Windows Registry Forensics: Extraction Through PowerShell - Part 2

THREAT RESEARCH

Waqas Qureshi

3/23/2025, 2 min read

Extracting Forensic Registry Artifacts with PowerShell

Windows registry analysis is a critical component of digital forensics, providing valuable insights into user activity, system configurations, and potential security incidents. Investigators often need to extract specific registry artifacts to uncover traces of malware persistence, user interactions, and forensic evidence of unauthorized access.

This PowerShell script automates the extraction of key forensic registry locations, streamlining the collection process and ensuring comprehensive artifact retrieval.

Benefits of This Script
  • Automation & Efficiency – Quickly gathers multiple registry artifacts in one execution, reducing manual effort.
  • Covers Key Forensic Artifacts – Extracts evidence of program execution, persistence mechanisms, user activity, network configurations, and more.
  • Forensic Readiness – Helps incident responders and forensic analysts proactively collect relevant artifacts for investigations.
  • Easy Logging – Outputs all results to a text file (C:\Forensic_Registry_Artifacts.txt), making documentation and review more manageable.

Key Artifacts Collected

This script queries crucial registry paths related to:
  • Persistence Mechanisms (e.g., Run keys, Winlogon settings)
  • User Activity (e.g., Recent documents, UserAssist, OpenSave history)
  • Network & Remote Access (e.g., Terminal Services, TCP/IP parameters)
  • USB Device History (e.g., USBSTOR enumeration)
  • Security & Authentication (e.g., LSA settings, Windows Vault, SAM database)

This tool is an essential addition to any forensic investigator’s toolkit, enabling efficient and thorough registry artifact collection for incident response and malware investigations.

$outputFile = "C:\Forensic_Registry_Artifacts.txt"

# Registry locations to dump. They are passed to reg.exe, so the hive
# abbreviations (HKCU/HKLM) are used rather than PowerShell drive paths.
$keys = @(
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run",                                  # autostart (per user)
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run",                                  # autostart (all users)
    "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",                          # Shell / Userinit logon hooks
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",      # per-executable Debugger entries
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks",         # scheduled task cache
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist",                  # program execution history (ROT13 names)
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",                  # recently opened documents
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU",    # Open/Save dialog history
    "HKCU\Software\Microsoft\Terminal Server Client\Default",                              # outbound RDP targets
    "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters",                             # TCP/IP configuration
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings",                    # proxy and zone settings
    "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR",                                          # USB mass-storage history
    "HKLM\SYSTEM\MountedDevices",
    "HKLM\SYSTEM\CurrentControlSet\Control\Lsa",                                           # LSA / authentication packages
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Vault",                                # Windows Vault (Credential Manager)
    "HKLM\SAM",                                                                            # readable only by SYSTEM; an elevated admin prompt still gets "Access is denied"
    "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows",                           # AppInit_DLLs and related settings
    "HKLM\Software\Classes\*\shellex\ContextMenuHandlers"                                  # shell extensions loaded into Explorer
)

foreach ($key in $keys) {
    Write-Output "Extracting: $key" | Out-File -Append -FilePath $outputFile
    # /s recurses into all subkeys; 2>&1 keeps reg.exe errors (missing key, access denied) in the same log
    reg query $key /s 2>&1 | Out-File -Append -FilePath $outputFile
}

Write-Output "Registry extraction completed. Results saved to $outputFile"
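The UserAssist key above is the one artifact in the list that reg query leaves unreadable: the value names are ROT13-encoded program paths and each value is a binary blob that holds the run count and the last execution time. The function below, added here as an example and not part of the original script, decodes both. It assumes the value layout used since Windows 7 (a 72-byte record with the run count as a DWORD at byte offset 4 and the last-execution FILETIME at offset 60); the function names ConvertFrom-Rot13 and Get-UserAssistEntries are my own.

```powershell
# Added example, not part of the original script: decode the UserAssist entries that
# "reg query ... UserAssist /s" dumps only as ROT13 names and raw hex.
# Assumed layout (Windows 7 and later): run count = DWORD at offset 4,
# last execution time = FILETIME at offset 60 of each value.

function ConvertFrom-Rot13 {
    param([Parameter(Mandatory)][string]$Text)
    $chars = $Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if     ($c -ge 65 -and $c -le 90)  { [char]((($c - 65 + 13) % 26) + 65) }  # A-Z
        elseif ($c -ge 97 -and $c -le 122) { [char]((($c - 97 + 13) % 26) + 97) }  # a-z
        else                               { $_ }                                    # digits, braces, backslashes unchanged
    }
    return -join $chars
}

function Get-UserAssistEntries {
    param([string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist')

    # One GUID subkey per artifact type (executables, shortcuts); the values live under {GUID}\Count
    foreach ($guidKey in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $countPath = Join-Path -Path $guidKey.PSPath -ChildPath 'Count'
        if (-not (Test-Path -Path $countPath)) { continue }
        $countKey = Get-Item -Path $countPath

        foreach ($name in $countKey.GetValueNames()) {
            $raw = $countKey.GetValue($name)
            # Skip anything too short to carry the FILETIME at offset 60 (legacy or malformed values)
            if (-not ($raw -is [byte[]]) -or $raw.Length -lt 68) { continue }

            $runCount = [BitConverter]::ToUInt32($raw, 4)
            $fileTime = [BitConverter]::ToInt64($raw, 60)
            $lastRun  = if ($fileTime -gt 0) { [DateTime]::FromFileTimeUtc($fileTime) } else { $null }

            [pscustomobject]@{
                Program    = ConvertFrom-Rot13 -Text $name   # the whole name, GUID prefix included, is ROT13-encoded
                RunCount   = $runCount
                LastRunUtc = $lastRun
                GuidKey    = $guidKey.PSChildName
            }
        }
    }
}

# Usage: most recently executed programs first
Get-UserAssistEntries | Sort-Object LastRunUtc -Descending | Format-Table -AutoSize
```

Running this against the same HKCU hive the script dumps turns the opaque reg query output into a timeline of program launches for the logged-on user; entries with a zero FILETIME are kept but show an empty LastRunUtc rather than a bogus 1601 date.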

How to Execute the Forensic Registry Extraction Script

Before running the script, ensure you meet the following requirements:
  1. Administrator Privileges – Some registry keys (especially under HKLM and SAM) require elevated privileges.
  2. PowerShell Execution Policy – Ensure PowerShell allows script execution.

Step-by-Step Execution Guide:
  • Open PowerShell as Administrator
    • Method 1 (Windows GUI)
      • Click on the Start Menu, type PowerShell.
      • Right-click Windows PowerShell and select Run as administrator.
    • Method 2 (Command Line)
      • Press Win + X and select Terminal (Admin) or PowerShell (Admin).
      • If prompted by User Account Control (UAC), click Yes.

Execute the Script:
  • Method 1: Copy-Paste & Run
    • Open PowerShell (Admin).
    • Copy and paste the entire script into the console and press Enter.
  • Method 2: Save and Run as a .ps1 File
    • Open Notepad or any text editor.
    • Paste the script into the editor.
    • Save it as Extract_Registry_Artifacts.ps1 (ensure the .ps1 extension).
    • Navigate to the file location in PowerShell using: cd C:\Path\To\Script\
    • Run the script using: .\Extract_Registry_Artifacts.ps1
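The two prerequisites and the .ps1 method above can be wrapped in a short launcher so a responder does not discover a missing privilege or a blocked execution policy halfway through a collection. The following is an added example, not part of the original post: it checks for elevation, relaxes the execution policy for the current process only, refuses to append to an existing output file, runs the script, and writes a SHA-256 of the result beside it so the evidence file can later be shown to be unmodified. It assumes the script was saved as .\Extract_Registry_Artifacts.ps1 and writes C:\Forensic_Registry_Artifacts.txt, as described above; the helper name Test-IsElevated is my own.

```powershell
# Added example (not from the original post): run the extraction script with the
# guide's prerequisites checked first, then hash the collected output.
# Assumed: script saved as .\Extract_Registry_Artifacts.ps1, output file as in the post.
$scriptPath = ".\Extract_Registry_Artifacts.ps1"
$outputFile = "C:\Forensic_Registry_Artifacts.txt"

function Test-IsElevated {
    # True when the current token carries the Administrators role,
    # i.e. the console was opened with "Run as administrator" and UAC was accepted.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    throw "Open PowerShell as Administrator first (requirement 1 of the guide)."
}

# Requirement 2: allow this process, and only this process, to run the .ps1.
# -Scope Process leaves the machine-wide policy untouched.
if ((Get-ExecutionPolicy) -in @('Restricted', 'AllSigned')) {
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
}

# The script appends to its output file; refuse to mix two collections in one log.
if (Test-Path -Path $outputFile) {
    throw "$outputFile already exists. Move it aside before collecting again."
}

& $scriptPath

# Hash the evidence file immediately after collection and store the hash next to it.
$hash = Get-FileHash -Path $outputFile -Algorithm SHA256
"{0}  {1}  {2:u}" -f $hash.Hash, $outputFile, (Get-Date).ToUniversalTime() |
    Out-File -FilePath "$outputFile.sha256"
Write-Output "SHA256 of ${outputFile}: $($hash.Hash)"
```

The execution-policy change is deliberately scoped to the process: RemoteSigned (the default on servers) already permits a locally created .ps1, so only Restricted and AllSigned need to be relaxed, and only for the duration of this console session.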

Script: Forensic_Registry_Artifacts
If you haven't read Part 1 of this, it is here.