Yet Another Registry Utility (yaru)
yaru is a platform independent Windows registry viewer. Inspired by the desire to look into the Windows registry metadata, so as to better forensically analyze the registry hives, yaru was designed with a portable and extensible architecture in mind so that it could be compiled to run on various operating systems. The registry parsing engine is written in standard C/C++ and has no dependencies on the Windows registry API functions.
The Windows version of yaru has the ability to take a snapshot of any of the active hives and examine the internal structure of the hive. Since the Windows operating system locks down the active hives from other processes reading them, yaru can resort to raw NTFS disk reads to read any of the desired hives. Consequently, this requires the user to run this tool with administrative privileges. While this approach adds complexity to yaru, it ensures that all metadata is available for analysis, as well as ensures there is no corruption or changes to the active hive during analysis.
Some other rudimentary functionality includes:
- Show allocated (but unused) key value data space.
- Show unallocated hive space.
- Able to traverse the hive slack space and enumerate deleted keys.
- Report generation capability.
- Optional logging capability that records the user selections along with data values into a separate XML file for later review.
- Ability to export any key in the hive under evaluation to a registration (.reg) file to be used for analysis.
- Ability to process any hive using user defined templates.
- Simple search capability: (a) key names, (b) value names, (c) date ranges, and (e) strings
- The ability to verify that all allocated chunks have valid links to the registry.
When a hive is loaded into yaru, the hive is broken up into 4 main segments: (a) the normal hive data that is viewable by the normal registry editors, (b) the unallocated space within the hive, (c) any allocated space that should have a parent key but does not, and (d) any deleted keys and their associated values that have not been overwritten.
When traversing any of the keys or associated values, all the metadata is shown without regard to the permissions of the user running yaru. However, depending on the license you have, some of the information may not be shown.
For the reconstruction of deleted keys/values, yaru does its best putting the deleted entries into the proper context of where they were in the overall hive hierarchy. Sometimes this is not possible, when one of the nodes in the heirarchy have been overwritten during space reuse. yaru clearly shows when it cannot complete the entire path to the parent root key by grouping these entries in the folder "unk_path" as shown below.
One can export any of the deleted keys along with their associated parents that have not been deleted but right clicking on the folder and selecting one the "Export Keys" options.
The exported keys and values are rendered in the Windows Registry Editor Version 5.00 format. If a deleted key has a parent key in the hierarchy that is not deleted, then they are shown as well. Below is a snipet from an deleted key and what the output looks like.
One of the more useful capabilities yaru has is the ability to generate reports. These reports can target the live system hive or the hive that was explicitly loaded into yaru.
|32-bit Version||64-bit Version|
|Mac OS X:||Not Available||yaru.v.1.41.osx.tar.gz||md5/sha1|
|*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.|