RegistryHives
Compoundv1.2
Author: Eric Zimmerman
description
System and user related Registry hives
includes (3)
paths
56 pathsfrom 3 targets
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: RegistryHives
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }
function Collect-Artifact {
param(
[Parameter(Mandatory)][string]$SourceDir,
[Parameter(Mandatory)][string]$FolderName,
[string]$FileMask = "*"
)
# Expand wildcards in any path segment (e.g. 'Program Files*',
# 'ScreenConnect Client*'). robocopy itself does not glob the source.
$sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
Where-Object { $_.PSIsContainer })
if ($sources.Count -eq 0) {
$Summary.Missed++
return
}
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
$null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
foreach ($src in $sources) {
robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
}
}
# 1. SAM registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SAM.LOG*" -FolderName "SAM_registry_transaction_files"
# 2. SAM registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SAM.LOG*" -FolderName "SAM_registry_transaction_files"
# 3. SECURITY registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SECURITY.LOG*" -FolderName "SECURITY_registry_transaction_files"
# 4. SECURITY registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SECURITY.LOG*" -FolderName "SECURITY_registry_transaction_files"
# 5. SOFTWARE registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SOFTWARE.LOG*" -FolderName "SOFTWARE_registry_transaction_files"
# 6. SOFTWARE registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SOFTWARE.LOG*" -FolderName "SOFTWARE_registry_transaction_files"
# 7. SYSTEM registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SYSTEM.LOG*" -FolderName "SYSTEM_registry_transaction_files"
# 8. SYSTEM registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SYSTEM.LOG*" -FolderName "SYSTEM_registry_transaction_files"
# 9. SAM registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SAM" -FolderName "SAM_registry_hive"
# 10. SAM registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SAM" -FolderName "SAM_registry_hive"
# 11. SECURITY registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive"
# 12. SECURITY registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive"
# 13. SOFTWARE registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive"
# 14. SOFTWARE registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive"
# 15. SYSTEM registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive"
# 16. SYSTEM registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive"
# 17. RegBack registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "*.LOG*" -FolderName "RegBack_registry_transaction_files"
# 18. RegBack registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "*.LOG*" -FolderName "RegBack_registry_transaction_files"
# 19. SAM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SAM" -FolderName "SAM_registry_hive_RegBack"
# 20. SAM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SAM" -FolderName "SAM_registry_hive_RegBack"
# 21. SECURITY registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive_RegBack"
# 22. SECURITY registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SECURITY" -FolderName "SECURITY_registry_hive_RegBack"
# 23. SOFTWARE registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive_RegBack"
# 24. SOFTWARE registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SOFTWARE" -FolderName "SOFTWARE_registry_hive_RegBack"
# 25. SYSTEM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive_RegBack"
# 26. SYSTEM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SYSTEM" -FolderName "SYSTEM_registry_hive_RegBack"
# 27. SYSTEM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows\System32\config\RegBack" -FileMask "SYSTEM1" -FolderName "SYSTEM_registry_hive_RegBack"
# 28. SYSTEM registry hive (RegBack)
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\RegBack" -FileMask "SYSTEM1" -FolderName "SYSTEM_registry_hive_RegBack"
# 29. System Profile registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT" -FolderName "System_Profile_registry_hive"
# 30. System Profile registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT" -FolderName "System_Profile_registry_hive"
# 31. System Profile registry transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT.LOG*" -FolderName "System_Profile_registry_transaction_files"
# 32. System Profile registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config\systemprofile" -FileMask "NTUSER.DAT.LOG*" -FolderName "System_Profile_registry_transaction_files"
# 33. Local Service registry hive
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT" -FolderName "Local_Service_registry_hive"
