I want to make a search in the registry based on a specific date. If I search with Ctrl+F in regedit, type the date and press Search, it brings no results; however, I know that there are registry keys which were written on that date, and I can see them if I check them individually.
So, is there a way to find all registry keys which were written on a specific date, or can you make a search in the registry to find out which keys were written on that specific date?
Download Registry-Ripper (http//
perl rip.pl -r "/Path/to/Registry-File" -p regtime
You get a list with the last write timestamp of each key.
I want to make a search in the registry based on a specific date. If I search with Ctrl+F in regedit, type the date and press Search, it brings no results; however, I know that there are registry keys which were written on that date, and I can see them if I check them individually.
This suggests that you are dealing with a live registry – is that right?
Regedit does not display any timestamps (at least not the versions of it I have used). So it should not really be unexpected that searches are also limited to the fields that are displayed in the user interface.
So, is there a way to find all registry keys which were written on a specific date, or can you make a search in the registry to find out which keys were written on that specific date?
There are several ways.
Export to .TXT file, and search that file for Last Write Time. Format is not perfect for computer processing, though.
Or, as long as you deal with a live registry, use Microsoft LogParser. From there you can either select the time stamp range yourself in an SQL-like query language, or just output all entries as TXT, CSV or XML, and import that in Access, if you feel more comfortable with that.
No, it is not a live registry. I exported the registry files from Windows/config - software and system, and opened them in Registry Viewer. It gives you the same interface as live forensics.
RegRipper is a good place to start; however, that only gets the LastWrite times on keys, and does not get the time stamps embedded within various value data; just something to keep in mind when performing your search.
If you export the registry as a text file, using regedit, it writes the Last Write time to that text file along with the key value pairs.
Then you can search using Notepad.
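Searching the .txt export in Notepad works for one date, but it means eyeballing every "Last Write Time" hit. The script below is an added example (not code from any answer in this thread) that automates the export-to-text approach from the answers above: it parses a regedit "Text Files (*.txt)" export, picks out each key's Last Write Time, and lists the keys written on a given date or within a date range. The field labels ("Key Name:", "Last Write Time:") and the M/D/YYYY - H:MM AM/PM timestamp layout are assumed from a US-locale regedit export, so adjust TIME_FORMAT if your export looks different; the embedded sample export is constructed, with made-up paths and times. As with RegRipper's regtime plugin, this only sees the LastWrite time of keys, not timestamps stored inside value data.

```python
"""Filter a regedit "Text Files (*.txt)" export by key Last Write Time.

Added example, not code from the thread. Field labels and the
M/D/YYYY - H:MM AM/PM timestamp layout are assumed from a US-locale
regedit export; change TIME_FORMAT for other locales.
"""
import re
from datetime import date, datetime
from typing import List, NamedTuple, Optional

TIME_FORMAT = "%m/%d/%Y - %I:%M %p"          # assumed regedit layout (US locale)
KEY_RE = re.compile(r"^Key Name:\s+(.+?)\s*$")
TIME_RE = re.compile(r"^Last Write Time:\s+(.+?)\s*$")


class KeyRecord(NamedTuple):
    name: str
    last_write: Optional[datetime]           # None if the line was missing or unparsable


# Constructed sample in the export layout; key paths and times are made up.
SAMPLE_EXPORT = r"""Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Vendor
Class Name:        <NO CLASS>
Last Write Time:   3/14/2019 - 9:05 AM
Value 0
  Name:            InstallDir
  Type:            REG_SZ
  Data:            C:\Program Files\Vendor

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\Updater
Class Name:        <NO CLASS>
Last Write Time:   3/15/2019 - 11:47 PM

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Vendor\Run
Class Name:        <NO CLASS>
Last Write Time:   3/15/2019 - 6:02 AM
Value 0
  Name:            svc
  Type:            REG_SZ
  Data:            C:\Users\Public\svc.exe
"""


def parse_export(text: str) -> List[KeyRecord]:
    """Walk the export line by line; each "Key Name:" line starts a new key record."""
    records: List[KeyRecord] = []
    name: Optional[str] = None
    last_write: Optional[datetime] = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            if name is not None:
                records.append(KeyRecord(name, last_write))
            name, last_write = m.group(1), None
            continue
        m = TIME_RE.match(line)
        if m and name is not None:
            try:
                last_write = datetime.strptime(m.group(1), TIME_FORMAT)
            except ValueError:
                last_write = None             # other locale/format: keep the key, no time
    if name is not None:
        records.append(KeyRecord(name, last_write))
    return records


def keys_written_on(text: str, day: str) -> List[str]:
    """Key names whose Last Write Time falls on the ISO date `day` (YYYY-MM-DD)."""
    target = date.fromisoformat(day)
    return [r.name for r in parse_export(text)
            if r.last_write is not None and r.last_write.date() == target]


def keys_written_between(text: str, start: str, end: str) -> List[KeyRecord]:
    """Keys with Last Write Time in [start, end] (ISO dates, inclusive), oldest first."""
    lo = datetime.combine(date.fromisoformat(start), datetime.min.time())
    hi = datetime.combine(date.fromisoformat(end), datetime.max.time())
    hits = [r for r in parse_export(text)
            if r.last_write is not None and lo <= r.last_write <= hi]
    return sorted(hits, key=lambda r: r.last_write)


def load_export(path: str) -> str:
    """Read an export file; regedit writes .txt exports as UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")   # assumed fallback for ANSI exports


if __name__ == "__main__":
    import sys
    # usage: python regtime_filter.py EXPORT.txt 2019-03-15   (no args: constructed sample)
    if len(sys.argv) == 3:
        text, day = load_export(sys.argv[1]), sys.argv[2]
    else:
        text, day = SAMPLE_EXPORT, "2019-03-15"
    for rec in keys_written_between(text, day, day):
        print(rec.last_write.isoformat(" "), rec.name)
```

Run it against the export with the date of interest and it prints the matching keys with their timestamps, oldest first; keys_written_between covers a window around the date when the exact day is uncertain (time zone handling in the export is whatever regedit displayed, so widen the range by a day if the evidence machine and the analysis machine differ in offset). Keys whose timestamp line does not match TIME_FORMAT are kept with no time so a locale mismatch fails loudly in the listing rather than silently dropping keys.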