Forensic Riddle #7

Posted on by

Many Microsoft articles say that modifying certain registry keys require computer to be restarted for the changes to be taken into account.

Question: Why? And why sometimes these changes are taken into account immediately (i.e. without restart)?

Have a good weekend and Happy New Year 2012!

Answer here

Forensic Riddle #6 – Answer

Posted on by

Yes. It is. One way to do it is to save its own copy as an ADS (Alternate Data Stream) and run it from there. Once executed from ADS, the host file will be able to self-delete itself. So, technically it is a bit of cheating :), yet it works – see the screenshot for details.