Author Name
Matt Nelson
Submission Title
TeamViewer 8
Artifact or Program Version
8.0.16447
Artifact Description
TeamViewer is a program that provides remote desktop software, remote control access, VPN capabilities, file transfers, etc. It can be installed, run temporarily, or used as portable application. One interesting capability is that it can determine if the Remote and Local host are on the same network and it will conduct P2P activity and connect directly, rather than use gateway servers. It is also proxy aware…you can configure it to connect through your network proxies or even a TOR proxy.
While there are important artifacts in the registry, there are a few important files that can help decipher details and events that occurred with the software.
#1 file on Local Host:
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer8_Logfile.log <—–wealth of knowledge in this file
“CMD_MEETING_AUTHENTICATION From=155xxx982 To=312xxx388 L=53″ <—– “ID” to “ID”connecting information
“CT11 GWT.CmdUDPPing.UDPMasterReply 208.1xx.1x.18:12364:51347″ <—– connecting IP address:port:port
“CMeetingControl[1]::AddParticipant(): Participant[155xxx982,-1919357301] Role_Spectator, Role_Organizer”
“CStreamManager::JoinMeeting() participant=[312xxx388,537743816] key=0xf757b7eafe00641d3a8e” <—– This key is present on both systems connection logs.
Note: there are more interesting fields in the “TeamViewer8_Logfile.log”, seek it out if you suspect Teamviewer was installed.
Remote Host:
Connections.txt = C:\Users\dude\AppData\Roaming\TeamViewer\Connections.txt <—– this simple file contains the “ID” of the remote host connected to. Fields in this file include date, time connected and date/time disconnected and the user the app ran under.
Local Host:
C:\Program Files (x86)\TeamViewer\Version8\Connections_incoming.txt <—– this simple file contains the “ID” of the remote host that connected to the “local” system. Fields in this file include date, time connected and date/time disconnected and the user the app ran under.
Below is a file transfer entry logged in the TeamViewer8_Logfile.log:
2012/12/17 22:34:31.853 2960 2740 G1 – File transfer request from 155 xxx 982 allowed
2012/12/17 22:34:32.658 2960 2740 G1 – Views folder
2012/12/17 22:34:57.358 2960 2740 G1 – Views folder C:\Users\Chuck\Desktop\
2012/12/17 22:35:04.333 2960 2740 G1 – Processing file transfer…
2012/12/17 22:35:04.333 2960 2740 G1 – Write file C:\Users\Chuck\Desktop\test.txt
2012/12/17 22:35:04.343 2960 2740 G1 – File transfer finished.
2012/12/17 22:35:04.348 2960 2740 G1 – Views folder C:\Users\Chuck\Desktop\
2012/12/17 22:35:12.153 2960 2588 G1 Ending CFileTransferThreadServer…
2012/12/17 22:35:12.153 2960 2740 G1 – File transfer server shut down.
2012/12/17 22:35:12.153 2960 2588 G1 The CFileTransferThreadServer has ended.
Registry Keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\DisplayName: “TeamViewer 8″
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\DisplayIcon: “C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\Publisher: “TeamViewer”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\HelpLink: “http://www.teamviewer.com”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\UninstallString: “C:\Program Files (x86)\TeamViewer\Version8\uninstall.exe”
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\NoModify: 0×00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\NoRepair: 0×00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\VersionMajor: 0×00000008
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\VersionMinor: 0×00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\InstallLocation: “C:\Program Files (x86)\TeamViewer\Version8″
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer 8\DisplayVersion: “8.0.16447″
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts\TeamViewer8 (TrueType): “teamviewer8.otf”
HKLM\SOFTWARE\Classes\.tvc\: “TeamViewerConfiguration”
HKLM\SOFTWARE\Classes\.tvs\: “TeamViewerSession”
HKLM\SOFTWARE\Classes\teamviewer8\shell\open\command\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe” %1″
HKLM\SOFTWARE\Classes\teamviewer8\URL Protocol: “”"”
HKLM\SOFTWARE\Classes\teamviewer8\: “URL:teamviewer8 Protocol”
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\shell\open\command\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe” –control “%1″”
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\shell\open\command: “”
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\shell\open: “”
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\DefaultIcon\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe”,0″
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\shell: “”
HKLM\SOFTWARE\Classes\TeamViewerConfiguration\DefaultIcon: “”
HKLM\SOFTWARE\Classes\TeamViewerSession\shell\open\command\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe” –play “%1″”
HKLM\SOFTWARE\Classes\TeamViewerSession\shell\open\command: “”
HKLM\SOFTWARE\Classes\TeamViewerSession\shell\open: “”
HKLM\SOFTWARE\Classes\TeamViewerSession\DefaultIcon\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe”,0″
HKLM\SOFTWARE\Classes\TeamViewerSession\shell: “”
HKLM\SOFTWARE\Classes\TeamViewerSession\DefaultIcon: “”
HKLM\SOFTWARE\Classes\tvjoinv8\shell\open\command\: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe” %1″
HKLM\SOFTWARE\Classes\tvjoinv8\URL Protocol: “”"”
HKLM\SOFTWARE\Classes\tvjoinv8\: “URL:tvjoinv8 Protocol”
HKLM\SOFTWARE\TeamViewer\Version8\DefaultSettings\Autostart_GUI: 0×00000000
HKLM\SOFTWARE\TeamViewer\Version8\AccessControl\AC_Server_AccessControlType: 0×00000000
