Monday, December 22, 2014

Registry Explorer - Getting ready for beta.

Registry Explorer. Not very original, but it's the development name of a Windows registry tool I wrote last month. I'm getting ready to round up some beta testers, so I thought I would introduce it here. The final release name will most likely change. Current features include:

- HTML Reporting
- Hex Dump of Keys
- Low-level properties display for the hive, parent, and child keys.
- RegEx searching
- Jump to keys feature. Once a hive is loaded it is automatically scanned for the existence of user-defined keys. Those keys that are found can be jumped to directly from the quick keys pane.
- You can "goto" a key via the relative naming conventions, e.g. "hklm\software\".

It's part of a larger tool, but I'm working to fork off a copy from the main source tree that can be put out for general release and download.

Features to be completed:
- Deleted entry recovery. Deleted items are detected currently, but ignored.
- Searching of multiple hives at one time.
- Timestamp filtering.


A few screenshots to give a clear look at the user interface.


In the image below the "Quick Key" feature is outlined in red. A "Quick Key" is a list of keys grouped by hive type. The quick key behaves as a jump list for quickly accessing select keys. You can edit and add your own Quick Keys for your items of interest. If the key path associated with a quick key is not found, it is prefixed with a double asterisk "**".



In the image below the properties panes for keys, parent keys, and the hive are displayed. General key information, including a hex dump of the key, is displayed in the "KeyDecoded" tabbed panel. Currently a limited selection of complex keys are parsed/decoded and their details broken out. All other keys are shown as raw data in string and hex dump format.

  • Wifi Profiles
  • OSInstall Date
  • SAMF
  • SAMV
  • UserAssist
  • USB Devices (on the road map)
If you have any you think are important to include in the first release, send me an email and I'll see what I can get done before the beta release.




The "goto" key feature can use relative keys (e.g. HKLM\Software\...) or the full path. This feature will locate the parent and child key and highlight them in the table and tree.
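To make the Quick Key and "goto" behaviour concrete, here is an added example (my own code, not Registry Explorer's) that resolves a user-typed path such as `hklm\software\` against a small constructed hive tree, returns the parent and child key so both can be highlighted, and labels Quick Keys whose path is missing with the "**" prefix described above. The root-alias table, the nested-dict hive layout and the function names are assumptions made for the example; registry key names compare case-insensitively, which the resolver honours.

```python
"""Quick Key and "goto" path resolution over an in-memory hive tree.

Added example, not Registry Explorer code. The hive below is constructed for
illustration; real hives would be walked through a REGF parser instead.
"""
from __future__ import annotations
from typing import Optional

# Hypothetical alias table: shorthand root name -> canonical root name.
ROOT_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER", "HKEY_CURRENT_USER": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS", "HKEY_USERS": "HKEY_USERS",
}

# Constructed sample hive: nested dicts, key names as stored (case preserved).
SAMPLE_HIVE = {
    "HKEY_LOCAL_MACHINE": {
        "SOFTWARE": {
            "Microsoft": {"Windows NT": {"CurrentVersion": {}}},
        },
        "SYSTEM": {"CurrentControlSet": {"Enum": {"USBSTOR": {}}}},
    },
}


def normalize_key_path(path: str) -> list[str]:
    """Split a typed path ('hklm\\software\\') into components and expand the
    root alias. Empty components from trailing or doubled separators are
    dropped; forward slashes are accepted as separators too."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    if not parts:
        raise ValueError("empty key path")
    root = ROOT_ALIASES.get(parts[0].upper())
    if root is None:
        raise ValueError(f"unknown root key: {parts[0]!r}")
    return [root] + parts[1:]


def resolve_key(hive: dict, path: str) -> Optional[tuple[Optional[str], str]]:
    """Walk the hive tree case-insensitively. Return (parent_path, child_path)
    using the names as stored in the hive, or None if any component is missing.
    parent_path is None when the path names a root key only."""
    node = hive
    canonical: list[str] = []
    for comp in normalize_key_path(path):
        match = next((k for k in node if k.lower() == comp.lower()), None)
        if match is None:
            return None
        canonical.append(match)
        node = node[match]
    child = "\\".join(canonical)
    parent = "\\".join(canonical[:-1]) if len(canonical) > 1 else None
    return parent, child


def quick_key_labels(hive: dict, quick_keys: list[str]) -> list[str]:
    """Label each Quick Key for the jump list: unchanged when the key exists
    in the loaded hive, prefixed with '**' when it does not (or is malformed)."""
    labels = []
    for qk in quick_keys:
        try:
            found = resolve_key(hive, qk) is not None
        except ValueError:
            found = False
        labels.append(qk if found else "**" + qk)
    return labels


if __name__ == "__main__":
    print(resolve_key(SAMPLE_HIVE, "hklm\\software\\"))
    print(quick_key_labels(SAMPLE_HIVE, ["HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR",
                                         "HKCU\\Software"]))
```

The resolver returns the stored spelling of each component rather than what the user typed, so the table and tree highlight can be matched against the hive's own names.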



Regular expression based searches. A small selection of predefined greps is included, but if you have suggestions I'll look at including them. The regex input is cross-checked as it is entered to determine whether the expression is valid.



Current regular expression searches include:
  • Simple EMail
  • Common Webmail
  • FilePath
  • SimpleURL
  • IP Address
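As an added example (not the tool's own patterns or code), the block below shows what the regex search described above looks like in practice: a table of predefined greps under the five names listed, a validity check that runs on the pattern as typed so a malformed expression is reported instead of searched, and a search pass over constructed registry values that returns key path, value name and matched text for each hit. The patterns are my own approximations of each category and the value list is constructed, not taken from a real hive.

```python
"""Predefined regex greps with as-you-type validation over registry values.

Added example, not Registry Explorer code. Patterns approximate the categories
named on the page; SAMPLE_VALUES is constructed for illustration.
"""
import re
from typing import Iterable, Optional

# Hypothetical predefined greps, keyed by the names listed on the page.
PREDEFINED = {
    "Simple EMail": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    "Common Webmail": r"[A-Za-z0-9._%+-]+@(?:gmail|yahoo|hotmail|outlook)\.com",
    # Drive letter, then backslash-separated components without reserved chars.
    "FilePath": r"[A-Za-z]:\\(?:[^\\/:*?\"<>|\r\n]+\\)*[^\\/:*?\"<>|\r\n]*",
    "SimpleURL": r"https?://[^\s\"'<>]+",
    # Dotted quad with each octet limited to 0-255.
    "IP Address": r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b",
}


def validate_regex(pattern: str) -> Optional[str]:
    """Cross-check a pattern as typed. Returns None when it compiles, otherwise
    the compiler's message, which the UI can show beside the input box."""
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def search_values(values: Iterable[tuple[str, str, str]], pattern: str) -> list[tuple[str, str, str]]:
    """Run one pattern over (key_path, value_name, data) tuples.

    Returns [(key_path, value_name, matched_text), ...] in input order; a value
    with several matches yields one hit per match. Raises ValueError for an
    invalid pattern so a bad expression never silently returns zero hits."""
    err = validate_regex(pattern)
    if err is not None:
        raise ValueError(f"invalid regex: {err}")
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for key_path, value_name, data in values:
        for m in rx.finditer(data):
            hits.append((key_path, value_name, m.group(0)))
    return hits


# Constructed sample values (not from a real hive). Only the data string is
# searched; key paths are carried through so a hit can be jumped to.
SAMPLE_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\alice\AppData\Local\upd.exe"),
    (r"HKCU\Software\Example\Settings", "Contact", "alice.b@gmail.com"),
    (r"HKCU\Software\Example\Settings", "Server", "http://10.0.0.5:8080/api"),
    (r"HKCU\Software\Example\Settings", "Notes", "ping 256.1.1.1 then 192.168.1.1"),
]


if __name__ == "__main__":
    for name, pat in PREDEFINED.items():
        print(name, search_values(SAMPLE_VALUES, pat))
    print(validate_regex("(unclosed"))
```

Note that the IP pattern rejects 256.1.1.1 while still finding the address embedded in the URL value, which is the kind of false positive and embedded match a practitioner should expect a predefined grep to deal with.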



First return from a regular expression search for file path.



Reporting on select keys is built in to the application.



I would like to hear back from anyone on features that they find other tools lack, or a wish list of possible features. I'll post again when I'm ready for beta test volunteers.

Thanks.





3 comments:

  1. Nice work! I am working on a registry tool as well. What are you using under the covers to actually parse out the hives?

  2. Hi ERZ.
    I wrote it from the ground up in C#. I used the registry document by Joachim Metz (Windows NT Registry File (REGF) format specification) and the one by Timothy Morgan to guide me through the registry structures (http://www.sentinelchicken.com/research/registry_format).

    Harlan Carvey just posted on a registry parser library in C# released by EricZimmerman on GitHub.

  3. Doh! We should collaborate. The code mentioned by Harlan is mine. You can see my stuff at http://binaryforay.blogspot.com/

    I'd love to compare our approaches. So far I am parsing everything out and recovering/reassociating deleted keys/values. I also expose slack space for values and some other interesting things.

    If you are interested, grab my email from GitHub or let me know where to get a hold of you offline.

    Willi Ballenthin and I have a common format we use to test the results of our parsers (make sure we see same keys, values, types, etc).
