Hello,
I am curious if anyone knows about a tool that will analyze many common restore point files all at the same time and output the difference from them? Specifically exporting all the NTUSER.dat or System registry files from 30+ restore points and do a diff on them to show any new additions + timestamp etc. I have looked around but have only found tools to parse the change.log or to individually look at the exported file one at a time.
Thanks,
Mark
Yes, I've written a version of RegRipper that does exactly what you're asking about called 'ripXP'; I've blogged about it…
http//
I would certainly be interested in ripXP.
Thanks, looks like that will work.
Harlan,
I can't find the link to the tool? I read on the comments page that you might not be releasing the tool. Is it out somewhere?
Thanks
RipXP will probably be the best tool for the Registry. Not tried it yet, although will try to give it a go this week.
Also though, there is an EnScript, written by Trevor Fairchild (C4P Author), for those using EnCase. It does seem a bit buggy, but does work.
Minesh
Mark,
No, I haven't released ripXP publicly yet…so I don't know how Minesh is going to try it.
Part of the issue is that this requires some set up…once it's going, it runs like a champ…Ovie from Cyberspeak has used it, and I've used it several times.
Due to the reaction of folks with tools like RegRipper…such as running it on hive files on live systems, running it against ntuser.dat.log files, etc….I'm hesitant to release it to the general public. Again, the set up needs to follow some explicit steps.
Harlan,
At the risk of looking like a kid throwing sand on the playground )
What is the point of referencing an application that isn't released or one that appears will never be released?
I am curious because it doesn't seem to answer the user's question - looking for a tool (presumably one that can be used today) to use against restore points. I doubt Mark was looking for references to vaporware. (Not insinuating ripXP is vaporware as you've written it and made it available to one person, but since it's not available to Mark and you haven't indicated here that Mark can use it, then for all intents and purposes, for Mark's application, it is vaporware.)
Cheers!
farmerdude
Thomas,
> What is the point of referencing an application that isn't released or one
> that appears will never be released?
I'm not sure where you're getting the part about "will never be released", but for the moment, I'm kind of swamped with billable work.
As I stated in my previous post, releasing far simpler tools with explicitly documented instructions has resulted in a number of emails from folks who have not read the documentation, misused the tool, and blamed it on me. Therefore, I am attempting to take the time to make the tool easier to use; however, this is not an effort directed by my employer. Instead, it is something I'm doing on my own. Therefore, you've gotta wait.
Re
I am curious if anyone knows about a tool that will analyze many common restore point files all at the same time and output the difference from them?
You can use kdiff3 to compare the parsed registry files.
(use RegRipper, ripXP, etc. to parse the files)
It can only compare 3 files at the most at once.
Has been very useful to compare different registry files.
The way it displays the changes makes it easy to see where the changes are.
Does anyone know of a tool which will display the difference between more than three txt files and show the changes?
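For the more-than-three-file comparison asked about in this thread, an added example (not one of the tools named here): it takes parsed registry dumps as plain text, one `key = value` line per entry (an assumed format), orders them by restore point, and reports what each later point added or removed relative to its predecessor, with a timestamp.

```python
"""Added example: diff an ordered series of parsed registry dumps (plain
text, one 'key = value' line per entry, an assumed format) from any number
of restore points and report what appeared or disappeared, and when."""
import os
from datetime import datetime

# Constructed sample standing in for parser output from three successive
# restore points: (restore point, timestamp, dump text).
SNAPSHOTS = [
    ("RP10", "2009-03-01 08:00",
     "Run\\Updater = C:\\updater.exe\nRecentDocs\\a = doc1.txt\n"),
    ("RP11", "2009-03-03 09:15",
     "Run\\Updater = C:\\updater.exe\nRecentDocs\\a = doc1.txt\n"
     "RecentDocs\\b = doc2.txt\n"),
    ("RP12", "2009-03-05 10:30",
     "Run\\Updater = C:\\updater.exe\nRun\\NewEntry = C:\\newapp.exe\n"
     "RecentDocs\\b = doc2.txt\n"),
]

def load_dumps(paths):
    """Read real dump files, ordered by mtime, into the SNAPSHOTS shape."""
    dumps = []
    for p in sorted(paths, key=os.path.getmtime):
        ts = datetime.fromtimestamp(os.path.getmtime(p)).strftime("%Y-%m-%d %H:%M")
        with open(p, encoding="utf-8", errors="replace") as fh:
            dumps.append((os.path.basename(p), ts, fh.read()))
    return dumps

def diff_chain(snapshots):
    """First snapshot is the baseline; for each later one emit
    (point, timestamp, '+'|'-', line) for lines added/removed vs. its
    predecessor.  Unlike a 3-way diff tool, any number of files works."""
    events, previous = [], None
    for point, ts, text in snapshots:
        current = {ln.strip() for ln in text.splitlines() if ln.strip()}
        if previous is not None:
            events += [(point, ts, "+", ln) for ln in sorted(current - previous)]
            events += [(point, ts, "-", ln) for ln in sorted(previous - current)]
        previous = current
    return events

def first_seen(events):
    """Map each added line to the restore point/timestamp it first appeared in
    (iterating in reverse so the earliest '+' event wins)."""
    return {ln: (point, ts) for point, ts, change, ln in reversed(events)
            if change == "+"}

if __name__ == "__main__":
    for point, ts, change, ln in diff_chain(SNAPSHOTS):
        print(f"{ts}  {point}  {change} {ln}")
```

To run it over real exports, replace `SNAPSHOTS` with `load_dumps(glob.glob("rp*/ntuser.txt"))` or similar; the timestamp then comes from each file's mtime, so export the dumps in restore-point order.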