Author: js2010
Subject: Procmon export registry to .reg?
Posted: 11 April 2014 at 8:32pm
Wow, I was just thinking about this myself. Here is my attempt to at least parse out the registry entries from the xml logfile:
# Load the Procmon XML export (File > Save, XML format) as an XML document
$A = [xml] (Get-Content "logfile.xml")
$A.procmon.eventlist.event | ForEach-Object {
    # Only registry writes are interesting for a .reg export
    if ($_.Operation -eq "RegSetValue") {
        # Path is "<key>\<value name>"; take the last segment as the value name
        $key = Split-Path $_.Path -Parent
        $value = Split-Path $_.Path -Leaf
        Write-Host key $key
        Write-Host value $value
        # Detail looks like "Type: REG_SZ, Length: 12, Data: ..."; split at most
        # three ways so commas inside the data survive
        $type, $length, $data = $_.Detail -split ", ", 3
        $type = $type -replace "^Type: ", ""
        $length = $length -replace "^Length: ", ""
        $data = $data -replace "^Data: ", ""
        Write-Host type $type
        Write-Host length $length
        Write-Host data $data
    }
}
Although I wish the xml looked more like this:
<procmon>
  <eventlist>
    <event>
      <Path parent="HKCU\Software\Microsoft\Installer\Products\EF4A121EB900B583BBD09B432E8A2888\SourceList\" leaf="LastUsedSource"/>
      <detail Type="REG_EXPAND_SZ" Length="186" Data="n;1;C:\Users\user\AppData\Local\Google\Update\Install\{94252C03-8CCF-40FF-A45E-770AF972E4CC}\"/>
    </event>
  </eventlist>
</procmon>
Then I can simply say:
write-host key $_.path.parent
write-host value $_.path.leaf
write-host type $_.detail.type
write-host length $_.detail.length
write-host data $_.detail.data
Parsing the Path for a registry entry can be tricky (impossible?) if a drive letter is in the value name. Example:
<Path>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Config.Msi\</Path>
(Split-path doesn't handle drive letters well either.)
EDIT:
Whoa, those PowerShell scripts Aaron Margosis demoed on Channel 9 around 24 min look really cool (GetModListFromProcmon.ps1, GetModObjectsFromProcmon.ps1). I hope he posts them on his blog soon.
Edited by js2010 - 8 hours 34 minutes ago at 9:26pm
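As an added example that is not part of the original post, here is one way to get from the parsed RegSetValue events to the .reg file the thread title asks about: it splits the Path without Split-Path (using a heuristic for value names that contain a drive letter, the Config.Msi case above), maps the Detail types to .reg syntax, and groups values under their keys. The sample XML is constructed, and the hive abbreviations, supported types and the drive-letter heuristic are my assumptions.

```powershell
# Added example (not from the original post): .reg output from Procmon XML. Sample XML is constructed.
$sampleXml = @'
<procmon><eventlist>
<event><Operation>RegSetValue</Operation><Path>HKCU\Software\Contoso\Run\C:\Tools\agent.exe</Path>
<Detail>Type: REG_DWORD, Length: 4, Data: 1</Detail></event>
<event><Operation>RegSetValue</Operation><Path>HKLM\SOFTWARE\Contoso\InstallDir</Path>
<Detail>Type: REG_EXPAND_SZ, Length: 34, Data: %ProgramFiles%\Contoso</Detail></event>
</eventlist></procmon>
'@
$hives = @{ HKCU = 'HKEY_CURRENT_USER'; HKLM = 'HKEY_LOCAL_MACHINE'; HKU = 'HKEY_USERS'; HKCR = 'HKEY_CLASSES_ROOT' }
function Split-RegPath([string]$Path) {
    # Split-Path mangles a value name that is itself a file path ("...\Folders\C:\Config.Msi\").
    # Heuristic (assumption): cut before the first "X:\" segment if present, else at the last backslash.
    $m = [regex]::Match($Path, '\\(?=[A-Za-z]:\\)')
    $i = if ($m.Success) { $m.Index } else { $Path.LastIndexOf('\') }
    [pscustomobject]@{ Key = $Path.Substring(0, $i); Value = $Path.Substring($i + 1) }
}
function ConvertTo-RegValueLine([string]$Name, [string]$Detail) {
    if (-not ($Detail -match '^Type: (?<t>\w+), Length: \d+, Data: (?<d>.*)$')) { return $null }
    $t, $d = $Matches.t, $Matches.d
    $esc = { param($s) ($s -replace '\\', '\\') -replace '"', '\"' }   # .reg string escaping
    $lhs = if ($Name -eq '(Default)') { '@' } else { '"{0}"' -f (& $esc $Name) }
    switch ($t) {
        'REG_SZ'        { '{0}="{1}"' -f $lhs, (& $esc $d) }
        'REG_DWORD'     { '{0}=dword:{1:x8}' -f $lhs, [uint32]$d }   # Procmon shows DWORDs in decimal
        'REG_EXPAND_SZ' { # hex(2): UTF-16LE bytes of the string including the terminating NUL
            $b = [Text.Encoding]::Unicode.GetBytes($d + "`0") | ForEach-Object { $_.ToString('x2') }
            '{0}=hex(2):{1}' -f $lhs, ($b -join ',') }
        default         { "; $lhs has unsupported type $t" }   # REG_BINARY/MULTI_SZ left as a comment
    }
}
function ConvertTo-RegFile([xml]$Procmon) {
    $byKey = [ordered]@{}
    foreach ($e in $Procmon.procmon.eventlist.event) {
        if ($e.Operation -ne 'RegSetValue') { continue }
        $p = Split-RegPath $e.Path
        $hive, $rest = $p.Key -split '\\', 2
        if (-not $hives.ContainsKey($hive)) { continue }        # skip unknown roots
        $full = '{0}\{1}' -f $hives[$hive], $rest
        if (-not $byKey.Contains($full)) { $byKey[$full] = @() }
        $line = ConvertTo-RegValueLine $p.Value $e.Detail
        if ($line) { $byKey[$full] += $line }
    }
    $out = @('Windows Registry Editor Version 5.00', '')
    foreach ($k in $byKey.Keys) { $out += "[$k]"; $out += $byKey[$k]; $out += '' }
    $out -join "`r`n"
}
ConvertTo-RegFile ([xml]$sampleXml) | Set-Content -Encoding Unicode observed-writes.reg
```

The resulting file is meant for review and diffing, not for importing on a production machine: the heuristic split and the unsupported types are exactly the places where the output needs a human look first.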