https://www.atlassian.com/fr/git/tutorials
https://git-scm.com/docs
TOC
| chapter | ||
|---|---|---|
| REFERENCE | - ADD | - MERGE |
| USED | - ARCHIVE | - PULL |
| URL | - BRANCH | - PUSH |
| VALUES | - CHECKOUT | - REMOTE |
| GPG | - CLONE | - RESET |
| GITIGNORE | - COMMIT | - STASH |
| TRICKS | - FETCH | - SUBMODULE |
| CONFIG | - LOG | - SWITCH |
| | - DIFF | - TAG |
USEFUL OPTIONS
git -C <path> <commands> # launch git commands in <path> repo
REFERENCE
URL
https://<fqdn>/<user>/<project> # https://github.com/aguytech/Shaarli
git@<fqdn>:<user>/<project>.git # git@github.com:aguytech/Shaarli.git
VALUES
git rev-parse --symbolic-full-name --abbrev-ref @{upstream} # print value for upstream
git rev-parse --symbolic-full-name --abbrev-ref @{push} # print value for push
git for-each-ref --format='%(refname:short) <- %(upstream:short)' refs/heads # show all upstream
git for-each-ref --format='%(upstream:short)' "$(git symbolic-ref -q HEAD)" # idem
git for-each-ref --format='%(refname:short) <- %(push:short)' refs/heads # show the push destination of every local branch
git for-each-ref --format='%(push:short)' "$(git symbolic-ref -q HEAD)" # idem
USED
ADD
git add -i / --interactive # add with interactively mode
git add -u / --update # Update the index for already referred files (just where it already has an entry matching <pathspec>
git add -A / --all / --no-ignore-removal # add all files (new, modified and deleted)
ARCHIVE
git archive -l # list available formats
git archive --format tar.gz -9 -o "$(git br --show-current).$(date +%s).tar.gz" <branch> # create an archive from local <branch> with best compression -9 & in format tar.gz
BRANCH
https://stackoverflow.com/questions/11266478/git-add-remote-branch
list
git branch / git br # print list of local branches
git br -v # print information about local branches
git br -vv # print full information about local branches
git branch -a -vv # print full information about all branches
git br --show-current # show name of current branch
git br -r # print list of remote branches for all repositories
git br -rlv <remote>/<pattern> # list remote branches for <remote> repository & with name matched <pattern>
create
git br <branch> # create a local branch
git br <branch> <remote>/<remote_branch> # create local branch from remote
git push <upstream> <branch> # create remote branch from existing local one
delete
git br -d <branch> # delete local branch
git br -rd <remote>/<branch> # delete the local remote-tracking ref only; the branch on the remote is untouched (use git push -d <remote> <branch> for that)
rename
git br -m <branch> <new_branch># rename local branch
attach to upstream
git fetch # retrieve the upstream branches first if the remote branch is not known locally yet
git br -u <upstream>/<remote_branch> <branch> # attach a local branch to remote existing one
git br --set-upstream-to=<upstream>/<remote_branch> <branch>
CHECKOUT
git co -b <branch> # create a branch from HEAD and switch to it
git co -t <repo>/<branch> -b <branch> # create a local branch from <repo>/<branch> and set upstream
git co --orphan=<branch> # create an orphan branch (without history)
git co --detach <branch> # check out the branch tip as a detached HEAD, for inspection and discardable experiments (-b and --detach cannot be combined)
CLONE
git clone <url> # clone a repository
git clone <url> <path> # clone a repository and change path name to <path>
git clone -b <branch> <url> # clone the repository and check out <branch> instead of the remote HEAD (all branches are still fetched; add --single-branch to fetch only that one)
git clone -b v0.11-snippets --single-branch --no-tags git@github.com:aguytech/Shaarli.git shaarli-snippets # clone from a repository a single branch
COMMIT
# amend
git commit --amend --no-edit # amends a commit without changing its commit message
git commit --amend -m "message" # amends a commit with a new message
DIFF
git diff <file> # view the changes you made relative to the index (staging area for the next commit)
git diff --cached <file> # view the staged changes (index vs HEAD); git diff HEAD <file> compares the working tree with HEAD
git diff @{u} # view the changes between local and upstream branch
FETCH
git fetch upstream # fetch all branches (and their objects) from the upstream remote without touching local branches
git fetch upstream <branch> # fetch only <branch> from the upstream remote
CONFIG
# amend
git config --global init.defaultBranch main # set main as the default branch
git config <variable> # show the value of <variable>
git config --global core.editor vim # set selected editor
git config -l # list all config variables
git config -l --show-origin # list all config variables with their origins
git config -l --name-only # list all names of system config variables
git config -l --local # list config variables defined in the current repository (.git/config)
git config -l --global # list all global config variables for global users
git config -l --system # list all system config variables for system
LOG
git log # show logs
git log HEAD~2 <repo>/<branch> # show after the last 2nd commits
git log -3 <repo>/<branch> # show only the last 3 commits
git log --pretty=format:'%h' -n1 <repo>/<branch> # show short sha of last commit
git log --name-only # with file names
git log --name-status # with file names with its status
git log --stat # with file names with its statisticals
git reflog # show logs with a reference (sha) view
MERGE
git merge -m "message" <branch> # merge <branch> into the current branch, using the given commit message
git merge --allow-unrelated-histories <branch> # allows to merge branch with no common history
PULL
If you tried a pull which resulted in complex conflicts and would want to start over, you can recover with git reset
git pull # update the current local branch from its upstream
git pull <remote> # Update actual local branch from a selected remote
git pull <remote> <branch> # Merge into the current branch the remote branch
<=>
git fetch origin
git merge origin/next
git pull --rebase # fetch, then rebase your local commits on top of the updated remote branch (instead of fetch + merge), so your commits stay on top without a merge commit
pull all submodules (this moves every submodule from the commit pinned by the superproject to its current main: review the resulting diff and commit the new pins explicitly)
git submodule foreach git pull
git submodule foreach git pull origin main
git submodule foreach 'git pull origin main || true' # keep going for submodules with no main branch; note that || true also hides real failures (auth, conflicts), so read the output
PUSH
-q, --quiet Suppress all output
-v, --verbose show details
--progress show progress status
git push --all | --branches # push all branches
git push --tags # push all tags
git push -u <remote> <branch> # set the upstream of the current local branch and push it to the remote (creating the remote branch if needed)
git push --tags # push tags also
git push -d <remote> <branch> # delete remote branch
REMOTE
git remote -v # show the remotes with their fetch and push URLs
git remote add <name> <url> # add a remote source to repository
git remote add -t <branch> <name> <url> # add a remote source to repository only for the branch <branch>
git remote remove <name> # remove/delete the remote source <name>
git remote rename <name> <new_name> # rename a remote source
git remote set-branches <name> <branch1> <branch2> ... # change list of branches tracked by a remote
git remote set-url [--push] <name> <newurl> [<oldurl>] # manipulate push urls
git remote set-url [--add|--delete] <name> <url> # add or delete url
git remote show # list all upstreams
git remote show <name> # show details for a upstream
RESET
git reset --merge # resets the index and updates the files in the working tree that are different between <commit> and HEAD
git reset --hard <commit_sha> # reset branch to commit_sha, 'git reflog' is an better way to find commit_sha
git reset --hard HEAD~1
SWITCH
TAG
git tag # List all tags
git show-ref --tags # List all tags with references
git tag -a -m "message" <tag> # create an unsigned, annotated tag
git tag -s -m "message" <tag> # create a signed tag with a message (set the default key first with git config --global user.signingkey <keyid>)
git tag -u <keyid> -m "message" <tag> # create a signed tag with a specific key (-u implies -s)
git tag -d <tag> # Delete existing tags with the given names
git tag -v <tag> # verify the signature of the given tag(s): the signer's public key must be in your keyring, and unsigned or lightweight tags fail; run this before building or deploying from a tag you did not create yourself
git show-ref --tags # show sha commits with associated tag
git push --delete origin <tag> # delete tag in origin
# rename tag
git tag new old
git tag -d old
git push origin new :old
git fetch --prune --prune-tags # for coworkers: drop the deleted tag locally too (--prune alone only prunes remote-tracking branches, and a fetch/pull with --tags never deletes a local tag)
SUBMODULE
add
git submodule add <url> <path> # add the repository at <url> as a submodule checked out in <path>; url, path and the pinned commit go to .gitmodules and the index, and the pinned commit is what later clones get
git add .gitmodules <path> # stage the new .gitmodules entry and the submodule gitlink
git commit -m "<name>: Add submodule <url> to /<name>" # Commit changes
update
git submodule update --init --recursive <pathspec> # initialize and clone submodules within based on the provided <pathspec>
remove
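# $pathsubmodule must be set: ':?' aborts the shell instead of expanding to an empty string,
# which would turn the second line into 'rm -rf .git/modules/' and wipe every submodule's object store.
git rm --cached -- "${pathsubmodule:?}" # remove the submodule gitlink from the index
rm -rf -- ".git/modules/${pathsubmodule:?}" # remove the submodule repository kept inside the superproject
rm -rf -- "${pathsubmodule:?}" # remove the submodule working tree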
- In file <repo>/.gitmodules, remove section for the corresponding submodule
git add .gitmodules # add modifications in .gitmodules file to index
git commit -m "Remove submodule $pathsubmodule"
git push <upstream> <branch> # git push github main # push branch to origin
clone repo & submodules
git clone --no-remote-submodules <url> <path> # clone the repository alone; submodules are not checked out (this is also the default, the flag only cancels --remote-submodules)
git clone <url> <path>
git clone --remote-submodules <url> <path> # every submodule that gets cloned (add --recurse-submodules, or run 'git submodule init' and 'git submodule update' afterwards) is updated to the tip of its remote-tracking branch instead of the commit pinned by the superproject; the pinned commit is the reviewed one, so keep the default for anything you build or ship
git clone --recurse-submodules <url> <path> # clone repository and its all submodules recursively
git clone --recurse-submodules[=<pathspec>] <url> <path> # clone repository and its filtered submodules by pathspec
STASH
git stash # Stash the changes in a dirty working directory away
git stash push -m "message" # Stash with a message
git stash list # List all stashes
git stash apply stash@{<index>} # Apply a specific stash
git stash pop # Apply the last stash and delete it
git stash drop stash@{<index>} # Drop a specific stash
git stash clear # Delete all stashes
git stash branch <branchname> stash@{<index>} # create a branch from a specific stash
GPG
https://kamarada.github.io/en/2019/07/14/using-git-with-ssh-keys/
GITIGNORE
https://www.atlassian.com/git/tutorials/saving-changes/gitignore
pattern
**/path # match directories anywhere in the repository, relative definition
*.pattern # matches zero or more characters
!pattern # mark to a pattern negates it
/pattern # matches files only in the repository root
path/ # appending a slash indicates the pattern is a directory
debug?.log # a question mark matches exactly one character
debug[0-9].log # Square brackets matches a single character from a specified range like [01] [a-z] [A-Z]
debug[!01].log # an exclamation mark matches any character except one from the specified set
logs/**/debug.log # a double asterisk matches zero or more directories like logs/*day/debug.log
example
*.ba[kt]
*~
!myfile.a # include file in repo
tmp/ # exclude all files in directory tmp
head/**/*.tmp # exclude all files *.tmp in subdirectory of head
TRICKS
Install
https://virtualenv.pypa.io/en/latest/installation.html
manjaro
sudo pacman -S --needed python python-pipx
pipx install virtualenv
Use
https://virtualenv.pypa.io/en/latest/cli_interface.html#creator
virtualenv <path> # create the virtual environment in <path>
virtualenv --creator <path> # create the virtual environment in <path> with specific creator like : cpython3-mac-brew, cpython3-mac-framework, cpython3-posix, cpython3-win, graalpy-posix, graalpy-win, pypy3-posix, pypy3-win, venv
. <path>/bin/activate # activate the virtual environment (the script must be sourced; executing it runs in a subshell and changes nothing)
deactivate # deactivate the virtual environment
which python3 # show which python is now in use
mkisofs
options
-graft-points Allow to use graft points for filenames
-J, -joliet Generate Joliet directory information
-o FILE, -output FILE Set output file name
-quiet Run quietly
-r, -rational-rock Generate rationalized Rock Ridge directory information
-R, -rock Generate Rock Ridge directory information
-root DIR Set root directory for all new files and directories
commands
mkisofs -Jr -o <file> <path> <pat2h> ... # create an iso file from paths
mkisofs -Jr -o <file> -graft-points /<virtualpath1>=/<physicalpath1> /<virtualpath2>=/<physicalpath2> ... # create an iso file from paths with corresponding virtualpath=physicalpath
# create an iso file 'desktop-install.iso' with virtual paths: /bs-desktop, /desktop-manjaro and /desktop-ubuntu
mkisofs -Jr -o /vms/iso/desktop-install.iso -graft-points /bs-desktop=/home/shared/repo/bs-desktop /desktop-manjaro=/home/shared/repo/desktop-manjaro /desktop-ubuntu=/home/shared/repo/desktop-ubuntu
lock/unlock
faillock
faillock --user nikita # show failed login
faillock --reset --user nikita # reset the number of failed login. Allow to login after pam restrict access for example "too many tries"
passwd
passwd --status <user> # show the status of user <user>
passwd -S <user>
passwd --lock <user> # lock user <user>
passwd -l <user>
passwd --unlock <user> # unlock user <user>
passwd -u <user>
usermod
usermod --lock <user> # lock user <user>
usermod -L <user>
usermod --unlock <user> # unlock user <user>
usermod -U <user>
TRICKS
create a local git repository and publish it to github
- create the repo on github
- on local repo:
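# Publish a fresh local repository to GitHub (create the empty repository on GitHub first).
repo_local="<my_local_repo>"                      # directory of the local repository
remote_name="github"                              # name of the remote (github, origin, ...)
remote_url="git@github.com:<user>/<project>.git"  # e.g. git@github.com:aguytech/docker_alpine-alias.git
cd "${repo_local}" || exit 1
git init -b main                                  # start on main directly (git >= 2.28); older git: git init && git branch -M main
printf '# %s\n' "${repo_local##*/}" >> README.md
git add README.md                                 # without this the first commit had nothing staged
git commit -m "first commit: Initialize repo"
git remote add -m main "${remote_name}" "${remote_url}"   # options: -t <branch> to track only one branch, --mirror=fetch|push
git remote -v
git push -u "${remote_name}" main                 # only main
git push --all -u "${remote_name}"                # all branches (--all cannot be combined with a refspec)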
connection with ssh
- import public key to github
- test
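ssh -T -i "${private_key_file}" git@github.com # test the ssh connection; on first connect compare the host key fingerprint ssh shows with the fingerprints GitHub publishes before accepting it
ssh -T -i "${private_key_file}" -p 443 git@ssh.github.com # same test over port 443, for networks that filter port 22
ssh-add "${private_key_file}" # load the key in the agent once instead of retyping the passphrase
# set the default signing key (ssh signing needs git >= 2.34): tell git the key format, then which key to use
git config --global gpg.format ssh
git config --global user.signingkey "${private_key_file}" # the matching .pub path works as well when the key is in the agent
# test with a git command, tracing the ssh negotiation (-vvv also prints which key was offered)
GIT_SSH_COMMAND="ssh -i ${private_key_file} -vvv" git pull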
change remote url for remote existing repository
git remote -v # print https://github.com/user/project
git remote set-url origin git@github.com:user/project.git # change the connection url to use ssh
git remote -v # print git@github.com:user/project.git
delete tags
git tag -d [tag];
git push origin :[tag]
git tag -d [tag]
git push origin :refs/tags/[tag]
create orphan repo from another
Create origin to remote server
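# Create a new repository whose history starts from one branch of another repository
# (an orphan branch: the upstream history is not carried over). Full git commands are used
# so the snippet does not depend on the br/co/st/ci aliases of one machine.
repo_local="shaarli-snippets"             # directory of the new local repository
tmp_branch="dev"                          # orphan branch created from the upstream branch
origin="github"                           # remote name of the new repository
url_origin="git@github.com:aguytech/Shaarli-snippets.git"
upstream="shaarli"                        # remote name of the repository the content comes from
url_upstream="git@github.com:aguytech/Shaarli.git"
upstream_branch="v0.11-snippets"          # the only upstream branch that is tracked
mkdir -p "${repo_local}"
cd "${repo_local}" || exit 1
git init
# remote: the upstream remote is restricted (-t) to the single branch of interest
git remote add "${origin}" "${url_origin}"
git remote add -t "${upstream_branch}" "${upstream}" "${url_upstream}"
git remote -v
git config --get-regexp '^remote'
# upstream: fetch, then start an orphan branch from the tip of the upstream branch
git fetch "${upstream}"
git checkout --orphan="${tmp_branch}" "${upstream}/${upstream_branch}"
git status
git commit -m "Initialize branch from ${upstream}/${upstream_branch} $(git log --pretty=format:'%h' -n 1 "${upstream}/${upstream_branch}")"
# origin: publish the orphan branch, then a master branch created from it
git push --set-upstream "${origin}" "${tmp_branch}"
git checkout -b master
git push --set-upstream "${origin}" master
git branch -vv
git branch -rlv 'github/*'                # quoted: the pattern is for git, not for the shell
# archive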
git archive --format tar.gz -9 -o "master.$(date +%s).tar.gz" master
ssh-keygen -t ed25519 -C "comment" # generate an ed25519 key pair (preferred over rsa)
Dockerfile
...
COPY ./.rc /root/
...
ENV ENV="/root/.rc"
ENTRYPOINT ["/bin/sh"]
...
config.json
{
"auths": {},
"credsStore": "desktop",
"currentContext": "default",
"detachKeys": "ctrl-x,x"
}
dockerfile
docker build -t <name>:<tag> <path_dockefile> # build from path with Dockerfile an image
image
docker image ls # list all images in repo
docker images
docker images --filter "dangling=true" # list only "not labelled" images
docker images -f "label!=alpine" # list only images that do not carry the label 'alpine'
docker images -f "reference=alpine" -f "before=alpine:latest" # list images named alpine that were created before alpine:latest
#-f or --filter format is of "key=value"
# dangling (boolean - true or false)
# label (label=<key> or label=<key>=<value>)
# before (<image-name>[:<tag>], <image id> or <image@digest>)
# since (<image-name>[:<tag>], <image id> or <image@digest>)
# reference (pattern of an image reference)
docker image rm <image> ... # delete the given images
docker rmi $(docker images -f "dangling=true" -q) # delete "dangled" docker images
docker rmi <image> ... # same, short form
docker image rm $(docker images -q) # delete all docker images in repository
docker image prune # delete dangling images (add -a to also delete every image not used by a container)
docker image tag source_image[:tag] target_image[:new_tag] # Create a tag target_image that refers to source_image
docker tag source_image[:tag] target_image[:new_tag] # Create a tag target_image that refers to source_image
container
docker run -dit -p 127.0.0.1:8090:80 --name <container> <image> # run a detached container with a name; bind the published port to localhost, a bare -p 8090:80 listens on every interface of the host and is reachable from the network
docker run --rm <image> # run ephemeral container & associated volumes
docker container attach <container> # Attach local standard input, output, and error streams to a running container
docker attach <container>
docker commit -a <author> -c <Dockerfile> -m <message> <container> [repository[:tag]] # Create a new image from a container's changes
Get
- get URL from web page
https://docs.docker.com/desktop/release-notes/
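url='https://desktop.docker.com/linux/main/amd64/209931/docker-desktop-x86_64.pkg.tar.zst?utm_source=docker&utm_medium=webreferral&utm_campaign=docs-driven-download-linux-amd64'
path=/home/.tmp/docker-desktop
file="${path}/docker-desktop-x86_64.pkg.tar.zst"
mkdir -p "${path}"
# Download to a file first instead of piping the stream into 'sudo tar': -f makes curl fail on an HTTP error
# instead of feeding an error page to tar, -L follows redirects. (The previous '-O ${file}' was wrong: -O takes
# no argument, so ${file} was treated as a second URL; -o sets the output name.)
curl -fsSL "${url}" -o "${file}"
# Compare this against the checksum published with the release before extracting; the content ends up in
# /opt and /usr as root in the install step below.
sha256sum "${file}"
tar -xvf "${file}" --zstd -C "${path}"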
Install
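# Copy the extracted tree into root-owned system paths. Do this only after the archive checksum has been
# verified; '${path:?}' aborts when path is unset instead of silently copying from /opt/* onto itself.
sudo cp -a "${path:?}"/opt/* /opt/
sudo cp -a "${path:?}"/usr/bin/* /usr/bin/
sudo cp -a "${path:?}"/usr/lib/docker /usr/lib/
sudo cp -a "${path:?}"/usr/lib/systemd/user/* /usr/lib/systemd/user/
sudo cp -a "${path:?}"/usr/share/applications/* /usr/share/applications/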
Uninstall
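# Paths installed above, listed relative to /. The loop prefixes the '/' itself: the previous version
# removed the relative names, so run from any directory other than / it deleted nothing.
paths="opt/docker-desktop
usr/bin/docker-credential-desktop
usr/lib/docker/
usr/lib/systemd/user/docker-desktop.service
usr/share/applications/docker-desktop-uri-handler.desktop
usr/share/applications/docker-desktop.desktop"
for path in ${paths}; do sudo rm -fR -- "/${path}"; done
/var/lib/docker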
docker info | grep 'Storage Driver'
btrfs
btrfs subvolume create docker-zetar
echo "UUID=2732b516-0c65-4b4c-ac56-a9865132649d /var/lib/docker btrfs defaults,noatime,ssd,space_cache=v2,autodefrag,compress=zstd,subvol=/docker-zetar 0 2" # fstab entry the 'mount /var/lib/docker' step below relies on: use the UUID of the filesystem holding the docker-zetar subvolume just created (the line as originally noted mounted /home/nikita on subvol user-zetar, i.e. a different subvolume) and add it to /etc/fstab
docker
su -
systemctl stop docker.service docker.socket
cp -a /var/lib/docker /var/lib/docker.bk
rm -fR /var/lib/docker/*
mount /var/lib/docker
systemctl daemon-reload
cp -a /var/lib/docker.bk/* /var/lib/docker/
# /etc/docker/daemon.json
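# /etc/docker/daemon.json: make the daemon use the btrfs storage driver (run as root)
path=/etc/docker
file="${path}/daemon.json"
[ -d "${path}" ] || mkdir -p "${path}"
[ -f "${file}" ] || printf '{\n}\n' > "${file}"
if grep -q '"storage-driver"' "${file}"; then
    # replace only the value of the existing key (the old '"storage-driver.*"' pattern was greedy and
    # could swallow other keys sharing the line)
    sed -i 's|"storage-driver"[[:space:]]*:[[:space:]]*"[^"]*"|"storage-driver": "btrfs"|' "${file}"
elif [ "$(tr -d ' \t\n' < "${file}")" = "{}" ]; then
    # empty object: write the key alone (a trailing comma would be invalid JSON)
    printf '{\n  "storage-driver": "btrfs"\n}\n' > "${file}"
else
    # object with other keys: insert right after the opening brace, with the comma JSON requires
    # (inserting before '}' without a comma, as before, produced a file the daemon refuses to load)
    sed -i '0,/{/ s|{|{\n  "storage-driver": "btrfs",|' "${file}"
fi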
systemctl start docker.service docker.socket
systemctl status docker
docker info | grep 'Storage Driver'
docker info | grep 'Storage Driver'
Install
sudo pacman -Syu
sudo pacman -S docker
Service
sudo systemctl start docker.service
sudo systemctl enable docker.service
sudo systemctl status docker
User
sudo usermod -aG docker $USER # let $USER use the docker socket without sudo; membership of the docker group is root-equivalent (any member can bind-mount / into a privileged container), so grant it only to accounts you would also give sudo
reboot
User
docker pull hello-world
docker run hello-world
Basic commands
docker images # list all images
docker container ls # list all containers
docker stats # CPU, RAM and network usage of running containers
docker network ls # show all available networks
start
log mimikatz.log
lsadump
cd <path_hive> # directory holding the SYSTEM and SAM hives exported from the target
log c:\lsadump.log
lsadump::sam /system:SYSTEM /sam:SAM # dump the local account hashes from the offline hive files (the SYSTEM hive is needed for the boot key that protects SAM)
exit
hivexsh
hivexsh [-options] [hivefile]
Provides a simple shell for navigating Windows Registry 'hive' files
options
-d # Enable lots of debug messages. If you find a Registry file that this program cannot parse, please enable this option and post the complete output and the Registry hive file in your bug report.
-f filename # Read commands from "filename" instead of stdin. To write a hivexsh script, use: #!/usr/bin/hivexsh -f
-u # Use heuristics to tolerate certain levels of corruption within hives. This is unsafe but may allow to export/merge valid keys/values in an otherwise corrupted hive.
-w # If this option is given, then writes are allowed to the hive (see "commit" command below, and the discussion of modifying hives in "WRITING TO HIVE FILES" in hivex(3)). Important Note: Even if you specify this option, nothing is written to a hive unless you call the "commit" command. If you exit the shell without committing, all changes will be discarded. If this option is not given, then write commands are disabled.
commands
add name # Add a subkey named "name" below the current node. The name may contain spaces and punctuation characters, and does not need to be quoted.
cd path # Change to the subkey "path". Use Windows-style backslashes to separate path elements, and start with a backslash in order to start from the root of the hive. For example:
close | unload # Close the currently loaded hive. If you modified the hive, all uncommitted writes are lost when you call this command (or if the shell exits). You have to call "commit" to write changes.
commit [newfile] # Commit changes to the hive. If the optional "newfile" parameter is supplied, then the hive is written to that file, else the original file is overwritten.
del # Delete the current node and everything beneath it. The current directory is moved up one level (as if you did "cd ..") after this command.
exit | quit # Exit the shell.
load hivefile # Load the binary hive named "hivefile". The currently loaded hive, if any, is closed. The current directory is changed back to the root node.
ls # List the subkeys of the current hive Registry key. Note this command does not take any arguments.
lsval [key] # List the (key, value) pairs of the current hive Registry key. If no argument is given then all pairs are displayed. If "key" is given, then the value of the named key is displayed. If "@" is given, then the value of the default key is displayed.
setval nrvals # This command replaces all (key, value) pairs at the current node with the values in subsequent input. "nrvals" is the number of values (ie. (key, value) pairs), and any existing values at this node are deleted. So "setval 0" just deletes any values at the current node.
hivexget
hivexget hivefile PATH [NAME]
Get subkey from a Windows Registry binary "hive" file
example
hivexget ${path_hive}/SAM "SAM\Domains\Account\Users\000003E9" V
hivexml
hivexml [-dk] HIVE > FILE
Convert Windows Registry binary "hive" into XML
options
-d # Enable lots of debug messages. If you find a Registry file that this program cannot parse, please enable this option and post the complete output and the Registry file in your bug report.
-k # Keep going even if we find errors in the Registry file. This skips over any parts of the Registry that we cannot read.
-u # Use heuristics to tolerate certain levels of corruption within hives. This is unsafe but may allow to export/merge valid keys/values in an otherwise corrupted hive.
Install
sudo apt install -y libhivex-bin
https://helpmanual.io/man8/chntpw/
chntpw
chntpw [options] <samfile> [systemfile] [securityfile] [otherreghive] [...]
Utility to overwrite passwords of Windows systems
usage
chntpw -i $hive
options
-u username # Username or username ID (RID) to change. The default is 'Administrator'.
-l # List all users in the SAM database and exit.
-i # Interactive Menu system: list all users (as per -l option) and then ask for the user to change.
-e # Registry editor with limited capabilities (but it does include write support). For a slightly more powerful editor see reged
-d # Use buffer debugger instead (hex editor)
-L # Log all changed filenames to /tmp/changed. When this option is set the program automatically saves the changes in the hive files without prompting the user. Be careful when using the -L option as root on a multiuser system: the filename is fixed and predictable, so a malicious user can drop a symlink with the same name to make the program overwrite system files.
-N # Do not allocate more information, only allow the editing of existing values with same size.
-E # Do not expand the hive file (safe mode).
commands
hive [<n>] # list loaded hives or switch to hive number n
cd <key> # change current key
ls | dir [<key>] # show subkeys & values,
cat | type <value> # show key value
dpi <value> # show decoded DigitalProductId value
hex <value> # hexdump of value data
ck [<keyname>] # Show keys class data, if it has any
nk <keyname> # add key
dk <keyname> # delete key (must be empty)
ed <value> # Edit value
nv <type#> <valuename> # Add value
dv <valuename> # Delete value
delallv # Delete all values in current key
rdel <keyname> # Recursively delete key & subkeys
ek <filename> <prefix> <keyname> # export key to <filename> (Windows .reg file format)
debug # enter buffer hexeditor
st [<hexaddr>] # debug function: show struct info
q # quit
reged
reged [options] -x<registryhivefile><prefixstring><key><output.reg>
reged [options] -I<registryhivefile><prefixstring><input.reg>
reged [options] -e<registryhivefile>
Utility to export/import and edit a Windows registry hives
usage
reged -x SYSTEM 'HKEY_LOCAL_MACHINE\SYSTEM' 'ControlSet001\Control\Lsa\Skew1' test.reg
modes
-x <registryhivefile> <prefixstring> <key> <output.reg> # Export. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE and <key> is the key to dump (recursively); \ or \\ means all keys in the hive. Only one .reg and one hive file supported at the same time
-I <registryhivefile> <prefixstring> <input.reg> # Import from .reg file. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE. Only one .reg and one hive file supported at the same time
-e <registryhive> ... # Interactive edit one or more of registry files
options
-L # Log changed filenames to /tmp/changed, also auto-saves
-C # Auto-save (commit) changed hives without asking
-N # No allocate mode, only allow edit of existing values with same size
-E # No expand mode, do not expand hive file (safe mode)
-t # Debug trace of allocated blocks
-v # Some more verbose messages
sampasswd
sampasswd [options] -uuser <samfile>
Reset passwords of users in the SAM user database
options
-r # Reset the user's password.
-a # Reset all the users. If this option is used there is no need to specify the next option.
-u <user> # User to change. The user value can be provided as a username, or a RID number in hexadecimal (if the username is preceded with '0x').
-l # Lists the users in the SAM database.
-H # Output human readable output. The program by default will print a parsable table unless this option is used.
-N # Do not allocate more information, only allow the editing of existing values with same size.
-E # Do not expand the hive file (safe mode).
-t # Print debug information of allocated blocks.
-v # Print verbose information and debug messages.
Install
sudo apt install -y chntpw
xubuntu 20.04 - focal
virt-manager
host
<filesystem type="mount" accessmode="mapped" fmode="0660" dmode="0770">
<source dir="/vms/share"/>
<target dir="/hostshare"/>
<address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
</filesystem>
#sudo usermod -G libvirtd -a $USER
sudo usermod -G libvirt-qemu -a $USER
hostpath=/vms/share
sudo chown -R libvirt-qemu:libvirt-qemu $hostpath
sudo setfacl -Rm g:libvirt-qemu:rwx $hostpath
sudo setfacl -d -Rm g:libvirt-qemu:rwx $hostpath
guest
sudo sh -c 'echo "9p
9pnet
9pnet_virtio" >> /etc/initramfs-tools/modules'
sudo update-initramfs -u
sudo sh -c 'echo "# qemu share
hostshare /share 9p trans=virtio,version=9p2000.L,rw,umask=002 0 0" >> /etc/fstab'
global
install
update
sudo apt remove -y gimp* libreoffice-* thunderbird* transmission-gtk
sudo apt update
sudo apt list --upgradable
sudo apt -y dist-upgrade
sudo apt -y autoremove
system
sudo apt install -y binutils-common bsdmainutils curl debconf-utils exfat git gnupg2 gparted hfsprogs htop kpartx lnav most net-tools p7zip-full p7zip-rar pv rar sysstat testdisk tmux tree unrar vim xsysinfo # openssh-server
sudo apt install -y dconf-editor firefox-locale-fr galculator gpicview meld plank qt5ct qt5-gtk2-platformtheme thunar-media-tags-plugin tumbler-plugins-extra
conf
qt5-ct to fusion
global
sudo swapoff -av && sudo sh -c 'echo vm.swappiness=10 > /etc/sysctl.d/99-swappiness.conf' # limit swap
sudo rm /etc/localtime && sudo ln -sv /usr/share/zoneinfo/Etc/UTC /etc/localtime
software-properties-gtk # add canonical partners
export QT_QPA_PLATFORMTHEME=gtk2
printf '\n# QT\nexport QT_QPA_PLATFORMTHEME=gtk2\n' >> ~/.profile # printf: bash's echo without -e writes the \n literally (the java line below relies on echo -e)
echo -e "\n#JAVA\nexport _JAVA_OPTIONS=\"-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel \${_JAVA_OPTIONS}\"" >> ~/.profile
menulibre # edit menu
path=~/.config/autostart
[ -d ${path} ] || mkdir ${path}
echo '[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=plank
Comment=plank
Exec=plank
OnlyShowIn=XFCE;
RunHook=0
StartupNotify=false
Terminal=false
Hidden=false' > ${path}/plank.desktop
plank --preferences &
trans
# HOST
path=/vms/share/trans; [ -d ${path} ] || mkdir -p ${path}
cp -r ~/dev/ /vms/share/trans/
# GUEST
path=~/.local/share/icons; [ -d ${path} ] || mkdir -p ${path}
path=~/.local/share/applications; [ -d ${path} ] || mkdir -p ${path}
path=/share/trans/dev
path_conf=${path}/install-desktop/conf
cp ${path_conf}/foralyse/.bashrc ~/
cp ${path_conf}/foralyse/.bash_alias ~/
sudo cp ${path_conf}/foralyse/.bashrc /root/
sudo cp ${path_conf}/foralyse/.bash_alias /root/
cp ${path}/install/conf/foralyse/.vimrc ~/
sudo cp ${path}/install/conf/vim/* /usr/share/vim/vim*/colors/
sudo cp ${path_conf}/soft/meld-dark.xml /usr/share/meld/styles/
sudo cp ${path_conf}/wp/* /usr/share/xfce4/backdrops/
sudo cp ${path_conf}/bash-completion/* /usr/share/bash-completion/completions/
sudo cp ${path_conf}/icons/tmux.svg /usr/share/icons/default/
sudo cp ${path_conf}/foralyse/xfce4-terminal-tmux.desktop ~/.local/share/applications/
cp ${path_conf}/foralyse/xfce4-terminal-tmux.desktop ~/.local/share/applications/
cp ${path_conf}/icons/* ~/.local/share/icons
sudo ln -sv /usr/share/bash-completion/completions/tmux.git /usr/share/bash-completion/completions/tmux
sudo chmod +r /usr/share/icons/default/tmux.svg
sudo chmod +r /usr/share/bash-completion/completions/tmux*
sudo chmod +r /usr/share/xfce4/backdrops/*
sublime text
file="/etc/hosts"
sudo sh -c "echo '\n# sublime-text hack\n127.0.0.1\tsublimetext.com\n127.0.0.1\twww.sublimetext.com\n127.0.0.1\tlicense.sublimehq.com' >> ${file}"
ips="45.55.255.55"
for ip in ${ips}; do sudo iptables -A OUTPUT -d ${ip} -j DROP; done
path=/etc/iptables
[ -d "${path}" ] || sudo mkdir "${path}"
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
cat ${S_PATH_INSTALL_CONF}/soft/sublime-text.license
forensic
global
# network
sudo apt install -y whois
# pwd & evtx & process
sudo apt install -y john libscca-utils pev radare2
# hive
sudo apt install -y libhivex-bin chntpw reglookup
# gui
sudo apt install -y bless geany ghex gpicview gtkhash wxhexeditor
conf
bless
cp /usr/share/bless/*.layout ~/.config/bless/layouts/
kali
#sudo sh -c "echo '# kali\ndeb http://http.kali.org/kali kali-rolling main non-free contrib' > /etc/apt/sources.list.d/kali.list
#wget -q -O - archive.kali.org/archive-key.asc | sudo apt-key add - # apt-key is deprecated (keys belong in /etc/apt/keyrings with a signed-by= option in the source entry) and mixing the Kali repository into Ubuntu is unsupported, which is presumably why these lines are kept commented out
#sudo apt update
#sed -i '/^deb/ s|^|#|' /etc/apt/sources.list.d/kali.list
#sudo apt update
python
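# Python 3 with pip from the distro, then a legacy Python 2 interpreter for the
# python2-only tools below (balbuzard, volatility2).
sudo apt-get install -y python3 python3-pip
. ~/.profile   # picks up ~/.local/bin on PATH for per-user pip installs
sudo apt-get install -y python2 # python2-dev
# Python 2 is end-of-life and pip for 2.7 no longer receives updates. The
# bootstrap script is fetched over HTTPS but not otherwise verified; `-f` makes
# curl fail on an HTTP error instead of saving the error page, which the next
# line would then execute as Python.
cd /tmp && curl -fsSL https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py
python2 get-pip.py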
pip2
# Python 2 package, pulled unpinned from PyPI (-U = newest release every run).
python2 -m pip install -U balbuzard
pip3
# Per-user (no sudo) install into ~/.local. Pin versions if the analysis
# workstation has to be reproducible; -U silently moves to whatever is newest.
python3 -m pip install -U malcarve regrippy
binwalk
dependencies
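# Archive/filesystem extractors binwalk shells out to. `-y` was missing here
# (every other apt call in this file has it), so an unattended run would stop
# at the confirmation prompt.
sudo apt install -y mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsswap squashfs-tools lzop srecord
# Python-side dependencies (per-user install, unpinned latest).
python3 -m pip install -U nose coverage pycryptodome pyqtgraph capstone matplotlib
. ~/.profile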
github
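# Out-of-tree extractors used by binwalk. Each one is built from the HEAD of a
# GitHub repository and installed as root with `setup.py install`: nothing is
# pinned or signature-checked, so this is a supply-chain trust decision. On an
# analysis box, `git checkout <reviewed sha>` before building.
# Install sasquatch to extract non-standard SquashFS images
sudo apt install -y zlib1g-dev liblzma-dev liblzo2-dev
cd /tmp && git clone https://github.com/devttys0/sasquatch
cd sasquatch && ./build.sh
# Install jefferson to extract JFFS2 file systems
python3 -m pip install -U cstruct
cd /tmp && git clone https://github.com/sviehb/jefferson
cd jefferson && sudo python3 setup.py install
# Install ubi_reader to extract UBIFS file systems
sudo apt install -y liblzo2-dev
python3 -m pip install -U python-lzo
cd /tmp && git clone https://github.com/jrspruitt/ubi_reader
cd ubi_reader && sudo python3 setup.py install
# Install yaffshiv to extract YAFFS file systems
cd /tmp && git clone https://github.com/devttys0/yaffshiv
cd yaffshiv && sudo python3 setup.py install
# Install unstuff (closed source) to extract StuffIt archive files.
# The tarball comes over plain HTTP with no checksum and the original piped it
# straight into tar. Download to a file first (-f: fail on an HTTP error instead
# of feeding an error page to tar), record its hash, then extract and install.
# It is an i386 binary; on amd64 it presumably needs the 32-bit runtime libraries.
cd /tmp && curl -fsS -o stuffit520.611linux-i386.tar.gz http://downloads.tuxfamily.org/sdtraces/stuffit520.611linux-i386.tar.gz
sha256sum stuffit520.611linux-i386.tar.gz   # compare with a value from a source you trust before continuing
tar -zxvf stuffit520.611linux-i386.tar.gz
sudo cp bin/unstuff /usr/local/bin/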
pandoc
# sudo apt install pandoc texlive-latex-base texlive-latex-recommended texlive-latex-extra
# pandoc -s -o $fileout $filein
binwalk
# binwalk from the ReFirmLabs repository HEAD, installed system-wide as root.
# Unpinned: check the repository's current install instructions first — the
# upstream layout has changed across major versions, so `setup.py install` may
# not apply to the revision you check out.
cd /tmp && git clone https://github.com/ReFirmLabs/binwalk
cd binwalk && sudo python3 setup.py install
regripper
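# RegRipper 3.0 on top of the distro's Parse::Win32Registry.
sudo apt-get install -y libparse-win32registry-perl
# Locate the installed module tree. Guard against an empty result: with ${path}
# unset the mv/ln below would operate on "/WinNT/…" and "/Base.pm".
path=$(find /usr/share -type d -name Win32Registry | head -n 1)
: "${path:?Parse::Win32Registry not found under /usr/share}"
# Unpinned clone executed as root — review/pin a commit before trusting it on an analysis box.
cd /usr/share && sudo git clone https://github.com/keydet89/RegRipper3.0.git
sudo mv RegRipper3.0 regripper
# RegRipper ships its own copies of three Parse::Win32Registry modules; the
# distro files are moved aside (timestamped) and replaced by symlinks. This
# changes the module for EVERY perl program on the machine, not only rip.pl.
for file in WinNT/File.pm WinNT/Key.pm Base.pm; do
  sudo mv "${path}/${file}" "${path}/${file}.$(date +%s)"
  sudo ln -sv "/usr/share/regripper/${file##*/}" "${path}/${file}"
done
cd regripper
sudo cp -a rip.pl "rip.pl.$(date +%s)"
# Point rip.pl at the system-wide plugin directory and at the perl found on PATH.
sudo sed -i '/^my @alerts = ();/a my \$plugindir = "/usr/share/regripper/plugins/";' rip.pl
sudo sed -i "1c #! $(command -v perl)\nuse lib qw(/usr/lib/perl5/);" rip.pl
sudo chmod +x rip.pl
sudo ln -sv /usr/share/regripper/rip.pl /usr/bin/regripper
sudo ln -sv /usr/share/regripper/rip.pl /usr/bin/rip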
volatility
volatility3
# Backing libraries for volatility3 (e.g. yara-python for the yara scan plugins
# listed below; the others presumably serve individual plugins). Per-user install,
# unpinned latest.
python3 -m pip install -U pefile yara-python capstone pycryptodome jsonschema leechcorepyc python-snappy
python3 -m pip install -U volatility3
# Per-user pip puts the `vol` entry point in ~/.local/bin; alias it as vol3 so it
# can coexist with vol2 (volatility2, installed below under /usr/local/bin).
cd ~/.local/bin && ln -sv vol vol3
volatility2
https://github.com/volatilityfoundation/volatility/wiki/Installation
# volatility2 is Python 2 only. pycrypto is unmaintained (pycryptodome is its
# maintained successor) but it is what the upstream install page linked above
# asks for; keep it confined to this python2 environment.
sudo apt -y install pcregrep libpcre++-dev python-dev
python2 -m pip install distorm3 ipython openpyxl pycrypto pytz ujson yara-python
libforensic1394
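# libforensic1394 (FireWire DMA acquisition) and its python binding.
sudo apt install -y cmake
cd /tmp
git clone https://github.com/FreddieWitherden/libforensic1394
cd libforensic1394
# -p: a leftover build/ directory would make `mkdir` fail, skip the `cd`, and
# run cmake in the source tree instead.
mkdir -p build && cd build
cmake -G"Unix Makefiles" ../
# Build as the unprivileged user; only the install step needs root.
make
sudo make install
sudo ldconfig   # register the new library under /usr/local/lib
cd ../python
sudo python setup.py install   # `python` must be the interpreter volatility2 uses (Python 2 here)
# Compatibility shim: exposes the built library under a different SONAME
# (presumably the one some consumer links against). This only works while the
# ABI really is compatible — re-check after upgrading either side.
sudo ln -sv /usr/local/lib/libforensic1394.so.0.3.0 /usr/lib/libforensic1394.so.2
cd
sudo rm -fR /tmp/libforensic1394
# cmake was only a build dependency.
sudo apt remove cmake
sudo apt autoremove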
volatility
# volatility2 from git into /opt. The clone runs unprivileged, so /opt must be
# writable by this user (not shown here; otherwise clone with sudo or into /tmp).
cd /opt
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
# Strips the git metadata: saves space but also removes the ability to verify
# which revision was installed or to pull fixes later. Note the commit hash first.
rm -fR .git
sudo python setup.py install   # `python` must be Python 2 (see the python2 pip line above)
cd /usr/local/bin
sudo ln -sv vol.py vol2   # relative symlink: both entries live in /usr/local/bin
vol2 -h
wireshark
# Newer Wireshark from the wireshark-dev PPA (Launchpad, so Ubuntu-based hosts
# only). Adding a PPA means trusting that team's signing key for every future
# apt run. The package typically asks whether non-root users may capture
# (dumpcap via the wireshark group) — answer according to your policy.
sudo add-apt-repository -y ppa:wireshark-dev/stable
sudo apt update
sudo apt install -y tshark wireshark
autopsy
global
# Shared drop folder holding the JDK / Sleuth Kit / Autopsy artefacts used below.
path_share=/share
sudo apt-get update
# Disk-image tooling: afflib (AFF), ewf-tools (E01), xmount, testdisk, fdupes;
# java-common for the JDK setup that follows.
sudo apt install -y afflib-tools testdisk ewf-tools xmount fdupes java-common
# Image libraries (HEIF/HEVC decoding) — presumably for picture handling in Autopsy.
sudo apt-get install -y imagemagick libde265-0 libheif1
java
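# Oracle JDK 8 from a tarball staged in ${path_share}, installed by a third-party
# helper script fetched from GitHub and run as root.
# Glob instead of parsing `ls`; the last match is used if several tarballs exist.
jdk_files=("${path_share}"/jdk-8*linux-x64.tar.gz)
java_file=${jdk_files[-1]}
[ -f "${java_file}" ] || echo "no jdk-8*linux-x64.tar.gz found under ${path_share}" >&2
file=/usr/local/bin/oracle-java-installer.sh
# The installer is an unpinned script from a repository's master branch that is
# then executed with sudo: pin a commit in the URL and read it before running.
# `-f` makes curl fail on an HTTP error instead of saving the error page into
# /usr/local/bin and marking it executable.
sudo curl -fsSL https://raw.githubusercontent.com/labcif/oracle-java-installer/master/oracle-java-installer.sh -o "${file}"
#sudo sed -i s'/update-java-alternatives -a/update-alternatives --auto java/' /usr/local/bin/oracle-java-installer.sh
#sudo sed -i s'/update-java-alternatives -l/update-alternatives --list java/' /usr/local/bin/oracle-java-installer.sh
sudo sed -i 's|tar -xvzf|tar -xzf|' "${file}"   # quieter extraction
sudo chmod +x "${file}"
sudo "${file}" --install "${java_file}"
. /etc/profile.d/jdk.sh   # presumably written by the installer — verify the path if it is missing
"${file}" --status "${java_file}"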
base64sha
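# b64sha helper script, system-wide. Unpinned script from a repository's master
# branch: pin a commit and read it before installing. Download as the user into
# an unpredictable temp file (-f: fail on HTTP errors instead of installing the
# error page), then install with an explicit mode.
file=/usr/local/bin/b64sha
tmp=$(mktemp) || exit 1
curl -fsSL https://raw.githubusercontent.com/labcif/Base64SHA/master/b64sha -o "${tmp}"
sudo install -m 0755 "${tmp}" "${file}"
rm -f -- "${tmp}"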
sleuthkit
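# Sleuth Kit Java bindings .deb staged in ${path_share} (glob, not `ls` parsing;
# last match wins if several are present).
sleuthkit_files=("${path_share}"/sleuthkit-java_*_amd64.deb)
sleuthkit_file=${sleuthkit_files[-1]}
# Split "sleuthkit-java_<upstream>-<debrev>_amd64.deb" into its two version
# parts. The variable names say major/minor, but the values are the upstream
# version and the Debian revision (now allowing a multi-digit revision).
read -r sleuthkit_version_major sleuthkit_version_minor <<<"$(printf '%s' "${sleuthkit_file}" | sed 's|^.*/sleuthkit-java_\([0-9_\.]\+\)-\([0-9]\+\)_amd64.deb|\1 \2|')"
# An absolute path makes apt treat the argument as a local package file.
sudo apt install -y "${sleuthkit_file}"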
autopsy
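# Autopsy release zip staged in ${path_share}, unpacked to /opt/<name> with an
# /opt/autopsy symlink pointing at the active version.
autopsy_zips=("${path_share}"/autopsy-*.zip)
file=${autopsy_zips[-1]}
path=${file%.zip} && path=/opt/${path##*/}
sudo unzip -q -d /opt/ "${file}"
# The tree is handed to the login user, presumably because unix_setup.sh needs
# to write into it. On an analysis workstation this also makes the tool's own
# binaries/jars modifiable by that account — consider chowning back to root
# once setup has finished.
sudo chown -R "${USER}:${USER}" "${path}"
cd /opt && sudo ln -sv "${path##*/}" autopsy
cd "${path}"
sh unix_setup.sh
# ~/.local/bin does not exist on a fresh profile.
mkdir -p ~/.local/bin
ln -sv "${path}/bin/autopsy" ~/.local/bin/autopsy
autopsy --nosplash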
launcher
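# XDG launcher for Autopsy. Icon relies on the /opt/autopsy symlink and Exec on
# ~/.local/bin being on PATH. The applications directory is created first (the
# redirect fails on a fresh profile); quoted heredoc, so nothing is expanded.
mkdir -p ~/.local/share/applications
cat > ~/.local/share/applications/autopsy.desktop <<'EOF'
[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
Icon=/opt/autopsy/icon.ico
Name=Autopsy
Exec=autopsy
EOF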
addons
ReportModules / ForensicExpertWitnessReport
https://github.com/chriswipat/forensic_expert_witness_report_module
IngestModules / FileHistory
https://medium.com/@markmckinnon_80619/windows-file-history-plugin-a6208da4efa5
IngestModules / Volatility
https://markmckinnon-80619.medium.com/volatility-autopsy-plugin-module-8beecea6396
install
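# volatility3 for the Autopsy Volatility ingest module (per-user pip install).
python3 -m pip install -U pip
python3 -m pip install -U volatility3
# pip without sudo installs for the user, so the `vol` entry point lands in
# ~/.local/bin — not /usr/local/bin as the original symlink assumed (it would
# have dangled). Same layout as the volatility3 section above.
cd ~/.local/bin && ln -sv vol vol3; cd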
help
volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q]
[-r RENDERER] [-f FILE] [--write-config] [--clear-cache] [--cache-path CACHE_PATH] [--offline] [--single-location SINGLE_LOCATION]
[--stackers [STACKERS [STACKERS ...]]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS [SINGLE_SWAP_LOCATIONS ...]]]
plugin ...
An open-source memory forensics framework
-c CONFIG, --config CONFIG # Load the configuration from a json file
--parallelism [{processes,threads,off}] # Enables parallelism (defaults to off if no argument given)
-e EXTEND, --extend EXTEND # Extend the configuration with a new (or changed) setting
-p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS # Semi-colon separated list of paths to find plugins
-s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS # Semi-colon separated list of paths to find symbols
-v, --verbosity # Increase output verbosity
-l LOG, --log LOG # Log output to a file as well as the console
-o OUTPUT_DIR, --output-dir OUTPUT_DIR # Directory in which to output any generated files
-q, --quiet # Remove progress feedback
-r RENDERER, --renderer RENDERER # Determines how to render the output (quick, csv, pretty, json, jsonl)
-f FILE, --file FILE # Shorthand for --single-location=file:// if single-location is not defined
--write-config # Write configuration JSON file out to config.json
--clear-cache # Clears out all short-term cached items
--cache-path CACHE_PATH # Change the default path (/home/tsurugi/.cache/volatility3) used to store the cache
--offline # Do not search online for additional JSON files
--single-location SINGLE_LOCATION # Specifies a base location on which to stack
--stackers [STACKERS [STACKERS ...]] # List of stackers
--single-swap-locations [SINGLE_SWAP_LOCATIONS [SINGLE_SWAP_LOCATIONS ...]] # Specifies a list of swap layer URIs for use with single-location
windows
windows.bigpools.BigPools # List big page pools
windows.cachedump.Cachedump # Dumps lsa secrets from memory
windows.callbacks.Callbacks # Lists kernel callbacks and notification routines
windows.cmdline.CmdLine # Lists process command line arguments
windows.crashinfo.Crashinfo
windows.dlllist.DllList # Lists the loaded modules in a particular windows memory image
windows.driverirp.DriverIrp # List IRPs for drivers in a particular windows memory image
windows.driverscan.DriverScan # Scans for drivers present in a particular windows memory image
windows.dumpfiles.DumpFiles # Dumps cached file contents from Windows memory samples
windows.envars.Envars # Display process environment variables
windows.filescan.FileScan # Scans for file objects present in a particular windows memory image
windows.getservicesids.GetServiceSIDs # Lists process token sids
windows.getsids.GetSIDs # Print the SIDs owning each process
windows.handles.Handles # Lists process open handles
windows.hashdump.Hashdump # Dumps user hashes from memory
windows.info.Info # Show OS & kernel details of the memory sample being analyzed
windows.lsadump.Lsadump # Dumps lsa secrets from memory
windows.malfind.Malfind # Lists process memory ranges that potentially contain injected code
windows.memmap.Memmap # Prints the memory map
windows.modscan.ModScan # Scans for modules present in a particular windows memory image.
windows.modules.Modules # Lists the loaded kernel modules
windows.mutantscan.MutantScan # Scans for mutexes present in a particular windows memory image
windows.netscan.NetScan # Scans for network objects present in a particular windows memory image
windows.netstat.NetStat # Traverses network tracking structures present in a particular windows memory image.
windows.poolscanner.PoolScanner # A generic pool scanner plugin
windows.privileges.Privs # Lists process token privileges
windows.pslist.PsList # Lists the processes present in a particular windows memory image
windows.psscan.PsScan # Scans for processes present in a particular windows memory image
windows.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
windows.registry.certificates.Certificates # Lists the certificates in the registry's Certificate Store
windows.registry.hivelist.HiveList # Lists the registry hives present in a particular memory image
windows.registry.hivescan.HiveScan # Scans for registry hives present in a particular windows memory image.
windows.registry.printkey.PrintKey # Lists the registry keys under a hive or specific key value
windows.registry.userassist.UserAssist # Print userassist registry keys and information
windows.skeleton_key_check.Skeleton_Key_Check # Looks for signs of Skeleton Key malware
windows.ssdt.SSDT # Lists the system call table
windows.statistics.Statistics
windows.strings.Strings # Reads output from the strings command and indicates which process(es) each string belongs to
windows.svcscan.SvcScan # Scans for windows services
windows.symlinkscan.SymlinkScan # Scans for links present in a particular windows memory image
windows.vadinfo.VadInfo # Lists process memory ranges
windows.vadyarascan.VadYaraScan # Scans all the Virtual Address Descriptor memory maps using yara
windows.verinfo.VerInfo # Lists version information from PE files
windows.virtmap.VirtMap # Lists virtual mapped sections
linux
linux.bash.Bash # Recovers bash command history from memory
linux.check_afinfo.Check_afinfo # Verifies the operation function pointers of network protocols
linux.check_creds.Check_creds # Checks if any processes are sharing credential structures
linux.check_idt.Check_idt # Checks if the IDT has been altered
linux.check_modules.Check_modules # Compares module list to sysfs info, if available
linux.check_syscall.Check_syscall # Check system call table for hooks
linux.elfs.Elfs # Lists all memory mapped ELF files for all processes
linux.keyboard_notifiers.Keyboard_notifiers # Parses the keyboard notifier call chain
linux.kmsg.Kmsg # Kernel log buffer reader
linux.lsmod.Lsmod # Lists loaded kernel modules
linux.lsof.Lsof # Lists open file descriptors for all processes (upstream help text duplicated the Maps description)
linux.malfind.Malfind # Lists process memory ranges that potentially contain injected code
linux.proc.Maps # Lists all memory maps for all processes
linux.pslist.PsList # Lists the processes present in a particular linux memory image
linux.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
linux.tty_check.tty_check # Checks tty devices for hooks
mac
mac.bash.Bash # Recovers bash command history from memory
mac.check_syscall.Check_syscall # Check system call table for hooks
mac.check_sysctl.Check_sysctl # Check sysctl handlers for hooks
mac.check_trap_table.Check_trap_table # Check mach trap table for hooks
mac.ifconfig.Ifconfig # Lists network interfaces (upstream help text duplicated the lsmod description)
mac.kauth_listeners.Kauth_listeners # Lists kauth listeners and their status
mac.kauth_scopes.Kauth_scopes # Lists kauth scopes and their status
mac.kevents.Kevents # Lists event handlers registered by processes
mac.list_files.List_Files # Lists all open file descriptors for all processes
mac.lsmod.Lsmod # Lists loaded kernel modules
mac.lsof.Lsof # Lists all open file descriptors for all processes
mac.malfind.Malfind # Lists process memory ranges that potentially contain injected code
mac.mount.Mount # A module containing a collection of plugins that produce data typically found in Mac's mount command
mac.netstat.Netstat # Lists all network connections for all processes
mac.proc_maps.Maps # Lists process memory ranges (upstream help text duplicated the malfind description)
mac.psaux.Psaux # Recovers program command line arguments
mac.pslist.PsList # Lists the processes present in a particular mac memory image
mac.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
mac.socket_filters.Socket_filters # Enumerates kernel socket filters
mac.timers.Timers # Check for malicious kernel timers
mac.trustedbsd.Trustedbsd # Checks for malicious trustedbsd modules
mac.vfsevents.VFSevents # Lists processes that are filtering file system events
others
banners.Banners # Attempts to identify potential linux banners in an image
configwriter.ConfigWriter # Runs the automagics and both prints and outputs configuration in the output directory
frameworkinfo.FrameworkInfo # Plugin to list the various modular components of Volatility
isfinfo.IsfInfo # Determines information about the currently available ISF files, or a specific one
layerwriter.LayerWriter # Runs the automagics and writes out the primary layer produced by the stacker
timeliner.Timeliner # Runs all relevant plugins that provide time related information and orders the results by time
yarascan.YaraScan # Scans kernel memory using yara rules (string or file)
windows notifications
file=/vol6/Users/Angela/AppData/Local/Microsoft/Windows/Notifications/wpndatabase.db
sqlitebrowser ${file}
SELECT datetime((ArrivalTime/10000000)-11644473600, 'unixepoch') AS ArrivalTime,
       datetime((ExpiryTime/10000000)-11644473600, 'unixepoch') AS ExpiryTime,
       Type, HandlerId, Notification.Id, Payload, Tag, "Group", "Order", PrimaryId, HandlerType, WNFEventName, CreatedTime AS HandlerCreatedTime, ModifiedTime AS HandlerModifiedTime
FROM Notification LEFT JOIN NotificationHandler ON Notification.HandlerId = NotificationHandler.RecordId
-- "Group" and "Order" are reserved words: double quotes make them column references. In single quotes (as before) they were string literals, so the query returned the words themselves instead of the column values.
-- ArrivalTime/ExpiryTime are Windows FILETIME values (100 ns ticks since 1601-01-01); dividing by 10^7 and subtracting 11644473600 s converts them to the Unix epoch.
regripper [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile
Special
regripper -l -c|sort|column -t -s, # show plugins list in table sorted by plugins
regripper -l -c|sort -t, -k3 -k1|column -t -s, # show plugins list in table sorted by hive/plugins
regripper -p winver -r SOFTWARE # get Windows version & build from the SOFTWARE hive
regripper -p timezone -r SYSTEM # get timezone information from the SYSTEM hive
regripper -a -r SYSTEM # run every plugin that applies to the SYSTEM hive (full analysis)
Useful
-a # Automatically run hive-specific plugins
-l # list all plugins
-f [profile] # use the profile
-p [plugin] # use the plugin
All
-r [hive] # Registry hive file to parse
-d # Check to see if the hive is dirty
-g # Guess the hive file type
-a # Automatically run hive-specific plugins
-aT # Automatically run hive-specific TLN plugins
-f [profile] # use the profile
-p [plugin] # use the plugin
-l # list all plugins
-c # Output plugin list in CSV format (use with -l)
-s systemname # system name (TLN support)
-u username # User name (TLN support)
-uP # Update default profiles
Plugins
adobe 20200522 NTUSER.DAT Gets user's Adobe app cRecentFiles values
allowedenum 20200511 NTUSER.DAT Software Extracts AllowedEnumeration values to determine hidden special folders
amcache 20200515 amcache Parse AmCache.hve file
amcache_tln 20180311 amcache Parse AmCache.hve file
appassoc 20200515 NTUSER.DAT Gets contents of user's ApplicationAssociationToasts key
appcertdlls 20200427 System Get entries from AppCertDlls key
appcompatcache 20200428 System Parse files from System hive AppCompatCache
appcompatcache_tln 20190112 System Parse files from System hive AppCompatCache
appcompatflags 20200525 NTUSER.DAT Software Extracts AppCompatFlags for Windows.
appinitdlls 20200427 Software Gets contents of AppInit_DLLs value
appkeys 20200517 NTUSER.DAT Software Extracts AppKeys entries.
appkeys_tln 20180920 NTUSER.DAT Software Extracts AppKeys entries.
applets 20200525 NTUSER.DAT Gets contents of user's Applets key
applets_tln 20120613 NTUSER.DAT Gets contents of user's Applets key (TLN)
apppaths 20200511 NTUSER.DAT Software Gets content of App Paths subkeys
apppaths_tln 20130429 NTUSER.DAT Software Gets content of App Paths subkeys (TLN)
appspecific 20200515 NTUSER.DAT Gets contents of user's Intellipoint\AppSpecific subkeys
appx 20200427 NTUSER.DAT USRCLASS.DAT Checks for persistence via Universal Windows Platform Apps
appx_tln 20191014 NTUSER.DAT USRCLASS.DAT Checks for persistence via Universal Windows Platform Apps
arpcache 20200515 NTUSER.DAT Retrieves CurrentVersion\App Management\ARPCache entries
at 20200525 Software Checks Software hive for AT jobs
attachmgr 20200525 NTUSER.DAT Checks user's keys that manage the Attachment Manager functionality
attachmgr_tln 20130425 NTUSER.DAT Checks user's keys that manage the Attachment Manager functionality (TLN)
at_tln 20140821 Software Checks Software hive for AT jobs
audiodev 20200525 Software Gets audio capture/render devices
auditpol 20200515 Security Get audit policy from the Security hive file
backuprestore 20200517 System Gets the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys
bam 20200427 System Parse files from System hive BAM Services
bam_tln 20180225 System Parse files from System hive BAM Services
base 20200427 All Parse base info from hive
baseline 20130211 All Scans a hive file, checking sizes of binary value data
btconfig 20200526 Software Determines BlueTooth devices 'seen' by BroadComm drivers
bthenum 20200515 System Get BTHENUM subkey info
bthport 20200517 System Gets Bluetooth-connected devices from System hive
bthport_tln 20180705 System Gets Bluetooth-connected devices from System hive; TLN output
cached 20200525 NTUSER.DAT Gets cached Shell Extensions from NTUSER.DAT hive
cached_tln 20150608 NTUSER.DAT Gets cached Shell Extensions from NTUSER.DAT hive (TLN)
calibrator 20200427 Software Checks DisplayCalibrator value (possible bypass assoc with LockBit ransomware)
clsid 20200526 Software USRCLASS.DAT Get list of CLSID/registered classes
clsid_tln 20200526 Software USRCLASS.DAT Get list of CLSID/registered classes
cmdproc 20200515 NTUSER.DAT Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive
cmdproc_tln 20130425 NTUSER.DAT Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive (TLN)
cmd_shell 20200515 Software Gets shell open cmds for various file types
codepage 20200519 system Checks codepage value
comdlg32 20200517 NTUSER.DAT Gets contents of user's ComDlg32 key
compdesc 20200511 NTUSER.DAT Gets contents of user's ComputerDescriptions key
compname 20090727 System Gets ComputerName and Hostname values from System hive
cred 20200427 system Checks for UseLogonCredential value
cred_tln 20200402 system Checks UseLogonCredential value
dafupnp 20200525 System Parses data from networked media streaming devices
dcom 20200525 Software Check DCOM Ports
ddo 20140414 NTUSER.DAT Gets user's DeviceDisplayObjects key contents
defender 20200427 Software Get Windows Defender settings
del 20200515 All Parse hive, print deleted keys/values
del_tln 20190506 All Parse hive, print deleted keys/values
devclass 20200525 System Get USB device info from the DeviceClasses keys in the System hive
direct 20200515 Software Searches Direct* keys for MostRecentApplication subkeys
direct_tln 20190911 Software Searches Direct* keys for MostRecentApplication subkeys (TLN)
disablelastaccess 20200517 System Get NTFSDisableLastAccessUpdate value
disablemru 20190924 NTUSER.DAT Software Checks settings disabling user's MRUs
disableremotescm 20200513 System Gets DisableRemoteScmEndpoints value from System hive
disablesr 20200515 Software Gets the value that turns System Restore either on or off
drivers32 20200525 Software Get values from the Drivers32 key
emdmgmt 20200511 Software Gets contents of EMDMgmt subkeys and values
environment 20200512 System NTUSER.DAT Get environment vars from NTUSER.DAT & System hives
execpolicy 20200517 Software Gets PowerShell Execution Policy
featureusage 20200511 NTUSER.DAT Extracts user's FeatureUsage data.
fileless 20200525 All Scans a hive file looking for fileless malware entries
findexes 20200525 All Scans a hive file looking for binary value data that contains MZ
gpohist 20200525 Software NTUSER.DAT Collects system/user GPO history
gpohist_tln 20150529 Software NTUSER.DAT Collects system/user GPO history (TLN)
heap 20200427 Software Checks HeapLeakDetection\DiagnosedApplications Subkeys
heidisql 20201227 NTUSER.DAT Gets user's heidisql data
ica_sessions 20200528 Software ARETE ONLY - Extracts Citrix ICA Session info
identities 20200525 NTUSER.DAT Extracts values from Identities key; NTUSER.DAT
imagedev 20140104 System --
imagefile 20200515 Software Checks ImageFileExecutionOptions subkeys values
injectdll64 20200427 NTUSER.DAT Software Retrieve values set to weaken Chrome security
inprocserver 20200427 Software Checks CLSID InProcServer32 values for indications of malware
installer 20200517 Software Determines product install information
ips 20200518 System Get IP Addresses and domains (DHCP, static)
jumplistdata 20200517 NTUSER.DAT Gets contents of user's JumpListData key
killsuit 20200427 Software Check for indications of Danderspritz Killsuit installation
killsuit_tln 20200414 Software Check for indications of Danderspritz Killsuit installation
knowndev 20200515 NTUSER.DAT Gets user's KnownDevices key contents
landesk 20200517 Software Get list of programs monitored by LANDESK - Software hive
landesk_tln 20130214 Software Get list of programs monitored by LANDESK from Software hive
lastloggedon 20200517 Software Gets LastLoggedOn* values from LogonUI key
licenses 20200526 Software Get contents of HKLM/Software/Licenses key
listsoft 20200517 NTUSER.DAT Lists contents of user's Software key
load 20200517 NTUSER.DAT Gets load and run values from user hive
logonstats 20200517 NTUSER.DAT Gets contents of user's LogonStats key
lsa 20200517 System Lists specific contents of LSA key
lxss 20200511 NTUSER.DAT Gets WSL config.
lxss_tln 20140723 NTUSER.DAT Gets WSL config.
macaddr 20200515 System Software --
mixer 20200517 NTUSER.DAT Checks user's audio mixer settings
mixer_tln 20141112 NTUSER.DAT Checks user's audio mixer info
mmc 20200517 NTUSER.DAT Get contents of user's MMC\Recent File List key
mmc_tln 20120828 NTUSER.DAT Get contents of user's MMC\Recent File List key (TLN)
mmo 20200517 NTUSER.DAT Checks NTUSER for Multimedia\Other values [malware]
mndmru 20200517 NTUSER.DAT Get contents of user's Map Network Drive MRU
mndmru_tln 20120829 NTUSER.DAT Get user's Map Network Drive MRU (TLN)
mountdev 20200517 System Return contents of System hive MountedDevices key
mountdev2 20200517 System Return contents of System hive MountedDevices key
mp2 20200526 NTUSER.DAT Gets user's MountPoints2 key contents
mp2_tln 20200525 NTUSER.DAT Gets user's MountPoints2 key contents
mpmru 20200517 NTUSER.DAT Gets user's Media Player RecentFileList values
msis 20200517 Software Determine MSI packages installed on the system
msoffice 20200518 NTUSER.DAT Get user's MSOffice content
msoffice_tln 20200518 NTUSER.DAT Get user's MSOffice content
muicache 20200525 NTUSER.DAT USRCLASS.DAT Gets EXEs from user's MUICache key
muicache_tln 20130425 NTUSER.DAT USRCLASS.DAT Gets EXEs from user's MUICache key (TLN)
nation 20200517 ntuser.dat Gets region information from HKCU
netlogon 20200515 System Parse values for machine account password changes
netsh 20200515 Software Gets list of NetSH helper DLLs
networkcards 20200518 Software Get NetworkCards Info
networklist 20200518 Software Collects network info from NetworkList key
networklist_tln 20150812 Software Collects network info from NetworkList key (TLN)
networksetup2 20191004 System Get NetworkSetup2 subkey info
nic2 20200525 System Gets NIC info from System hive
ntds 20200427 System Parse Services NTDS key for specific persistence values
null 20160119 All Check key/value names in a hive for leading null char
oisc 20091125 NTUSER.DAT Gets contents of user's Office Internet Server Cache
onedrive 20200515 NTUSER.DAT Gets contents of user's OneDrive key
onedrive_tln 20190823 NTUSER.DAT Gets contents of user's OneDrive key
osversion 20200511 NTUSER.DAT Checks for OSVersion value
osversion_tln 20120608 NTUSER.DAT Checks for OSVersion value (TLN)
outlook_homepage 20201002 NTUSER.DAT Software Retrieve values set to attack Outlook WebView Homepage
pagefile 20140505 System Get info on pagefile(s)
pending 20130711 System Gets contents of PendingFileRenameOperations value
pendinggpos 20200427 NTUSER.DAT Gets contents of user's PendingGPOs key
photos 20200525 USRCLASS.DAT Shell/BagMRU traversal in Win7 USRCLASS.DAT hives
Plugin Version Hive Description
portdev 20090118 Software Parses Windows Portable Devices key contents
powershellcore 20200525 Software Extracts PowerShellCore settings
prefetch 20200515 System Gets the Prefetch Parameters
printdemon 20200514 Software Gets value assoc with printer ports and descriptions
printmon 20200427 System Lists installed Print Monitors
printmon_tln 20191122 System Lists installed Print Monitors
processor_architecture 20140505 System Get from the processor architecture from the System's environment key
profilelist 20200518 Software Get content of ProfileList key
profiler 20200525 NTUSER.DAT System Environment profiler information
pslogging 20200515 NTUSER.DAT Software Extracts PowerShell logging settings
psscript 20200525 Software NTUSER.DAT Get PSScript.ini values
putty 20200515 NTUSER.DAT Extracts the saved SshHostKeys for PuTTY.
rdpport 20200526 System Queries System hive for RDP Port
recentapps 20200515 NTUSER.DAT Gets contents of user's RecentApps key
recentapps_tln 20190513 NTUSER.DAT Gets contents of user's RecentApps key
recentdocs 20200427 NTUSER.DAT Gets contents of user's RecentDocs key
recentdocs_tln 20140220 NTUSER.DAT Gets contents of user's RecentDocs key (TLN)
remoteaccess 20200517 System Get RemoteAccess AccountLockout settings
rlo 20200517 All Parse hive, check key/value names for RLO character
routes 20200526 System Get persistent routes from the Registry
run 20200511 Software NTUSER.DAT [Autostart] Get autostart key contents from Software hive
runmru 20200525 NTUSER.DAT Gets contents of user's RunMRU key
runmru_tln 20120828 NTUSER.DAT Gets contents of user's RunMRU key (TLN)
runonceex 20200427 Software Gets contents of RunOnceEx values
runvirtual 20200427 NTUSER.DAT Software Gets RunVirtual entries
runvirtual_tln 20191211 NTUSER.DAT Software Gets RunVirtual entries
ryuk_gpo 20200427 Software Get GPO policy settings from Software hive related to Ryuk
samparse 20200825 SAM Parse SAM file for user & group mbrshp info
samparse_tln 20200826 SAM Parse SAM file for user acct info (TLN)
ScanButton 20131210 System Get Scan Button information
schedagent 20200518 Software Get SchedulingAgent key contents
scriptleturl 20200525 Software USRCLASS.DAT Check CLSIDs for ScriptletURL subkeys
searchscopes 20200517 NTUSER.DAT Gets contents of user's SearchScopes key
secctr 20200517 Software Get data from Security Center key
secrets 20200517 Security Get the last write time for the Policy\Secrets key
secrets_tln 20140814 Security Get the last write time for the Policy\Secrets key
securityproviders 20200526 System Gets SecurityProvider value from System hive
services 20191024 System Lists services/drivers in Services key by LastWrite times
sevenzip 20210329 NTUSER.DAT Gets records of histories from 7-Zip keys
sfc 20200517 Software Get SFC values
shares 20200525 System Get list of shares from System hive file
shc 20200427 NTUSER.DAT Gets SHC entries from user hive
shellbags 20200428 USRCLASS.DAT Shell/BagMRU traversal in Win7+ USRCLASS.DAT hives
shellbags_tln 20180702 USRCLASS.DAT Shell/BagMRU traversal in Win7 USRCLASS.DAT hives
shellfolders 20200515 NTUSER.DAT Gets user's shell folders values
shelloverlay 20100308 Software Gets ShellIconOverlayIdentifiers values
shimcache 20200428 System Parse file refs from System hive AppCompatCache data
shimcache_tln 20190112 System Parse file refs from System hive AppCompatCache data
shutdown 20200518 System Gets ShutdownTime value from System hive
sizes 20200517 All Scans a hive file looking for binary value data of a min size (5000)
slack 20200517 All Parse hive, print slack space, retrieve keys/values
slack_tln 20190506 All Parse hive, print slack space, retrieve keys/values
source_os 20200511 System Parse Source OS subkey values
speech 20200427 NTUSER.DAT Get values from user's Speech key
speech_tln 20191010 NTUSER.DAT Get values from user's Speech key
spp_clients 20130429 Software Determines volumes monitored by VSS
srum 20200518 Software Gets contents of SRUM subkeys
ssid 20200515 Software Get WZCSVC SSID Info
susclient 20200518 Software Extracts SusClient* info, including HDD SN (if avail)
svc 20200525 System Lists Services key contents by LastWrite time (CSV)
svcdll 20200525 System Lists Services keys with ServiceDll values
svc_tln 20130911 System Lists Services key contents by LastWrite time (CSV)
syscache 20200515 syscache Parse SysCache.hve file
syscache_csv 20200515 syscache
syscache_tln 20190516 syscache
sysinternals 20080324 NTUSER.DAT Checks for SysInternals apps keys
sysinternals_tln 20080324 NTUSER.DAT Checks for SysInternals apps keys (TLN)
systemindex 20200518 Software Gets systemindex\..\Paths info from Windows Search key
taskcache 20200427 Software Checks TaskCache\Tree root keys (not subkeys)
taskcache_tln 20200416 Software Checks TaskCache\Tree root keys (not subkeys)
tasks 20200427 Software Checks TaskCache\Tasks subkeys
tasks_tln 20200416 Software Checks TaskCache\Tasks subkeys
termcert 20200526 System Gets Terminal Server certificate
termserv 20200506 System Software Gets Terminal Server settings from System and Software hives
thispcpolicy 20200511 Software Gets ThisPCPolicy values
timezone 20200518 System Get TimeZoneInformation key contents
tracing 20200511 Software Gets list of apps that can be traced
tracing_tln 20120608 Software Gets list of apps that can be traced (TLN)
tsclient 20200518 NTUSER.DAT Displays contents of user's Terminal Server Client\Default key
tsclient_tln 20120827 NTUSER.DAT Displays contents of user's Terminal Server Client key (TLN)
typedpaths 20200526 NTUSER.DAT Gets contents of user's typedpaths key
typedpaths_tln 20120828 NTUSER.DAT Gets contents of user's typedpaths key (TLN)
typedurls 20200526 NTUSER.DAT Returns contents of user's TypedURLs key.
typedurlstime 20200526 NTUSER.DAT Returns contents of user's TypedURLsTime key.
typedurlstime_tln 20120613 NTUSER.DAT Returns contents of Win8 user's TypedURLsTime key (TLN).
typedurls_tln 20120827 NTUSER.DAT Returns MRU for user's TypedURLs key (TLN)
uac 20200427 Software Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
uacbypass 20200511 USRCLASS.DAT Software Get possible UAC bypass settings
uninstall 20200525 Software NTUSER.DAT Gets contents of Uninstall keys from Software, NTUSER.DAT hives
uninstall_tln 20120523 Software NTUSER.DAT Gets contents of Uninstall keys from Software, NTUSER.DAT hives (TLN format)
usb 20200515 System Get USB key info
usbdevices 20200525 System Parses Enum\USB key for USB & WPD devices
usbstor 20200515 System Get USBStor key info
userassist 20170204 NTUSER.DAT Displays contents of UserAssist subkeys
userassist_tln 20180710 NTUSER.DAT Displays contents of UserAssist subkeys in TLN format
volinfocache 20200518 Software Gets VolumeInfoCache from Windows Search key
wab 20200427 Software Get WAB DLLPath settings
wab_tln 20191122 Software Get WAB DLLPath settings
watp 20200427 Software Gets contents of Windows Advanced Threat Protection key
wbem 20200511 Software Get some contents from WBEM key
wc_shares 20200515 NTUSER.DAT Gets contents of user's WorkgroupCrawler/Shares subkeys
winlogon_tln 20130429 Software Alerts on values from the WinLogon key (TLN)
winrar 20200526 NTUSER.DAT Get WinRAR\ArcHistory entries
winrar_tln 20120829 NTUSER.DAT Get WinRAR\ArcHistory entries (TLN)
winscp 20201227 NTUSER.DAT Gets user's WinSCP 2 data
winver 20200525 Software Get Windows version & build info
winzip 20200526 NTUSER.DAT Get WinZip extract and filemenu values
wordwheelquery 20200823 NTUSER.DAT Gets contents of user's WordWheelQuery key
wordwheelquery_tln 20200824 NTUSER.DAT Gets contents of user's WordWheelQuery key
wow64 20200515 Software Gets contents of WOW64\x86 key
wpdbusenum 20200515 System Get WpdBusEnum subkey info
wsh_settings 20200517 Software Gets WSH Settings
Install
see foralyse
reglookup
reglookup [-v] [-s] [-p <PATH_FILTER>] [-t <TYPE_FILTER>] <REGISTRY_FILE>
Print the elements of an offline Windows registry hive file to stdout in a CSV-like format (work on a copy or a read-only mounted evidence image, never on hives of a running system)
Special
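# Dump every hive of the mounted evidence image with reglookup, one CSV per hive under $out.
# -i adds the parent key's modification time to each value (see "All" below).
# Run from /vol6/Windows/System32/config: SAM/SECURITY/SOFTWARE/SYSTEM are relative names,
# and /vol6 is assumed to be a read-only mount of the evidence disk.
out=/share/examen/disk/hive
hives=(SAM SECURITY SOFTWARE SYSTEM)
# NTUSER.DAT sits in each profile directory: read the find output NUL-delimited so a
# profile name containing spaces (e.g. "Users/John Doe") is not split into bogus paths.
while IFS= read -r -d '' hive; do hives+=("$hive"); done < <(find /vol6/ -iname ntuser.dat -print0)
for hive in "${hives[@]}"; do
  printf '%s\n' "$hive"
  # '/' in the hive path is turned into '_' so every output is a single file directly under $out
  reglookup -i "$hive" > "$out/reglookup_${hive//\//_}"
done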
Useful
-p # restrict output to elements below this path.
-H # disables header row.
-s # enables security descriptor output.
All
-v # sets verbose mode.
-h # enables header row. (default)
-H # disables header row.
-s # enables security descriptor output.
-S # disables security descriptor output. (default)
-p # restrict output to elements below this path.
-t # restrict results to this specific data type.
-i # includes parent key modification times with child values.
reglookup-timeline
reglookup-timeline [-H] [-V] <REGISTRY_FILE> [<REGISTRY_FILE> ...]
Builds timelines for forensic investigations, a wrapper for reglookup
Special
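# Build one timeline over every hive of the mounted evidence image.
# -V (capital) includes values stamped with their parent key's LastWrite time, as listed in
# the usage above; a lowercase -v is not an option of reglookup-timeline and would be taken
# as a (non-existent) registry file. The cd runs in a subshell so the caller's cwd is kept.
out=/share/examen/disk/hive
( cd /vol6/Windows/System32/config || exit 1
  hives=(SAM SECURITY SOFTWARE SYSTEM)
  # NUL-delimited find output: a profile directory with a space in its name must stay one path
  while IFS= read -r -d '' hive; do hives+=("$hive"); done < <(find /vol6/ -iname ntuser.dat -print0)
  reglookup-timeline -V "${hives[@]}" > "$out/reglookup-tl" ) # complete timeline
# Keep the timeline from a given instant onwards; the timestamp is the one of this examination,
# replace it with the window under investigation. The file is read from $out because the cd
# above did not change the current directory.
sed -n '/^2021-09-09 18:1/,$p' "$out/reglookup-tl" > "$out/reglookup-tl-select" # select part of timeline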
All
-H # Omit header line
-V # Include values with parent timestamps
reglookup-recover
reglookup-recover [options] <REGISTRY_FILE>
Attempts to scour a Windows registry hive for deleted data structures and outputs those found in a CSV-like format
All
-v # sets verbose mode.
-h # enables header row. (default)
-H # disables header row.
-l # enables leftover(raw) cell output.
-L # disables leftover(raw) cell output. (default)
-r # enables raw cell output for parsed cells.
-R # disables raw cell output for parsed cells. (default)
Install
sudo apt install reglookup