Registry Run Keys

Artemis supports extracting the Windows Registry Run key information from several different Registry files:

  • NTUSER.DAT
  • SOFTWARE

Collection

Windows Run keys are collected through the artemis API.

Sample API Script

import { getRunKeys } from "./artemis-api/mod";

function main() {
  const results = getRunKeys();
  console.log(JSON.stringify(results));
}

main();

Output Structure

An array of RegistryRunKey

export interface RegistryRunKey {
  key_modified: string;
  key_path: string;
  registry_path: string;
  registry_file: string;
  path: string;
  /** When file was created */
  created: string;
  has_signature: boolean;
  md5: string;
  sha1: string;
  sha256: string;
  value: string;
  name: string;
}
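
One way to triage an array of RegistryRunKey entries for persistence review. This is an added example, not part of the Artemis documentation or code base. It assumes `path` is the resolved target file and `value` is the raw Run value data; the heuristics, `triageRunKeys`, and the sample entries are hypothetical.

```typescript
// Fields used here are a subset of the RegistryRunKey interface documented above.
interface RunKeyEntry {
  key_path: string;
  registry_file: string;
  path: string;
  has_signature: boolean;
  value: string;
  name: string;
}
interface Finding { name: string; registry_file: string; reasons: string[]; }

// Hypothetical triage heuristics (assumptions for this example, not Artemis rules).
const USER_WRITABLE = /\\(appdata|temp|programdata|users\\public)\\/i;
const SCRIPT_HOST = /(^|[\\\s"])(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?(["\s]|$)/i;

function triageRunKeys(entries: RunKeyEntry[]): Finding[] {
  const findings: Finding[] = [];
  for (const e of entries) {
    const reasons: string[] = [];
    // Assumption: an empty path means the target could not be resolved on disk,
    // so has_signature says nothing about it and is reported separately.
    if (e.path === "") reasons.push("target not resolved on disk");
    else if (!e.has_signature) reasons.push("target is unsigned");
    if (USER_WRITABLE.test(e.path) || USER_WRITABLE.test(e.value)) reasons.push("user-writable location");
    if (SCRIPT_HOST.test(e.value)) reasons.push("launches a script host or system binary proxy");
    if (reasons.length > 0) findings.push({ name: e.name, registry_file: e.registry_file, reasons });
  }
  return findings;
}

// Constructed sample entries, not real collection output.
const RUN = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
const sample: RunKeyEntry[] = [
  { name: "SecurityHealth", key_path: RUN, registry_file: "SOFTWARE", has_signature: true,
    path: "C:\\Windows\\System32\\SecurityHealthSystray.exe",
    value: "%windir%\\system32\\SecurityHealthSystray.exe" },
  { name: "Updater", key_path: RUN, registry_file: "NTUSER.DAT", has_signature: false,
    path: "C:\\Users\\alice\\AppData\\Roaming\\upd\\upd.exe",
    value: "\"C:\\Users\\alice\\AppData\\Roaming\\upd\\upd.exe\"" },
  { name: "Sync", key_path: RUN, registry_file: "NTUSER.DAT", has_signature: true,
    path: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    value: "powershell.exe -File C:\\Users\\Public\\sync.ps1" },
  { name: "Stale", key_path: RUN, registry_file: "SOFTWARE", has_signature: false,
    path: "", value: "C:\\Tools\\gone.exe" },
];

for (const f of triageRunKeys(sample)) console.log(`${f.registry_file} ${f.name}: ${f.reasons.join("; ")}`);
```

In a real collection script the input would be the array returned by `getRunKeys()` rather than the constructed sample.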