Closed jt0dd closed 2 years ago
Hello.
You are trying to use the library against a text file containing exported registry data. This is not supported.
And such text files do not contain deleted data, as well as some important metadata for allocated keys and values. For analysis, a better option is `reg save <hive> <file>` (see: https://dfir.ru/2020/10/03/exporting-registry-hives-from-a-live-system/).
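The collection step the reply recommends, as an added example that is not part of the yarp project or of this thread: a PowerShell script that runs `reg save` for the main HKLM hives into a per-host folder and checks that each output file is a binary hive (it begins with the `regf` signature) rather than a text export. The output path and the list of hives are assumptions; `reg save` needs an elevated prompt, and the script exits early when run without one.

```powershell
# Added example (not part of yarp or the original issue). Collects binary
# registry hives with "reg save", the format yarp expects, instead of the
# text produced by "reg export". Output root and hive list are assumptions.

param(
    [string]$OutRoot = 'C:\collect'   # assumed collection directory
)

# reg save requires the backup privilege, i.e. an elevated session.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'reg save needs an elevated (administrator) session.'
    exit 1
}

# Hives to collect; HKLM itself cannot be saved as a whole, only its hives.
$hives = [ordered]@{
    'HKLM\SYSTEM'   = 'SYSTEM'
    'HKLM\SOFTWARE' = 'SOFTWARE'
    'HKLM\SAM'      = 'SAM'
    'HKLM\SECURITY' = 'SECURITY'
}

$dest = Join-Path $OutRoot $env:COMPUTERNAME
New-Item -ItemType Directory -Path $dest -Force | Out-Null

function Test-RegfSignature {
    # Returns $true when the first four bytes of the file are "regf".
    param([string]$Path)
    $buf = New-Object byte[] 4
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { [void]$fs.Read($buf, 0, 4) }
    finally { $fs.Dispose() }
    return ([System.Text.Encoding]::ASCII.GetString($buf) -eq 'regf')
}

foreach ($hive in $hives.Keys) {
    $file = Join-Path $dest $hives[$hive]
    # /y overwrites an existing output file without prompting.
    & reg.exe save $hive $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg save failed for $hive (exit code $LASTEXITCODE)"
        continue
    }
    if (Test-RegfSignature -Path $file) {
        Write-Host "saved $hive -> $file"
    } else {
        Write-Warning "$file does not start with 'regf'; not a binary hive"
    }
}
```

To fan this out across many hosts, run the same script body through `Invoke-Command -ComputerName ... -FilePath .\collect-hives.ps1` and copy the per-host folders back; the saved files are then opened in yarp as binary files (`Registry.RegistryHive(open(path, 'rb'))`), not as text.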
Thanks, perfect!
New to forensics, but we're thinking that in order to pull registries from many machines for analysis, we would use PowerShell to run `reg export HKLM hklm.reg` on every machine and then parse the exported `hklm.reg` file. Seemed simple enough, so I tried using yarp to parse it like:
and got this error:
Am I misusing the library?