The document lists various plugins and their versions associated with different Windows registry hives, detailing their functionalities such as parsing base information, checking sizes of binary data, and scanning for malware entries. It also includes descriptions of specific tasks performed by each plugin, including retrieving user data from NTUSER.DAT and other system-related hives. Overall, it serves as a comprehensive reference for understanding the capabilities of these plugins in analyzing Windows system data.
RegRipper Plugins
| Plugin | Version | Hive | Description |
|---|---|---|---|
| base | 20200427 | All | Parse base info from hive |
| baseline | 20130211 | All | Checking sizes of binary value data |
| del | 20200515 | All | Print deleted keys/values |
| del_tln | 20190506 | All | Print deleted keys/values (TLN) |
| fileless | 20200525 | All | Scans a hive file looking for fileless malware entries |
| findexes | 20200525 | All | Scans a hive file looking for binary value data that contains MZ |
| null | 20160119 | All | Check key/value names in a hive for leading null char |
| rlo | 20200517 | All | Check key/value names for RLO character |
| sizes | 20200517 | All | Scans a hive file looking for binary value data of a min size (5000) |
| slack | 20200517 | All | Print slack space, retrieve keys/values |
| slack_tln | 20190506 | All | Print slack space, retrieve keys/values (TLN) |
| amcache | 20200515 | amcache | Parse AmCache.hve file |
| amcache_tln | 20180311 | amcache | Parse AmCache.hve file (TLN) |
| adobe | 20200522 | NTUSER.DAT | Gets user's Adobe app cRecentFiles values |
| appassoc | 20200515 | NTUSER.DAT | Gets contents of user's ApplicationAssociationToasts key |
| applets | 20200525 | NTUSER.DAT | Gets contents of user's Applets key |
| applets_tln | 20120613 | NTUSER.DAT | Gets contents of user's Applets key (TLN) |
| apppaths | 20200511 | NTUSER.DAT, Software | Gets content of App Paths subkeys |
| appspecific | 20200515 | NTUSER.DAT | Gets contents of user's Intellipoint\AppSpecific subkeys |
| appx | 20200427 | NTUSER.DAT, USRCLASS.DAT | Checks for persistence via Universal Windows Platform Apps |
| appx_tln | 20191014 | NTUSER.DAT, USRCLASS.DAT | Checks for persistence via Universal Windows Platform Apps (TLN) |
| arpcache | 20200515 | NTUSER.DAT | Retrieves CurrentVersion\App Management\ARPCache entries |
| attachmgr | 20200525 | NTUSER.DAT | Checks user's keys that manage the Attachment Manager functionality |
| attachmgr_tln | 20130425 | NTUSER.DAT | Checks user's keys that manage the Attachment Manager functionality (TLN) |
| cached | 20200525 | NTUSER.DAT | Gets cached Shell Extensions from NTUSER.DAT hive |
| cached_tln | 20150608 | NTUSER.DAT | Gets cached Shell Extensions from NTUSER.DAT hive (TLN) |
| cmdproc | 20200515 | NTUSER.DAT | Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive |
| cmdproc_tln | 20130425 | NTUSER.DAT | Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive (TLN) |
| comdlg32 | 20200517 | NTUSER.DAT | Gets contents of user's ComDlg32 key |
| compdesc | 20200511 | NTUSER.DAT | Gets contents of user's ComputerDescriptions key |
| ddo | 20140414 | NTUSER.DAT | Gets user's DeviceDisplayObjects key contents |
| featureusage | 20200511 | NTUSER.DAT | Extracts user's FeatureUsage data |
| heidisql | 20201227 | NTUSER.DAT | Gets user's heidisql data |
| iconlayouts | 20211001 | NTUSER.DAT | Shell/Bag/1/Desktop - Iconlayouts |
