Use regripper to analyse Windows registry

Linux

Installation of regripper in Debian stable

Regripper is not available in Debian stable, so download the deb file manually:

Download regripper from Debian sid/unstable

If you are not doing the analysis locally, copy the deb file to the system on which you want to install it:

scp regripper_3.0*.deb admin@forensic:

Install the regripper deb package manually and fix missing dependencies:

sudo dpkg -i regripper_3.0*.deb
sudo apt-get install -f

Structure of the Windows Registry

The Windows registry is not a single large file on the hard drive but a collection of files called hives. Each hive contains one registry tree.

Hive         Description
NTUSER.DAT   User-specific information
SAM          User information
SYSTEM       Windows settings
SOFTWARE     Software settings
SECURITY     Security policies

Storage Location of the Hives

The location of each hive file on the mounted image can easily be found with find:

find /mnt/ -name NTUSER.DAT

Regripper Syntax

The tool regripper is then run on each hive file separately. It has hive-specific plugins, but also some quick options (usage output of regripper -h):

Rip v.3.0 - CLI RegRipper tool
Rip [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile.

  -r [hive] .........Registry hive file to parse
  -d ................Check to see if the hive is dirty
  -g ................Guess the hive file type
  -a ................Automatically run hive-specific plugins
  -aT ...............Automatically run hive-specific TLN plugins
  -f [profile].......use the profile
  -p [plugin]........use the plugin
  -l ................list all plugins
  -c ................Output plugin list in CSV format (use with -l)
  -s systemname......system name (TLN support)
  -u username........User name (TLN support)
  -uP ...............Update default profiles
  -h.................Help (print this information)

Analyze NTUSER.DAT with regripper

As an example, we now analyze and export the user-specific information of the Windows registry from its hive file NTUSER.DAT, letting regripper guess the hive type (-g) and run all plugins for that hive type (-a):

regripper -r /mnt/xvdc3/Users/admin/NTUSER.DAT -g -a
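To process every hive of a mounted image in one pass instead of running the command by hand per file, here is an added shell script (not part of the original page; it assumes the image is mounted under the given mount point and that the regripper command from the Debian package is on PATH). It combines the find step above with the regripper -g -a invocation and writes one report per hive:

```shell
#!/bin/sh
# Added example: locate every registry hive below a mounted Windows image
# and rip each one into its own report file.
# Assumptions: image mounted (read-only) under the mount point given as $1,
# regripper from the Debian package on PATH (override with $3 for testing).

# Hive file names from the table above. NTUSER.DAT lives in each user
# profile; SAM, SYSTEM, SOFTWARE and SECURITY live in Windows/System32/config.
HIVE_NAMES="NTUSER.DAT SAM SYSTEM SOFTWARE SECURITY"

# Print the path of every hive file below the mount point, one per line.
# Windows file systems are case-insensitive, so match names case-insensitively.
find_hives() {
  mount="$1"
  for name in $HIVE_NAMES; do
    find "$mount" -type f -iname "$name" 2>/dev/null
  done | sort
}

# Derive a report file name from the hive path relative to the mount point,
# e.g. /mnt/xvdc3/Users/admin/NTUSER.DAT -> Users_admin_NTUSER.DAT.txt
report_name() {
  hive="$1"; mount="$2"
  rel="${hive#"$mount"}"
  rel="${rel#/}"
  printf '%s.txt\n' "$(printf '%s' "$rel" | tr '/' '_')"
}

# Rip every hive: guess its type (-g) and run all hive-specific plugins (-a).
# Reports go to $outdir; regripper's diagnostics are kept in a .err file
# next to each report so failed plugins can be reviewed afterwards.
rip_all() {
  mount="$1"; outdir="$2"; rip="${3:-regripper}"
  mkdir -p "$outdir"
  find_hives "$mount" | while IFS= read -r hive; do
    out="$outdir/$(report_name "$hive" "$mount")"
    "$rip" -r "$hive" -g -a >"$out" 2>"$out.err"
  done
}
```

Usage: rip_all /mnt/xvdc3 /cases/host1/regripper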
