
reglookup

RegLookup is a system for direct analysis of Windows NT-based registry files, providing command line tools, a C API, and a Python module for accessing registry data structures, with a focus on digital forensics investigations. It includes algorithms for retrieving deleted data structures from registry hives and supports filtering results by path and data type.

Description

RegLookup enables direct analysis of Windows NT-based registry files, offering command line utilities like reglookup, reglookup-recover, and reglookup-timeline for reading, recovering deleted data, and generating timelines. Designed primarily for digital forensics, it outputs registry data in a standardized CSV-like format with quoted special characters, facilitating parsing by other tools. Users can filter output by registry path prefixes and data types such as SZ, BINARY, DWORD, and others.

The toolset supports reading Windows registry hives from mounted disk images and extracting keys, values, timestamps, and security descriptors. It handles deleted structures through recovery algorithms and provides verbose options for detailed output, including ACLs and rarely used fields. Related packages include development libraries (libregfi-dev), runtime libraries (libregfi1t64), and Python bindings (python3-pyregfi) for programmatic access.

Common use cases involve investigating mounted Windows images for evidence in system hives like SYSTEM, SOFTWARE, or NTUSER.DAT, reconstructing timelines of key modifications, and recovering artifacts from unallocated space.

How It Works

RegLookup reads Windows NT+ registry hive files (e.g., from %SystemRoot%/system32/config/), parsing internal data structures including keys, values, MTIMEs (modification timestamps stored on keys), and security descriptors. It decodes registry data types (NONE, SZ, EXPAND_SZ, BINARY, DWORD, etc.) and outputs them in CSV format, encoding special characters as %XX hex so that a field never contains a raw delimiter. Deleted data recovery scans slack space and unallocated cells using algorithms based on the registry format specifications. Security descriptor parsing breaks ACLs down into SIDs, ACE types (ALLOW/DENY), access rights (e.g., KEY_QUERY_VALUE), and flags (OI, CI), with unrecognized bits shown as hex. Timestamps are converted to UTC; with -i, printed values inherit the MTIME of their parent key, since values carry no timestamp of their own.
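As an added illustration of the output format described above (this is not code from the RegLookup project), the following Python parses constructed reglookup-style CSV output, undoes the %XX escaping, applies the same prefix/type selection that the -p and -t flags perform, and orders KEY rows into the MTIME,FILE,PATH shape that reglookup-timeline prints. The column layout PATH,NAME,VALUE,TYPE,MTIME and the sample rows are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the CSV-like layout described above (column order is an
# assumption). Special characters are %XX-escaped, so '%' itself arrives as %25
# and a comma inside a value as %2C; value rows carry no MTIME of their own.
SAMPLE = """PATH,NAME,VALUE,TYPE,MTIME
/,,,KEY,2024-01-10 08:00:00
/ControlSet001/Services,,,KEY,2024-01-12 09:30:00
/ControlSet001/Services/svcx,,,KEY,2024-03-01 02:15:07
/ControlSet001/Services/svcx,ImagePath,%25SystemRoot%25\\system32\\drivers\\ex.sys,EXPAND_SZ,
/ControlSet001/Services/svcx,DisplayName,Example%2C Inc. Service,SZ,
/ControlSet001/Services/svcx,Start,0x00000002,DWORD,
/Software/Run,,,KEY,2024-02-20 18:45:00
"""

_ESC = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_field(field):
    """Undo the %XX escaping of one CSV field."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), field)

def parse_reglookup(text):
    """Parse header + rows into dicts; MTIME becomes a UTC datetime or None."""
    lines = [ln for ln in text.splitlines() if ln]
    header = lines[0].split(",")          # safe: delimiters inside fields are escaped
    rows = []
    for ln in lines[1:]:
        rec = dict(zip(header, (decode_field(f) for f in ln.split(","))))
        rec["MTIME"] = (datetime.strptime(rec["MTIME"], "%Y-%m-%d %H:%M:%S")
                        .replace(tzinfo=timezone.utc) if rec["MTIME"] else None)
        rows.append(rec)
    return rows

def select(rows, prefix=None, rtype=None):
    """Mirror -p / -t: keep rows at or under a path prefix and/or of one data type."""
    base = prefix.rstrip("/") + "/" if prefix else None
    return [r for r in rows
            if (prefix is None or r["PATH"] == prefix or r["PATH"].startswith(base))
            and (rtype is None or r["TYPE"] == rtype)]

def key_timeline(rows, hive):
    """Order KEY rows by MTIME as (MTIME, FILE, PATH) tuples, oldest first."""
    keys = [r for r in rows if r["TYPE"] == "KEY" and r["MTIME"]]
    return [(r["MTIME"], hive, r["PATH"]) for r in sorted(keys, key=lambda r: r["MTIME"])]
```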

Installation

sudo apt install reglookup

Flags

-p prefix-filter   Specify a path prefix filter. Only keys/values under this registry path will be output.
-t type-filter     Specify a type filter. Only elements which match this registry data type will be printed. Acceptable values are: NONE, SZ, EXPAND_SZ, BINARY, DWORD, DWORD_BE, LINK, MULTI_SZ, RSRC_LIST, RSRC_DESC, RSRC_REQ_LIST, QWORD, KEY.
-h                 Enables the printing of a column header row. (default)
-i                 Printed values inherit the timestamp of their parent key, which is printed along with them.
-H                 Disables the printing of a column header row.
-s                 Adds five additional columns to output containing information from key security descriptors and rarely used fields. The columns are: owner, group, sacl, dacl, class.
-S                 Disables the printing of security descriptor information. (default)
-v                 Verbose output.
-l                 Display cells which could not be interpreted as valid registry structures at the end of the output. (reglookup-recover)
-L                 Do not display cells which could not be interpreted as valid registry structures. This is the default behavior. (reglookup-recover)
-r                 Display raw cell contents for cells which were interpreted as intact data structures. (reglookup-recover)
-R                 Do not display raw cell contents for cells which were interpreted as intact data structures. This is the default behavior. (reglookup-recover)

Examples

Read and print the contents of an entire system registry file.
    reglookup /mnt/win/c/WINNT/system32/config/system

Limit the output to just those entries under the Services key.
    reglookup -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system

Limit the output to all registry values of type BINARY.
    reglookup -t BINARY /mnt/win/c/WINNT/system32/config/system

Limit the output to BINARY values under the Services key.
    reglookup -t BINARY -p /ControlSet002/Services /mnt/win/c/WINNT/system32/config/system

Dump the recoverable contents of a system registry hive.
    reglookup-recover /mnt/win/c/WINDOWS/system32/config/system

Extract all available unallocated data, including unparsable unallocated space and the raw data associated with parsed cells, from a user-specific registry hive.
    reglookup-recover -r -l '/mnt/win/c/Documents and Settings/user/NTUSER.DAT'

Display help for the reglookup-timeline MTIME timeline generator, whose output format is MTIME,FILE,PATH.
    reglookup-timeline -h
Updated 2026-04-16, kali.org