Applications that write to the registry, are they portable?

Andrew Lee
Posts: 3105
Joined: Sat Feb 04, 2006 9:19 am

Re: Applications that write to the registry, are they portable?

#76 Post by Andrew Lee »

Holy cow... that's complicated!

Midas
Posts: 6851
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Applications that write to the registry, are they portable?

#77 Post by Midas »

Andrew Lee wrote: That's complicated!

Apparently, it's also poorly implemented... (or at least was, since what follows is a rather old reference):
I've just spent a couple of weeks reverse engineering the binary format completely for our hivex library and shell which now supports both reading and writing to the registry. So now I can tell you why the Registry sucks from a technical point of view too...

Andrew Lee
Posts: 3105
Joined: Sat Feb 04, 2006 9:19 am

Re: Applications that write to the registry, are they portable?

#78 Post by Andrew Lee »

Midas wrote: Fri Jul 29, 2022 8:53 am Apparently, it's also poorly implemented... (or at least was, since what follows is a rather old reference):
I've just spent a couple of weeks reverse engineering the binary format completely for our hivex library and shell which now supports both reading and writing to the registry. So now I can tell you why the Registry sucks from a technical point of view too...
Wow, that was brutal, but an engaging read!

influx
Posts: 6
Joined: Wed Aug 28, 2024 4:56 pm

Re: Applications that write to the registry, are they portable?

#79 Post by influx »

With Shellbags, LastRun etc. all over the registry in often obfuscated binary formats, isn't it essentially impossible to create a 100% stealth project that does anything non-trivial? You'd need a wrapper that was aware of every aspect of registry forensics that could clean up on exit, and even then you'd need to rely on the software closing elegantly every time. Stealth on Windows after XP is a myth for all but the most OCD developers working on privacy-centric apps. Linux is arguably even less friendly due to the sheer number of variables involved though -- yes, there's no ugly monolithic binary database like the registry but your desktop environment, file explorer, package manager, package format (esp. the portable ones like AppImage), distro directory structure etc. all contribute to hundreds of permutations of potential non-stealth remnants. At least with Windows, it fails stealth in a highly predictable way that uses the same dozen or so diffuse locations for remnants.

Speaking of which, anyone aware of any wrapper frameworks (for developers) or apps (for end users) that will do all that stuff? My ideal would be one that even cleans up Shellbags if explorer dialogs were used. Though that seems like a wholly unrealistic moving target. Can Sandboxie be used to avoid all of those remnants without much of a performance hit? I've always meant to try it, especially since it went open source, but just never got around to it. What about Docker? I've been looking for native solutions but I think emulation/virtualisation/containerisation is the future for truly portable apps with stealth.

I know that I talk a good game and that I should've already tried these things a long time ago but most of what I know comes from when I was a CS academic working on security engineering and networking over a decade ago, before Docker became this huge deal; I had to give up because I developed an extremely rare blood disorder that has left me (hopefully temporarily) disabled.
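
As an added example (not code from this thread), here is the kind of artefact the post above is describing: a UserAssist entry, where the program path is stored as a ROT13-obfuscated value name and the run count and last-run time sit in a binary value. The sample entry is constructed, and the record layout assumed is the Windows 7 and later 72-byte one (run count at offset 4, last-run FILETIME at offset 60).

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int):
    """Convert a Windows FILETIME to an aware datetime (None for a zero value)."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist(value_name: str, value_data: bytes) -> dict:
    """Decode one value from HKCU\\...\\Explorer\\UserAssist\\{GUID}\\Count.

    The value name is the ROT13-obfuscated program path; the data is a binary
    record (assumed Windows 7+ layout, 72 bytes): run count at offset 4,
    focus count at 8, focus time in ms at 12, last-run FILETIME at offset 60.
    """
    if len(value_data) < 68:
        raise ValueError("UserAssist record too short: %d bytes" % len(value_data))
    program = codecs.decode(value_name, "rot_13")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", value_data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", value_data, 60)
    return {
        "program": program,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run_ft),
    }


def build_sample_record(run_count: int, last_run: datetime) -> bytes:
    """Constructed sample record in the same layout, for offline demonstration."""
    filetime = int((last_run - FILETIME_EPOCH).total_seconds()) * 10_000_000
    header = struct.pack("<IIII", 0, run_count, 2, 1500)  # session, runs, focus, focus ms
    return header + b"\x00" * 44 + struct.pack("<Q", filetime) + b"\x00" * 4


# Constructed sample: ROT13 of C:\PortableApps\MyTool\mytool.exe
SAMPLE_NAME = "P:\\CbegnoyrNccf\\ZlGbby\\zlgbby.rkr"
SAMPLE_DATA = build_sample_record(5, datetime(2024, 8, 28, 16, 56, tzinfo=timezone.utc))

if __name__ == "__main__":
    entry = decode_userassist(SAMPLE_NAME, SAMPLE_DATA)
    print(f"{entry['program']} ran {entry['run_count']} times, last at {entry['last_run']}")
```

On a live system the same function can be fed the name/data pairs that winreg.EnumValue returns for each Count subkey, which is how an examiner (or a developer checking what their "portable" app left behind) sees which programs ran and when.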

influx
Posts: 6
Joined: Wed Aug 28, 2024 4:56 pm

Re: Applications that write to the registry, are they portable?

#80 Post by influx »

Another big aspect that I forgot about was all the shit in the latest Windows versions (10 + 11) that take forensic artefacts out of your control entirely by broadcasting them over the net. Once Recall is a quasi-mandatory part of the OS (it may take many years to convince people to accept it, but it'll happen), "stealth" will be an essentially meaningless term. Arguably we've been trending that way for a long time, esp as MS hasn't given up on replacing .exe downloads with Store apps.

Midas
Posts: 6851
Joined: Mon Dec 07, 2009 7:09 am
Location: Sol3

Re: Applications that write to the registry, are they portable?

#81 Post by Midas »

Sandboxie comes to mind even if I dunno if it'll fit the bill... :|
