RegRipper plugins: the registry artifact reference
RegRipper is the tool most DFIR analysts reach for first when a registry hive lands on their desk. Its strength is not magic parsing — it is the plugin library. Each plugin encodes one analyst's hard-won knowledge of where an artifact lives, how its binary value is laid out, and what the result actually means. There are hundreds of them, and most analysts use a dozen by reflex and forget the rest exist.
This page is a reference to the plugins worth knowing, grouped by what they answer. Every linked deep-dive explains the registry keys behind the plugin, the value structures it decodes, the edge cases that mislead people, and how to read the output in a real case. You can run the same extractions against your own hives — without installing Perl — by dropping them into the browser-based parser, which ships 140+ plugins modelled on RegRipper's.
How RegRipper plugins are organized
A RegRipper plugin targets one hive type (NTUSER.DAT, SOFTWARE, SYSTEM, SAM, SECURITY, USRCLASS.DAT, or Amcache.hve) and one artifact. When you run rip.pl -r SYSTEM -p shimcache, the shimcache plugin opens the SYSTEM hive, walks to ControlSet001\Control\Session Manager\AppCompatCache, parses the binary blob, and prints the result. The plugin name is usually the fastest way to search for what an artifact is and how to read it — which is why analysts type "regripper shimcache" into a search box more often than they would admit.
The categories below mirror how the artifacts are used in an investigation, not how RegRipper files them internally.
Program execution
What ran on this machine, who ran it, when, and how often. No single artifact answers all of that, which is why you read several and triangulate.
- AppCompatCache / Shimcache — the appcompatcache plugin: file paths and last-modified times the system tracked for compatibility. The classic trap: presence is not proof of execution.
- Amcache.hve — the amcache plugin: file inventory with SHA-1 hashes, PE metadata, and first-seen timestamps. The hash is the pivot.
- BAM and DAM — the bam plugin: last-execution time per executable, per user SID. Execution plus attribution from the SYSTEM hive.
- UserAssist — the userassist plugin: GUI launches with run count, focus time, and last-run time. The best single per-user execution artifact.
- MUICache — the muicache plugin: friendly names the shell cached the first time a binary ran. Weak on its own, useful for renamed or deleted binaries.
- FeatureUsage — the featureusage plugin: Windows 10+ taskbar interaction counters, per user.
- RecentApps — the recentapps plugin: per-user launch counts with a precise last-run FILETIME on the builds that populate it.
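Two of the artifacts above, UserAssist and BAM, are small fixed-layout binary values, and decoding them by hand is the quickest way to understand what the userassist and bam plugins print. The following is an added example written for this page, not code from RegRipper or from Registry Parser. It assumes the Windows 7+ 72-byte UserAssist Count layout (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-run FILETIME at 60) and the 24-byte BAM value with the FILETIME in its first 8 bytes; the sample values are constructed, not captured from a hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """A FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Decode one UserAssist Count value (assumed Windows 7+ 72-byte layout).

    offset 4: run count, 8: focus count, 12: focus time in ms,
    16..56: ten floats (not used here), 60: last-run FILETIME.
    The value name is ROT13, known-folder GUID prefixes included.
    """
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": codecs.decode(value_name, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # A zero FILETIME means "never recorded", not 1601-01-01.
        "last_run": filetime_to_utc(last_run_ft) if last_run_ft else None,
    }


def parse_bam(value_name: str, data: bytes) -> dict:
    """BAM\\State\\UserSettings\\<SID> values: 24 bytes, FILETIME in the first 8."""
    if len(data) < 8:
        raise ValueError("BAM value too short")
    (ft,) = struct.unpack_from("<Q", data, 0)
    return {"path": value_name, "last_run": filetime_to_utc(ft)}


def build_userassist_blob(run_count, focus_count, focus_ms, last_run):
    """Constructed sample data in the same layout (not taken from a real hive)."""
    blob = bytearray(72)
    struct.pack_into("<III", blob, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", blob, 60, utc_to_filetime(last_run) if last_run else 0)
    return bytes(blob)


def demo():
    when = datetime(2024, 3, 5, 14, 7, 9, tzinfo=timezone.utc)
    ua = parse_userassist(
        "P:\\Jvaqbjf\\Flfgrz32\\pzq.rkr",  # ROT13 of C:\Windows\System32\cmd.exe
        build_userassist_blob(3, 2, 12500, when),
    )
    # An entry whose last-run FILETIME is zero: counted, but no usable time.
    never = parse_userassist("P:\\Gbbyf\\nccyrg.rkr", build_userassist_blob(1, 0, 0, None))
    bam = parse_bam(
        "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe",
        struct.pack("<Q", utc_to_filetime(when)) + bytes(16),
    )
    return ua, never, bam


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The two decoders return UTC; the hive never stores local time, so convert only after you have the machine's time zone bias in hand. The zero-FILETIME branch matters in practice: treating it as 1601-01-01 puts a phantom event at the top of a timeline.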
Persistence and autoruns
Where attackers hide so they survive a reboot. The registry is the densest persistence surface on Windows.
- Services — the services plugin: the full service list, Start type, ImagePath, and the svchost ServiceDll trick.
- Scheduled tasks — the taskcache plugin: TaskCache maps tasks to GUIDs and DynamicInfo timestamps; the Tree-vs-Tasks split exposes hidden tasks.
- Winlogon Shell/Userinit — the winlogon plugin: the values that should never change, and what tampering looks like.
- AppInit_DLLs and AppCertDLLs — the appinitdlls plugin: two DLL-injection vectors, one in SOFTWARE and one in SYSTEM.
- Run keys and Image File Execution Options: every Run/RunOnce variant and the IFEO debugger trick.
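Three of the checks above (the svchost ServiceDll trick, the Winlogon values that should never change, and the IFEO Debugger value) reduce to simple rules once the values are decoded. The block below is an added example for this page, not RegRipper or Registry Parser code; it runs those rules over constructed service, Winlogon and IFEO entries shaped like decoded registry values. The environment-variable map used to expand REG_EXPAND_SZ paths is an assumption for a default install.

```python
import re

# Assumed expansion table for a default install (constructed, not read from the hive).
ENV = {"%systemroot%": "C:\\Windows", "%windir%": "C:\\Windows"}
SYSTEM32 = "c:\\windows\\system32\\"


def expand(path: str) -> str:
    """Expand %VAR% tokens the way REG_EXPAND_SZ values are resolved."""
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).lower(), m.group(0)), path)


def check_services(services):
    """Flag svchost-hosted services whose ServiceDll lives outside System32."""
    findings = []
    for svc in services:
        image = expand(svc["image_path"]).lower()
        dll = svc.get("service_dll")
        if "\\svchost.exe" in image and dll:
            dll = expand(dll)
            if not dll.lower().startswith(SYSTEM32):
                findings.append(f"service {svc['name']}: svchost ServiceDll outside System32: {dll}")
    return findings


def check_winlogon(winlogon):
    """Shell must be exactly explorer.exe; Userinit must list only userinit.exe."""
    findings = []
    if winlogon.get("Shell", "").strip().lower() != "explorer.exe":
        findings.append(f"winlogon Shell changed: {winlogon.get('Shell')!r}")
    entries = [e.strip() for e in winlogon.get("Userinit", "").split(",") if e.strip()]
    extra = [e for e in entries if not expand(e).lower().endswith("\\userinit.exe")]
    if extra:
        findings.append(f"winlogon Userinit has extra entries: {extra}")
    return findings


def check_ifeo(ifeo):
    """Any Debugger value under IFEO redirects that executable; each one needs a look."""
    return [f"IFEO {exe}: Debugger={vals['Debugger']}" for exe, vals in ifeo.items() if "Debugger" in vals]


# Constructed sample entries (not from a real hive).
SAMPLE_SERVICES = [
    {"name": "Dnscache", "start": 2,
     "image_path": "%SystemRoot%\\system32\\svchost.exe -k NetworkService -p",
     "service_dll": "%SystemRoot%\\System32\\dnsrslvr.dll"},
    {"name": "UpdateSvc", "start": 2,
     "image_path": "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
     "service_dll": "C:\\Users\\Public\\Libraries\\upd.dll"},
    {"name": "Spooler", "start": 2,
     "image_path": "%SystemRoot%\\System32\\spoolsv.exe", "service_dll": None},
]
SAMPLE_WINLOGON = {"Shell": "explorer.exe",
                   "Userinit": "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\u.exe,"}
SAMPLE_IFEO = {"sethc.exe": {"Debugger": "C:\\Windows\\System32\\cmd.exe"}, "notepad.exe": {}}


def triage():
    return check_services(SAMPLE_SERVICES) + check_winlogon(SAMPLE_WINLOGON) + check_ifeo(SAMPLE_IFEO)


if __name__ == "__main__":
    for line in triage():
        print(line)
```

These are review prompts, not verdicts: some vendors legitimately host a ServiceDll under Program Files, and developer machines carry real IFEO debuggers, so each finding should be checked against the binary on disk and the key's last-write time.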
USB and removable devices
Did data leave on a thumb drive? Was a personal device attached? The registry remembers every device long after it is unplugged.
- USBSTOR — the usbstor plugin: every removable drive ever attached, with vendor, serial, and first/last connect.
- MountPoints2 and MountedDevices — the mountpoints2 plugin: ties a USB volume to a specific user account and to a drive letter.
- Bluetooth — the bthport plugin: paired phones, headsets, and file-transfer devices — proximity evidence.
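The USBSTOR key names carry the vendor, product and revision, and the subkey beneath each one carries the device serial with an instance suffix; pulling those apart, and spotting serials Windows made up because the device reported none, is the core of what the usbstor plugin does. The following is an added example for this page, not RegRipper or Registry Parser code, run over a constructed USBSTOR tree.

```python
import re

DEVICE_KEY = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$",
    re.IGNORECASE,
)


def parse_device_key(name: str) -> dict:
    """'Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00' -> parts; underscores stand in for spaces."""
    m = DEVICE_KEY.match(name)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {name}")
    parts = m.groupdict()
    parts["vendor"] = parts["vendor"].replace("_", " ")
    parts["product"] = parts["product"].replace("_", " ")
    return parts


def parse_instance_id(instance: str) -> dict:
    """Strip the trailing '&N' instance suffix to get the serial.

    If the second character of the remaining id is '&', Windows generated it
    because the device reported no unique serial, so it cannot be tied to one
    specific physical stick.
    """
    serial = re.sub(r"&\d+$", "", instance)
    unique = len(serial) > 1 and serial[1] != "&"
    return {"serial": serial, "unique": unique}


# Constructed sample tree: device key -> list of instance subkeys (not from a real hive).
SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00": ["4C530001234567890123&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["7&2a1b3c4d&0&_&0"],
}


def inventory(tree: dict) -> list:
    rows = []
    for key, instances in tree.items():
        device = parse_device_key(key)
        for inst in instances:
            rows.append({**device, **parse_instance_id(inst)})
    return rows


if __name__ == "__main__":
    for row in inventory(SAMPLE_USBSTOR):
        print(row)
```

The serial is the join key to MountedDevices and to the per-user MountPoints2 entries described above; a non-unique serial means that join will match every device of that model, not one stick.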
Network
What networks the machine joined, what its address was, and which remote hosts it reached.
- NetworkList — the networklist plugin: every network the machine connected to, with first/last connect times and gateway MACs.
- TCP/IP and interfaces — the tcpip plugin: hostname, per-NIC DHCP/static config, and the DHCP server that placed it on a segment.
- PuTTY and WinSCP sessions — the putty plugin: saved SSH/SFTP targets, and the host keys that prove a real connection was made.
Accounts
Who exists on this machine, and what their credentials reveal.
- SAM local accounts — the samparse plugin: local users, RIDs, login counts, password-set times, and account flags.
- ProfileList — the profilelist plugin: the SID-to-username map that gives every other SID-keyed artifact a human name.
- LSA secrets — the lsasecrets plugin: what the names and timestamps of LSA secrets reveal — autologon, service accounts, cached credentials.
User activity
What the human at the keyboard actually did — opened, typed, browsed.
- RecentDocs — the recentdocs plugin: files opened via Explorer, ordered by the MRUListEx blob.
- Open/Save dialogs — the comdlg32 plugin: files opened and saved through common dialogs, as shell PIDLs.
- TypedPaths and TypedURLs — the typedpaths plugin: what the user typed into the Explorer and IE address bars — deliberate intent.
- ShellBags — folder access: which folders, including on removable and network drives, the user browsed.
Foundational context
Read these first — they change how you interpret everything else.
- System time zone — the timezone plugin: the Bias and ActiveTimeBias you need before trusting any local timestamp.
- Installed software — the uninstall plugin: what was installed and when, in both the Uninstall and WOW6432Node keys.
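The time zone entry hides a decoding trap: Bias, ActiveTimeBias and DaylightBias are signed minutes stored in unsigned REG_DWORDs, and Windows defines UTC = local + Bias, so a UTC+1 machine shows Bias = -60, which a naive reader prints as 4294967236. The block below is an added example for this page, not RegRipper or Registry Parser code; it decodes a constructed TimeZoneInformation key and applies the bias to a UTC timestamp of the kind the other plugins return.

```python
import struct
from datetime import datetime, timedelta, timezone


def reg_dword_signed(raw: bytes) -> int:
    """Reinterpret a 4-byte REG_DWORD as a signed little-endian integer."""
    return struct.unpack("<i", raw)[0]


def parse_timezone_key(values: dict) -> dict:
    bias = reg_dword_signed(values["Bias"])
    active = reg_dword_signed(values["ActiveTimeBias"])
    daylight = reg_dword_signed(values["DaylightBias"])
    return {
        "bias_minutes": bias,
        "active_bias_minutes": active,
        # UTC = local + Bias, so the UTC offset is the negated active bias.
        "utc_offset": timedelta(minutes=-active),
        # ActiveTimeBias equals Bias + DaylightBias while DST is in effect.
        "dst_active_at_last_write": daylight != 0 and active == bias + daylight,
        "standard_name": values.get("StandardName"),
    }


def local_time(utc_dt: datetime, active_bias_minutes: int) -> datetime:
    """Registry FILETIMEs are UTC; local wall-clock time = UTC - ActiveTimeBias."""
    return utc_dt.astimezone(timezone(timedelta(minutes=-active_bias_minutes)))


# Constructed sample values (not from a real hive): a UTC+1 zone with DST in effect.
SAMPLE_TZ = {
    "Bias": struct.pack("<i", -60),          # b"\xc4\xff\xff\xff"
    "ActiveTimeBias": struct.pack("<i", -120),
    "DaylightBias": struct.pack("<i", -60),
    "StandardName": "W. Europe Standard Time",
}


def demo() -> datetime:
    tz = parse_timezone_key(SAMPLE_TZ)
    return local_time(datetime(2024, 7, 1, 10, 0, tzinfo=timezone.utc), tz["active_bias_minutes"])


if __name__ == "__main__":
    print(parse_timezone_key(SAMPLE_TZ))
    print(demo().isoformat())
```

ActiveTimeBias reflects the offset at the hive's last write, not at the moment of the artifact you are converting; for an event months earlier, on the other side of a DST change, use Bias plus the appropriate DaylightBias or StandardBias instead.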
Background on the hives and the format
If you are new to registry forensics, start with the mechanics:
- Which registry hive to grab: what each hive holds and what you lose by leaving one behind.
- The regf hive file format, in practice: what a hive looks like on disk and why parsing the edges is hard.
- Recovering deleted registry keys: why deleted cells often survive, and how to recover them.
- A registry triage methodology: the order to work the hives in.
Running the plugins without installing anything
Every artifact above can be extracted in your browser. Registry Parser loads NTUSER.DAT, SOFTWARE, SYSTEM, SAM, SECURITY, USRCLASS.DAT, and Amcache.hve, runs all 140+ artifact plugins at once, correlates the results across hives, and builds a single timeline — entirely client-side, with no upload. It is a fast way to triage a hive when you cannot, or do not want to, install RegRipper on the analysis box.