Yet Another Registry Utility (yaru)

yaru is a platform independent Windows registry viewer. Inspired by the desire to look into the Windows registry metadata, so as to better forensically analyze the registry hives, yaru was designed with a portable and extensible architecture in mind so that it could be compiled to run on various operating systems. The registry parsing engine is written in standard C/C++ and has no dependencies on the Windows registry API functions.

The Windows version of yaru has the ability to take a snapshot of any of the active hives and examine the internal structure of the hive. Since the Windows operating system locks down the active hives from other processes reading them, yaru can resort to raw NTFS disk reads to read any of the desired hives. Consequently, this requires the user to run this tool with administrative privileges. While this approach adds complexity to yaru, it ensures that all metadata is available for analysis, as well as ensures there is no corruption or changes to the active hive during analysis.

Some other rudimentary functionality includes:

When a hive is loaded into yaru, the hive is broken up into 4 main segments: (a) the normal hive data that is viewable by the normal registry editors, (b) the unallocated space within the hive, (c) any allocated space that should have a parent key but does not, and (d) any deleted keys and their associated values that have not been overwritten.

yaru's main screen

When traversing any of the keys or associated values, all the metadata is shown without regard to the permissions of the user running yaru. However, depending on the license you have, some of the information may not be shown.

For the reconstruction of deleted keys/values, yaru does its best putting the deleted entries into the proper context of where they were in the overall hive hierarchy. Sometimes this is not possible, when one of the nodes in the heirarchy have been overwritten during space reuse. yaru clearly shows when it cannot complete the entire path to the parent root key by grouping these entries in the folder "unk_path" as shown below.

Key/Value reconstruction

One can export any of the deleted keys along with their associated parents that have not been deleted but right clicking on the folder and selecting one the "Export Keys" options.

Exporting key hierarchy

The exported keys and values are rendered in the Windows Registry Editor Version 5.00 format. If a deleted key has a parent key in the hierarchy that is not deleted, then they are shown as well. Below is a snipet from an deleted key and what the output looks like.

Export snipet

One of the more useful capabilities yaru has is the ability to generate reports. These reports can target the live system hive or the hive that was explicitly loaded into yaru.

Reports

Downloads

32-bit Version64-bit Version
Windows:yaru32.v.1.41.win.zipyaru64.v.1.41.win.zipmd5/sha1
Linux:yaru32.v.1.41.lin.tar.gzyaru64.v.1.41.lin.tar.gzmd5/sha1
Mac OS X:Not Availableyaru.v.1.41.osx.tar.gzmd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.