Searching the Registry using PowerShell

On a cold and rainy Thursday morning, I thought it would be a good time to write a post on searching the Windows registry using PowerShell. In an incident response scenario you may want or need to do some live analysis on a compromised system, and part of that analysis may be to search the registry for whatever artifact is relevant to the case. PowerShell lets you do this relatively efficiently and is, of course, built in on newer versions of Windows (Windows 7, Server 2008, etc.).

For example, let’s say that you know (or have guessed) that you’re dealing with some sort of malware that is probably going to call home at some point, and you want to look through the registry to see whether the malware author decided to store any IPs/URLs in the clear. In PowerShell you can easily browse and search the registry just as if you were dealing with a filesystem. There are a number of ways to accomplish this (for example, using -match rather than Select-String), so feel free to use whatever method you’re comfortable with. But let me show you how I mangled my way through it this morning…

1. Open up a PowerShell window.
2. Let’s look for things that appear to be IP addresses under HKEY_CURRENT_USER, so first I need to recursively iterate through everything under that hive. I do this with the Get-ChildItem cmdlet (-rec and -ea are the short forms of -Recurse and -ErrorAction):

[code]Get-ChildItem HKCU:\ -rec -ea SilentlyContinue[/code]
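Carrying the idea through to the search itself, here is an added example (my own code, not part of the original post) that walks every key under HKCU, reads each value, and reports any string data containing something shaped like an IPv4 address. The IPv4 regex, the "(default)" value handling and the output columns are my assumptions; the page only shows the Get-ChildItem enumeration step.

```powershell
# Added example, not from the original post: recursive HKCU walk plus an
# IPv4 pattern match over every string-typed value.
# The regex below is an assumption chosen to match dotted-quad addresses
# with each octet in the range 0-255.
$ipPattern = '\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b'

Get-ChildItem -Path HKCU:\ -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $key = $_
    # The Property note-property lists the value names present in this key.
    foreach ($name in $key.Property) {
      # PowerShell shows the default value as "(default)"; RegistryKey.GetValue
      # expects an empty string for it.
      $lookup = if ($name -eq '(default)') { '' } else { $name }
      $data   = $key.GetValue($lookup)

      # Only REG_SZ / REG_EXPAND_SZ (string) and REG_MULTI_SZ (string[])
      # can hold a readable address; DWORD and binary values are skipped.
      if ($data -is [string] -or $data -is [string[]]) {
        foreach ($s in @($data)) {
          foreach ($m in [regex]::Matches($s, $ipPattern)) {
            [pscustomobject]@{
              Key   = $key.Name      # e.g. HKEY_CURRENT_USER\Software\...
              Value = $name
              IP    = $m.Value
            }
          }
        }
      }
    }
  } | Format-Table -AutoSize
```

Each hit is reported as the key path, the value name and the matched address, so the output can be piped to Export-Csv for the case file instead of Format-Table. Expect some benign matches (proxy settings, printer and network-share entries), and keep in mind that this only finds addresses stored as plain strings: anything the malware wrote as REG_BINARY, encoded or split across values will not show up, which is exactly the "in the clear" caveat from above.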
