Registry Explorer
How to use Registry Explorer to parse the Windows Registry in order to provide evidence in support of various malicious activities during incident investigations.
Last updated
How to use Registry Explorer to parse the Windows Registry in order to provide evidence in support of various malicious activities during incident investigations.
Last updated
Registry Explorer allows Windows registry hives to be interrogated and parsed for a wide variety of forensic artifacts. The tool comes in two versions, a GUI and a command line interface. Eric Zimmerman has created several that allow automated parsing for certain forensic objects.
V1.6.0.0
Run RegistryExplorer.exe as an Administrator if interrogating a live host
Hive Selection
Live Host: Navigate to menu option File and Live System and then select the desired registry hive
Registry Dump: Navigate to menu option Load Hive and navigate to the desired registry hive via Explorer.
Hive details can be exported to several formats via the menu option File and Export
Interesting Keys
Root\
InventoryDeviceContainer: OS devices such as bluetooth, printers, etc. Has links to DevicePnps
InventoryDevicePnP: Plug and Play (PnP) devices such as bluetooth, USB, etc. More verbose details than those contained in DeviceContainers
InventoryDriverBinary: System Drivers
InventoryDriverPackage: Package information that links to both DeviceContainers and DevicePnPs
InventoryApplicationShortcut: .LNK files
Execution Time is a reference to the last execution time.
Interesting Fields
Executable: Records the parent application
Absolute Path: Records the file opened
Opened On: Date-time-group of last access time
Interesting Fields
Program Name: Records the full executable filepath
Modified Time: Date-time-group of last access time
