Hey, I really like the project and am currently learning more about all the great features. I stumbled across the target-reg tool and was wondering if there is currently a way to query a specific registry key across multiple NTUSER.DAT files, like when analyzing a filesystem with multiple users.
Replies: 1 comment 1 reply
All user hives (NTUSER.DAT files) are available under HKEY_USERS\<SID> with the SID of the respective user. Similarly, the UsrClass.dat is available under HKEY_USERS\<SID>_Classes.

```
$ target-reg -q /path/to/target -k HKEY_USERS
<Target /path/to/target>
+ 'HKEY_USERS' (None)
  + '.DEFAULT' (2024-03-28 13:55:37.485464+00:00)
  + 'S-1-5-19' (2024-01-29 06:50:40.914640+00:00)
  + 'S-1-5-20' (2024-01-29 06:50:40.633469+00:00)
  + 'S-1-5-21-4210114722-3688140339-889193070-1000' (2024-03-14 05:29:11.140444+00:00)
  + 'S-1-5-21-4210114722-3688140339-889193070-1000_Classes' (2024-04-10 10:55:49.952747+00:00)
```

However, you can also transparently iterate all user registry keys by simply querying HKEY_CURRENT_USER or HKCU! Since the registry abstraction of Dissect supports registry layering, you'll be able to see all the different registry values at once:

```
$ target-reg -q /path/to/target -k HKCU\\Environment
<Target /path/to/target>
+ 'Environment' (2022-05-07 08:01:11.351875+00:00)
  - 'Path' '%USERPROFILE%\\AppData\\Local\\Microsoft\\WindowsApps;'
  - 'TEMP' '%USERPROFILE%\\AppData\\Local\\Temp'
  - 'TMP' '%USERPROFILE%\\AppData\\Local\\Temp'
+ 'Environment' (2024-01-29 06:50:40.914640+00:00)
  - 'Path' '%USERPROFILE%\\AppData\\Local\\Microsoft\\WindowsApps;'
  - 'TEMP' '%USERPROFILE%\\AppData\\Local\\Temp'
  - 'TMP' '%USERPROFILE%\\AppData\\Local\\Temp'
+ 'Environment' (2024-01-29 06:50:40.617773+00:00)
  - 'Path' '%USERPROFILE%\\AppData\\Local\\Microsoft\\WindowsApps;'
  - 'TEMP' '%USERPROFILE%\\AppData\\Local\\Temp'
  - 'TMP' '%USERPROFILE%\\AppData\\Local\\Temp'
+ 'Environment' (2024-02-01 00:08:31.556858+00:00)
  - 'Path' '%USERPROFILE%\\AppData\\Local\\Microsoft\\WindowsApps;'
  - 'TEMP' '%USERPROFILE%\\AppData\\Local\\Temp'
  - 'TMP' '%USERPROFILE%\\AppData\\Local\\Temp'
```

Linking it back to a specific user is a little trickier from target-reg, but it is supported if you use the Python API:

```
$ target-shell -q /path/to/target -p
Python 3.12.1 (main, Dec 18 2023, 00:00:00) [GCC 13.2.1 20231205 (Red Hat 13.2.1-6)]
Type 'copyright', 'credits' or 'license' for more information
IPython 8.21.0 -- An enhanced Interactive Python. Type '?' for help.
Loaded targets in 'targets' variable. First target is in 't'.

In [1]: t.registry.get_user_details(list(t.registry.keys("HKCU\\Environment"))[1])
Out[1]: UserDetails(user=<windows/user hostname='DESKTOP-5LORH42' domain=None sid='S-1-5-19' name='LocalService' home='%systemroot%\\ServiceProfiles\\LocalService'>, home_path=TargetPath('C:/Windows/ServiceProfiles/LocalService'))
```

Let me know if you have any other questions!
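The answer above shows the two building blocks (layered `t.registry.keys("HKCU\\...")` plus `get_user_details()`) interactively. The script below, an added example that is not part of the Dissect project or of this thread, turns them into a reusable triage helper: it collects one key from every user hive, attributes each copy to a SID and account name, and reports values that are not identical across users (a per-user `Path` that diverges from the rest is the kind of thing worth looking at first). It assumes the `dissect.target` API as generally documented: `Target.open()`, `target.registry.keys()` yielding key objects with a `.ts` timestamp and a `.values()` list of objects carrying `.name` and `.value`, and `get_user_details()` returning an object whose `.user` has `.sid` and `.name`. The built-in sample target, the account name `alice` and the extra `Path` entry are constructed for the offline run and are not data from the thread.

```python
"""Collect one registry key from every user hive on a Dissect target and attribute
each copy to its owner. Added example; not code from the dissect project."""
import sys
from collections import defaultdict
from dataclasses import dataclass, field
from types import SimpleNamespace as NS


@dataclass
class UserKeyHit:
    """One layered copy of the requested key, as seen in a specific user's hive."""
    sid: str
    username: str
    timestamp: str               # key last-write time, stringified for display
    values: dict = field(default_factory=dict)  # value name -> value data


def collect_user_key(target, key_path):
    """Return a UserKeyHit for every hive that contains key_path.

    Assumed API (dissect.target): registry.keys() yields one key per layered hive,
    registry.get_user_details(key) maps it back to the hive owner (may be None
    for keys that do not live in a user hive).
    """
    hits = []
    for key in target.registry.keys(key_path):
        details = target.registry.get_user_details(key)
        user = getattr(details, "user", None)
        hits.append(UserKeyHit(
            sid=getattr(user, "sid", None) or "<unknown>",
            username=getattr(user, "name", None) or "<unknown>",
            timestamp=str(key.ts),
            values={v.name: v.value for v in key.values()},
        ))
    return hits


def values_differing_across_users(hits):
    """Map value name -> {sid: data} for values that are missing in some hive or
    hold different data in different hives; identical-everywhere values are dropped."""
    by_name = defaultdict(dict)
    for hit in hits:
        for name, data in hit.values.items():
            by_name[name][hit.sid] = data
    return {
        name: per_user for name, per_user in by_name.items()
        if len(per_user) != len(hits) or len({str(d) for d in per_user.values()}) > 1
    }


def build_sample_target():
    """Constructed stand-in for a Dissect target exposing only the slice of the
    registry API used above. Values are modelled on the thread's output; the
    account 'alice' and the extra Path entry are invented for the demo."""
    base = {
        "Path": r"%USERPROFILE%\AppData\Local\Microsoft\WindowsApps;",
        "TEMP": r"%USERPROFILE%\AppData\Local\Temp",
        "TMP": r"%USERPROFILE%\AppData\Local\Temp",
    }
    hives = [  # (sid, account name, key timestamp, values)
        ("S-1-5-19", "LocalService", "2024-01-29 06:50:40+00:00", base),
        ("S-1-5-20", "NetworkService", "2024-01-29 06:50:40+00:00", base),
        ("S-1-5-21-4210114722-3688140339-889193070-1000", "alice",
         "2024-02-01 00:08:31+00:00",
         dict(base, Path=r"C:\Users\Public\bin;" + base["Path"])),
    ]
    keys = [NS(sid=s, ts=t, values=(lambda v=v: [NS(name=n, value=d) for n, d in v.items()]))
            for s, _, t, v in hives]
    names = {s: n for s, n, _, _ in hives}
    registry = NS(
        keys=lambda path: list(keys),
        get_user_details=lambda key: NS(user=NS(sid=key.sid, name=names[key.sid])),
    )
    return NS(registry=registry)


def main(argv):
    """With a target path on the command line, open the real image; otherwise run
    against the constructed sample so the script works offline."""
    if len(argv) > 1:
        from dissect.target import Target   # imported here so the helpers stay testable without dissect
        target = Target.open(argv[1])
    else:
        target = build_sample_target()
    hits = collect_user_key(target, "HKCU\\Environment")
    for hit in hits:
        print(f"{hit.sid} ({hit.username}) last written {hit.timestamp}: {len(hit.values)} values")
    for name, per_user in values_differing_across_users(hits).items():
        print(f"  {name!r} differs across users:")
        for sid, data in per_user.items():
            print(f"    {sid}: {data}")
    return hits


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python collect_user_key.py /path/to/target` to walk a real image, or with no argument to see the diff logic on the sample; the same approach works for any other per-user key by changing the `HKCU\\...` path passed to `collect_user_key`.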