Monday, October 09, 2006

Parsing Registry files

Last week, I mentioned making adaptations to a tool to perform specific tasks. Specifically, adapting the Offline Registry Parser so that instead of dumping everything in a Registry file, it dumps specific keys, values and their data, and translates that data into something human-readable (and parsable), rather than simply spewing it to STDOUT.

Where I thought this might be useful is with the SAM file, to start. Run through the file and pull out all of the user information, group membership info, and even the audit policy (translated into something similar to auditpol.exe's output). A side benefit of this is that you could run it against the current SAM file, as well as any located in System Restore points, and get a rough timeline of when changes occurred.

This could also be done for the NTUSER.DAT files.

Another benefit of this is data reduction. Rather than dumping the entire contents of the Software hive, you could extract only those keys, values, and data that you would most usually be interested in. From there, you'd have less to analyze, and would still have the original data.
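As an added illustration (not code from this post or from the Offline Registry Parser), here is a minimal Python reader for the "regf" base block and the root key node of an offline hive file. The per-key last-write FILETIMEs it pulls out are what a timeline across SAM copies from System Restore points would be built from; the hive image it parses is constructed inline, and the hive name and root key name in it are made-up sample values.

```python
import struct
from datetime import datetime, timedelta, timezone

BASE_BLOCK_LEN, HBIN_HEADER_LEN = 4096, 32   # regf base block; hive bin data follows it

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_hive_summary(data):
    """Return header facts plus the root key's name and last-write time from a hive image."""
    if data[:4] != b"regf":
        raise ValueError("not a registry hive: missing 'regf' signature")
    seq1, seq2, hive_ft, major, minor = struct.unpack_from("<IIQII", data, 4)
    root_off = struct.unpack_from("<I", data, 36)[0]          # relative to hive bin data
    hive_name = data[48:112].decode("utf-16-le").split("\x00", 1)[0]
    cell = BASE_BLOCK_LEN + root_off                          # absolute offset of root cell
    cell_size = struct.unpack_from("<i", data, cell)[0]       # negative size = allocated
    nk = cell + 4                                             # key node follows the size
    if cell_size >= 0 or data[nk:nk + 2] != b"nk":
        raise ValueError("root cell is not an allocated 'nk' key node")
    key_ft = struct.unpack_from("<Q", data, nk + 4)[0]        # key last-write FILETIME
    name_len = struct.unpack_from("<H", data, nk + 72)[0]
    key_name = data[nk + 76:nk + 76 + name_len].decode("latin-1")
    return {
        "hive_name": hive_name,
        "version": f"{major}.{minor}",
        "clean": seq1 == seq2,        # sequence mismatch = hive was mid-write (check the .LOG)
        "hive_last_write": filetime_to_dt(hive_ft),
        "root_key": key_name,
        "root_last_write": filetime_to_dt(key_ft),
    }

def build_sample_hive(hive_ft=128_000_000_000_000_000, root="CMI-CreateHive{SAMPLE}"):
    """Constructed test image: base block + one hbin holding one allocated root nk cell."""
    key_ft = hive_ft - 36_000_000_000                         # root key written 1 h earlier
    nk = (b"nk" + struct.pack("<HQ", 0x2C, key_ft) + b"\x00" * 60
          + struct.pack("<HH", len(root), 0) + root.encode("latin-1"))
    cell_size = (4 + len(nk) + 7) & ~7                        # cells are 8-byte aligned
    cell = struct.pack("<i", -cell_size) + nk.ljust(cell_size - 4, b"\x00")
    hbin = (b"hbin" + struct.pack("<II", 0, 4096)).ljust(HBIN_HEADER_LEN, b"\x00") + cell
    name = "\\SystemRoot\\System32\\Config\\SAM".encode("utf-16-le").ljust(64, b"\x00")
    base = (b"regf" + struct.pack("<IIQII", 1, 1, hive_ft, 1, 3)      # seq1, seq2, time, ver
            + struct.pack("<IIIII", 0, 1, HBIN_HEADER_LEN, 4096, 1)  # type, fmt, root, size
            + name).ljust(BASE_BLOCK_LEN, b"\x00")
    return base + hbin.ljust(4096, b"\x00")

if __name__ == "__main__":
    for k, v in parse_hive_summary(build_sample_hive()).items():
        print(f"{k}: {v}")
```

Walking from the root node down the subkey lists to a named key, then its "vk" value cells, is the same cell-offset arithmetic applied a few more times; comparing each key's last-write time across successive restore-point copies gives the rough change timeline described above.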

1 comment:

Mark McKinnon said...

Excellent idea. I would suggest storing the data into a database so that when you go and report on it you can just write a simple SQL statement to do the sorting of the date. It may still take a while since there might be a lot of data in the restore point directories.