"1st shot" is taken before the action you want to observe, and "2nd shot" after the action has finished; once both snapshots have been recorded, click "compare" to diff the two records. For example, after the kavo.exe virus has run, Regshot produces the following comparison output:
REGSHOT LOG 1.61e5
Comments:
Datetime:2009/12/28 18:36:50 , 2009/12/28 18:37:07
Computer:ZERO-A0738C6D72 , ZERO-A0738C6D72
Username:zero , zero
----------------------------------
Values added:3
----------------------------------
HKEY_USERS\S-1-5-21-527237240-436374069-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\mreb\桌面\xnib.rkr: 08 00 00 00 06 00 00 00 B0 C9 49 BA EC 87 CA 01
HKEY_USERS\S-1-5-21-527237240-436374069-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\kava: "C:\WINDOWS\system32\kavo.exe"
HKEY_USERS\S-1-5-21-527237240-436374069-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\zero\桌面\kavo.exe: "kavo"
----------------------------------
Values modified:7
----------------------------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 92 1F 14 70 5A 88 D7 10 29 B4 63 02 36 B9 C6 92 58 E9 6C CC 85 7F 43 CC D3 2A 26 00 EF 31 BD CC 2D A9 AB B0 C5 EF D7 49 05 B2 01 B6 CC AE 46 13 61 4A C8 C8 C0 CC A6 3D 1B 9F 79 D3 DB D7 D6 46 24 83 80 CD F9 24 8F B9 D8 F4 83 5E 66 0A 5C 73
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 31 B0 E1 CF 34 2C 86 B2 4B D5 9E FE C3 6C 48 D3 9E 62 83 48 67 69 1A 90 C5 81 61 26 91 41 01 CD F1 8D FF D5 26 68 DC 9A 82 63 B2 AE 7C 74 2A 0F 1E 14 09 5A 4E 68 19 4A B8 5A 2A 05 A3 D2 E3 D5 B4 DA DE 91 55 6E E2 6E 54 DD D1 B2 88 EA 1A 9A
...........
----------------------------------
Files added:2
----------------------------------
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
...........
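As an added example that is not part of the original post, here is a small Python parser for the Regshot compare format shown above. It splits the log into its "Values added" / "Files added" sections and pulls out the two findings a defender would triage first: new autostart entries under a Run key and files dropped into system32. The embedded log is a constructed, shortened copy of the output above with a placeholder SID.

```python
import re

# Constructed sample modelled on the Regshot 1.61e5 compare output above
# (kavo.exe run); the SID is a placeholder, the paths match the page.
SAMPLE_LOG = r"""REGSHOT LOG 1.61e5
Comments:
Datetime:2009/12/28 18:36:50 , 2009/12/28 18:37:07
----------------------------------
Values added:2
----------------------------------
HKEY_USERS\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\CurrentVersion\Run\kava: "C:\WINDOWS\system32\kavo.exe"
HKEY_USERS\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\zero\Desktop\kavo.exe: "kavo"
----------------------------------
Files added:2
----------------------------------
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
"""

# Section headers look like "Values added:3" / "Files added:2" (no space after the colon).
SECTION_RE = re.compile(r"^(Values added|Values modified|Values deleted|Files added|Files deleted|Files modified):(\d+)$")
AUTORUN_MARKERS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")

def parse_regshot(text):
    """Return {section_name: [entry lines]} for a Regshot compare log."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        # Skip the preamble, blank lines and the dashed separator rows.
        if current is None or not line or set(line) == {"-"}:
            continue
        sections[current].append(line)
    return sections

def find_persistence(sections):
    """(key, value) pairs for added registry values under Run/RunOnce."""
    hits = []
    for entry in sections.get("Values added", []):
        key, sep, value = entry.partition(": ")  # first ': ' splits key from data
        if sep and any(marker in key for marker in AUTORUN_MARKERS):
            hits.append((key, value.strip('"')))
    return hits

def find_new_system_files(sections, prefix="C:\\WINDOWS\\system32\\"):
    """Added files that landed in the system directory."""
    return [f for f in sections.get("Files added", []) if f.lower().startswith(prefix.lower())]
```

Running the two finder functions over a real compare log gives a quick triage list; everything else (MUICache, UserAssist, the RNG seed churn) is normal execution noise.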
If you know of other useful tools, recommendations are welcome.