Use regripper to analyse Windows registry
Installation of regripper in Debian stable
Regripper is not available in Debian stable, so download the deb file manually:
Download regripper in Debian sid/unstable
If you are not doing the analysis locally, copy the deb file to the system on which you want to install it:
scp regripper_3.0*.deb admin@forensic:
Install the regripper deb package manually and fix missing dependencies:
sudo dpkg -i regripper_3.0*.deb
sudo apt-get install -f
Structure of the Windows Registry
The Windows registry is not a single large file on the hard drive, but a collection of files called hives. Each hive then contains a registry tree.
Hive | Description |
---|---|
NTUSER.DAT | User-specific information |
SAM | User Information |
SYSTEM | Windows Settings |
SOFTWARE | Software Settings |
SECURITY | Security Policies |
Storage Location of the Hives
The location of each hive file can easily be found with find:
find /mnt/ -name NTUSER.DAT
Regripper Syntax
The tool regripper can now be executed on each hive file separately. It has hive-specific plugins as well as some quick options:
Rip v.3.0 - CLI RegRipper tool
Rip [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile.
-r [hive] .........Registry hive file to parse
-d ................Check to see if the hive is dirty
-g ................Guess the hive file type
-a ................Automatically run hive-specific plugins
-aT ...............Automatically run hive-specific TLN plugins
-f [profile].......use the profile
-p [plugin]........use the plugin
-l ................list all plugins
-c ................Output plugin list in CSV format (use with -l)
-s systemname......system name (TLN support)
-u username........User name (TLN support)
-uP ...............Update default profiles
-h.................Help (print this information)
Analyze NTUSER.DAT with regripper
As an example, we now analyze or export the user-specific information from the Windows registry hive file NTUSER.DAT:
regripper -r /mnt/xvdc3/Users/admin/NTUSER.DAT -g -a
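The two steps above (locating the hives with find, then running regripper on each one) combined into one script. This is an added example, not part of the original article; the function names, the report directory and the read-only mount are assumptions. Because a search by file name alone also matches unrelated files called SYSTEM or SOFTWARE, it keeps only files that begin with the "regf" hive signature.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes the image is mounted
# read-only and that the Debian package provides the `regripper` command.

# List files that carry one of the hive names from the table above AND start
# with the 4-byte "regf" signature found at the beginning of every hive file.
find_hives() {
    find "$1" -type f \( -iname NTUSER.DAT -o -iname SAM -o -iname SYSTEM \
        -o -iname SOFTWARE -o -iname SECURITY \) 2>/dev/null |
    while IFS= read -r f; do
        if [ "$(head -c 4 "$f" 2>/dev/null)" = "regf" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Turn a hive path into a flat, unique report file name,
# e.g. <mount>/Users/admin/NTUSER.DAT -> Users_admin_NTUSER.DAT.txt
report_name() {
    rel=${2#"$1"}
    rel=${rel#/}
    printf '%s.txt\n' "$(printf '%s' "$rel" | tr '/ ' '__')"
}

# Run the hive-specific plugins (-a) on every hive and keep one report per hive.
rip_all() {
    mount=$1
    out=$2
    command -v regripper >/dev/null 2>&1 || { echo "regripper not installed" >&2; return 1; }
    mkdir -p "$out" || return 1
    find_hives "$mount" | while IFS= read -r hive; do
        name=$(report_name "$mount" "$hive")
        echo "ripping $hive -> $out/$name" >&2
        regripper -r "$hive" -a > "$out/$name" 2> "$out/$name.err" ||
            echo "regripper failed on $hive (see $out/$name.err)" >&2
    done
}

# Usage: sh rip_all.sh /mnt/xvdc3 ./reports
if [ "$#" -ge 1 ]; then
    rip_all "$1" "${2:-./regripper-out}"
fi
```

Write the reports to a directory outside the mounted image so the evidence is not modified.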