pkg registry

pkg/registry - Windows Registry Hive Parser

Offline parser for Windows registry hive files (SAM, SYSTEM, SECURITY). Used by secretsdump for local credential extraction.

func Open(data []byte) (*Hive, error)

Specialized Parsers

File	Functions	Description
`system.go`	Boot key extraction	Extract the SYSKEY from the SYSTEM hive
`sam.go`	SAM parsing	Extract local user hashes from the SAM hive
`security.go`	LSA secrets, cached credentials	Extract LSA secrets and domain cached credentials
`crypto.go`	Decryption helpers	AES/DES/RC4 decryption for registry secrets

Example: Extract Boot Key

data, _ := os.ReadFile("SYSTEM")
hive, err := registry.Open(data)
if err != nil {
    fmt.Printf("[-] %v\n", err)
    return
}

bootKey := hive.GetBootKey()
fmt.Printf("[+] Boot key: %x\n", bootKey)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pkg registry

pkg/registry - Windows Registry Hive Parser

Specialized Parsers

Example: Extract Boot Key

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally