There have been times when I wanted to parse an NTUSER, SYSTEM, or SOFTWARE hive and pull back just the keys and subkeys that were modified between two dates (the dates are arguments to the Python script below).
Thanks to William Ballenthin for showing how easy this is to do at https://www.mandiant.com/blog/parsing-registry-hives-python/ and for creating the python-registry library at https://github.com/williballenthin/python-registry.
You need to have the python-registry library from https://github.com/williballenthin/python-registry set up to use this, and the script must be located in that folder.
The script takes three required arguments (earliest date, latest date, and file location) and one optional argument (whether or not to output to CSV).
Mac example: RegRipbyDate.py -e '2014-01-26 12:00:00' -l '2014-01-28 00:00:00' -i /Users/Someone/Desktop/Temp/SYSTEM (note the single quotes on Mac)
Windows example: RegRipbyDate.py -e "2014-01-20 00:00:00" -l "2014-01-27 00:00:00" -i C:\Users\SomeUser\Desktop\SYSTEM (note the double quotes on Windows)
The script is very similar to the sample script at https://github.com/williballenthin/python-registry/blob/master/samples/printall.py, but it allows a more refined search of the registry based on each key's modified (last-write) date.
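To show the idea in code, here is an added example (mine, not the RegRipbyDate script itself) of the same walk-and-filter approach: every key whose last-write timestamp falls inside the window is reported, using python-registry's RegistryKey methods path(), timestamp() and subkeys(). The -c/--csv flag name and the FakeKey/demo_root stand-ins are assumptions I constructed so the filter can be exercised without a hive file.

```python
import argparse
import csv
import sys
from datetime import datetime
DATE_FMT = "%Y-%m-%d %H:%M:%S"  # the date format used in the examples above

def parse_date(text):
    return datetime.strptime(text, DATE_FMT)

def keys_modified_between(key, earliest, latest):
    """Pre-order walk yielding (path, last_write) for keys written in [earliest, latest].
    Needs only path(), timestamp(), subkeys(): python-registry's RegistryKey (naive UTC)."""
    stack = [key]
    while stack:
        current = stack.pop()
        ts = current.timestamp()
        if earliest <= ts <= latest:
            yield current.path(), ts
        stack.extend(reversed(current.subkeys()))  # keep sibling order

class FakeKey:
    """Constructed stand-in for RegistryKey so the filter runs without a hive file."""
    def __init__(self, path, ts, subkeys=()):
        self._path, self._ts, self._subkeys = path, ts, list(subkeys)
    def path(self): return self._path
    def timestamp(self): return self._ts
    def subkeys(self): return self._subkeys

def demo_root():
    """Constructed mini-hive (not real data); two keys fall in the Mac example's window."""
    return FakeKey("ROOT", datetime(2013, 12, 1), [
        FakeKey("ROOT\\Select", datetime(2014, 1, 27, 9, 30)),
        FakeKey("ROOT\\ControlSet001", datetime(2014, 1, 20), [
            FakeKey("ROOT\\ControlSet001\\Services", datetime(2014, 1, 26, 13, 0))])])

def main(argv=None):
    ap = argparse.ArgumentParser(description="registry keys last written inside a date window")
    ap.add_argument("-e", "--earliest", required=True, help="'YYYY-MM-DD HH:MM:SS' (UTC)")
    ap.add_argument("-l", "--latest", required=True)
    ap.add_argument("-i", "--input", required=True, help="hive file, e.g. SYSTEM")
    ap.add_argument("-c", "--csv", action="store_true")  # flag name is an assumption
    args = ap.parse_args(argv)
    earliest, latest = parse_date(args.earliest), parse_date(args.latest)
    if earliest > latest:
        ap.error("earliest date is after latest date")
    from Registry import Registry  # python-registry; deferred so the filter needs no hive
    root = Registry.Registry(args.input).root()
    out = csv.writer(sys.stdout, delimiter="," if args.csv else "\t")
    for path, ts in keys_modified_between(root, earliest, latest):
        out.writerow([ts.strftime(DATE_FMT), path])
```

Hive timestamps are UTC, so give the window in UTC too; on a real SYSTEM hive the walk covers every key under the root, so a tight window is what keeps the output readable.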
The script is located on our GitHub account: https://github.com/MalWerewolf/RegRipbyDate