Open hammjd opened 6 years ago
mbevilacqua
commented
6 years ago Can you share a sample of what that looks like or the PS command used to export so I can generate a few of those? Should be simple enough to add a new ingestion plugin here.
hammjd
commented
6 years ago Sure. It's really just a dump/export of the key from the registry. Here's an example from my forensic VM... To get this to you quickly, I just used regedit to export the key. (Change the extension to .reg from .txt). You can also use on your local system the command:
reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" appcompat.reg
nbareil
commented
6 years ago For the record, this issue depends on #4, since this feature has been implemented in https://github.com/mandiant/ShimCacheParser/pull/15
Feature Request: Import raw .REG key values... They're easy to collect with PowerShell and faster than trying to get the entire SYSTEM hives.