| identities | 20200525 | NTUSER.DAT | Extracts values from Identities key; NTUSER.DAT |
| jumplistdata | 20200517 | NTUSER.DAT | Gets contents of user's JumpListData key |
| knowndev | 20200515 | NTUSER.DAT | Gets user's KnownDevices key contents |
| listsoft | 20200517 | NTUSER.DAT | Lists contents of user's Software key |
| load | 20200517 | NTUSER.DAT | Gets load and run values from user hive |
| logonstats | 20200517 | NTUSER.DAT | Gets contents of user's LogonStats key |
| lxss | 20200511 | NTUSER.DAT | Gets WSL config |
| lxss_tln | 20140723 | NTUSER.DAT | Gets WSL config (TLN) |
| mixer | 20200517 | NTUSER.DAT | Checks user's audio mixer settings |
| mixer_tln | 20141112 | NTUSER.DAT | Checks user's audio mixer info (TLN) |
| mmc | 20200517 | NTUSER.DAT | Get contents of user's MMC\Recent File List key |
| mmc_tln | 20120828 | NTUSER.DAT | Get contents of user's MMC\Recent File List key (TLN) |
| mmo | 20200517 | NTUSER.DAT | Checks NTUSER for Multimedia\Other values [malware] |
| mndmru | 20200517 | NTUSER.DAT | Get contents of user's Map Network Drive MRU |
| mndmru_tln | 20120829 | NTUSER.DAT | Get user's Map Network Drive MRU (TLN) |
| mp2 | 20200526 | NTUSER.DAT | Gets user's MountPoints2 key contents |
| mp2_tln | 20200525 | NTUSER.DAT | Gets user's MountPoints2 key contents (TLN) |
| mpmru | 20200517 | NTUSER.DAT | Gets user's Media Player RecentFileList values |
| msoffice | 20200518 | NTUSER.DAT | Get user's MSOffice content |
| msoffice_tln | 20200518 | NTUSER.DAT | Get user's MSOffice content (TLN) |
| muicache | 20200525 | NTUSER.DAT, USRCLASS.DAT | Gets EXEs from user's MUICache key |
| muicache_tln | 20130425 | NTUSER.DAT, USRCLASS.DAT | Gets EXEs from user's MUICache key (TLN) |
| nation | 20200517 | NTUSER.DAT | Gets region information from HKCU |
| oisc | 20091125 | NTUSER.DAT | Gets contents of user's Office Internet Server Cache |
| onedrive | 20200515 | NTUSER.DAT | Gets contents of user's OneDrive key |
| onedrive_tln | 20190823 | NTUSER.DAT | Gets contents of user's OneDrive key (TLN) |
| osversion | 20200511 | NTUSER.DAT | Checks for OSVersion value |
| osversion_tln | 20120608 | NTUSER.DAT | Checks for OSVersion value (TLN) |
| pendinggpos | 20200427 | NTUSER.DAT | Gets contents of user's PendingGPOs key |
| profiler | 20200525 | NTUSER.DAT, System | Environment profiler information |
| putty | 20200515 | NTUSER.DAT | Extracts the saved SshHostKeys for PuTTY |
| recentapps | 20200515 | NTUSER.DAT | Gets contents of user's RecentApps key |
| recentapps_tln | 20190513 | NTUSER.DAT | Gets contents of user's RecentApps key (TLN) |
| recentdocs | 20200427 | NTUSER.DAT | Gets contents of user's RecentDocs key |
| recentdocs_tln | 20140220 | NTUSER.DAT | Gets contents of user's RecentDocs key (TLN) |
| runmru | 20200525 | NTUSER.DAT | Gets contents of user's RunMRU key |
| runmru_tln | 20120828 | NTUSER.DAT | Gets contents of user's RunMRU key (TLN) |
| searchscopes | 20200517 | NTUSER.DAT | Gets contents of user's SearchScopes key |
| sevenzip | 20210329 | NTUSER.DAT | Gets records of histories from 7-Zip keys |
| shc | 20200427 | NTUSER.DAT | Gets SHC entries from user hive |
| shellfolders | 20200515 | NTUSER.DAT | Gets user's shell folders values |
| speech | 20200427 | NTUSER.DAT | Get values from user's Speech key |
| speech_tln | 20191010 | NTUSER.DAT | Get values from user's Speech key (TLN) |
| sysinternals | 20080324 | NTUSER.DAT | Checks for SysInternals apps keys |
