RegRipper is a specialized forensic tool for analyzing Windows Registry hives. It automates extraction of forensically significant data from registry files using a plugin architecture, enabling rapid identification of user activities, installed software, network configuration, and suspicious modifications. Essential for incident response and digital forensics investigations.
```bash
# Install via apt
sudo apt-get update
sudo apt-get install regripper

# Manual installation
git clone https://github.com/keydet89/RegRipper3.0
cd RegRipper3.0

# Verify installation: -h prints usage, -l lists plugins (-p selects a plugin to run)
rip.pl -h
rip.pl -l

# Install required Perl modules
sudo apt-get install perl libparse-win32registry-perl

# Via CPAN
cpan
cpan> install Parse::Win32Registry
cpan> install Digest::MD5
cpan> install Getopt::Long
```
| Command | Purpose |
|---|---|
| `rip.pl -r <hive> -f <profile>` | Run a plugin profile against a hive (`-f` takes the profile name) |
| `rip.pl -r <hive> -a` | Automatically run every plugin that applies to the hive type |
| `rip.pl -r <hive> -p <plugin>` | Run a single plugin against a hive |
| `rip.pl -r <hive> -g` | Guess the hive type (`-g` does not produce graph output) |
| `rip.pl -l` | List all available plugins |
| `rip.pl -l \| grep <keyword>` | Filter the plugin list by keyword |
```text
# User hives
NTUSER.DAT    # Per-user settings, MRU, Run keys
UsrClass.dat  # User class objects

# System hives
SAM           # User accounts, security identifiers
SYSTEM        # Boot config, services, network settings
SOFTWARE      # Installed software, Windows settings
SECURITY      # Security policies, cached credentials

# Event logs
EVENTLOG      # Windows Event Log data

# Application hives
Amcache.hve   # Application execution history
BBI           # Application compatibility
```
```bash
# View complete plugin list (-l lists; -p runs a named plugin)
rip.pl -l

# Count available plugins
rip.pl -l | wc -l

# Sample output (500+ plugins available):
# appcompat - Application Compatibility Shims
# arp - ARP Cache (arpcache)
# application_events - Application Event Log
# applets - Applets (Run)
# apppaths - Application Paths
# aslr - Address Space Layout Randomization

# Find plugins related to user activity
rip.pl -l | grep -i "user\|mru\|recent"

# Find malware/persistence plugins
rip.pl -l | grep -i "autorun\|services\|malware"

# Find network-related plugins
rip.pl -l | grep -i "network\|adapter\|dns"

# Find browser/history plugins
rip.pl -l | grep -i "browser\|history\|ie\|chrome"
```
```bash
# Analyze user accounts
rip.pl -r /path/to/SAM -p sam

# Extract account information
rip.pl -r /path/to/SAM -p samparse

# View user account details
rip.pl -r /path/to/SAM -p samkey

# Analyze password policy
rip.pl -r /path/to/SAM -p samparse | grep -i "password\|policy"
```
```bash
# Analyze installed applications
rip.pl -r /path/to/SOFTWARE -p software

# Extract Microsoft Windows settings
rip.pl -r /path/to/SOFTWARE -p applets

# List installed software with versions
rip.pl -r /path/to/SOFTWARE -p uninstall

# Detect shell extensions
rip.pl -r /path/to/SOFTWARE -p shellext

# Analyze Windows components
rip.pl -r /path/to/SOFTWARE -p msie
```
```bash
# Analyze system configuration
rip.pl -r /path/to/SYSTEM -p system

# Extract services and drivers
rip.pl -r /path/to/SYSTEM -p services

# Analyze network adapters
rip.pl -r /path/to/SYSTEM -p networks

# Extract boot configuration
rip.pl -r /path/to/SYSTEM -p bootexecute

# View USB device history
rip.pl -r /path/to/SYSTEM -p usbstor
```
```bash
# Analyze user activities
rip.pl -r /path/to/NTUSER.DAT -p ntuser

# Extract run history
rip.pl -r /path/to/NTUSER.DAT -p run

# View recently accessed files
rip.pl -r /path/to/NTUSER.DAT -p recent

# Analyze search terms
rip.pl -r /path/to/NTUSER.DAT -p search

# View typed paths (Windows Explorer)
rip.pl -r /path/to/NTUSER.DAT -p typedpaths

# Extract mount point data (MountedDevices lives in the SYSTEM hive, not NTUSER.DAT)
rip.pl -r /path/to/SYSTEM -p mounteddevices
```
```bash
# Extract all forensically significant data: -a runs every plugin that applies to the hive type
rip.pl -r /path/to/SYSTEM -a > system_profile.txt
rip.pl -r /path/to/SOFTWARE -a > software_profile.txt
rip.pl -r /path/to/SAM -a > user_accounts.txt
rip.pl -r /path/to/NTUSER.DAT -a > user_activities.txt
rip.pl -r /path/to/UsrClass.dat -a > user_classes.txt

# Generate summary report
cat > forensic_summary.txt << EOF
=== FORENSIC REGISTRY ANALYSIS ===
System Profile: $(date)
Analyst: $(whoami)
System Configuration: system_profile.txt
Installed Software: software_profile.txt
User Accounts: user_accounts.txt
User Activities: user_activities.txt
EOF
```
```bash
# Check for autostart locations
rip.pl -r /path/to/SOFTWARE -p appcompat | tee appcompat.txt
rip.pl -r /path/to/SOFTWARE -p applets | grep -i "run\|startup"

# Analyze services for backdoors
rip.pl -r /path/to/SYSTEM -p services | grep -v "Microsoft" > third_party_services.txt

# Check scheduled tasks
rip.pl -r /path/to/SOFTWARE -p scheduled

# Review browser extensions
rip.pl -r /path/to/NTUSER.DAT -p browseraddons

# Check WinLogon settings
rip.pl -r /path/to/SOFTWARE -p winlogon
```
```bash
# Extract MRU (Most Recently Used)
rip.pl -r /path/to/NTUSER.DAT -p mru

# Get recent document access
rip.pl -r /path/to/NTUSER.DAT -p recent > recent_docs.txt

# View WordWheelQuery (search history)
rip.pl -r /path/to/NTUSER.DAT -p wordwheel

# Extract typed URLs
rip.pl -r /path/to/NTUSER.DAT -p typedurls

# Analyze application usage
rip.pl -r /path/to/NTUSER.DAT -p appusage
```
```bash
# Search for suspicious services
rip.pl -r /path/to/SYSTEM -p services | \
    grep -v "Microsoft\|Windows\|Drivers" > suspicious_services.txt

# Check for rootkit indicators
rip.pl -r /path/to/SYSTEM -p bootexecute

# Analyze application paths
rip.pl -r /path/to/SOFTWARE -p apppaths | grep -E "temp|appdata|system32"

# Review startup programs
rip.pl -r /path/to/NTUSER.DAT -p startup

# Check for WMI persistence
rip.pl -r /path/to/SOFTWARE -p wmi
```
| Category | Common Plugins |
|---|---|
| User Activity | run, recent, typedpaths, mru, search |
| Persistence | services, startup, appcompat, winlogon |
| Software | software, uninstall, apppaths, shellext |
| Network | networks, adapter, arp, snmp |
| Security | sam, samparse, sharedaccess |
| System | system, bootexecute, usbstor |
| Browser | ie, iehistory, typedurls, browseraddons |
```bash
#!/bin/bash
# Comprehensive registry analysis across all hives
EVIDENCE_DIR="$1"
OUTPUT_DIR="${2:-.}/registry_analysis"

if [ -z "$EVIDENCE_DIR" ]; then
    echo "Usage: $0 <evidence_directory> [output_directory]"
    exit 1
fi

mkdir -p "$OUTPUT_DIR"
echo "[*] Starting registry analysis..."
echo "[*] Evidence directory: $EVIDENCE_DIR"
echo "[*] Output directory: $OUTPUT_DIR"

# Analyze each system hive; -a runs every plugin that applies to the hive type
for hive in SYSTEM SOFTWARE SAM SECURITY; do
    hive_path="$EVIDENCE_DIR/Windows/System32/config/$hive"
    if [ -f "$hive_path" ]; then
        echo "[*] Analyzing $hive..."
        rip.pl -r "$hive_path" -a > "$OUTPUT_DIR/${hive}_analysis.txt" 2>/dev/null
        echo "[+] $hive analysis complete"
    else
        echo "[-] $hive not found at $hive_path"
    fi
done

# Analyze user hives (one NTUSER.DAT per profile directory)
for user_hive in "$EVIDENCE_DIR"/Users/*/NTUSER.DAT; do
    if [ -f "$user_hive" ]; then
        username=$(basename "$(dirname "$user_hive")")
        echo "[*] Analyzing $username profile..."
        rip.pl -r "$user_hive" -a > "$OUTPUT_DIR/${username}_NTUSER_analysis.txt" 2>/dev/null
        echo "[+] $username analysis complete"
    fi
done

echo "[+] Registry analysis complete - results in $OUTPUT_DIR"
```
```bash
#!/bin/bash
# Run multiple specific plugins for targeted analysis
HIVE_FILE="$1"
OUTPUT_PREFIX="${2:-.}/analysis"

if [ -z "$HIVE_FILE" ]; then
    echo "Usage: $0 <hive_file> [output_prefix]"
    exit 1
fi

# Plugins to run; a plugin that does not apply to this hive type simply produces no data
PLUGINS=(
    "sam"
    "run"
    "recent"
    "services"
    "networks"
    "uninstall"
    "startup"
    "typedpaths"
    "shellext"
    "apppaths"
)

for plugin in "${PLUGINS[@]}"; do
    echo "[*] Running $plugin plugin..."
    if rip.pl -r "$HIVE_FILE" -p "$plugin" > "${OUTPUT_PREFIX}_${plugin}.txt" 2>/dev/null; then
        echo "[+] $plugin complete"
    else
        echo "[-] $plugin failed (see ${OUTPUT_PREFIX}_${plugin}.txt)"
    fi
done

echo "[+] All plugins executed"
```
```bash
# Find all startup programs (-a runs every plugin that applies to the hive type)
rip.pl -r NTUSER.DAT -a | grep -i "startup\|autorun" > startup_programs.txt

# Identify suspicious file paths
rip.pl -r SOFTWARE -a | grep -E "Temp|AppData|System32" | \
    grep -v "Microsoft" > suspicious_paths.txt

# Extract credentials or sensitive data
rip.pl -r NTUSER.DAT -a | grep -i "password\|credential\|token"

# Find deleted entries (unallocated registry space): the del plugin walks unallocated
# cells; grepping live output for "deleted" finds nothing because it is not labelled
rip.pl -r SYSTEM -p del

# Generate a timeline from registry data: -aT runs the hive's TLN plugins and emits
# epoch|REG|system|user|description lines; -s and -u fill the system and user fields
rip.pl -r NTUSER.DAT -aT -s <system> -u <user> | sort -t'|' -k1,1n > registry_timeline.tln

# Combine with filesystem timestamps (filesystem.tln is a placeholder for a TLN-format
# file produced from the file system by another tool) and re-sort by epoch
sort -t'|' -k1,1n registry_timeline.tln filesystem.tln > combined_timeline.tln
```
```bash
# Step 1: Extract services
rip.pl -r SYSTEM -p services > services.txt

# Step 2: Check for suspicious services
grep -v "Microsoft\|Windows\|Intel\|NVIDIA" services.txt | \
    grep -E "\.exe|\.scr|\.bat" > suspicious.txt

# Step 3: Review startup programs
rip.pl -r NTUSER.DAT -p startup >> suspicious.txt

# Step 4: Analyze shell extensions
rip.pl -r SOFTWARE -p shellext >> suspicious.txt

echo "[+] Suspicious artifacts extracted"
```
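A triage pass over the services and startup output collected above, added here as an example (not RegRipper's own code). It assumes a simplified line layout for the constructed sample (`name  ImagePath = path` or `name -> path`; real plugin output varies per plugin) and a hypothetical allowlist, and flags every entry whose binary lives in a user-writable directory rather than relying on vendor-name greps.

```bash
#!/bin/bash
# Added example (not part of RegRipper): triage persistence entries for binaries that
# live in user-writable directories. The sample is constructed; its layout simplifies
# services/run plugin output (name, then "ImagePath = " or "-> ", then the command line).
SAMPLE_OUTPUT='wuauserv  ImagePath = C:\Windows\system32\svchost.exe -k netsvcs
UpdSvc    ImagePath = C:\Users\alice\AppData\Roaming\upd.exe
OneDrive  -> "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
Helper    -> C:\ProgramData\tmp\helper.exe
SecurityHealth -> %windir%\system32\SecurityHealthSystray.exe
Dropper   -> C:\Windows\Temp\x.bat'

# Directories a standard user (or a service with no admin rights) can write to.
USER_WRITABLE='\\(Users|ProgramData|Temp|Public)\\'

# Hypothetical allowlist of entries known to be benign on this estate; extend per case.
KNOWN_GOOD='\\Microsoft\\OneDrive\\OneDrive\.exe'

# Read plugin output on stdin; print NAME<TAB>PATH for every entry whose binary sits
# under a user-writable directory and is not allowlisted. Matching is case-insensitive;
# surrounding quotes and command-line arguments are stripped from the path.
flag_user_writable() {
    grep -iE "$USER_WRITABLE" | grep -viE "$KNOWN_GOOD" | while IFS= read -r line; do
        name=${line%%[[:space:]]*}   # first token is the service / value name
        rest=${line#*[=>]}           # text after "ImagePath =" or "->"
        rest=${rest# }               # drop the separating space
        case $rest in
            \"*) rest=${rest#\"}; path=${rest%%\"*} ;;  # quoted: up to closing quote
            *)   path=${rest%% *} ;;                     # unquoted: up to first argument
        esac
        printf '%s\t%s\n' "$name" "$path"
    done
}

# Wrapper over the constructed sample: returns the flagged entry names, one per line.
flagged_names() {
    printf '%s\n' "$SAMPLE_OUTPUT" | flag_user_writable | cut -f1
}

flagged_names
```

Review each flagged path against the file system image and the allowlist before calling it malicious; a legitimate updater in AppData is common, which is exactly why the allowlist exists.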
```bash
# Step 1: Extract recent files
rip.pl -r NTUSER.DAT -p recent > recent_files.txt

# Step 2: Get MRU lists
rip.pl -r NTUSER.DAT -p mru >> recent_files.txt

# Step 3: Check typed paths
rip.pl -r NTUSER.DAT -p typedpaths >> recent_files.txt

# Step 4: Extract application usage
rip.pl -r NTUSER.DAT -p appusage >> recent_files.txt

# Step 5: Generate timeline
grep -oE '[0-9]{4}-[0-9]{2}-[0-9]{2}' recent_files.txt | \
    sort -u > activity_dates.txt

echo "[+] User activity timeline created"
```
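The two timeline procedures above (registry timeline merged with filesystem timestamps, and the user-activity timeline) both end with a pipe-delimited list that still needs human-readable dates. This added example (not RegRipper's code) converts TLN lines into sorted CSV; it assumes the five-field layout epoch|source|system|user|description that `rip.pl -aT` emits, GNU date for the epoch conversion, and a constructed sample mixing two registry events with one filesystem event to show the merge.

```bash
#!/bin/bash
# Added example (not part of RegRipper): normalise TLN timeline lines into sorted CSV.
# Assumed TLN layout: epoch|source|system|user|description (what rip.pl -aT emits;
# the FILE line stands in for a filesystem timeline produced by another tool).
# Constructed sample input, deliberately out of order:
SAMPLE_TLN='1700000000|REG|WKS01|alice|Run key - Updater -> C:\Users\alice\AppData\Roaming\upd.exe
1600000000|REG|WKS01|-|Services - LastWrite
1650000000|FILE|WKS01|-|M... C:\Users\alice\AppData\Roaming\upd.exe'

# Read TLN on stdin, write CSV on stdout: header, then rows sorted by epoch with an
# ISO-8601 UTC timestamp (GNU date). Lines with a non-numeric epoch are skipped and the
# free-text description is quoted so embedded commas survive.
tln_to_csv() {
    local q='"' epoch src host user desc stamp
    echo 'time_utc,source,system,user,description'
    sort -t'|' -k1,1n | while IFS='|' read -r epoch src host user desc; do
        case "$epoch" in ''|*[!0-9]*) continue ;; esac
        stamp=$(date -u -d "@$epoch" +%Y-%m-%dT%H:%M:%SZ)
        printf '%s,%s,%s,%s,%s%s%s\n' "$stamp" "$src" "$host" "$user" \
            "$q" "${desc//$q/$q$q}" "$q"
    done
}

# Helpers over the constructed sample: first data row, and row count (header included).
timeline_first_event() { printf '%s\n' "$SAMPLE_TLN" | tln_to_csv | sed -n 2p; }
timeline_row_count()   { printf '%s\n' "$SAMPLE_TLN" | tln_to_csv | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_TLN" | tln_to_csv
```

Feeding `combined_timeline.tln` through `tln_to_csv` gives the same CSV for real evidence; the FILE event landing between the two registry events is what makes the merged view useful.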
```bash
# Step 1: Baseline system services
rip.pl -r SYSTEM -p services | grep "Running" > baseline_services.txt

# Step 2: Check installed software modifications
rip.pl -r SOFTWARE -p software > installed_software.txt

# Step 3: Analyze network configuration
rip.pl -r SYSTEM -p networks > network_config.txt

# Step 4: Review USB device history
rip.pl -r SYSTEM -p usbstor > usb_history.txt

# Step 5: Generate compromise report
echo "Potential compromise indicators:" > compromise_report.txt
grep -E "Unknown|Suspicious|Modified" *.txt >> compromise_report.txt
```
```bash
# Guess the hive type before choosing plugins (-g identifies the hive; rip.pl has no graph output mode)
rip.pl -r NTUSER.DAT -g

# Timeline (TLN) output: run every TLN plugin for the hive and sort by epoch
rip.pl -r SYSTEM -aT | sort -t'|' -k1,1n > timeline.tln

# SAM plugin with context
rip.pl -r SAM -p samparse 2>/dev/null | tail -50

# Services plugin with filtering
rip.pl -r SYSTEM -p services | grep -A5 "Start\|Path"

# Run keys (the run plugin prints each value in full; rip.pl has no "-a detailed" option)
rip.pl -r NTUSER.DAT -p run
```
| Issue | Solution |
|---|---|
| Plugin not found | Verify the plugin exists: `rip.pl -l \| grep plugin_name` |
| Permission denied | Run with sudo or ensure the file is readable: `chmod 644 hive` |
| Hive corruption | Check whether the hive is dirty with `rip.pl -r hive -d`, or use alternative tools |
| No output | Check hive path and format with `file /path/to/hive`, and confirm the plugin applies to that hive type |
| Perl warnings | Install missing modules: `cpan Parse::Win32Registry` |
- Always use copies - Never analyze original evidence files
- Document your findings - Maintain detailed analysis logs
- Cross-validate results - Verify findings with multiple plugins
- Timestamp everything - Record analysis date and time
- Organize output - Use consistent directory structure for reports
- Chain of custody - Document evidence source and analyst information
- Automate repetitive tasks - Create scripts for common workflows
- Official RegRipper GitHub - Latest plugins and updates
- Harlan Carvey’s Blog - Registry forensics methodology
- SANS Digital Forensics - Advanced registry analysis techniques
- Microsoft Registry Reference - Official registry key documentation