# Registry Explorer

Registry Explorer allows Windows registry hives to be interrogated and parsed for a wide variety of forensic artifacts. The tool comes in two versions, a GUI and a command line interface. Eric Zimmerman has created several [plugins](https://github.com/EricZimmerman/RegistryPlugins) that allow automated parsing for certain forensic objects.

| Tool Name                                                                                                                                                                    | Version  | MITRE ATT\&CK Tactic                                                                                                                                                                                                                                                                                    | MITRE ATT\&CK Technique |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
| <p><a href="https://github.com/EricZimmerman/RECmd">Registry Explorer (RECmd)</a><br><a href="https://www.sans.org/tools/registry-explorer/">Registry Explorer (GUI)</a></p> | V1.6.0.0 | <p><a href="https://attack.mitre.org/tactics/TA0002/">Execution</a><br><a href="https://attack.mitre.org/tactics/TA0003/">Persistence</a><br><a href="https://attack.mitre.org/tactics/TA0005/">Defense Evasion</a><br><a href="https://attack.mitre.org/tactics/TA0006/">Credential Access</a><br></p> |                         |

## Instructions

### Loading a Host's Registry via Registry Explorer

1. Run RegistryExplorer.exe as an Administrator if interrogating a live host.
2. Hive selection:

* **Live Host:** Navigate to File > Live System and select the desired registry hive.
* **Registry Dump:** Navigate to the Load Hive menu option and browse to the desired registry hive via Explorer.

> Hive details can be exported to several formats via File > Export.

### Parsing the AmCache.hve for Evidence of Execution

Interesting Keys

* `Root\`
  * **InventoryDeviceContainer:** OS devices such as Bluetooth, printers, etc. Has links to DevicePnPs.
  * **InventoryDevicePnP:** Plug and Play (PnP) devices such as Bluetooth, USB, etc. More verbose details than those contained in DeviceContainers.
  * **InventoryDriverBinary:** System drivers.
  * **InventoryDriverPackage:** Package information that links to both DeviceContainers and DevicePnPs.
  * **InventoryApplicationShortcut:** .LNK files.

<figure><img src="https://1729410104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUWgoU3Cxbipx0MCPbAcJ%2Fuploads%2FqlgxH2TZXVFPTBRqeorD%2FDFIR_Tools_Toolkits_RegistryExplorer_AmCache.png?alt=media&#x26;token=d07a1072-019d-446d-bcb7-2b9436c4c8f2" alt="Registry Explorer Output - Amcache Hive"><figcaption></figcaption></figure>

### Parsing the BAM/DAM for Evidence of Execution

* `Execution Time` is a reference to the last execution time.

<figure><img src="https://1729410104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUWgoU3Cxbipx0MCPbAcJ%2Fuploads%2FMj2yyUSMPW6SdCWr81fs%2FDFIR_Tools_Toolkits_RegistryExplorer_BAM_DAM.png?alt=media&#x26;token=e35befde-ba99-4089-bda9-9080fdcffb5d" alt="Registry Explorer Output - BAM/DAM"><figcaption></figcaption></figure>
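The `Execution Time` column in the output above is decoded from the raw BAM/DAM value data. As an added example (not part of this page or of Registry Explorer's own code), the following Python decodes one `...\Services\bam\State\UserSettings\<SID>` key: each executed program is a REG_BINARY value whose name is the executable path and whose first 8 bytes are a FILETIME of the last execution. The SID, path and timestamp are constructed sample values, not from a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a 64-bit FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, in integer arithmetic so large tick counts do not lose precision."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_bam_user_key(sid: str, values: dict) -> list:
    """Decode one UserSettings\\<SID> key (value name -> raw bytes) into
    (sid, executable, last_execution_utc) rows, oldest first.

    The REG_DWORD housekeeping values 'Version' and 'SequenceNumber' are only
    4 bytes long and carry no timestamp, so they are skipped. Only the first
    8 bytes of each 24-byte program record are needed for the timestamp.
    """
    rows = []
    for name, data in values.items():
        if len(data) < 8:
            continue
        (ticks,) = struct.unpack_from("<Q", data, 0)
        if ticks == 0:
            continue  # zeroed timestamp: nothing to date
        rows.append((sid, name, filetime_to_datetime(ticks)))
    return sorted(rows, key=lambda r: r[2])


# Constructed sample data (hypothetical SID and path, not captured from a real system).
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_LAST_RUN = datetime(2024, 3, 15, 12, 34, 56, tzinfo=timezone.utc)
SAMPLE_VALUES = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 7),
    "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe":
        struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN)) + b"\x00" * 16,
}

if __name__ == "__main__":
    for sid, exe, last_run in parse_bam_user_key(SAMPLE_SID, SAMPLE_VALUES):
        print(f"{last_run.isoformat()}  {sid}  {exe}")
```

On Windows 10 1809 and later the key lives under `bam\State\UserSettings`; earlier builds use `bam\UserSettings`, and the DAM hive uses the same record layout under `dam\`.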

### Parsing the LastVisitedMRU for Evidence of Execution

Interesting Fields

* **Executable:** Records the parent application
* **Absolute Path:** Records the file opened
* **Opened On:** Date-time-group of last access time

<figure><img src="https://1729410104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUWgoU3Cxbipx0MCPbAcJ%2Fuploads%2F2VPIOawvU5NpBDRNFCkJ%2FDFIR_Tools_Toolkits_RegistryExplorer_LastVisitedMRU.png?alt=media&#x26;token=08549fb0-f0c3-4bfe-9223-82d23ac241d3" alt="Registry Explorer Output - LastVisitedMRU"><figcaption></figcaption></figure>

### Parsing the ShimCache (AppCompatCache) for Evidence of Execution

Interesting Fields

* **Program Name:** Records the full executable filepath
* **Modified Time:** Date-time-group of last access time

<figure><img src="https://1729410104-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUWgoU3Cxbipx0MCPbAcJ%2Fuploads%2FWXL6qOehoPZ8BOdPRW3Y%2FDFIR_Tools_Toolkits_RegistryExplorer_ShimCache.png?alt=media&#x26;token=0b42f1fa-222b-42ed-af32-3e85e771df3f" alt="Registry Explorer Output - Shimcache"><figcaption></figcaption></figure>
