ericzimmerman / registryplugins Goto Github PK

Dear @EricZimmerman:

Could you please enable the "GitHub Discussions" feature? This might be useful both for users and for code contributors.

It's quite easy to do. If you wish to enable the feature, you simply:

• Go to https://github.com/EricZimmerman/RegistryPlugins/settings.
• Scroll down.
• Click the green "Set up discussions" button.
• Scroll down again.
• Click the green "Start discussion" button.

Any thoughts?

Thank you for reading this!

Update https://github.com/EricZimmerman/RegistryPlugins/blob/master/RegistryPlugin.USB/USB.cs
-  Add columns for the values Service and ParentIdPrefix located in key: SYSTEM\<ControlSet>\Enum\USB\<Device ID>\<Serial Number>  
(Not all keys will have ParentIdPrefix, but it is important for cross-referencing information in the HID and SCSI keys)

Create a new plugin for the SYSTEM\<ControlSet>\Enum\SCSI key. This plugin should be nearly identical to the existing USBSTOR plugin (https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.USBSTOR), with a couple of column changes:
- Change "Serial Number" column name to "ParentIdPrefix"
- No "Version" column
Everything else should be in the same places, including Disk Id and timestamps

@hyuunnn would you mind doing the above when you have a chance?

** RECmd version # **
Reporting the version for REcmd and RegistryExplorer is difficult because for the last 12 - 18 months, the version displayed is 2.0.0.0, and there have been several updates in that time frame. Here is the best I can do identifying the version.

Machine A 22.2 - referred to as “earlier version” in the screenshots
RECmd Version: 2.0.0.0 Date Created 2022-10-02
RegistryExplorer Version 2.0.0.0 Date Created 2022-10-02

Machine B 23.1 - referred to as the “latest version” in the screenshots
RECmd Version: 2.0.0.0 Date Created 2023-01-17
RegistryExplorer Version: 2.0.0.0 Date Created 2023-01-17

Describe the bug
This may be an intentional change that the author has made or possibly an inadvertent change in the code. When the SANS FOR500 course VM was in QA review this week, one of the Registry labs was not producing the expected results for the OpenSavePidMRU key values shown in the ComDlg32 OpenSavePidMRU bookmark.

The tests I have run were done on two separate VMs; Machine A has an older version of EZTools. Machine B has the latest version of EZTools. The data used in the lab is the rocba ntuser.dat from a KAPE Triage image. I’ll try to upload that file. The data in both VMs are identical.

The issue is that the new version (Machine B) of RECmd and RE drops some of the data that has historically been in the Absolute Path column. Specifically, the Absolute Path no longer shows the folders and file names, it only shows only the drive letter, colon, and three slashes. In the lab, we are trying to find files that have “My Drive” in the Absolute Path, but on the screenshots, I am using “F:\” has the filter to illustrate the issue. See the screenshots below.

To Reproduce
Steps to reproduce the behavior:

For each version of RE or RECmd do the following:

1. Load a clean ntuser.dat into RE or process with RECmd. Both tools produce the same results
2. The recmd.exe command line used is provided below.
3. in RE, select the Bookmarks tab and select the ComDlg32 OpenSavePidMRU bookmark.
4. Filter the Absolute Path column on “F:\”
5. Review the values in the Absolute Path Column.

Expected behavior
The absolute Path should show the folder and file for each row in the table.

Screenshots

From Registry Explorer - Machine A

From recmd.exe - UserActivity.reb - Machine A

From Registry Explorer - Machine B

From recmd.exe - UserActivity.reb - Machine B

I've replicated this issue across two separate Win10 hosts for both RegistryExplorer and RECmd. Below is an example output.

Win10 Build: 18363

`C:\Users<Username>\Triage\RegistryExplorer>RECmd.exe -f c:\Users<Username>\NTUSER.DAT --sa "userassist"
RECmd version 1.5.2.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces (and all RegEx) with double quotes

Command line: -f c:\Users<Username>\NTUSER.DAT --sa userassist

Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.7-ZipHistory.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.Adobe.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.AppCompatCache.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.AppCompatFlags.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.Ares.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.BamDam.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.BluetoothServicesBthPort.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.CIDSizeMRU.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.DHCPNetworkHint.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.FileExts.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.FirstFolder.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.JumplistData.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.KnownNetworks.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.LastVisitedMRU.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.LastVisitedPidlMRU.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.MountedDevices.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.OfficeMRU.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.OpenSaveMRU.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.OpenSavePidlMRU.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.RecentApps.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.RecentDocs.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.RunMRU.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.SAM.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.Services.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.SyscacheObjectTable.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.Taskband.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.TaskFlowShellActivities.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.TerminalServerClient.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.TimeZoneInformation.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.TrustedDocuments.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.TypedURLs.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.UserAssist.dll
Error loading plugin: C:\Users<Username>\Triage\RegistryExplorer\Plugins\RegistryPlugin.WordWheelQuery.dll

Processing hive 'c:\Users<Username>\NTUSER.DAT'
'c:\Users<Username>\NTUSER.DAT' is in use. Rerouting...

Two transaction logs found. Determining primary log...
Primary log: c:\Users<Username>\ntuser.dat.LOG2, secondary log: c:\Users<Username>\ntuser.dat.LOG1
Replaying log file: c:\Users<Username>\ntuser.dat.LOG2
Replaying log file: c:\Users<Username>\ntuser.dat.LOG1
At least one transaction log was applied. Sequence numbers have been updated to 0x1AFEA. New Checksum: 0x1DE42454
Found 1 search hit in 'c:\Users<Username>\NTUSER.DAT'
Key: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'`

I think ControlSet* looks better than ControlSet 0~5.
Before
RegistryPlugin.TimeZoneInformation
RegistryPlugin.DHCPNetworkHint
RegistryPlugin.AppCompatCache
RegistryPlugin.Services

After
RegistryPlugin.USBSTOR

The inclusion of the DiskID for USBSTOR devices would be appreciated.

ValuesOut.cs - Line 36