Registry Recon

windows registry parser forensic

Registry forensics has long been relegated to analyzing only readily accessible Windows Registries, often one at a time, in a needlessly time-consuming and archaic way.

Registry Recon is not just another Registry parser. We have developed powerful new methods to parse Registry data, rather than relying on Microsoft APIs, so that Registries which have existed on a Windows system over time can be resurrected. Registry Recon provides access to an enormous volume of Registry data which has been effectively deleted, whether that deletion occurred due to benign system activity, malfeasance by a user, or even re-imaging by IT personnel. Your timelines can now include Registry data that was active, backed up in restore points or volume shadow copies, or carved from unallocated space. While Registry Recon displays unique Registry data by default, seamless access to all instances of particular Registry keys and values is available (with full paths and sector offsets) so your findings can be efficiently authenticated.


  • Intuitive and efficient workflow
  • Resurrection of Windows Registries long since forgotten
  • Access to enormous amounts of deleted Registry data
  • Unique keys and values shown by default in historical fashion
  • Seamless access to all instances of keys and values
  • Windows restore point and volume shadow copy support
  • Ability to view keys (and their values) at particular points in time


REGISTRYRECON requires Microsoft Windows 7 or later, .NET 4, and the Visual C++ 2010 Redistributable Package (x86/x64).


What is the Microsoft Windows Registry?

The Registry is a complex ecosystem, in database form, containing information related to hardware, software, and users on computer systems running Microsoft Windows. At a very basic level, the Registry is composed of “keys” and “values” which are similar in some ways to folders and files. Analysis of this information reveals the names of recently accessed files, when applications were last run, who attached removable storage devices, and much more. The Registry is continually referenced during Windows operation so large volumes of Registry data can always be found both on disk and in live memory.

How do you resurrect long forgotten Registries?

We have spent countless hours developing patent pending technologies which allow us to find as much Registry data as possible on a computer system and then rebuild Registries which have existed over time from that data.

What are Recon Registries and Recon View?

Recon Registries are all the Registries rebuilt by Registry Recon. Recon View is our method of showing you all the values within them in a unique and historical fashion, with seamless access to all instances of those values if you so desire.

How do Recon Registries get their names?

If a full set of hives (particularly System and Software) are available for any particular Registry, its Recon Registries name will include the system name, Windows version, and install date. If a System hive is available, but a Software hive is not, the name will include the system name and Machine Security ID (“MSID”). If a Software hive is available, but a System hive is not, the name will include the Windows version and install date. If both System and Software hives are missing, the name will simply include an MSID.

Can Registry Recon resurrect Registries if they have been overwritten?

It’s important to keep in mind that in the context of computer forensics, “deleted” and “overwritten” are two very different things. Registry Recon is often very successful rebuilding Registries which have been deleted and only exist in unallocated (deleted) space. Registry Recon cannot however rebuild Registries if they have been overwritten – for example, if a data scrubbing tool has been used to overwrite unallocated space.

What kinds of evidence can be added to Registry Recon?

Registry Recon supports adding forensic images in EnCase (E01) and raw (dd) formats, VHD disk images, physically mounted slave drives, and the contents of directories as evidence.