Can a registry key's LastWriteTime be updated to a datetime in the past using PowerShell?

  • Question

  • Can a registry key's LastWriteTime be updated to a past datetime using a script? I am looking to detect fraudulent copy and LastWriteTime update of a registry key.

    Thanks in advance.


    ss883r

    Thursday, February 6, 2014 7:43 PM

Answers

  • I would say that the answer is probably yes. This function looks like it can do it, so you could use PInvoke to make a function to call from PowerShell. You could also change the information on an offline system by directly modifying the hive file (that would be much more dangerous than using the internal API call linked earlier, though).
    • Marked as answer by srrs Thursday, February 6, 2014 8:33 PM
    Thursday, February 6, 2014 8:22 PM
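An added example, not code from the thread: a PowerShell check on the defender's side of the P/Invoke suggestion above. It reads a key's LastWriteTime through RegQueryInfoKeyW (the registry provider does not expose that field) and compares the key with a baseline sealed by an HMAC; the key path and the secret are placeholders.

```powershell
# Added example. RegQueryInfoKeyW returns the key's LastWriteTime; unused out-parameters
# are declared IntPtr so NULL can be passed and only the FILETIME is read.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class RegInfo {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int RegQueryInfoKeyW(
        IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
        IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
        IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
        IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
}
"@

function Get-RegistryKeyLastWriteTime {
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key)
    $ft = 0L
    $z  = [IntPtr]::Zero
    $rc = [RegInfo]::RegQueryInfoKeyW($Key.Handle.DangerousGetHandle(),
            $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKeyW failed, Win32 error $rc" }
    [DateTime]::FromFileTimeUtc($ft)
}

function New-RegistryKeyBaseline {
    # Snapshot of key path, LastWriteTime and all values, bound together by HMAC-SHA256.
    param([string]$Path, [byte[]]$HmacKey)
    $key    = Get-Item -LiteralPath $Path
    $values = ($key.GetValueNames() | Sort-Object |
               ForEach-Object { "$_=$($key.GetValue($_))" }) -join "`n"
    $lwt    = (Get-RegistryKeyLastWriteTime -Key $key).ToString('o')
    $hmac   = [System.Security.Cryptography.HMACSHA256]::new($HmacKey)
    $mac    = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes("$Path`n$lwt`n$values"))
    [pscustomobject]@{ Path = $Path; LastWriteTime = $lwt; Mac = [Convert]::ToBase64String($mac) }
}

function Test-RegistryKeyBaseline {
    # 'backdated' = values differ but LastWriteTime did not move, i.e. the key was
    # rewritten and its timestamp reset; a normal edit shows up as 'modified'.
    param($Baseline, [byte[]]$HmacKey)
    $now = New-RegistryKeyBaseline -Path $Baseline.Path -HmacKey $HmacKey
    if ($now.Mac -eq $Baseline.Mac)                     { return 'unchanged' }
    if ($now.LastWriteTime -eq $Baseline.LastWriteTime) { return 'backdated' }
    return 'modified'
}

# Placeholder usage: the secret and the baseline belong off the monitored machine.
$secret   = [Text.Encoding]::UTF8.GetBytes('replace-with-a-random-secret-kept-elsewhere')
$baseline = New-RegistryKeyBaseline -Path 'HKCU:\Software\ExampleApp' -HmacKey $secret
Test-RegistryKeyBaseline -Baseline $baseline -HmacKey $secret
```

Keeping the secret and stored baseline off the host matters: anyone with write access to the key could otherwise recompute a matching baseline, and a hive backed up and restored elsewhere carries its saved timestamps with it, so the comparison, not the timestamp alone, is what detects the change.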

All replies

  • How to use Group Policy to audit registry keys: http://support.microsoft.com/kb/324739

    Bill

    • Proposed as answer by Mike Laughlin Thursday, February 6, 2014 8:11 PM
    Thursday, February 6, 2014 8:04 PM
  • Unfortunately, I will not be allowed to create a group/local policy to audit the key in question. Also, if I back up the registry on machine 1 and restore on machine 2 without auditing enabled, it might hide any suspicious activity. So I appreciate any thoughts on alternatives. Thanks


    ss883r

    Thursday, February 6, 2014 8:12 PM
  • So if update is possible, maybe I could achieve my anti-fraud goal by changing the permission on the key when I create it to not allow KEY_WRITE. Hopefully backing up a registry and restoring will not allow changes as well.


    ss883r

    Thursday, February 6, 2014 8:26 PM
  • This sounds like a security question, not a scripting question.

    Bill

    Thursday, February 6, 2014 8:50 PM
  • I agree - sorry to muddy the waters there. Thanks for everyone's prompt responses!

    ss883r

    Thursday, February 6, 2014 8:51 PM