killvxk/analyzing-windows-registry-for-artifacts
skills/analyzing-windows-registry-for-artifacts/SKILL.md
提取并分析 Windows 注册表配置单元,以发现用户活动、已安装软件、自启动条目及系统入侵证据。
$ install --global
skillsauthnpx skillsauth add killvxk/cybersecurity-skills-zh analyzing-windows-registry-for-artifactsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 4:26 AM61.8s3 files scanned
SKILL.md
- name:
- analyzing-windows-registry-for-artifacts
- description:
- 提取并分析 Windows 注册表配置单元,以发现用户活动、已安装软件、自启动条目及系统入侵证据。
- domain:
- cybersecurity
- subdomain:
- digital-forensics
- tags:
- [forensics, windows-registry, artifact-analysis, regripper, registry-explorer, evidence-collection]
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
分析 Windows 注册表取证痕迹
适用场景
- 在事件期间调查 Windows 系统上的用户活动时
- 识别恶意软件使用的自启动/持久化机制时
- 追踪已安装软件、USB 设备及网络连接时
- 内部威胁调查中重建用户操作时
- 将注册表时间戳与其他取证痕迹关联时
前置条件
- 取证镜像或提取的注册表配置单元文件
- RegRipper、Registry Explorer(Eric Zimmerman)或 python-registry
- 访问注册表配置单元位置(SAM、SYSTEM、SOFTWARE、NTUSER.DAT、UsrClass.dat)
- 了解 Windows 注册表结构(配置单元、键、值)
- SIFT Workstation 或取证分析环境
工作流程
步骤 1:从取证镜像提取注册表配置单元
# 以只读方式挂载取证镜像
mkdir /mnt/evidence
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence
# 复制系统注册表配置单元
cp /mnt/evidence/Windows/System32/config/SAM /cases/case-2024-001/registry/
cp /mnt/evidence/Windows/System32/config/SYSTEM /cases/case-2024-001/registry/
cp /mnt/evidence/Windows/System32/config/SOFTWARE /cases/case-2024-001/registry/
cp /mnt/evidence/Windows/System32/config/SECURITY /cases/case-2024-001/registry/
cp /mnt/evidence/Windows/System32/config/DEFAULT /cases/case-2024-001/registry/
# 复制用户特定配置单元
cp /mnt/evidence/Users/*/NTUSER.DAT /cases/case-2024-001/registry/
cp /mnt/evidence/Users/*/AppData/Local/Microsoft/Windows/UsrClass.dat /cases/case-2024-001/registry/
# 复制事务日志(用于脏配置单元恢复)
cp /mnt/evidence/Windows/System32/config/*.LOG* /cases/case-2024-001/registry/logs/
# 对所有提取的配置单元进行哈希
sha256sum /cases/case-2024-001/registry/* > /cases/case-2024-001/registry/hive_hashes.txt
步骤 2:使用 RegRipper 自动提取取证痕迹
# 安装 RegRipper
git clone https://github.com/keydet89/RegRipper3.0.git /opt/regripper
# 对 NTUSER.DAT(用户配置文件)运行 RegRipper
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/NTUSER.DAT \
-f ntuser > /cases/case-2024-001/analysis/ntuser_report.txt
# 对 SYSTEM 配置单元运行
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/SYSTEM \
-f system > /cases/case-2024-001/analysis/system_report.txt
# 对 SOFTWARE 配置单元运行
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/SOFTWARE \
-f software > /cases/case-2024-001/analysis/software_report.txt
# 对 SAM 配置单元(用户账户)运行
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/SAM \
-f sam > /cases/case-2024-001/analysis/sam_report.txt
# 运行特定插件
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/NTUSER.DAT \
-p userassist > /cases/case-2024-001/analysis/userassist.txt
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/SYSTEM \
-p usbstor > /cases/case-2024-001/analysis/usbstor.txt
步骤 3:提取持久化和自启动条目
# 使用 python-registry 进行有针对性的提取
pip install python-registry
python3 << 'PYEOF'
from Registry import Registry
# 打开 SOFTWARE 配置单元
reg = Registry.Registry("/cases/case-2024-001/registry/SOFTWARE")
# 检查 Run 键(自启动)
autorun_paths = [
