Registry Parser
All articles

RegRipper parity: which 143 plugins are in, what's still missing

7 min read

The honest version: RegRipper has been the open-source baseline for Windows registry triage since 2009. Anything that calls itself a "registry parser" gets measured against it. The list of plugins below is what this site implements today. It is not a marketing claim; it is the working catalog the worker actually runs.

I keep this page accurate because it matters to the people who use the tool in incident response. If a plugin is on the page, it produces output on the matching hive. If a plugin is in "planned", do not rely on it yet.

The architecture choice that lets this catalog grow

Each artifact is a self-contained plugin under lib/plugins/impl/. Adding a new one is one file plus a registry entry; no architectural change, no rebuild of the engine. That deliberately echoes RegRipper's Perl plugin model. The tradeoff is the same one Harlan Carvey made in RegRipper: each plugin is small and obvious, the whole catalog is huge.

The plugin contract is intentionally narrow. A plugin gets a hive session, queries the keys it cares about, and emits structured rows. No DOM access, no cross-plugin coupling. The explorer renders whatever rows come back.

Phase 1 (in)

The foundational set. If you only ever ran these on a SOC triage, you would still catch most of what the cheap end of incident response asks for.

PluginHiveCategory
ntuser_run / ntuser_runonceNTUSERPersistence
typedurlsNTUSERUser activity
wordwheelqueryNTUSERUser activity
recentdocsNTUSERUser activity
userassistNTUSERExecution
winverSOFTWARESystem
installed_softwareSOFTWARESoftware
profilelistSOFTWAREAccounts
networklistSOFTWARENetwork
software_runSOFTWAREPersistence
lastloggedonSOFTWAREAccounts
compnameSYSTEMSystem
timezoneSYSTEMSystem
servicesSYSTEMPersistence
usbstorSYSTEMUSB
mounted_devicesSYSTEMUSB
bamSYSTEMExecution
shimcacheSYSTEMExecution
samparseSAMAccounts
sam_groupsSAMAccounts

The Shimcache plugin handles the modern format variants. samparse decodes the per-RID F and V structures — account flags, last-login/password-set/last-failed timestamps, login and failure counts, full name and comment — and sam_groups decodes the Builtin alias C structures to resolve local group membership. Both surface account metadata; neither decrypts the password hashes (that needs the SYSKEY from SYSTEM and is out of scope here). bam (Background Activity Monitor) is the underrated one in this list, it surfaces every program that ran in the last week with per-session timestamps.

Phase 2 (in)

The follow-on plugins that catch persistence patterns Phase 1 misses, plus the deeper user-activity and network artifacts.

RunMRU, TypedPaths, MountPoints2, RDP client history, PuTTY sessions, Explorer view settings, Winlogon, Image File Execution Options, App Paths, Policies Run, Defender exclusions, TCP/IP interfaces, SMB shares, USB devices, last shutdown time, control-set selection, netsh portproxy, RecentApps (the Windows Search/Start launch history), the ComDlg32 open/save dialog MRUs (comdlg32 — files opened/saved per extension and the last folder each app browsed), and the Amcache file inventory. RecentDocs now carries MRU ordering and the key write time that dates each key's most-recent entry.

The IFEO plugin is the one I use most often in this batch: it flags every Debugger value, which is where the classic sticky-keys backdoor lives. Defender exclusions is the second: a Defender exclusion list that mentions \Users\Public\ is almost always either misconfiguration or persistence.

Phase 3 (in)

cmd.exe AutoRun, User Shell Folders, mapped-drive history, Sysinternals usage, Regedit LastKey, IE settings, Active Setup, Browser Helper Objects, Winlogon Notify, AppInit_DLLs, scheduled tasks (TaskCache), Svchost groups, machine RunOnce, WOW6432 Run, network cards, PowerShell execution policy, ShellServiceObjectDelayLoad, BootExecute, KnownDLLs, Terminal Services/RDP, firewall profiles, TCP/IP parameters, NTFS settings, Prefetch config, WPD/USB volumes, and the Amcache application inventory.

