RegRipper.

An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in 'extractors' over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest. It belongs to the Forensics & IR category of cybersecurity.

An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in 'extractors' over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest.

RegRipper, written by Harlan Carvey and maintained on GitHub, is the de facto open-source tool for triaging Windows registry hives. Where a generic registry viewer (Registry Explorer, regedit) lets an analyst browse, RegRipper runs a curated library of Perl plug-ins that each target a specific artifact — RecentDocs, ShellBags, UserAssist, AppCompatCache, AmCache, USB device history, installed software, persistent run keys, services, scheduled tasks, network interfaces, Office MRU, and many more. Plug-ins emit consistently formatted text suitable for inclusion in a forensic report or for line-by-line review. RegRipper is normally pointed at offline copies of `NTUSER.DAT`, `UsrClass.dat`, `SOFTWARE`, `SYSTEM`, `SAM`, `SECURITY` extracted from a disk image or live system, and is most often used after autopsy/imaging tools have collected the relevant hives. Recent versions added support for the BCD hive and several new persistence-mechanism plug-ins reflecting modern adversary tradecraft.

Defences for RegRipper typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: RegRipper3, rip.exe.