Operator On The Wire

printkey

Walks the registry hive structures found in a memory image and prints the requested key.

Usage

  • Detect in-memory persistence
  • Hidden autoruns

Commands

# Print specific registry key (Vol2)
vol.py -f <mem> --profile=<profile> printkey -K "<KeyPath>"

# Print registry key (Vol3)
python3 vol.py -f <mem> windows.registry.printkey --key "<KeyPath>"
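
Triage sketch for the persistence and autorun use cases above. This is an added example, not part of the original page or of Volatility itself. It assumes the Vol3 command was run with the CSV renderer (`-r csv`) and that the column names match those shown; the sample rows are constructed and the heuristics are illustrative starting points.

```python
import csv
import io
import re

# Constructed sample shaped like `windows.registry.printkey -r csv` output.
# Column names are assumed from Volatility 3; confirm against your version.
SAMPLE_CSV = r'''TreeDepth,Last Write Time,Hive Offset,Type,Key,Name,Data,Volatile
0,2024-03-02 10:11:12.000000,0xa1000000,REG_SZ,\SystemRoot\System32\Config\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\system32\SecurityHealthSystray.exe,False
0,2024-03-09 03:14:15.000000,0xa2000000,REG_SZ,\??\C:\Users\alice\ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Run,Updater,C:\Users\alice\AppData\Roaming\upd\svc.exe,False
0,2024-03-09 03:14:20.000000,0xa2000000,REG_SZ,\??\C:\Users\alice\ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Run,Sync,wscript.exe C:\ProgramData\s.vbs,False
0,2024-03-09 03:15:00.000000,0xa2000000,Key,\??\C:\Users\alice\ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Run,Cache,,True
'''

# Illustrative heuristics (assumptions, tune for your environment).
RULES = [
    ("user-writable path",
     re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)),
    ("script host or proxy binary",
     re.compile(r"\b(powershell|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)),
]


def triage(csv_text):
    """Return (key, name, data, reasons) for each row that trips a heuristic."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = (row.get("Data") or "").strip().strip('"')
        reasons = [label for label, rx in RULES if rx.search(data)]
        # Volatile keys exist only in memory, so on-disk hive analysis misses them.
        if (row.get("Volatile") or "").strip().lower() == "true":
            reasons.append("volatile (memory-only) key")
        if reasons:
            findings.append((row["Key"], row["Name"], data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in triage(SAMPLE_CSV):
        print(f"{name!r} -> {data!r}: {', '.join(reasons)}")
```

A hit is a lead to verify against the process list and file system, not a verdict; legitimate software also autostarts from these locations.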