HKLM\SOFTWARE\TeamViewer\Version8\StartMenuGroup: “TeamViewer 8″
HKLM\SOFTWARE\TeamViewer\Version8\InstallationDate: “2012-12-17″
HKLM\SOFTWARE\TeamViewer\Version8\InstallationDirectory: “C:\Program Files (x86)\TeamViewer\Version8″
HKLM\SOFTWARE\TeamViewer\Version8\Always_Online: 0×00000000
HKLM\SOFTWARE\TeamViewer\Version8\Security_ActivateDirectIn: 0×00000000
HKLM\SOFTWARE\TeamViewer\Version8\Version: “8.0.16447″
HKLM\SOFTWARE\TeamViewer\Version8\ClientIC: 0x19F1085A
HKLM\SOFTWARE\TeamViewer\Version8\MIDInitiativeGUID: “{3ae73f42-112a-4506-9735-2efdc6a80ec1}”
HKLM\SOFTWARE\TeamViewer\Version8\ProxyAutoList: ‘;;’
HKLM\SOFTWARE\TeamViewer\Version8\ClientID: 0x12A323AC
HKLM\SOFTWARE\TeamViewer\Version8\LastUpdateCheck: 0x50CFE30B
HKLM\SOFTWARE\TeamViewer\Version8\UsageEnvironmentBackup: 0×00000002
HKLM\SOFTWARE\TeamViewer\Version8\LicenseType: 0×00002710
HKLM\SOFTWARE\TeamViewer\Version8\UpdateVersion: 00
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{C95C73E4-4669-44F7-946C-84B2E2208D14}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe|Name=Teamviewer Remote Control Application|”
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{5D6EBB7F-E15E-47FF-A7C5-4B1817143199}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe|Name=Teamviewer Remote Control Application|”
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{2D57F017-02ED-4095-A2C1-1BEB534D9A27}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe|Name=Teamviewer Remote Control Service|”
HKLM\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{7B189A6A-2E6A-4902-B5A3-350B1328B3FC}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe|Name=Teamviewer Remote Control Service|”
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\Type: 0×00000010
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\Start: 0×00000002
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\ErrorControl: 0×00000001
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\ImagePath: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe”"
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\DisplayName: “TeamViewer 8″
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\WOW64: 0×00000001
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\ObjectName: “LocalSystem”
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\Description: “TeamViewer Remote Software”
HKLM\SYSTEM\ControlSet001\services\TeamViewer8\FailureActions: 80 51 01 00 00 00 00 00 00 00 00 00 03 00 00 00 14 00 00 00 01 00 00 00 D0 07 00 00 01 00 00 00 D0 07 00 00 00 00 00 00 00 00 00 00
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{C95C73E4-4669-44F7-946C-84B2E2208D14}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe|Name=Teamviewer Remote Control Application|”
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{5D6EBB7F-E15E-47FF-A7C5-4B1817143199}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe|Name=Teamviewer Remote Control Application|”
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{2D57F017-02ED-4095-A2C1-1BEB534D9A27}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe|Name=Teamviewer Remote Control Service|”
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{7B189A6A-2E6A-4902-B5A3-350B1328B3FC}: “v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe|Name=Teamviewer Remote Control Service|”
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\Type: 0×00000010
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\Start: 0×00000002
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\ErrorControl: 0×00000001
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\ImagePath: “”C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe”"
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\DisplayName: “TeamViewer 8″
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\WOW64: 0×00000001
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\ObjectName: “LocalSystem”
HKLM\SYSTEM\CurrentControlSet\services\TeamViewer8\Description: “TeamViewer Remote Software”
HKU\[USERSID]\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\C:\Users\Chuck\Downloads\TeamViewer_Setup_en.exe: 0×00000001
HKU\[USERSID]\Software\Classes\Local Settings\MuiCache\6B\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042: “Peer to Peer Trust”
HKU\[USERSID]\Software\Classes\Local Settings\MuiCache\6B\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10: “System Health Authentication”
HKU\[USERSID]\Software\Classes\Local Settings\MuiCache\6B\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103: “Domain Name System (DNS) Server Trust”
HKU\[USERSID]\Software\Classes\Local Settings\MuiCache\6B\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843: “BitLocker Drive Encryption”
HKU\[USERSID]\Software\Classes\Local Settings\MuiCache\6B\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844: “BitLocker Data Recovery Agent”
HKU\[USERSID]\Software\TeamViewer\Version8\Buddy_QuickPresExclusions: ‘chrome.exe devenv.exe mediamonkey.exe msnmsgr.exe opera.exe psr.exe super.exe wlmail.exe wlxphotogallery.exe’
HKU\[USERSID]\Software\TeamViewer\Version8\Buddy_QuickPresExclusions_Version: 0×00000003
HKU\[USERSID]\Software\TeamViewer\Version8\MainWindowHandle: 0×00120306
HKU\[USERSID]\Software\TeamViewer\Version8\Meeting_UserName: “Chuck”
HKU\[USERSID]\Software\TeamViewer\Version8\Buddy_WindowPos: ’1 1131 220 1361 755′
File Locations
C:\Program Files (x86)\TeamViewer\Version8\
C:\Users\dude\AppData\Roaming\TeamViewer\
C:\Program Files (x86)\TeamViewer\Version8\TVExtractTemp\
C:\Users\Chuck\AppData\Local\Temp\TeamViewer\Version8
Research Links
http://www.teamviewer.com/en/index.aspx
Forensic Programs of Use
Regshot
ProcessHacker