- examples/inputs/registry-samples/registry_artifacts.txt
- examples/inputs/registry-samples/sample_ntuser.dat
# Windows Registry Parsing Example
# This demonstrates parsing real Windows Registry hive files.
# The sample_ntuser.dat file contains a minimal valid registry hive structure
# (8192 bytes with near-zero entropy in the sample output below), so only the
# "regf" header pattern is expected to fire on it; the text-based patterns are
# exercised by registry_artifacts.txt.
# Use --parse-registry CLI flag to parse the registry files
#
# Escaping reminder: pattern values are TOML basic strings, so a backslash the
# regex engine should see has to be written as "\\". A single "\" before a
# letter is a TOML escape (or a TOML syntax error), not a regex escape, and a
# mis-escaped path pattern fails silently by never matching.
# presumably an empty list means no decoding passes are applied — TODO confirm against the CLI
decode = []
# NOTE(review): the tag column of the file listing in the sample output below is empty — confirm how this key is applied
tag = "registry"
# UserAssist patterns (ROT13 encoded program names)
# HRZR_EHACNGU and HRZR_EHAPCY are the ROT13 forms of UEME_RUNPATH and
# UEME_RUNCPL. No case-insensitive flag is set, so only the upper-case encoded
# prefixes match; the alternation is unanchored, so any value name carrying
# either prefix is reported.
[[patterns]]
name = "UserAssist Entry"
pattern = "HRZR_EHACNGU|HRZR_EHAPCY"
type = "regex"
# ShimCache patterns
# Literal (non-regex) match on the AppCompatCache value name, case-insensitive.
[[patterns]]
name = "AppCompatCache"
pattern = "AppCompatCache"
type = "string"
case-insensitive = true
# Amcache patterns
# TOML "\\." reaches the regex engine as "\." (a literal dot), so this matches
# the file name Amcache.hve rather than any character between "Amcache" and "hve".
[[patterns]]
name = "Amcache Reference"
pattern = "Amcache\\.hve"
type = "regex"
case-insensitive = true
# Run key patterns
# Each "\\\\" in the TOML string becomes "\\" in the regex, i.e. one literal
# backslash between path components (see the decoded match in the sample output
# below). The expression is unanchored, so key paths that extend
# "...\CurrentVersion\Run" (e.g. RunOnce) match as well.
[[patterns]]
name = "Run Key Path"
pattern = "Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"
type = "regex"
case-insensitive = true
# USB device patterns
# Literal match on the USBSTOR key name, case-insensitive.
[[patterns]]
name = "USB Device"
pattern = "USBSTOR"
type = "string"
case-insensitive = true
# Recent documents
# Literal match on the RecentDocs key name, case-insensitive.
[[patterns]]
name = "RecentDocs"
pattern = "RecentDocs"
type = "string"
case-insensitive = true
# Network patterns
# "\\\\" again yields a single literal backslash between NetworkList and Profiles.
[[patterns]]
name = "Network Profile"
pattern = "NetworkList\\\\Profiles"
type = "regex"
case-insensitive = true
# Registry hive file header pattern (hex for "regf")
# Byte pattern as colon-separated hex: 72 65 67 66 == "regf". The sample output
# below reports it at location 0, where a hive signature belongs; a hit at a
# non-zero offset would point at an embedded hive and deserves a closer look.
# Byte patterns are exact, so no case-insensitive key applies here.
[[patterns]]
name = "Registry Hive Header"
pattern = "72:65:67:66"
type = "bytes"
| total_files | 2 |
| critical_count | 0 |
| high_count | 0 |
| medium_count | 0 |
| low_count | 0 |
| minimal_count | 2 |
| must_investigate_count | 0 |
| all_scores | None |
| generated_at | 2025-12-03T09:19:44.251883485+00:00 |
| characteristics_score | file_type | file_type_score | must_investigate | path | pattern_count_score | pattern_matches | pattern_severity_score | reasons | risk_level | score | sha256 |
| 0 | Other | 0 | False | /registry_artifacts.txt | 15 | 14 | 13 | ["14 suspicious patterns detected"] | Minimal | 28 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 |
| 0 | Other | 0 | False | /sample_ntuser.dat | 5 | 1 | 0 | ["1 suspicious patterns detected"] | Minimal | 5 | beef928f42b43b77e3a10776b41f851f6c75ba33f24f26301b821ec32d5518b6 |
Empty CSV
| path | file_name | sha256 | file_created | file_modified | file_accessed | mime_types_from_file_extension | is_symbolic_link | is_extracted_file | is_decoded_file | is_deobfuscated_file | tag |
| /registry_artifacts.txt | registry_artifacts.txt | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | 2025-12-03T08:56:20.496889204Z | 2025-12-03T08:56:20.496889204Z | 2025-12-03T09:19:26.815975983Z | ["text/plain"] | 0 | 0 | 0 | 0 | |
| /sample_ntuser.dat | sample_ntuser.dat | beef928f42b43b77e3a10776b41f851f6c75ba33f24f26301b821ec32d5518b6 | 2025-12-03T09:15:49.863476387Z | 2025-12-03T09:15:49.863476387Z | 2025-12-03T09:19:26.815975983Z | [] | 0 | 0 | 0 | 0 | |
| id | sha256 | pattern_name | match_type | match | location | length |
| 1 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | UserAssist Entry | regex | HRZR_EHACNGU | 7:0 | 12 |
| 2 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | UserAssist Entry | regex | HRZR_EHAPCY | 8:0 | 11 |
| 3 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | Amcache Reference | regex | Amcache.hve | 16:3 | 11 |
| 4 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | Amcache Reference | regex | Amcache.hve | 17:0 | 11 |
| 5 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | Run Key Path | regex | Software\Microsoft\Windows\CurrentVersion\Run | 23:0 | 45 |
| 6 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | Network Profile | regex | NetworkList\Profiles | 36:0 | 20 |
| 7 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | Network Profile | regex | NetworkList\Profiles | 40:0 | 20 |
| 8 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | AppCompatCache | string | AppCompatCache | 10:4 | 14 |
| 9 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | AppCompatCache | string | AppCompatCache | 10:1 | 14 |
| 10 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | USB Device | string | USBSTOR | 27:17 | 7 |
| 11 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | USB Device | string | USBSTOR | 27:1 | 7 |
| 12 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | USB Device | string | USBSTOR | 28:1 | 7 |
| 13 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | RecentDocs | string | RecentDocs | 31:1 | 10 |
| 14 | 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | RecentDocs | string | RecentDocs | 32:1 | 10 |
| 15 | beef928f42b43b77e3a10776b41f851f6c75ba33f24f26301b821ec32d5518b6 | Registry Hive Header | bytes | regf | 0 | 4 |
Empty CSV
| sha256 | sha1 | md5 | file_size | mime_type_for_content | shannon_entropy |
| 6c1f8ebce94bb3481d4fefbd370f2975e624b569517564ecce263e9b99a0e4a7 | 237a6e90eb77c928471c0a5c0ed17a836f9f29a4 | 5782cd7932ef98a7ded3305e225a8489 | 1213 | text/plain | 5.35654031225439 |
| beef928f42b43b77e3a10776b41f851f6c75ba33f24f26301b821ec32d5518b6 | 4ce9e8cc03f306ca84ed1f345f029abbc565b295 | f8c4f0fa9b0806d35477c98da92f6f11 | 8192 | application/octet-stream | 0.0283069713953081 |