- Kroll Batch File - Development roadmap for the Kroll Batch File. Please feel free to contribute by adding ideas or by finishing tasks in the To Do column. Any help is appreciated!
Command Line Interface
```
RECmd version 184.108.40.206

Author: Eric Zimmerman (firstname.lastname@example.org)
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces (and all RegEx) with double quotes

        d               Directory to look for hives (recursively). -f or -d is required.
        f               Hive to search. -f or -d is required.

        q               Quiet mode. When true, hide processing details. Default is FALSE

        kn              Display details for key name. Includes subkeys and values
        vn              Value name. Only this value will be dumped

        bn              Use settings from supplied file to find keys/values. See included sample file for examples
        csv             Directory to save CSV formatted results to. Required when -bn is used.
        csvf            File name to save CSV formatted results to. When present, overrides default name

        saveTo          Saves --vn value data in binary form to file. Expects path to a FILE
        json            Export --kn to directory specified by --json. Ignored when --vn is specified
        jsonf           File name to save JSON formatted results to. When present, overrides default name
        details         Show more details when displaying results. Default is FALSE

        Base64          Find Base64 encoded values with size >= Base64 (specified in bytes)
        MinSize         Find values with data size >= MinSize (specified in bytes)

        sa              Search for <string> in keys, values, data, and slack.
        sk              Search for <string> in key names.
        sv              Search for <string> in value names
        sd              Search for <string> in value record's value data
        ss              Search for <string> in value record's value slack

        literal         If true, --sd and --ss search value will not be interpreted as ASCII or Unicode byte strings
        nd              If true, do not show data when using --sd or --ss. Default is FALSE
        regex           If present, treat <string> in --sk, --sv, --sd, and --ss as a regular expression. Default is FALSE

        dt              The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff
        nl              When true, ignore transaction log files for dirty hives. Default is FALSE
        recover         If true, recover deleted keys/values. Default is TRUE
        vss             Process all Volume Shadow Copies that exist on drive specified by -f or -d . Default is FALSE
        dedupe          Deduplicate -f or -d & VSCs based on SHA-1. First file found wins. Default is TRUE
        sync            If true, the latest batch files from https://github.com/EricZimmerman/RECmd/tree/master/BatchExamples are downloaded and local files updated. Default is FALSE

        debug           Show debug information during processing
        trace           Show trace information during processing

Example: RECmd.exe --f "C:\Temp\UsrClass 1.dat" --sk URL --recover false --nl
         RECmd.exe --f "D:\temp\UsrClass 1.dat" --StartDate "11/13/2014 15:35:01"
         RECmd.exe --f "D:\temp\UsrClass 1.dat" --RegEx --sv "(App|Display)Name"
```
Command line Registry access, including batch mode!
See the manual for more examples.
If you get an error message like "error loading plugin" when running RECmd after downloading the ZIP archive and extracting it using Windows' ZIP tool, use the following PowerShell command to unblock the DLLs:
PS> Unblock-File .\Plugins\*.dll
RECmd uses Batch Files to make your Registry output more actionable. Learn about Batch Files here!
As of September 2021, there is a README specifically for the Kroll_Batch file used by RECmd and KAPE. Find it here!
Command Line Interface
```
rla version 220.127.116.11

Author: Eric Zimmerman (email@example.com)
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces (and all RegEx) with double quotes

        d               Directory to look for hives (recursively). -f or -d is required.
        f               Hive to process. -f or -d is required.

        out             Directory to save updated hives to. Only dirty hives with logs applied will end up in --out directory

        ca              When true, always copy hives to --out directory, even if they aren't dirty. Default is TRUE
        cn              When true, compress names for profile based hives. Default is TRUE

        debug           Show debug information during processing
        trace           Show trace information during processing

Example: rla.exe --f "C:\Temp\UsrClass 1.dat" --out C:\temp
         rla.exe --d "D:\temp\" --out c:\temp
```
RLA is a single purpose tool to replay transaction logs in Registry hives. This is useful when parsing with tools that don't recognize and replay transaction logs on their own.
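The procedure the two help dumps above describe, tied together as one added PowerShell example (not part of the RECmd project or its manual): clear the "downloaded from the internet" mark on the plugin DLLs, run RECmd in batch mode against a folder of collected hives with CSV output, and produce log-replayed copies with rla for tools that cannot apply transaction logs themselves. The tool folder, case paths, output file name and the batch file name `Kroll_Batch.reb` are assumptions; every switch used appears in the help output above.

```powershell
# Added example, not from the RECmd project. All paths are assumptions; adjust them.
$Tools = 'C:\Tools\RECmd'            # assumed: contains RECmd.exe, rla.exe, Plugins\, BatchExamples\
$Hives = 'C:\Cases\case01\hives'     # assumed: collected hives with their .LOG1/.LOG2 files beside them
$Out   = 'C:\Cases\case01\out'       # where RECmd writes its CSV
$Clean = 'C:\Cases\case01\clean'     # where rla writes hives with transaction logs applied
$Batch = Join-Path $Tools 'BatchExamples\Kroll_Batch.reb'   # assumed file name of the Kroll batch file

# 1. A ZIP extracted with Windows' built-in tool leaves the plugin DLLs marked as
#    downloaded; RECmd then reports "error loading plugin". Remove the mark first.
Get-ChildItem (Join-Path $Tools 'Plugins\*.dll') | Unblock-File

New-Item -ItemType Directory -Force -Path $Out, $Clean | Out-Null

# 2. Batch mode over every hive under $Hives. RECmd replays transaction logs of dirty
#    hives on its own (--nl stays at its default of FALSE), recovers deleted keys/values
#    (--recover defaults to TRUE) and writes one CSV named by --csvf into --csv.
& (Join-Path $Tools 'RECmd.exe') --d $Hives --bn $Batch --csv $Out --csvf 'case01_registry.csv'
if ($LASTEXITCODE -ne 0) { Write-Warning "RECmd exited with code $LASTEXITCODE" }

# 3. For downstream tools that do not understand .LOG files: write copies of the hives
#    with the logs applied. --ca defaults to TRUE, so clean hives are copied as well and
#    $Clean ends up as a complete, consistent set.
& (Join-Path $Tools 'rla.exe') --d $Hives --out $Clean
if ($LASTEXITCODE -ne 0) { Write-Warning "rla exited with code $LASTEXITCODE" }

# 4. Sanity check on what was produced before handing the results on.
Get-Item (Join-Path $Out 'case01_registry.csv') | Select-Object Name, Length, LastWriteTime
Get-ChildItem $Clean | Select-Object Name, Length
```

Run RECmd against the original hives rather than the rla output: RECmd applies the logs itself, and keeping `--nl` at its default avoids silently reading stale data from a dirty hive. The rla copies are only for tools that lack that capability.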
Download Eric Zimmerman's Tools
All of Eric Zimmerman's tools can be downloaded here. Use the Get-ZimmermanTools PowerShell script to automate the download and updating of the EZ Tools suite. Additionally, you can automate each of these tools using KAPE!
Open Source Development funding and support provided by the following contributors: