
Forensic Riddle #7

December 30, 2011 in Forensic Riddles

Many Microsoft articles say that modifying certain registry keys requires the computer to be restarted for the changes to be taken into account.

Question: Why? And why are these changes sometimes taken into account immediately (i.e. without a restart)?

Have a good weekend and Happy New Year 2012!

Answer here

Forensic Riddle #6 – Answer

December 26, 2011 in Forensic Riddles - Answers

Yes. It is. One way to do it is for the program to save a copy of itself as an ADS (Alternate Data Stream) and run it from there. Once the copy is executing from the ADS, the host file can delete itself. So, technically it is a bit of cheating :), yet it works – see the screenshot for details.