Hello Reader,
Tonight we tested out Maxim Suhanov’s YARP library and his provided script to extract and decompress the LZNT1 compressed keys in the CITSystem key we talked about last night.

Here is what we learned:

  • YARP is a great Python registry library, clearly I’m just scratching the surface of what it can do
  • LZNT1 requires a minimum chunk size equal to the cluster size of the NTFS drive to decompress data
  • The CITSystem key on my test system had two values to be decompressed
  • The first value appears to contain system executables
  • The second value appears to contain user executables
  • There is some overlap between the CITSystem key and the recentfilecache.bcf
  • The CITSystem key refers to the recentfilecache.bcf file
  • The CITSystem key contained calls to rundll with parameters
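For readers who want to see what the decompression step actually does, here is an added example: a small, self-contained LZNT1 decompressor in Python. It is not code from this post, from YARP, or from Maxim Suhanov’s script. In practice the input would be the raw value bytes read out of the hive; here the two input buffers are constructed by hand (chunk headers, flag bytes and back-reference tokens laid out per the documented LZNT1 chunk format) so the code runs offline. Malformed back-references, which a forensic parser must expect when reading data it did not produce, are rejected with a `ValueError` instead of being silently copied.

```python
import struct

# Constructed sample input (not data from the post): two LZNT1 chunks, then a
# zero terminator header.
#   chunk 1: compressed, 6 data bytes  -> header 0xB005 (flag bit 15 set,
#            signature 3 in bits 12-14, size-1 in bits 0-11).
#            Tokens: literals 'A','B','C', then a back-reference (offset 3,
#            length 9) encoded as 0x2006 -> bytes 06 20.
#   chunk 2: stored/uncompressed, 5 data bytes -> header 0x3004, payload "hello".
SAMPLE_LZNT1 = (
    b"\x05\xb0" + b"\x08" + b"ABC" + b"\x06\x20"
    + b"\x04\x30" + b"hello"
    + b"\x00\x00"
)

# Second constructed sample: 17 literals followed by a back-reference, so the
# decoder has to shift the displacement/length split (5 displacement bits
# instead of 4). Token 0x8002 = offset 17, length 5 -> bytes 02 80.
SAMPLE_LZNT1_SHIFT = (
    b"\x15\xb0"
    + b"\x00" + b"01234567"
    + b"\x00" + b"89abcdef"
    + b"\x02" + b"g" + b"\x02\x80"
)


def _decompress_chunk(data: bytes) -> bytes:
    """Decode the body of one compressed LZNT1 chunk (2-byte header removed)."""
    out = bytearray()
    i = 0
    while i < len(data):
        flags = data[i]            # one flag byte covers the next 8 tokens, LSB first
        i += 1
        for bit in range(8):
            if i >= len(data):
                break
            if not (flags >> bit) & 1:
                out.append(data[i])   # flag bit clear: literal byte
                i += 1
                continue
            if i + 1 >= len(data):
                raise ValueError("truncated back-reference token")
            token = struct.unpack_from("<H", data, i)[0]
            i += 2
            # The token is split into displacement (high bits) and length (low
            # bits). The split depends on how much output already exists in this
            # chunk: 4 displacement bits for the first 16 bytes, one more bit
            # each time the output position doubles.
            pos = len(out) - 1
            length_mask = 0x0FFF
            disp_shift = 12
            while pos >= 0x10:
                length_mask >>= 1
                disp_shift -= 1
                pos >>= 1
            length = (token & length_mask) + 3
            offset = (token >> disp_shift) + 1
            if offset > len(out):
                raise ValueError("back-reference points before start of chunk")
            # Byte-wise copy so an overlapping reference (length > offset)
            # repeats the pattern, which is how LZNT1 encodes runs.
            start = len(out) - offset
            for k in range(length):
                out.append(out[start + k])
    return bytes(out)


def lznt1_decompress(buf: bytes) -> bytes:
    """Walk the chunk headers of an LZNT1 buffer and concatenate the output."""
    out = bytearray()
    i = 0
    while i + 2 <= len(buf):
        header = struct.unpack_from("<H", buf, i)[0]
        i += 2
        if header == 0:
            break                         # terminator / zero padding
        if (header >> 12) & 0x7 != 3:
            raise ValueError(f"bad chunk signature at offset {i - 2:#x}")
        size = (header & 0x0FFF) + 1      # compressed chunk body length
        body = buf[i:i + size]
        if len(body) != size:
            raise ValueError("truncated chunk")
        i += size
        if header & 0x8000:
            out += _decompress_chunk(body)
        else:
            out += body                   # stored chunk: raw bytes
    return bytes(out)


if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_LZNT1))        # b'ABCABCABCABChello'
    print(lznt1_decompress(SAMPLE_LZNT1_SHIFT))  # b'0123456789abcdefg01234'
```

Real chunks produce up to 4096 bytes of output each, and a value that compresses poorly is simply stored in a chunk with the flag bit clear, which is why both chunk kinds are handled above. Once `lznt1_decompress` returns, the result is what a script like the one used tonight would hand to the next parsing stage.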
You can watch the video here: