Difference between revisions of "RegXML"

(Add link to RegXML software from Nelson)
(Sample XML: Update with sample from realistic data set)
Line 4: Line 4:
  
 
==Sample XML==
 
==Sample XML==
 +
 +
This RegXML is a sample of the System hive from the [http://digitalcorpora.org/corpora/scenarios/m57-patents-scenario M57-Patents scenario], image Charlie 2009-11-16.
 +
 
<pre>
 
<pre>
<?xml version="1.0"?>
+
<?xml version="1.0" encoding="UTF-8"?>
<Registry>
+
<hive>
<Key Name="HKEY_CURRENT_USER">
+
  <mtime>2009-11-17T00:33:57Z</mtime>
<Key Class="" Name="Console">
+
  <node name="$$$PROTO.HIV" root="1">
<Value Name="ColorTable00" Type="REG_DWORD" Value="0" />
+
    <mtime>2009-11-13T04:47:33Z</mtime>
<Value Name="ColorTable01" Type="REG_DWORD" Value="8388608" />
+
    <byte_runs>
<Value Name="ColorTable02" Type="REG_DWORD" Value="32768" />
+
      <byte_run file_offset="4128" len="92"/>
<Value Name="ColorTable03" Type="REG_DWORD" Value="8421376" />
+
    </byte_runs>
<Value Name="ColorTable04" Type="REG_DWORD" Value="128" />
+
    <node name="ControlSet002">
<Value Name="ColorTable05" Type="REG_DWORD" Value="8388736" />
+
      <mtime>2009-11-09T01:26:39Z</mtime>
<Value Name="ColorTable06" Type="REG_DWORD" Value="32896" />
+
      <byte_runs>
<Value Name="ColorTable07" Type="REG_DWORD" Value="12632256" />
+
        <byte_run file_offset="1480856" len="93"/>
<Value Name="ColorTable08" Type="REG_DWORD" Value="8421504" />
+
      </byte_runs>
<Value Name="ColorTable09" Type="REG_DWORD" Value="16711680" />
+
      <node name="Control">
<Value Name="ColorTable10" Type="REG_DWORD" Value="65280" />
+
        <mtime>2009-11-13T04:48:01Z</mtime>
<Value Name="ColorTable11" Type="REG_DWORD" Value="16776960" />
+
        <byte_runs>
<Value Name="ColorTable12" Type="REG_DWORD" Value="255" />
+
          <byte_run file_offset="1481240" len="87"/>
<Value Name="ColorTable13" Type="REG_DWORD" Value="16711935" />
+
        </byte_runs>
<Value Name="ColorTable14" Type="REG_DWORD" Value="65535" />
+
        <value type="string" key="WaitToKillServiceTimeout" value="20000">
<Value Name="ColorTable15" Type="REG_DWORD" Value="16777215" />
+
          <byte_runs>
<Value Name="CursorSize" Type="REG_DWORD" Value="25" />
+
            <byte_run file_offset="1481328" len="48"/>
<Value Name="EnableColorSelection" Type="REG_DWORD" Value="0" />
+
            <byte_run file_offset="13448" len="16"/>
<Value Name="ExtendedEditKey" Type="REG_DWORD" Value="0" />
+
          </byte_runs>
<Value Name="ExtendedEditKeyCustom" Type="REG_DWORD" Value="0" />
+
        </value>
<Value Name="FontFamily" Type="REG_DWORD" Value="0" />
+
        <value type="string" key="SystemStartOptions" value="NOEXECUTE=OPTIN  FASTDETECT">
<Value Name="FontSize" Type="REG_DWORD" Value="0" />
+
          <byte_runs>
<Value Name="FontWeight" Type="REG_DWORD" Value="0" />
+
            <byte_run file_offset="1481464" len="42"/>
<Value Name="FullScreen" Type="REG_DWORD" Value="0" />
+
            <byte_run file_offset="3006752" len="60"/>
<Value Name="HistoryBufferSize" Type="REG_DWORD" Value="50" />
+
          </byte_runs>
<Value Name="HistoryNoDup" Type="REG_DWORD" Value="0" />
+
        </value>
<Value Name="InsertMode" Type="REG_DWORD" Value="1" />
+
        <value type="string" key="SystemBootDevice" value="multi(0)disk(0)rdisk(0)partition(1)">
<Value Name="LoadConIme" Type="REG_DWORD" Value="1" />
+
          <byte_runs>
<Value Name="NumberOfHistoryBuffers" Type="REG_DWORD" Value="4" />
+
            <byte_run file_offset="3006856" len="40"/>
<Value Name="PopupColors" Type="REG_DWORD" Value="245" />
+
            <byte_run file_offset="3206056" len="76"/>
<Value Name="QuickEdit" Type="REG_DWORD" Value="0" />
+
          </byte_runs>
<Value Name="ScreenBufferSize" Type="REG_DWORD" Value="19660880" />
+
        </value>
<Value Name="ScreenColors" Type="REG_DWORD" Value="7" />
+
        <node name="Windows">
<Value Name="TrimLeadingZeros" Type="REG_DWORD" Value="0" />
+
          <mtime>2009-11-13T03:08:00Z</mtime>
<Value Name="WindowSize" Type="REG_DWORD" Value="1638480" />
+
          <byte_runs>
<Value Name="WordDelimiters" Type="REG_DWORD" Value="0" />
+
            <byte_run file_offset="2355232" len="87"/>
</Key>
+
          </byte_runs>
</Key>
+
          <value type="expand" key="SystemDirectory" value="%SystemRoot%\system32">
</Registry>
+
            <byte_runs>
 +
              <byte_run file_offset="2355368" len="39"/>
 +
              <byte_run file_offset="3111128" len="48"/>
 +
            </byte_runs>
 +
          </value>
 +
          <value type="binary" encoding="base64" key="ShutdownTime" value="RDGhgQ5kygE=">
 +
            <byte_runs>
 +
              <byte_run file_offset="3203784" len="36"/>
 +
              <byte_run file_offset="1481592" len="12"/>
 +
            </byte_runs>
 +
          </value>
 +
        </node>
 +
        <node name="WOW">
 +
          <mtime>2009-11-09T01:22:59Z</mtime>
 +
          <byte_runs>
 +
            <byte_run file_offset="2359096" len="83"/>
 +
          </byte_runs>
 +
          <value type="expand" key="cmdline" value="%SystemRoot%\system32\ntvdm.exe">
 +
            <byte_runs>
 +
              <byte_run file_offset="2358720" len="31"/>
 +
              <byte_run file_offset="2359184" len="68"/>
 +
            </byte_runs>
 +
          </value>
 +
          <value type="string" key="KnownDLLs" value="comm.drv commdlg.dll ctl3dv2.dll ddeml.dll
 +
keyboard.drv lanman.drv mmsystem.dll mouse.drv netapi.dll olecli.dll olesvr.dll pmspl.dll shell.dll
 +
sound.drv system.drv toolhelp.dll vga.drv wfwnet.drv win87em.dll winoldap.mod winsock.dll
 +
winspool.exe wowdeb.exe timer.drv rasapi16.dll compobj.dll storage.dll ole2.dll ole2disp.dll
 +
ole2nls.dll typelib.dll msvideo.dll avifile.dll msacm.dll mciavi.drv mciseq.drv mciwave.drv
 +
progman.exe avicap.dll mapi.dll">
 +
            <byte_runs>
 +
              <byte_run file_offset="2359256" len="33"/>
 +
              <byte_run file_offset="2361648" len="904"/>
 +
            </byte_runs>
 +
          </value>
 +
        </node>
 +
      </node>
 +
    </node>
 +
  </node>
 +
</hive>
 
</pre>
 
</pre>
 
  
 
==See Also==
 
==See Also==
 
* [http://www.softpedia.com/get/Tweak/Registry-Tweak/RegXML.shtml Download from Softpedia]
 
* [http://www.softpedia.com/get/Tweak/Registry-Tweak/RegXML.shtml Download from Softpedia]

Revision as of 19:47, 12 March 2012

RegXML is an XML representation of Windows Registry data. The name is used both for the `<hive>`/`<node>`/`<value>` format shown in the sample below, which is generated from a registry hive file carved from a disk image, and for a Windows command-line utility that exports sections of the live Windows Registry as XML-formatted files (the Softpedia link under See Also). The utility's `<Registry>`/`<Key>`/`<Value>` output, shown in the previous revision of this page, is a different schema; the two are not interchangeable, so check which one a parser expects.

Software to produce and analyze RegXML is available here. When writing a consumer, treat a RegXML file as untrusted input: the key names and value data it carries come straight from the examined system, so parse it with DTD processing and external-entity resolution disabled, and confirm that the producer escapes `<` and `&` in names and value data rather than assuming the document is well-formed. Verify any downloaded tool against a checksum or signature published by its author before running it on evidence.

Sample XML

This RegXML is a sample of the System hive from the M57-Patents scenario, image Charlie 2009-11-16; only a handful of keys under ControlSet002\Control are shown. Each key (`<node>`) carries its last-write time as an ISO 8601 UTC `<mtime>`, and each key and value carries `<byte_run>` elements giving the `file_offset` and `len` of its backing data in the hive file, which lets an analyst locate and verify an extracted value against the raw hive. Binary data such as `ShutdownTime` is emitted base64-encoded and is not decoded by the tool; the consumer has to interpret it (here, an 8-byte Windows FILETIME) itself.

<?xml version="1.0" encoding="UTF-8"?>
<hive>
  <!-- One <hive> per registry hive file. A hive-level <mtime> is followed by nested <node>
       elements, one per registry key, starting at the root key (root="1"). Timestamps are
       ISO 8601 in UTC. Only <node> elements carry an <mtime>; <value> elements do not. -->
  <mtime>2009-11-17T00:33:57Z</mtime>
  <node name="$$$PROTO.HIV" root="1">
    <mtime>2009-11-13T04:47:33Z</mtime>
    <!-- <byte_runs>: file_offset and len (in bytes) of the data backing this element within the
         hive file, so an extracted key or value can be checked against the raw hive image. -->
    <byte_runs>
      <byte_run file_offset="4128" len="92"/>
    </byte_runs>
    <node name="ControlSet002">
      <mtime>2009-11-09T01:26:39Z</mtime>
      <byte_runs>
        <byte_run file_offset="1480856" len="93"/>
      </byte_runs>
      <node name="Control">
        <mtime>2009-11-13T04:48:01Z</mtime>
        <byte_runs>
          <byte_run file_offset="1481240" len="87"/>
        </byte_runs>
        <!-- <value>: type is the registry data type (string, expand, binary in this sample), key
             is the value name and value is the data. Values list two byte runs, presumably the
             value record and its data. NOTE(review): key and value attributes are copied from the
             examined system and are untrusted; a consumer must parse with DTD and external-entity
             handling disabled and must not assume the producer escaped every < and &. -->
        <value type="string" key="WaitToKillServiceTimeout" value="20000">
          <byte_runs>
            <byte_run file_offset="1481328" len="48"/>
            <byte_run file_offset="13448" len="16"/>
          </byte_runs>
        </value>
        <value type="string" key="SystemStartOptions" value="NOEXECUTE=OPTIN  FASTDETECT">
          <byte_runs>
            <byte_run file_offset="1481464" len="42"/>
            <byte_run file_offset="3006752" len="60"/>
          </byte_runs>
        </value>
        <value type="string" key="SystemBootDevice" value="multi(0)disk(0)rdisk(0)partition(1)">
          <byte_runs>
            <byte_run file_offset="3006856" len="40"/>
            <byte_run file_offset="3206056" len="76"/>
          </byte_runs>
        </value>
        <node name="Windows">
          <mtime>2009-11-13T03:08:00Z</mtime>
          <byte_runs>
            <byte_run file_offset="2355232" len="87"/>
          </byte_runs>
          <!-- type="expand": the %SystemRoot% variable is emitted as stored, not expanded. -->
          <value type="expand" key="SystemDirectory" value="%SystemRoot%\system32">
            <byte_runs>
              <byte_run file_offset="2355368" len="39"/>
              <byte_run file_offset="3111128" len="48"/>
            </byte_runs>
          </value>
          <!-- type="binary": raw bytes are base64-encoded (encoding="base64") and not decoded.
               NOTE(review): on Windows this value is a raw 8-byte FILETIME; decode it separately. -->
          <value type="binary" encoding="base64" key="ShutdownTime" value="RDGhgQ5kygE=">
            <byte_runs>
              <byte_run file_offset="3203784" len="36"/>
              <byte_run file_offset="1481592" len="12"/>
            </byte_runs>
          </value>
        </node>
        <node name="WOW">
          <mtime>2009-11-09T01:22:59Z</mtime>
          <byte_runs>
            <byte_run file_offset="2359096" len="83"/>
          </byte_runs>
          <value type="expand" key="cmdline" value="%SystemRoot%\system32\ntvdm.exe">
            <byte_runs>
              <byte_run file_offset="2358720" len="31"/>
              <byte_run file_offset="2359184" len="68"/>
            </byte_runs>
          </value>
          <!-- NOTE(review): this value attribute spans several lines. An XML parser replaces each
               line break in an attribute value with a space, so if the breaks are in the emitted
               file (rather than wrapping added for display) the original whitespace of the
               registry string is not preserved; use the byte_run offsets to recover it verbatim. -->
          <value type="string" key="KnownDLLs" value="comm.drv commdlg.dll ctl3dv2.dll ddeml.dll
 keyboard.drv lanman.drv mmsystem.dll mouse.drv netapi.dll olecli.dll olesvr.dll pmspl.dll shell.dll
 sound.drv system.drv toolhelp.dll vga.drv wfwnet.drv win87em.dll winoldap.mod winsock.dll
 winspool.exe wowdeb.exe timer.drv rasapi16.dll compobj.dll storage.dll ole2.dll ole2disp.dll
 ole2nls.dll typelib.dll msvideo.dll avifile.dll msacm.dll mciavi.drv mciseq.drv mciwave.drv
 progman.exe avicap.dll mapi.dll">
            <byte_runs>
              <byte_run file_offset="2359256" len="33"/>
              <byte_run file_offset="2361648" len="904"/>
            </byte_runs>
          </value>
        </node>
      </node>
    </node>
  </node>
</hive>

See Also