RECmd
Command line access to the Registry
**RECmd version #** 2.0.0.0 **Describe the bug** When using --kn, I can successfully use the alias "ROOT\\*" to get all keys under the root path, without the need...
RLA
Command line: `-d D:\test\DESKTOP-1\uploads\auto\C\Users\b --out D:\test\DESKTOP-1\uploads\auto\C\Users\b\t`

Hives found: 2

```
Processing hive D:\test\DESKTOP-1\uploads\auto\C\Users\b\NTUSER.DAT
Two transaction logs found. Determining primary log...
Primary log: D:\test\DESKTOP-1\uploads\auto\C\Users\b\ntuser.dat.LOG2, secondary log: D:\test\DESKTOP-1\uploads\auto\C\Users\b\ntuser.dat.LOG1
Replaying log file: D:\test\DESKTOP-1\uploads\auto\C\Users\b\ntuser.dat.LOG2...
```
**RECmd version** 2.0.0.0 **rla version** 2.0.0.0 **Describe the bug** I am trying to run `rla.exe` on the NTUSER.DAT of the Administrator account. While processing with `rla.exe` I get an error...
**rla version** 2.0.0.0 **Is your feature request related to a problem? Please describe.** I am trying to clean a NTUSER.DAT file. It seems Windows somehow wrote the base file as...
> Is there any chance you want to add this to the DFIRBatch file?
>
> https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/DFIRBatch.reb

@AndrewRathbun Let's do it :)

_Originally posted by @vxsh4d0w in https://github.com/EricZimmerman/KapeFiles/pull/962#issuecomment-2323035512_
## Description This Pull Request changes the default behaviour when the flag nl is set to false. Before the commit if there are no transaction logs and it detects a...
I used the command `RECmd.exe -f "C:\Users\Administrator\Desktop\system.hiv" --kn "ControlSet001\Enum\DISPLAY" --recover --json "output_DISPLAY"` to view the information under DISPLAY that was deleted and recovered by the --recover parameter, but there was...
## Description Adds DateTime.Ticks and Automation Date OLE2.0 Support with OLE support ported over from the Registry Explorer Data Interpreter. ## Checklist: Please replace every instance of `[ ]` with...