How not to get p0wned by RR v2.5
I recently provided a minor update to the RegRipper tools, moving to v2.5. As there was no modification to how the tools would interact with the plugins, I only provided the tools themselves, including both the Perl scripts (source code) and Windows executables, compiled via Perl2Exe. I did not include the contents of the plugins directory along with the distribution, as I figured folks who were using the tool would just copy the files over their current installation.
Since the release of the updates, I've received a couple of comments about the RegRipper GUI not working properly. Some folks are finding that the "Plugins File" drop-down box will not be populated, and the assumption appears to be that the tool isn't reading the plugins directory, even though the "plugins" directory exists and contains plugins. When you launch the GUI, one of the things that happens is that the GUI will look in the "plugins" directory for any files that do NOT contain an extension, and assume that these are profiles. What appears to be happening is that while the directory contains plugins, it does not contain profiles; these are the files that tell RegRipper which plugins to run. By default, those profiles are "ntuser", "sam", "security", "software" and "system", all without any extension (by that, I mean that the file does not end with '.txt' or anything else).
What I think may be happening is that folks are creating fresh installations of the tool; they're downloading the new version and putting it into its own directory, and then getting the plugins archive file from here; this archive does not contain the profiles.
What you can do in that case is copy the profiles over from your RR v2.02 install, or simply create your own profile. A really easy way to do that is to go to your RR v2.5 install directory, open a command prompt, and type:
rip -c -l > plugins.csv
Open the resulting file in Excel and sort the rows, based on the hive column. Another way to do this for individual hive files is to use a command such as the following:
rip -l -c | find ",Software,"
This will list just the plugins that are intended to be run against the Software hive, their versions, etc.
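The steps above (list the plugins as CSV, keep the rows for one hive, save the names as an extensionless file in the plugins directory) can be scripted so the profile is rebuilt without a trip through Excel. The following is an added example written for this post, not code from RegRipper itself. It assumes that `rip -l -c` prints one plugin per row with the columns name, version, hive, description, that a profile is simply one plugin name per line, and it uses a small constructed sample of that output rather than running rip; the plugin names and version numbers in the sample are made up for the example.

```python
import csv
import io
import tempfile
from pathlib import Path

# Constructed stand-in for what `rip -l -c` prints. The column order
# (name, version, hive, description) is an assumption for this example.
SAMPLE_RIP_OUTPUT = """\
uninstall,20090413,Software,Gets contents of Uninstall key from Software hive
winver,20081210,Software,Get Windows version and build info
userassist,20090228,NTUSER.DAT,Displays contents of UserAssist Registry key
mrt,20080804,Software,Checks last time MRT was run
"""


def plugins_for_hive(rip_csv_text, hive):
    """Return the plugin names whose hive column matches `hive` (case-insensitive).

    This is the scripted equivalent of `rip -l -c | find ",Software,"`,
    but it compares the hive column itself instead of grepping the raw line.
    """
    names = []
    for row in csv.reader(io.StringIO(rip_csv_text)):
        if len(row) < 3:
            continue  # skip blank or malformed lines
        name, hive_col = row[0].strip(), row[2].strip()
        if hive_col.lower() == hive.lower():
            names.append(name)
    return names


def write_profile(plugins_dir, profile_name, plugin_names):
    """Write a profile: an extensionless file, one plugin name per line (assumed format)."""
    path = Path(plugins_dir) / profile_name
    path.write_text("\n".join(plugin_names) + "\n")
    return path


def list_profiles(plugins_dir):
    """Apply the GUI's rule: any file in plugins/ with no extension is a profile."""
    return sorted(
        p.name for p in Path(plugins_dir).iterdir() if p.is_file() and p.suffix == ""
    )


def demo():
    """Rebuild the 'software' profile in a temporary plugins directory.

    Returns (profiles the GUI would list, plugin names written, profile contents).
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed plugin files: they carry a .pl extension, so the GUI
        # must not mistake them for profiles.
        for fname in ("uninstall.pl", "winver.pl", "mrt.pl", "userassist.pl"):
            (Path(tmp) / fname).write_text("# placeholder plugin\n")
        names = plugins_for_hive(SAMPLE_RIP_OUTPUT, "Software")
        profile = write_profile(tmp, "software", names)
        return list_profiles(tmp), names, profile.read_text()


if __name__ == "__main__":
    profiles, names, contents = demo()
    print("profiles seen by GUI:", profiles)
    print("software profile:\n" + contents)
```

Before the profile is written, `list_profiles` returns an empty list even though the directory holds four plugins, which is exactly the empty drop-down box described above; after it is written, the single extensionless file "software" is the only entry.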