Q: Encrypting the registry (Answered, 5 out of 5 stars, 2 Comments)
Question  
Subject: Encrypting the registry
Category: Computers > Security
Asked by: polishruben-ga
List Price: $2.00
Posted: 04 Dec 2003 14:41 PST
Expires: 03 Jan 2004 14:41 PST
Question ID: 283606
I need to find a way to encrypt my computer registry when the computer
shuts down, and decrypt it when it boots up /great if I could use
password protection to decrypt/encrypt/. What I need to do is to
prevent anyone from taking my HDD, booting it up with another system
and editing my regedit (looking for e-mail accounts, settings,
passwords etc.) Is there any way of doing it? I could use regular PGP
to encrypt that file, but then the computer won't even boot up without the
encrypted registry. Is that doable?

Request for Question Clarification by endo-ga on 04 Dec 2003 15:02 PST
Hi,

Have you considered using the BIOS password feature? This would
prevent the system from even booting up, and barring someone opening the
case and resetting the BIOS settings, it can't be circumvented. Even that
possibility can be prevented with an adequate lock.

Thanks.
endo

Clarification of Question by polishruben-ga on 05 Dec 2003 07:37 PST
Endo-ga, I don't need bios password. It can be reset within 10 sec,
even without opening the case.

Themassiah-ga, you had a good idea, but forgot that you cannot encrypt
any system files with EFS /check:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/confeat/nt5efs.asp/
- where it reads:
"Users (administrators, in this case) should not encrypt files in the
system directory because these files are needed for the system to
boot. During the boot process, a user's key is not available to
decrypt the files. Such an operation can render the system useless"

As far as I know, the registry belongs to quite crucial system files ;)
If there is no other way to do that.. well.. I guess I won't be able
to do it. If someone knows ways around it that would be great, and I
promise a better tip as well.
One more time, let me specify what I need:

1) No one can read my registry even when they physically remove the hard
drive and plug it into a new system as an additional drive.

thank you guys.

Clarification of Question by polishruben-ga on 05 Dec 2003 08:54 PST
One more thing I forgot to add - I am using Windows 2000, with the NTFS file system.

Request for Question Clarification by bookface-ga on 15 Dec 2003 10:29 PST
What malachite suggests is, in essence, possible, even though you use
Windows 2000 and NTFS. There is a tool called NTFSDOS which allows
NTFS filesystems to be accessed from DOS [I don't remember if it
allows writing, though, and I suspect it does not], and Linux's latest
version can also read NTFS filesystems, and write to them provided the
data is going into a file of constant size, i.e. it can write any
200kb of data to a 200 kb file already existing on the system, which
could be perfect for your needs.

Let me detail the procedure.

A bootable floppy disk or CD could, when booted from, access the hard
drive and perform an encryption routine [optionally using a
user-inputted password] on the data in the registry file, storing it
in encrypted form into a second file that under normal use of the
computer would be filled with either garbage or blanks. (Both files
would be of the same size; the encrypted version's filesize could
easily be adjusted at shutdown to accommodate any changes in the
registry.) When the encryption operation is successfully performed, the
data in the real registry file would then be blanked out.

Upon a second boot with the same disk [and password if one was given]
the file would then be decrypted from the second file back into the
registry contents and the second file would be filled with blanks again.

If this would be an acceptable solution to you, I can work out the
details and do the coding for you, though I'd want a little more than
$2 for my troubles.


Another, slightly safer method might be a program or script that would
export the registry to a file, encrypt it with a password [or better
yet store it on a secure USB key], and if successful delete all
non-vital keys from the registry [i.e. everything not required for
booting]. Upon rebooting, one could then have a program or script do
the same in reverse, inserting values into the registry/importing from
the saved file. I am fairly sure this is quite doable and I consider
it safer because writing to NTFS or the registry comes with no
guarantee outside of Windows, and I could work on this solution for
you as well if desired.

Things to note:
Passwords are *normally* stored encrypted into the registry (though
note that is at the discretion of the programmer.) For all major
commercial software, you should be fine, though I make no guarantees
of course. For instance, until AIM version 4.2 or so, passwords were
only lightly encrypted and multiple programs existed to extract and
decrypt passwords from the registry; until 2.15 BulletProof FTP Server
stored its passwords in cleartext by default (although not in the
registry, which should be another concern of yours as not everything
is stored in that central repository); and so forth. However, as both
users and programmers become more aware of and attuned to security
issues, these holes are becoming less and less common.

It is possible that by scanning your registry someone might find an
email address of yours, but it seems much more likely they could find
this information through the internet or other easier and more legal
means.

As currently described, the latter of those two methods makes no
attempt to overwrite any data and the former makes only one. In the
latter case, with a simple hex editor and a boot disk one might
recover sensitive information; in the former, one could still take the
drive to, for instance, a forensics expert and be able to recover the
data. If I recall correctly, the data would need to be overwritten 7
times with garbage data for security. Again, this could be done if
desired, though it will probably be harder in the latter case.

Please let me know your thoughts.

- Bookface

Clarification of Question by polishruben-ga on 16 Dec 2003 12:25 PST
bookface-ga, I like your solution with the USB key.
How can I pay you for your troubles; can you change the status of this
question to 'answered'?
greetings
Answer  
Subject: Re: Encrypting the registry
Answered By: bookface-ga on 18 Dec 2003 10:56 PST
Rated:5 out of 5 stars
 
(See clarifications.)

Thanks for your interesting question, and for choosing Google! Answers.

- bookface
polishruben-ga rated this answer:5 out of 5 stars

Comments  
Subject: Re: Encrypting the registry
From: themassiah-ga on 04 Dec 2003 15:30 PST
 
You may wish to do some research on something called "EFS" or
Encrypted File System, it's one of the benefits of having Windows 2000
or greater. You can encrypt your entire filesystem so that if someone
doesn't have the correct username / password / security certificate,
they can't read the data even if they take your hard drive out and use
another machine to read it.  The catch is that if you lose your
certificate / username / password, you are up the creek, sans paddle.

Subject: Re: Encrypting the registry
From: malachite-ga on 09 Dec 2003 15:31 PST
 
This is a nifty solution, if you don't mind performing the additional
manual steps...

You could write (or have written) a DOS based program that performs
the file encryption. Then you would:

- shut down Windows
- boot into DOS from a floppy
- run the program to encrypt your system files
- shut down the computer

Then reverse the process when starting up: 

- boot into DOS (booting Windows won't work)
- decrypt your system files
- take out the floppy and boot into Windows

An experienced C++/Windows programmer could write a simple encryption
application to do this. It would probably only take a day or two.

Because it's such a proprietary encryption solution, it would likely
baffle most hackers or hard drive thieves.

As long as you don't mind booting into DOS every time you start up and
shut down your computer, this is a pretty cool solution. As a general
rule, the more secure your system is, the more annoying manual steps
you must take to keep it that way.

Cheers!
