Windows Registry Analyzer v1.5.1



pcuser

Posted 26 November 2006 - 10:31 PM

Here's a plugin that I made for Windows Registry Analyzer v1.5.1, which was the last free version released by MiTec before it went under control of Paraben Forensics.

Here's a quote from the license which can be found in the help file (wra.chm)

Quote

* limitations on installation and use of the software:

you may lend or copy and distribute the software free of charge to other people provided always that the terms and conditions of this agreement accompany to each copy so lent or distributed.

you must not charge a fee, exchange goods or services, barter or otherwise profit in a commercial way from the lending, leasing, selling or distribution of the software.

you may not modify, translate, reverse engineer, decompile, disassemble any part of the software or create derivative works based on the software.


The entire plugin is less than half a MB.

The key feature of this utility is that you can boot UBCD4Win and mount a win9x/me registry (system.dat and user.dat). Yes, it's read-only but it's the only freeware utility that I know of or have ever heard of that can even do this and being able to browse the registry "offline" to see what's getting loaded on startup is enough to let you know what file to delete then you can remove the reg entry when you boot back into windows.

This could be very useful for spotting rootkits that would normally be cloaked (even in safe mode) and hide their startup tracks.

Jotnar

Posted 30 November 2006 - 02:32 PM

I have v1.5.2 if you want it. Only changes were some bug fixes if I remember correctly. I think the follow-on to that program, Windows Registry Recovery (currently at v1.2.0), can also load 98/ME hives. There are some other nice programs on his site too. One is Outlook Express Viewer, a utility to read Outlook Express emails, and the other, Windows File Analyser, can decode thumbs.db, index.dat, Prefetch etc... files.

Cheers

DaveK

Posted 04 March 2007 - 12:32 AM

Jotnar, on Nov 30 2006, 02:32 PM, said:

I have v1.5.2 if you want it.


Could you please post it or send it to the email address I sent you?

Thanks,
DK

Jotnar

Posted 04 March 2007 - 02:15 PM

Whoops...sorry about that. Read your message but then I forgot.

WRA 1.5.2 can be downloaded here:

http://mysite.verizo...c/files/WRA.zip

I think Windows Registry Recovery does everything this did though.

Cheers


Edit... 500 posts! Sweet!

pcuser

Posted 04 March 2007 - 02:22 PM

Quote

500 posts! Sweet!


500 good posts too ;)

Jotnar

Posted 08 July 2009 - 06:34 PM

A little thread archaeology in action...

I finally tracked down the PDF that goes with this program if anyone is interested.

You can download it here: http://mysite.verizo...RA_Guidance.pdf


Cheers


Steel/other mods,
Is there a way to make the forum not cut out the middle of the links when it displays them? I know the links work ok but recently I've noticed more forums starting to do it. It's not a big deal but it somewhat curtails my ability on Google to do thread archaeology for sites/posts that no longer exist since the only reference to the link is that reduced URL as text. :)

chuckr_jcr

Posted 08 July 2009 - 10:31 PM

Jotnar, on 08 July 2009 - 05:34 PM, said:

A little thread archaeology in action...

I finally tracked down the PDF that goes with this program if anyone is interested.

You can download it here: http://mysite.verizo...RA_Guidance.pdf


Cheers


Steel/other mods,
Is there a way to make the forum not cut out the middle of the links when it displays them? I know the links work ok but recently I've noticed more forums starting to do it. It's not a big deal but it somewhat curtails my ability on Google to do thread archaeology for sites/posts that no longer exist since the only reference to the link is that reduced URL as text. :)

If you're desperate for a quick solution, just click on the "Reply" button,
as if you were going to reply to the posting.

At the top of the reply window, the message is -quoted-, with the FULL url. Like this:
(Had to open-up some punctuation points, for clarification:)
--------------------------------------------------------------------------------

[ quote name='Jotnar' date='08 July 2009 - 05:34 PM' timestamp='1247096040' post='74726' ]
A little thread archaeology in action...
I finally tracked down the PDF that goes with this program if anyone is interested.

You can download it here: [ url ="http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf"] http :// mysite.verizon.net/hartsec/files/WRA_Guidance.pdf [ / url]
--------------------------------------------------------------------------------

No telling when Steel might get a round "tuit"... ;)

bengt

Posted 09 July 2009 - 04:42 AM

don't understand why you would like to have the url visible in the link as text? it can be miles long...

right click on the link and use "save link as" or "copy shortcut" or something like that to get the complete url

Jotnar

Posted 09 July 2009 - 04:31 PM

Most of the time when a web site/forum is unavailable the only thing I have to work with is the Google cache, which only does text archiving. So if I was looking for a link to that PDF all I would see would be "http://mysite.verizo...RA_Guidance.pdf" not "http://mysite.verizon.net/hartsec/WRA_Guidance.pdf". As you can imagine the former would be of no help to me since I can't actually see the link, just the descriptor, and the descriptor is not complete. That's all I was saying. :)

I encountered it many times on various forums while trying to find that particular PDF over the years. Many of those forums are gone but I could still see the posts through Google's cache, but many of the links I found were shortened, so while the PDF might still have been at that link I couldn't get to it.

chuckr_jcr

Posted 10 July 2009 - 04:26 AM

Jotnar, on 09 July 2009 - 03:31 PM, said:

the only thing I have to work with is the google cache which only does text archiving.

I could still see the posts through Google's cache but ... I couldn't get to it.

That's all I was saying. :)

But you didn't say...

Your 'problem' seems to be with the 'Google cache', not with any specific board or forum...

So, Steel is exonerated!!! :D

Jotnar

Posted 10 July 2009 - 06:58 AM

Well...the problem is the forums truncating the link...so....

rdsok

Posted 10 July 2009 - 09:28 AM

The forum links are not going to change... one, there isn't a setting to control the links as asked about, and more importantly, way too many of the URLs would be too long to begin with, just as bengt mentioned, so the request isn't a good one for that reason. So subject closed.