Tuesday, April 08, 2008

RegRipper on SF.net

I've posted RegRipper v2.0A Basic Edition to SF.net. The archive includes the source and EXEs for RegRipper and rip.exe (as well as the required DLL), an FAQ, whitepaper, list of current plugins, etc.


Macaroni said...


All I can say is wow, and thank you. Look forward to spending some time testing this.

Thank you for all you give back to the community.

Anonymous said...

Harlan! Works like a charm on my XP Pro SP3 machine. Fast, accurate and simply great ! More feedback to come ...


e0n said...

Wow! Currently using this for an incident investigation, and it is turning work that would take hours into minutes! Thanks H.C.!

H. Carvey said...

Very cool! I'm glad it worked as well for you as it has for me...

SynJunkie said...

just caught this, i'm looking forward to getting my grubby little mitts on it (sorry that was very English).

Thanks Harlan.

Macaroni said...


This thing rocks!

H. Carvey said...


Thanks for those words! If you can think of other keys or anything else that might be done to improve the tool...aside from those things already mentioned in the documentation...please feel free to drop me a line.

A couple of things that have been mentioned so far...

Collection of Protected Storage Service info for each user

Love to, but I need help with the encryption.

Include ability to do XML, CSV, and HTML output

That might be something for the future...

You collect the contents of the USBStor key, can you also do that for the Enum\IDE key?


Can you just dump the contents of the Windows\CurrentVersion key?


Anonymous said...

I just used this tool during our most recent incident. It works like a charm.

Thank you very much, Harlan for such a great tool.

Does anyone know a reliable windows registry scanner software that can search the registry in a number of workstations at the same time?

So, I will provide the range of IPs and the reg key and the software will return the workstations that the reg key exists and its value.


H. Carvey said...



As to your second question, I mentioned in one of my books that I'd written one such tool myself. Using the Win32::TieRegistry module, I'd written a tool back in 2001-2002 that did just that...I ran it once a month across our infrastructure to get the contents of certain keys to look for spyware. I'd run it during lunch, come back, and have a report. Very nice stuff.