
recmd's Introduction

RECmd

Ongoing Projects

  • Kroll Batch File - Development roadmap for the Kroll Batch File. Please feel free to contribute by adding ideas or by finishing tasks in the To Do column. Any help is appreciated!

Command Line Interface

RECmd version 1.6.0.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces (and all RegEx) with double quotes

        d               Directory to look for hives (recursively). -f or -d is required.
        f               Hive to search. -f or -d is required.

        q               Quiet mode. When true, hide processing details. Default is FALSE

        kn              Display details for key name. Includes subkeys and values
        vn              Value name. Only this value will be dumped
        bn              Use settings from supplied file to find keys/values. See included sample file for examples
        csv             Directory to save CSV formatted results to. Required when -bn is used.
        csvf            File name to save CSV formatted results to. When present, overrides default name
        saveTo          Saves --vn value data in binary form to file. Expects path to a FILE
        json            Export --kn to directory specified by --json. Ignored when --vn is specified
        jsonf           File name to save JSON formatted results to. When present, overrides default name

        details         Show more details when displaying results. Default is FALSE

        Base64          Find Base64 encoded values with size >= Base64 (specified in bytes)
        MinSize         Find values with data size >= MinSize (specified in bytes)

        sa              Search for <string> in keys, values, data, and slack.
        sk              Search for <string> in key names.
        sv              Search for <string> in value names
        sd              Search for <string> in value record's value data
        ss              Search for <string> in value record's value slack
        literal         If true, --sd and --ss search value will not be interpreted as ASCII or Unicode byte strings
        nd              If true, do not show data when using --sd or --ss. Default is FALSE
        regex           If present, treat <string> in --sk, --sv, --sd, and --ss as a regular expression. Default is FALSE

        dt              The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff
        nl              When true, ignore transaction log files for dirty hives. Default is FALSE
        recover         If true, recover deleted keys/values. Default is TRUE

        vss             Process all Volume Shadow Copies that exist on drive specified by -f or -d. Default is FALSE
        dedupe          Deduplicate -f or -d & VSCs based on SHA-1. First file found wins. Default is TRUE

        sync            If true, the latest batch files from https://github.com/EricZimmerman/RECmd/tree/master/BatchExamples are downloaded and local files updated. Default is FALSE

        debug           Show debug information during processing
        trace           Show trace information during processing

Example: RECmd.exe --f "C:\Temp\UsrClass 1.dat" --sk URL --recover false --nl
         RECmd.exe --f "D:\temp\UsrClass 1.dat" --StartDate "11/13/2014 15:35:01"
         RECmd.exe --f "D:\temp\UsrClass 1.dat" --RegEx --sv "(App|Display)Name"

Documentation

Command line Registry access, including batch mode!

See the manual for more examples.

If you get an error message like "error loading plugin" when running RECmd after downloading the ZIP archive and extracting it using Windows' ZIP tool, the extracted files still carry the mark-of-the-web (the Zone.Identifier alternate data stream that Windows attaches to downloaded content), and the plugin DLLs are refused at load time. Use the following PowerShell command, from the extracted RECmd directory, to unblock the DLLs:

PS> Unblock-File .\Plugins\*.dll
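The one-liner above fixes the plugins, but when a download has been extracted into a tree it is worth seeing which files are actually marked and confirming that nothing is left afterwards. The following is an added PowerShell example, not part of RECmd; it assumes the ZIP was extracted to .\RECmd and otherwise relies only on the built-in Get-Item/Get-Content -Stream and Unblock-File cmdlets:

```powershell
# Added example, not part of RECmd. Assumes the ZIP was extracted to .\RECmd (adjust $root).
$root = ".\RECmd"

function Get-MarkedFile {
    # Return every file under $Path that still carries the Zone.Identifier stream (mark-of-the-web)
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File | Where-Object {
        $null -ne (Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    }
}

$marked = @(Get-MarkedFile -Path $root)
foreach ($f in $marked) {
    # ZoneId=3 is the Internet zone; that is the value that makes the plugin DLLs unloadable
    $zone = Get-Content -LiteralPath $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = ($zone | Where-Object { $_ -match '^ZoneId=' }) -join ','
    Write-Host ("{0}  [{1}]" -f $f.FullName, $zoneId)
}

# Unblock everything that was marked (plugin DLLs, the EXEs, any .reb batch files), not only .\Plugins\*.dll
$marked | Unblock-File

# Verify: nothing under the tree should still carry the stream
$left = @(Get-MarkedFile -Path $root)
if ($left.Count -eq 0) {
    Write-Host "All files unblocked"
} else {
    Write-Warning ("{0} file(s) still marked, e.g. {1}" -f $left.Count, $left[0].FullName)
}
```

Run it from the directory that contains the extracted folder. Listing the marked files first also tells you whether the archive was extracted with a tool that does not propagate the stream at all, in which case the plugin error has a different cause.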

Batch Files

RECmd uses Batch Files to make your Registry output more actionable. Learn about Batch Files here!

As of September 2021, there is a README specifically for the Kroll_Batch file used by RECmd and KAPE. Find it here!

RLA

Command Line Interface

rla version 1.6.0.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces (and all RegEx) with double quotes

        d               Directory to look for hives (recursively). -f or -d is required.
        f               Hive to process. -f or -d is required.

        out             Directory to save updated hives to. Only dirty hives with logs applied will end up in --out directory

        ca              When true, always copy hives to --out directory, even if they aren't dirty. Default is TRUE
        cn              When true, compress names for profile based hives. Default is TRUE

        debug           Show debug information during processing
        trace           Show trace information during processing

Example: rla.exe --f "C:\Temp\UsrClass 1.dat" --out C:\temp
         rla.exe --d "D:\temp\" --out c:\temp

Documentation

RLA is a single purpose tool to replay transaction logs in Registry hives. This is useful when parsing with tools that don't recognize and replay transaction logs on their own.
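The workflow this implies, as an added PowerShell example that is not part of RLA or RECmd: replay the logs for every hive under a collection directory with rla, check which hives were actually changed, then point RECmd at the cleaned copies with --nl so the logs are not applied a second time. All paths are assumptions. The mapping from a raw hive to its cleaned copy follows the behaviour the RLA --out issues later on this page describe (the source path is recreated under --out with the drive colon removed); verify it against your own rla output before relying on it:

```powershell
# Added example, not RLA/RECmd project code. Assumed paths:
$rla    = "C:\Tools\RECmd\rla.exe"
$recmd  = "C:\Tools\RECmd\RECmd.exe"
$src    = "E:\Case001\hives"        # raw hives plus their .LOG1/.LOG2 files, as collected
$clean  = "E:\Case001\hives_clean"  # rla --out
$csvOut = "E:\Case001\RECmdOut"
$reb    = "C:\Tools\RECmd\BatchExamples\Kroll_Batch.reb"   # any batch file you use

# 1. Enumerate the raw hives, skipping the transaction log and related files that sit next to them
$rawHives = Get-ChildItem -Path $src -Recurse -File |
    Where-Object { $_.Name -notmatch '\.(LOG\d|regtrans-ms|blf)$' }

# 2. Replay transaction logs. --ca defaults to TRUE, so every hive is copied to --out,
#    dirty or not; that lets RECmd parse the whole set from one directory afterwards.
& $rla --d $src --out $clean

# 3. Map each raw hive to where its cleaned copy should be and report which ones rla rewrote.
#    Assumed layout (from the --out issues on this page): <out>\<source path without the colon>.
$report = foreach ($hive in $rawHives) {
    $cleanPath = Join-Path $clean ($hive.FullName -replace ':', '')
    if (Test-Path -LiteralPath $cleanPath) {
        $rawHash   = (Get-FileHash -LiteralPath $hive.FullName -Algorithm SHA1).Hash
        $cleanHash = (Get-FileHash -LiteralPath $cleanPath -Algorithm SHA1).Hash
        [pscustomobject]@{ Hive = $hive.FullName; Copied = $true;  LogsApplied = ($rawHash -ne $cleanHash) }
    } else {
        # No copy at the expected location: either the layout differs or rla failed on this hive
        [pscustomobject]@{ Hive = $hive.FullName; Copied = $false; LogsApplied = $false }
    }
}
$report | Format-Table -AutoSize

# 4. Parse the cleaned copies. --nl: do not look for logs again, the copies are already consistent.
& $recmd --d $clean --bn $reb --csv $csvOut --nl
```

A hive that shows Copied = True and LogsApplied = False was not dirty, or had no log data to apply. A hive with Copied = False deserves a look at the rla console output: the IndexOutOfRangeException reported in one of the issues below is exactly the kind of failure that would leave a gap here.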

Download Eric Zimmerman's Tools

All of Eric Zimmerman's tools can be downloaded here. Use the Get-ZimmermanTools PowerShell script to automate the download and updating of the EZ Tools suite. Additionally, you can automate each of these tools using KAPE!

Special Thanks

Open Source Development funding and support provided by the following contributors:


recmd's Issues

I am not getting results when I use reb files on macOS

** RECmd version # **
2.0.0.0

Describe the bug
I get no results when using reb files on macOS. It says it found 0 key/value pairs. The exact same command and package on Windows finds 546 key/value pairs.

They both find the same number of hives (on macOS and on Windows), and I know Registry parsing seems to be correct because I can use parameters like sd/sk to search content which works and returns expected results.

Command used:

dotnet /Tools/RECmd/RECmd.dll -d '/Cases/12345/Systems/ABC1/hives' --bn '/Tools/RECmd/AllRegExecutablesFoundOrRun.reb' --csv /Cases/12345/Systems/ABC1/RECmdOutput/RegEXEsFoundOrRun --nl

I'm running dotnet v6.0.101 on macOS Big Sur 11.6.5.

To Reproduce
Steps to reproduce the behavior:

  1. Run the above command on a folder containing Registry hives on macOS
  2. Results on Windows shows 546 identified key/value pairs, on macOS it shows none

Expected behavior
It should find the same key/value pairs as when ran on the same data on Windows.

get all information from hive

Is there a way of extracting all information to a CSV from a hive (including deleted keys and values)?

I have tried
recmd.exe --f "myhive" --nl --csv "mycsv.csv" --recover --details --regex --sa *
recmd.exe --f "myhive" --nl --csv "mycsv.csv" --recover --details --regex --sa .*

but no results are found.

RLA --out parameter

** RECmd version # **
2.0.0.0

Describe the bug
RLA command line does not correctly build the output directory.
Executed Command line: C:\tools\rla\rla.exe -f "C:\test_pinqp\DESKTOP-B3FG6UV\C\Windows\System32\config\SOFTWARE" --out "C:\test_pinqp\DESKTOP-B3FG6UV\C\Windows\System32\config\SOFTWARE\output"

To Reproduce
Steps to reproduce the behavior:

  1. Create output folder: mkdir "C:\test_pinqp\DESKTOP-B3FG6UV\C\Windows\System32\config\SOFTWARE\output"
  2. Execute RLA with file source and out parameter. Please see above.

Expected behavior
Expected to clean the dirty HIVE to the new folder defined in the --out parameter.


Additional context
Issue might be at line 535 and 536 of the source code:
var outFile = hiveToProcess.Replace(":", "").Replace(Path.PathSeparator.ToString(), "_");
var outFileAll = Path.Combine(@out, outFile);

RLA --out parameter behaviour with -f

RLA version #
2.0.0.0

Describe the bug
Note: As ever, an excellent tool and very grateful for all your efforts in creating and maintaining them!
RLA: when targeting a particular hive file with the -f parameter, the --out recreates the full directory path (not required in my use case).
Command line:
C:\DFIR\Tools\net6\rla.exe -f "E:\Testing\Hostname\Collection\Windows\System32\config\SAM" --out "E:\Testing\Hostname\Collection\Windows\System32\config\Clean"

I've read the other issue entries and saw your comments in issue #55 about preserving the source path, in case you were processing multiple NTUSER.dat files (as an example), and I concur with this logic for the -d switch. But, I think for the -f switch where you are specifying a particular file it doesn't work as well?

In my use case I am processing individual hives before running other tools on them separately, so it is counter-productive for it to reproduce the full source path; for example, the cleaned hive file gets output to the following directory:

E:\Testing\Hostname\Collection\Windows\System32\config\Clean\E\Testing\Hostname\Collection\Windows\System32\config

Note: If you can specify the paths using relative paths it seems to work (i.e. doesn't create the original source path), but I can't use relative paths in my use case and have to use the full paths to each file / directory, e.g. I have my tools on C:\ and my artifacts on E:.

To Reproduce

  1. Copy a sample registry file to a directory
  2. Run C:\DFIR\Tools\net6\rla.exe -f "E:\Testing\Hostname\Collection\Windows\System32\config\SAM" --out "E:\Testing\Hostname\Collection\Windows\System32\config\Clean"
  3. Go to: E:\Testing\Hostname\Collection\Windows\System32\config\Clean
  4. Find the preserved source path directory structure and follow it down to the clean file: E:\Testing\Hostname\Collection\Windows\System32\config\Clean\E\Testing\Hostname\Collection\Windows\System32\config

Expected behavior
When using the -f switch I would expect the clean file to be output to the path specified without retaining the source path. Or have another switch that enables / disables the preservation of the original source path?


Unable to load live registry in RegExplorer 1.6

** RECmd version # **
1.6 RegExplorer

Describe the bug

Attempt to get an MFT record with an old reference, Error message: Attempt to get an MFT record with an old reference, Stack trace:    at DiscUtils.Ntfs.MasterFileTable.GetRecord(FileRecordReference fileReference)
   at DiscUtils.Ntfs.File.LoadAttributes()
   at DiscUtils.Ntfs.NtfsFileSystem..ctor(Stream stream)
   at RawCopy.Helper.VerifyFileSystemOpen(String path) in D:\Code\RawCopy\RawCopy\Helper.cs:line 457
   at RawCopy.Helper.RawFileExists(String path) in D:\Code\RawCopy\RawCopy\Helper.cs:line 141
   at RawCopy.Helper.GetFiles(List`1 fileNames, Boolean dedupe) in D:\Code\RawCopy\RawCopy\Helper.cs:line 65
   at RegistryExplorer.Forms.Main.<LoadHive>d__45.MoveNext() in D:\Code\RegistryViewerZ\RegistryViewerZ\Forms\Main.cs:line 885

To Reproduce
Steps to reproduce the behavior:

  1. Go to File, Live System, attempt to open SOFTWARE,SYSTEM, or current user hive
  2. No hive opens, messages shows error above

Expected behavior
Open live hives

RLA --out parameter

** RECmd version #
2.0.0.0

Describe the bug
RLA command line does not correctly export to the output directory.
Command line: -d C:\temp\registry --out C:\temp\registry\output

To Reproduce
Create Output folder
Execute RLA with file source and out parameter. Please see above.

Expected behavior
Expected to clean the dirty HIVE to the new folder defined in the --out parameter.

This was previously identified and resolved in RLA --out parameter #47


Batch file: How to find values with specific data

Malware uses new file associations with the exefile handler to bypass AVs. E.g. adding a registry key for .test under Classes and for the default value use exefile. I would like to add an entry to the Kroll batch file to find all file associations which use the exefile file handler (normally only one, the .exe one).

What should the entry look like in a batch file to iterate through all values for a given key and find those with specific data?

I added a Sigma rule for that https://github.com/Karneades/sigma/blob/master/rules/windows/registry_event/win_registry_file_association_exefile.yml or our team tweeted about that too https://twitter.com/swisscom_csirt/status/1463070008867704835
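One way to approach the question above, and to illustrate the batch file layout that the Batch Files section of the README earlier on this page points to, as an added example that is not part of RECmd or the Kroll batch file: a batch file entry scopes the walk to a key (and, with Recursive: true, to every subkey beneath it), but it carries no filter on value data, so the match on "exefile" has to happen on the CSV afterwards. The PowerShell below writes a small .reb file in the layout of the sample file shipped with RECmd, runs it against a hive directory with --bn/--csv, and filters the output for any default value whose data is exefile. The paths, the hive directory contents and the CSV column names used in the filter (HivePath, KeyPath, ValueName, ValueData, LastWriteTimestamp, and "(default)" as the name RECmd gives a key's default value) are assumptions to check against your own output:

```powershell
# Added example, not RECmd project code. Assumed paths:
$recmd   = "C:\Tools\RECmd\RECmd.exe"
$hiveDir = "E:\Case001\hives"     # collected hives, searched recursively by --d
$outDir  = "E:\Case001\RECmdOut"
$reb     = Join-Path $outDir "ExefileAssociations.reb"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Batch file in the .reb layout used by RECmd. Id is a fresh GUID for this file.
$id = [guid]::NewGuid().ToString()
@"
Description: File associations whose handler is exefile
Author: Added example
Version: 1
Id: $id
Keys:
    -
        Description: Per-extension subkeys under HKLM\SOFTWARE\Classes
        HiveType: SOFTWARE
        Category: Persistence
        KeyPath: Classes
        Recursive: true
        Comment: The default value of each .ext subkey names the ProgID handler
    -
        Description: Per-user file association overrides
        HiveType: NTUSER
        Category: Persistence
        KeyPath: Software\Classes
        Recursive: true
        Comment: HKCU\Software\Classes as stored in NTUSER.DAT
"@ | Set-Content -LiteralPath $reb -Encoding ASCII

# Run the batch file. --nl skips transaction log replay; drop it if the hives were not cleaned with rla first.
& $recmd --d $hiveDir --bn $reb --csv $outDir --csvf "exefile_assoc.csv" --nl

# Batch mode cannot match on data, so filter the CSV: default value == exefile on any key that is not .exe
# (.exe -> exefile is the normal mapping; anything else is the pattern described in the issue).
$csv  = Join-Path $outDir "exefile_assoc.csv"
$hits = Import-Csv -LiteralPath $csv |
    Where-Object { $_.ValueName -eq '(default)' -and $_.ValueData -eq 'exefile' } |
    Where-Object { (Split-Path -Path $_.KeyPath -Leaf) -ne '.exe' }

$hits | Select-Object HivePath, KeyPath, ValueData, LastWriteTimestamp | Format-Table -AutoSize
```

Recursive: true over Classes produces a large CSV, which is the cost of not having a data filter in the batch file; narrowing the post-filter to ValueName "(default)" keeps the result set to the association keys themselves. Per-user associations on current Windows versions live in UsrClass.dat at the hive root rather than in NTUSER.DAT; see the "Get hive root with --bn" issue below before adding a USRCLASS entry, since root-level KeyPath handling in batch mode is what that issue is about.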

RLA

Command line: -d D:\test\DESKTOP-1\uploads\auto\C\Users\b --out D:\test\DESKTOP-1\uploads\auto\C\Users\b\t

    Hives found: 2
Processing hive D:\test\DESKTOP-1\uploads\auto\C\Users\b\NTUSER.DAT
Two transaction logs found. Determining primary log...
Primary log: D:\test\DESKTOP-1\uploads\auto\C\Users\b\ntuser.dat.LOG2, secondary log: D:\test\DESKTOP-1\uploads\auto\C\Users\b\ntuser.dat.LOG1
Replaying log file: D:\test\DESKTOP-1\uploads\auto\C\Users\b\ntuser.dat.LOG2
Replaying log file: D:\test\DESKTOP-1\uploads\auto\C\Users\b\ntuser.dat.LOG1
At least one transaction log was applied. Sequence numbers have been updated to 0x100A12. New Checksum: 0xAF344325
There was an error: Index was outside the bounds of the array.
System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at rla.Program.DoWork(String f, String d, String out, Boolean ca, Boolean cn, Boolean debug, Boolean trace)

Processing hive D:\test\DESKTOP-1\uploads\auto\C\Users\b\AppData\Local\Microsoft\Windows\UsrClass.dat
Two transaction logs found. Determining primary log...
Primary log: D:\test\DESKTOP-1\uploads\auto\C\Users\b\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2, secondary log: D:\test\DESKTOP-1\uploads\auto\C\Users\b\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
Replaying log file: D:\test\DESKTOP-1\uploads\auto\C\Users\b\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2
Replaying log file: D:\test\DESKTOP-1\uploads\auto\C\Users\b\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
At least one transaction log was applied. Sequence numbers have been updated to 0x2C393. New Checksum: 0x449B1856
There was an error: Index was outside the bounds of the array.
System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at rla.Program.DoWork(String f, String d, String out, Boolean ca, Boolean cn, Boolean debug, Boolean trace)

SAM information seems incorrect

Hi,

I'm currently doing an IR investigation and I'm planning on doing a check on all SAM registry files to see if all local admin passwords have been reset. The REcmd tool is perfect for that, except that it seems to always show 'False' where the value is a boolean.

The version of REcmd that I'm using is '1.5.2.0', combined with the command:
ReCmd.exe --f "D:\Registry\SAM_dc" --bn RECmd_Batch_MC.reb --csv D:\output


I've also attached a SAM registry file for convenience.
SAM.zip

Is this a bug?

I appreciate all your hard work on these tools, they have been very beneficial so far, thank you!

Registry batch reb files need a cleanup

This issue is not a feature request per se but a placeholder for a needed cleanup for the *ASEP batch examples. We have duplicates, similar keys in different files, different naming or categories for the same key... Also RegistryASEPs.reb includes all the others but not fully and we have differences between the files, e.g. some entries are only there and some only in the more specific files.

I don't think that reb includes are possible inside other .reb files (like compounds in Kape), but if we duplicate entries from the more specific files into one generic "RegistryASEPs.reb", errors occur or additions only get made in one file.

We could of course remove RegistryASEPs.reb entirely to only have the specific files.

Question: What do you think? Do other work with those and see a value of fixing the differences?

https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/

  • RegistryASEPs.reb
  • SoftwareASEPs.reb
  • SystemASEPs.reb
  • ...

I think it is of value to cleanup them: remove duplicates, fix the differences, align the category names and keys to make the analysis easier. Furthermore, I would fix https://github.com/EricZimmerman/KapeFiles/blob/master/Modules/Registry/RECmd.mkape so either RegistryASEPs.reb is used or all the others, but not both (because of duplicated information).

If this place is wrong for such an issue, then please advise.

Ransomware warning

Hi, I tried to use the program to investigate some registry files, but Windows seems to automatically quarantine the file and warn for: "Ransom:Win32/WannaCrypt.A!rfn".

The file that it warns on is: "RegistryExplorer.exe"

Just want to let you know.


Get hive root with --bn

** RECmd version # **
2.0.0.0

Describe the bug
When using --kn, I can successfully use the alias "ROOT\*" to get all keys under the root path, without the need to know the root path name in advance. However, when using --bn, "ROOT" alias does not work.
Within the hive I'm analyzing, the root path is named "CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}" and the only method in which I was successful in fetching the data I wanted was defining:
KeyPath: CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}*


To Reproduce
Mentioned above

Expected behavior
Mentioned above

Additional context
I hope I made sense
