Remove errant WinSCP entry

[AndrewRathbun]

RECmd/BatchExamples/DFIRBatch.reb

Lines 2594 to 2600 in ce986df

	-
	Description: WinSCP
	HiveType: Other
	Category: Third Party Applications
	KeyPath: Software\Martin Prikryl
	Recursive: true
	Comment: "WinSCP"

Other hive is not valid

[reece394]

When I was testing pull commit #67 I had to use Other for the DEFAULT (System Installation) hive as DEFAULT didn't work so this was purposeful. Has this changed?

[AndrewRathbun]

When I was testing pull commit #67 I had to use Other for the DEFAULT (System Installation) hive as DEFAULT didn't work so this was purposeful. Has this changed?

Ah that's news to me. I'll have to test, I guess. I don't think I know anything about the DEFAULT hive but it's not hard to make a quick test batch file. I saw your PR but didn't realize Other was the workaround to that!

[reece394]

I tested it there now with DEFAULT

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/RECmd
Note: Enclose all strings containing spaces (and all RegEx) with double quotes
Command line: -d C:\Users\build\Desktop\c --bn BatchExamples\DFIRBatch.reb --nl true --csv C:\Users\build\Desktop\cparsed\Registry
Syntax error in BatchExamples\DFIRBatch.reb
Exception during deserialization
Requested value 'DEFAULT' was not found.
The batch file failed validation. Fix the issues and try again

With Other

RECmd version 2.0.0.0
Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/RECmd
Note: Enclose all strings containing spaces (and all RegEx) with double quotes
Command line: -d C:\Users\build\Desktop\c --bn BatchExamples\DFIRBatch.reb --nl true --csv C:\Users\build\Desktop\cparsed\Registry
Total hives found: 1
Processing hive C:\Users\build\Desktop\c\Windows\System32\config\default
Registry hive is dirty and transaction logs were found in the same directory, but --nl was provided. Data may be missing! Continuing anyways...
Sequence numbers do not match! Hive is dirty and the transaction logs should be reviewed for relevant data!
Found 361 key/value pairs across 1 file
Total search time: 0.175 seconds
Saving batch mode CSV file to C:\Users\build\Desktop\cparsed\Registry\20240907170215_RECmd_Batch_DFIRBatch_Output.csv

I agree with you it is odd but I did try and modify the code to add the DEFAULT type as an option but it didn't work hence I went with the Other option as a workaround.

For testing installing to SYSTEM if you want to experiment I use Process Hacker and go to the Hacker menu Run As and do this.

Expect errors though and weird program behaviours. I got errors in the installer of WinSCP when I tested it but I clicked through ignored them and it still worked.

[AndrewRathbun]

Good stuff. Thank you for the information! At least right now, the DFIRBatch file is functional and passing validation. We can always re-add once we figure out if Other or DEFAULT will be the path forward.

@reece394, fair to say #67 didn't take as expected, then?

If needed, we may want to tag @EricZimmerman on this. I can also try to take a peek. At least a workaround is to just use Other for DEFAULT (and other?) hives. That's a simple comment in DFIRBatch.reb or the guide/template files, or EZ Tools Manuals.

[reece394]

Well #67 was only to make RECmd actually see the DEFAULT registry when not specifically specifying it i.e not using -f default but using -d so in that regard it works as intended. But yeah it depends on if Eric wants to have a specific type for DEFAULT to avoid collisions if there are other registry hives I haven’t been considering . For my needs I was happy enough to use Other but I can understand if this isn’t acceptable.

[AndrewRathbun]

IMHO if it works, let's just roll with it. Less work on Eric's part and we'll just want to ensure proper documentation exists somewhere that Other covers DEFAULT.