ogmini
> > Heya, fellow red teamer here: Could you maybe elaborate on this part? I'm genuinely curious why you wouldn't just share the information if you have it. > >...
> Also, unfortunately, it's not the only thing left. The third byte in the format after "NP" is not part of the magic header. It's used by the .0 and...
> > @daddycocoaman do you have a possible ETA when your research will be published? > > Sorry for the delay. At some point during this, I think the tab...
> > > @daddycocoaman do you have a possible ETA when your research will be published? > > > > > > Sorry for the delay. At some point during...
> Looking at your screenshots @ogmini, the byte at offset `0A` is different between the versions and may indicate some kind of `optionsVersion` number. Thank you both again for the...
Would it be more "correct" to use FromFileTimeUtc? I might be nitpicking. I'm only noticing because I'm using FromFileTimeUtc in another plugin and want to be consistent. https://learn.microsoft.com/en-us/dotnet/api/system.datetime.fromfiletimeutc?view=net-9.0
@AndrewRathbun - I added some changes to support subkeys. Microsoft documentation didn't make mention of subkey support but it is there. I noticed it while perusing the settings.dat for Photos...
> @ogmini I have compiled this to test it out and found some more useful bits like in the Camera app it stores AppLaunchesWithSuccessfulCaptures as well as Camera devices inside...
> @ogmini Did you get it sorted okay? WindowsCommunicationApps appears to be linked to the Mail app/Outlook UWP app built into Windows 11. Attached below is the Values section...
~~Ok, it is being stored as a Win32 Filetime and not the Unix Filetime. That is really weird...~~ **EDIT** They are being stored as Windows FILETIME or DateTime.Ticks. I'm on...