Not really an issue but wanted to share our config file. We are demonstrating this in our FOR500 course now.
SIFT-OWNER opened this issue · 8 comments
E:\$MFT
E:\$Recycle.Bin
E:\$LogFile
E:\Windows\System32\sru
E:\Windows\inf\setupapi.dev.log
E:\Windows\Appcompat\Programs
E:\Windows\System32\winevt\logs
E:\Windows\Tasks
E:\Windows\System32\Tasks
E:\Windows\Prefetch
E:\Windows\System32\config\SAM
E:\Windows\System32\config\SYSTEM
E:\Windows\System32\config\SOFTWARE
E:\Windows\System32\config\SECURITY
E:\Windows\System32\config\SAM.LOG1
E:\Windows\System32\config\SYSTEM.LOG1
E:\Windows\System32\config\SOFTWARE.LOG1
E:\Windows\System32\config\SECURITY.LOG1
E:\Windows\System32\config\SAM.LOG2
E:\Windows\System32\config\SYSTEM.LOG2
E:\Windows\System32\config\SOFTWARE.LOG2
E:\Windows\System32\config\SECURITY.LOG2
E:\ProgramData\Microsoft\Search\Data\Applications\Windows
E:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent
E:\Users\<USERNAME>\NTUSER.DAT
E:\Users\<USERNAME>\NTUSER.DAT.LOG1
E:\Users\<USERNAME>\NTUSER.DAT.LOG2
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
E:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer
That's awesome and really appreciate the feedback. We will look at the best way to add this to the repo for sure.
Adding on to the list, E:\$Extend\$Usnjrnl:$J
Yeah -- I think they cannot pull from ADS yet -- I think we have a separate request to look at that. But the idea here is to get a really decent configuration file that folks can append/amend perhaps. Maybe set it up as a part of the distro for Windows. Not sure.
#67 This is the request for USN
Ah missed that out
I was looking at the list and think it would be best to use the Windows system variables like %SYSTEMROOT% instead of drive letters and specifying the Windows directory. This should be included as/with the Windows default.
The challenge has been finding the dynamically assigned things in user space. There is a branch for that but it has been on hold due to resource constraints. If anyone wants to help with that please let us know.
Yes -- we were just talking about that -- I was logging in to replace the E:\ with a C:\ as we use it on a mounted drive for "demonstrations"
C:\$MFT
C:\$Recycle.Bin
C:\$LogFile
C:\Windows\System32\sru
C:\Windows\inf\setupapi.dev.log
C:\Windows\Appcompat\Programs
C:\Windows\System32\winevt\logs
C:\Windows\Tasks
C:\Windows\System32\Tasks
C:\Windows\Prefetch
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SAM.LOG1
C:\Windows\System32\config\SYSTEM.LOG1
C:\Windows\System32\config\SOFTWARE.LOG1
C:\Windows\System32\config\SECURITY.LOG1
C:\Windows\System32\config\SAM.LOG2
C:\Windows\System32\config\SYSTEM.LOG2
C:\Windows\System32\config\SOFTWARE.LOG2
C:\Windows\System32\config\SECURITY.LOG2
C:\ProgramData\Microsoft\Search\Data\Applications\Windows
C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent
C:\Users\<USERNAME>\NTUSER.DAT
C:\Users\<USERNAME>\NTUSER.DAT.LOG1
C:\Users\<USERNAME>\NTUSER.DAT.LOG2
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
C:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\Explorer
All recommendations have been included as the new default in version 1.5.0 https://github.com/orlikoski/CyLR/releases/tag/1.5.0
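An added example, not part of the thread and not CyLR's own code: one way to turn a drive-independent artifact list (the %SYSTEMROOT% suggestion above) into concrete paths, including the per-user entries. The template syntax, the `expand_targets` helper and the user names are assumptions made for illustration; the variables are passed in explicitly because on a mounted evidence drive the analysis host's own environment would point at the wrong Windows directory.

```python
import re

# Constructed template in the spirit of the list above: environment variables
# instead of drive letters, <USERNAME> for per-user artifacts (assumed syntax).
TEMPLATE = r"""
%SYSTEMDRIVE%\$MFT
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\Prefetch
%SYSTEMDRIVE%\Users\<USERNAME>\NTUSER.DAT
%SYSTEMDRIVE%\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat
%NOSUCHVAR%\example
"""

_VAR = re.compile(r"%([^%\\]+)%")


def expand_targets(template, env, usernames):
    """Return (paths, unresolved): concrete paths, and lines naming unknown variables."""
    # Windows variable names are case-insensitive; drop trailing backslashes
    # so "C:\Windows\" and "C:\Windows" expand identically.
    env = {k.upper(): v.rstrip("\\") for k, v in env.items()}
    paths, unresolved = [], []
    for line in template.splitlines():
        line = line.strip()
        if not line:
            continue
        # Report lines with unknown variables instead of silently skipping them,
        # so a gap in collection coverage is visible to the examiner.
        if any(name.upper() not in env for name in _VAR.findall(line)):
            unresolved.append(line)
            continue
        line = _VAR.sub(lambda m: env[m.group(1).upper()], line)
        if "<USERNAME>" in line:
            # One concrete path per profile found on the target volume.
            paths.extend(line.replace("<USERNAME>", u) for u in usernames)
        else:
            paths.append(line)
    return paths, unresolved


def demo():
    # Mounted evidence image on E:, as in the thread; user names are constructed.
    env = {"SystemDrive": "E:", "SystemRoot": "E:\\Windows"}
    return expand_targets(TEMPLATE, env, ["alice", "bob"])


if __name__ == "__main__":
    paths, unresolved = demo()
    print("\n".join(paths))
    print("unresolved:", unresolved)
```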