Wednesday, August 31, 2005

Offline Regisry Parser

I've posted the current iteration of the code I wrote for an offline Registry parser here.

The code is written in Perl, and uses only one module...and that's just to handle time/date translation. I've got some documentation in the code, and I know that I need to clean it up a bit...but take a look.

Here's what the code does...let's say that you've got an imaged Windows boxen, and you want to take a look at the Registry to get certain values out. Well, the script will dump the contents of the NTUSER.DAT file, or the SOFTWARE or SYSTEM files.

To run the script, use a command line like:

C:\Perl>perl reg.pl [path_to_file] > output.log

The script parses the Registry file in binary mode, and prints out the keys with LastWrite times (in GMT format), as well as values, the data type of the value, and the data associated with the value.

This script isn't the most efficient way of parsing the Registry, but it works. You can search/grep through the output file to find the information you're looking for.

I developed the script on Windows, but my goal is to make it cross-platform. Also, I'm going to use the subroutines in the script as building blocks for scripts that search for specific keys and values, based on user input.

4 comments:

Ketema said...

Your script is awesome. I have used it to find registry entries in the sotware hive, that were being hidden while the box was active. Which leads me to the question: How can this script be modified to compare an online scan of the registry that uses normal Win32 API functions and its own scan? Is it possible to make a copy of a hive while the system is up?

Keydet89 said...

> How can this script be modified
> to compare an online scan of
> the registry that uses normal
> Win32 API functions and its own
> scan?

It sounds like you just answered your own question. ;-) Dump the Registry from the live system using the MS API, and then compare that to the output of the script.

One way is to modify the script to return it's output in a format similar to RegEdit's export function. Then, run diff against the two.

> Is it possible to make a copy
> of a hive while the system is
> up?

Look for a utility called xlock.exe...I'm told that it allows you to copy files in use by the o/s.

Another way is to use a tool like ProDiscover to collect an image of the live system.

Anonymous said...

Hi,

I am looking for a tool like you desribed. Unfortunately the link does not work anymore. Any chance to still get it?

Thanks,
Frank

Keydet89 said...

Email me at keydet89 at yahoo dot com and I'll send you a copy.

Harlan