# 34. Local Service registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT" -FolderName "Local_Service_registry_hive"
# 35. Local Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Local_Service_registry_transaction_files"
# 36. Local Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\LocalService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Local_Service_registry_transaction_files"
# 37. Network Service registry hive
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT" -FolderName "Network_Service_registry_hive"
# 38. Network Service registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT" -FolderName "Network_Service_registry_hive"
# 39. Network Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Network_Service_registry_transaction_files"
# 40. Network Service registry transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\ServiceProfiles\NetworkService" -FileMask "NTUSER.DAT.LOG*" -FolderName "Network_Service_registry_transaction_files"
# 41. System Restore Points Registry Hives (XP)
Collect-Artifact -SourceDir "C:\System Volume Information\_restore*\RP*\snapshot" -FileMask "_REGISTRY_*" -FolderName "System_Restore_Points_Registry_Hives_XP"
# 42. NTUSER.DAT DEFAULT registry hive
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "DEFAULT" -FolderName "NTUSER_DAT_DEFAULT_registry_hive"
# 43. NTUSER.DAT DEFAULT registry hive
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "DEFAULT" -FolderName "NTUSER_DAT_DEFAULT_registry_hive"
# 44. NTUSER.DAT DEFAULT transaction files
Collect-Artifact -SourceDir "C:\Windows\System32\config" -FileMask "DEFAULT.LOG*" -FolderName "NTUSER_DAT_DEFAULT_transaction_files"
# 45. NTUSER.DAT DEFAULT transaction files
Collect-Artifact -SourceDir "C:\Windows.old\Windows\System32\config" -FileMask "DEFAULT.LOG*" -FolderName "NTUSER_DAT_DEFAULT_transaction_files"
# 46. Registry.dat MSIX Hive
Collect-Artifact -SourceDir "C:\Program Files\WindowsApps\*" -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive"
# 47. Registry.dat MSIX Hive
Collect-Artifact -SourceDir "C:\Windows\SystemApps\*" -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive"
# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
ForEach-Object {
$UserName = $_.Name
# NTUSER.DAT registry hive XP
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT*" -FolderName "NTUSER_DAT_registry_hive_XP_$UserName"
# NTUSER.DAT registry hive
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT*" -FolderName "NTUSER_DAT_registry_hive_$UserName"
# NTUSER.DAT registry transaction files
$UserPath = $_.FullName
Collect-Artifact -SourceDir $UserPath -FileMask "NTUSER.DAT.LOG*" -FolderName "NTUSER_DAT_registry_transaction_files_$UserName"
# UsrClass.dat registry hive
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows"
Collect-Artifact -SourceDir $UserPath -FileMask "UsrClass.dat*" -FolderName "UsrClass_dat_registry_hive_$UserName"
# UsrClass.dat registry transaction files
$UserPath = "$($_.FullName)\AppData\Local\Microsoft\Windows"
Collect-Artifact -SourceDir $UserPath -FileMask "UsrClass.dat.LOG*" -FolderName "UsrClass_dat_registry_transaction_files_$UserName"
# Registry.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
Collect-Artifact -SourceDir $UserPath -FileMask "Registry.dat*" -FolderName "Registry_dat_MSIX_Hive_$UserName"
# settings.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\Settings"
Collect-Artifact -SourceDir $UserPath -FileMask "settings.dat*" -FolderName "settings_dat_MSIX_Hive_$UserName"
# User.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
Collect-Artifact -SourceDir $UserPath -FileMask "User.dat*" -FolderName "User_dat_MSIX_Hive_$UserName"
# UserClasses.dat MSIX Hive
$UserPath = "$($_.FullName)\AppData\Local\Packages\*\SystemAppData\Helium"
Collect-Artifact -SourceDir $UserPath -FileMask "UserClasses.dat*" -FolderName "UserClasses_dat_MSIX_Hive_$UserName"
}
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
Note: This is a compound target that references 3 other targets. The KAPE command resolves them natively; the PowerShell/Batch/WSL scripts flatten every referenced path into explicit copy commands.
› cyberchef recipes
Open in CyberChef to decode values extracted from this artifact.
notes
Please note, this Compound Target does NOT include the RegistryHivesOther Target on purpose. While they are technically Registry hives, they are not currently identified as being forensically significant.
However, for the purpose of KapeResearch_Registry Modules that will dump hives from the ROOT key to JSON for the purpose of (hopefully) finding forensically relevant data in one of these Registry hives, RegistryHivesOther exists for that very reason.
If you want to pull every single Registry hive possible, combine this Compound Target along with the RegistryHivesOther Target.