
REG key value

Open hammjd opened this issue 8 years ago • 3 comments

Feature Request: Import raw .REG key values... They're easy to collect with PowerShell and faster than trying to get the entire SYSTEM hives.

hammjd, Aug 16 '17 16:08

Can you share a sample of what that looks like or the PS command used to export so I can generate a few of those? Should be simple enough to add a new ingestion plugin here.

mbevilacqua, Sep 01 '17 11:09

Sure. It's really just a dump/export of the key from the registry. Here's an example from my forensic VM... To get this to you quickly, I just used regedit to export the key. (Change the extension to .reg from .txt.) You can also use the following command on your local system:

reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" appcompat.reg

hammjd, Sep 06 '17 08:09
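The ingestion plugin mbevilacqua mentions would have to turn the text produced by `reg export` back into the raw REG_BINARY blob that the hive-based plugins already hand to the ShimCache parser. The following is an added example of that first step, written for this thread; it is not AppCompatProcessor code. It reads the .reg text format (the `Windows Registry Editor Version 5.00` header, a bracketed key path, `"Name"=hex:..` values with trailing-backslash line continuations, UTF-16LE with a BOM as regedit and reg.exe write it) and returns the bytes of the AppCompatCache value. The key path and value name come from the `reg export` command above; the byte payload in the sample is constructed and is not a real cache.

```python
"""Parse a regedit / `reg export` .reg file and pull out a REG_BINARY value.

Added example for the AppCompatCache .reg ingestion discussion; not part of
AppCompatProcessor. The key path is the one exported by the command in the
thread; the bytes in SAMPLE_REG are constructed, not a real ShimCache.
"""
import codecs
import re

# Constructed sample of what `reg export` produces for the AppCompatCache key
# (on disk this is UTF-16LE with a BOM; load_appcompatcache() handles that).
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache]",
    '"CacheMainSdb"=hex:00,00,00,00,00,00,00,00',
    '"AppCompatCache"=hex:34,00,00,00,01,00,00,00,de,ad,be,ef,\\',
    "  00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,\\",
    "  10,20,30",
    "",
])

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"=hex:aa,bb   or   "Name"=hex(b):aa,bb  (typed hex for non-REG_BINARY)
_HEX_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=hex(?:\((\w+)\))?:(.*)$')


def decode_reg_bytes(raw: bytes) -> str:
    """Decode a .reg file. regedit and reg.exe write UTF-16 with a BOM;
    fall back to UTF-8 for hand-edited or re-saved copies."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")  # the utf-16 codec consumes the BOM
    return raw.decode("utf-8-sig")


def _logical_lines(text: str):
    """Join regedit's trailing-backslash continuation lines into one line each."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: bytes}} for every hex-typed value.
    String/DWORD values are skipped; only binary payloads are of interest here."""
    result = {}
    current_key = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            result.setdefault(current_key, {})
            continue
        m = _HEX_VALUE_RE.match(line)
        if m and current_key is not None:
            # Unescape \" and \\ inside the quoted value name.
            name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
            hex_body = m.group(3).replace(",", "").replace(" ", "")
            result[current_key][name] = bytes.fromhex(hex_body)
    return result


def load_appcompatcache(raw: bytes) -> bytes:
    """Decode a .reg export and return the AppCompatCache REG_BINARY blob,
    i.e. the same bytes a SYSTEM-hive plugin would read from the key."""
    tree = parse_reg(decode_reg_bytes(raw))
    for key_path, values in tree.items():
        if key_path.lower().endswith("\\appcompatcache"):
            for name, blob in values.items():
                if name.lower() == "appcompatcache":
                    return blob
    raise KeyError("no AppCompatCache value found in .reg export")


if __name__ == "__main__":
    # Simulate a real export: UTF-16LE with BOM, as regedit writes it.
    on_disk = codecs.BOM_UTF16_LE + SAMPLE_REG.encode("utf-16-le")
    blob = load_appcompatcache(on_disk)
    print(f"AppCompatCache blob: {len(blob)} bytes, header {blob[:4].hex()}")
```

The only format-specific knowledge here is the continuation rule and the `hex:` / `hex(type):` prefix; everything after `load_appcompatcache` returns is the binary ShimCache blob, so the existing hive-oriented parsing in the project could be reused unchanged. Exports saved as .txt from regedit parse identically, since only the extension differs.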

For the record, this issue depends on #4, since this feature has been implemented in https://github.com/mandiant/ShimCacheParser/pull/15

nbareil, Apr 26 '18 09:04