Skip to content
Vol. 1 · Ed. 2026
CyberGlossary
Español
Entry № 1021

RegRipper

¿Qué es RegRipper?

RegRipperAn open-source Windows registry forensics tool by Harlan Carvey that runs plug-in 'extractors' over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest.

RegRipper, written by Harlan Carvey and maintained on GitHub, is the de facto open-source tool for triaging Windows registry hives. Where a generic registry viewer (Registry Explorer, regedit) lets an analyst browse, RegRipper runs a curated library of Perl plug-ins that each target a specific artifact — RecentDocs, ShellBags, UserAssist, AppCompatCache, AmCache, USB device history, installed software, persistent run keys, services, scheduled tasks, network interfaces, Office MRU, and many more. Plug-ins emit consistently formatted text suitable for inclusion in a forensic report or for line-by-line review. RegRipper is normally pointed at offline copies of `NTUSER.DAT`, `UsrClass.dat`, `SOFTWARE`, `SYSTEM`, `SAM`, `SECURITY` extracted from a disk image or live system, and is most often used after autopsy/imaging tools have collected the relevant hives. Recent versions added support for the BCD hive and several new persistence-mechanism plug-ins reflecting modern adversary tradecraft.

Ejemplos

  1. 01

    An IR triage runs RegRipper's `userassist`, `runmru`, and `recentdocs` plug-ins against a suspect's NTUSER.DAT to reconstruct recent program launches and document opens.

  2. 02

    A persistence-focused pass executes `services`, `run`, and `appcompatcache` against the SYSTEM hive of every endpoint imaged during the engagement.

Preguntas frecuentes

¿Qué es RegRipper?

An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in 'extractors' over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest. Pertenece a la categoría de Forense y respuesta en ciberseguridad.

¿Qué significa RegRipper?

An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in 'extractors' over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest.

¿Cómo funciona RegRipper?

RegRipper, written by Harlan Carvey and maintained on GitHub, is the de facto open-source tool for triaging Windows registry hives. Where a generic registry viewer (Registry Explorer, regedit) lets an analyst browse, RegRipper runs a curated library of Perl plug-ins that each target a specific artifact — RecentDocs, ShellBags, UserAssist, AppCompatCache, AmCache, USB device history, installed software, persistent run keys, services, scheduled tasks, network interfaces, Office MRU, and many more. Plug-ins emit consistently formatted text suitable for inclusion in a forensic report or for line-by-line review. RegRipper is normally pointed at offline copies of `NTUSER.DAT`, `UsrClass.dat`, `SOFTWARE`, `SYSTEM`, `SAM`, `SECURITY` extracted from a disk image or live system, and is most often used after autopsy/imaging tools have collected the relevant hives. Recent versions added support for the BCD hive and several new persistence-mechanism plug-ins reflecting modern adversary tradecraft.

¿Cómo defenderse de RegRipper?

Las defensas contra RegRipper combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.

¿Cuáles son otros nombres para RegRipper?

Nombres alternativos comunes: RegRipper3, rip.exe.

Términos relacionados