"Microsoft\\Windows\\CurrentVersion\\Run",
"Microsoft\\Windows\\CurrentVersion\\RunOnce",
"Microsoft\\Windows\\CurrentVersion\\RunServices",
"Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
"Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"
]
for path in autorun_paths:
try:
key = reg.open(path)
print(f"\n=== {path} (Last Modified: {key.timestamp()}) ===")
for value in key.values():
print(f" {value.name()}: {value.value()}")
except Registry.RegistryKeyNotFoundException:
pass
# 检查已安装的服务
key = reg.open("Microsoft\\Windows NT\\CurrentVersion\\Svchost")
print(f"\n=== Svchost Groups ===")
for value in key.values():
print(f" {value.name()}: {value.value()}")
PYEOF
# 检查 NTUSER.DAT 中的用户特定自启动
python3 << 'PYEOF'
from Registry import Registry
reg = Registry.Registry("/cases/case-2024-001/registry/NTUSER.DAT")
user_autorun = [
"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run"
]
for path in user_autorun:
try:
key = reg.open(path)
print(f"\n=== {path} (Last Modified: {key.timestamp()}) ===")
for value in key.values():
print(f" {value.name()}: {value.value()}")
except Registry.RegistryKeyNotFoundException:
pass
PYEOF
步骤 4:分析用户活动取证痕迹
# 提取 UserAssist 数据(使用 ROT13 编码的程序执行历史)
python3 << 'PYEOF'
from Registry import Registry
import codecs, struct, datetime
reg = Registry.Registry("/cases/case-2024-001/registry/NTUSER.DAT")
ua_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"
key = reg.open(ua_path)
for guid_key in key.subkeys():
count_key = guid_key.subkey("Count")
print(f"\n=== {guid_key.name()} ===")
for value in count_key.values():
decoded_name = codecs.decode(value.name(), 'rot_13')
data = value.value()
if len(data) >= 16:
run_count = struct.unpack('<I', data[4:8])[0]
focus_count = struct.unpack('<I', data[8:12])[0]
timestamp = struct.unpack('<Q', data[60:68])[0] if len(data) >= 68 else 0
if timestamp > 0:
ts = datetime.datetime(1601,1,1) + datetime.timedelta(microseconds=timestamp//10)
print(f" {decoded_name}: Runs={run_count}, Focus={focus_count}, Last={ts}")
else:
print(f" {decoded_name}: Runs={run_count}, Focus={focus_count}")
PYEOF
# 提取最近文档(MRU 列表)
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/NTUSER.DAT \
-p recentdocs > /cases/case-2024-001/analysis/recentdocs.txt
# 提取已输入的 URL(浏览器)
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/NTUSER.DAT \
-p typedurls > /cases/case-2024-001/analysis/typedurls.txt
# 提取资源管理器中的已输入路径
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/NTUSER.DAT \
-p typedpaths > /cases/case-2024-001/analysis/typedpaths.txt
步骤 5:提取系统和网络信息
# 从 SYSTEM 配置单元获取计算机名和操作系统版本
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/SYSTEM \
-p compname > /cases/case-2024-001/analysis/system_info.txt
# 网络接口和配置
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/SYSTEM \
-p nic2 >> /cases/case-2024-001/analysis/system_info.txt
# 无线网络历史
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/SOFTWARE \
-p networklist > /cases/case-2024-001/analysis/network_history.txt
# 时区配置
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/SYSTEM \
-p timezone > /cases/case-2024-001/analysis/timezone.txt
# 关机时间
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/SYSTEM \
