Note: I translated Japanese into English using Google Translate.
Thank you, Google.
Delete the registry key and check the time stamp.
Create sample registry keys and values under SYSTEM.
Last write timestamp: 2018-12-09 05:33:00 (UTC)
Delete the registry key and check the timestamp. The timestamp has not changed.
Last write timestamp: 2018-12-09 05:33:00 (UTC)
Next, we create a key with several subkeys.
EVIDENCE002: Last write timestamp: 2018-12-09 05:54:22 (UTC)
EVIDENCE003: Last write timestamp: 2018-12-09 05:54:31 (UTC)
EVIDENCE004: Last write timestamp: 2018-12-09 05:54:49 (UTC)
Delete the parent key EVIDENCE002 and check the timestamps.
EVIDENCE002: Last write timestamp: 2018-12-09 06:01:00 (UTC)
EVIDENCE003: Last write timestamp: 2018-12-09 06:01:00 (UTC)
EVIDENCE004: Last write timestamp: 2018-12-09 05:54:49 (UTC)
The timestamps of EVIDENCE002 and EVIDENCE003 have been updated to the deletion time; EVIDENCE004 keeps its original timestamp.
What changed? Compare the technical details of EVIDENCE003 before and after the deletion.
EVIDENCE003 (before deleting)
Size: 0x60
Relative Offset: 0x327848
Absolute Offset: 0x328848
Signature: nk
Flags: CompressedName
Name: EVIDENCE003
Last Write Timestamp: 12/9/2018 5:54:31 AM +00:00
Is Free: False
Debug: 0x0
Maximum Class Length: 0x0
Class Cell Index: 0x0
Class Length: 0x0
Maximum Value Data Length: 0x0
Maximum Value Name Length: 0x0
Name Length: 0xB
Maximum Name Length: 0x16
Parent Cell Index: 0x327970
Security Cell Index: 0x64B3D0
Subkey Counts Stable: 0x1
Subkey Lists Stable Cell Index: 0xA489A8
Subkey Counts Volatile: 0x0
User Flags: 0x00000000
Virtual Control Flags: 0x00000000
Work Var: 0x0
Value Count: 0x0
Value List Cell Index: 0x0
Padding: 00-63-14-FE-E9
Security key
Size: 0x108
Relative Offset: 0x64B3D0
Absolute Offset: 0x64C3D0
Signature: sk
Is Free: False
Forward Link: 0x138C70
Backward Link: 0x64B8F0
Reference Count: 7
Security descriptor length: 0xF0
Security descriptor: Revision: 0x1
Control: SeDaclPresent, SeDaclAutoInherited, SeSaclAutoInherited, SeSelfRelative
Owner offset: 0xC4
Owner SID: S-1-5-32-544
Owner SID Type: BuiltinAdministrators
Group offset: 0xD4
Group SID: S-1-5-21-3032502310-280463001-373959476-513
Group SID Type: DomainUsers
Dacl Offset: 0x14
DACL: ACL Revision: 0x2
ACL Size: 0xB0
ACL Type: Discretionary
Sbz1: 0x0
Sbz2: 0x0
ACE Records Count: 6
------------ Ace record #0 ------------
ACE Size: 0x18
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritedAce
Mask: QueryValue, EnumerateSubkeys, Notify, ReadControl
SID: S-1-5-32-545
SID Type: BuiltinUsers
SID Type Description: S-1-5-32-545: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
------------ Ace record #1 ------------
ACE Size: 0x18
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritedAce
Mask: FullControl
SID: S-1-5-32-544
SID Type: BuiltinAdministrators
SID Type Description: S-1-5-32-544: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Administrators group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Administrators group also is added to the Administrators group.
------------ Ace record #2 ------------
ACE Size: 0x14
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritedAce
Mask: FullControl
SID: S-1-5-18
SID Type: LocalSystem
SID Type Description: S-1-5-18: An account that is used by the operating system.
------------ Ace record #3 ------------
ACE Size: 0x14
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritOnlyAce, InheritedAce
Mask: FullControl
SID: S-1-3-0
SID Type: CreatorOwner
SID Type Description: S-1-3-0: A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator.
------------ Ace record #4 ------------
ACE Size: 0x18
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritedAce
Mask: QueryValue, EnumerateSubkeys, Notify, ReadControl
SID: S-1-15-2-1
SID Type: AllAppPackages
SID Type Description: S-1-15-2-1: All applications running in an app package context.
------------ Ace record #5 ------------
ACE Size: 0x38
ACE Type: AccessAllowedAceType
ACE Flags: ContainerInheritAce, InheritedAce
Mask: QueryValue, EnumerateSubkeys, Notify, ReadControl
SID: S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
SID Type: UnknownOrUserSid
SID Type Description: SID does not map to a common SID or this is a user SID
Subkeys
Key name: EVIDENCE004, Value count: 1, Subkey count: 0
Key name: New Key #1, Value count: 0, Subkey count: 0
EVIDENCE003 (deleted)
Size: 0xB0
Relative Offset: 0x327848
Absolute Offset: 0x328848
Signature: nk
Flags: CompressedName
Name: EVIDENCE003
Last Write Timestamp: 12/9/2018 6:01:00 AM +00:00
Is Free: True
Debug: 0x0
Maximum Class Length: 0x0
Class Cell Index: 0x0
Class Length: 0x0
Maximum Value Data Length: 0x0
Maximum Value Name Length: 0x0
Name Length: 0xB
Maximum Name Length: 0x0
Parent Cell Index: 0x327970
Security Cell Index: 0xFFFFFFFF
Subkey Counts Stable: 0x0
Subkey Lists Stable Cell Index: 0x0
Subkey Counts Volatile: 0x0
User Flags: 0x00000000
Virtual Control Flags: 0x00000000
Work Var: 0x0
Value Count: 0x0
Value List Cell Index: 0x0
Subkeys
Key name: New Key #1, Value count: 0, Subkey count: 0
Key name: EVIDENCE004, Value count: 1, Subkey count: 0
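As an added example (my own code, not part of the original post or of any tool it uses), a small Python parser for the nk cell fields compared above, with constructed fixtures that carry the post's before/after values for EVIDENCE003. The byte layout follows the publicly documented hive format and is my assumption; the `extra` argument models the 0x60 to 0xB0 growth of the freed cell as coalesced free space, which the post shows but does not explain.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
KEY_COMP_NAME = 0x0020  # nk flag: key name stored as 8-bit ASCII rather than UTF-16LE
# nk record after the 4-byte cell size: signature, flags, FILETIME, access bits, parent,
# stable/volatile subkey counts and list offsets, value count/list, security and class offsets,
# largest subkey name length (low 16 bits), three more maxima, WorkVar, name and class lengths.
NK_HEADER = struct.Struct("<2sHQ" + "I" * 15 + "HH")

def build_nk_cell(name, last_write, parent, subkeys, subkey_list, security, max_name_len,
                  free=False, extra=0):
    """Construct an nk cell as a fixture. Hive cells store a negative size when allocated."""
    filetime = int((last_write - FILETIME_EPOCH).total_seconds()) * 10_000_000
    body = NK_HEADER.pack(b"nk", KEY_COMP_NAME, filetime, 0, parent, subkeys, 0, subkey_list,
                          0, 0, 0, security, 0, max_name_len, 0, 0, 0, 0, len(name), 0)
    body += name.encode("ascii")
    size = ((4 + len(body) + 7) & ~7) + extra  # 8-byte aligned; extra models coalesced free space
    body += b"\x00" * (size - 4 - len(body))
    return struct.pack("<i", size if free else -size) + body

def parse_nk_cell(cell):
    """Decode the nk fields that the 'Technical details' listing above reports."""
    size = struct.unpack_from("<i", cell, 0)[0]
    f = NK_HEADER.unpack_from(cell, 4)
    if f[0] != b"nk":
        raise ValueError("not an nk cell")
    name_off = 4 + NK_HEADER.size
    raw = cell[name_off:name_off + f[18]]
    return {
        "Size": abs(size),
        "Is Free": size > 0,  # a positive cell size marks a free (deleted) cell
        "Name": raw.decode("ascii") if f[1] & KEY_COMP_NAME else raw.decode("utf-16-le"),
        "Last Write Timestamp": FILETIME_EPOCH + timedelta(microseconds=f[2] // 10),
        "Parent Cell Index": f[4],
        "Subkey Counts Stable": f[5],
        "Subkey Lists Stable Cell Index": f[7],
        "Security Cell Index": f[11],
        "Maximum Name Length": f[13] & 0xFFFF,
    }

def diff_cells(before, after):
    """Return {field: (old, new)} for every field that differs between two parsed cells."""
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}
# Constructed fixtures carrying the values the post reports for EVIDENCE003 before and after
# the parent key was deleted (the byte layout is ours; extra=0x50 reproduces the 0x60 -> 0xB0 growth).
BEFORE = build_nk_cell("EVIDENCE003", datetime(2018, 12, 9, 5, 54, 31, tzinfo=timezone.utc),
                       parent=0x327970, subkeys=1, subkey_list=0xA489A8, security=0x64B3D0, max_name_len=0x16)
AFTER = build_nk_cell("EVIDENCE003", datetime(2018, 12, 9, 6, 1, 0, tzinfo=timezone.utc), parent=0x327970,
                      subkeys=0, subkey_list=0, security=0xFFFFFFFF, max_name_len=0, free=True, extra=0x50)
```

Running `diff_cells(parse_nk_cell(BEFORE), parse_nk_cell(AFTER))` lists exactly the fields the post's comparison shows changing (size, free flag, last write time, subkey count and list, security cell index, maximum name length), so for a recovered deleted key the last write timestamp is the deletion time, not the time of the key's last real modification.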
Verification environment: Windows 10 1803
Reference URL: