Monday, March 28, 2011

Interesting Registry Backup Feature of Windows 7, Vista, and Server 2008

We have been doing quite a bit of registry-related research lately, and when I was investigating a Windows 7 machine, I noticed a folder "RegBack" under "C:\Windows\System32\config" (the normal directory where the registry hive files are kept). This piqued my interest, and upon viewing the folder I noticed what looked like a backup of all the core registry files (system, software, security, sam), all of which had a last-written time of about 8 days earlier.

Wanting to know what was controlling this folder, I Googled "RegBack", which resulted in about 77,000 hits related to registry tech support or anti-virus scan results. The key moment came when I saw a forum poster mention that this folder was controlled by the "RegIdleBackup" scheduled task. I then browsed my scheduled tasks library and found this task:


As can be seen in the picture, the "RegIdleBackup" task is scheduled to run every ten days and has the description "Registry Idle Backup Task". Obviously, I did not create this task, so I will assume it is a default in Windows 7. This agrees with many of the posts I found about the RegBack folder.

I then decided to see if this behavior was the same on Vista and Server 2008. To my surprise, the RegBack folder and a registry backup existed on both of these operating system versions, but neither of them had the "RegIdleBackup" scheduled task. I then looked at the services list to see if any had a name related to registry functions, but did not find any. At this point I have yet to determine what controls the updating of this folder on Vista/2008 or when the update occurs. If anyone has insight into this, please comment on the blog or email me about it and I will update the post.

After realizing that all of the latest Windows versions contain a pristine, historical copy of the registry, I wanted to see if the existence of RegBack was known in the forensics community. I emailed a few people who I know perform many related hands-on investigations and training sessions, and all of them said that they had not heard of the folder or its associated task. I then Googled for terms such as "regback" "forensics" and "regback" "sans", and all results came back empty. The one reference I did find to RegBack examination was a CEIC 2007 presentation (here, slides 23-24) by Lance Mueller. The existence of this folder has obvious forensics implications: it allows at least one historical revision of the hive files to be gathered offline, without having to interact with the Volume Shadow Copy Service.
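The following PowerShell triage script is an added example, not code from the original post. It inventories the RegBack hive copies next to the live hives (size, last-write time, age in days) and then checks for the RegIdleBackup task, using Get-ScheduledTask where that cmdlet exists (Windows 8 / Server 2012 and later) and falling back to schtasks.exe, which is present on Vista, 7 and 2008 and lists hidden tasks. It also reads the TaskCache Tree key for the task, which one of the comments below points out can outlive the task itself. The paths, task name and registry key come from the post; the field names parsed from schtasks output assume an English-locale system, and the folder is only readable from an elevated prompt.

```powershell
# Added example: RegBack / RegIdleBackup triage on a live Windows host.
# Assumptions: default %SystemRoot%\System32\config layout, the task path
# quoted in the post, English-locale schtasks output, elevated prompt.

$configDir  = Join-Path $env:SystemRoot 'System32\config'
$regBackDir = Join-Path $configDir 'RegBack'
$taskPath   = '\Microsoft\Windows\Registry\'
$taskName   = 'RegIdleBackup'
$treeKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Registry\RegIdleBackup'
$hives      = 'SYSTEM', 'SOFTWARE', 'SECURITY', 'SAM', 'DEFAULT'

function Get-RegBackInventory {
    # One row per hive: does a backup copy exist, how big is it, and how old is it
    # relative to now and to the live hive. A 0-byte backup is worth flagging.
    if (-not (Test-Path $regBackDir)) {
        Write-Warning "RegBack folder not found: $regBackDir"
        return
    }
    $nowUtc = (Get-Date).ToUniversalTime()
    foreach ($hive in $hives) {
        $backup = Get-Item (Join-Path $regBackDir $hive) -ErrorAction SilentlyContinue
        $live   = Get-Item (Join-Path $configDir  $hive) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive          = $hive
            BackupExists  = [bool]$backup
            BackupBytes   = if ($backup) { $backup.Length } else { $null }
            BackupWritten = if ($backup) { $backup.LastWriteTimeUtc } else { $null }
            LiveWritten   = if ($live)   { $live.LastWriteTimeUtc }   else { $null }
            AgeDays       = if ($backup) { [math]::Round(($nowUtc - $backup.LastWriteTimeUtc).TotalDays, 1) } else { $null }
        }
    }
}

function Get-RegIdleBackupTask {
    # Prefer the ScheduledTasks module; fall back to schtasks.exe on older systems.
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $t = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
        if (-not $t) { return [pscustomobject]@{ Present = $false } }
        $info = $t | Get-ScheduledTaskInfo
        return [pscustomobject]@{
            Present     = $true
            State       = $t.State
            Hidden      = $t.Settings.Hidden
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
        }
    }
    $out = & schtasks.exe /Query /TN "$taskPath$taskName" /FO LIST /V 2>$null
    if ($LASTEXITCODE -ne 0) { return [pscustomobject]@{ Present = $false } }
    # Reduce the verbose LIST output to the fields a triage note needs.
    $fields = @{}
    foreach ($line in $out) {
        if ($line -match '^(Status|Last Run Time|Next Run Time|Schedule Type):\s+(.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }
    [pscustomobject]@{
        Present     = $true
        Status      = $fields['Status']
        LastRunTime = $fields['Last Run Time']
        NextRunTime = $fields['Next Run Time']
        Schedule    = $fields['Schedule Type']
    }
}

function Get-RegIdleBackupTreeKey {
    # The TaskCache\Tree entry holds the task's Id GUID; its presence without a
    # listed task suggests the task was removed after the cache was written.
    $k = Get-ItemProperty -Path $treeKey -ErrorAction SilentlyContinue
    if (-not $k) { return [pscustomobject]@{ TreeKeyPresent = $false } }
    [pscustomobject]@{ TreeKeyPresent = $true; Id = $k.Id; Index = $k.Index }
}

Get-RegBackInventory     | Format-Table -AutoSize
Get-RegIdleBackupTask    | Format-List
Get-RegIdleBackupTreeKey | Format-List
```

Two things to read from the output. First, BackupWritten is the only timestamp that tells you how old the offline copy actually is; comparing it with LiveWritten shows how much registry history the copy may have missed. Second, on Windows 10 version 1803 and later the task still runs but writes zero-byte files unless periodic backup has been re-enabled, so a BackupBytes of 0 means there is no usable copy, not a corrupt one.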


Hopefully this post was interesting enough for a Monday morning read. If after reading the post you notice that your Windows 7 installation does not have the RegIdleBackup scheduled task or that your Vista/2008 installation does, I would be very interested in hearing about it.

9 comments:

  1. Very interesting. This will definitely be useful to a lot of us who encounter W7 systems increasingly.
    Thanks for sharing!

  2. Good find. I had seen that folder but didn't think to investigate it further. It is on my 32-bit version of Win7 (both the folder and the scheduled task to do the backup).

  3. I am running Windows 7 Ultimate and do have the scheduled task as a default install. It was set up by Microsoft and runs hidden whether the user is logged in or not.

  4. Did a little more research and found that there are two registry entries:

    The first is at:


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA4B8FF2-A4D2-4D88-A52E-3A5BDAF7F56E}

    Now if you Google the last part of this key name, {CA4B8FF2-A4D2-4D88-A52E-3A5BDAF7F56E}, this will show you that this key is the name of a log file located at C:\Windows\System32\Logfiles\Scm\.

    The contents of this logfile are unreadable and I am still researching on how to unencrypt this info.


    There is a second registry entry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Registry\RegIdleBackup.

    This contains a REG_DWORD of 0x00000003 (3) which indicates all features are turned on for this application.

    Those are the only two registry entries I was able to find, so I will create a script that will run under RegRipper to identify these entries for me up front; that way I will know that a backup does exist or did exist at one time. Even if a user deletes the task under Task Scheduler, I believe these two entries will stay, but the information might change.

    So if anyone knows how to unencrypt the log file let me know.

    Replies
    1. I believe that file is analyzed by the "System File Checker" SFC.EXE

  5. The Registry Backup Task exists as a Hidden Task in the Task Scheduler Library of Server 2008 R2 SP1. It is possible to modify this task to 'Allow task to be run on demand' (on the Properties tab). I am really pleased to have stumbled on this blog. Thanks for alerting me to the existence of this amazingly useful task...

  6. Hi There, very interesting topic. I just messed up my registry and wanted to know how I can recover it from these log files that are in RegBack.
    It doesn't even let me copy them.
    Thanks,
    Sep

  7. Hi there,

    I just messed up my registry. I was wondering how I can recover it from these log files in the RegBack.
    I don't like to use windows recovery itself since it really didn't work for me the last time I used it.
    Thanks,
    Sep

    Replies
    1. Hmm, this actually sounds like a dangerous operation since it's still not known when the backups are created... you would not be guaranteed to restore a proper state
