Portable mode and Windows registry

Topics: Users Discussion
Apr 28, 2016 at 4:14 PM
I note that portable mode under Windows still leaves evidence in the registry. Am I correct in thinking this is because it needs to register the driver, hence the requirement for UAC elevation each time it's run?

If this is the case, even if it required a second UAC elevation prompt, is it possible to reverse this action after dismounting all volumes?

I don't know if they are using a similar driver model or not, but I note that TightVNC has an explicit option under Service mode to unregister its driver. Does that imply the possibility of doing this?

Would it even be worth it? Can an adversary determine that a registry key existed in the past and has been deleted by doing sufficient analysis of the registry files?
Apr 28, 2016 at 5:30 PM
Under Windows, everything is recorded: there are keys for all the folders you have ever seen, and some traces are even "encrypted" (ehm, with rot13, lol). Windows keeps multiple backups of the registry; traces are in the MFT table and free space, you never know where. Windows is so evil, it even mirrors your photos and executables from the encrypted container to the system drive. Even if they can't unlock your container, they will have file names and their previews, enough to prove exactly what and when you have been doing. If you want to partially erase traces, use PrivaZer, but you can be sure it won't be enough :-( For no trails it is best to use a live Linux DVD, or encrypt the whole system plus disable the integrated spy features with Windows spy destroyer, O&O ShutUp, and maybe others.
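As an added example (not part of this thread or the project), here is why deleting a key after unmounting does not answer the first post's question: a minimal Python parser that walks a registry hive's hbin blocks and reports key-node cells that are marked free but not yet overwritten, run against a constructed sample hive. The offsets follow the Windows hive file format (base block, hbin header, signed cell size, nk node); the key names in the sample are assumptions.

```python
import struct

HBIN_HEADER = 32      # size of the "hbin" block header
NK_FIXED = 0x4C       # fixed-size part of a key node ("nk") cell body
KEY_COMP_NAME = 0x20  # nk flag: name stored as 8-bit characters, not UTF-16

def find_key_cells(hive: bytes):
    """Yield (key_name, allocated) for every cell still starting with an 'nk' node, freed ones included."""
    hive_len = struct.unpack_from("<I", hive, 0x28)[0]   # data length from base block
    pos, end = 0x1000, 0x1000 + hive_len
    while pos + HBIN_HEADER <= end and hive[pos:pos + 4] == b"hbin":
        hbin_end = pos + struct.unpack_from("<I", hive, pos + 8)[0]
        cell = pos + HBIN_HEADER
        while cell + 4 <= hbin_end:
            raw = struct.unpack_from("<i", hive, cell)[0]   # negative size = allocated cell
            size = abs(raw)
            if size < 8 or cell + size > hbin_end:
                break                                        # corrupt or slack region
            body = cell + 4
            if hive[body:body + 2] == b"nk" and size >= 4 + NK_FIXED:
                flags, = struct.unpack_from("<H", hive, body + 2)
                name_len, = struct.unpack_from("<H", hive, body + 0x48)
                name = hive[body + NK_FIXED:body + NK_FIXED + name_len]
                enc = "latin-1" if flags & KEY_COMP_NAME else "utf-16-le"
                yield name.decode(enc, "replace"), raw < 0
            cell += size
        pos = hbin_end

def deleted_key_names(hive: bytes) -> list:
    """Names of key nodes whose cells are marked free (deleted, not yet overwritten)."""
    return [n for n, allocated in find_key_cells(hive) if not allocated]

def build_sample_hive() -> bytes:
    """Constructed test hive (not a real file): one live 'nk' cell, one freed 'nk' cell."""
    def nk_cell(name: bytes, allocated: bool) -> bytes:
        body = bytearray(NK_FIXED)
        body[0:2] = b"nk"
        struct.pack_into("<H", body, 2, KEY_COMP_NAME)
        struct.pack_into("<H", body, 0x48, len(name))
        body += name + b"\x00" * (-(NK_FIXED + len(name) + 4) % 8)  # 8-byte cell alignment
        size = len(body) + 4
        return struct.pack("<i", -size if allocated else size) + bytes(body)
    hbin = bytearray(b"hbin" + struct.pack("<II", 0, 0x1000) + b"\x00" * 20)
    hbin += nk_cell(b"LiveService", True) + nk_cell(b"DeletedDriverSvc", False)
    slack = 0x1000 - len(hbin)                        # rest of the block: one free cell
    hbin += struct.pack("<i", slack) + b"\x00" * (slack - 4)
    base = bytearray(b"regf" + b"\x00" * 4092)
    struct.pack_into("<I", base, 0x28, 0x1000)
    return bytes(base) + bytes(hbin)
```

The same function can be run over a copy of a real hive file (including the registry backups the reply above mentions), which is why deleting a key only marks its cell free and leaves the name recoverable until that space is reused.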