How do the current plug-ins rip values? How does the user track

How do the current plug-ins rip values?
How does the user track which values are to be ripped?
Select Single Value Plug-in Generation
Select Multi-Value Plug-in Generation
Select Multi-Key Plugin
Special Cases


SYSTEM\CCS
Enumerate all values in Key

For this key, output name, LWT, all 1-level subkeys (including LWT) and all of their value names/data
  o Group by subkey name/LWT
    - Order by value name
For this key, output name, LWT, and all value names and data
  o Order by value name
For this key, output name, LWT, and specific value name and data



Overall
  o Output last write time uses gmtime
  o Start with logmsg, new Win32Registry object, getrootkey, specify initial path
  o For a given key, we might want
    - Output key name & time
    - Output key write time
    - Foreach subkey
        Output subkey name & time
        Foreach value, store name and data
        Sort on value name and output value/data
    - Specific subkey



Acmru
  o For a set of values
    - Specific value data (sorted on value name)
    - All value data (sorted on value name)
  o Hive: NTUSER
  o Path: Software\\Microsoft\\Search Assistant\\ACMru
  o Output last write time
  o Foreach subkey
    - Output name [Last write time]
    - For each value
        Store %hash{valuename}=valuedata
    - Output valuedata sorted by valuename
Adoberdr
  o Hive: NTUSER
  o If version 6.0, 7.0 or 8.0 at Software\\Adobe\\Acrobat Reader\\____\\AVGeneral\\cRecentFiles
    - Define path as that
  o Path: Software\\Adobe\\Acrobat Reader\\8.0\\AVGeneral\\cRecentFiles
  o Output keypath
  o Output last write time
  o Foreach subkey
    - %hash{subkey-name}{subkey-lastwrite} and %hash{subkey-name}{sDI-data}
    - Store name (like ‘c1’) and format (remove ‘c’)
    - Store specific value: sDI
    - Output lastwrite & data sorted by name (path to a recent file)
AIM
  o Hive: NTUSER
  o Path: Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users
  o Output package
  o Output keypath
  o Foreach subkey
    - Output keyname & timestamp
    - For each subkey
        If subkey name contains “Login”
          o Output Password1 data if exists
        If subkey name is recent
          o Output subkey name
          o Foreach value
            - Store in %hash{valuename}=valuedata
          o Output valuename and valuedata sorted by valuename



AppInitDLLs
  o Hive: SOFTWARE
  o Path: Microsoft\\Windows NT\\CurrentVersion\\Windows
  o Output package
  o Output keypath
  o Output last write time
  o Foreach value
    - If valuename is APPInit_DLLs
        Output name and data
Applets
  o Hive: NTUSER
  o Path: Software\\Microsoft\\Windows\\CurrentVersion\\Applets
  o Output package
  o Output keypath
  o Output last write time
  o If Paint recent file list subkey (Paint\\Recent File List)
    - Output keypath
    - Output last write time
    - Foreach value
        %hash{# from valuename}=data
          o Store # from name
          o Value data is path to recently opened file
    - Output hash contents sorted on valuename #
  o If registry last key (Regedit)
    - Output keypath
    - Output last-write time
    - For 1 value (LastKey)
        Output value name and data
Services
  o Hive: System
  o Path: CCS\\Services
  o Rip
    - Foreach subkey
        Get last write time
        Get data for these specific values
          o Type
          o DisplayName
          o ImagePath
          o Start
          o Group
        Push value data as join(“;”) to @{$hash{timestamp}}
  o Report
    - Sort %hash, newest timestamp first
    - Foreach timestamp
        Output value data
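The two rip patterns the notes describe (values stored in a hash and emitted sorted by value name, as in Acmru, and the Services report grouped under its last-write timestamps, newest first) as an added Python illustration, not the plug-ins' own Perl: Key, gmtime, rip_sorted_values, rip_services and the sample keys are all constructed here, with Key standing in for the Win32Registry key objects a plug-in walks.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Key:                       # constructed stand-in for a Win32Registry key object
    name: str
    lastwrite: int               # last-write time, seconds since epoch (UTC)
    values: dict = field(default_factory=dict)   # value name -> value data
    subkeys: list = field(default_factory=list)

def gmtime(ts):
    """Last-write times are reported with gmtime (UTC), never local time."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")

def rip_sorted_values(key):
    """Multi-key pattern (ACMru, Paint MRU): per subkey, fill
    %hash{valuename} = valuedata, then emit the pairs ordered by value name."""
    lines = [f"{key.name} [{gmtime(key.lastwrite)}]"]
    for sub in key.subkeys:
        lines.append(f"  {sub.name} [{gmtime(sub.lastwrite)}]")
        for name in sorted(sub.values):          # order by value name
            lines.append(f"    {name} -> {sub.values[name]}")
    return lines

SERVICE_FIELDS = ("Type", "DisplayName", "ImagePath", "Start", "Group")

def rip_services(services_key):
    """Services pattern: join the specific values with ';', push the row onto
    @{$hash{timestamp}}, report newest first; a missing value becomes an empty field."""
    by_time = {}
    for svc in services_key.subkeys:
        row = ";".join(str(svc.values.get(f, "")) for f in SERVICE_FIELDS)
        by_time.setdefault(svc.lastwrite, []).append(f"{svc.name}: {row}")
    report = []
    for ts in sorted(by_time, reverse=True):     # newest last-write first
        report.append(gmtime(ts))
        report.extend("  " + r for r in by_time[ts])
    return report

# Constructed sample keys, not taken from a real hive.
ACMRU = Key("ACMru", 1_300_000_000, subkeys=[
    Key("5603", 1_290_000_000, {"001": "report.doc", "000": "*.pst", "002": "budget"})])
SERVICES = Key("Services", 1_300_000_000, subkeys=[
    Key("Beep", 1_200_000_000, {"Type": 1, "Start": 1, "Group": "Base",
        "ImagePath": r"system32\drivers\beep.sys", "DisplayName": "Beep"}),
    Key("Spooler", 1_310_000_000, {"Type": 16, "Start": 2, "Group": "SpoolerGroup",
        "ImagePath": r"%SystemRoot%\system32\spoolsv.exe", "DisplayName": "Print Spooler"}),
    Key("NoNameSvc", 1_310_000_000, {"Type": 16, "Start": 3, "ImagePath": r"C:\Temp\svc.exe"})])
if __name__ == "__main__":
    print("\n".join(rip_sorted_values(ACMRU) + rip_services(SERVICES)))
```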