target-reg

target-reg is a tool to easily query the registry of Windows targets and prints it in a tree. A +``symbol indicates that it is a registry key (i.e. may have subkeys). A ``- symbol indicates a registry value.

$ target-reg targets/EXAMPLE.E01 -k "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
+ 'Microsoft' (last-modified-date-shows-here)
  + '.NETFramework' (last-modified-date-shows-here)
    - 'Enable64Bit' value-shows-here
[...]

See also

Please refer to Use-cases for more examples of how to use target-reg.

Usage

target-reg - CLI interface

dissect.target

target-reg [-h] -k KEY [-kv VALUE] [-d [DEPTH]] [-l LENGTH] [-K KEYCHAIN_FILE]
           [-Kv KEYCHAIN_VALUE] [-L LOADER] [--child CHILD] [--children] [--list-children]
           [--recursive] [-v] [--version] [-q] [--plugin-path PLUGIN_PATH [PLUGIN_PATH ...]]
           TARGETS [TARGETS ...]

target-reg positional arguments

  • TARGETS - Targets to load (default: None)

target-reg options

  • -h, --help - show this help message and exit

  • -k KEY, --key KEY - key to query (default: None)

  • -kv VALUE, --value VALUE - value to query (default: None)

  • -d DEPTH, --depth DEPTH - max depth of subkeys to print (default: 1)

  • -l LENGTH, --length LENGTH - max length of key value to print (default: 100)

  • -K KEYCHAIN_FILE, --keychain-file KEYCHAIN_FILE - keychain file in CSV format (default: None)

  • -Kv KEYCHAIN_VALUE, --keychain-value KEYCHAIN_VALUE - passphrase, recovery key or key file path value (default: None)

  • -L LOADER, --loader LOADER - select a specific loader (i.e. vmx, raw) (default: None)

  • --child CHILD - load child of target by path of index (see –list-children) (default: None)

  • --children - include children

  • --list-children - list all children indices and paths, then exit (default: False)

  • --recursive - make –list-children behave recursively

  • -v, --verbose - increase output verbosity (default: 0)

  • --version - print version

  • -q, --quiet - do not output logging information

  • --plugin-path PLUGIN_PATH - a file or directory containing plugins and extensions (default: None)

For more information on the -K, --keychain-file and -Kv, --keychain-value arguments, please refer to Disk encryption (FVE).

The -k, --key argument

Next to the targets to query, the -k [KEY] key argument is a required argument. This is used to specify the key that should be queried for. Be sure to put the key within quotation.

The -kv, --value argument

The -kv, --value argument can be used to specify the value that the queried key should contain. This comes in when for example searching for legitimate keys with a known malicious value.

The -d, --depth argument

The -d, --depth argument is used to specify the depth level of the queried key. When example querying the key HKEY_LOCAL_MACHINE with a depth level of 1, the result will show all the hives that are present within (SAM, SECURITY, SOFTWARE, etc.). However, all these hives contain keys within, which means they are at depth level 2 seen from HKEY_LOCAL_MACHINE. As you can guess, this next level can be made visible using -d 2.

Example usage of the -d, --depth argument
$ target-reg targets/EXAMPLE.E01 -k "HKEY_LOCAL_MACHINE" -d 1
+ 'HKEY_LOCAL_MACHINE' (None)
  + 'SAM' (last-modified-date-shows-here)
  + 'SECURITY' (last-modified-date-shows-here)
...
$ target-reg targets/EXAMPLE.E01 -k "HKEY_LOCAL_MACHINE" -d 2
+ 'HKEY_LOCAL_MACHINE' (None)
  + 'SAM' (last-modified-date-shows-here)
    + 'SAM' (last-modified-date-shows-here)
      - 'C' value-shows-here
      - 'ServerDomainUpdates' value-shows-here
 + 'SECURITY' (last-modified-date-shows-here)
    + 'Cache' (last-modified-date-shows-here)
      - 'NL$1' value-shows-here
...