We have been doing quite a bit of registry-related research lately, and when I was investigating a Windows 7 machine, I noticed a folder "RegBack" under "C:\Windows\System32\config" (the normal directory where registry files are kept). This piqued my interest and upon viewing the folder, I noticed what looked like a backup of all the core registry files (system, software, security, sam), and they all had a last written time of about 8 days earlier.
Wanting to know what was controlling this folder, I Googled "RegBack", which resulted in about 77,000 hits related to registry tech support or anti-virus scan results. The key moment came when I saw a forum poster mention that this folder was controlled by the "RegIdleBackup" scheduled task. I then browsed my scheduled tasks library and found this task:
As can be seen in the picture, the "RegIdleBackup" task is scheduled to run every ten days and has a description of "Registry Idle Backup Task". Obviously, I did not create this task, so I will assume it is a default in Windows 7. This agrees with many of the posts I found related to the RegBack folder.
I then decided to see if this behavior was the same on Vista and Server 2008. To my surprise, the RegBack folder and a registry backup existed on both of these operating system versions, but neither of them had the "RegIdleBackup" scheduled task. I then looked at the services list to see if any had a name related to registry functions, but did not find any. At this point I have yet to determine what controls the updating of this folder on Vista/2008 or when the update occurs. If anyone has insight into this please comment on the blog or email me about it and I will update the post.
After realizing that all of the latest Windows versions contain a pristine, historical copy of the registry, I wanted to see if the existence of RegBack was known in the forensics community. I then emailed a few people who I know perform many related hands-on investigations and training sessions, and all of them said that they had not heard about the folder or its associated task. I then Googled for terms such as "regback" "forensics" and "regback" "sans" and all results came back empty. The one reference I did find to RegBack examination was a CEIC 2007 presentation (here, slides 23-24) by Lance Mueller. The existence of this folder has obvious forensics implications, and can enable at least one revision of historical files to be gathered offline without having to interact with the Volume Shadow Copy Service.
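To show what an examiner can do with those offline copies, here is an added example (not code from the post or from any tool it mentions) that triages the RegBack hives in a mounted image: it reads each hive's regf base block, checks the signature and header checksum, flags a backup whose sequence numbers do not match (the copy was taken while a write was in flight), and reports how far the backup's internal last-written timestamp lags the live hive. It assumes the on-disk file names SAM, SECURITY, SOFTWARE and SYSTEM under config\ and config\RegBack\ (case matters on a non-Windows mount) and the documented regf base-block layout; `demo()` builds a constructed config tree in a temp directory so the check runs without a real image.

```python
import struct
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
HIVES = ("SAM", "SECURITY", "SOFTWARE", "SYSTEM")  # file names as stored under config\
EPOCH_1601 = datetime(1601, 1, 1)  # FILETIME epoch (UTC); timestamps are 100 ns ticks

def regf_checksum(block):
    """XOR of the 127 DWORDs at offsets 0..507; 0 maps to 1 and 0xFFFFFFFF to 0xFFFFFFFE."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        x ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)

def parse_hive_header(path):
    """Triage fields from the 512-byte regf base block that starts every hive file."""
    block = Path(path).read_bytes()[:512]
    if len(block) < 512 or block[:4] != b"regf":
        raise ValueError(f"{path}: no 'regf' signature, not a registry hive")
    seq1, seq2, last_written = struct.unpack_from("<IIQ", block, 4)  # offsets 4, 8, 12
    return {"last_written": EPOCH_1601 + timedelta(microseconds=last_written // 10),
            "clean": seq1 == seq2,  # unequal sequence numbers: a write was in flight
            "checksum_ok": struct.unpack_from("<I", block, 508)[0] == regf_checksum(block)}

def compare_regback(config_dir):
    """Per hive: how far the RegBack copy lags the live hive, and whether it is intact."""
    out = {}
    for hive in HIVES:
        live = parse_hive_header(Path(config_dir, hive))
        back = parse_hive_header(Path(config_dir, "RegBack", hive))
        out[hive] = {"backup_age": live["last_written"] - back["last_written"],
                     "backup_clean": back["clean"], "backup_checksum_ok": back["checksum_ok"]}
    return out

def build_base_block(last_written_ft, seq1=1, seq2=1):  # constructed block, demo use only
    block = bytearray(512)
    block[:4] = b"regf"
    struct.pack_into("<IIQ", block, 4, seq1, seq2, last_written_ft)
    struct.pack_into("<I", block, 508, regf_checksum(block))
    return bytes(block)

def demo():
    """Constructed tree: live hives 8 days newer than RegBack, SYSTEM backup copied mid-write."""
    root = Path(tempfile.mkdtemp())
    (root / "RegBack").mkdir()
    back_ft = 128_000_000_000_000_000  # arbitrary 2006-era FILETIME, constructed value
    for hive in HIVES:
        (root / hive).write_bytes(build_base_block(back_ft + 8 * 24 * 3600 * 10_000_000))
        (root / "RegBack" / hive).write_bytes(build_base_block(back_ft, 2, 1 if hive == "SYSTEM" else 2))
    return compare_regback(root)
```

Point `compare_regback()` at the config directory of a mounted image; a backup flagged as not clean or with a bad checksum should be treated with suspicion before any keys are recovered from it.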
Hopefully this post was interesting enough for a Monday morning read. If after reading the post you notice that your Windows 7 installation does not have the RegIdleBackup scheduled task or that your Vista/2008 installation does, I would be very interested in hearing about it.