Duplicate results, if registry backups exist in RegBack

Open falklindner opened this issue 3 months ago • 3 comments

If there are Registry Backups present in sysvol/windows/system32/config/RegBack, some plugins will display duplicated or outdated results, if they use target.registry.keys("xxx") to load the registry keys holding certain information.

This can be mitigated after parsing by removing them using the filepath:

# Load every matching key, then drop the ones whose hive was loaded from RegBack
key_list = list(self.target.registry.keys(KEYS))

key_list_filtered = [
    key for key in key_list
    if not hasattr(key.hive, "filepath") or "RegBack" not in key.hive.filepath.parts
]

Ideally though, skipping RegBack could be enabled at the keys method.

falklindner avatar Sep 09 '25 14:09 falklindner
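As an added example, not code from the issue or from dissect.target itself, the filter described above written out against constructed stand-in objects (FakeHive and FakeKey are hypothetical and only mimic the key.hive.filepath shape the post relies on). It goes a little beyond the post: path components are compared case-insensitively, and a second helper keeps a RegBack copy only when no live hive supplied that key path, which is the behaviour a forensic analyst usually wants when the live hive is missing or damaged.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Iterable, Optional


# Constructed stand-ins (hypothetical) for the object shape the issue relies on:
# key.hive.filepath. These are NOT dissect.target's own classes.
@dataclass(frozen=True)
class FakeHive:
    filepath: Optional[PurePosixPath]  # None models a hive without a backing file


@dataclass(frozen=True)
class FakeKey:
    path: str        # registry key path, e.g. HKLM\SYSTEM\...
    hive: FakeHive   # the hive this key was read from
    data: str        # stand-in for the value a plugin would report


def hive_is_regback(hive) -> bool:
    """True if the hive was loaded from a RegBack directory.

    Same test as the issue's filter ("RegBack" in key.hive.filepath.parts),
    but path components are compared case-insensitively because NTFS paths
    are case-insensitive and the directory may be extracted as "regback".
    Hives without a filepath attribute (or with None) are treated as live.
    """
    filepath = getattr(hive, "filepath", None)
    if filepath is None:
        return False
    return any(part.lower() == "regback" for part in filepath.parts)


def drop_regback(keys: Iterable) -> list:
    """Strict filter, as in the issue: discard every key from a RegBack hive."""
    return [key for key in keys if not hive_is_regback(key.hive)]


def prefer_live(keys: Iterable) -> list:
    """Deduplicate by key path, preferring the live hive over RegBack.

    A RegBack copy is kept only when no live hive provided that key path,
    so backups still contribute when the live hive is missing or damaged.
    """
    chosen = {}
    for key in keys:
        current = chosen.get(key.path)
        # Take the key if we have nothing yet, or if it replaces a backup with a live copy.
        if current is None or (hive_is_regback(current.hive) and not hive_is_regback(key.hive)):
            chosen[key.path] = key
    return list(chosen.values())


# Constructed sample input mimicking what target.registry.keys(...) might yield
# on a target where sysvol/windows/system32/config/RegBack is populated.
CONFIG = PurePosixPath("sysvol/windows/system32/config")
LIVE_SYSTEM = FakeHive(CONFIG / "SYSTEM")
BACKUP_SYSTEM = FakeHive(CONFIG / "RegBack" / "SYSTEM")
VIRTUAL = FakeHive(None)

COMPUTERNAME = r"HKLM\SYSTEM\ControlSet001\Control\ComputerName\ComputerName"
SAMPLE_KEYS = [
    FakeKey(COMPUTERNAME, LIVE_SYSTEM, "WS-CURRENT"),             # live value
    FakeKey(COMPUTERNAME, BACKUP_SYSTEM, "WS-OLD"),               # outdated duplicate from RegBack
    FakeKey(r"HKLM\SYSTEM\ControlSet001\Services\Tcpip", VIRTUAL, "virtual"),
    FakeKey(r"HKLM\SYSTEM\ControlSet001\Services\OnlyInBackup", BACKUP_SYSTEM, "backup-only"),
]


if __name__ == "__main__":
    for key in drop_regback(SAMPLE_KEYS):
        print("strict :", key.path, key.data)
    for key in prefer_live(SAMPLE_KEYS):
        print("prefer :", key.path, key.data)
```

With the sample above the strict filter returns the live ComputerName key and the virtual-hive key only, while prefer_live also keeps OnlyInBackup because no live hive supplied it; the outdated WS-OLD duplicate is dropped in both cases.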

> Ideally though, skipping RegBack could be enabled at the keys method.

I think a better approach is for it to be user toggle-able somehow. Maybe through an environment variable or a command line argument (--ignore-regback). I don't think we'd want this to be hardcoded in a plugin.

Schamper avatar Sep 10 '25 08:09 Schamper

Would you imagine the CLI argument to be available for target-query and target-reg? Are there additional commands you'd see the need for that?

falklindner-dev avatar Sep 10 '25 08:09 falklindner-dev

I think ideally there's a common way we can set flags on a Target object (i.e. Target.props), and every CLI tool just uses that (like we already have common argument parsers for BitLocker and LUKS keys).

Schamper avatar Sep 10 '25 09:09 Schamper