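# 3R - RegRipper Ripper.
#
# Walks the current directory tree, reads every RegRipper plugin (*.pl) it
# finds, extracts the hive and registry key paths each plugin parses, and
# writes two listings to 3r.html: one ordered by hive/key and one ordered by
# plugin file name. Progress and debug output go to STDERR.
#
# NOTE(review): this listing appears to have lost the HTML markup that the
# report strings originally carried (fields are concatenated with nothing
# between them and the headings are bare text). The strings below are kept
# exactly as shown; confirm against the upstream script before relying on the
# report layout.
use strict;
use warnings;

print STDERR ' 3R - RegRipper Ripper v0.6 (c) Hexacorn 2013-2020. All rights reserved. Visit us at http://www.hexacorn.com ';

# Manual descriptions for plugins whose key list cannot be extracted from the
# plugin source by the regexes in one(). Keyed by lower-cased file name; a '|'
# inside a value marks a line break in the report.
my %plugins = (
    'base.pl'          => ' Parse base info from hive ',
    'baseline.pl'      => ' Scans a hive file, checking sizes of binary value data ',
    'del.pl'           => ' Parse hive, print deleted keys/values ',
    'del_tln.pl'       => ' Parse hive, print deleted keys/values ',
    'cmd_shell.pl'     => ' Classes\file\shell\open\command|where EXTENSION is exe, cmd, bat, cs, hta, pif ',
    'cmd_shell_tln.pl' => ' Classes\file\shell\open\command|where EXTENSION is exe, cmd, bat, cs, hta, pif ',
    'fileless.pl'      => ' All keys (all hives) ',
    'null.pl'          => ' Check key/value names in a hive for leading null char ',
    'regtime.pl'       => ' (Entire Hive) ',
    'rlo.pl'           => ' Parse hive, check key/value names for RLO character ',
    'shares.pl'        => ' ControlSetXXX\Services\LanmanServer\Shares ',
    'slack.pl'         => ' Look for Slack space ',
    'slack_tln.pl'     => ' Parse hive, print slack space, retrieve keys/values ',
    'soft_run.pl'      => ' Microsoft\Windows\CurrentVersion\Run ',
    'ssh_host_keys.pl' => ' Software\SimonTatham\Putty\SshHostKeys Software\Martin Prikryl\WinSCP 2\SshHostKeys ',
    'tracing.pl'       => ' Microsoft\Tracing ',
    'sizes.pl'         => ' All keys (all hives) ',
    'trustrecords.pl'  => ' Software\Microsoft\Office\\|where VERSION depends on Office version|and OFFICE_APP is: Word, PowerPoint, Excel, Access ',
    'vmware_vsphere_client.pl' => ' Software\VMware\Virtual Infrastructure Client\Preferences\UI\ClientsXml Software\VMware\VMware Infrastructure Client\Preferences ',
    'winscp_sessions.pl' => ' Software\Martin Prikryl\WinSCP 2\Sessions ',
    # The listing shows a line break right after the leading space of this value.
    'winrar2.pl'       => " \n" . 'Software\WinRAR\ArcHistory Software\WinRAR\DialogEditHistory\ArcName Software\WinRAR\DialogEditHistory\ExtrPath ',
    'winvnc.pl'        => ' Software\ORL\WinVNC3 Software\ORL\WinVNC3\Default Software\ORL\WinVNC\Default Software\RealVNC\WinVNC4 Software\RealVNC\Default ',
    'xpedition.pl'     => ' WPA\MediaCenter WPA\TabletPC ',
);

# Timeline (_tln) variants share the description of their base plugin.
$plugins{'regtime_tln.pl'}      = $plugins{'regtime.pl'};
$plugins{'tracing_tln.pl'}      = $plugins{'tracing.pl'};
$plugins{'trustrecords_tln.pl'} = $plugins{'trustrecords.pl'};

# Report rows collected by one(); the hash keys only keep rows distinct, the
# values are the row text that gets sorted and printed.
my %byfile;
my %byhive;

# Three-argument open with a lexical handle, and the result is checked: an
# unwritable working directory previously went unnoticed until the end.
open(my $html, '>', '3r.html') or die "Can't create '3r.html': $!\n";
binmode $html;

print {$html} ' List of keys parsed by RegRipper Plugins /Generated by 3R - RegRipper Ripper v0.5/

RegRipper & keys parsed by plugins

This table is an attempt to list all registry keys parsed by all RegRipper plugins available at RegRipper v2.8 released on Oct 22th, 2014, last update Sep 2018 (retrieved on Nov 4th, 2018) and merged with changes introduced in RegRipper v3.0
available at RegRipper v3.0 released on May 27th, 2020 The list has been generated by a perl script which I called - for the fun of it - RegRipper Ripper a.k.a. 3R.
The name is similar to 3RPG and it\'s not a coincident either;
in fact, I was curious which keys are actually being already covered by the RegRipper plugins bundle.
With 400+ existing plugin it\'s easy to get lost, and perhaps even end up re-inventing the wheel by writing a plugin for a key that already has its plugin.

Most of the data below has been extracted automatically by 3R, and a few manual correction were added for items that 3R was unable to retrieve directly from the source code.
I can only wish that the author(s) of the plug-ins will be more consistent in the future while writing them; the syntax, variable names and the way these variables are initialized and used varies really a lot across all the plug-ins and makes it really tricky to parse it all w/o errors.
In any case, if you find any mistakes or omissions, please let me know and I will fix that.
Thanks.

There are two tables - one sorted by hive/key pair and second by plugin file name:

    By Hive / Key

    By Plugin file name



';

scan('.');

print {$html} '

By Hive / Key

';
emit_rows($html, \%byhive);
print {$html} '
HiveKeyScans
Wow6432Node
Plugin file

';

print {$html} '

By Plugin file name

';
emit_rows($html, \%byfile);
print {$html} '
Plugin FileHiveScans
Wow6432Node
Keys

';

# Buffered write errors only surface at close, so check it.
close($html) or die "Can't finish writing '3r.html': $!\n";

# Print every row of %$table to $out, ordered case-insensitively by row text.
#
# NOTE(review): the listing also computed an alternating ' class=x' attribute
# per row, but no row markup that would use it is present here, so the unused
# toggle is dropped.
sub emit_rows {
    my ($out, $table) = @_;
    for my $key (sort { lc($table->{$a}) cmp lc($table->{$b}) } keys %$table) {
        print {$out} $table->{$key}, "\n";
    }
    return;
}

# Escape the HTML metacharacters in $text and return the result. Key paths
# are lifted from the text of whatever plugin files are found under the
# scanned directory, so they are treated as untrusted when written to the
# report.
sub html_escape {
    my $text = shift;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    return $text;
}

# Recursively process directory $d: hand every regular file to one(), then
# descend into each subdirectory (names ending in a dot, i.e. '.' and '..',
# are skipped). Paths are built with a backslash separator.
sub scan {
    my $d = shift;
    print STDERR "DIR: $d\n";

    # Lexical handle: the bareword DIR handle was shared by every level of
    # the recursion. An unreadable directory is reported and skipped.
    opendir(my $dh, $d) or do {
        print STDERR "Can't read directory '$d': $!\n";
        return;
    };
    my @entries = readdir $dh;
    closedir $dh;

    for my $name (sort grep { -f $d.'\\'.$_ } @entries) {
        # one() returns a message only when it could not read the file.
        my $err = one($d.'\\'.$name, $name);
        print STDERR $err if defined $err;
    }
    for my $name (sort grep { $_ !~ /\.+$/ && -d $d.'\\'.$_ } @entries) {
        scan($d.'\\'.$name);
    }
    return;
}

# Extract hive and key paths from one plugin file and record report rows in
# %byfile and %byhive.
#
#   $fullpath - path used to open the file
#   $file     - bare file name, used for filtering and in the report
#
# Files not ending in .pl, and 3r.pl itself, are ignored. Returns an error
# string if the file cannot be opened, nothing otherwise. Dies when a plugin
# yields no key at all, so that gaps in the report are noticed.
sub one {
    my ($fullpath, $file) = @_;
    return if $file !~ /\.pl$/;
    return if lc($file) eq '3r.pl';
    print STDERR "$fullpath\n";

    # Three-argument open keeps the mode separate from the file name. The
    # earlier form, open F,'<'.$fullpath || return ..., also never reported a
    # failure because || bound to the (always true) string, not to open().
    open(my $fh, '<', $fullpath) or return "Can't access '$fullpath;'\n";
    binmode $fh;
    read($fh, my $data, -s $fh);
    close $fh;
    $data = '' unless defined $data;

    my $cnt = 0;

    # Hive name as declared in the plugin's config hash.
    my $hive = 'Unknown';
    $hive = $1 if ($data =~ /\(\s*hive\s*=>\s*[\"\'](.*?)[\"\']/si);
    $hive =~ s/\\./\./sg;
    $data =~ s/\\\\/\\/sg;    # collapse doubled backslashes in the source text
    $hive = lc($hive);

    # Wow6432Node coverage is only reported for plugins on a software hive.
    my $Wow6432Node = 'N/A';
    if ($hive =~ /software/) {
        pos $data = 0;
        if ($data =~ /Wow6432Node/si) {
            $Wow6432Node = 'Yes';
        }
        else {
            $Wow6432Node = 'No';
        }
    }

    # Join string literals that the plugin concatenates with '.'.
    $data =~ s/\"\s*\.\s*\"//sig;

    # A list assignment such as @paths = ("a", "b") is rewritten into one
    # $path="..." statement per element and appended to $data, so the generic
    # $...path matcher further down picks the elements up.
    if ($data =~ /\@([a-z]+_?)?(k|paths|attach|keys)\s*=\s*\(\s*([\"\'].+?[\"\'])(\s*,\s*)?\s*\)/sig) {
        my $paths = $3;
        my @paths2 = split(/,/, $paths);
        my $newpaths = '';
        foreach my $p (@paths2) {
            $p =~ s/\s*[\"\'](.+?)[\"\']\s*/$1/s;
            $p =~ s/[\r\n]+//s;
            next if $p =~ /^\s*$/sig;
            next if $p =~ /^\s*#/sig;
            print STDERR "p=\'$p\'\n";
            $newpaths .= "\$path=\"$p\";\n";
        }
        # Disabled in the listing; if it is ever re-enabled, $paths is file
        # text and must be quoted with \Q...\E before use as a pattern.
        #$data =~ s/$paths/$newpaths/sig;
        $data .= "\n" . $newpaths . "\n";
    }

    my $lcfile = lc($file);
    if (defined($plugins{$lcfile})) {
        # Manually described plugin: one report row per non-blank line.
        my @ak = split(/[\r\n]+/, $plugins{$lcfile});
        foreach my $k (@ak) {
            next if $k =~ /^\s*$/;
            # The listing has `s//>/sg` here: an empty pattern, which makes
            # Perl reuse the last successfully matched regex. Escaping HTML
            # metacharacters is presumably what was meant, since the value is
            # written to an HTML report - confirm against upstream.
            $k = html_escape($k);
            # '|' marks a line break; the replacement is kept as shown.
            $k =~ s/\|/\n\n/g;
            my $entry = "$file$hive$Wow6432Node$k\n";
            # Keyed by file and key like the other branches; keying by file
            # alone kept only the last line of a multi-line description.
            $byfile{$file.$k} = $entry;
            $entry = "$hive$k$Wow6432Node$file\n";
            $byhive{$hive.$k} = $entry;
        }
        $cnt++;
    }
    else {
        pos $data = 0;

        # Plugins that walk a subtree with enum_recursively name one root key.
        if ($data =~ /enum_recursively\s*\(\$root_key,\s*\"(.*?)\"/si) {
            my $root = html_escape($1);
            my $entry = "$file$hive$Wow6432Node$root\n";
            $byfile{$file.$root} = $entry;
            $entry = "$hive$root$Wow6432Node$file\n";
            $byhive{$hive.$root} = $entry;
            $cnt++;
            return;
        }

        # Generic case: every `$...path = "..."` style assignment. $5 is the
        # text before the opening quote (a variable prefix such as $ccs),
        # $6 the quoted key path.
        while ($data =~ /\$([a-z]+_?)?([a-z]+_?)?path(_main|_ie)?\s*=\s*(\()?\s*([^\r\n]*?)[\"\']([^\r\n]*?)[\"\']\s*(\))?\s*;.*?[\r\n]/sig) {
            my $c = $5;
            my $k = $6;
            print STDERR "p2=\'$c\'\n";

            # Expand well-known prefix variables into the path they stand for.
            $k = "ControlSetXXX\\$k" if $c =~ /\$ccs/i;
            $k = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\$k" if $c =~ /\$key_path_ie/i;
            $k = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\\\$k" if $c =~ /\$rkeypath/i;
            $k = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\$k" if $c =~ /\$base_path/i;
            $k = "Software\\Microsoft\\Windows Live Contacts\\$k" if $c =~ /\$kpath/i;

            # Normalise spelling and drop interpolated variable fragments.
            $k =~ s/SOFTWARE/Software/sg;
            $k =~ s/(ControlSet00|ControlSet)\"\.\$(ccs|chak|curr|current)\.\"/ControlSetXXX/sig;
            $k =~ s/ShellNoRoam\\Bags\\\"\.\$(nodeslot)\.\"/ShellNoRoam\\Bags\\/sig;
            $k =~ s/\"\.\$ver(sion)?\.\"//sig;
            $k =~ s/\\\\/\\/sg;
            $k =~ s/\"\.\"//sg;
            # Replaces the empty-pattern `s//>/sg` shown in the listing; see
            # the note in the branch above.
            $k = html_escape($k);

            # NOTE(review): $hive and $file also originate from the scanned
            # files and are inserted into the row as-is.
            my $entry = "$file$hive$Wow6432Node$k\n";
            $byfile{$file.$k} = $entry;
            $entry = "$hive$k$Wow6432Node$file\n";
            $byhive{$hive.$k} = $entry;
            $cnt++;
        }
    }

    die "$file doesn't have any key associated with it\n" if $cnt==0;
    return;
}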