RECmd: command line tool for Windows Registry analysis
During an incident response, a fast analysis may be required, often on systems that are not the workstation the analyst usually uses.
So I always suggest building a small, simple toolkit that can be copied onto a USB stick.
My own toolkit is mainly composed of command line tools with the fewest possible requirements, and today I want to share a small cheatsheet for Eric Zimmerman's RECmd tool [1].
The tool
RECmd [3] is a command-line tool for accessing, searching, recovering and exporting any data found in the Windows registry.
It is the command-line version of the GUI application Registry Explorer [2], with which it shares the same plugins.
However, the GUI version of the tool is larger than 60 MB, while the command line version is only 6 MB, which makes it very useful in a small, portable toolkit.
A brief cheatsheet
Search the registry
Scan NTUSER.dat for key names containing "Skype":
RECmd.exe -f .\NTUSER.dat --sk Skype
Search UsrClass.dat for value data containing "Skype":
RECmd.exe -f .\UsrClass.dat --sd Skype
Scan every hive in the registry_files directory for key names containing "Skype" and value names matching either "AppName" or "DisplayName" (--RegEx treats the search strings as regular expressions), keeping only keys with a last write time >= StartDate, without recovering deleted keys (--recover false) and without replaying the transaction logs onto the hives (--nl):
RECmd.exe -d "C:\Temp\registry_files" --sk "Skype" --StartDate "02/01/2020 10:00:00" --RegEx --sv "(App|Display)Name" --recover false --nl
The Batch Mode
A really useful feature of RECmd is Batch Mode: using the same plugins as Registry Explorer, it exports the data produced by the plugins into a normalized, standard CSV output.
When a plugin is used to process a key or key/value pair, the data generated by the plugin is also saved to a CSV for further analysis.
A batch file is composed of two sections, a Header and a Keys section.
The Header
- Description: A general description of what this batch file is going to find
- Author: Name of the person who wrote this batch file (can include more, such as contact information)
- Version: A version number that should be incremented as changes happen
- Id: A GUID (Globally Unique Identifier), unique across all other batch files, that identifies this batch file
The Keys section
Each key contains:
- Description: A user-friendly description of what this key will find. Can be anything from the key name to a friendlier description of what it means.
- HiveType: The type of hive this entry corresponds to. Valid choices are NTUSER, SAM, SECURITY, SOFTWARE, SYSTEM, USRCLASS, COMPONENTS, BCD, DRIVERS, AMCACHE, SYSCACHE.
- Category: A category label for this key (the example uses values such as Browser history, Execution and Devices)
- KeyPath: The path to the key to look for
- ValueName: OPTIONAL. When present, this value is looked for under KeyPath
- Recursive: Whether or not to process KeyPath recursively
- Comment: Like Description, you can add various things here that end up in the CSV
Example batch file:
Description: Sample RECmd batch file of a whole lot of stuff
Author: Eric Zimmerman
Version: 1
Id: ab13eb5f-31db-5cdc-83df-88ec12dc1a
Keys:
    -
        Description: Typed URLs
        HiveType: NTUSER
        Category: Browser history
        KeyPath: Software\Microsoft\Internet Explorer\TypedURLs
        Recursive: false
        Comment: A comment about Typed URLs
    -
        Description: WordWheelQuery
        HiveType: NTUSER
        Category: User searches
        KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
        Recursive: true
        Comment: Dear lawyer, this is what a bad guy searched for
    -
        Description: Network MRU
        HiveType: NTUSER
        Category: Network shares
        KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
        ValueName: MRUList
        Recursive: false
        Comment: An example limited to a key and value
    -
        Description: UserAssist
        HiveType: NTUSER
        Category: Execution
        KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
        Recursive: true
        Comment: No comment
    -
        Description: Some non-existent key
        HiveType: SYSTEM
        Category: Fake
        KeyPath: Software\Wizzo\john\doe
        Recursive: true
        Comment: this is only here to show you what will happen if a key isn't found!
    -
        Description: Some non-existent key 2
        HiveType: NTUSER
        Category: Fake
        KeyPath: Software\Wizzo\john\doe
        Recursive: true
        Comment: Another non-existent key to keep you on your toes
    -
        Description: MountedDevices
        HiveType: SYSTEM
        Category: Devices
        KeyPath: MountedDevices
        Recursive: false
        Comment: Drive info yo!
    -
        Description: MountedDevicesNope
        HiveType: SYSTEM
        Category: Devices
        KeyPath: MountedDevicesNope
        Recursive: false
        Comment: So close
    -
        Description: Select current
        HiveType: SYSTEM
        Category: Devices
        KeyPath: Select
        ValueName: Current
        Recursive: false
        Comment: What is the current control set?
    -
        Description: Setup
        HiveType: SYSTEM
        Category: Devices
        KeyPath: Setup
        Recursive: false
        Comment: The entire setup key + values
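Since a batch file is just this flat layout, a small script can check one before it goes onto the toolkit stick. This is an added example, not part of the post or of RECmd itself: it parses the layout shown above, flags a missing field, an Id that is not a GUID, an unknown HiveType or a bad Recursive value, and renders the file back out; the sample header and key entry are constructed for illustration.

```python
import uuid

# Hive types a Keys entry may name, as listed in the Keys section description.
VALID_HIVES = {"NTUSER", "SAM", "SECURITY", "SOFTWARE", "SYSTEM", "USRCLASS",
               "COMPONENTS", "BCD", "DRIVERS", "AMCACHE", "SYSCACHE"}
HEADER = ("Description", "Author", "Version", "Id")
REQUIRED = ("Description", "HiveType", "KeyPath", "Recursive")          # per Keys entry
FIELD_ORDER = ("Description", "HiveType", "Category", "KeyPath", "ValueName", "Recursive", "Comment")

# Constructed sample (not from a real case): one header and one key entry.
SAMPLE_HEADER = {"Description": "Toolkit batch", "Author": "analyst", "Version": "1",
                 "Id": "4f0a1e4c-9b7d-4c1e-8a2d-3c5e7f9a1b2d"}
SAMPLE_KEYS = [{"Description": "Select current", "HiveType": "SYSTEM", "KeyPath": "Select",
                "ValueName": "Current", "Recursive": "false"}]

def parse_batch(text):
    """Read the 'Field: value' layout into (header dict, list of key dicts)."""
    header, keys, in_keys = {}, [], False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "Keys:":
            in_keys = True
        elif line == "-":                      # a lone dash starts a new Keys entry
            keys.append({})
        else:
            field, _, value = line.partition(":")
            (keys[-1] if in_keys else header)[field.strip()] = value.strip()
    return header, keys

def validate_batch(header, keys):
    """Return a list of problems; an empty list means the file is well formed."""
    problems = [f"header missing {f}" for f in HEADER if f not in header]
    try:
        uuid.UUID(header.get("Id", ""))        # Id must be a real GUID
    except ValueError:
        problems.append("Id is not a GUID")
    for i, k in enumerate(keys):
        problems += [f"key {i} missing {f}" for f in REQUIRED if f not in k]
        if k.get("HiveType", "NTUSER").upper() not in VALID_HIVES:
            problems.append(f"key {i}: unknown HiveType {k['HiveType']}")
        if k.get("Recursive", "true").lower() not in ("true", "false"):
            problems.append(f"key {i}: Recursive must be true or false")
    return problems

def render_batch(header, keys):
    """Write both sections back out in the indented layout RECmd expects."""
    lines = [f"{f}: {header[f]}" for f in HEADER] + ["Keys:"]
    for k in keys:
        lines.append("    -")
        lines += [f"        {f}: {k[f]}" for f in FIELD_ORDER if f in k]
    return "\n".join(lines) + "\n"
```

Feeding a downloaded batch file through parse_batch and validate_batch catches a typo in a HiveType before RECmd silently skips the entry on the box under investigation.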