Table of Contents
- Page 1 – Introduction, Screenshots, Usage Scenarios
- Page 2 – Registry Explorer – GUI
- Page 3 – RECmd – Command Line, How to Use rla.exe, Examining RECmd Output (CSV)
- Page 4 – Conclusion, Registry-Related CTFs, Related Blogs Posts/Videos, Change Log
Registry Explorer – GUI
How to Use Registry Explorer
Registry Explorer is a very powerful and easy to use tool for traversing registry hives. Think of it like RegEdit but on steroids. There are lots of great features to help make your life easier.
- An Intuitive GUI
- Registry Explorer’s GUI is very easy to use. However, due to the limitations in the size of the below screenshots/GIFs, I wanted to make sure everyone is aware that the left pane is scrollable and has valuable data that would otherwise be visible when Registry Explorer is maximized.
- View the live registry hives from your own system
- Requires you to execute Registry Explorer as Administrator
- For each registry hive, there are bookmarks that have been implemented for your convenience. In this example, I have the following hives open: SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT, and jcloudy’s NTUSER.DAT. Watch how the number of bookmarks change for each hive that I click on.
- NOTE: These are bookmarks that come with Registry Explorer. You can created your own custom bookmarks to cover artifacts that don’t have a bookmark for them. Ideally, if you create your own bookmarks, contribute them to RegistryExplorerBookmarks repository.
- There are multiple ways to navigate the bookmarks. The bookmarks will depend on which hive you’re actively navigating in. As you can see in this example, I select a hive and then wrap to a bookmark for that respective hive. Again, you can see the number of Bookmarks change as I go between the hives. I only explorer SYSTEM and SOFTWARE in this example but it’s the same process for the other open hives.
- Available Bookmarks
- Available Bookmarks will show the total amount of Bookmarks available for all open registry hives. Note: each key shown here is the ROOT key for each bookmark shown. Any user defined bookmarks are shown in blue.
- Available Bookmarks
- Bookmark Manager
- Honestly, this is an awesome place to learn about the registry. Lots of good information here that’ll help you study for the GCFE.
- Bookmark Manager
- Show Root Key Name on bottom left (check box)
- Why is this good to know? Because you can double click on the path to copy it to your clipboard. If you don’t want ROOT\ to be included, then this is how you modify that!
- Tools -> Find
- This is a way to search across all open registry hives. Please note that you can double click on any of the results and you’ll warp to that hit in the main Registry Explorer window. Also, the results can be exported via the “Export results” button on the bottom right. To demonstrate, you can do a simple expression like “jcloudy” and see what turns up:
- Or you can do a regex for an IP address, such as this:
- Which will result in the following hits in the Value Data column:
- For the purpose of consistency, we’ll use the search term “jcloudy” for demonstration purposes. This will filter down the results to only show what’s applicable to our query.
- Much like Grouping in Timeline Explorer, you can group on the right half of Registry Explorer, if need be. For this example, we’ll be traversing jcloudy’s NTUSER.dat file to view the RecentDocs artifact.
- Plugins make your life easier! Peruse the plugins to learn a thing or two. After that, you can check them out on GitHub where you can contribute your own!
- Without Plugins, Registry Explorer parses additional information relating to specific artifacts and, in some instances, decodes artifacts for you, such as UserAssist which is natively stored in ROT-13. For instance, here’s the AppCompatCache Plugin as it’s displayed in Registry Explorer’s GUI:
- Within the right pane of Registry Explorer, you can enable Show Find Panel and do filtering based on your query, much like in Timeline Explorer.
- At any point in time, you can double click on the path in the bottom left to copy it to your clipboard.
- Help -> Legend. This isn’t readable in dark mode so I apologize in advance for blinding you!
- Help -> Quick Help provides some quick tips that’ll help you make better use of Registry Explorer.