RegLookup is a small command-line tool for reading Windows Registry hive files offline. It walks a hive (SAM, SECURITY, SYSTEM, SOFTWARE, NTUSER.DAT, UsrClass.dat) and prints every key and value as CSV, including each key's last-write timestamp; its companion tool reglookup-recover carves deleted keys and values from unallocated space inside the hive. Because it only needs a copy of the hive file, it fits incident response and disk-image forensics where the Windows system is not (and should not be) running.
# Install via apt (Debian, Ubuntu, Kali; the package also ships reglookup-recover)
sudo apt-get update
sudo apt-get install reglookup
# Build from source: reglookup is written in C, builds with SCons and depends on libtalloc.
# Fetch the release tarball from the project site, http://projects.sentinelchicken.org/reglookup/
sudo apt-get install build-essential scons libtalloc-dev
tar xzf reglookup-*.tar.gz
cd reglookup-*/
scons
sudo scons install    # see the tarball's README for the install prefix
# Background on the hive (REGF) format itself, documentation only, not reglookup source:
# https://github.com/libyal/regf-kb
# Verify the install: reglookup prints its usage text when run with no arguments
reglookup
| Command | Purpose |
|---|---|
| reglookup <hive_file> | Dump every key and value in the hive as CSV (columns PATH,NAME,TYPE,VALUE,MTIME) |
| reglookup -p <path> <hive_file> | Restrict output to the key at <path> and everything below it; paths use forward slashes and are relative to the hive root, e.g. -p /Microsoft/Windows/CurrentVersion/Run |
| reglookup -t <type> <hive_file> | Restrict output to one data type, e.g. -t KEY for keys only, -t SZ for strings |
| reglookup -s <hive_file> | Add security descriptor columns (owner, group, SACL, DACL) to each row |
| reglookup-recover <hive_file> | Carve deleted keys and values from unallocated space in the hive |
# Paths below are relative to the root of the mounted Windows volume
# SAM (local user accounts; the password hashes inside are SYSKEY-encrypted, so the SYSTEM hive is needed to decrypt them)
/Windows/System32/config/SAM
# SECURITY (LSA secrets, cached domain credentials, local security policy)
/Windows/System32/config/SECURITY
# SOFTWARE (installed software, machine-wide Run keys, OS version and install date)
/Windows/System32/config/SOFTWARE
# SYSTEM (control sets: services, drivers, network interfaces, USB history, time zone)
/Windows/System32/config/SYSTEM
# NTUSER.DAT (per-user settings, MRU lists, per-user Run keys)
/Users/<username>/NTUSER.DAT
# UsrClass.dat (per-user HKCU\Software\Classes, including ShellBags)
/Users/<username>/AppData/Local/Microsoft/Windows/UsrClass.dat
# Each hive has transaction logs beside it (SAM.LOG1, SAM.LOG2, ...). reglookup does not replay them,
# so copy them along with the hive for tools that can; a hive from an unclean shutdown may lack its latest writes.
# List keys only (no values); the hive root is the row whose PATH is "/"
reglookup -t KEY /path/to/SYSTEM | head
# Constructed illustration of the output shape (key names and times will differ on real evidence):
# PATH,NAME,TYPE,VALUE,MTIME
# /,,KEY,,2023-01-15 10:31:02
# /ControlSet001,,KEY,,2023-01-15 10:31:02
# /Select,,KEY,,2023-01-15 10:31:02
# Read SAM hive for user accounts
reglookup /mnt/windows/Windows/System32/config/SAM
# Read SOFTWARE hive for installed programs
reglookup /mnt/windows/Windows/System32/config/SOFTWARE
# Read SYSTEM hive for boot configuration
reglookup /mnt/windows/Windows/System32/config/SYSTEM
# Export a subtree as CSV (values are always printed together with their keys)
reglookup -p /Microsoft/Windows /path/to/SOFTWARE > windows_subtree.csv
# Export the whole hive
reglookup /path/to/SOFTWARE > software_full.csv
# Keys only, with security descriptors, for a permissions review
reglookup -s -t KEY /path/to/SOFTWARE > software_keys_acl.csv
# Parse multiple hives
for hive in SAM SYSTEM SOFTWARE; do
    reglookup "/path/to/$hive" > "${hive}_dump.csv"
done
# Recover deleted keys and values from unallocated hive space (separate tool, same CSV style)
reglookup-recover /path/to/SYSTEM > system_recovered.csv
# Quick, structure-less look at leftover text in the file: ASCII and UTF-16LE (the registry stores most string data as UTF-16LE)
strings -a /path/to/SYSTEM | grep -i "suspicious-name"
strings -a -el /path/to/SYSTEM | grep -i "suspicious-name"
# reglookup has no search option: dump the hive and grep the CSV
reglookup /path/to/SOFTWARE | grep -i "User"
# MRU (Most Recently Used) lists: documents opened through Explorer, per user
reglookup -p /Software/Microsoft/Windows/CurrentVersion/Explorer/RecentDocs /path/to/NTUSER.DAT
# Autostart persistence: Run and RunOnce (machine-wide in SOFTWARE, per user in NTUSER.DAT)
reglookup -p /Microsoft/Windows/CurrentVersion/Run /path/to/SOFTWARE
reglookup -p /Microsoft/Windows/CurrentVersion/RunOnce /path/to/SOFTWARE
reglookup -p /Software/Microsoft/Windows/CurrentVersion/Run /path/to/NTUSER.DAT
# TypedPaths: paths typed into the Explorer address bar, per user
reglookup -p /Software/Microsoft/Windows/CurrentVersion/Explorer/TypedPaths /path/to/NTUSER.DAT
# CurrentControlSet is a link that exists only on a running system. Offline, read /Select
# (the Current value) to learn which ControlSet00N was active, then query that one directly
reglookup -p /Select /path/to/SYSTEM
# Network interfaces: one subkey per adapter GUID with IPAddress, DhcpIPAddress, NameServer, DhcpServer
reglookup -p /ControlSet001/Services/Tcpip/Parameters/Interfaces /path/to/SYSTEM
# Services and drivers: Start type, ImagePath, and for svchost-hosted services the Parameters\ServiceDll
reglookup -p /ControlSet001/Services /path/to/SYSTEM
# Time zone, needed to interpret any local-time timestamps found elsewhere (reglookup MTIME is UTC)
reglookup -p /ControlSet001/Control/TimeZoneInformation /path/to/SYSTEM
# Service triage: malicious services rarely announce themselves by name, so list every ImagePath and
# ServiceDll and examine the ones that do not live under the Windows directory
reglookup -p /ControlSet001/Services /path/to/SYSTEM | grep -E ',(ImagePath|ServiceDll),' | grep -vi 'system32'
# MountPoints2: volumes and shares the user mounted (USB devices, mapped network drives); this is not related to alternate data streams
reglookup -p /Software/Microsoft/Windows/CurrentVersion/Explorer/MountPoints2 /path/to/NTUSER.DAT
# Approved shell extensions (COM DLLs Explorer will load)
reglookup -p "/Microsoft/Windows/CurrentVersion/Shell Extensions/Approved" /path/to/SOFTWARE
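The commands above leave you with CSV dumps; the triage they describe (resolve the active control set from /Select, pull every service ImagePath/ServiceDll and Run entry, flag executables outside the Windows and Program Files directories, and order keys by last-write time) is easier to do once in a script. The following is an added example, not code from the reglookup project. It assumes reglookup's column layout PATH,NAME,TYPE,VALUE,MTIME with key rows carrying the timestamp and DWORD values printed as 0x-prefixed hex; the two CSV strings are constructed samples in that shape, not real evidence, and the "trusted directory" list is an analyst's assumption you would tune per case.

```python
"""Triage reglookup CSV dumps: current control set, suspicious autostarts, key timeline.
Added example; not part of reglookup. Input below is constructed (not real evidence)."""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample of `reglookup SYSTEM` output (raw string: single backslashes as reglookup prints them)
SYSTEM_CSV = r"""PATH,NAME,TYPE,VALUE,MTIME
/,,KEY,,2023-01-10 08:00:00
/Select,,KEY,,2023-01-10 08:00:00
/Select,Current,DWORD,0x00000002,
/Select,LastKnownGood,DWORD,0x00000001,
/ControlSet001/Services/Spooler,,KEY,,2022-11-01 12:00:00
/ControlSet001/Services/Spooler,ImagePath,EXPAND_SZ,C:\Windows\System32\spoolsv.exe,
/ControlSet002/Services/Spooler,,KEY,,2022-11-01 12:00:00
/ControlSet002/Services/Spooler,ImagePath,EXPAND_SZ,C:\Windows\System32\spoolsv.exe,
/ControlSet002/Services/WinHelper,,KEY,,2023-01-14 23:58:41
/ControlSet002/Services/WinHelper,ImagePath,EXPAND_SZ,C:\Users\Public\Libraries\winhelp.exe,
/ControlSet002/Services/WinHelper,Start,DWORD,0x00000002,
/ControlSet002/Services/Netsvc,,KEY,,2023-01-14 23:59:10
/ControlSet002/Services/Netsvc,ImagePath,EXPAND_SZ,C:\Windows\System32\svchost.exe -k netsvcs,
/ControlSet002/Services/Netsvc/Parameters,,KEY,,2023-01-14 23:59:12
/ControlSet002/Services/Netsvc/Parameters,ServiceDll,EXPAND_SZ,C:\ProgramData\netsvc.dll,
"""

# Constructed sample of `reglookup -p /Microsoft/Windows/CurrentVersion/Run SOFTWARE` output
SOFTWARE_CSV = r"""PATH,NAME,TYPE,VALUE,MTIME
/Microsoft/Windows/CurrentVersion/Run,,KEY,,2023-01-15 00:02:17
/Microsoft/Windows/CurrentVersion/Run,SecurityHealth,EXPAND_SZ,C:\Windows\System32\SecurityHealthSystray.exe,
/Microsoft/Windows/CurrentVersion/Run,OneDriveSync,SZ,C:\Users\alice\AppData\Local\Temp\sync.exe /silent,
"""

RUN_KEY = "/Microsoft/Windows/CurrentVersion/Run"
# Assumed "expected" locations for autostart binaries; anything else gets flagged for a look
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WINDIR_ALIASES = ("\\systemroot\\", "%systemroot%\\", "%windir%\\")
# Heuristic: the executable is everything up to the first .exe/.dll/.sys (handles unquoted paths with spaces)
EXE_RE = re.compile(r'"?(.*?\.(?:exe|dll|sys|cmd|bat|ps1))', re.IGNORECASE)


def parse_reglookup(text):
    """Rows of a reglookup CSV dump as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def current_control_set(rows):
    """Resolve CurrentControlSet offline from the /Select key's Current DWORD."""
    for r in rows:
        if r["PATH"] == "/Select" and r["NAME"] == "Current":
            return f"ControlSet{int(r['VALUE'], 0):03d}"   # int(..., 0) accepts 0x... and decimal
    raise ValueError("no /Select/Current value in dump")


def executable_path(value):
    """Normalise a service/Run command line to a lowercase absolute path of its binary."""
    m = EXE_RE.match(value.strip())
    low = (m.group(1) if m else value.strip().strip('"')).lower()
    for alias in WINDIR_ALIASES:                 # \SystemRoot\..., %SystemRoot%\..., %windir%\...
        if low.startswith(alias):
            low = "c:\\windows\\" + low[len(alias):]
            break
    if not re.match(r"[a-z]:\\", low):           # relative entries (system32\drivers\x.sys) live under Windows
        low = "c:\\windows\\" + low.lstrip("\\")
    return low


def is_trusted(path):
    return path.startswith(TRUSTED_PREFIXES)


def suspicious_autostarts(system_rows, software_rows):
    """(source, entry, executable) for services and Run values outside trusted directories."""
    hits = []
    svc_prefix = f"/{current_control_set(system_rows)}/Services/"
    for r in system_rows:
        if r["PATH"].startswith(svc_prefix) and r["NAME"] in ("ImagePath", "ServiceDll"):
            service = r["PATH"][len(svc_prefix):].split("/")[0]
            exe = executable_path(r["VALUE"])
            if not is_trusted(exe):
                hits.append(("service", service, exe))
    for r in software_rows:
        if r["PATH"] == RUN_KEY and r["TYPE"] != "KEY":
            exe = executable_path(r["VALUE"])
            if not is_trusted(exe):
                hits.append(("run", r["NAME"], exe))
    return hits


def key_timeline(rows, hive):
    """(utc_datetime, hive, key_path) for every key row, oldest first. MTIME is UTC."""
    out = []
    for r in rows:
        if r["TYPE"] == "KEY" and r["MTIME"]:
            ts = datetime.strptime(r["MTIME"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            out.append((ts, hive, r["PATH"]))
    return sorted(out)


if __name__ == "__main__":
    sys_rows, soft_rows = parse_reglookup(SYSTEM_CSV), parse_reglookup(SOFTWARE_CSV)
    print("current control set:", current_control_set(sys_rows))
    for hit in suspicious_autostarts(sys_rows, soft_rows):
        print("suspicious:", *hit)
    for ts, hive, path in sorted(key_timeline(sys_rows, "SYSTEM") + key_timeline(soft_rows, "SOFTWARE")):
        print(ts.isoformat(), hive, path)
```

On real dumps, feed `parse_reglookup(open("SYSTEM_full.csv").read())`; the Spooler entries under the stale ControlSet001 are ignored because only the control set named by /Select is checked, and the svchost-hosted service is caught through its ServiceDll rather than its (legitimate) ImagePath.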
| Option | Description |
|---|---|
| -p <path> | Restrict output to the key at <path> and its subtree (forward slashes, relative to the hive root) |
| -t <type> | Restrict output to one data type: KEY, SZ, EXPAND_SZ, MULTI_SZ, DWORD, DWORD_BE, QWORD, BINARY, LINK, NONE |
| -s / -S | Enable / disable security descriptor columns (default: disabled) |
| -h / -H | Enable / disable the CSV header row (default: enabled); -h is not "help" |
| -i | Repeat each key's modification time on its child value rows, not only on the key row |
| -v | Verbose mode (extra diagnostics on stderr) |
| reglookup-recover <hive> | Separate tool that carves deleted keys and values; reglookup itself has no --recover flag |
| reglookup-timeline <hive>... | Helper script shipped with reglookup that merges key modification times from one or more hives into a sorted timeline |
#!/bin/bash
# Dump every hive of interest from a mounted image to CSV for later grep and timeline work
set -euo pipefail
EVIDENCE_DIR="/mnt/evidence/windows"
OUTPUT_DIR="./registry_extracts"
mkdir -p "$OUTPUT_DIR"
# System hives: a plain reglookup call already walks the whole hive, keys and values
for hive in SAM SECURITY SYSTEM SOFTWARE; do
    echo "[*] Extracting $hive..."
    reglookup "$EVIDENCE_DIR/Windows/System32/config/$hive" \
        > "$OUTPUT_DIR/${hive}_full.csv"
done
# Per-user hives
for user_hive in "$EVIDENCE_DIR"/Users/*/NTUSER.DAT; do
    [ -e "$user_hive" ] || continue      # glob matched nothing
    username=$(basename "$(dirname "$user_hive")")
    echo "[*] Extracting $username NTUSER.DAT..."
    reglookup "$user_hive" > "$OUTPUT_DIR/${username}_NTUSER.csv"
done
echo "[+] Registry extraction complete"
#!/bin/bash
# Search a hive for a pattern. reglookup has no search option, so dump it and grep the CSV
# (case-insensitive; note that BINARY values appear as hex and will not match text patterns).
SEARCH_PATTERN="$1"
HIVE_FILE="$2"
if [ -z "$SEARCH_PATTERN" ] || [ -z "$HIVE_FILE" ]; then
    echo "Usage: $0 <pattern> <hive_file>"
    exit 1
fi
echo "[*] Searching for '$SEARCH_PATTERN' in $HIVE_FILE"
reglookup -H "$HIVE_FILE" | grep -i -- "$SEARCH_PATTERN" | tee search_results.csv
echo "[+] Results saved to search_results.csv"
# 1. Image the suspect volume (through a write blocker) and hash the image before touching it
dd if=/dev/sdb1 of=./disk_image.raw bs=4M conv=noerror,sync status=progress
sha256sum disk_image.raw | tee disk_image.raw.sha256
# 2. Mount read-only; noexec and nodev keep anything on the evidence from running on the analysis host
mkdir -p /mnt/evidence
mount -t ntfs-3g -o ro,loop,noexec,nodev disk_image.raw /mnt/evidence
# 3. Copy the hives together with their transaction logs; copy explicit names rather than config/*,
#    which also contains subdirectories (RegBack, TxR) and non-hive files
mkdir -p ./hives
for h in SAM SECURITY SYSTEM SOFTWARE; do
    cp /mnt/evidence/Windows/System32/config/$h* ./hives/
done
for u in /mnt/evidence/Users/*/NTUSER.DAT; do
    cp "$u" "./hives/NTUSER_$(basename "$(dirname "$u")").DAT"   # keep one copy per user
done
# 4. First look at each hive (skip the .LOG1/.LOG2 files, which are not parseable hives)
for hive in ./hives/SAM ./hives/SECURITY ./hives/SYSTEM ./hives/SOFTWARE ./hives/NTUSER_*.DAT; do
    echo "=== Analyzing $(basename "$hive") ==="
    reglookup "$hive" | head -50
done
# 5. Pull specific forensic indicators
reglookup -p /Microsoft/Windows/CurrentVersion/Run ./hives/SOFTWARE
reglookup -p /Software/Microsoft/Windows/CurrentVersion/Explorer/RecentDocs ./hives/NTUSER_<username>.DAT
# 6. Start the report; record the image hash and the tool version alongside the findings
cat > forensic_report.txt << EOF
Registry Forensic Analysis Report
==================================
Evidence: disk_image.raw ($(cat disk_image.raw.sha256))
Analysis Date: $(date -u)
Key Findings:
EOF
Registry Hive: SAM (key layout; per-account keys are named by RID in hex, 0x1F4 = 500)
- SAM
  - Domains
    - Account
      - Users
        - 000001F4 (Administrator, RID 500; binary values F and V)
        - 000001F5 (Guest, RID 501)
        - Names
          - Administrator
          - Guest
    - Builtin
      - Aliases (local groups such as Administrators and Users, with their membership)
# View the values under a key; output is CSV, one row per key or value
reglookup -p /Microsoft/Windows/CurrentVersion/Run /path/to/SOFTWARE
# Constructed illustration of the output shape (entry names and paths are made up):
# PATH,NAME,TYPE,VALUE,MTIME
# /Microsoft/Windows/CurrentVersion/Run,,KEY,,2023-01-15 10:31:02
# /Microsoft/Windows/CurrentVersion/Run,SecurityHealth,EXPAND_SZ,C:\Windows\System32\SecurityHealthSystray.exe,
# /Microsoft/Windows/CurrentVersion/Run,Updater,SZ,C:\Users\Public\update.exe,
# Only the key row carries a timestamp (the key's last-write time, UTC); value rows have none unless you pass -i
# Installed software: one subkey per product; the key's MTIME approximates the install or last-update time
reglookup -p /Microsoft/Windows/CurrentVersion/Uninstall /mnt/evidence/SOFTWARE > installed_software.csv
# On 64-bit Windows, 32-bit products are recorded under WOW6432Node
reglookup -H -p /WOW6432Node/Microsoft/Windows/CurrentVersion/Uninstall /mnt/evidence/SOFTWARE >> installed_software.csv
# Install locations outside Program Files deserve a look
grep -iE ',(InstallLocation|DisplayIcon|UninstallString),' installed_software.csv | \
    grep -iE 'temp|appdata|users\\public' | tee suspicious_installs.csv
# User accounts: each RID key holds two binary values, F (flags, last logon, RID) and V (name, SYSKEY-encrypted hashes)
reglookup -p /SAM/Domains/Account/Users /mnt/evidence/SAM > account_analysis.csv
# One line per account key, with its last-write time; RIDs of 0x3E8 (1000) and above are locally created accounts
grep -E '^/SAM/Domains/Account/Users/[0-9A-F]{8},,KEY,' account_analysis.csv
# Names maps account names to RIDs
reglookup -p /SAM/Domains/Account/Users/Names /mnt/evidence/SAM
# Disabled status, "password not required" and last logon are fields inside the F value, not named values,
# so grepping for "Password" or "LastLogin" finds nothing: decode the hex of F instead
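Decoding the F value is the step the shell commands above cannot do. The following is an added example, not code from reglookup, RegRipper or any other project. It assumes reglookup prints REG_BINARY data as one contiguous hex string, and uses the widely documented F-value layout (the same offsets RegRipper's samparse plugin reads): 0x08 last logon and 0x18 password last set as 64-bit FILETIMEs, 0x30 RID, 0x38 the 16-bit ACB flags, 0x40 failed-logon count and 0x42 logon count. The SAM CSV is constructed from synthetic F blobs built by a helper, so the account names, RIDs and times are invented.

```python
"""Decode SAM F values (flags, RID, last logon) from a reglookup CSV dump.
Added example; not reglookup's own code. Sample input is constructed."""
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

USERS_KEY = "/SAM/Domains/Account/Users/"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Account control bits (ACB) stored at offset 0x38 of F
ACB_FLAGS = {
    0x0001: "disabled",
    0x0004: "password_not_required",
    0x0010: "normal",
    0x0200: "password_never_expires",
    0x0400: "auto_locked",
}


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'never'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_f(blob):
    """Parse the fields of a SAM F value at the offsets documented for this structure."""
    if len(blob) < 0x44:
        raise ValueError(f"F value too short: {len(blob)} bytes")
    last_logon, = struct.unpack_from("<Q", blob, 0x08)
    pwd_last_set, = struct.unpack_from("<Q", blob, 0x18)
    rid, = struct.unpack_from("<I", blob, 0x30)
    acb, = struct.unpack_from("<H", blob, 0x38)
    failed, logons = struct.unpack_from("<HH", blob, 0x40)
    return {
        "rid": rid,
        "acb": acb,
        "flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "last_logon": filetime_to_dt(last_logon),
        "pwd_last_set": filetime_to_dt(pwd_last_set),
        "failed_logons": failed,
        "logon_count": logons,
    }


def accounts_from_csv(text):
    """RID -> decoded F for every account key in a reglookup dump of the SAM hive."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["PATH"].startswith(USERS_KEY) and row["NAME"] == "F" and row["TYPE"] == "BINARY":
            key_rid = int(row["PATH"][len(USERS_KEY):], 16)   # key name is the RID in hex
            info = decode_f(bytes.fromhex(row["VALUE"]))
            info["rid_matches_key"] = info["rid"] == key_rid    # mismatch would mean a tampered or misparsed key
            accounts[key_rid] = info
    return accounts


def findings(accounts):
    """Plain-language observations an analyst would put in the report."""
    notes = []
    for rid, a in sorted(accounts.items()):
        if "disabled" in a["flags"]:
            notes.append(f"RID {rid}: disabled")
        if "password_not_required" in a["flags"] and "disabled" not in a["flags"]:
            notes.append(f"RID {rid}: enabled with password-not-required set")
        if a["last_logon"] is None:
            notes.append(f"RID {rid}: never logged on")
        if rid >= 1000:
            notes.append(f"RID {rid}: locally created account, {a['logon_count']} logons")
    return notes


# --- constructed sample data (synthetic F blobs; not from any real system) ---
def build_f(rid, acb, last_logon_ft=0, logons=0):
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, last_logon_ft)
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    struct.pack_into("<H", f, 0x42, logons)
    return bytes(f)


def sample_rows(rid, acb, last_logon_ft, logons, mtime):
    key = f"{USERS_KEY}{rid:08X}"
    return f"{key},,KEY,,{mtime}\n{key},F,BINARY,{build_f(rid, acb, last_logon_ft, logons).hex()},\n"


ADMIN_LOGON_FT = 133182522000000000          # 2023-01-15 10:30:00 UTC as FILETIME
SAM_CSV = (
    "PATH,NAME,TYPE,VALUE,MTIME\n"
    f"{USERS_KEY}Names/Administrator,,KEY,,2021-06-03 14:12:55\n"
    + sample_rows(500, 0x0210, ADMIN_LOGON_FT, 37, "2023-01-15 10:30:00")
    + sample_rows(501, 0x0015, 0, 0, "2021-06-03 14:12:55")
    + sample_rows(1001, 0x0014, ADMIN_LOGON_FT + 7 * 86400 * 10**7, 3, "2023-01-22 10:30:00")
)

if __name__ == "__main__":
    accts = accounts_from_csv(SAM_CSV)
    for rid, a in sorted(accts.items()):
        print(rid, a["flags"], a["last_logon"], a["logon_count"])
    print("\n".join(findings(accts)))
```

On real evidence, replace SAM_CSV with the contents of account_analysis.csv; the Names subkeys give you the account name for each RID, and the V value (not decoded here) holds the SYSKEY-encrypted hashes, which need the SYSTEM hive's boot key to recover.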
# Network interfaces: one subkey per adapter GUID (IPAddress, DhcpIPAddress, DhcpServer, NameServer, DhcpNameServer)
reglookup -p /ControlSet001/Services/Tcpip/Parameters/Interfaces \
    /mnt/evidence/SYSTEM > network_config.csv
# DNS servers, static and DHCP-assigned
grep -iE ',(NameServer|DhcpNameServer),' network_config.csv | tee dns_analysis.csv
| Issue | Solution |
|---|---|
| Hive file not found | Verify the path: ls -la /path/to/hive (hive names are case sensitive on Linux) |
| Permission denied | Read it with sudo, or copy the file and change permissions on the copy; never chmod the original evidence |
| Corrupted or dirty hive | reglookup stops at structures it cannot parse; run reglookup-recover to carve what remains. Neither tool replays the .LOG1/.LOG2 transaction logs, so a hive copied from a system that did not shut down cleanly may lack its latest writes |
| No output | Check the format: file /path/to/hive should report "MS Windows registry file"; a .LOG file or a partial fragment will not parse |
| Search returns nothing | reglookup has no search option; dump the hive to CSV and grep -i it. Many values are BINARY and appear as hex, so text patterns will not match them |
- Always work with copies - Never analyze original evidence files directly
- Document your analysis - Keep detailed logs of all queries and findings
- Cross-reference data - Validate findings across multiple hives
- Timeline analysis - reglookup reports each key's last-write time (MTIME, UTC); compare it across hives and with file-system timestamps, and use the hive's TimeZoneInformation key before interpreting any local-time values
- Preserve chain of custody - Document evidence source and analysis methodology
- Automate repetitive tasks - Create scripts for common analysis patterns
- Export findings - Generate structured reports for legal proceedings
- RegRipper plugin reference - Enhanced registry analysis with community plugins
- SANS Digital Forensics - Registry analysis methodologies and case studies
- NIST Forensics - Windows registry forensic best practices
- Microsoft Registry documentation - Understanding registry structure and keys