RegRipper - How do you use it?

RegRipper will parse a registry hive file for specific information.
It doesn't work on a live hive file on a running system.
It will work on an image file or a mounted drive like Mount Drive Pro.

How do I get an image of just the registry hive to run RegRipper on?

Since RegRipper doesn't look for information in the file system I don't want to make a byte for byte copy of the entire HDD just to scan the registry.

Will it work on RegShot Images?

RegRipper

Regshot

 

No, but it does work with ERUNT and Registry Workshop images.

 

I gave it a run against the Erunt Hive.

rrPOC seems to do a pretty good job with it's default plug-ins (all.adv).
It doesn't run any additional plug-ins.
It's report lay out is decent could be better.

rr20080909 doesn't seem to function well and haven't figured out why.
Running the program creates a report that is huge, 218kb with 80+ plug-ins.
With just 1 plug-in it generated a report of 422kb.

Have you seen this behavior in RegRipper?

 

I see pretty much the opposite. If I run all plugins against the SOFTWARE hive, the report size is 14 MB; if I use only the software plugin, the size is 14 KB.

I haven't done a side-by-side plugin comparison, but RegExtract is a nice alternative to RegRipper. It only works with ERUNT hives. Its report layout is better than RegRipper's.

 

RegExtract crashed on Vista. I was unable to run a scan.

 

I used it today on 7 32-bit with no problems. Did you use the Windows installer or the cross-platform Mono version? I used the Windows installer version.

 

I used the windows installer version also.

I don't think it was the program itself. I will have to try again when I can solve my issues.