Registry Recon



Harness huge volumes of Registry information to see how Registries changed over time

Registry forensics has long been relegated to analyzing only readily accessible Windows® Registries, often one at a time, in a needlessly time-consuming and archaic way. Registry Recon is not just another Registry parser. Arsenal developed powerful new methods to parse Registry data so that Registries which have existed on a Windows system over time can be rebuilt, providing unique insight into how Registry data has changed over time. Registry Recon provides access to an enormous volume of Registry data which has been effectively deleted, whether that deletion occurred due to benign system activity, malfeasance by a user, or even re-imaging by IT personnel.


Registry Recon Features


Unlock the potential of huge volumes of Windows Registry data and see how Registries changed over time.




  • Application usage
  • Recently accessed files
  • Removable storage activity
  • Network connections
  • Malware remnants
  • Usernames and Passwords



  • Efficient harvesting of Registry data from entire disk images
  • Resurrection of Registries long since forgotten
  • Access to enormous amounts of deleted Registry data
  • Unique keys and values shown by default in historical fashion
  • Seamless access to all instances of keys and values
  • Windows restore point and Volume Shadow Copy support
  • Ability to view keys (and their values) at particular points in time
  • Automatic decoding of particularly interesting Registry keys