[Vol-users] Volatile registry keys

Thomas Chopitea tomchop at gmail.com
Thu Feb 25 19:44:48 CST 2016


Dear vol-users,

I'm trying to get data from a volatile registry key using the regapi /
rawreg classes in volatility.

The key I'm looking for is under HKCU\Software\Classes\, and is called CLSID

vol.py
--plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns'
-f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K
"Software\\Classes\\CLSID"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

The requested key could not be found in the hive(s) searched

So I go up one level:

vol.py
--plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns'
-f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K
"Software\\Classes"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \??\C:\Users\admin\ntuser.dat
Key name: Classes (V)
Last updated: 2015-04-11 18:04:18 UTC+0000

Subkeys:

Values:
REG_LINK      SymbolicLinkValue : (V) \Registry
\User\S-1-5-21-978483858-511166411-2750856381-1000_Classes
----------------------------
Registry: \SystemRoot\System32\Config\DEFAULT
Key name: Classes (S)
Last updated: 2009-07-14 04:48:57 UTC+0000

Subkeys:
  (S) Local Settings

Values:

How can I query this key and keep on drilling its subkeys?

Also, my plugin is making extensive use of rawreg because I try to get each
individual NTUSER.dat hive, and I don't know which hive_name to pass on to
regapi. Should I use the full hive name, as in
self.hive_name(obj.Object("_CMHIVE",
vm = addr_space, offset = hive_offset)), or is there a better way of doing
it?

Any help is greatly appreciated. Have a great day!

-- 
Thomas Chopitea
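The printkey output above shows why the direct lookup fails: in ntuser.dat, Software\Classes is only a volatile key holding a REG_LINK to \Registry\User\<SID>_Classes, and printkey does not follow that link, so the CLSID subkeys have to be looked up in the hive that backs the link target. As an added illustration (not Volatility code and not part of the original post), the block below builds a toy two-hive registry modelled on that output and resolves REG_LINK values while walking a path; the UsrClass.dat path, the link-root table and the CLSID contents are constructed assumptions.

```python
# Constructed sample: hive name -> {relative key path: {value name: (type, data)}}.
# It mirrors the printkey output in the post: in ntuser.dat, Software\Classes is a
# volatile key whose only content is a REG_LINK to \Registry\User\<SID>_Classes.
SID = "S-1-5-21-978483858-511166411-2750856381-1000"
NTUSER = r"\??\C:\Users\admin\ntuser.dat"
USRCLASS = r"\??\C:\Users\admin\AppData\Local\Microsoft\Windows\UsrClass.dat"  # assumed path
HIVES = {
    NTUSER: {
        "Software": {},
        "Software\\Classes": {
            "SymbolicLinkValue": ("REG_LINK", "\\Registry\\User\\" + SID + "_Classes")},
    },
    USRCLASS: {
        "": {},
        "CLSID": {},
        "CLSID\\{00000000-0000-0000-0000-000000000000}": {"": ("REG_SZ", "constructed COM class")},
    },
}
# Link roots as the kernel names them -> backing hive (constructed; hivelist shows the real ones).
ROOTS = {"\\Registry\\User\\" + SID + "_Classes": USRCLASS}


def resolve(hive, path, max_hops=8):
    """Follow REG_LINK values while walking `path`; return (hive, path) of the real key."""
    hops = 0
    parts = [p for p in path.split("\\") if p]
    i = 0
    while i <= len(parts):
        prefix = "\\".join(parts[:i])
        key = HIVES.get(hive, {}).get(prefix)
        link = key.get("SymbolicLinkValue") if key else None
        if link and link[0] == "REG_LINK":
            hops += 1
            if hops > max_hops:  # guard against a chain of links that never terminates
                raise RuntimeError("symbolic link loop at %s" % prefix)
            target = link[1]
            root = next((r for r in ROOTS if target == r or target.startswith(r + "\\")), None)
            if root is None:
                raise LookupError("no hive backs link target %s" % target)
            hive = ROOTS[root]
            # Remaining components are re-rooted under the link target in the new hive.
            parts = [p for p in target[len(root):].split("\\") if p] + parts[i:]
            i = 0
            continue
        i += 1
    return hive, "\\".join(parts)


def get_key(hive, path):
    """Look up a key following links; None means 'could not be found', as printkey reports."""
    hive, real = resolve(hive, path)
    return HIVES.get(hive, {}).get(real)
```

With the sample data, `get_key(NTUSER, "Software\\Classes\\CLSID")` lands in the UsrClass.dat hive at key "CLSID", whereas a direct lookup of that path in ntuser.dat returns nothing.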