`catroot.catdb`¶

$ target-query <path/to/target> -f catroot.catdb

Details¶
Module	`dissect.target.plugins.os.windows.catroot.CatrootPlugin`
Output	`records`

Module documentation

Catroot plugin.

Parses catroot files for hashes and file hints.

Function documentation

Return the hash values present in the catdb files in the catroot2 folder.

The catdb file is an ESE database file that contains the digests of the catalog files present on the system. This database is used to speed up the process of validating a Portable Executable (PE) file.

Note: catalog files can include file hints, however these seem not to be present in the catdb files.

References:

https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files

Yields CatrootRecords with the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
digest (digest): The parsed digest.
hints (string[]): File hints, if present.
catroot_name (string): Catroot name.
source (path): Source of the catroot record.

catroot.catdb¶

`catroot.catdb`¶