Registry forensics has long been relegated to analyzing only readily accessible Windows Registries, often one at a time, in a needlessly time-consuming and archaic way. Registry Recon is not just another Registry parser. Arsenal developed powerful new methods to parse Registry data so that Registries which have existed on a Windows system over time can be rebuilt, providing unique insight into how Registry data has changed over time. Registry Recon provides access to an enormous volume of Registry data which has been effectively deleted, whether that deletion occurred due to benign system activity, malfeasance by a user, or even re-imaging by IT personnel.

More information can be found in Arsenal Recon’s FAQ.


  • Browse rebuilt and resurrected Registries
  • Use Key History to view a key’s values at a particular time
  • View values in a unique and historical fashion
  • Seamless access to all instances of a particular value, both n term of time and source



One-Click Harvesting

Efficient collection of active, backed-up, and even deleted Windows Registry hives from forensic images


Registry Reconstruction

Automatic rebuilding of not only the active Registry, but Registries from previous Windows installations


Recon View

Harness the power of huge volumes of Registry information to see how Registries changed over time




  • REGISTRY RECON requires Microsoft Windows 7 or later, .NET 4, and the Visual C++ 2010 Redistributable Package (x86/x64).



  • Intuitive and efficient workflow
  • Resurrection of Windows Registries long since forgotten
  • Access to enormous amounts of deleted Registry data
  • Unique keys and values shown by default in historical fashion
  • Seamless access to all instances of keys and values
  • Windows restore point and volume shadow copy support
  • Ability to view keys (and their values) at particular points in time


What’s new

  • Fixed “All Locations” string highlighting in Search
  • Fixed a particular kind of SQLite crash
  • Updated integration with Arsenal Image Mounter
  • Fixed automatically decoded UserAssist date/time sorting
  • Added search filter for Registry key (LastWriteTime) date/times
  • Added search filter for Value Data size (Value Data search only)
  • Search now takes ROT13 decoded data into account
  • Better handling of hives containing multiple root keys
  • Multiple performance improvements