| sysinternals_tln | 20080324 | NTUSER.DAT | Checks for SysInternals apps keys (TLN) |
| tsclient | 20200518 | NTUSER.DAT | Displays contents of user's Terminal Server Client\Default key |
| tsclient_tln | 20120827 | NTUSER.DAT | Displays contents of user's Terminal Server Client key (TLN) |
| typedpaths | 20200526 | NTUSER.DAT | Gets contents of user's typedpaths key |
| typedpaths_tln | 20120828 | NTUSER.DAT | Gets contents of user's typedpaths key (TLN) |
| typedurls | 20200526 | NTUSER.DAT | Returns contents of user's TypedURLs key |
| typedurlstime | 20200526 | NTUSER.DAT | Returns contents of user's TypedURLsTime key |
| typedurlstime_tln | 20120613 | NTUSER.DAT | Returns contents of Win8 user's TypedURLsTime key (TLN) |
| typedurls_tln | 20120827 | NTUSER.DAT | Returns MRU for user's TypedURLs key (TLN) |
| userassist | 20170204 | NTUSER.DAT | Displays contents of UserAssist subkeys |
| userassist_tln | 20180710 | NTUSER.DAT | Displays contents of UserAssist subkeys in TLN format |
| wc_shares | 20200515 | NTUSER.DAT | Gets contents of user's WorkgroupCrawler/Shares subkeys |
| winrar | 20200526 | NTUSER.DAT | Get WinRAR\ArcHistory entries |
| winrar_tln | 20120829 | NTUSER.DAT | Get WinRAR\ArcHistory entries (TLN) |
| winscp | 20201227 | NTUSER.DAT | Gets user's WinSCP 2 data |
| winzip | 20200526 | NTUSER.DAT | Get WinZip extract and filemenu values |
| wordwheelquery | 20200823 | NTUSER.DAT | Gets contents of user's WordWheelQuery key |
| wordwheelquery_tln | 20200824 | NTUSER.DAT | Gets contents of user's WordWheelQuery key (TLN) |
| allowedenum | 20200511 | NTUSER.DAT, Software | Extracts AllowedEnumeration values to determine hidden special folders |
| appcompatflags | 20200525 | NTUSER.DAT, Software | Extracts AppCompatFlags for Windows |
| appkeys | 20200517 | NTUSER.DAT, Software | Extracts AppKeys entries |
| appkeys_tln | 20180920 | NTUSER.DAT, Software | Extracts AppKeys entries (TLN) |
| apppaths_tln | 20130429 | NTUSER.DAT, Software | Gets content of App Paths subkeys (TLN) |
| disablemru | 20190924 | NTUSER.DAT, Software | Checks settings disabling user's MRUs |
| injectdll64 | 20200427 | NTUSER.DAT, Software | Retrieve values set to weaken Chrome security |
| outlook_homepage | 20201002 | NTUSER.DAT, Software | Retrieve values set to attack Outlook WebView Homepage |
| pslogging | 20200515 | NTUSER.DAT, Software | Extracts PowerShell logging settings |
| runvirtual | 20200427 | NTUSER.DAT, Software | Gets RunVirtual entries |
| runvirtual_tln | 20191211 | NTUSER.DAT, Software | Gets RunVirtual entries (TLN) |
| samparse | 20200825 | SAM | Parse SAM file for user & group membership info |
| samparse_tln | 20200826 | SAM | Parse SAM file for user acct info (TLN) |
| auditpol | 20200515 | Security | Get audit policy from the Security hive file |
| secrets | 20200517 | Security | Get the last write time for the Policy\Secrets key |
| secrets_tln | 20140814 | Security | Get the last write time for the Policy\Secrets key (TLN) |
| appinitdlls | 20200427 | Software | Gets contents of AppInit_DLLs value |
| at | 20200525 | Software | Checks Software hive for AT jobs |
| at_tln | 20140821 | Software | Checks Software hive for AT jobs (TLN) |
| audiodev | 20200525 | Software | Gets audio capture/render devices |
| btconfig | 20200526 | Software | Determines Bluetooth devices 'seen' by Broadcom drivers |
| calibrator | 20200427 | Software | Checks DisplayCalibrator value (possible bypass assoc with LockBit ransomware) |
