Tag: rot13

  • Windows Registry – Caesar Shift

    If you have ever used Process Monitor to watch a process's behaviour, you might have noticed some odd-looking words in the registry being queried by explorer.exe.

    [Screenshot: Process Monitor]

    These are actually normal words, on which a Caesar Shift of 13 has been applied.

    In cryptography, a Caesar shift is one of the simplest and most widely known encryption techniques. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet, in this case a shift of 13.
    A shift of 13 is self-inverse, so the same code can be used for “encryption” and “decryption”.

    If I put some words from the example above into my Caesar shift 13 tool:

    Zvpebfbsg.NhgbTrarengrq
    vfpfvpcy.rkr
    ZqFpurq.rkr
    cevagznantrzrag.zfp
    freivprf.zfp

    the output is:

    microsoft.autogenerated
    iscsicpl.exe
    mdsched.exe
    printmanagement.msc
    services.msc

    These entries are in the parent key {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}, which holds a list of applications, files, etc. that have recently been accessed.
    Programs that have been launched from the command line will not appear in this list. Nevertheless, this decoding can be a useful tool in computer forensics.
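The decoding described above, as an added example (not the author's tool): it pulls value names out of a registry export and applies the shift of 13, preserving case and leaving digits, dots and backslashes untouched. The export fragment is constructed: the value names come from the post, while the elided key path, the data bytes and the `P:\Gbbyf\rknzcyr.rkr` entry are assumptions made for illustration.

```python
import re
import string


def caesar(text: str, shift: int = 13) -> str:
    """Shift ASCII letters by `shift` places, keeping case; other characters pass through."""
    shift %= 26
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(lo + up,
                          lo[shift:] + lo[:shift] + up[shift:] + up[:shift])
    return text.translate(table)


# Constructed sample in .reg export layout. Key path is elided on purpose,
# data bytes are placeholders, and the last value name is made up.
SAMPLE_EXPORT = r'''
[...\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}]
"Zvpebfbsg.NhgbTrarengrq"=hex:00,00
"ZqFpurq.rkr"=hex:00,00
"freivprf.zfp"=hex:00,00
"P:\\Gbbyf\\rknzcyr.rkr"=hex:00,00
'''

# A value line starts with a quoted name; \\ and \" are escapes inside it.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')


def decode_value_names(export_text: str) -> list[tuple[str, str]]:
    """Return (stored_name, decoded_name) for every value line in the export."""
    results = []
    for line in export_text.splitlines():
        match = VALUE_LINE.match(line.strip())
        if not match:
            continue  # key headers and blank lines are skipped
        stored = re.sub(r'\\(.)', r'\1', match.group(1))  # undo .reg escaping
        results.append((stored, caesar(stored)))
    return results


if __name__ == "__main__":
    for stored, decoded in decode_value_names(SAMPLE_EXPORT):
        print(f"{stored:26} -> {decoded}")
```

Because the shift is self-inverse, `caesar()` also re-encodes a known program name so it can be searched for in a capture or export.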