Bug running on Windows 22H2, OS 19045.6332
I used the command "RECmd.exe -f "C:\Users\Administrator\Desktop\system.hiv" --kn "ControlSet001\Enum\DISPLAY" --recover --json "output_DISPLAY"" to view the information under DISPLAY that was deleted and recovered by the --recover parameter, but there was no mark in the output JSON file. However, in the cmd window, I saw Subkey #2 (True}). After verification, True = deleted and recovered information.
So what's the issue? It tells you right there.
Does it get marked in the CSV?
Add IsDeleted or IsRecovered fields to JSON output
I can't save the results in csv format
Because csv wants a path, not a filename.
You shouldn't need to specify recover either. It's on by default afaik.
It seems that I can see "True" in the cmd window even if I don't use "--recover"
Because recover is true by default, aka it's on
According to what you said, "only specify the path" still cannot save csv
That's not what kn does. Just use Registry Explorer command line and then export from there.
I think it would be better to add "deleted data" and other indicators in the json output format
I still can't export the csv format normally, the command seems to be fine
You need to actually read the command line switches versus just assuming how things work
CSV only works when you're using BN
I don't know why you're expecting it to export anything out with what you're doing