`filerenameop`¶

$ target-query <path/to/target> -f filerenameop

Details¶
Module	`dissect.target.plugins.os.windows.generic.GenericPlugin`
Output	`records`

Module documentation

Generic Windows plugin.

Provides Windows operating system plugins too small to fit in a separate plugin.

Function documentation

Return all pending file rename operations.

The PendingFileRenameOperations registry key value contains information about files that will be renamed on reboot. Can be used to hunt for malicious binaries.

References:

https://forensicatorj.wordpress.com/2014/06/25/interpreting-the-pendingfilerenameoperations-registry-key-for-forensics/
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241%28v=technet.10%29?redirectedfrom=MSDN
https://qtechbabble.wordpress.com/2020/06/26/use-pendingfilerenameoperations-registry-key-to-automatically-delete-a-file-on-reboot/

filerenameop¶

`filerenameop`¶