hive-file

Retrieves account and group information, the security policy, OS information, USB device history, and program usage history from a Windows registry hive file.

Syntax

hive-file [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameters
FILE_PATH
Path to the registry hive file. If the zippath option is given, FILE_PATH is the path of the hive inside the ZIP file. The five registry hive files and what can be extracted from each:

File         Purpose                          Registry path                 Extraction information
SAM          Accounts and access records      HKEY_LOCAL_MACHINE\SAM        Accounts and groups
SECURITY     Security policy and privileges   HKEY_LOCAL_MACHINE\Security   Security policy
SOFTWARE     Installed programs               HKEY_LOCAL_MACHINE\Software   OS version, OS installation date, OS installation directory, owner account
SYSTEM       System settings                  HKEY_LOCAL_MACHINE\System     Host name, time zone, last shutdown time, USB devices, and the like
NTUSER.DAT   Per-user settings                HKEY_USERS\<SID>              The list of files the user opened

NTUSER.DAT is a per-user file stored in each user's profile directory; when that user is logged on, Windows mounts it under HKEY_USERS\<SID>, so there is one NTUSER.DAT per user account to collect, not one per machine.
Optional Parameters
zippath=ZIPFILE_PATH
Path to the ZIP file.

Description

After running the hive-file command, the output fields are as follows:

Field          Type     Description
key            String   Subkey path relative to the hive root, prefixed with ROOT (for example ROOT\Microsoft\Windows NT\CurrentVersion)
type           String   Registry value type
name           String   Registry value name
value          Object   Registry data
last_written   Date     Last written time of the subkey

Usage

  1. Retrieve information by providing the file path.

    hive-file /opt/logpresso/testdata/registry/SYSTEM
    
  2. Retrieve information when the zippath option is provided.

    hive-file zippath=/opt/logpresso/testdata/registry.zip registry/SYSTEM
    
  3. Check the Windows OS information (OS version, installation date, installation directory and owner account) from the SOFTWARE hive. The key is matched as the hive-relative path with the ROOT prefix, and each backslash is escaped in the query string.

    hive-file /opt/logpresso/testdata/registry/SOFTWARE
    | search key=="ROOT\\Microsoft\\Windows NT\\CurrentVersion"
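Several of the values hive-file returns are not directly readable: the SYSTEM hive stores the last shutdown time as an 8-byte FILETIME under whichever ControlSetNNN the Select\Current value marks as live, the SOFTWARE hive stores InstallDate as a Unix timestamp, and USB device history is encoded in the USBSTOR key names rather than in a value. The script below is an added example and not Logpresso's own code: it post-processes rows shaped like the output fields above (key, type, name, value, last_written) after they have been exported from a query. Every row in it is constructed by hand to illustrate the decoding, and the SYSTEM_ROWS / SOFTWARE_ROWS names, the helper functions and the sample host are assumptions of this example, not anything the hive-file command defines.

```python
"""Decode forensic artifacts from hive-file style rows (added example, not Logpresso code).

Assumes rows with the fields key, type, name, value, last_written, where
key is the hive-relative path starting with ROOT.  All rows below are
constructed for illustration, not captured from a real machine.
"""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)

# Constructed sample: 2024-03-01 18:30:00 UTC expressed as a FILETIME, stored
# little-endian as hive-file would hand back the REG_BINARY bytes.
SHUTDOWN_FILETIME = (133537914000000000).to_bytes(8, "little")

SYSTEM_ROWS = [  # constructed rows in the shape of hive-file output for a SYSTEM hive
    {"key": "ROOT\\Select", "type": "REG_DWORD", "name": "Current", "value": 1,
     "last_written": "2024-03-01 18:30:01"},
    {"key": "ROOT\\ControlSet001\\Control\\Windows", "type": "REG_BINARY", "name": "ShutdownTime",
     "value": SHUTDOWN_FILETIME, "last_written": "2024-03-01 18:30:01"},
    {"key": "ROOT\\ControlSet001\\Control\\ComputerName\\ComputerName", "type": "REG_SZ",
     "name": "ComputerName", "value": "WS-FIN-07", "last_written": "2023-11-14 22:20:00"},
    # One USBSTOR instance key yields one row per value; both rows describe the same device.
    {"key": "ROOT\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\\0019E06B1234&0",
     "type": "REG_SZ", "name": "FriendlyName", "value": "Kingston DataTraveler USB Device",
     "last_written": "2024-02-27 09:12:44"},
    {"key": "ROOT\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\\0019E06B1234&0",
     "type": "REG_SZ", "name": "DeviceDesc", "value": "@disk.inf,%disk_devdesc%;Disk drive",
     "last_written": "2024-02-27 09:12:44"},
    # A device that reported no serial number: Windows generates an ID whose second character is '&'.
    {"key": "ROOT\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\6&1a2b3c4d&0&000000",
     "type": "REG_SZ", "name": "FriendlyName", "value": "Generic Flash Disk USB Device",
     "last_written": "2024-01-19 16:03:10"},
]

SOFTWARE_ROWS = [  # constructed rows for the SOFTWARE hive's CurrentVersion key
    {"key": "ROOT\\Microsoft\\Windows NT\\CurrentVersion", "type": "REG_DWORD", "name": "InstallDate",
     "value": 1700000000, "last_written": "2023-11-14 22:15:00"},
    {"key": "ROOT\\Microsoft\\Windows NT\\CurrentVersion", "type": "REG_SZ", "name": "ProductName",
     "value": "Windows 10 Pro", "last_written": "2023-11-14 22:15:00"},
]


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (REG_BINARY) to a UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes, got %d" % len(raw))
    ticks = int.from_bytes(raw, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def unix_to_datetime(seconds: int) -> datetime:
    """Decode a REG_DWORD Unix timestamp such as SOFTWARE's InstallDate to UTC."""
    return datetime.fromtimestamp(seconds, tz=UTC)


def find_value(rows, key: str, name: str):
    """Return the value of the first row whose key and name match (registry paths are case-insensitive)."""
    for r in rows:
        if r["key"].lower() == key.lower() and r["name"].lower() == name.lower():
            return r["value"]
    return None


def current_control_set(rows) -> str:
    """Select\\Current names the ControlSetNNN that was live at last boot; read that one, not ControlSet001 blindly."""
    current = find_value(rows, "ROOT\\Select", "Current")
    if current is None:
        raise KeyError("ROOT\\Select\\Current not found; is this a SYSTEM hive?")
    return "ControlSet%03d" % current


def shutdown_time(rows) -> datetime:
    """Last clean shutdown time, a FILETIME under <current control set>\\Control\\Windows."""
    cs = current_control_set(rows)
    raw = find_value(rows, "ROOT\\%s\\Control\\Windows" % cs, "ShutdownTime")
    if raw is None:
        raise KeyError("ShutdownTime not found under %s" % cs)
    return filetime_to_datetime(raw)


def host_name(rows) -> str:
    cs = current_control_set(rows)
    return find_value(rows, "ROOT\\%s\\Control\\ComputerName\\ComputerName" % cs, "ComputerName")


USBSTOR_RE = re.compile(r"^ROOT\\ControlSet\d{3}\\Enum\\USBSTOR\\([^\\]+)\\([^\\]+)$", re.IGNORECASE)


def usb_devices(rows):
    """Collapse USBSTOR value rows into one record per device instance.

    The device-class key is Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>; the instance
    key is the device serial followed by &<n>.  When the second character of the
    instance is '&' the device reported no serial and the ID is Windows-generated,
    so it cannot be used to match the same stick across machines.
    """
    seen = {}
    for r in rows:
        m = USBSTOR_RE.match(r["key"])
        if not m:
            continue
        device, instance = m.group(1), m.group(2)
        fields = device.split("&")
        attrs = dict(p.split("_", 1) for p in fields[1:] if "_" in p)
        generated = len(instance) > 1 and instance[1] == "&"
        rec = seen.setdefault(r["key"], {
            "device_type": fields[0],
            "vendor": attrs.get("Ven"),
            "product": attrs.get("Prod"),
            "revision": attrs.get("Rev"),
            "serial": None if generated else instance.rsplit("&", 1)[0],
            "instance_id": instance,
            "last_written": r["last_written"],
        })
        rec["last_written"] = max(rec["last_written"], r["last_written"])
        if r["name"].lower() == "friendlyname":
            rec["friendly_name"] = r["value"]
    return sorted(seen.values(), key=lambda d: d["last_written"])


if __name__ == "__main__":
    print("host:", host_name(SYSTEM_ROWS), "control set:", current_control_set(SYSTEM_ROWS))
    print("last shutdown:", shutdown_time(SYSTEM_ROWS).isoformat())
    print("installed:", unix_to_datetime(find_value(SOFTWARE_ROWS, "ROOT\\Microsoft\\Windows NT\\CurrentVersion", "InstallDate")).isoformat())
    for d in usb_devices(SYSTEM_ROWS):
        print("usb:", d)
```

The control-set resolution matters in practice: a hive carries ControlSet001 and usually ControlSet002, and only the one named by Select\Current reflects the last boot, so USBSTOR and ShutdownTime should be read from that set. The last_written field on a USBSTOR instance key records when the key was last updated, which is evidence of the device being connected around that time, not a full connection history; pair it with setupapi logs or event logs before asserting first or last use.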