I've blogged about parsing the raw Registry files, and even wrote an offline parser utility that works rather well and is platform-independent. Well, a bit ago, I came across this Perl module:
Parse::Win32Registry
I have been planning on writing some parsing tools that will go through specific Registry files and pull out information for reports, etc. Anyway, due to a request on the HTCC last night, I threw something together really quickly to pull date info from user accounts from the raw SAM file (example output appended below).
Anyway, I just wanted to mention this to folks, let you all know what's out there, and the fact that this particular module installs easily on Windows, but also runs on Linux/MacOSX.
Harlan
———————————————————————————-
Name Administrator
Comment Built-in account for administering the computer/domain
Last Login = Never
Pwd Reset = Tue Aug 17 20:31:47 2004 (UTC)
Pwd Fail = Never

Name Guest
Comment Built-in account for guest access to the computer/domain
Last Login = Never
Pwd Reset = Never
Pwd Fail = Never

Name HelpAssistant (Remote Desktop Help Assistant Account)
Comment Account for Providing Remote Assistance
Last Login = Never
Pwd Reset = Wed Aug 18 00:37:19 2004 (UTC)
Pwd Fail = Never

Name SUPPORT_388945a0 (CN=Microsoft Corporation,L=Redmond,S=Washington,C=US)
Comment This is a vendor's account for the Help and Support Service
Last Login = Never
Pwd Reset = Wed Aug 18 00:39:27 2004 (UTC)
Pwd Fail = Never

Name Harlan
Last Login = Mon Sep 26 23:37:51 2005 (UTC)
Pwd Reset = Wed Aug 18 00:49:42 2004 (UTC)
Pwd Fail = Mon Sep 26 23:37:47 2005 (UTC)

Name jdoe (John Doe)
Comment Corporate User
Last Login = Mon Sep 26 22:55:51 2005 (UTC)
Pwd Reset = Fri Sep 9 01:09:49 2005 (UTC)
Pwd Fail = Mon Sep 26 22:55:49 2005 (UTC)
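
Added example (not Harlan's script and not code from the Perl module): a Python sketch of how date fields like those in the output above can be decoded from the binary "F" value stored for each account in the SAM file. The field offsets (8, 24, 40) are an assumption not stated in the post, and the sample F value is constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# ASSUMPTION (not stated in the post): byte offsets of the 64-bit FILETIME
# fields inside an account's "F" value, SAM\Domains\Account\Users\<RID>.
F_DATE_FIELDS = (("Last Login", 8), ("Pwd Reset", 24), ("Pwd Fail", 40))
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """UTC datetime -> FILETIME (100 ns ticks since 1601-01-01)."""
    return ((dt - EPOCH_1601) // timedelta(seconds=1)) * 10_000_000

def filetime_to_text(ft):
    """FILETIME -> text in the style of the post's output; 0 means unset."""
    if ft == 0:
        return "Never"
    try:
        dt = EPOCH_1601 + timedelta(microseconds=ft // 10)
    except OverflowError:
        return "Out of range"  # corrupt or unexpected field contents
    return f"{dt:%a %b} {dt.day} {dt:%H:%M:%S %Y} (UTC)"

def parse_f_dates(f_value):
    """Return {label: text} for the three date fields of one F value."""
    if len(f_value) < 48:
        raise ValueError("F value too short to hold the date fields")
    return {label: filetime_to_text(struct.unpack_from("<Q", f_value, off)[0])
            for label, off in F_DATE_FIELDS}

def build_sample_f():
    """CONSTRUCTED sample: 80 zero bytes with two dates packed in."""
    utc = timezone.utc
    f = bytearray(80)
    struct.pack_into("<Q", f, 8, to_filetime(datetime(2005, 9, 26, 23, 37, 51, tzinfo=utc)))
    struct.pack_into("<Q", f, 24, to_filetime(datetime(2004, 8, 18, 0, 49, 42, tzinfo=utc)))
    # Offset 40 (Pwd Fail) is left at zero, which decodes as "Never".
    return bytes(f)

if __name__ == "__main__":
    for label, text in parse_f_dates(build_sample_f()).items():
        print(f"{label:<10} = {text}")
```

When reading a real hive, the bytes passed to parse_f_dates would be the raw data of the F value under each account's RID key.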