Registry Hives Parsing

Parses Windows Registry hive files and extracts forensic artifacts, configuration data, persistence mechanisms, and user activity patterns for comprehensive analysis.

Registry Hives Parsing

Parses Windows Registry hive files and extracts forensic artifacts, configuration data, persistence mechanisms, and user activity patterns for comprehensive analysis.

API Endpoint

POST /analysis/registry/parse

HTTP Headers

Content-Type: application/json
X-Cursed-Api-Token: API token for authentication
X-Cursed-Api-Enc-Key: Encryption key for authenticated users (required if using encrypted files)

Request Method

POST

Parameters

Request Body (JSON):

Parameter	Type	Required	Description
`file_ids`	array	Yes	Array of file UUIDs to parse (50 hives maximum)

Request Body Schema

{
  "file_ids": ["string (UUID)", "string (UUID)", ...]
}

Response Format

Success Response (200 OK):

{
  "id": "b2c3d4e5-f6g7-8901-bcde-f23456789012",
  "job_name": "Celestial Sage Parser",
  "message": "Job queued",
  "category": "registry"
}

Error Response (400 Bad Request):

{
  "error": "No file IDs provided"
}

{
  "error": "Too many file IDs provided"
}

{
  "error": "Max registry analysis file limit exceeded"
}

{
  "error": "Failed to download file"
}

Error Response (401 Unauthorized):

{
  "error": "Unauthorized"
}

Error Codes

HTTP Status	Description
200	Success - Analysis job queued
400	Bad Request - Invalid parameters or file limit exceeded
401	Unauthorized - Missing authentication for private files
413	Payload Too Large - Too many files submitted
500	Internal Server Error - Server processing error

Example cURL Commands

Parse Multiple Registry Hives

curl -X POST https://api.cursedtools.com/analysis/registry/parse \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": [
      "98765432-fedc-5432-ba98-765432109876",
      "13579246-acef-8024-bd97-135792468024"
    ]
  }'

Parse Single Registry Hive

curl -X POST https://api.cursedtools.com/analysis/registry/parse \
  -H "Content-Type: application/json" \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": ["98765432-fedc-5432-ba98-765432109876"]
  }'

Example Response

{
  "id": "79f49d06-d80b-463d-9b3c-1f54c87ae95c",
  "job_name": "Quantum Oracle Parser",
  "message": "Job queued",
  "category": "registry"
}

Job Results

Once parsing is complete, the job will contain structured analysis results that can be retrieved using the Job Status API. Results include:

Analysis Types

Result Type	Description
Persistence Analysis	Run keys, services, startup programs, and other persistence mechanisms
User Activity	Shellbags, UserAssist, MRU lists, and user behavior artifacts
System Configuration	Installed software, network settings, and system policies
Authentication Data	User accounts, group memberships, and security policies
Network Artifacts	Network adapters, wireless profiles, and connection history
Application Data	Browser artifacts, office documents, and application configurations

Forensic Artifacts

Persistence Mechanisms

Run Keys: HKLM/HKCU Software\Microsoft\Windows\CurrentVersion\Run
Services: System and user-installed service configurations
Scheduled Tasks: Task scheduler artifacts and configurations
WinLogon: Shell and userinit modifications
Image Hijacking: Application and DLL hijacking attempts

User Activity Artifacts

Shellbags: Folder access patterns and directory navigation
UserAssist: Program execution frequency and timestamps
MRU Lists: Recently used files across applications
Jump Lists: Recent document and application usage
Typed URLs: Browser address bar history

System & Application Data

Amcache: Application execution metadata and file information
Shimcache: Application compatibility cache entries
BAM/DAM: Background and Desktop Activity Monitor data
USB Devices: Connected device history and metadata
Installed Software: Software inventory and installation dates

Security & Authentication

User Accounts: Local user profiles and account information
Group Memberships: User group assignments and privileges
Security Policies: Password policies and audit configurations
Cached Credentials: Domain credential cache analysis

Network Configuration

Network Adapters: Network interface configurations
Wireless Profiles: Saved wireless network profiles
Firewall Rules: Windows Firewall configuration and exceptions
Proxy Settings: Internet connection and proxy configurations

Processing Notes

File Requirements

Files must be valid Windows Registry hive format (.dat, .hiv, .reg)
Supports compressed archives (.zip) containing multiple hives
Maximum 50 hive files per request
Files are processed asynchronously
Supports Registry hives from Windows XP through Windows 11

Supported Hive Types

SYSTEM: System configuration and services
SOFTWARE: Installed applications and system-wide settings
SECURITY: Security policies and authentication data
SAM: User account and authentication information
NTUSER.DAT: User-specific settings and activity
UsrClass.dat: User application associations
COMPONENTS: Windows component and update information

Performance Considerations

Processing time varies by hive size and complexity
SYSTEM and SOFTWARE hives typically take 10-30 seconds
User hives (NTUSER.DAT) process within 5-15 seconds
Job priority determined by user subscription level
Multiple hives are processed in parallel when possible

Example Use Cases

cURL Example - Malware Persistence Hunt

# Analyze system hives for persistence mechanisms
curl -X POST https://api.cursedtools.com/analysis/registry/parse \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": ["system-hive-uuid", "software-hive-uuid"]
  }'

cURL Example - User Activity Analysis

# Analyze user hives for activity patterns
curl -X POST https://api.cursedtools.com/analysis/registry/parse \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": ["ntuser-hive-uuid", "usrclass-hive-uuid"]
  }'

cURL Example - Comprehensive Analysis

# Full Registry analysis with multiple hive types
curl -X POST https://api.cursedtools.com/analysis/registry/parse \
  -H "X-Cursed-Api-Token: your_api_token" \
  -H "X-Cursed-Api-Enc-Key: your_encryption_key" \
  -d '{
    "file_ids": [
      "system-hive-uuid",
      "software-hive-uuid", 
      "security-hive-uuid",
      "sam-hive-uuid",
      "ntuser-hive-uuid"
    ]
  }'

Notes

Maximum of 50 Registry hive files can be analyzed in a single request
Job results can be retrieved using the job status endpoint
Authentication is required for private/encrypted files
Job names are auto-generated using creative memorable combinations
Priority is determined by user subscription level
Unauthenticated users can analyze public files only
The analysis creates a background job that processes files asynchronously
Results include searchable summary data for efficient querying
Analysis automatically handles different Registry hive formats
Cross-hive correlation is performed when multiple hives are submitted
Timestamps are normalized to UTC for consistency
Binary data is automatically parsed and formatted for analysis

Prefetch Parsing

Parses Windows Prefetch (.pf) files and extracts execution artifacts, timeline data, and behavioral patterns for forensic analysis.

Search Event Logs (EVTX)

Searches through parsed Windows Event Log data using text queries, filters, and time ranges. Enables rapid investigation of specific events, patterns, and anomalies in EVTX analysis results.