Outlook
| 0 Votes |
Description
Property Details
Properties
PST Files
Period
12 hours
| * Results in a "string"/number |
concatenation ", " of (if exists regapp "outlook.exe" then if version of regapp "outlook.exe" = "10" then (if (exists values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) then ((pathname of it & " - " & (size of it / (1024*1024)) as string & "Mb") of files ((values whose (it as string contains ".pst") of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of keys "HKEY_USERS" of registry) as string)) else ("No archive")) else if version of regapp "outlook.exe" >= "11" then (if (exists (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) then (((pathname of it & " - " & (size of it / (1024*1024)) as string & "MB") of files ((hexadecimal strings (concatenation of ((hexadecimal integer (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose (it mod 4 = 0) of it)) of (preceding texts of lasts "0" of (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of keys of key "HKEY_USERS" of registry as string)) as string))) else ("No Archive")) else "Outlook < XP installed" else "Outlook not installed")
# of all email accounts on computer
Period
6 hours
| * Results in a "string"/number |
if exists keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" of keys of key "HKEY_USERS" of registry then number of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" of keys of key "HKEY_USERS" of registry as string else "No Outlook installed"
# of POP accounts on computer
Period
6 hours
| * Results in a "string"/number |
number of values "POP3 Server" of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" of keys of key "HKEY_USERS" of registry as string
# of IMAP accounts on computer
Period
6 hours
| * Results in a "string"/number |
number of values "IMAP Server" of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" of keys of key "HKEY_USERS" of registry as string
POP3 Server
Period
6 hours
| * Results in a "string"/number |
concatenation of hexadecimal strings (concatenation of ((hexadecimal integers (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose ( it mod 4 = 0 ) of (preceding texts of lasts "0" of (values "POP3 Server" of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676" of keys of key "HKEY_USERS" of registry as string)))
Outlook Profile access mode
Period
12 hours
| * Results in a "string"/number |
(effective access mode for (name of current user) of dacl of security descriptor of folder (unique value of pathnames of parent folders of files ((hexadecimal strings (concatenation of ((hexadecimal integer (last 2 of it & first 2 of it) as hexadecimal) as string) of firsts 4 of following texts of positions whose (it mod 4 = 0) of it)) of (preceding texts of lasts "0" of (Values "001f6700" of keys of keys of keys "Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" of key ("HKEY_USERS\" & (name of key whose (((it = name of current user as lowercase OR it starts with name of current user as lowercase & "@") of (it as string as lowercase) of (if (name of operating system = "Win7") then value "USERNAME" of key "Volatile Environment" of it else value "Logon User Name" of key "Software\Microsoft\Windows\CurrentVersion\Explorer" of it))) of key "HKEY_USERS" of registry)) of registry as string)) as string) as string)) as string
MailTo:
Period
12 hours
| * Results in a "string"/number |
value "" of key "HKEY_CLASSES_ROOT\mailto\shell\open\command" of registry
HKCU Mailto Override
Period
12 hours
| * Results in a "string"/number |
exists keys "Software\Microsoft\Windows\Shell\Associations\UrlAssociations\mailto" of keys of key "HKEY_USERS" of registry
Relevance
(name of it = "WinXP" OR name of it = "WinXP-2003" OR (name of it = "WinVista" AND product type of it = nt workstation product type AND NOT x64 of it) OR (name of it = "WinVista" AND product type of it = nt workstation product type AND x64 of it) OR (name of it = "Win7" AND NOT x64 of it) OR (name of it = "Win7" AND x64 of it)) of operating system
| Used in 1 analsis | * Results in a true/false |
exists keys whose (value "DisplayName" of it as string as lowercase contains "Outlook" as lowercase) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry OR exists keys whose (value "DisplayName" of it as string as lowercase contains "Outlook" as lowercase) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of native registry
Sharing
| Social Media: |
