Closed
34 changes: 17 additions & 17 deletions BatchExamples/DFIRBatch.reb
Expand Up @@ -1576,7 +1576,7 @@ Keys:
Comment: "Mount Points - NTUSER"
-
Description: MountPoints2
HiveType: User
HiveType: NTUSER
Category: Devices
KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Recursive: true
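Review bot: the `HiveType: User` to `HiveType: NTUSER` swap on the MountPoints2 entry is the same one-line substitution made in every hunk of this file, and the visible diff gives no reason for it. Say in the PR description what `User` did wrong (rejected by the parser, or the entry skipped at run time), and confirm with a search of BatchExamples/DFIRBatch.reb that no `HiveType: User` line remains, since the diff only shows that these 17 entries were changed.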
Expand Down Expand Up @@ -1648,7 +1648,7 @@ Keys:
Comment: "Displays the UNC path for a mounted network share"
-
Description: Network Shares
HiveType: User
HiveType: NTUSER
Category: Network Shares
KeyPath: Network
ValueName: RemotePath
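Review bot: on the RemotePath entry, `KeyPath: Network` is paired with `ValueName: RemotePath`, but the `Recursive` setting falls outside the visible context. Each mapped drive is a drive-letter subkey of `Network` in the user hive, so the value sits one level below the KeyPath; now that the hive type is being corrected and the entry will be evaluated against NTUSER.DAT, confirm that the entry is recursive (or uses a wildcard subkey) and returns rows on a test hive with a mapped drive.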
Expand All @@ -1664,7 +1664,7 @@ Keys:
Comment: "Displays the user account associated with the mounted network share"
-
Description: Network Shares
HiveType: User
HiveType: NTUSER
Category: Network Shares
KeyPath: Network
ValueName: UserName
Expand All @@ -1680,7 +1680,7 @@ Keys:
Comment: "Displays the provider of the mounted network share"
-
Description: Network Shares
HiveType: User
HiveType: NTUSER
Category: Network Shares
KeyPath: Network
ValueName: ProviderName
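Review bot: this is the third consecutive entry with `Description: Network Shares` and `KeyPath: Network`, differing from the previous two only in `ValueName` (RemotePath, UserName, ProviderName). While these entries are being touched, give each a distinct Description such as "Network Shares - ProviderName", so that rows in the batch output can be told apart without reading the value name column.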
Expand All @@ -1698,7 +1698,7 @@ Keys:
Comment: "Displays drives that were mapped by the user"
-
Description: Network Drive MRU
HiveType: User
HiveType: NTUSER
Category: Network Shares
KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Recursive: false
Expand Down Expand Up @@ -1878,7 +1878,7 @@ Keys:
Comment: "Recently ran applications, lower MRU # (Value Data3) = more recent"
-
Description: CIDSizeMRU
HiveType: User
HiveType: NTUSER
Category: Program Execution
KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
Recursive: false
Expand Down Expand Up @@ -1934,7 +1934,7 @@ Keys:
Comment: "GUI-based programs launched from the desktop"
-
Description: UserAssist
HiveType: User
HiveType: NTUSER
Category: Program Execution
KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count
Recursive: false
Expand Down Expand Up @@ -2034,7 +2034,7 @@ Keys:
Comment: "Displays paths that were typed by the user in Windows Explorer"
-
Description: TypedPaths
HiveType: User
HiveType: NTUSER
Category: User Activity
KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
Recursive: false
Expand Down Expand Up @@ -2102,7 +2102,7 @@ Keys:
Comment: "User Searches"
-
Description: WordWheelQuery
HiveType: User
HiveType: NTUSER
Category: User Activity
KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Recursive: true
Expand Down Expand Up @@ -2133,7 +2133,7 @@ Keys:
Comment: "Tracks files that have been opened or saved within a Windows shell dialog box"
-
Description: OpenSavePidlMRU
HiveType: User
HiveType: NTUSER
Category: User Activity
KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Recursive: false
Expand Down Expand Up @@ -2161,7 +2161,7 @@ Keys:
Comment: "Tracks the specific executable used by an application to open the files documented in OpenSavePidlMRU"
-
Description: LastVisitedPidlMRU
HiveType: User
HiveType: NTUSER
Category: User Activity
KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Recursive: false
Expand Down Expand Up @@ -2198,7 +2198,7 @@ Keys:
Comment: "Files recently opened from Windows Explorer"
-
Description: RecentDocs
HiveType: User
HiveType: NTUSER
Category: User Activity
KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Recursive: true
Expand Down Expand Up @@ -2230,7 +2230,7 @@ Keys:

-
Description: Recent File List
HiveType: User
HiveType: NTUSER
Category: User Activity
KeyPath: Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
Recursive: false
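Review bot: `Description: Recent File List` on this Paint entry is identical to the Description of the Wordpad entry in the next hunk, so the two are distinguishable in output only by KeyPath. Suggest naming the application in each Description, for example "Paint Recent File List" and "WordPad Recent File List". Also note that the context line before this entry is blank where every other hunk shows the preceding entry's Comment; check that the preceding entry is not missing its Comment line.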
Expand All @@ -2248,7 +2248,7 @@ Keys:
Comment: "Displays recent files accessed by the user with MS WordPad"
-
Description: Recent File List
HiveType: User
HiveType: NTUSER
Category: User Activity
KeyPath: Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
Recursive: false
Expand Down Expand Up @@ -3105,7 +3105,7 @@ Keys:
Comment: "WinSCP"
-
Description: WinSCP
HiveType: User
HiveType: NTUSER
Category: Third Party Applications
KeyPath: Software\Martin Prikryl
Recursive: true
Expand Down Expand Up @@ -3961,7 +3961,7 @@ Keys:
Comment: "Tracks programs associated with file extensions"
-
Description: File Extensions
HiveType: User
HiveType: NTUSER
Category: Installed Software
KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Recursive: false
Expand All @@ -3980,7 +3980,7 @@ Keys:
Comment: "Tracks programs associated with file extensions - Linked to Open With Dialog"
-
Description: ApplicationAssociationToasts
HiveType: User
HiveType: NTUSER
Category: Installed Software
KeyPath: Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts
Recursive: false