In a recent engagement I came across an application that I had never encountered before. I searched a bit online but could not find any articles about this application or the artifacts it leaves behind. This guide is by no means an exhaustive examination of the application.
Revo Uninstaller Pro[1] is an application that enables users to remove applications from the computer. Its most interesting feature, though, is that it lets the user remove some Windows artifacts such as web history, search history, UserAssist, ComDlg32, etc.
Windows Registry Artifacts
While installing the tool I found that it creates Windows Registry keys in the user's NTUSER.DAT hive. The location of the data is "Software\VS Revo Group\Revo Uninstaller Pro\".
The "TrackCleaner" subkey stores the user settings responsible for deleting the various Windows artifacts. Its Last Write Time is not the last execution date but the last time the user changed those settings.
For example, inside "Software\VS Revo Group\Revo Uninstaller Pro\TrackCleaner\Windows" we see that the user's preset is to remove the ComDlg32 Windows artifact.
Inside the MSOffice subkey you find the Microsoft Office related configuration. It is stored in a cryptic form.
That simply translates into:
CARDH -> Microsoft Office Access
CERDH -> Microsoft Office Excel
CPPRDH -> Microsoft Office PowerPoint
CWRDH -> Microsoft Office Word
Removing Software
When the user removes a pre-existing application with Revo Uninstaller Pro, the default behavior is to create a System Restore Point. You can see this setting if you navigate to "Software\VS Revo Group\Revo Uninstaller Pro\Uninstaller" and look at the "Create System Restore Point" value. You can then search for event ID 8194 in the Windows Application event log to find out which application was actually removed.
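As an added example, not the post's RegRipper plugin nor code from Revo, here is a small Python triage script that pulls these settings out of a .reg export of the user's hive and decodes the MSOffice names; the value names under TrackCleaner and their dword encoding are assumptions, since the post does not list them.

```python
import re

# Constructed sample: a .reg export of the Revo key from a user's NTUSER.DAT. The value names under
# TrackCleaner and their dword encoding are assumptions (hypothetical); the post does not list them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller Pro\TrackCleaner\Windows]
"ComDlg32"=dword:00000001
"UserAssist"=dword:00000000
[HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller Pro\TrackCleaner\MSOffice]
"CWRDH"=dword:00000001
"CERDH"=dword:00000001
"CARDH"=dword:00000000
[HKEY_CURRENT_USER\Software\VS Revo Group\Revo Uninstaller Pro\Uninstaller]
"Create System Restore Point"=dword:00000001
"""
REVO_ROOT = r"Software\VS Revo Group\Revo Uninstaller Pro"
# Cryptic MSOffice value names and their meaning, as documented in the post
OFFICE_CODES = {"CARDH": "Microsoft Office Access", "CERDH": "Microsoft Office Excel",
                "CPPRDH": "Microsoft Office PowerPoint", "CWRDH": "Microsoft Office Word"}


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: int}}; only dword values are kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def revo_summary(keys):
    """Reduce the Revo subkeys to which cleaners are enabled and whether a restore point is created.
    A .reg export carries no Last Write Time; the TrackCleaner settings-change time needs the hive itself."""
    summary = {"windows_cleaners": [], "office_cleaners": [], "restore_point": None}
    for path, values in keys.items():
        parts = path.split(REVO_ROOT + "\\", 1)  # drop the HKEY_CURRENT_USER\ or HKEY_USERS\<SID>\ prefix
        if len(parts) != 2:
            continue
        sub = parts[1]
        if sub == r"TrackCleaner\Windows":
            summary["windows_cleaners"] = sorted(n for n, v in values.items() if v)
        elif sub == r"TrackCleaner\MSOffice":
            summary["office_cleaners"] = sorted(OFFICE_CODES.get(n, n) for n, v in values.items() if v)
        elif sub == "Uninstaller":
            summary["restore_point"] = bool(values.get("Create System Restore Point", 0))
    return summary
```

On a real case, export the key from the mounted NTUSER.DAT (or pass RegRipper output) and read the TrackCleaner Last Write Time from the hive, remembering it marks a settings change, not a cleaning run.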
RegRipper Plugin:
To speed up the analysis I wrote a RegRipper plugin, which I share with you here [2].
More research is needed for this application. If time permits I will post more about it in the future.
[1] https://www.revouninstaller.com
[2] https://github.com/tsousahs/RegRipper2.8/blob/master/plugins/revouninstaller.pl