reg4n6 reads a Windows Registry hive the way a forensic examiner needs it — REGF metadata, the full key tree, deleted-cell carving, hive-to-hive diffs, and provenance-aware hive discovery across a mounted image — from one panic-free static binary. Point it at a SYSTEM, SOFTWARE, NTUSER.DAT, or Amcache.hve, or at a whole extracted filesystem, and it finds every copy of every hive (live, RegBack, Volume Shadow Copy, transaction logs) and tells you what changed.
```shell
$ cargo install winreg-cli   # crate: winreg-cli, binary: reg4n6
```

Read a hive's header: type, format version, last-write time, and checksum integrity:

```shell
$ reg4n6 info /evidence/Windows/System32/config/SYSTEM
```

Find every hive in a mounted image, with where each copy came from:

```shell
$ reg4n6 discover /mnt/evidence --format table
```

Diff two snapshots of the same hive to see exactly which keys and values changed:

```shell
$ reg4n6 diff before/NTUSER.DAT after/NTUSER.DAT --changes-only
```

winreg-forensic is the SecurityRonin fleet's registry layer: a from-scratch REGF reader plus analyzer crates that turn raw hive bytes into forensic meaning. The end-user CLI is reg4n6 (crate winreg-cli); the library crates publish independently.
| Crate | Role |
|---|---|
| winreg-format | REGF binary-format definitions — pure types, zero I/O. |
| winreg-core | Core REGF hive parser — `Hive` reads via memory-mapped or in-memory I/O. |
| winreg-artifacts | Forensic artifact decoders (Amcache, COM hijacking, LSA dump, WSL/LXSS, ShellBags, services, and more). |
| winreg-discover | Provenance-aware hive discovery (live, RegBack, VSC, transaction logs). |
| winreg-diff | Hive diff engine — two `Hive` states → a structured `DiffResult`. |
| winreg-carve | Carves deleted keys and values from unallocated cells and slack. |
| winreg-recover | Deleted key/value recovery. |
| winreg-timeline | Timeline generation from registry artifacts. |
| winreg-fuse | FUSE virtual-filesystem mount for hives. |
- Panic-free — hives are untrusted, attacker-controllable input; lengths, offsets, and counts are range-checked before use, and reads go through bounds-checked helpers (Paranoid Gatekeeper standard). `#![forbid(unsafe_code)]` across the workspace.
- Provenance-aware — every located hive carries where it came from (live, RegBack, Volume Shadow Copy, transaction logs), so you never silently diff the wrong copy.
- Knowledge-driven — the registry-artifact catalog (which keys, what they mean) is data-driven via forensicnomicon, not hardcoded special cases.
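What the "panic-free" bullet above and the `reg4n6 info` command amount to in practice, as an added example written for this page rather than code from winreg-core or any other winreg-* crate: a REGF base-block reader in which every field offset goes through a bounds-checked helper that returns `None` instead of panicking, the XOR-32 checksum is recomputed and compared, and a primary/secondary sequence-number mismatch (a hive whose last write did not complete, so its transaction logs are pending) is surfaced to the caller. The names `BaseBlock`, `parse_base_block`, `compute_checksum` and `sample_base_block` are this example's own; the 4096-byte sample header is constructed inline and is not a real hive.

```rust
// Added example for this page: a panic-free REGF base-block parser in the style
// the bullets above describe. Illustrative code, not the winreg-core API; the
// names are this example's own. Offsets follow the documented REGF base block.

const BASE_BLOCK_LEN: usize = 4096; // the base block is the first 4 KiB of a hive
const CHECKSUM_OFFSET: usize = 508; // XOR-32 of the 508 bytes that precede it
const FILETIME_TO_UNIX_SECS: i64 = 11_644_473_600; // 1601-01-01 to 1970-01-01

#[derive(Debug, PartialEq, Eq)]
pub enum ParseError {
    Truncated { needed: usize, have: usize },
    BadSignature([u8; 4]),
    BadChecksum { stored: u32, computed: u32 },
}

#[derive(Debug, PartialEq, Eq)]
pub struct BaseBlock {
    pub primary_seq: u32,
    pub secondary_seq: u32,
    pub last_written: u64, // FILETIME: 100 ns ticks since 1601-01-01
    pub major: u32,
    pub minor: u32,
    pub file_type: u32, // 0 = primary hive file
    pub root_cell: u32, // relative to the first hbin at file offset 0x1000
    pub hbins_size: u32,
}

impl BaseBlock {
    /// Mismatched sequence numbers: the last write never completed, so the
    /// transaction logs must be replayed before the key tree can be trusted.
    pub fn is_dirty(&self) -> bool {
        self.primary_seq != self.secondary_seq
    }

    pub fn last_written_unix(&self) -> i64 {
        (self.last_written / 10_000_000) as i64 - FILETIME_TO_UNIX_SECS
    }
}

/// Bounds-checked little-endian read: None instead of a panic when an
/// offset (attacker-controlled in a hostile hive) falls outside the buffer.
fn read_u32_le(buf: &[u8], off: usize) -> Option<u32> {
    let b = buf.get(off..off.checked_add(4)?)?;
    Some(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

/// XOR-32 over the first 508 bytes, with the format's two special cases.
pub fn compute_checksum(buf: &[u8]) -> Option<u32> {
    let x = buf
        .get(..CHECKSUM_OFFSET)?
        .chunks_exact(4)
        .fold(0u32, |acc, c| acc ^ u32::from_le_bytes([c[0], c[1], c[2], c[3]]));
    Some(match x { 0 => 1, 0xFFFF_FFFF => 0xFFFF_FFFE, v => v })
}

pub fn parse_base_block(buf: &[u8]) -> Result<BaseBlock, ParseError> {
    let have = buf.len();
    if have < BASE_BLOCK_LEN {
        return Err(ParseError::Truncated { needed: BASE_BLOCK_LEN, have });
    }
    let sig = [buf[0], buf[1], buf[2], buf[3]]; // in range: length checked above
    if &sig != b"regf" {
        return Err(ParseError::BadSignature(sig));
    }
    let trunc = || ParseError::Truncated { needed: BASE_BLOCK_LEN, have };
    let u32_at = |off: usize| read_u32_le(buf, off).ok_or_else(trunc);
    let computed = compute_checksum(buf).ok_or_else(trunc)?;
    let stored = u32_at(CHECKSUM_OFFSET)?;
    if stored != computed {
        return Err(ParseError::BadChecksum { stored, computed });
    }
    Ok(BaseBlock {
        primary_seq: u32_at(4)?,
        secondary_seq: u32_at(8)?,
        last_written: (u32_at(12)? as u64) | ((u32_at(16)? as u64) << 32),
        major: u32_at(20)?,
        minor: u32_at(24)?,
        file_type: u32_at(28)?,
        root_cell: u32_at(36)?,
        hbins_size: u32_at(40)?,
    })
}

/// Constructed fixture (not a real hive) with a valid checksum so the example
/// runs offline; `secondary` lets a caller fabricate a dirty hive.
pub fn sample_base_block(primary: u32, secondary: u32) -> Vec<u8> {
    let mut buf = vec![0u8; BASE_BLOCK_LEN];
    buf[..4].copy_from_slice(b"regf");
    // FILETIME for Unix 1_700_000_000 (2023-11-14T22:13:20Z)
    buf[12..20].copy_from_slice(&133_444_736_000_000_000u64.to_le_bytes());
    let fields: [(usize, u32); 8] = [(4, primary), (8, secondary), (20, 1), (24, 5), (28, 0), (32, 1), (36, 0x20), (40, 0x1000)];
    for &(off, v) in &fields {
        buf[off..off + 4].copy_from_slice(&v.to_le_bytes());
    }
    let sum = compute_checksum(&buf).unwrap_or(0); // fixture code: 4096 bytes, so always Some
    buf[CHECKSUM_OFFSET..CHECKSUM_OFFSET + 4].copy_from_slice(&sum.to_le_bytes());
    buf
}
```

The design point is that the one up-front length check does not replace per-field checks: every later read still goes through `read_u32_le`, so a future field added at a larger offset, or a caller that passes a shorter slice, degrades to `Err(Truncated)` rather than an index panic. A dirty hive parses successfully but reports `is_dirty()`; a real tool would then locate and replay the `.LOG1`/`.LOG2` transaction logs that the discover step records alongside the primary file.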
© 2026 Security Ronin Ltd