RegRipper parity: which 91 plugins are in, what's still missing
The honest version: RegRipper has been the open-source baseline for Windows registry triage since 2009. Anything that calls itself a "registry parser" gets measured against it. The list of plugins below is what this site implements today. It is not a marketing claim; it is the working catalog the worker actually runs.
I keep this page accurate because it matters to the people who use the tool in incident response. If a plugin is on the page, it produces output on the matching hive. If a plugin is in "planned", do not rely on it yet.
The architecture choice that lets this catalog grow
Each artifact is a self-contained plugin under lib/plugins/impl/. Adding a new one is one file plus a registry entry; no architectural change, no rebuild of the engine. That deliberately echoes RegRipper's Perl plugin model. The tradeoff is the same one Harlan Carvey made in RegRipper: each plugin is small and obvious, the whole catalog is huge.
The plugin contract is intentionally narrow. A plugin gets a hive session, queries the keys it cares about, and emits structured rows. No DOM access, no cross-plugin coupling. The explorer renders whatever rows come back.
Phase 1 (in)
The foundational set. If you only ever ran these on a SOC triage, you would still catch most of what the cheap end of incident response asks for.
| Plugin | Hive | Category |
|---|---|---|
| ntuser_run / ntuser_runonce | NTUSER | Persistence |
| typedurls | NTUSER | User activity |
| wordwheelquery | NTUSER | User activity |
| recentdocs | NTUSER | User activity |
| userassist | NTUSER | Execution |
| winver | SOFTWARE | System |
| installed_software | SOFTWARE | Software |
| profilelist | SOFTWARE | Accounts |
| networklist | SOFTWARE | Network |
| software_run | SOFTWARE | Persistence |
| lastloggedon | SOFTWARE | Accounts |
| compname | SYSTEM | System |
| timezone | SYSTEM | System |
| services | SYSTEM | Persistence |
| usbstor | SYSTEM | USB |
| mounted_devices | SYSTEM | USB |
| bam | SYSTEM | Execution |
| shimcache | SYSTEM | Execution |
| samparse | SAM | Accounts |
The Shimcache plugin handles the modern format variants; samparse decrypts the local account structures using the SYSKEY from SYSTEM. bam (Background Activity Monitor) is the underrated one in this list: it surfaces every program that ran in the last week, with per-session timestamps.
Phase 2 (in)
The follow-on plugins that catch persistence patterns Phase 1 misses, plus the deeper user-activity and network artifacts.
RunMRU, TypedPaths, MountPoints2, RDP client history, PuTTY sessions, Explorer view settings, Winlogon, Image File Execution Options, App Paths, Policies Run, Defender exclusions, TCP/IP interfaces, SMB shares, USB devices, last shutdown time, control-set selection, netsh portproxy, and the Amcache file inventory.
The IFEO plugin is the one I use most often in this batch: it flags every Debugger value, which is where the classic sticky-keys backdoor lives. Defender exclusions is the second: a Defender exclusion list that mentions \Users\Public\ is almost always either misconfiguration or persistence.
Phase 3 (in)
cmd.exe AutoRun, User Shell Folders, mapped-drive history, Sysinternals usage, Regedit LastKey, IE settings, Active Setup, Browser Helper Objects, Winlogon Notify, AppInit_DLLs, scheduled tasks (TaskCache), Svchost groups, machine RunOnce, WOW6432 Run, network cards, PowerShell execution policy, ShellServiceObjectDelayLoad, BootExecute, KnownDLLs, Terminal Services/RDP, firewall profiles, TCP/IP parameters, NTFS settings, Prefetch config, WPD/USB volumes, and the Amcache application inventory.
The TaskCache plugin is the one to know here. Scheduled tasks are stored in two places: as XML under C:\Windows\System32\Tasks\ and as registry data under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\. Attackers who tamper with one sometimes forget the other. Comparing both halves catches the trick.
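An added example of the two-halves comparison described above; this is not the site's taskcache plugin. It takes the three views as plain objects (Tree key path to its Id value, Tasks GUID to its Path value, and the file list under System32\Tasks), so it runs on any source of those views. Sample data is constructed, including the GUIDs.

```javascript
// Normalise a task path from any of the three sources: strip the leading
// backslash that the Tasks\{GUID}\Path value carries, unify separators, fold case.
const normTaskPath = (p) => p.replace(/^[\\/]+/, '').replace(/\//g, '\\').toLowerCase();

// tree:     { 'Microsoft\\Windows\\X\\Y': '{GUID}' }  Tree subkey path -> Id value
// tasks:    { '{GUID}': '\\Microsoft\\Windows\\X\\Y' } Tasks subkey (GUID) -> Path value
// xmlFiles: ['Microsoft\\Windows\\X\\Y']              XML files relative to System32\Tasks
function crossCheckTaskCache(tree, tasks, xmlFiles) {
  const findings = [];
  const treePaths = new Map(); // normalised path -> Id
  for (const [path, id] of Object.entries(tree)) treePaths.set(normTaskPath(path), id.toUpperCase());
  const tasksById = new Map(); // Id -> normalised Path value
  for (const [id, path] of Object.entries(tasks)) tasksById.set(id.toUpperCase(), normTaskPath(path));
  const xmlSet = new Set(xmlFiles.map(normTaskPath));

  for (const [path, id] of treePaths) {
    if (!tasksById.has(id)) {
      findings.push({ task: path, issue: 'Tree entry has no Tasks\\' + id + ' record' });
    } else if (tasksById.get(id) !== path) {
      findings.push({ task: path, issue: 'Tree path disagrees with Tasks Path value (' + tasksById.get(id) + ')' });
    }
    if (!xmlSet.has(path)) findings.push({ task: path, issue: 'registered in TaskCache but no XML under System32\\Tasks' });
  }
  const treeIds = new Set(treePaths.values());
  for (const [id, path] of tasksById) {
    if (!treeIds.has(id)) findings.push({ task: path, issue: 'Tasks record ' + id + ' not referenced from Tree' });
  }
  for (const path of xmlSet) {
    if (!treePaths.has(path)) findings.push({ task: path, issue: 'XML task file with no TaskCache registration' });
  }
  return findings;
}

// Constructed sample (GUIDs are placeholders): one consistent task, four inconsistencies.
const SAMPLE = {
  tree: {
    'Microsoft\\Windows\\Defrag\\ScheduledDefrag': '{AAAAAAAA-0000-0000-0000-000000000001}',
    'Updater': '{BBBBBBBB-0000-0000-0000-000000000002}',                   // Tasks record missing
    'Microsoft\\Windows\\Wininet\\CacheTask': '{CCCCCCCC-0000-0000-0000-000000000003}', // no XML
  },
  tasks: {
    '{aaaaaaaa-0000-0000-0000-000000000001}': '\\Microsoft\\Windows\\Defrag\\ScheduledDefrag',
    '{CCCCCCCC-0000-0000-0000-000000000003}': '\\Microsoft\\Windows\\Wininet\\CacheTask',
    '{DDDDDDDD-0000-0000-0000-000000000004}': '\\OneDrive Standalone Update', // no Tree entry
  },
  xml: ['Microsoft\\Windows\\Defrag\\ScheduledDefrag', 'Updater', 'Orphan'], // Orphan: XML only
};

function runSample() { return crossCheckTaskCache(SAMPLE.tree, SAMPLE.tasks, SAMPLE.xml); }
```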
Phase 4 (in)
ShellBags (heuristic ITEMIDLIST decode, NTUSER + UsrClass), MUICache, approved shell extensions, StartupApproved state, UAC policies, Defender status, WDigest, security providers, persistent routes, RDP/NLA security, plus per-hive fan-out so every loaded NTUSER.DAT/UsrClass.dat is analysed separately.
ShellBags is the most complex plugin in the catalog. The heuristic decoder handles the common ITEMIDLIST patterns including removable-media bags; it does not handle every edge case the format throws at you. For exotic bags you may still want to cross-check against Eric Zimmerman's ShellBagsExplorer.
The WDigest plugin is small but matters: if UseLogonCredential=1 is set under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\, the host has been configured to cache plaintext credentials in lsass.exe. That is a credential-theft enabler, period.
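An added example of a plugin written to the narrow contract described earlier (hive session in, structured rows out), using the WDigest check as the subject; it is not the site's own wdigest plugin. The hive-session API (session.getKey(path) returning { values: { name: { type, data } } } or null) and the in-memory sample hive are assumptions.

```javascript
// Plugin descriptor in the spirit of the one-file-per-artifact model.
const WDIGEST_PLUGIN = { name: 'wdigest', hive: 'SYSTEM', category: 'Credential access' };

// Registry value names are case-insensitive; look the value up accordingly.
function getValue(key, name) {
  const match = Object.keys(key.values).find((n) => n.toLowerCase() === name.toLowerCase());
  return match ? key.values[match] : undefined;
}

// A SYSTEM hive on disk has no CurrentControlSet link; the live set is Select\Current.
function currentControlSet(session) {
  const select = session.getKey('Select');
  const current = select ? getValue(select, 'Current') : undefined;
  return 'ControlSet' + String(current ? current.data : 1).padStart(3, '0');
}

function runWdigest(session) {
  const keyPath = currentControlSet(session) + '\\Control\\SecurityProviders\\WDigest';
  const key = session.getKey(keyPath);
  const value = key ? getValue(key, 'UseLogonCredential') : undefined;
  const data = value ? value.data : null;
  // Absent value: caching is off by default on Windows 8.1 / 2012 R2 and later
  // (and on older hosts with KB2871997); older unpatched hosts cache plaintext regardless.
  let finding;
  if (data === 1) finding = 'plaintext credential caching in lsass ENABLED';
  else if (data === 0) finding = 'explicitly disabled';
  else finding = 'value absent (OS default applies)';
  return [{
    plugin: WDIGEST_PLUGIN.name, key: keyPath, value: 'UseLogonCredential',
    data, finding, severity: data === 1 ? 'high' : 'info',
  }];
}

// Constructed in-memory hive session for demonstration; not a real SYSTEM hive.
function sampleSession(useLogonCredential) {
  const wdigestValues = useLogonCredential === undefined
    ? {}
    : { UseLogonCredential: { type: 'REG_DWORD', data: useLogonCredential } };
  const keys = {
    'Select': { values: { Current: { type: 'REG_DWORD', data: 1 } } },
    'ControlSet001\\Control\\SecurityProviders\\WDigest': { values: wdigestValues },
  };
  return { getKey: (path) => keys[path] || null };
}
```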
Total today: ~91 plugins across NTUSER, SOFTWARE, SYSTEM, SAM, SECURITY, USRCLASS, AMCACHE.
Phase 5+ (planned)
The AppCompatCache binary store variants beyond the current heuristic, OpenSave/LastVisited PIDL MRUs, Windows Search index keys, and the long tail of the 200+ RegRipper plugin set. The 200+ count includes many highly version-specific plugins (Office 2007 keys, specific IE/Edge versions, defunct services) that I have triaged into "ship later" rather than ignore.
If you have a hive in the wild that produces output in RegRipper but not here, that is the bug report I want to see. Open an issue with a sanitized hive sample and the RegRipper output, and the missing plugin moves up the queue.
Further reading
- Harlan Carvey, RegRipper — the canonical implementation and the best living reference for what each plugin does.
- Andrea Fortuna, RegRipper plugin index — the unofficial cross-reference many practitioners use.
- Maxim Suhanov, yarp — for understanding the underlying hive format the plugins query.