Registry Recon

Registry Recon

Registry Recon FAQs

System Requirements

Registry Recon requires Microsoft Windows 7 or later, .NET 4, and the Visual C++ 2010 Redistributable Package (x86/x64).

What is the Microsoft Windows Registry?

The Registry is a complex ecosystem, in database form, containing information related to hardware, software, and users on computer systems running Microsoft Windows. At a very basic level, the Registry is composed of “keys” and “values” which are similar in some ways to folders and files. Analysis of this information reveals the names of recently accessed files when applications were last run, who attached removable storage devices, and much more. The Registry is continually referenced during Windows operation so large volumes of Registry data can always be found both on disk and in live memory.

What are the Recon Registries and Recon View?

Recon Registries are all the Registries rebuilt by Registry Recon. Recon View is our method of showing you all the values within them in a unique and historical fashion, with seamless access to all instances of those values if you so desire.

What kinds of evidence can be added to Registry Recon?

Registry Recon supports adding forensic images in EnCase (E01) and raw (dd) formats, VHD disk images, physically mounted slave drives, and the contents of directories as evidence.

I am a student and would like to try Registry Recon. Where can I find sample evidence?

You can find sample evidence herehere, and here.

How Do Recon Registries Get Their Name?

If a full set of hives (particularly System and Software) are available for any particular Registry, its Recon Registries name will include the system name, Windows version, and install date. If a System hive is available, but a Software hive is not, the name will include the system name and Machine Security ID (“MSID”). If a Software hive is available, but a System hive is not, the name will include the Windows version and install date. If both System and Software hives are missing, the name will simply include an MSID.

Can Registry Recon resurrect registries if they have been overwritten?

It’s important to keep in mind that in the context of computer forensics, “deleted” and “overwritten” are two very different things. Registry Recon is often very successful rebuilding Registries which have been deleted and only exist in unallocated (deleted) space. Registry Recon cannot however rebuild Registries if they have been overwritten – for example, if a data scrubbing tool has been used to overwrite unallocated space.

Where can I get the latest version of Registry Recon?

You can get the latest version of Registry Recon from our Downloads page.

How can I activate an Arsenal license on an offline/air-gapped workstation?

If you want your offline/air-gapped workstation properly licensed to run Registry Recon and our other tools:

1.) Open Arsenal Image Mounter and enter the license code you were given

2.) Upon realizing that no Internet connection is available, Arsenal Image Mounter will save a “.LIC” file in the Users\Public\ArsenalRecon folder

3.) On a workstation with Internet access, go to our Offline Activation page at and upload the “.LIC” file

4.) Finally, copy the CDM file you receive to the Users\Public\ArsenalRecon folder on your offline/air-gapped workstation

Your offline/air-gapped workstation is now ready to run all the Arsenal tools! Please note, if you provide your offline/air-gapped workstation with Internet access for some reason and then launch our tools, the Arsenal license type will be converted from offline to online.

I had trouble adding evidence to Registry Recon, what is wrong?

Certain computer forensics applications can interfere with physical drives being added as evidence to Registry Recon, so Arsenal recommends refraining from their use while Adding Evidence.

What updates are on the way?

We are working on a large number of updates which include support for live memory captures, greatly improving searching, bookmarking, and reporting functionality, and performance tuning.