Regscout

Windows Registry Forensics Scripts

These scripts were created as a way to pull and parse the Windows registry for forensics and characterization of an endpoint, while preparing the results to be ingested into an Elasticsearch backend and visualized in Kibana.

There have been 2 major milestones for these scripts to date:

  • Version 1.00 was the initial creation, getting it to work.

  • Version 2.00 was a major undertaking to move the output to an ECS-aligned schema.

I have also spent more time during the 2.00 versions trying to document the locations of the data, so that even if the scripts are not used, the cybersecurity community at large could benefit from a consolidation of key registry artifacts.

I have also spent a lot of time creating a parser for the collected data, so that the output requires as little interpretation as possible. This is not always 100% done, but it is my end goal for this project.

Windows Registry

Overview

What is the Windows Registry?

From Microsoft: "The registry is a system-defined database in which applications and system components store and retrieve configuration data."

In other words, this is where the operating system and installed programs store their configuration and, possibly, a history of what a program or user has done.

Why does this matter to us in the world of cyber defense and digital forensics?

There is a ton of information that can be extracted from the registry if you know where to look. Some of the big items we can find in the registry include:

  • Startup operations
  • Current and Past networks connected to
  • Recent user activities
  • Devices connected to the system
  • Printers that have been used
  • Services and their properties/configurations
  • Network shares connected to
  • Persistence of malicious programs

This is just a short list of the items we may find of interest when hunting through the Windows registry, but how do we go about looking into these items? There are so many registry entries on a Windows system.

Windows helps keep things organized by splitting them up into separate registry hives.

There are a handful of hives, all of which have very important uses in the way the Windows operating system works.

  • HKEY_CLASSES_ROOT (HKCR)
    • Contains information about registered applications. This is a combination of the current_user and local_machine Classes subkeys, where the current-user information overrides a matching local_machine registry key.
  • HKEY_CURRENT_USER (HKCU)
    • Registry settings of the currently logged-in user. Data here is pulled from the user's ntuser.dat file.
  • HKEY_LOCAL_MACHINE (HKLM)
    • Stores settings that are specific to the local computer. These keys are loaded at boot from the hive files located in the %systemroot%\system32\config folder.
  • HKEY_USERS (HKU)
    • Similar to HKEY_CURRENT_USER, but rather than the currently logged-in user it tracks all the profiles currently stored on the computer.
  • HKEY_CURRENT_CONFIG (HKCC)
    • Pointer to settings currently in use by the computer. Most of the items point into the HKLM hive; changes made to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\ typically mirror into HKCC and vice versa.

The registry is your typical database where you have keys and values.

  • Keys are similar to folders in the filesystem. They are used as a way to organize the data in the registry.
  • Values are name/data pairs that are stored inside of a registry key. Think of these like the documents inside of a folder.

The registry can contain several types of values in it, so it can be more than just numbers or words. Here is a quick chart to cover those various items:

| Type Name | Meaning |
|---|---|
| REG_NONE | No type (the stored value, if any) |
| REG_SZ | A string value |
| REG_EXPAND_SZ | An "expandable" string value that can contain environment variables |
| REG_BINARY | Binary data |
| REG_DWORD | A 32-bit unsigned integer |
| REG_LINK | A symbolic link to another registry key |
| REG_MULTI_SZ | A multi-string value, which is an ordered list of non-empty strings |
| REG_RESOURCE_LIST | A resource list |
| REG_QWORD | A 64-bit integer |
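As an added example (not Regscout's own code), the following PowerShell function lists every value under a key together with the REG_* type from the table above and a decoded form that fits that type; the default key path is a placeholder and the REG_* name mapping is derived from the .NET RegistryValueKind enum.

```powershell
# Added example (not Regscout code): enumerate every value under a registry key and report
# the REG_* type from the table above alongside a decoded form appropriate to that type.
# Hypothetical default path; any HKCU:/HKLM: path works. HKU is not a PSDrive by default:
#   New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
function Get-RegValueReport {
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')

    # .NET RegistryValueKind -> REG_* name. REG_LINK and REG_RESOURCE_LIST surface as Unknown.
    $regNames = @{
        None = 'NONE'; String = 'SZ'; ExpandString = 'EXPAND_SZ'; Binary = 'BINARY'
        DWord = 'DWORD'; MultiString = 'MULTI_SZ'; QWord = 'QWORD'; Unknown = 'UNKNOWN'
    }

    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        # read REG_EXPAND_SZ unexpanded so the report shows what is actually stored
        $raw = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

        $decoded = switch ([string]$kind) {
            'ExpandString' { [Environment]::ExpandEnvironmentVariables($raw) }
            'MultiString'  { $raw -join ' | ' }
            # DWORD/QWORD come back signed; reinterpret the bytes so 0xFFFFFFFF is not shown as -1
            'DWord'        { $u = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$raw), 0); '0x{0:x8} ({0})' -f $u }
            'QWord'        { $u = [BitConverter]::ToUInt64([BitConverter]::GetBytes([int64]$raw), 0); '0x{0:x16} ({0})' -f $u }
            'Binary'       { ($raw | ForEach-Object { '{0:x2}' -f $_ }) -join ' ' }
            default        { [string]$raw }
        }

        [pscustomobject]@{
            Key     = $key.Name
            Name    = $(if ($name -eq '') { '(Default)' } else { $name })
            RegType = 'REG_' + $regNames[[string]$kind]
            Decoded = $decoded
        }
    }
}

Get-RegValueReport | Format-Table -AutoSize
```

Run it against a Run key and the report shows the same value once as stored (REG_EXPAND_SZ with %VAR% intact) and once expanded, which is what an analyst needs when deciding what a startup entry actually launches.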

Regscout Modules

I want to introduce a tool I have developed to extract important information from Windows computers. I went with a modularized set of PowerShell scripts that are prepared to be used in a framework and currently set up to ship results back to an Elasticsearch instance for analysis.

Here is a list of the modules and a brief description as to what they were built for:

| Module | Description |
|---|---|
| ComputerInfo | List of several computer baseline items: processor info, system environment, RDP enabled, prefetch, paging, last user logged in. |
| DownloadDocs | Lists all items for which the user was prompted to open/save files (last 20 per extension). |
| Enum | List of any device connected to the computer (USB devices will be in this list). |
| File Extensions | List of all extensions and the default apps assigned, per user and program, to open them. |
| Firewalls | List of all firewall rules that are allowed on the host. |
| IEHistory | User web browsing history for Internet Explorer. |
| IESettings | User Internet Explorer settings. |
| InstalledPrograms | List of all programs that are installed (as listed in the uninstall list). |
| KnownDlls | List of trusted DLLs that have special treatment by the OS. |
| LanMan | List of share permissions and names of folders shared out to the network. |
| Last Visit | List of executables used by an application to open files. Also lists the directory location of the last file accessed by that application. |
| Mounted Devices | Gathers all devices that have been mounted on the system (mainly HDDs), displaying the connection type, vendor and name. |
| Networks | A collection of network information for the host: IPv4, IPv6, any wireless networks, a list of networks connected to in the past, and the NICs present (anything network related). |
| Office Server Cache | List of Office online locations that a user has accessed (most will be SharePoint). |
| Printers | List of all printers installed on a computer; not all printers will be added to a user. |
| Recent Apps | List of applications that were recently run, per user. |
| RecentDocs | Grabs all documents/types that have been opened (up to the last 20 per extension). |
| Recycle Bypass | The main item here is NukeOnDelete (if this is set to 1, the Recycle Bin is not used). |
| RunPrograms | List of everything typed into the Run command. |
| Services | Services that are registered with the OS. |
| Shell Folders | Locations of user profile folders (Desktop, Documents, Start Menu, etc.). |
| UserAssist | List of recent links and executable files that were recently opened, per user. |
| UserPrinters | Displays the list of any printers that users have added under their profile. |
| UserList | List of users, SIDs, and locations. |
| UserShares | Lists any and all shares set up by the user/system that the user will see. |
| WordWheel | Any searches that are done in Explorer. |
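As an added illustration of the module pattern the table describes (this is not Regscout's own code), the following decodes the Explorer search history behind the WordWheel module into ECS-style records ready for Elasticsearch. It assumes the WordWheelQuery layout (numbered REG_BINARY values holding UTF-16LE strings, plus an MRUListEx value of 4-byte little-endian indexes, most recent first, terminated by 0xFFFFFFFF); the event/registry/user field names follow ECS, while the module and dataset labels and the regscout.mru_rank field are assumptions.

```powershell
# Added example (not Regscout code): decode Explorer's search history (the WordWheel module's
# source) into ECS-style records. Assumed layout: numbered REG_BINARY values holding UTF-16LE
# strings, plus MRUListEx, a REG_BINARY list of 4-byte little-endian indexes, most recent
# first, terminated by 0xFFFFFFFF.
function Get-WordWheelHistory {
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery')

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }

    # Walk MRUListEx to recover the most-recent-first order of the numbered values
    $order = New-Object System.Collections.Generic.List[uint32]
    $mru = $key.GetValue('MRUListEx')
    for ($i = 0; $mru -and ($i + 4) -le $mru.Length; $i += 4) {
        $idx = [BitConverter]::ToUInt32($mru, $i)
        if ($idx -eq 0xFFFFFFFF) { break }
        $order.Add($idx)
    }

    for ($rank = 0; $rank -lt $order.Count; $rank++) {
        $bytes = $key.GetValue([string]$order[$rank])
        if (-not $bytes) { continue }                     # index with no backing value
        # UTF-16LE, NUL terminated: keep only the text before the first NUL
        $text = [Text.Encoding]::Unicode.GetString($bytes).Split([char]0)[0]

        # Dotted keys expand to nested objects when indexed; event/registry/user are ECS fields,
        # the module/dataset names and regscout.mru_rank are assumptions made for this example
        [pscustomobject]@{
            '@timestamp'            = (Get-Date).ToUniversalTime().ToString('o')
            'event.module'          = 'regscout'
            'event.dataset'         = 'regscout.wordwheel'
            'user.name'             = $env:USERNAME
            'registry.path'         = $key.Name
            'registry.value'        = [string]$order[$rank]
            'registry.data.strings' = @($text)
            'regscout.mru_rank'     = $rank                # 0 = most recent search
        }
    }
}

# Newline-delimited JSON, ready for the Elasticsearch _bulk API or a Filebeat input
Get-WordWheelHistory | ForEach-Object { $_ | ConvertTo-Json -Compress }
```

Because the MRU order is recovered rather than the value names being listed alphabetically, the rank field lets a Kibana visualization show which searches were most recent without any further interpretation by the analyst.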