ShutdownCount
I was tooling around the Internet last night and ran across the "Forensics from the sausage factory" blog...and to be honest, my first thought was, "Oh, snap!"...it sounded like another one of those blogs that starts out being technical and interesting and then pretty soon the author starts posting personal or political stuff...
Anyway, I did find some pretty interesting posts, like this one. Like a fish, I'm easily distracted by shiny objects...in this case, anything that has to do with forensic analysis and the Registry. This post mentioned the following value:
HKLM\System\CurrentControlSet\Control\Watchdog\Display\ShutdownCount
Interesting. According to the post, this maintains a count of how many times the system was shut down. Most of the information regarding this value that I've been able to find via Google has to do with CastleCops and spyware scans...not sure why. I did find some info at MS on this, but it has to do with a Watchdog timer for video display drivers.
Any thoughts?
Any other keys/values of interest? If so, it's usually helpful to state why the key/value is of interest to forensic examiners (or incident responders).
Yes, I created a plugin for this value. ;-)
Anyway, I did find some pretty interesting posts, like this one. Like a fish, I'm easily distracted by shiny objects...in this case, anything that has to do with forensic analysis and the Registry. This post mentioned the following value:
HKLM\System\CurrentControlSet\Control\Watchdog\Display\ShutdownCount
Interesting. According to the post, this maintains a count of how many times the system was shut down. Most of the information regarding this value that I've been able to find via Google has to do with CastleCops and spyware scans...not sure why. I did find some info at MS on this, but it has to do with a Watchdog timer for video display drivers.
Any thoughts?
Any other keys/values of interest? If so, it's usually helpful to state why the key/value is of interest to forensic examiners (or incident responders).
Yes, I created a plugin for this value. ;-)