Windows 8 registry Tool

(@daniel09)
Posts: 1
New Member
Topic starter
 

Hello everyone,

I am looking for a free tool that is able to view all of the registry files in Windows 8 (including any new ones that aren't in Windows 7). It is for a class project that I have to do for a forensics class. I have used RegRipper for looking at Windows 7 registry files but it doesn't seem to work for Windows 8. (I tried to update plugins) Unfortunately, I haven't done any forensics with Windows 8 so I am lost.

Thank you in advance for your help!

 
Posted : 04/12/2012 6:28 am
(@armresl)
Posts: 1011
Noble Member
 

Hi,

Who's the teacher?

> Hello everyone,
>
> I am looking for a free tool that is able to view all of the registry files in Windows 8 (including any new ones that aren't in Windows 7). It is for a class project that I have to do for a forensics class. I have used RegRipper for looking at Windows 7 registry files but it doesn't seem to work for Windows 8. (I tried to update plugins) Unfortunately, I haven't done any forensics with Windows 8 so I am lost.
>
> Thank you in advance for your help!

 
Posted : 04/12/2012 8:51 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> I have used RegRipper for looking at Windows 7 registry files but it doesn't seem to work for Windows 8.

Hey, thanks for making a public statement like that, particularly when you HAVE NO IDEA HOW THE TOOL WORKS!

The fact is that RegRipper works great with Windows 8…but RegRipper is NOT a Registry viewer. If there's something specific that you're looking for with respect to a plugin, and you don't find it, all you have to do is ask.

 
Posted : 04/12/2012 5:21 pm
(@twjolson)
Posts: 417
Honorable Member
 

> Hello everyone,
>
> I am looking for a free tool that is able to view all of the registry files in Windows 8 (including any new ones that aren't in Windows 7). It is for a class project that I have to do for a forensics class. I have used RegRipper for looking at Windows 7 registry files but it doesn't seem to work for Windows 8. (I tried to update plugins) Unfortunately, I haven't done any forensics with Windows 8 so I am lost.
>
> Thank you in advance for your help!

RegRipper, as I understand it, basically goes down the registry path of interest, and pulls out the data found there.

If it isn't working, it may be because that path is no longer valid in Windows 8.

Have you opened it up in other registry tools to see if what you are looking for is there?

The other problem might be the simple stuff like pointing to the wrong file, not having proper permissions, etc.

What does the log file say?

As a side note, if you want someone to help, list your problem and give specific information.

Saying "it doesn't seem to work" says very little about the problem, nor how to solve it.

You wouldn't go to the doctor and say "I'm sick" and leave it at that, would you?

Asking a general question results in one of two things. Either the answers will be general, and probably unhelpful. Or people replying then have to take the time out of their day and list every possible cause of "it doesn't seem to work".

 
Posted : 04/12/2012 9:29 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

RegRipper was released as open source in 2008, with the hope that analysts would see the power of the tool, see that the value rested in the plugins, and either write their own plugins, or provide enough information/data so that someone could write one for them.

What's ended up happening is that the vast majority of those who use the tool do so blindly…they download the tool, expecting the tool to natively have everything that they want (without being able to define what that is…), and I think that this post clearly demonstrates that mindset.

RegRipper does, in fact, work on Windows 8 Registry hives. The binary structure of the Registry has not changed since it was first released. What's happened is that the paths to various keys and values of interest have changed or been removed, new paths added, and in some cases the paths have remained the same while the data itself has changed. There are plugins that not only work on Windows 8, but there are a couple of plugins for artifacts (typedurltimes and filehistory, specifically) that only exist on Windows 8.

To properly use RegRipper, you have to have some understanding of the Registry, and of the various versions of Windows. For example, XP maintains a record of user searches via the desktop in subkeys beneath the ACMru key. With Vista, desktop searches were maintained in an XML file, rather than the Registry. As of Windows 7, the desktop searches were moved to a key called "WordWheelQuery", and there are plugins for XP (acmru.pl) and Win7 (wordwheelquery.pl).

So…if you run wordwheelquery.pl against an XP system, it is easy to say…and incorrect to say…that when you see the response "key not found" that RegRipper did not work. The same would be true when acmru.pl is run against Vista or above systems.

RegRipper is not a viewer. RegRipper is a tool that allows you to perform surgical, tactical, automated extraction and translation (and to some degree, correlation) of Registry data. Like any other tool, RegRipper is only as good as the person who uses it.

 
Posted : 04/12/2012 10:26 pm
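
The point made in the post above, that "key not found" reflects where a given Windows version stores an artifact rather than a tool failure, shown as an added example (not RegRipper code and not part of the original thread). The hive is modeled as a constructed dictionary instead of a parsed file; the full key paths and the MRUListEx layout are supplied here and do not come from the thread.

```python
import struct

# NTUSER.DAT key paths for the two search-history artifacts named in the post.
ACMRU = r"Software\Microsoft\Search Assistant\ACMru"                         # XP
WWQ = r"Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery"  # Win7+
NOT_FOUND = "key not found"  # artifact absent at this path, not a tool failure

def decode_wordwheel(values):
    """Return search terms most recent first, following the MRUListEx order."""
    raw = values.get("MRUListEx", b"")
    raw = raw[:len(raw) - len(raw) % 4]          # ignore a truncated trailing entry
    terms = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:                    # end-of-list marker
            break
        data = values.get(str(idx))
        if data is not None:
            terms.append(data.decode("utf-16-le", "replace").rstrip("\x00"))
    return terms

def search_history(hive):
    """hive maps key path -> {value name: data}; constructed stand-in for a parsed hive."""
    keys = {path.lower(): values for path, values in hive.items()}  # names are case-insensitive
    report = {"wordwheelquery": NOT_FOUND, "acmru": NOT_FOUND}
    if WWQ.lower() in keys:
        report["wordwheelquery"] = decode_wordwheel(keys[WWQ.lower()])
    prefix = ACMRU.lower() + "\\"
    subkeys = {p[len(prefix):]: [v for _, v in sorted(vals.items())]
               for p, vals in keys.items() if p.startswith(prefix)}
    if subkeys or ACMRU.lower() in keys:
        report["acmru"] = subkeys
    return report

# Constructed sample data (not taken from a real system).
WIN7_NTUSER = {
    WWQ: {
        "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
        "0": "invoice".encode("utf-16-le") + b"\x00\x00",
        "1": "passport scan".encode("utf-16-le") + b"\x00\x00",
    },
}
XP_NTUSER = {ACMRU + "\\5603": {"000": "*.doc", "001": "budget"}}

if __name__ == "__main__":
    for name, hive in (("Win7-style", WIN7_NTUSER), ("XP-style", XP_NTUSER)):
        print(name, search_history(hive))
```
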
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Just a thought, and getting back on topic…but can you provide some information regarding what you're looking for? What are the goals of your analysis? Most Registry viewers will work on Windows 8 systems, and like any other tools, all have their strengths and weaknesses, pros and cons. If you could provide some indication of what it is you're looking for, it would be easier to make recommendations.

Thanks.

 
Posted : 04/12/2012 10:29 pm