Friday, April 1, 2016

Forensic Friday: Get-ForensicRunKey

[This article is a continuation of my Forensic Friday series.  Every Friday I will provide a short post on a forensic topic of interest or PowerForensics functionality (such as cmdlet descriptions, use cases, and details about lesser known features). Subscribe to Invoke-IR so you don’t miss a Forensic Friday!]

Vote for PowerForensics for the Forensic 4:cast Awards' Open Source Digital Forensic Software of the Year!

Now back to your regularly scheduled programming! Yesterday, Vijay (@vakasapu on Twitter) asked if we are taking feature requests (specifically regarding autoruns like features) for PowerForensics.
Let me start by saying that we are very interested in community involvement! If you have ideas to make PowerForensics better, please let me know via email ( or github. While PowerForensics does not currently support the extensive list of Auto Start Extensibility Points (ASEP), we do currently support a few of the more common auto start locations. This week I want to introduce Get-ForensicRunKey which parses the registry for entries in the numerous system and user based "run" keys. This cmdlet is built on top of PowerForensics' MFT and Registry Parser, so all of this data is gathered from a live system without relying on the Window's API.
Common Use
By default, this cmdlet parses the system SOFTWARE hive and all NTUSER.DAT hives on the system’s C: volume, but can be pointed at any logical volume. Individual hives (including exported hives) can be parsed using the -HivePath parameter in order to perform offline analysis. I’ve listed a few examples below.

Parse system and user hives for Run Key Persistence:
Get-ForensicRunKey -VolumeName C: | Format-List

Parse the system SOFTWARE hive for Run Key persistence:
Get-ForensicRunKey -HivePath ‘C:\Windows\System32\config\SOFTWARE’ | Format-List


  1. I’m a new pertaining to almost all of the articles or blog posts, My spouse and i definitely savored, I'd personally genuinely like additional files with regards to this specific, since it can be okay., Congratulations for the purpose of putting up. Graphics Designing

  2. ์นด์ง€๋…ธ Great article and excellent layout. Your blog post deserves all of the positive feedback it’s been getting.

  3. Nice information, valuable and excellent design, as share good stuff with good ideas and concepts.

    Review my page please: ์˜จ๋ผ์ธ์นด์ง€๋…ธ

  4. You completed certain reliable points there. I did a search on the subject and found nearly all persons will agree with your blog.
    ์Šคํฌ์ธ ํ† ํ† 

  5. You there, this is really good post here. Thanks for taking the time to post such valuable information. Quality content is what always gets the visitors coming. A very awesome blog post.

  6. The Get-ForensicRunKey cmdlet parses the SOFTWARE and NTUSER.DAT hives to produce a list of applications that have been added to a "Run" key.

  7. Nice to be visiting your blog again, it has been months for me. Well this article that i've been waited for so long. I need this article to complete my assignment in the college, and it has same topic with your article. Thanks, great share.Regularly scheduled programming

  8. This comment has been removed by the author.

  9. Usually I don't comments on any post but I've to comment on this post due to valuable content you shared.
    For best skilled realtors in Wilmington DE you may contact to best company.


- Invoke-IR - By Jared Atkinson -