| clsid | 20200526 | Software, USRCLASS.DAT | Get list of CLSID/registered classes |
| cmd_shell | 20200515 | Software | Gets shell open cmds for various file types |
| dcom | 20200525 | Software | Check DCOM Ports |
| defender | 20200427 | Software | Get Windows Defender settings |
| direct | 20200515 | Software | Searches Direct* keys for MostRecentApplication subkeys |
| direct_tln | 20190911 | Software | Searches Direct* keys for MostRecentApplication subkeys (TLN) |
| disablesr | 20200515 | Software | Gets the value that turns System Restore either on or off |
| drivers32 | 20200525 | Software | Get values from the Drivers32 key |
| emdmgmt | 20200511 | Software | Gets contents of EMDMgmt subkeys and values |
| execpolicy | 20200517 | Software | Gets PowerShell Execution Policy |
| gpohist | | Software | Collects system/user GPO history |
| gpohist_tln | | Software | Collects system/user GPO history (TLN) |
| heap | 20200427 | Software | Checks HeapLeakDetection\DiagnosedApplications subkeys |
| ica_sessions | 20200528 | Software | ARETE ONLY - Extracts Citrix ICA Session info |
| imagefile | 20200515 | Software | Checks ImageFileExecutionOptions subkeys values |
| inprocserver | 20200427 | Software | Checks CLSID InProcServer32 values for indications of malware |
| installer | 20200517 | Software | Determines product install information |
| killsuit | 20200427 | Software | Check for indications of Danderspritz Killsuit installation |
| killsuit_tln | 20200414 | Software | Check for indications of Danderspritz Killsuit installation (TLN) |
| landesk | 20200517 | Software | Get list of programs monitored by LANDESK - Software hive |
| landesk_tln | 20130214 | Software | Get list of programs monitored by LANDESK from Software hive (TLN) |
| lastloggedon | 20200517 | Software | Gets LastLoggedOn* values from LogonUI key |
| licenses | 20200526 | Software | Get contents of HKLM/Software/Licenses key |
| msis | 20200517 | Software | Determine MSI packages installed on the system |
| netsh | 20200515 | Software | Gets list of NetSH helper DLLs |
| networkcards | 20200518 | Software | Get NetworkCards Info |
| networklist | 20200518 | Software | Collects network info from NetworkList key |
| networklist_tln | 20150812 | Software | Collects network info from NetworkList key (TLN) |
| portdev | 20090118 | Software | Parses Windows Portable Devices key contents |
| powershellcore | 20200525 | Software | Extracts PowerShellCore settings |
| printdemon | 20200514 | Software | Gets value assoc with printer ports and descriptions |
| profilelist | 20200518 | Software | Get content of ProfileList key |
| psscript | 20200525 | Software, NTUSER.DAT | Get PSScript.ini values |
| run | 20200511 | Software, NTUSER.DAT | [Autostart] Get autostart key contents from Software hive |
| runonceex | 20200427 | Software | Gets contents of RunOnceEx values |
| ryuk_gpo | 20200427 | Software | Get GPO policy settings from Software hive related to Ryuk |
| schedagent | 20200518 | Software | Get SchedulingAgent key contents |
| scriptleturl | 20200525 | Software, USRCLASS.DAT | Check CLSIDs for ScriptletURL subkeys |
| secctr | 20200517 | Software | Get data from Security Center key |
| sfc | 20200517 | Software | Get SFC values |
| shelloverlay | 20100308 | Software | Gets ShellIconOverlayIdentifiers values |
| spp_clients | 20130429 | Software | Determines volumes monitored by VSS |
