Registry Report

WinHex & X-Ways


 

From within the registry viewer, WinHex can create an HTML report listing the values of potentially relevant registry keys when you invoke the command "Create Registry Report" in the right-click pop-up menu. The registry keys to be reported in all open hives are defined in text files such as the pre-supplied "Reg Report *.txt", and you can edit the list of keys in these files to tailor the report to your own needs. The registry files you view must have their original names (e.g. NTUSER.DAT or SOFTWARE), or else the report may fail.

 

Standard tables have 4 columns: description, extracted value, registry path (provided as a tooltip), and last modification date of the corresponding key. The registry stores a timestamp per key, not per value, so for values that are not the only value in their key the date is displayed in gray, as a visual reminder that it is the key's modification date and not that of the value itself.

 

Free space in registry hives can be analyzed with the report definition file "Reg Report Free Space.txt". Free space can amount to several MB, especially as a consequence of virus scanners and registry cleaning programs. Deleted registry values are highlighted in red in the report.

 

Registry value slack also has a relevant size in NTUSER.DAT hives. This is exploited in two ways:

1) If the slack contains text strings, they are output in the registry report (in green). This feature can be turned off in the registry viewer context menu.

2) For values that contain item lists (i.e. binary values), the "Reg Report Free Space.txt" definitions make the registry report output lists of filenames with timestamps in green. The first timestamp is an access date, the second one a creation date. Entries for which no timestamps can be output are artifacts from "RecentDocs".

 

 

Format of entries in "Reg Report *.txt"

 

(type) (tab) (registry path) (tab) (description) (line break = Chr(13)Chr(10), i.e. CR LF)

 

type:

??                definition for any Windows version

NT                for Windows NT through XP

VT                for Windows Vista and 7

**                new function (without absolute paths)

FR                query in free space of the hive

 

registry path:

Full path of registry keys

 

HKLM: HKEY_LOCAL_MACHINE

HKCU: HKEY_CURRENT_USER

 

If an asterisk ("*") is provided as the last key, all keys on the same level and deeper and their values will be included in the report.

 

example:

NT                HKLM\Software\Microsoft\Windows\CurrentVersion\*                                report whole Windows branch

 

If you wish to report a particular value that exists in all subkeys of a certain key, you can also write an "*" for the subkeys and put the value name after it (e.g. ...\Services\*\ImagePath).

 

The generated report contains the registry path with its timestamp, the filename of the registry hive that the key was found in, the description that was provided in the "Reg Report *.txt" file, and the value.

 

The description field may contain an additional statement at the end that starts with a % character. If the % is followed by a number n, the n-th element of the registry path will be appended to the description in the report. This is very useful if the path, and not (only) the value, contains the relevant information. If the % is followed by a letter, the value will be interpreted as the data type that the letter stands for, where possible. The following letters and data types are currently defined:

%f                Windows FILETIME timestamp

%e                Epoch (Unix) timestamp

%E                Unix epoch timestamp stored as an 8-byte QWORD (Epoch8)

%T                Windows system time timestamp

%s                ANSI/ASCII string, null-terminated

%S                UTF-16 string, null-terminated

%b                binary data not to be interpreted as characters (REG_BINARY)

%P                Windows PIDL data structure

%I                ItemPos data structure (covers Shell Bag, desktop shortcuts, and more)

%B                conditional: if value TRUE

%F                conditional: if value FALSE

%-                no empty mode

%+                recursion of the subtree

%i                value case-insensitive

%d                deleted values only

It is also possible to combine a number and a letter (e.g. %10f). In that case the number must precede the letter.

 

// at the start of a line comments out that line (will cause it to be ignored).

## at the start of a line will output explanatory text into the report.
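The following Python script is an added worked example, not code from WinHex or X-Ways: it parses definition lines in the format described above (type, tab, path, tab, description with an optional %-statement; "//" comment lines; "##" report text lines), applies the two "*" forms to a small in-memory key tree, appends the %n path element, and decodes %f (FILETIME) and %e (Unix epoch) values. The sample definitions and the key tree are constructed for the example. Several details are assumptions, not stated on the page: %n counts path elements 1-based from the hive root (HKLM = 1) on the matched key path, a multi-digit number such as %10 is one element index, a "*" in the middle of a path matches the direct subkeys of the preceding key, NT/VT version filtering is ignored, and FR definitions are skipped because the in-memory model has no free space.

```python
"""Parser and matcher for 'Reg Report *.txt' definitions (added example, not WinHex code)."""
import re
from datetime import datetime, timedelta, timezone
from typing import Iterator, NamedTuple, Optional

KNOWN_TYPES = {"??", "NT", "VT", "**", "FR"}
# Trailing %-statement of a description: optional element number, then at most one modifier char.
MODIFIER_RE = re.compile(r"\s*%(\d*)([A-Za-z+\-]?)\s*$")

class Definition(NamedTuple):
    kind: str                 # ??, NT, VT, **, FR
    path: str                 # registry path as written, may contain "*"
    description: str          # description with the %-statement removed
    element: Optional[int]    # n from %n (assumed 1-based, HKLM = 1, taken from the matched key)
    modifier: Optional[str]   # letter or symbol after %, e.g. "f", "e", "d"

class ReportText(NamedTuple):
    text: str                 # from a "##" line, copied into the report

def parse_definitions(text: str) -> list:
    """Parse one definition file: CRLF-separated, tab-delimited lines."""
    entries = []
    for line in text.split("\r\n"):
        if not line.strip() or line.startswith("//"):
            continue                              # blank or commented out
        if line.startswith("##"):
            entries.append(ReportText(line[2:].strip()))
            continue
        fields = line.split("\t")
        if len(fields) != 3 or fields[0] not in KNOWN_TYPES:
            raise ValueError(f"malformed definition line: {line!r}")
        kind, path, desc = fields
        element = modifier = None
        m = MODIFIER_RE.search(desc)
        if m and (m.group(1) or m.group(2)):      # a number, a letter, or both (%10f)
            element = int(m.group(1)) if m.group(1) else None
            modifier = m.group(2) or None
            desc = desc[:m.start()]
        entries.append(Definition(kind, path, desc.strip(), element, modifier))
    return entries

def match(defn: Definition, hive: dict) -> Iterator[tuple]:
    """Yield (key_path, value_name, data) for every entry a definition selects."""
    parts = defn.path.split("\\")
    if parts[-1] == "*":                          # trailing *: this key and everything below it
        base = "\\".join(parts[:-1])
        for key, values in hive.items():
            if key == base or key.startswith(base + "\\"):
                yield from ((key, n, d) for n, d in values.items())
    elif "*" in parts:                            # KEY\*\VALUE: VALUE in each direct subkey (assumed)
        base, value = "\\".join(parts[:parts.index("*")]), parts[-1]
        for key, values in hive.items():
            if key.rpartition("\\")[0] == base and value in values:
                yield key, value, values[value]
    else:                                         # plain KEY\VALUE
        key, _, value = defn.path.rpartition("\\")
        if value in hive.get(key, {}):
            yield key, value, hive[key][value]

def interpret(data, modifier: Optional[str]):
    if modifier == "f" and isinstance(data, int):   # FILETIME: 100 ns ticks since 1601-01-01 UTC
        return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=data // 10)
    if modifier == "e" and isinstance(data, int):   # Unix epoch seconds
        return datetime.fromtimestamp(data, timezone.utc)
    return data                                     # other hints left raw in this example

def build_rows(defs: list, hive: dict) -> list:
    """(description, value, path) rows, the core of a standard report table."""
    rows = []
    for d in defs:
        if isinstance(d, ReportText) or d.kind == "FR":
            continue          # FR queries hive free space, which this in-memory model lacks
        for key, name, data in match(d, hive):
            desc, elems = d.description, key.split("\\")
            if d.element is not None and d.element <= len(elems):
                desc = f"{desc} {elems[d.element - 1]}"
            rows.append((desc, interpret(data, d.modifier), f"{key}\\{name}"))
    return rows

SAMPLE_DEFINITIONS = "\r\n".join([            # constructed, not a file shipped with WinHex
    "// commented out, ignored",
    "## Sample definitions for the worked example",
    "??\tHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProductName\tWindows product name",
    "??\tHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\InstallDate\tInstall date %e",
    "NT\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*\tAutostart entry",
    "VT\tHKLM\\System\\CurrentControlSet\\Services\\*\\ImagePath\tService binary of %5",
    "??\tHKLM\\System\\CurrentControlSet\\Control\\Windows\\ShutdownTime\tLast shutdown %f",
    "FR\tHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*\tDeleted Run MRU entries %d",
])

SAMPLE_HIVE = {                                # constructed stand-in for a few SOFTWARE/SYSTEM keys
    "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion": {
        "ProductName": "Windows 7 Professional", "InstallDate": 1301234567},
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run": {"Updater": "C:\\Users\\Public\\upd.exe"},
    "HKLM\\System\\CurrentControlSet\\Services\\Spooler": {"ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
    "HKLM\\System\\CurrentControlSet\\Services\\Evil": {"ImagePath": "C:\\Users\\Public\\svchost.exe"},
    "HKLM\\System\\CurrentControlSet\\Control\\Windows": {"ShutdownTime": 129383136000000000},  # 2011-01-01 UTC
}
```

Calling build_rows(parse_definitions(SAMPLE_DEFINITIONS), SAMPLE_HIVE) yields six rows: the plain ProductName lookup, InstallDate decoded to 2011-03-27 14:02:47 UTC, the single Run value picked up by the trailing "*", one ImagePath row per service with the service name appended by %5 (which is what makes the unexpected C:\Users\Public\svchost.exe stand out next to the legitimate spooler), and ShutdownTime decoded from FILETIME. The FR definition is parsed but produces no rows.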

 

 

Additional output

 

In a second phase of the registry report creation, additional data is analyzed and output as tables at the end of the HTML file. The specifications in the definition file that belong to this second phase are marked with the description "Dummy", which suppresses their normal output in the first phase. If you also want the first-phase output for such a key, simply change the description in the definition to anything other than "Dummy".

 

The table "Attached devices by serial number" is created according to the algorithm that Harlan Carvey describes in chapter 4 of his book. Furthermore you can find the tables "Partitions by disk signature", "Windows portable devices", "Drivers installed", "File systems installed", "Services installed", "Networks", and "Network cards".

 

Another table, "Browser Helper Objects", is compiled from data in the NTUSER.DAT and SOFTWARE hives and concerns browser usage. "External Memory Devices" is a table that can be retrieved from SOFTWARE hives of Windows Vista and later and lists external media with access timestamps, hardware serial number, volume label, volume serial number and volume size (the size is often only available under Vista). Select the definition file "Reg Report Devices.txt" to get this table.