Extract data from Windows registry

RegRipper's CLI (rip.pl) extracts data from Windows registry hive files using plugins. RegRipper was written by Harlan 'keydet89' Carvey.


Input: Windows registry hive files

Output: report data


To list the plugins that RegRipper supports, pass the -l option when running it through the cincan tool:

cincan run cincan/regripper -l

Extract the Run and RunOnce keys from the SOFTWARE hive (commands that run every time a user logs on), this time invoking docker directly:

docker run --rm -v "$(pwd)":/samples cincan/regripper -r /samples/SOFTWARE -p soft_run

Extract user and group information from the 'SAM' hive file with the samparse plugin:

cincan run cincan/regripper -r samples/SAM -p samparse

Extract the list of installed applications from the SOFTWARE hive with the product plugin:

cincan run cincan/regripper -r samples/SOFTWARE -p product

Extract the exact Windows version recorded in the registry with the winver plugin:

cincan run cincan/regripper -r samples/SOFTWARE -p winver
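
The individual commands above can be combined into one pass over a directory of collected hives. The script below is an added example, not code from the RegRipper or CinCan projects: it hashes each hive before parsing, mounts the evidence directory read-only, and writes one report per hive and plugin. The function names, the DOCKER override, the report file layout and the use of GNU sha256sum are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the RegRipper or CinCan projects.
# Assumes docker and GNU sha256sum are installed and hives keep their standard names.

IMAGE="cincan/regripper"

# Map a hive file name to the plugins this page runs against it (case-insensitive).
plugins_for_hive() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        SOFTWARE) echo "soft_run product winver" ;;
        SAM)      echo "samparse" ;;
        *)        return 1 ;;   # no plugin from this page applies to this file
    esac
}

# Run one plugin against one hive. The evidence directory is mounted read-only
# (:ro) so the container cannot modify the hives. DOCKER can be overridden
# (for example DOCKER=echo) to print the command instead of running it.
run_plugin() {   # $1 = absolute evidence dir, $2 = hive file name, $3 = plugin
    "${DOCKER:-docker}" run --rm -v "$1":/samples:ro "$IMAGE" \
        -r "/samples/$2" -p "$3"
}

# Hash each recognised hive, then write one report file per hive/plugin pair.
triage() {   # $1 = directory holding hive files, $2 = report directory
    src=$(cd "$1" && pwd) || return 1
    mkdir -p "$2" || return 1
    for hive in "$src"/*; do
        [ -f "$hive" ] || continue
        name=$(basename "$hive")
        plugins=$(plugins_for_hive "$name") || continue
        # Record the hash first so each report can be tied to the exact evidence file.
        (cd "$src" && sha256sum "$name") >> "$2/hashes.sha256"
        for p in $plugins; do
            run_plugin "$src" "$name" "$p" \
                > "$2/$name.$p.txt" 2> "$2/$name.$p.err" \
                || echo "plugin $p failed on $name" >&2
        done
    done
}

# Usage: sh triage.sh <hive-dir> <report-dir>
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```

Files in the hive directory that match neither SOFTWARE nor SAM are skipped, since this page names no plugin for them.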

Project homepage