| srum | 20200518 | Software | Gets contents of SRUM subkeys |
| ssid | 20200515 | Software | Get WZCSVC SSID Info |
| susclient | 20200518 | Software | Extracts SusClient* info including HDD SN (if avail) |
| systemindex | 20200518 | Software | Gets systemindex\..\Paths info from Windows Search key |
| taskcache | 20200427 | Software | Checks TaskCache\Tree root keys (not subkeys) |
| taskcache_tln | 20200416 | Software | Checks TaskCache\Tree root keys (not subkeys) (TLN) |
| tasks | 20200427 | Software | Checks TaskCache\Tasks subkeys |
| tasks_tln | 20200416 | Software | Checks TaskCache\Tasks subkeys (TLN) |
| thispcpolicy | 20200511 | Software | Gets ThisPCPolicy values |
| tracing | 20200511 | Software | Gets list of apps that can be traced |
| tracing_tln | 20120608 | Software | Gets list of apps that can be traced (TLN) |
| uac | 20200427 | Software | Get select User Account Control (UAC) values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies |
| uninstall | 20200525 | Software, NTUSER.DAT | Gets contents of Uninstall keys from Software |
| uninstall_tln | 20120523 | Software, NTUSER.DAT | Gets contents of Uninstall keys from Software (TLN) |
| volinfocache | 20200518 | Software | Gets VolumeInfoCache from Windows Search key |
| wab | 20200427 | Software | Get WAB DLLPath settings |
| wab_tln | 20191122 | Software | Get WAB DLLPath settings (TLN) |
| watp | 20200427 | Software | Gets contents of Windows Advanced Threat Protection key |
| wbem | 20200511 | Software | Get some contents from WBEM key |
| winlogon_tln | 20130429 | Software | Alerts on values from the WinLogon key (TLN) |
| winver | 20200525 | Software | Get Windows version & build info |
| wow64 | 20200515 | Software | Gets contents of WOW64\x86 key |
| wsh_settings | 20200517 | Software | Gets WSH Settings |
| syscache | 20200515 | syscache | Parse SysCache.hve file |
| syscache_csv | 20200515 | syscache | |
| syscache_tln | 20190516 | syscache | |
| appcertdlls | 20200427 | System | Get entries from AppCertDlls key |
| appcompatcache | 20200428 | System | Parse files from System hive AppCompatCache |
| appcompatcache_tln | 20190112 | System | Parse files from System hive AppCompatCache (TLN) |
| backuprestore | 20200517 | System | Gets the contents of the FilesNotToSnapshot, KeysNotToRestore and FilesNotToBackup keys |
| bam | 20200427 | System | Parse files from System hive BAM Services |
| bam_tln | 20180225 | System | Parse files from System hive BAM Services (TLN) |
| bthenum | 20200515 | System | Get BTHENUM subkey info |
| bthport | 20200517 | System | Gets Bluetooth-connected devices from System hive |
| bthport_tln | 20180705 | System | Gets Bluetooth-connected devices from System hive; TLN output |
| codepage | 20200519 | System | Checks codepage value |
| compname | 20090727 | System | Gets ComputerName and Hostname values from System hive |
| cred | 20200427 | System | Checks for UseLogonCredential value |
| cred_tln | 20200402 | System | Checks UseLogonCredential value (TLN) |
| dafupnp | 20200525 | System | Parses data from networked media streaming devices |
| devclass | 20200525 | System | Get USB device info from the DeviceClasses keys in the System hive |
| disablelastaccess | 20200517 | System | Get NTFSDisableLastAccessUpdate value |
| disableremotescm | 20200513 | System | Gets DisableRemoteScmEndpoints value from System hive |
