Outlook



Property Details

ID: 51
Title: Outlook
Domain: BESC
Keywords: Outlook, Windows
Added by on 11/29/2012 10:34:08 AM
Last Modified by on 11/29/2012 10:34:08 AM
Counters 4434 Views / 57 Downloads

Properties

PST Files
Period 12 hours
 
  * Results in a "string"/number
concatenation ", " of (if exists regapp "outlook.exe" then if version of regapp "outlook.exe" = "10" then (if (exists values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) then ((pathname of it & " - " & (size of it / (1024*1024)) as string & "Mb") of files ((values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) as string)) else ("No archive")) else if version of regapp "outlook.exe" >= "11" then (if (exists (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) then (((pathname of it & " - " & (size of it / (1024*1024)) as string & "MB") of files ((hexadecimal strings (concatenation of ((hexadecimal integer (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose (it mod 4 = 0) of it)) of (preceding texts of lasts "0" of (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) as string))) else ("No Archive")) else "Outlook < XP installed" else "Outlook not installed")
# of all email accounts on computer
Period 6 hours
 
  * Results in a "string"/number
if exists keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" of keys of key "HKEY_USERS" of registry then number of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" of keys of key "HKEY_USERS" of registry as string else "No Outlook installed"
# of POP accounts on computer
Period 6 hours
 
  * Results in a "string"/number
number of values "POP3 Server" of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" of keys of key "HKEY_USERS" of registry as string
# of IMAP accounts on computer
Period 6 hours
 
  * Results in a "string"/number
number of values "IMAP Server" of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" of keys of key "HKEY_USERS" of registry as string
POP3 Server
Period 6 hours
 
  * Results in a "string"/number
concatenation of hexadecimal strings (concatenation of ((hexadecimal integers (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose ( it mod 4 = 0 ) of (preceding texts of lasts "0" of (values "POP3 Server" of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" of keys of key "HKEY_USERS" of registry as string)))
Outlook Profile access mode
Period 12 hours
 
  * Results in a "string"/number
(effective access mode for (name of current user) of dacl of security descriptor of folder (unique value of pathnames of parent folders of files ((hexadecimal strings (concatenation of ((hexadecimal integer (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose (it mod 4 = 0) of it)) of (preceding texts of lasts "0" of (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of key ("HKEY_USERS\" & (name of key whose (((it = name of current user as lowercase OR it starts with name of current user as lowercase & "@") of (it as string as lowercase) of (if (name of operating system = "Win7") then value "USERNAME" of key "Volatile Environment" of it else value "Logon User Name" of key "Software\Microsoft\Windows\CurrentVersion\Explorer" of it))) of key "HKEY_USERS" of registry)) of registry as string)) as string) as string)) as string
MailTo:
Period 12 hours
 
  * Results in a "string"/number
value "" of key "HKEY_CLASSES_ROOT\mailto\shell\open\command" of registry
HKCU Mailto Override
Period 12 hours
 
  * Results in a "string"/number
exists keys "Software\Microsoft\Windows\Shell\Associations\UrlAssociations\mailto" of keys of key "HKEY_USERS" of registry

Relevance

Used in 57 fixlets and 4 analyses   * Results in a true/false
(name of it = "WinXP" OR name of it = "WinXP-2003" OR (name of it = "WinVista" AND product type of it = nt workstation product type AND NOT x64 of it) OR (name of it = "WinVista" AND product type of it = nt workstation product type AND x64 of it) OR (name of it = "Win7" AND NOT x64 of it) OR (name of it = "Win7" AND x64 of it)) of operating system
Used in 1 analysis   * Results in a true/false
exists keys whose (value "DisplayName" of it as string as lowercase contains "Outlook" as lowercase) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry OR exists keys whose (value "DisplayName" of it as string as lowercase contains "Outlook" as lowercase) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry
