It would be nice if the registry hives in packaged apps were supported by this tool as well.
Doing research with @ogmini, it is clear that these registry hives have forensic value, particularly as Windows 11 gets more adopted.
It seems like Microsoft is migrating key applications to this package format, so over time NTUser.dat and Usrclass.dat will have less and less visibility during general use (Paint and Notepad have already been migrated, as two examples).
Microsoft uses registry redirection technology for this, and a summary of each hive is below:
Example folder path: C:\Users\User\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\SystemAppData\Helium

- User.dat (not to be confused with the User.dat of older versions of Windows) - equates to HKCU\Software
- UserClasses.dat - equates to UsrClass.dat
- Registry.dat - equates to HKLM\Software
These are not usually mapped in the registry as they are per packaged app.
There are two ideas I have for mapping: either map them over the top of the NTUser.dat and Usrclass.dat paths, or separately map them per user and per application. Doing my research with RECmd, the same rules for NTUser.dat can be used, as Microsoft uses the same keys and paths for both NTUser.dat and User.dat.
Examples of some of the rules that mapped to both are here: EricZimmerman/RECmd#99 and EricZimmerman/RECmd#100.
Additionally, it would be a good bonus to implement support for settings.dat. Example path: C:\Users\User\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\Settings\settings.dat. Lots of useful values are stored within there; however, it will require you to add parsing support for the values in https://github.com/Velocidex/regparser. I implemented this into RECmd here: EricZimmerman/Registry#34, and @ogmini implemented support in Registry Explorer here: EricZimmerman/RegistryPlugins#68. The interesting thing about settings.dat is that, unlike other registry hives, each value has its own timestamp (I did not implement this in RECmd due to lack of time). Allowing the ability to mass search over these in Velociraptor, and even navigating them in the VFS, could help out on cases, especially going into the future.