Hi
Forgive the absence of grey cells. I'm sure that very recently I either saw or (even worse) produced some output from XP Restore Points which listed the changes made to the registry in successive RPs
But I'm damned if I can remember or find the example again.
Mebbe I'm hallucinating, or just not using the right syntax - can anyone out there help? Am using Mandiant Restore Point Analyzer and Harlan's RipXP.
Thanks
Are you looking to see all changes or changes involving specific key(s)?
If you are looking for changes involving a specific key (or keys) then Harlan's RipXP will work. I've used it numerous times before to quickly parse the registry in restore points. I usually mount the image then run ripxp against the mounted image using the following command
ripxp.exe -r <hive name> -p <plugin module> -d <restore point directory>
The following is the command I just used to run ripxp against an image mounted with FTK imager (file system read only option). The command rips the winlogon key across all of the software hives in the restore points.
ripxp.exe -r G:\[root]\WINDOWS\system32\config\software -p winlogon -d "G:\[root]\System Volume Information\_restore{36C3D145-AB8E-4E10-8674-37427A733E09}"
Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com
Thanks Cory
Am particularly interested in Installs and UnInstalls across all RPs, would be nice if there was an overview available which gave that info but I think I'm hallucinating.
I've since remembered where I saw some kind of summary, it was in CCleaner (in the "Tools > System Restore" option) but it's not as complete as it could be.
Guess I'll have to run RipXP against UserAssist and compare against the current sub-keys and values.
Cheers
No problem for the help. You may be aware of this but I forgot to mention when you run ripxp make sure the folder it is running from has the plugins folder. On my system ripxp.exe is in the same folder as Regripper so both programs access the same plugins folder.
> Am particularly interested in Installs and UnInstalls across all RPs
When you run ripxp you could run the uninstall plugin against the software hive and the listsoft plugin against the user account's ntuser.dat of interest. The uninstall plugin "gets contents of Uninstall key from Software hive" while the listsoft plugin "lists contents of user's Software key". This may provide some of the information about the programs installed. The command syntax would be the same I posted before with the exception of the registry hive (software or ntuser.dat) and plugin -p (uninstall or listsoft) changing.
The plugins folder I'm using was last updated on 020911 and both plugins are present in the plugins folder.
Corey Harrell
"Journey into Incident Response"
http://journeyintoir.blogspot.com
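The "overview of what changed between successive restore points" asked about above is not something the thread's commands produce directly, so here is an added example (not Corey's or Harlan's code) that builds one: it locates the software hive in every RP snapshot folder, runs a RegRipper plugin such as uninstall against each, and diffs the results between consecutive RPs. It assumes rip.exe is on PATH with its plugins folder beside it, the standard XP `_restore{GUID}\RPnnn\snapshot\_REGISTRY_MACHINE_SOFTWARE` layout, and treats each non-empty plugin output line as one entry; the sample directory tree in `demo_layout()` is constructed.

```python
"""Diff RegRipper plugin output across successive XP restore points.
Added example, not from the thread. Assumes rip.exe on PATH (plugins beside it)."""
import os
import re
import subprocess
import tempfile

# Hive file name inside each RP's snapshot folder (standard XP restore point layout).
SOFTWARE_HIVE = "_REGISTRY_MACHINE_SOFTWARE"


def find_restore_points(restore_dir):
    """Return [(rp_number, hive_path)] in RP order for every RPnnn folder carrying the hive."""
    found = []
    for name in os.listdir(restore_dir):
        m = re.fullmatch(r"RP(\d+)", name)
        hive = os.path.join(restore_dir, name, "snapshot", SOFTWARE_HIVE)
        if m and os.path.isfile(hive):
            found.append((int(m.group(1)), hive))
    return sorted(found)


def rip_entries(hive_path, plugin):
    """Run one RegRipper plugin on one hive; each non-empty output line becomes an entry."""
    proc = subprocess.run(["rip.exe", "-r", hive_path, "-p", plugin],
                          capture_output=True, text=True, check=True)
    return {line.strip() for line in proc.stdout.splitlines() if line.strip()}


def diff_successive(listings):
    """listings: [(rp, set_of_entries)] in RP order.
    Return [(prev_rp, rp, added, removed)] for each consecutive pair whose entries differ."""
    changes = []
    for (prev_rp, prev), (rp, cur) in zip(listings, listings[1:]):
        added, removed = sorted(cur - prev), sorted(prev - cur)
        if added or removed:
            changes.append((prev_rp, rp, added, removed))
    return changes


def overview(restore_dir, plugin="uninstall"):
    """End to end: rip the software hive of every RP, then report what changed between RPs."""
    listings = [(rp, rip_entries(path, plugin)) for rp, path in find_restore_points(restore_dir)]
    return diff_successive(listings)


def demo_layout():
    """Constructed sample tree: RP1 and RP12 carry the hive, RP7 does not, 'junk' is not an RP."""
    root = tempfile.mkdtemp()
    for rp, with_hive in (("RP12", True), ("RP1", True), ("RP7", False), ("junk", True)):
        snap = os.path.join(root, rp, "snapshot")
        os.makedirs(snap)
        if with_hive:
            open(os.path.join(snap, SOFTWARE_HIVE), "wb").close()
    return [rp for rp, _ in find_restore_points(root)]
```

Point `overview()` at the mounted `_restore{GUID}` directory; swap `plugin` for listsoft and `SOFTWARE_HIVE` for the user's `_REGISTRY_USER_NTUSER_<SID>` file to do the same for the ntuser.dat side.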
If I could expand on this, same question, Win7/Vista OS?
Randy
Randy,
Win7/Vista use VSCs rather than XP System Restore Points.
Here's a post I wrote up on accessing VSCs
http//
Here's a post from Corey where he talks about automating accessing VSCs, including doing things while you have access, like running RegRipper's rip.pl tool…
http//
If you just want file system metadata, take a look at Stacey's post
http//
hope this helps