
Artifact update - Windows.Registry.NTUSER

Open randomaccess3 opened this issue 1 year ago • 0 comments

Looking at the Windows.Registry.NTUSER artifact, it would be great to have it updated to do an API read of HKU first, and then only raw read the hives that aren't loaded (although you could always just do both and group by after).

Current thought process is:

  1. Get all users
  2. Read HKU and run query
  3. For all users in users but not in hku, run raw read of ntusers
  4. Collate results

I don't think the artifact itself would be hard to fix up, just wondering whether it would break anything that uses this as a dependency. May be worth keeping the original as "Windows.Registry.RawNTUSER".

randomaccess3 Aug 11 '23 01:08
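The four-step flow proposed in the issue, written out as a custom artifact. This is an added sketch, not the Velociraptor project's own Windows.Registry.NTUSER artifact nor code from the issue author. It assumes the built-in Windows.Sys.Users artifact exposes Name, Directory and UUID columns, that glob() with the registry accessor lists loaded hives under HKEY_USERS and returns OSPath/Data/Mtime, that the raw_reg accessor accepts a pathspec() root, and that the `.SID` projection of a materialized LET yields an array usable with IN. The artifact name, the KeyGlob default and the Source column are chosen for illustration.

```yaml
name: Custom.Windows.Registry.NTUSER.Hybrid
description: |
  Sketch of the hybrid approach discussed in the issue: read loaded user
  hives through the live registry API, raw-parse NTUSER.DAT only for
  profiles whose hive is not mounted under HKEY_USERS, then collate.

parameters:
  - name: KeyGlob
    # Illustrative default; any key glob relative to the hive root works.
    default: Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\*
  - name: UserRegex
    default: .
    type: regex

sources:
  - query: |
      -- 1. Get all users (columns assumed from Windows.Sys.Users).
      LET Profiles <= SELECT Name AS Username, Directory, UUID AS SID
        FROM Artifact.Windows.Sys.Users()
        WHERE Directory AND SID =~ UserRegex

      -- 2. SIDs whose hive is currently loaded under HKEY_USERS.
      --    The *_Classes subkeys are a separate hive and are skipped.
      LET Loaded <= SELECT Name AS SID
        FROM glob(globs="HKEY_USERS\\*", accessor="registry")
        WHERE NOT SID =~ "_Classes$"

      -- API read for profiles whose hive is loaded.
      LET ApiHits = SELECT * FROM foreach(
        row={ SELECT * FROM Profiles WHERE SID IN Loaded.SID },
        query={
          SELECT OSPath, Data, Mtime, Username, SID, "api" AS Source
          FROM glob(globs=KeyGlob,
                    root="HKEY_USERS\\" + SID,
                    accessor="registry")
        })

      -- 3. Raw read of NTUSER.DAT for users not present in HKU.
      LET RawHits = SELECT * FROM foreach(
        row={ SELECT * FROM Profiles WHERE NOT SID IN Loaded.SID },
        query={
          SELECT OSPath, Data, Mtime, Username, SID, "raw" AS Source
          FROM glob(globs=KeyGlob,
                    root=pathspec(
                      DelegateAccessor="auto",
                      DelegatePath=Directory + "\\NTUSER.DAT"),
                    accessor="raw_reg")
        })

      -- 4. Collate both result sets into one output stream.
      SELECT * FROM chain(a=ApiHits, b=RawHits)
```

Keeping a Source column makes it visible in the results which hives came from the live API and which from the raw parse, which helps when comparing output against the existing artifact for any consumer that depends on it.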