RegLookUp Package

Reglookup

RegLookUp Package is designed to read Windows registry hive files and print their keys and values to stdout in a CSV-like format. It has filtering options (by path and by value type) to narrow the focus of the output. The tool is designed to work with Windows NT-based registry hives.

Usage

Syntax

reglookup [-v] [-h|-H] [-s|-S] [-i] [-p <PATH_FILTER>] [-t <TYPE_FILTER>] <REGISTRY_FILE>

Options

        -v	 sets verbose mode.
        -h	 enables header row. (default)
        -H	 disables header row.
        -s	 enables security descriptor output.
        -S	 disables security descriptor output. (default)
        -p	 restricts output to keys and values below this path.
        -t	 restricts output to values of this data type (e.g. BINARY, SZ, DWORD, KEY).
        -i	 includes parent key modification times with child values.

Example

cyborg@cyborg:~$ sudo reglookup -t BINARY  /mnt/ntfs/Windows/System32/config/SYSTEM
PATH,TYPE,VALUE,MTIME
/ControlSet001/Control/AGP/102B0520,BINARY,%80%00%00%00%00%00%00%00,
/ControlSet001/Control/AGP/102B0521,BINARY,%80%00%00%00%00%00%00%00,
/ControlSet001/Control/AGP/102B0525,BINARY,%80%00%00%00%00%00%00%00,
/ControlSet001/Control/AGP/10DE0100,BINARY,%00%01%00%00%00%00%00%00,
/ControlSet001/Control/AGP/53339102,BINARY,%00%01%00%00%00%00%00%00,
/ControlSet001/Control/AGP/53338C10,BINARY,%00%01%00%00%00%00%00%00,
/ControlSet001/Control/AGP/53338C12,BINARY,%00%01%00%00%00%00%00%00,
/ControlSet001/Control/Class/{0475BB51-5A02-4EE0-B36C-29040FAD2650}/Properties/Security,BINARY,%01%00%0C%90%00%00%00%00%00%00%00%00%00%00%00%00%14%00%00%00%02%004%00%02%00%00%00%00%00%14%00%00%00%00%10%01%01%00%00%00%00%00%05%12%00%00%00%00%00%18%00%00%00%00%10%01%02%00%00%00%00%00%05 %00%00%00 %02%00%00,
/ControlSet001/Control/Class/{1264760F-A5C8-4BFE-B314-D56A7B44A362}/Properties/Security,BINARY,%01%00%0C%90%00%00%00%00%00%00%00%00%00%00%00%00%14%00%00%00%02%00%08%00%00%00%00%00
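The values above are printed with reglookup's own quoting: every byte that is not printable ASCII (and every comma, quote and '%') appears as %XX, so a literal space in the BINARY column really is the byte 0x20. The following is an added example, not code from the RegLookup project, that undoes that quoting and decodes the .../Properties/Security value from the run above as the self-relative SECURITY_DESCRIPTOR it is. The two input rows are copied from the output shown above (line-wrapped here); the decoder handles only the two plain ACE types, which is all this value contains. The same unquoting applies to reglookup-recover and reglookup-timeline output, which use the same quoting rules.

```python
# Added example (not part of the RegLookup project): parse reglookup's
# CSV-like output and decode a REG_BINARY security descriptor value.
import struct

# Constructed input: the header and two rows copied from the
# `reglookup -t BINARY` run shown above, split over several literals.
SAMPLE = (
    "PATH,TYPE,VALUE,MTIME\n"
    "/ControlSet001/Control/AGP/102B0520,BINARY,%80%00%00%00%00%00%00%00,\n"
    "/ControlSet001/Control/Class/{0475BB51-5A02-4EE0-B36C-29040FAD2650}"
    "/Properties/Security,BINARY,"
    "%01%00%0C%90"                 # Revision 1, Sbz1 0, Control 0x900C
    "%00%00%00%00%00%00%00%00"     # OffsetOwner 0, OffsetGroup 0
    "%00%00%00%00%14%00%00%00"     # OffsetSacl 0, OffsetDacl 0x14
    "%02%004%00%02%00%00%00"       # ACL: rev 2, size 0x34 ('4'), 2 ACEs
    "%00%00%14%00%00%00%00%10%01%01%00%00%00%00%00%05%12%00%00%00"
    "%00%00%18%00%00%00%00%10%01%02%00%00%00%00%00%05 %00%00%00 %02%00%00,\n"
)

ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED"}
WELL_KNOWN_SIDS = {"S-1-5-18": "NT AUTHORITY\\SYSTEM",
                   "S-1-5-32-544": "BUILTIN\\Administrators"}


def unquote(field: str) -> bytes:
    """Undo reglookup's quoting: each %XX is one raw byte, every other character
    is literal ASCII. reglookup escapes '%' itself, so a bare '%' always starts
    an escape sequence."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field[i] == "%":
            out.append(int(field[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def parse_reglookup(text: str) -> list:
    """Split reglookup output into rows. Commas inside fields are quoted as
    %2C, so a plain split on ',' is safe. VALUE is returned as raw bytes; PATH
    is left quoted, because '/' inside a key name is quoted as %2F and must be
    split before unquoting each component."""
    lines = [line for line in text.splitlines() if line]
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["VALUE"] = unquote(row["VALUE"])
        rows.append(row)
    return rows


def parse_sid(buf: bytes, off: int):
    """Decode a binary SID at buf[off]; returns (string form, end offset)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return sid, off + 8 + 4 * count


def parse_security_descriptor(buf: bytes) -> dict:
    """Decode a self-relative SECURITY_DESCRIPTOR: fixed 20-byte header, then
    owner/group SIDs and ACLs at the offsets the header gives."""
    rev, _sbz1, control, o_owner, o_group, _o_sacl, o_dacl = \
        struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & 0x8000:        # SE_SELF_RELATIVE is required
        raise ValueError("not a self-relative security descriptor")
    sd = {"control": control, "owner": None, "group": None, "dacl": None}
    if o_owner:
        sd["owner"] = parse_sid(buf, o_owner)[0]
    if o_group:
        sd["group"] = parse_sid(buf, o_group)[0]
    if control & 0x0004 and o_dacl:              # SE_DACL_PRESENT
        _acl_rev, _, _acl_size, ace_count, _ = \
            struct.unpack_from("<BBHHH", buf, o_dacl)
        sd["dacl"] = []
        off = o_dacl + 8
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, off)
            if ace_type in ACE_TYPES:            # plain (non-object) ACEs only
                mask, = struct.unpack_from("<I", buf, off + 4)
                sid, _ = parse_sid(buf, off + 8)
                sd["dacl"].append((ACE_TYPES[ace_type], ace_flags, mask, sid))
            off += ace_size                      # skip ACE types we don't decode
    return sd


if __name__ == "__main__":
    for row in parse_reglookup(SAMPLE):
        if row["PATH"].endswith("/Properties/Security"):
            sd = parse_security_descriptor(row["VALUE"])
            print(row["PATH"], "control=0x%04X" % sd["control"])
            for ace_type, flags, mask, sid in sd["dacl"]:
                print("  %s flags=0x%02X mask=0x%08X %s" %
                      (ace_type, flags, mask, WELL_KNOWN_SIDS.get(sid, sid)))
        else:
            print(row["PATH"], row["VALUE"].hex())
```

Run as-is, it shows that the device class's Security property grants GENERIC_ALL (mask 0x10000000) to S-1-5-18 (SYSTEM) and to S-1-5-32-544 (Administrators) and nothing else. Note that this decodes a descriptor stored as value data; the key's own SK-record descriptor is what reglookup's -s option prints.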


Reglookup-Recover

reglookup-recover scans a registry hive file for deleted (unallocated) cells, attempts to parse them as keys, values and security descriptors, and writes what it finds to stdout in a CSV-like format; the OFFSET column gives each record's position in the hive file.

Usage

Syntax

reglookup-recover [options] <REGISTRY_FILE>

Options

        -v	 sets verbose mode.
        -h	 enables header row. (default)
        -H	 disables header row.
        -l	 enables leftover (raw) cell output.
        -L	 disables leftover (raw) cell output. (default)
        -r	 enables raw cell output for parsed cells.
        -R	 disables raw cell output for parsed cells. (default)

Example

cyborg@cyborg:~$ sudo reglookup-recover /mnt/ntfs/Windows/System32/config/SYSTEM 
OFFSET,REC_LENGTH,REC_TYPE,PATH,NAME,NK_MTIME,NK_NVAL,VK_TYPE,VK_VALUE,VK_DATA_LEN,SK_OWNER,SK_GROUP,SK_SACL,SK_DACL,RAW_CELL
00C49F88,00000058,KEY,/CMI-CreateHive{2A7FB991-7BBE-4F9D-B91E-7CB51D4737F5}/ControlSet001/Enum/USB/VID_15D9&PID_0A4F/5&23573013&0&2/Properties/{83da6326-97a6-4088-9453-a1923f573b29},00000009,2015-10-26 12:42:50,0,,,,,,,,


Reglookup-TimeLine

reglookup-timeline runs reglookup over one or more hive files and writes a timeline of key modification times to stdout in a CSV-compatible format, sorted by MTIME, with the source file and key path on each line.

Usage

Syntax

reglookup-timeline [-H] [-V] <REGISTRY_FILE> [<REGISTRY_FILE> ...]

Options

        -H	 omits the header line.
        -V	 includes values with their parent key's timestamp.

Example

cyborg@cyborg:~$ sudo reglookup-timeline /mnt/ntfs/Windows/System32/config/SYSTEM
MTIME,FILE,PATH
2009-07-14 02:35:22,/mnt/ntfs/Windows/System32/config/SYSTEM,/ControlSet001/Hardware Profiles/0000
2009-07-14 02:35:22,/mnt/ntfs/Windows/System32/config/SYSTEM,/ControlSet001/Hardware Profiles/0000/System
2009-07-14 02:35:22,/mnt/ntfs/Windows/System32/config/SYSTEM,/ControlSet002/Hardware Profiles/0000
2009-07-14 02:35:22,/mnt/ntfs/Windows/System32/config/SYSTEM,/ControlSet002/Hardware Profiles/0000/System
2009-07-14 04:45:20,/mnt/ntfs/Windows/System32/config/SYSTEM,/ControlSet001/Enum/ACPI_HAL
©2017 Ztrela Knowledge Solutions Pvt. Ltd