RegXML Extractor

Converts Windows Registry hives to a descriptive XML format.

The collective software in this project takes a disk image and outputs a set of RegXML files, one per hive extracted from the image. These hives' RegXML forms are also converted to a SQLite database, which also confirms that the XML is readable from Python. Errors at any step in this process are verbosely logged.

Tested environments

This program has been tested in several Unix/Linux environments. The tested environments are basically:

  • CentOS
  • Fedora
  • OS X
  • Ubuntu

To see procedures and specific versions tested, see INSTALL's Testing section.

Building and installing



Running without arguments provides the available options. Usage is basically:

cd results_directory image_file


  • *.hive -- Hive files extracted from file system, named in discovery order.
  • manifest.txt -- A map of the hive names to the disk image and file system path where they were found.
  • linted.txt -- A convenience list of RegXML files that passed a basic xmllint check.
  • *.hive.regxml -- RegXML produced from the hive of matching number.
  • *.hive.checked.regxml -- RegXML, pretty-printed and validated by xmllint.
  • out.sqlite -- SQLite database representing all hives' contents that could be read by and Processing errors are captured in a table. (Run sqlite3 out.sqlite and .schema to see the tables available.)
  • *.err.log -- Standard error of the process generating the matching file name. Be on the lookout for non-0-byte error logs.
  • *.status.log -- Exit status of the associated process. '0' is success, anything else is an error.
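The error and status logs above are the first thing to check after a run. The following triage script is an added example, not part of RegXML Extractor: it walks a results directory using only the conventions listed here (a *.status.log whose content is '0' on success, a non-0-byte *.err.log as a warning sign, and linted.txt naming the RegXML files that passed xmllint). The stem names and the one-path-per-line layout of linted.txt are assumptions, and the sample directory it builds is constructed for the demo.

```python
# Added example (not the project's own code): triage a RegXML Extractor
# results directory. Assumes each *.status.log holds one exit status,
# each *.err.log holds that process's stderr, and linted.txt lists one
# RegXML file per line. Stem names used in the sample are invented.
import os
import tempfile
from pathlib import Path


def triage_results(results_dir):
    """Return failed stems, stems with non-empty stderr, and unlinted RegXML."""
    root = Path(results_dir)
    failed, noisy = [], []
    for status in sorted(root.glob("*.status.log")):
        stem = status.name[: -len(".status.log")]
        code = status.read_text().strip()  # exit status as text, '0' = success
        if code != "0":  # anything else (including an empty file) is an error
            failed.append((stem, code or "<empty>"))
    for err in sorted(root.glob("*.err.log")):
        if err.stat().st_size > 0:  # README: watch for non-0-byte error logs
            noisy.append(err.name[: -len(".err.log")])
    linted = set()
    linted_file = root / "linted.txt"
    if linted_file.exists():  # assumed layout: one RegXML path per line
        lines = linted_file.read_text().splitlines()
        linted = {os.path.basename(ln.strip()) for ln in lines if ln.strip()}
    unlinted = sorted(p.name for p in root.glob("*.hive.regxml")
                      if p.name not in linted)
    return {"failed": failed, "noisy": noisy, "unlinted": unlinted}


def build_sample_results():
    """Write a constructed (fake) results directory and return its path."""
    d = Path(tempfile.mkdtemp(prefix="regxml_demo_"))
    (d / "0.hive.status.log").write_text("0\n")      # clean run
    (d / "0.hive.err.log").write_text("")
    (d / "0.hive.regxml").write_text("<regxml/>")
    (d / "linted.txt").write_text("0.hive.regxml\n")
    (d / "1.hive.status.log").write_text("1\n")      # failed run
    (d / "1.hive.err.log").write_text("constructed: hive header unreadable\n")
    (d / "1.hive.regxml").write_text("")             # produced but not linted
    return d


def demo():
    """Triage the constructed directory; used by the __main__ block below."""
    return triage_results(build_sample_results())


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```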


Please report issues with Github's tracker.


RegXML is described in the following publication, in which these analysis tools were used:

Alex Nelson, "RegXML: XML conversion of the Windows Registry for forensic processing and distribution," in Advances in Digital Forensics VIII, ser. IFIP Advances in Information and Communication Technology, G. Peterson and S. Shenoi, Eds. Springer, 2012.

The M57-Patents scenario analyzed in the above paper can be found at Digital Corpora. If you wish to use RegXML Extractor to analyze this scenario as in the IFIP publication, see the etc/m57-sequences.txt file. Note that you will need to modify that file to supply full paths to where you have the M57 images stored.

This software was formerly housed at:
