See, if you're going to do an audit of my machine (I don't even have physical access to it, I just remote into it and from there do my job) please don't be a stupid fuck and rail on me for stupid things or else I will call your supervisor with a detailed report of your fucktitude and get you off my back/demoted/fired.
CAUTION, closely ties in to my Windows Registry love/work I've been doing lately so you'll either find this interesting/edumacating or boring as hell.
So, fucktard auditor starts the audit and checks my logs and all (regular procedure for us people who operate with sensitive data) and doesn't find anything. Then the smart-ass goes through a registry audit even though he has no idea how it works and what to look for; because of this I get the following remark:
--
HKLM\COMPONENTS\CanonicalData\Catalogs\3b54094f5a05267108b2055e89efc199eea78f49513c7d09cf77a799329e8d0e
HKLM\COMPONENTS\CanonicalData\Deployments\wpdfs.inf_31bf3856ad364e35_6.1.7600.16385_81e1c728ec4cc8a8
--
User tried to install PDF generating software which can be used to export data outside of the restricted access containment, violating the xxxx ITSec Policy.
Now, if the fucktard knew anything about his job he might have perhaps Googled those keys and found out that they are related to the Microsoft Windows Media Format Packages and not Adobe PDF.
Even easier, HKLM\COMPONENTS is mostly about updates (Windows Updates / Microsoft Updates) to the OS and, as such, doesn't need to be human readable; what he was seeing were a lot of GUIDs or file hashes (or something like that) used by the system updater internally.
See, it would be nice if, before you ruin my morning, you do your job and learn a little about the Registry before doing an audit on it (and it was clear this was the first time he did this):
There is a convention of apps storing registry values in essentially two places:
1. HKLM\SOFTWARE\VendorName\SoftwarePackageName (sometimes VendorName is left out) - these are intended to be config items used for systemwide installations of the software. HKLM is security protected so that it can only be written to by processes with admin or SYSTEM privs. So generally speaking this key should hold global things like paths, language versions, product activation hooha, etc.
2. HKCU\Software\VendorName\SoftwarePackageName (again VendorName is sometimes left out) - these are intended to be per-user local variables, like what size you last left the window at, your initials, favorites, menu customizations, etc. Here it's helpful to know that HKCU (HKEY_CURRENT_USER) is basically just a symlink to the registry hive located at %systemdrive%\Users\loggedonusername\NTUSER.DAT. The user profile, in other words. Similar to those things one might find in /usr/home/yourusername/.appname directories on *nix.
Now there are a few things stored elsewhere - for instance if an app needs to register a filename extension or certain other object types, that happens in HKEY_CLASSES_ROOT. And services have their own set of special keys in HKLM\SYSTEM\CurrentControlSet\Services (drivers are really a special class of services, by the way, at least from the registry's POV).
So if you were trying to find out what software I tried to install, and by some magic voodoo it didn't make it in the logs but made it in the registry (which is impossible no matter how much of a 1337 hacker you can be, short of modifying the entire kernel of a running machine whose uptime is almost 100%), don't look in places where keys shouldn't belong.
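The key-placement convention above, turned into a small triage helper an auditor could run over registry paths before writing up a finding. This is an added example, not code from the original post; ExampleVendor, PdfMaker and examplesvc are made-up names, and skipping Wow6432Node (the 32-bit view on 64-bit Windows) goes beyond what the post covers.

```python
import re

# Long hive names an audit report may use, mapped to the short form.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR"}
SERVICES = ["system", "currentcontrolset", "services"]

def classify(key):
    """Return (area, detail, app_footprint) for one registry key path.

    app_footprint is True only for places where, by the convention
    described above, installed software leaves its keys.
    """
    parts = [p for p in re.split(r"[\\/]+", key.strip()) if p]
    if not parts:
        return ("unknown", None, False)
    hive = HIVES.get(parts[0].upper(), parts[0].upper())
    rest = parts[1:]
    low = [p.lower() for p in rest]

    if hive == "HKLM" and low[:1] == ["components"]:
        # OS update servicing data: opaque names, not app installs.
        return ("os-servicing", "\\".join(rest[1:]) or None, False)
    if hive in ("HKLM", "HKCU") and low[:1] == ["software"]:
        app = rest[1:]
        # Assumption beyond the post: skip the 32-bit view node.
        if app and app[0].lower() == "wow6432node":
            app = app[1:]
        scope = "machine-wide-app" if hive == "HKLM" else "per-user-app"
        return (scope, "\\".join(app[:2]) or None, bool(app))
    if hive == "HKLM" and low[:3] == SERVICES:
        name = rest[3] if len(rest) > 3 else None
        return ("service-or-driver", name, name is not None)
    if hive == "HKCR":
        return ("class-registration", rest[0] if rest else None, bool(rest))
    return ("other", None, False)

# Constructed sample: one key from the audit remark plus made-up ones.
SAMPLE = [
    r"HKLM\COMPONENTS\CanonicalData\Deployments"
    r"\wpdfs.inf_31bf3856ad364e35_6.1.7600.16385_81e1c728ec4cc8a8",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ExampleVendor\PdfMaker\Settings",
    r"HKCU\Software\ExampleVendor\PdfMaker",
    "HKLM/SYSTEM/CurrentControlSet/Services/examplesvc",
]

if __name__ == "__main__":
    for k in SAMPLE:
        print(classify(k), k)
```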