REG key value #6

Open
hammjd opened this issue Aug 16, 2017 · 3 comments
Comments

hammjd commented Aug 16, 2017

Feature Request: Import raw .REG key values... They're easy to collect with PowerShell and faster than trying to get the entire SYSTEM hives.

@mbevilacqua (Owner) commented

Can you share a sample of what that looks like or the PS command used to export so I can generate a few of those? Should be simple enough to add a new ingestion plugin here.

hammjd commented Sep 6, 2017

Sure. It's really just a dump/export of the key from the registry. Here's an example from my forensic VM... To get this to you quickly, I just used regedit to export the key. (Change the extension to .reg from .txt.) You can also use the following command on your local system:

reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" appcompat.reg
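As an added example (not code from the project or from the commenters), a small Python reader for such an export: it decodes the .reg text, reassembles the wrapped hex of the AppCompatCache value into bytes, and sanity-checks the blob before handing it to a ShimCache parser. The sample export below is constructed; the "10ts" signature check reflects the Windows 10 AppCompatCache layout (first DWORD is the header size, first entry starts with "10ts").

```python
import re
import struct

# Constructed sample (decoded text) of what `reg export` writes for the
# AppCompatCache key. Header bytes are made up; the layout follows the .reg
# format: comma-separated hex bytes, long values wrapped with a trailing "\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache]
"AppCompatCache"=hex:30,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,31,30,74,73
"CacheMainSdb"=hex:01,02
'''

# "name"=hex:..  (REG_BINARY) or "name"=hex(b):..  (other types, hex-encoded)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=hex(?:\((?P<type>[0-9a-f]+)\))?:(?P<data>.*)$', re.I)

def load_reg_text(raw: bytes) -> str:
    """regedit/reg.exe write UTF-16LE with a BOM; older tools wrote ANSI."""
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")

def parse_reg_binary_values(text: str) -> dict:
    """Map (key path, value name) -> bytes for every hex-encoded value in a .reg export."""
    values, key, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # current key path for following values
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        data = m.group("data")
        while data.endswith("\\") and i < len(lines):   # join wrapped hex lines
            data = data[:-1] + lines[i].strip()
            i += 1
        values[(key, m.group("name"))] = bytes(int(t, 16) for t in data.split(",") if t)
    return values

def shimcache_summary(blob: bytes) -> dict:
    """Quick plausibility check: header size from the first DWORD, Win10 '10ts' marker."""
    header = struct.unpack_from("<I", blob, 0)[0] if len(blob) >= 4 else None
    sig = blob[header:header + 4] if header is not None and len(blob) >= header + 4 else b""
    return {"size": len(blob), "header_size": header, "win10_signature": sig == b"10ts"}
```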

nbareil commented Apr 26, 2018

For the record, this issue depends on #4, since this feature has been implemented in mandiant/ShimCacheParser#15.