| environment | 20200512 | System, NTUSER.DAT | Get environment vars from NTUSER.DAT & System hives |
| imagedev | 20140104 | System | -- |
| ips | 20200518 | System | Get IP Addresses and domains (DHCP static) |
| lsa | 20200517 | System | Lists specific contents of LSA key |
| macaddr | 20200515 | System, Software | |
| mountdev | 20200517 | System | Return contents of System hive MountedDevices key |
| mountdev2 | 20200517 | System | Return contents of System hive MountedDevices key |
| netlogon | 20200515 | System | Parse values for machine account password changes |
| networksetup2 | 20191004 | System | Get NetworkSetup2 subkey info |
| nic2 | 20200525 | System | Gets NIC info from System hive |
| ntds | 20200427 | System | Parse Services NTDS key for specific persistence values |
| pagefile | 20140505 | System | Get info on pagefile(s) |
| pending | 20130711 | System | Gets contents of PendingFileRenameOperations value |
| portproxy | 20210622 | System | Get port proxy configuration from PortProxy key |
| prefetch | 20200515 | System | Gets the Prefetch Parameters |
| printmon | 20200427 | System | Lists installed Print Monitors |
| printmon_tln | 20191122 | System | Lists installed Print Monitors (TLN) |
| processor_architecture | 20140505 | System | Get the processor architecture from the System's environment key |
| rdpport | 20200526 | System | Queries System hive for RDP Port |
| remoteaccess | 20200517 | System | Get RemoteAccess AccountLockout settings |
| routes | 20200526 | System | Get persistent routes from the Registry |
| ScanButton | 20131210 | System | Get Scan Button information |
| securityproviders | 20200526 | System | Gets SecurityProvider value from System hive |
| services | 20191024 | System | Lists services/drivers in Services key by LastWrite times |
| shares | 20200525 | System | Get list of shares from System hive file |
| shimcache | 20200428 | System | Parse file refs from System hive AppCompatCache data |
| shimcache_tln | 20190112 | System | Parse file refs from System hive AppCompatCache data (TLN) |
| shutdown | 20200518 | System | Gets ShutdownTime value from System hive |
| source_os | 20200511 | System | Parse Source OS subkey values |
| svc | 20200525 | System | Lists Services key contents by LastWrite time (CSV) |
| svcdll | 20200525 | System | Lists Services keys with ServiceDll values |
| svc_tln | 20130911 | System | Lists Services key contents by LastWrite time (CSV, TLN) |
| termcert | 20200526 | System | Gets Terminal Server certificate |
| termserv | 20200506 | System, Software | Gets Terminal Server settings from System and Software hives |
| timezone | 20200518 | System | Get TimeZoneInformation key contents |
| usb | 20200515 | System | Get USB key info |
| usbdevices | 20200525 | System | Parses Enum\USB key for USB & WPD devices |
| usbstor | 20200515 | System | Get USBStor key info |
| wpdbusenum | 20200515 | System | Get WpdBusEnum subkey info |
| exefile | 20211214 | USRCLASS.DAT, Software | Get file associations using exefile file handler and modified open handler for exefile |
| photos | 20200525 | USRCLASS.DAT | Shell/BagMRU traversal in Win7 USRCLASS.DAT hives |
| shellbags | 20200428 | USRCLASS.DAT | Shell/BagMRU traversal in Win7+ USRCLASS.DAT hives |
| shellbags_tln | 20180702 | USRCLASS.DAT | Shell/BagMRU traversal in Win7 USRCLASS.DAT hives (TLN) |
| uacbypass | 20200511 | USRCLASS.DAT, Software | Get possible UAC bypass settings ntVersion\Policies\System |