Windows Forensics

Windows Registry

Enumeration

```ruby
require 'win32/registry'

# List subkeys of a key
keyname = 'SOFTWARE\Clients'
access = Win32::Registry::KEY_ALL_ACCESS
Win32::Registry::HKEY_LOCAL_MACHINE.open(keyname, access).keys

# List the network signature keys; each one holds a DefaultGatewayMac value
# (the MAC of the default gateway seen when the network was profiled)
keyname = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged'
access = Win32::Registry::KEY_ALL_ACCESS
Win32::Registry::HKEY_LOCAL_MACHINE.open(keyname, access).keys

# Same key, iterated with a block: each_key yields the subkey name and its last-write time
keyname = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged'
access = Win32::Registry::KEY_ALL_ACCESS
Win32::Registry::HKEY_LOCAL_MACHINE.open(keyname, access) do |reg|
  reg.each_key { |name, wtime| puts name, wtime }
end
```
Note: KEY_ALL_ACCESS also grants write and delete rights, which is more than read-only collection needs and will make the open fail under a non-administrative account. If you pass no access mask, open defaults to KEY_READ. For forensic enumeration prefer KEY_READ, OR'd with KEY_WOW64_64KEY when running a 32-bit Ruby so you read the 64-bit view of HKLM\SOFTWARE rather than the redirected WOW6432Node.
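Listing key names is only the first step; the values under NetworkList are what go into a timeline. The following is an added example, not code from the original page: it joins Profiles\{GUID} (ProfileName, Category, NameType, DateCreated, DateLastConnected) to Signatures\Unmanaged (ProfileGuid, DefaultGatewayMac) and decodes the REG_BINARY timestamps, which are 16-byte Win32 SYSTEMTIME structs. The live collector only runs on Windows; the profile GUID, signature key name, MAC and timestamps in the sample data are constructed so the decoding can be exercised anywhere.

```ruby
# Added example (not from the original page): decode the artefacts under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList so the raw
# registry values become something a timeline can use.
#
# Profiles\{GUID}      -> ProfileName, Category, NameType, DateCreated, DateLastConnected
# Signatures\Unmanaged -> ProfileGuid, DefaultGatewayMac, DnsSuffix, Description
# The two halves are joined on ProfileGuid.

CATEGORY  = { 0 => 'Public', 1 => 'Private', 2 => 'Domain' }.freeze
NAME_TYPE = { 6 => 'Wired', 23 => 'VPN', 71 => 'Wireless' }.freeze

# DateCreated/DateLastConnected are REG_BINARY blobs holding a 16-byte Win32
# SYSTEMTIME: eight little-endian uint16 fields (year, month, day-of-week, day,
# hour, minute, second, millisecond). The struct carries no time zone; Windows
# writes the host's wall-clock time here, so check the host's zone setting
# before re-basing it against other evidence.
def parse_systemtime(blob)
  raise ArgumentError, "SYSTEMTIME is 16 bytes, got #{blob.bytesize}" unless blob.bytesize == 16
  year, month, _dow, day, hour, min, sec, msec = blob.unpack('v8')
  Time.utc(year, month, day, hour, min, sec, msec * 1000) # UTC used only as a zone-less carrier
end

# DefaultGatewayMac is a 6-byte REG_BINARY value.
def format_mac(blob)
  raise ArgumentError, "MAC is 6 bytes, got #{blob.bytesize}" unless blob.bytesize == 6
  blob.unpack('C6').map { |b| format('%02X', b) }.join(':')
end

# profiles:   { guid => { value_name => data } }
# signatures: { signature_key => { value_name => data } }
# Returns one hash per profile, enriched with every gateway MAC that pointed at it.
def summarize(profiles, signatures)
  by_guid = Hash.new { |h, k| h[k] = [] }
  signatures.each_value do |v|
    by_guid[v['ProfileGuid']] << format_mac(v['DefaultGatewayMac']) if v['DefaultGatewayMac']
  end
  profiles.map do |guid, v|
    {
      guid: guid,
      name: v['ProfileName'],
      category: CATEGORY.fetch(v['Category'], "Unknown(#{v['Category']})"),
      type: NAME_TYPE.fetch(v['NameType'], "Unknown(#{v['NameType']})"),
      created: parse_systemtime(v['DateCreated']),
      last_connected: parse_systemtime(v['DateLastConnected']),
      gateway_macs: by_guid[guid],
    }
  end
end

# Live collection, Windows only. KEY_READ is enough, and KEY_WOW64_64KEY keeps
# a 32-bit Ruby out of the WOW6432Node view of HKLM\SOFTWARE.
def read_networklist
  require 'win32/registry'
  base = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'
  access = Win32::Registry::KEY_READ | Win32::Registry::KEY_WOW64_64KEY
  values_of = lambda do |reg|
    h = {}
    reg.each_value { |name, _type, data| h[name] = data }
    h
  end
  read_tree = lambda do |subkey|
    out = {}
    Win32::Registry::HKEY_LOCAL_MACHINE.open("#{base}\\#{subkey}", access) do |reg|
      reg.each_key { |k, _wtime| reg.open(k, access) { |sub| out[k] = values_of.call(sub) } }
    end
    out
  end
  summarize(read_tree.call('Profiles'), read_tree.call('Signatures\Unmanaged'))
end

# Constructed sample data (GUID, signature key, MAC and dates are made up) so the
# decoding can be exercised off-box.
SAMPLE_PROFILES = {
  '{1E2B3C4D-0000-4000-8000-000000000001}' => {
    'ProfileName' => 'CoffeeShop-Guest', 'Category' => 0, 'NameType' => 71,
    'DateCreated' => [2023, 5, 2, 16, 14, 30, 5, 0].pack('v8'),       # 2023-05-16 14:30:05
    'DateLastConnected' => [2023, 6, 1, 19, 8, 2, 47, 0].pack('v8'),  # 2023-06-19 08:02:47
  },
}.freeze
SAMPLE_SIGNATURES = {
  '010103000F0000F0080000000F0000F0CAFEF00D' => {
    'ProfileGuid' => '{1E2B3C4D-0000-4000-8000-000000000001}',
    'DefaultGatewayMac' => [0x00, 0x11, 0x22, 0xAA, 0xBB, 0xCC].pack('C6'),
  },
}.freeze

if __FILE__ == $PROGRAM_NAME
  rows = Gem.win_platform? ? read_networklist : summarize(SAMPLE_PROFILES, SAMPLE_SIGNATURES)
  rows.sort_by { |r| r[:last_connected] }.each do |r|
    puts format('%-19s  %-8s  %-8s  %-24s  %s', r[:last_connected].strftime('%Y-%m-%d %H:%M:%S'),
                r[:category], r[:type], r[:name], r[:gateway_macs].join(','))
  end
end
```

Run it on the host (or in a mounted-hive scenario after exporting the values) and sort on last_connected to see which networks the machine joined and when; the gateway MAC is what lets you tie a profile name such as "CoffeeShop-Guest" to a specific physical network across multiple hosts.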