reg-item-id-list
Parses ITEMIDLIST binary fields contained in registry data to extract file system path information. Use it to recover folder paths accessed through registry artifacts such as ShellBags.
Command properties
| Item | Description |
|---|---|
| Command type | Processing query |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Supported |
| Distributed execution | Runs on Control Node (reducer) |
Syntax
reg-item-id-list field=FIELD_NAME
Options
field=FIELD_NAME - Name of the field containing the ITEMIDLIST binary data. This option is required.
Output fields
All fields from the input record plus the ITEMIDLIST parsing result fields are output. The result fields vary depending on the type of ITEMIDLIST entry and include file or folder path information.
If the value of the specified field is not of binary type (for example, a string or a number), the record is output unchanged and no result fields are added.
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| - | field option is missing | The field option is not specified |
Runtime errors
N/A
Description
The reg-item-id-list command parses ITEMIDLIST binary data from the specified field in input records and extracts file system path components. ITEMIDLIST is a data structure used by the Windows shell to represent file and folder paths.
When used with the reg-shellbags command, you can recover folder paths accessed through registry ShellBag entries.
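The following Python parser is an added illustration of the structure the command walks; it is not Logpresso code and does not reproduce the command's exact output field names. It splits an ITEMIDLIST into its SHITEMID entries (2-byte little-endian size followed by item data, terminated by a zero size) and decodes the common ShellBag item kinds (root CLSID, drive volume, file-system folder/file with an 8.3 name and FAT timestamp); the byte layouts for those kinds are assumptions based on the commonly documented ShellBag format, and the sample ITEMIDLIST is constructed inline, not captured from a real hive.

```python
import struct
import uuid


def split_item_id_list(data: bytes) -> list:
    """Split an ITEMIDLIST into its SHITEMID payloads.

    Each SHITEMID is a 2-byte little-endian size (cb, counting the size
    field itself) followed by cb-2 bytes of item data; cb == 0 ends the list.
    A size that runs past the buffer is reported rather than silently read.
    """
    items = []
    pos = 0
    while pos + 2 <= len(data):
        (cb,) = struct.unpack_from("<H", data, pos)
        if cb == 0:  # list terminator
            break
        if cb < 2 or pos + cb > len(data):
            raise ValueError(f"malformed or truncated item at offset {pos}")
        items.append(data[pos + 2:pos + cb])
        pos += cb
    return items


def dos_datetime_to_iso(dos_date: int, dos_time: int) -> str:
    """Decode a FAT/DOS packed date and time pair (local time, 2 s resolution)."""
    year = 1980 + (dos_date >> 9)
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = dos_time >> 11
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def describe_item(item: bytes) -> dict:
    """Classify one SHITEMID payload by its leading type byte (assumed layouts)."""
    if not item:
        return {"type": "empty"}
    kind = item[0]
    if kind == 0x1F and len(item) >= 18:
        # Root folder item: sort-index byte, then a 16-byte CLSID (little-endian GUID).
        return {"type": "root", "name": "{%s}" % uuid.UUID(bytes_le=item[2:18])}
    if (kind & 0xF0) == 0x20 and len(item) >= 2:
        # Volume item (e.g. 0x2F): null-terminated drive string such as "C:\".
        name = item[1:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return {"type": "volume", "name": name.rstrip("\\")}
    if (kind & 0xF0) == 0x30 and len(item) >= 13:
        # File-system item (0x31 folder, 0x32 file): pad byte, file size,
        # FAT date and time of last modification, attributes, then the 8.3 name.
        size, dos_date, dos_time, attrs = struct.unpack_from("<IHHH", item, 2)
        short = item[12:].split(b"\x00", 1)[0].decode("cp437", "replace")
        return {
            "type": "folder" if kind & 0x01 else "file",
            "name": short,
            "size": size,
            "modified": dos_datetime_to_iso(dos_date, dos_time),
            "attributes": attrs,
        }
    return {"type": f"unknown_0x{kind:02x}", "raw": item.hex()}


def recover_path(data: bytes) -> dict:
    """Parse an ITEMIDLIST and join the recovered components into a path."""
    parts = [describe_item(i) for i in split_item_id_list(data)]
    names = [p["name"] for p in parts if "name" in p]
    return {"items": parts, "path": "\\".join(names)}


def _item(payload: bytes) -> bytes:
    """Prefix a payload with its SHITEMID size field (helper for the sample)."""
    return struct.pack("<H", 2 + len(payload)) + payload


# Constructed sample: a "C:\" volume item followed by a "WINDOWS" folder item
# (0 bytes, modified 2023-06-15 13:45:30, FILE_ATTRIBUTE_DIRECTORY), then the terminator.
SAMPLE_ITEM_ID_LIST = (
    _item(b"\x2f" + b"C:\\\x00")
    + _item(b"\x31\x00" + struct.pack("<IHHH", 0, 0x56CF, 0x6DAF, 0x0010) + b"WINDOWS\x00")
    + b"\x00\x00"
)

if __name__ == "__main__":
    print(recover_path(SAMPLE_ITEM_ID_LIST))
```

Real ShellBag entries usually carry an extension block (long name, NTFS reference, additional timestamps) after the 8.3 name; the parser above ignores it and reports only the short name, which is why a tool that decodes the full format can show richer path information for the same bytes.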
Examples
Recovering folder paths from ShellBag registry data
reg-shellbags /opt/logpresso/evidence/USRCLASS.DAT | reg-item-id-list field=item_id_list
Parses the ITEMIDLIST from ShellBag registry data to recover accessed folder path information.