hive-file

Retrieves information such as accounts and groups, security policy, OS information, USB devices, and program usage history from a Windows registry hive file.

Syntax

hive-file [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameter
FILE_PATH
Path to the registry hive file. A wildcard (*) in the file name matches every file whose name contains the given pattern (e.g. D:\data\registry\* retrieves all files in that directory). If the zippath option is given, FILE_PATH is the path of the hive file inside the ZIP archive, not a path on disk. The five hive files of interest are:

File        Purpose                       Registry path                    Extracted information
SAM         Accounts and access records   HKEY_LOCAL_MACHINE\SAM           Accounts and groups
SECURITY    Security policy and privileges HKEY_LOCAL_MACHINE\Security     Security policy
SOFTWARE    Installed programs            HKEY_LOCAL_MACHINE\Software      OS version, OS installation date, OS installation directory, owner account
SYSTEM      System settings               HKEY_LOCAL_MACHINE\System        Host name, time zone, last shutdown time, USB devices, and the like
NTUSER.DAT  Per-user settings             HKEY_USERS\<user SID> (HKEY_CURRENT_USER for the logged-on user)  Recently opened files
Optional Parameters
zipcharset=CHARSET
Character set used to decode ZIP entry names and comments that are not UTF-8 encoded. Use a preferred MIME name or an alias registered in http://www.iana.org/assignments/character-sets/character-sets.xhtml
zippath=ZIPFILE_PATH
Path to the ZIP file that contains the hive file. When this option is given, FILE_PATH refers to an entry inside this archive.

Description

The output fields are as follows:

Field         Type     Description
key           String   Subkey path (e.g. ROOT\Microsoft\Windows NT\CurrentVersion)
type          String   Registry value type
name          String   Registry value name
value         Object   Registry value data
last_written  Date     Last written time of the key

Usage

  1. Retrieve information by providing the file path.

    hive-file D:\data\registry\SYSTEM
    
  2. Retrieve information when the zippath option is provided.

    hive-file zippath=D:\data\registry.zip registry\SYSTEM
    
  3. Check the Windows OS information.

    hive-file D:\data\registry\SOFTWARE
    | search key=="ROOT\\Microsoft\\Windows NT\\CurrentVersion"
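The following two queries are an added example in the same style as the usage examples above; they are not part of the original page or the Logpresso documentation. They recover USB storage device history from the SYSTEM hive. They assume that hive-file renders key paths with the same ROOT\ prefix as usage example 3, and D:\data\registry\SYSTEM is a hypothetical path. The Select\Current value and the Enum\USBSTOR device keys with their FriendlyName values are standard Windows registry locations.

```logpresso
hive-file D:\data\registry\SYSTEM
| search key=="ROOT\\Select" and name=="Current"
| fields name, value

hive-file D:\data\registry\SYSTEM
| search key=="ROOT\\ControlSet001\\Enum\\USBSTOR\\*" and name=="FriendlyName"
| fields key, value, last_written
| sort last_written
```

The first query reports which control set the system actually booted from (a value of 1 means ControlSet001); if it returns a different number, substitute that control set in the second query. In the second query each matching key is one device instance, with vendor, product and serial number encoded in the key path below USBSTOR, and value holds the device's friendly name. The last_written time of the device key is commonly used as an approximation of when the device was last connected, but treat it as approximate: the key is rewritten for reasons other than a new connection.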