Artifacts

Archive for March, 2012


RSS Gadget


John Lukach

Feed Headlines 1.1.0.0 for Windows Gadget Platform on Windows 7 x64

Windows Gadget Platform allows the Feed Headlines (RSS) mini-program to be displayed on the desktop. The RSS Gadget determines which feeds to display, and how many, from settings stored in the C:\Users\Username\AppData\Local\Microsoft\Windows Sidebar\Settings.ini file. The feeds themselves are managed by Internet Explorer using the FeedStore.FeedsDB-MS file found under the C:\Users\Username\AppData\Local\Microsoft\Feeds path. Other files in this directory, organized in sub-folders and normally containing a tilde (~) in their names, indicate independent feeds and content downloaded by the RSS Gadget.

The NTUSER.DAT registry hive contains three values under the Software\Microsoft\Feeds path that automate feed updates. SyncStatus enables automatic feed updates when set to "1" (yes). DefaultInterval sets whether updates occur every 15 minutes, 30 minutes, 1 hour, 4 hours, 1 day, or 1 week. SyncTask correlates to a key in the SOFTWARE registry hive, Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\User_Feed_Synchronization{guid}, whose Last Written time stamp shows when the scheduled task last ran to update the feeds.

Outlook Email Saving Options


John Lukach

Outlook 2010 & Aid4Mail 2.4

By default, Microsoft Outlook 2010 allows users to save email messages externally in the MSG, OFT, HTML, MHT, or TXT file formats. Microsoft Office programs can also have add-ins installed that extend the available functionality of the software. To verify whether any add-ins exist in Outlook, check the SOFTWARE and NTUSER.DAT registry hives for the following key path: Microsoft\Office\Outlook\Addins.

Other applications can access email using a Messaging Application Programming Interface (MAPI) connection. One example is Aid4Mail, an email conversion program from Fookes Software that adds file format export options such as PDF, ZIP, XML, and others. The file formats and export paths used by the application can be found in the C:\Users\Username\AppData\Roaming\Aid4Mail\Aid4Mail.ini file.

Not every application that uses a MAPI connection will leave such an obvious artifact, and which email formats are available is up to the specific developer. One option is to determine which DLLs an executable uses, for example C:\Windows\SysWow64\mapi32.dll or C:\Program Files (x86)\Microsoft Office\Office14\olmapi32.dll. Another is a timeline approach: determine whether a MAPI configuration was abnormally accessed by looking for the creation and deletion of C:\Users\Username\Documents\Outlook Files\~Outlook.pst.tmp without other normal Outlook behavior.
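
The timeline approach from the last paragraph, as an added example that is not part of the original post: it pairs each creation and deletion of ~Outlook.pst.tmp and flags the pairs with no sign of Outlook itself running nearby. The CSV layout, the use of an OUTLOOK.EXE execution entry as the marker of "normal Outlook behavior", and the 10-minute window are assumptions; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

TMP_NAME = "\\~outlook.pst.tmp"
OUTLOOK_EXE = "\\outlook.exe"
WINDOW = timedelta(minutes=10)  # assumption: how close an Outlook launch must be

# Constructed timeline rows (timestamp,action,path); not from a real case.
SAMPLE = r"""
2012-03-05T09:00:02,execute,C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
2012-03-05T09:00:05,create,C:\Users\Username\Documents\Outlook Files\~Outlook.pst.tmp
2012-03-05T09:00:06,delete,C:\Users\Username\Documents\Outlook Files\~Outlook.pst.tmp
2012-03-06T23:14:40,create,C:\Users\Username\Documents\Outlook Files\~Outlook.pst.tmp
2012-03-06T23:14:41,delete,C:\Users\Username\Documents\Outlook Files\~Outlook.pst.tmp
"""

def parse(text):
    """Return (timestamp, action, path) tuples sorted by time."""
    rows = []
    for ts, action, path in csv.reader(io.StringIO(text.strip())):
        rows.append((datetime.fromisoformat(ts), action.lower(), path))
    return sorted(rows)

def suspicious_tmp_pairs(rows, window=WINDOW):
    """Flag create/delete pairs of the temp PST with no Outlook launch nearby."""
    outlook_runs = [ts for ts, action, path in rows
                    if action == "execute" and path.lower().endswith(OUTLOOK_EXE)]
    findings, created = [], {}
    for ts, action, path in rows:
        key = path.lower()
        if not key.endswith(TMP_NAME):
            continue
        if action == "create":
            created[key] = ts
        elif action == "delete" and key in created:
            start = created.pop(key)
            # "Normal" here means Outlook started shortly before or during the pair.
            normal = any(start - window <= run <= ts for run in outlook_runs)
            if not normal:
                findings.append((start, ts, path))
    return findings

if __name__ == "__main__":
    for start, end, path in suspicious_tmp_pairs(parse(SAMPLE)):
        print(f"{start} -> {end}  {path}  (no Outlook launch within {WINDOW})")
```

A long-running Outlook session started hours earlier would also be flagged with this window, so corroborate hits with other evidence of Outlook activity before drawing conclusions.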