RegRipper and Internet Explorer.

I was working on a certification exam and I ran across a situation where I needed to find out what a user had set their home page to in Internet Explorer on a Windows XP machine. Seeing as I don't have a license to AccessData's Registry Viewer, I set out to find a free viewer to find the information I needed.

The home page settings for Internet Explorer are found in the NTUSER.dat file of the user account in question under the HKCU\Software\Microsoft\Internet Explorer\Main registry key. RegRipper does not extract this information fresh out of the box, so I had to write a custom plugin. Rather than start completely from scratch, I based this plugin off the user_run.pl plugin provided with the RegRipper program since it did pretty much what I wanted it to do with relatively few modifications.

The following plugin code is fully functional, and will dump the contents of the HKCU\Software\Microsoft\Internet Explorer\Main registry key to the console or a text file. Thanks to Harlan Carvey for developing such a versatile and extensible tool. To download RegRipper, go to regripper.net.

#-----------------------------------------------------------
# iexplore.pl
#
# copyright 2010 E. Rye  esten@ryezone.net
#-----------------------------------------------------------
package iexplore;
use strict;

my %config = (hive          => "NTUSER\.DAT",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20100308);

sub getConfig{return %config}

sub getShortDescr {
	return "Get Main Key contents from HKCU\\Software\\Microsoft\\Internet Explorer";	
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}

my $VERSION = getVersion();

sub pluginmain {
	my $class = shift;
	my $hive = shift;
	::logMsg("Launching iexplore v.".$VERSION);
	my $reg = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;

	my $key_path = "Software\\Microsoft\\Internet Explorer\\Main";
	my $key;
	if ($key = $root_key->get_subkey($key_path)) {
		::rptMsg($key_path);
		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
		my %vals = getKeyValues($key);
		if (scalar(keys %vals) > 0) {
			foreach my $v (keys %vals) {
				::rptMsg("\t".$v." -> ".$vals{$v});
			}
		}
		else {
			::rptMsg($key_path." has no values.");
		}		
		my @sk = $key->get_list_of_subkeys();
		if (scalar(@sk) > 0) {
			foreach my $s (@sk) {
				::rptMsg("");
				::rptMsg($key_path."\\".$s->get_name());
				::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
				my %vals = getKeyValues($s);
				foreach my $v (keys %vals) {
					::rptMsg("\t".$v." -> ".$vals{$v});
				}
			}
		}
		else {
			::rptMsg("");
			::rptMsg($key_path." has no subkeys.");
		}
	}
	else {
		::rptMsg($key_path." not found.");
		::logMsg($key_path." not found.");
	}	
}

# Return a hash of value name => data for every value under the given key.
sub getKeyValues {
	my $key = shift;
	my %vals;
	my @vk = $key->get_list_of_values();
	foreach my $v (@vk) {
		# Skip an unnamed (default) value that carries no data.
		next if ($v->get_name() eq "" && $v->get_data() eq "");
		$vals{$v->get_name()} = $v->get_data();
	}
	return %vals;
}

1;
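
The plugin above dumps every value under the Main key. When only the home page matters, a narrower query is easier to read and to cite in a report. The following standalone script is an added example, not part of the original post or of RegRipper. It assumes the Parse::Win32Registry module is installed and the hive path is given on the command line; the value names "Secondary Start Pages" and "Default_Page_URL" are not mentioned in the post and are included as assumptions about what an examiner would also want.

```perl
#!/usr/bin/perl
# Added example (not the original plugin): report only the home-page
# values from an offline NTUSER.DAT hive.
# Usage: perl ie_homepage.pl /path/to/NTUSER.DAT
use strict;
use warnings;
use Parse::Win32Registry;

# Value names of interest under ...\Internet Explorer\Main (assumed list).
# "Start Page" is the user's home page; "Secondary Start Pages" holds
# additional home-page tabs on IE7 and later; "Default_Page_URL" is the
# default that the home page can be reset to.
my @wanted   = ("Start Page", "Secondary Start Pages", "Default_Page_URL");
my $key_path = "Software\\Microsoft\\Internet Explorer\\Main";

my $hive = shift or die "usage: $0 <path to NTUSER.DAT>\n";
my $reg = Parse::Win32Registry->new($hive)
    or die "$hive is not a registry file\n";
my $root_key = $reg->get_root_key
    or die "$hive has no root key\n";
my $key = $root_key->get_subkey($key_path)
    or die "$key_path not found in $hive\n";

# The LastWrite time belongs to the key as a whole: it shows when some
# value under Main last changed, not necessarily the home page itself.
print "$key_path\n";
print "LastWrite Time ", $key->get_timestamp_as_string(), "\n";

foreach my $name (@wanted) {
    my $value = $key->get_value($name);
    if (!defined $value) {
        print "\t$name -> (value not present)\n";
        next;
    }
    # get_data_as_string() renders binary types as hex and REG_MULTI_SZ
    # as indexed elements, so the report stays readable whatever the type.
    printf "\t%s [%s] -> %s\n", $name, $value->get_type_as_string(),
        $value->get_data_as_string();
}
```

Printing the value type next to the data makes it obvious when a value that should be a string has been stored as something else.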