Table of Contents
- Page 1 – Introduction, Screenshots, Usage Scenarios
- Page 2 – Registry Explorer – GUI
- Page 3 – RECmd – Command Line, How to Use rla.exe, Examining RECmd Output (CSV)
- Page 4 – Conclusion, Registry-Related CTFs, Related Blogs Posts/Videos, Change Log
Registry Explorer is an awesome tool created by Eric Zimmerman that can be used to easily make sense of the registry hives on a given system. Since Eric has kindly provided a very detailed manual for this tool, this guide will concentrate on visualizing many things you can do with these tools to make your life easier and get the answers you need in your investigations. If you have any questions about the tool that this guide doesn’t answer, read the manual!
Often for examples in this guide, I employ registry hives from the Lone Wolf 2018 Scenario. As of December 2020, the output from KAPE can be retrieved from a GitHub repository of I put together for the purpose of these EZ Tools guides. The GitHub repository can be found here. If you want to retrieve the registry hives themselves, download the Lone Wolf 2018 forensic image and extract them from the image.
This guide was created with those new to Registry Explorer/RECmd in mind, regardless of background (LE, Private, Student, etc). It should be noted the primary purpose of this guide is aimed to help break the intimidation barrier with trying out a new tool such as Registry Explorer/RECmd . There are certainly more advanced ways to leverage Registry Explorer/RECmd but they will not be covered in this guide. Maybe in a future guide!
If by the end of this guide you don’t think to yourself “hey, I can totally use this in my day to day work”, then please let me know why that’s not the case.
Download link: Eric Zimmerman’s GitHub
Documentation: A PDF manual is included with the download. Check it out, it’s very detailed!
Alternative Documentation: SANS EZ Tool Command Line Poster
Command Line (RECmd.exe)
Command Line (rla.exe)
Screenshot (Registry Explorer)
Yes, there is a dark mode. Use it! Options -> Skins to customize the GUI to your liking.
Updating EZ Tools
First and foremost, make sure you have the latest version of Registry Explorer/RECmd. Running a PowerShell script will make sure you have all of the latest EZ Tools.
Registry Explorer/RECmd can be used in many scenarios, but here are two common ones that’ll apply to most everyday examiners.
The Ultimate Practice Scenario
Practice makes perfect, right? Before you use Registry Explorer/RECmd on evidence, use it on your own system! No one knows your system better than yourself so the artifacts you see should make sense to you. This will also help you understand the artifacts better if you’ve not had any formal training yet on Windows Artifacts. If you’ve not had training, fear not! There’s a section coming up where I’ll provide some self-study resources for these artifacts so you can approach analysis from a more informed position.
Use KAPE to run a BasicCollection or KapeTriage against your own system. With the registry files that are copied (C:\Windows\System32\config), drop them into Registry Explorer’s GUI or run RECmd against the files. Pages 3 and 4 of this guide will give visual examples on how to use these tools.
The Real World Scenario
Registry Explorer and RECmd parse out registry hives with speed and ease. Registry Explorer serves to be drag and drop for the end user and RECmd can be utilized on its own or with KAPE.
Below are some use cases for registry analysis using Registry Explorer/RECmd for the everyday law enforcement examiner:
- Check UserAssist for programs executed on the system
- Check RecentDocs for recent Office documents that were opened by the user
- Check TypedURLs for URLs typed by the user
- Check MountPoints2 and MountedDevices for external devices plugged into the system or network shares mapped to the system
- Check Run and RunOnce keys for scheduled tasks
- Check Windows NT Current Version for current OS installed
- Check ComputerName to verify hostname
- Check OpenSavePidMRU for folders recently navigated to in Open/Save dialog boxes
- Check LastVisitedPidMRU for last folder location used by an application that saved or opened a file
All of the above can help strengthen the picture you paint for your case to not only show possession of illicit material, for example, but also execution of the media players to play the illicit material, or illicit website URLs typed by the user, or artifacts showing the user saved illicit material a specific folder using a specific application. Beyond simple possession of illicit material, this can help show what was done with the illicit material to build a stronger case.
IR examiners rely on registry artifacts to prove evidence of execution and evidence of file opening. Additionally, the registry can help verify that the system they think they’re looking at is actually the system their looking at thanks to the ComputerName and Network Interfaces keys. Often, IR examiners are examining a handful of systems within enterprise networks consisting of thousands of endpoints. MountPoints2 and MountedDevices also provide useful artifacts relating to cases with potential for data exfiltration. Run and RunOnce keys are utilized by threat actors to execute malware on networks, as well. Long story short, the registry is an essential piece to an IR examination.