Security Basics mailing list archives

RE: Protected Storage on Windows XP


From: "Mark Spencer" <mspencer () evidentdata com>
Date: Thu, 25 Nov 2004 09:26:43 -0800

Hi Marco,

I use SecureClean from WhiteCanyon -
http://www.whitecanyon.com/index.php.  I did a quick test of the
protected storage functionality and it looks like it works as
advertised!

Mark

-----Original Message-----
From: Marco Monicelli [mailto:marco.monicelli () marcegaglia com] 
Sent: Wednesday, November 24, 2004 11:02 AM
To: security-basics () securityfocus com; sectools () securityfocus com
Subject: Protected Storage on Windows XP
Importance: High





Hello List!

I'm not sure this is the right list to send this question to, but I'll
give it a try.

I would like to know if it is possible to delete the protected storage
data on Windows XP.

Supposing a user is using

PStoreView 1.0 - (c) 2002, Arne Vidstrom
               - http://ntsecurity.nu

and can read the data inside the Protected Storage. Now what if he's
able to delete it? Is this possible? Any tool which a user can use to
wipe this useful information? Any really working "log cleaner" known
for Windows? I tried several cleaners claiming they could wipe logs out
from a Windows box but I honestly didn't find them working. I made a
batch which actually is a port of any Linux log cleaner (finding the
string, copying the log file without that string, substituting the new
log for the old one) but this doesn't work on Windows. Can't stop the
process 'cause it has SYSTEM privileges and can't touch any system log
nor event log. I think a DLL injection would do the trick but I'm
honestly not so skilled to do that.

I'm trying to demonstrate to some friends of mine that even Windows can
allow wiping sensitive information such as logs and stuff. My friends
are sure that you cannot wipe all info out of a Windows system and on
the contrary you can do that on a Linux machine for example.

Any help would be very appreciated

Regards

Marco

