Retrieves information such as accounts and groups, security policy, OS information, USB devices, and program usage history from a registry hive file.


hive-file [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameter

FILE_PATH
  Path to the registry hive file. Using a wildcard (*) in the file name, you can retrieve all files whose names match a specific string pattern (e.g. D:\data\registry\*). If the zippath option is given, specify the path of the registry hive file inside the ZIP file. There are five registry hive files:
| File | Purpose | Registry Path | Extraction Information |
|---|---|---|---|
| SAM | Account and access records | HKEY_LOCAL_MACHINE\SAM | Account and group |
| SECURITY | Security policy and privilege | HKEY_LOCAL_MACHINE\Security | Security policy |
| SOFTWARE | Installation program | HKEY_LOCAL_MACHINE\Software | OS version, OS installation date, OS installation directory and owner account |
| SYSTEM | System settings | HKEY_LOCAL_MACHINE\System | Host name, time zone, system shutdown time, USB device and the like |
| NTUSER.DAT | User settings | HKEY_USERS\.DEFAULT | List of files you opened |
Optional Parameter

zipcharset=CHARSET
  Character set used to decode ZIP entry names and comments that are not UTF-8 encoded. Use the preferred MIME name or an alias registered in the following document:

zippath=ZIPFILE_PATH
  Path to the ZIP file that contains the registry hive file.


The output fields are as follows:

| Field | Type | Description |
|---|---|---|
| name | String | Registry name |
| value | Object | Registry data |
| last_written | Date | Last written time |


  1. Retrieve information by providing the file path.

    hive-file D:\data\registry\SYSTEM
  2. Retrieve information when the zippath option is provided.

    hive-file zippath=D:\data\ registry\SYSTEM
  3. Check the Windows OS information.

    hive-file D:\data\registry\SOFTWARE
    | search key=="ROOT\\Microsoft\\Windows NT\\CurrentVersion"
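When hive-file is pointed at a whole directory with a wildcard, it is worth confirming first which files are actually registry hives and whether they were copied cleanly. The script below is an added example, not part of the hive-file command or its documentation: it parses the 512-byte base block that every Windows hive starts with, checks the "regf" signature and the header checksum, flags hives whose sequence numbers show a write was in flight (such a hive needs its transaction logs), and converts the header's FILETIME timestamp to UTC in the same way a last_written value is derived. The sample header is constructed inline rather than captured from a real host, and all function and field names are this example's own assumptions.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

# Layout of the 512-byte base block at the start of every Windows registry hive
# ("regf" format). These offsets are fixed by the file format itself.
REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 512
NAME_OFFSET, NAME_SIZE = 0x30, 64
CHECKSUM_OFFSET = 0x1FC


def filetime_to_datetime(filetime):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=filetime // 10)


def regf_checksum(base_block):
    """XOR of the 127 little-endian DWORDs that precede the checksum field."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        xor ^= dword
    # The format reserves 0 and 0xFFFFFFFF; they are stored as 1 and 0xFFFFFFFE.
    if xor == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if xor == 0:
        return 1
    return xor


def parse_base_block(data):
    """Return header facts for a hive, or raise ValueError if data is not one."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("shorter than a hive base block")
    block = data[:BASE_BLOCK_SIZE]
    if block[:4] != REGF_SIGNATURE:
        raise ValueError("missing 'regf' signature")
    # seq1, seq2, timestamp, major, minor, file type, format, root cell, hbins size
    seq1, seq2, ts, major, minor, _ftype, _fmt, root, hbins = struct.unpack_from(
        "<IIQIIIIII", block, 4)
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    raw_name = block[NAME_OFFSET:NAME_OFFSET + NAME_SIZE]
    name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "file_name": name,
        "last_written": filetime_to_datetime(ts),
        "version": f"{major}.{minor}",
        "root_cell_offset": root,
        "hbins_size": hbins,
        # Unequal sequence numbers mean a write was in flight when the hive was copied.
        "dirty": seq1 != seq2,
        "checksum_ok": stored == regf_checksum(block),
    }


def is_hive(data):
    """True only for data that starts with a structurally valid hive base block."""
    try:
        return parse_base_block(data)["checksum_ok"]
    except ValueError:
        return False


def build_sample_base_block(name, filetime, dirty=False):
    """Construct a synthetic base block for the demo (not captured from a real host)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_SIGNATURE
    seq1 = 7
    seq2 = seq1 + 1 if dirty else seq1
    # version 1.5, file type 0 (primary), format 1, root cell at 0x20, 4 KiB of hbins
    struct.pack_into("<IIQIIIIII", block, 4, seq1, seq2, filetime, 1, 5, 0, 1, 0x20, 0x1000)
    encoded = name.encode("utf-16-le")[:NAME_SIZE]
    block[NAME_OFFSET:NAME_OFFSET + NAME_SIZE] = encoded.ljust(NAME_SIZE, b"\x00")
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(block))
    return bytes(block)


def main(paths):
    """Report on each file given on the command line, skipping non-hives."""
    for path in paths:
        with open(path, "rb") as fh:
            head = fh.read(BASE_BLOCK_SIZE)
        try:
            info = parse_base_block(head)
        except ValueError as err:
            print(f"{path}: skipped ({err})")
            continue
        flags = (" dirty" if info["dirty"] else "") + \
                ("" if info["checksum_ok"] else " CHECKSUM MISMATCH")
        print(f"{path}: {info['file_name']} v{info['version']} "
              f"last written {info['last_written']:%Y-%m-%d %H:%M:%S} UTC{flags}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python check_hives.py D:\data\registry\*` (or with a list of files) before the hive-file query; a "dirty" hive or a checksum mismatch means the copy should be re-acquired together with its .LOG1/.LOG2 transaction logs rather than trusted as-is.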