-
Notifications
You must be signed in to change notification settings - Fork 11
Creating Registry Fingerprints
Fingerprint creates a csv file with the data of the registry on Your harddisk. Each fingerprint result is completely indipendent from previouse fingerprints - the difference between two fingerprints need to be analyzed with another command or third party program.
For fingerprinting registry, fp.exe needs to run with elevated rights (as Administrator) to get access to the registry. You can override this, but it is not recommended and only intended for testing.
fp.exe reg --f_output=<filename> [--batchmode --no_admin --field_length_limit --reg_save_additional_parameters --do_not_delete_hive_copies]
If You do not pass any commandline parameter, fp_files will ask You for the location of the results (e.g. c:\fingerprints\fp_registry_1.csv)
Commandline Parameters:
fp.exe --version # show the version
fp.exe --help # show the help
fp.exe <command> --help # show the help for a specific command
fp.exe reg [arguments and flags]
--f_output=<filename> # the resultfile, e.g. c:\fingerprint\fp_registry_1.csv
# missing directories will be created,
# c:\fingerprint\fp_registry_1.log will be created
--batchmode # do not ask for missing or wrong parameters, but exit
--no_admin # make it able to run without admin rights, not recommended
--field_length_limit=<int_value> # truncate data from registry, default set to maximum length of
# a cell in excel (32767), but we can support much longer fields
--do_not_delete_hive_copies # do not delete the copies of registry hives
--reg_save_additional_parameters=<str_parameter> # additional parameters to pass
# to "reg copy" e.g. "/reg:64" or "/reg:32"
The Result :
the result is a csv file what can be opened with excel or Your texteditor. the csv file might look like this :
c:\fingerprints\fp_registry_1.csv :
path,modified,value_name,value_type,value,change,remark
HKLM\SAM\ROOT,2018-10-06 20:17:11.249289,,KEY,,,
HKLM\SAM\SAM,2018-10-06 20:18:38.997481,,KEY,,,
HKLM\SAM\SAM,2018-10-06 20:18:38.997481,ServerDomainUpdates,RegBin,b'\xfe\xff\x07',,
HKLM\SAM\SAM\Domains,2018-10-06 20:17:11.249289,,KEY,,,
HKLM\SAM\SAM\Domains,2018-10-06 20:17:11.249289,(default),RegNone,b'',,
HKLM\SAM\SAM\Domains\Account,2018-11-18 18:21:55.111011,,KEY,,,
HKLM\SAM\SAM\Domains\Account\Aliases,2018-11-15 11:19:42.776310,,KEY,,,
HKLM\SAM\SAM\Domains\Account\Aliases,2018-11-15 11:19:42.776310,(default),RegSZ,,,
HKLM\SAM\SAM\Domains\Account\Aliases\000003EB,2018-11-15 11:19:42.776310,,KEY,,,
path : the path of the key
modified : the date of the last modification (can be spoofed by malicious programs)
value_name : the name of the registry value (empty if it is only a key)
value_type : the type of the registry data ("KEY" if it is only a key)
value : the data (empty if it is only a key)
change : what has been changed (this field is only used in diff files created by fp.exe reg_diff and described there)
remark : remark (this field is only used in diff files created by fp.exe reg_diff and described there)
Now You are already able to create registry fingerprints before and after installing some software and track the changes between the csv files with some tools like Meld, FC, diff, etc. But there is a better option, using fp.exe reg_diff what will be explained later.