ShellBags Explorer

Description

Parses BagMRU keys from online or offline registry hives and displays them in an Explorer like interface.

Platform	Windows
Author	Eric Zimmerman
License	MIT License
URL	https://ericzimmerman.github.io/#!index.md

Usage

SBECmd version 1.4.0.0
 
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman
 
        d               Directory to look for registry hives. This or -l is required
        l               Process live registry. This or -d is required
        csv             Directory to save output to. Required
 
        dedupe          When true, SBECmd processes all hives in -d <directory> and removes duplicates. See manual for details
 
        dt              Date/time format string to use. Default is 'yyyy-MM-dd HH:mm:ss'
        tz              Time zone to use (Default = UTC). Enclose in quotes. Use '--tz list' for options
        nl              When true, ignore transaction log files for dirty hives. Default is FALSE
 
Examples: SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout
          SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --tz "US Eastern Standard Time"
          SBECmd.exe -d c:\temp\hives --csv c:\temp\sbeout --dedupe
 
          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Examples

Blog Posts

RegRipper

Description

The Registry Ripper, or RegRipper, is an open-source application for extracting, correlating, and displaying information from Windows NT registry hive files.

Platform	Perl
Author	H. Carvey
License	GPLv3
URL	https://github.com/warewolf/regripper

Usage

Rip 2.8_20130801 - CLI RegRipper tool	
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.
  -r Reg hive file...Registry hive file to parse
  -g ................Guess the hive file (experimental)
  -f [profile].......use the plugin file (default: plugins\\plugins)
  -p plugin module...use only this module
  -l ................list all plugins
  -c ................Output list in CSV format (use with -l)
  -s system name.....Server name (TLN support)
  -u username........User name (TLN support)
  -h.................Help (print this information)
  
Ex: C:\\>rip -r c:\\case\\system -f system
    C:\\>rip -r c:\\case\\ntuser.dat -p userassist
    C:\\>rip -l -c
All output goes to STDOUT; use redirection (ie, > or >>) to output to a file\.
  
copyright 2013 Quantum Analytics Research, LLC

Examples

rip.pl -r SAM -f sam > /cases/sam.txt

rip.pl -r SYSTEM -f system > /cases/system.txt

Blog Posts

Registry Explorer

Description

A registry viewer powered by plugins.

Platform	Windows
Author	Eric Zimmerman
License	MIT License
URL	https://ericzimmerman.github.io/#!index.md

Usage

To load hives, drag and drop onto any of the three main panels. You can also use the File menu to load hives.

Once hives are loaded, Registry Explorer operates much like regedit.exe does, but with many more options.

Bookmarks

The Bookmarks menu will dynamically update to reflect which bookmarks are available in the currently selected hive.

Available Bookmarks

The available bookmarks tab displays all available bookmarks across all loaded hives.

Context menu

Right click on Nodes in the tree for various options such as exporting keys, full technical details, etc.

For full details, see the included manual.

Examples

Blog Posts

Tag: windows registry