The TaskCache plugin is the one to know here. Scheduled tasks are stored in two places: as XML under C:\Windows\System32\Tasks\ and as registry data under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\. Attackers who tamper with one sometimes forget the other. Comparing both halves catches the trick.

Phase 4 (in)

ShellBags (heuristic ITEMIDLIST decode, NTUSER + UsrClass), MUICache, approved shell extensions, StartupApproved state, UAC policies, Defender status, WDigest, security providers, persistent routes, RDP/NLA security, the LSA machine and primary-domain SID (polacdms), the legacy audit policy (auditpol), plus per-hive fan-out so every loaded NTUSER.DAT/UsrClass.dat is analysed separately.

This phase also adds the device- and identity-context artifacts: paired Bluetooth devices (bthport, with last-seen/last-connected times), installed printers (printers), the Windows Update client ID and last detect/install times (susclient), System Restore disabled state (disablesr), RAS/WinINet tracing entries that flag network-capable binaries (tracing), applied Group Policy history (gpohist), per-application jump-list last-access times (jumplistdata), and configured OneDrive accounts (onedrive).

ShellBags is the most complex plugin in the catalog. The heuristic decoder handles the common ITEMIDLIST patterns including removable-media bags; it does not handle every edge case the format throws at you. For exotic bags you may still want to cross-check against Eric Zimmerman's ShellBagsExplorer.

The WDigest plugin is small but matters: if UseLogonCredential=1 is set under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\, the host has been configured to cache plaintext credentials in lsass.exe. That is a credential-theft enabler, period.

Total today: ~143 plugins across NTUSER, SOFTWARE, SYSTEM, SAM, SECURITY, USRCLASS, AMCACHE.

Phase 5 (in): the long tail

The application- and host-context artifacts that round out triage. AppCertDLLs (appcertdlls — a CreateProcess-time injection mechanism), Safe Mode services and drivers (safeboot — survives safe-boot remediation), OEM manufacturer/model (oeminfo), MSI-installed products (installed_products), WSL Linux distributions (wsl), desktop wallpaper (wallpaper — ransom-note indicator), MMC recent snap-ins (mmc), 7-Zip path history (sevenzip), saved WinSCP sessions (winscp — remote-access/lateral-movement evidence), and Adobe Reader recent files (adoberdr). The Shimcache decoder now also reads the Windows 7 0xBADC0FEE binary store, not just the Win8/10 signature entries.

The security-policy artifacts round it out: file-association defaults (fileexts — UserChoice hijack), browser search scopes (searchscopes), the screensaver executable (screensaver — a logon-desktop persistence vector), AppLocker (applocker) and Software Restriction Policies (srp_codeid), installed VNC servers (vnc), the remote-UAC token policy (remote_uacLocalAccountTokenFilterPolicy, a pass-the-hash enabler), and DLL search-order hardening (dllsearch). Rounding out the autostart-DLL-load persistence vectors: LSA packages (lsa_packages — authentication/notification/security DLLs, including password-filter persistence), print port monitors (print_monitors), W32Time providers (time_providers), and netsh helper DLLs (netsh_helpers). Every timestamped artifact also feeds a merged timeline that exports to CSV, to the pipe-delimited TLN format, and to a TSK/mactime bodyfile for the standard log2timeline toolchain.

Phase 6+ (planned)

The audit subcategory (granular) policy on Vista+ (which lives in LSA/audit.csv rather than a decodable hive value), Windows Search index keys, and the long tail of the 200+ RegRipper plugin set. The 200+ count includes many highly version-specific plugins (Office 2007 keys, specific IE/Edge versions, defunct services) that I have triaged into "ship later" rather than ignore.

If you have a hive in the wild that produces output in RegRipper but not here, that is the bug report I want to see. Open an issue with a sanitized hive sample and the RegRipper output, and the missing plugin moves up the queue.

Further reading

  • Harlan Carvey, RegRipper — the canonical implementation and the best living reference for what each plugin does.
  • Andrea Fortuna, RegRipper plugin index — the unofficial cross-reference many practitioners use.
  • Maxim Suhanov, yarp — for understanding the underlying hive format the plugins query.