12-28-2018 10:36 PM
Request: Introduce Program UUIDs into the Windows Registry to better manage all of the registry keys associated with a program throughout its lifetime on the system.
When a program executes on the system, regardless of whether it went through a standard MSI installation or is a standalone executable downloaded from the internet, the kernel should generate a UUID from the contents of the program (for example, from a SHA-1 hash of the executable's contents) the first time that program is executed. The UUID should not be generated if the program never executes. The kernel would store this on disk in a secret, privileged program UUID table.
The UUID table would be a memory-mapped file, mapped when the operating system initializes, so that it could make use of the kernel's file cache and would not have to routinely call the file management APIs.
After the kernel assigns a UUID to the program, the executable file on disk will have a bit updated which states that it was assigned a UUID. Copies of the executable file will share that UUID as long as the contents of the file are not changed or updated; when they are, a dirty bit is set for the file, indicating to the kernel that the next time it executes it should generate a new UUID for that file. Downloaded files that execute and generate the same UUID as another program, based on their contents, should also share that UUID. When the kernel loads the file into main memory, this UUID bit should be checked conditionally: if it is already set, the kernel skips the routine that assigns a UUID and instead grabs a reference to the UUID in the UUID table for that program's runtime.
When the program makes modifications to the Windows registry by calling routines such as RegCreateKey, the kernel will check the program UUID of the process in which the calling thread is executing and then assign it as an attribute of that registry key. This allows administrators to know which keys were created by which programs when managing them or uninstalling them, because some programs don't completely clean up after themselves in the registry.
Cmdlets that could be used with PowerShell for this:
Get-ProgramUUID <Program> <# Gets the UUID for the program #>
Enum-ProgramUUID <Program> <# Enumerates each registry key the program added #>
RegDelete-ProgramUUID <Program> <# Deletes all keys associated with the program #>
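The following is an added example, not code from the original post and not a Windows implementation: a user-mode Python model of the content-derived UUID, the UUID table with its "assigned" and "dirty" handling, and a toy registry whose keys carry the creating program's UUID, with functions standing in for the Get-ProgramUUID, Enum-ProgramUUID and RegDelete-ProgramUUID cmdlets listed above. The namespace UUID, the sample "executables" (byte strings) and the key paths are all constructed for the example. The UUID is built the way RFC 4122 name-based (v5) UUIDs are: SHA-1 over the namespace plus the file bytes, truncated to 128 bits with the version and variant bits set.

```python
import hashlib
import uuid

# Hypothetical namespace for the program-UUID scheme (an assumption of this
# example, not a Windows constant). It only needs to be fixed, so that the same
# file bytes always derive the same UUID.
PROGRAM_NAMESPACE = uuid.UUID("3f6b1c2e-5a7d-4c19-8e2b-0d9f1a2b3c4d")


def program_uuid(contents: bytes) -> uuid.UUID:
    """Derive a UUID from executable contents: SHA-1 over (namespace || bytes),
    truncated to 16 bytes with RFC 4122 v5 version/variant bits set.
    Byte-identical files (copies, re-downloads) therefore map to one UUID."""
    digest = hashlib.sha1(PROGRAM_NAMESPACE.bytes + contents).digest()
    return uuid.UUID(bytes=digest[:16], version=5)


class ProgramUuidTable:
    """User-mode model of the proposed kernel UUID table.

    `assigned` plays the role of the per-file "UUID assigned" bit: it keeps the
    content hash seen at assignment time, so a later execution of a modified
    file (the "dirty" case) is detected and the UUID is re-derived."""

    def __init__(self):
        self.assigned = {}       # path -> (uuid, sha1 of contents at assignment)
        self.paths_by_uuid = {}  # uuid -> set of paths currently sharing it

    def on_execute(self, path: str, contents: bytes) -> uuid.UUID:
        """Called when `path` is executed; returns the UUID for this run."""
        content_hash = hashlib.sha1(contents).hexdigest()
        entry = self.assigned.get(path)
        if entry is not None and entry[1] == content_hash:
            return entry[0]                      # bit set, file unchanged: reuse
        if entry is not None:                    # file changed: dirty, re-derive
            self.paths_by_uuid[entry[0]].discard(path)
        new_uuid = program_uuid(contents)
        self.assigned[path] = (new_uuid, content_hash)
        self.paths_by_uuid.setdefault(new_uuid, set()).add(path)
        return new_uuid

    def get_program_uuid(self, path: str):
        """Get-ProgramUUID: None if the file has never executed."""
        entry = self.assigned.get(path)
        return entry[0] if entry else None


class TaggedRegistry:
    """Toy registry in which every created key records the creating program."""

    def __init__(self):
        self.keys = {}  # key path -> owning program UUID

    def reg_create_key(self, key_path: str, process_uuid: uuid.UUID) -> None:
        # The kernel would read the UUID from the calling process; the caller
        # passes it explicitly in this model.
        self.keys[key_path] = process_uuid

    def enum_program_uuid(self, program: uuid.UUID) -> list:
        """Enum-ProgramUUID: every key the program created."""
        return sorted(k for k, owner in self.keys.items() if owner == program)

    def regdelete_program_uuid(self, program: uuid.UUID) -> int:
        """RegDelete-ProgramUUID: remove all of the program's keys, return count."""
        victims = self.enum_program_uuid(program)
        for k in victims:
            del self.keys[k]
        return len(victims)


# Constructed sample "executables": byte strings standing in for file contents.
EXE_A = b"MZ\x90\x00" + b"program A, build 1\n" * 8
EXE_A_PATCHED = EXE_A + b"\x00"  # same program, contents changed by one byte
EXE_B = b"MZ\x90\x00" + b"program B, build 1\n" * 8


def demo() -> dict:
    table = ProgramUuidTable()
    reg = TaggedRegistry()
    ua = table.on_execute(r"C:\Tools\a.exe", EXE_A)
    ua_copy = table.on_execute(r"C:\Downloads\a (1).exe", EXE_A)  # identical copy
    ub = table.on_execute(r"C:\Tools\b.exe", EXE_B)
    reg.reg_create_key(r"HKLM\SOFTWARE\VendorA\Settings", ua)
    reg.reg_create_key(r"HKCU\Software\VendorA\Cache", ua_copy)
    reg.reg_create_key(r"HKLM\SOFTWARE\VendorB", ub)
    ua2 = table.on_execute(r"C:\Tools\a.exe", EXE_A_PATCHED)  # patched in place
    return {
        "copies_share": ua == ua_copy,
        "patched_differs": ua2 != ua,
        "a_paths_after_patch": sorted(table.paths_by_uuid[ua]),
        "a_keys": reg.enum_program_uuid(ua),
        "deleted": reg.regdelete_program_uuid(ua),
        "remaining": sorted(reg.keys),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model makes the duplicate-file obstacle concrete: two byte-identical copies resolve to the same UUID and both contribute keys that Enum-ProgramUUID lists together, while patching one copy in place moves only that path to a fresh UUID and leaves the other copy's keys attached to the old one.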
Possible Development Issues:
- Adding new data structures to the Windows kernel and revising some such as EPROCESS
- Modifying how the registry database works by adding in attributes such as UUIDs
- Adding new API calls to interface with UUIDs
- Modifying existing API calls in the kernel
A major obstacle is most likely duplicate files.