-p shutdown > /cases/case-2024-001/analysis/shutdown.txt
# 从 Uninstall 键提取已安装软件
perl /opt/regripper/rip.pl -r /cases/case-2024-001/registry/SOFTWARE \
-p uninstall > /cases/case-2024-001/analysis/installed_software.txt
核心概念
| 概念 | 描述 | |---------|-------------| | 注册表配置单元(Registry hive) | 存储注册表某一部分的二进制文件(SAM、SYSTEM、SOFTWARE、NTUSER.DAT) | | MRU(Most Recently Used,最近使用) | 跟踪最近访问的文件、命令和搜索词的列表 | | UserAssist | 使用 ROT13 编码记录带时间戳的程序执行的注册表条目 | | ShimCache | 记录已执行程序的应用程序兼容性缓存 | | AmCache | 详细的执行历史,包含可执行文件的 SHA-1 哈希 | | BAM/DAM | 在 Windows 10+ 中追踪程序执行的后台/桌面活动调节器 | | 最后写入时间(Last Write Time) | 注册表键上的时间戳,表明上次修改时间 | | 事务日志(Transaction logs) | 允许在异常关机后恢复注册表状态的日志文件 |
工具与系统
| 工具 | 用途 | |------|---------| | RegRipper | 使用插件架构自动提取注册表取证痕迹 | | Registry Explorer | Eric Zimmerman 用于交互式注册表分析的 GUI 工具 | | python-registry | 用于编程化注册表配置单元解析的 Python 库 | | RECmd | Eric Zimmerman 命令行注册表分析工具 | | yarp | 用于 Python 分析的另一种注册表解析器 | | AppCompatCacheParser | 专用 ShimCache/AppCompatCache 解析器 | | AmcacheParser | 专用 AmCache.hve 分析工具 | | ShellBags Explorer | 用于分析 ShellBag 取证痕迹的专用工具 |
常见场景
场景 1:恶意软件持久化调查 提取 SOFTWARE 和 NTUSER.DAT 配置单元,检查所有 Run/RunOnce 键中的未授权条目,检查服务中的可疑添加,检查计划任务注册表键,将自启动时间戳与恶意软件执行时间线关联。
场景 2:用户活动重建 分析 UserAssist 获取程序执行历史,检查 RecentDocs 获取已访问文件,检查 TypedPaths 获取资源管理器导航记录,提取 ShellBag 获取文件夹访问模式,围绕事件窗口构建用户活动时间线。
场景 3:未授权软件检测 解析 Uninstall 键获取所有已安装应用程序,与批准的软件基线比较,检查 BAM/DAM 获取批准列表之外最近执行的程序,检查 AppCompatCache 获取即使在卸载后也有的执行证据。
场景 4:USB 数据外泄调查 从 SYSTEM 配置单元提取 USBSTOR 条目获取已连接设备,将设备序列号与 MountedDevices 关联,检查 NTUSER.DAT MountPoints2 获取用户访问可移动介质的记录,检查 SetupAPI 日志获取首次连接时间戳。
输出格式
Registry Analysis Summary:
System: DESKTOP-ABC123 (Windows 10 Pro Build 19041)
Timezone: Eastern Standard Time (UTC-5)
Last Shutdown: 2024-01-18 23:45:12 UTC
Autorun Entries:
HKLM Run: 5 entries (1 suspicious: "updater.exe" -> C:\ProgramData\svc\updater.exe)
HKCU Run: 3 entries (all legitimate)
Services: 142 entries (2 unknown: "WinDefSvc", "SysMonAgent")
User Activity (NTUSER.DAT):
UserAssist Programs: 234 entries
Recent Documents: 89 entries
Typed URLs: 45 entries
Typed Paths: 12 entries
USB Devices Connected:
- Kingston DataTraveler (Serial: 0019E06B4521) - First: 2024-01-10, Last: 2024-01-18
- WD My Passport (Serial: 575834314131) - First: 2024-01-15, Last: 2024-01-15
Installed Software: 127 applications
Suspicious Findings: 3 items flagged for review
Related Skills
killvxk/conducting-social-engineering-penetration-test
testing
VerifiedTrustedCommunity
设计并执行社会工程学渗透测试,包括钓鱼、语音钓鱼、短信钓鱼和物理借口活动,以衡量人员安全韧性并识别培训差距。
10SKILL.mdUpdated Apr 29, 2026
killvxk/conducting-post-incident-lessons-learned
testing
VerifiedTrustedCommunity
主持结构化的事件后审查,以识别根本原因、记录有效和无效的措施,并提出可操作的改进建议以提升未来的事件响应能力。
10SKILL.mdUpdated Apr 29, 2026
killvxk/conducting-phishing-incident-response
testing
VerifiedTrustedCommunity
通过分析举报的邮件、提取指标、评估凭据受攻陷情况、在全组织范围隔离恶意邮件并修复受影响账号来响应网络钓鱼事件。涵盖邮件头分析、URL/附件沙箱检测和邮箱范围清除操作。适用于网络钓鱼响应、邮件事件、凭据钓鱼、鱼叉式网络钓鱼调查或钓鱼修复相关请求。
10SKILL.mdUpdated Apr 29, 2026
killvxk/conducting-pass-the-ticket-attack
tools
VerifiedTrustedCommunity
票据传递(Pass-the-Ticket,PtT)是一种横向移动技术,使用窃取的 Kerberos 票据(TGT 或 TGS)在不知道用户密码的情况下向服务进行认证。通过从已控制的主机内存中提取 Kerberos 票据,攻击者可以将这些票据注入自己的会话以模拟票据所有者。
10SKILL.mdUpdated Apr 29, 2026