[or-cvs] r15811: Results from registry modification tests (torbrowser/trunk/docs)

sjm217 at seul.org sjm217 at seul.org
Wed Jul 9 20:39:31 UTC 2008


Author: sjm217
Date: 2008-07-09 16:39:30 -0400 (Wed, 09 Jul 2008)
New Revision: 15811

Modified:
   torbrowser/trunk/docs/traces.txt
Log:
Results from registry modification tests

Modified: torbrowser/trunk/docs/traces.txt
===================================================================
--- torbrowser/trunk/docs/traces.txt	2008-07-09 17:49:51 UTC (rev 15810)
+++ torbrowser/trunk/docs/traces.txt	2008-07-09 20:39:30 UTC (rev 15811)
@@ -47,6 +47,23 @@
 There appears to be no difference when the bundle is run from
 removable storage as opposed to the hard disk. 
 
+Registry modifications
+======================
+
+The dumpreg.py in FindTraces will take a ProcessMonitor trace and dump the
+contents of all registry keys opened or modified by Tor Browser Bundle. For each
+of these keys, the state before and after Tor Browser Bundle is started can be
+saved. Then, by comparing the two files it is possible to find registry keys
+modified by Tor Browser Bundle.
+
+On a Windows XP installation, with Firefox installed, only one registry key is
+modified: HKLM\Software\Microsoft\Cryptography\RNG\Seed (by vidalia.exe,
+tor.exe, FirefoxPortable.exe, firefox.exe, polipo.exe)
+
+This key is also modifed by a large number of other applications (including
+calc.exe, mspaint.exe, notpad.exe, etc...) Therefore the modification of this
+does not indicate that Tor Browser Bundle was run.
+
 Future steps
 ============
 
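Review bot: The closing paragraph of the new "Registry modifications" section has two typos ("modifed", "notpad.exe"), and "the modification of this does not indicate" is missing its noun; suggest "modification of this key does not indicate that Tor Browser Bundle was run". The first paragraph says dumpreg.py dumps the keys seen in a ProcessMonitor trace and that the before and after files are compared, but gives neither the invocation nor the comparison step, so a reader cannot reproduce the result; a short command sequence would help. The finding is also stated only for one configuration ("a Windows XP installation, with Firefox installed"), so it would be worth saying whether a system without Firefox installed was tested, or listing that under "Future steps".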