Registry Parser

Open and Read NTUSER.DAT Online

NTUSER.DAT is the per-user Windows Registry hive, and it is one of the richest artifacts in any investigation — it holds UserAssist program launches, RecentDocs, typed paths, Run-key persistence, mounted volumes, and dozens of other traces of what a user did. This page lets you open and read an NTUSER.DAT file online, for free, with nothing to install.

Open the Registry Parser explorer and drop the hive in. It is parsed entirely in your browser — the file never leaves your machine.

How to open an NTUSER.DAT file

  1. Acquire the hive from C:\Users\<name>\NTUSER.DAT (or from a forensic image or Volume Shadow Copy — it is locked while the user is logged in).
  2. Open the explorer and drag the file onto the drop zone.
  3. Browse the key tree, run all artifact plugins, and read the merged timeline — all locally.

What you can read from NTUSER.DAT

  • Program execution — UserAssist, RecentApps, FeatureUsage and MUICache.
  • File and folder access — RecentDocs, Open/Save dialog history, ShellBags.
  • User intent — TypedPaths and TypedURLs from the address bars.
  • Persistence and devices — per-user Run keys and MountPoints2 volume history.

For the artifact-by-artifact detail, see the RegRipper plugins reference and the deep-dive on UserAssist.

Frequently asked questions

How do I open an NTUSER.DAT file?
Drag the NTUSER.DAT file onto the drop zone, or click to browse for it. The hive is parsed locally in your browser — you can then explore the key tree, run every artifact plugin, and build a timeline. Nothing is uploaded.
Where is NTUSER.DAT located?
Each user profile has its own hive at C:\Users\<name>\NTUSER.DAT. It is locked while the user is logged in, so you normally acquire it from a forensic image, a Volume Shadow Copy, or an offline disk.
Can I read NTUSER.DAT without Windows?
Yes. The parser runs entirely in the browser via WebAssembly, so you can read an NTUSER.DAT hive on macOS or Linux with no Windows machine and no installed software.
Is it safe to open an evidence hive here?
Yes. The file is never uploaded — all parsing happens client-side in your browser — so it is safe to use on evidence and sensitive data.

Open NTUSER.DAT now →