X-Ways Plugin: XT_Info

An X-Ways X-Tension querying registry hives from your case to get a quick overview of the computer system configuration, users and commonly used malware keys.

XT_Info automatically loads and queries available registry hives.
XT_Info currently uses preconfigured artifacts, but allows custom queries as well.


XT_Info searches for \windows\system32\config\[security,software,system] hives, then queries
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*\ProfileImagePath
for available user directories and loads each available NTUSER.DAT as well.

Query format:

  • Query one or multiple keys:
    Format: <path>\<key>[,<key>]
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load,Run
  • Query all keys:
    Format: <path>\*
  • Query multiple paths:
    Format: <path>\*\<path> (plus key(s) or *)

Note that “CurrentControlSet” is automatically translated to the current control set key (ControlSet00N, as selected by SYSTEM\Select\Current).
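To make the hive discovery (ProfileList lookup) and the query syntax above concrete, here is an added Python example that is not part of the XT_Info project (which is written in C#). It resolves XT_Info-style queries against a constructed in-memory hive tree: nested dicts stand in for a parsed hive, `*` expands to every subkey at that level, a comma-separated tail selects several values, and `CurrentControlSet` is rewritten to `ControlSet00N` from `SYSTEM\Select\Current`. All registry contents below are constructed sample data, and the function names are my own.

```python
"""Resolve XT_Info-style registry queries against an in-memory hive tree (added example)."""
from typing import Dict, List, Optional, Tuple, Union

# A nested dict stands in for a parsed hive: dict values are subkeys, other
# values are value data. Hypothetical, constructed sample content.
Node = Dict[str, Union[str, int, "Node"]]

SAMPLE_HIVES: Node = {
    "HKLM": {
        "SYSTEM": {
            "Select": {"Current": 1},  # selects ControlSet001
            "ControlSet001": {"Services": {
                "Spooler": {"ImagePath": r"C:\Windows\System32\spoolsv.exe", "Start": 2},
                "Example": {"ImagePath": r"C:\Users\Public\svc.exe", "Start": 2},
            }},
        },
        "SOFTWARE": {"Microsoft": {"Windows NT": {"CurrentVersion": {"ProfileList": {
            "S-1-5-18": {"ProfileImagePath": r"%systemroot%\system32\config\systemprofile"},
            "S-1-5-21-1-2-3-1001": {"ProfileImagePath": r"C:\Users\alice"},
        }}}}},
    },
    # HKEY_CURRENT_USER stands in for one loaded NTUSER.DAT hive.
    "HKEY_CURRENT_USER": {"Software": {"Microsoft": {"Windows NT": {"CurrentVersion": {
        "Windows": {"Load": "", "Run": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    }}}}},
}


def _child(node: Node, name: str):
    """Case-insensitive lookup, as registry key and value names are case-insensitive."""
    for key, value in node.items():
        if key.lower() == name.lower():
            return value
    return None


def current_control_set(hives: Node) -> str:
    """Map CurrentControlSet to ControlSet00N using SYSTEM\\Select\\Current."""
    select = _child(_child(_child(hives, "HKLM"), "SYSTEM"), "Select")
    return f"ControlSet{int(_child(select, 'Current')):03d}"


def parse_query(query: str) -> Tuple[List[str], List[str]]:
    """Split '<path>\\<key>[,<key>]' into path components and requested value names."""
    parts = query.split("\\")
    return parts[:-1], parts[-1].split(",")


def _walk(node: Node, path: List[str], prefix: List[str]):
    """Yield (path, subkey) for every subkey matched by path, expanding '*'."""
    if not path:
        yield prefix, node
        return
    head, rest = path[0], path[1:]
    if head == "*":
        names = [name for name, value in node.items() if isinstance(value, dict)]
    else:
        names = [head]
    for name in names:
        child = _child(node, name)
        if isinstance(child, dict):
            yield from _walk(child, rest, prefix + [name])


def run_query(hives: Node, query: str) -> Dict[str, Union[str, int]]:
    """Return {full_value_path: data} for one XT_Info-style query string."""
    path, keys = parse_query(query)
    ccs = current_control_set(hives)
    path = [ccs if part.lower() == "currentcontrolset" else part for part in path]
    results: Dict[str, Union[str, int]] = {}
    for prefix, subkey in _walk(hives, path, []):
        if keys == ["*"]:
            wanted = [name for name, value in subkey.items() if not isinstance(value, dict)]
        else:
            wanted = keys
        for name in wanted:
            data = _child(subkey, name)
            if data is not None and not isinstance(data, dict):
                results["\\".join(prefix + [name])] = data
    return results


def user_profile_paths(hives: Node) -> List[str]:
    """The ProfileList lookup XT_Info performs to find NTUSER.DAT directories."""
    query = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*\ProfileImagePath"
    return sorted(run_query(hives, query).values())


if __name__ == "__main__":
    for q in (r"HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath",
              r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load,Run",
              r"HKLM\SYSTEM\CurrentControlSet\Services\Example\*"):
        for full_path, data in run_query(SAMPLE_HIVES, q).items():
            print(f"{full_path} = {data!r}")
    print(user_profile_paths(SAMPLE_HIVES))
```

Replacing `SAMPLE_HIVES` with a tree built from real hive files (for example via a registry parsing library) is the only change needed to run the same queries against a case; the wildcard expansion across `Services\*` is what lets a single query review every service's `ImagePath` for unusual locations.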


Developed in C# and tested with X-Ways 19.7 SR-3 x64.

Registry queries are based on code from https://github.com/EricZimmerman/Registry

X-Tensions API:

C# plugin API based on code from:
https://github.com/stdio-h/x-tensions (modified version of https://github.com/jp-slackspace/x-tension-c-sharp)

Artifacts are heavily based on https://www.forensicswiki.org/wiki/Windows_Registry


External artifacts (import or config file)

Export / Report results


Current development version is available here (use at own risk, no warranty). Open your case, browse a Windows image and run the XT_Info plugin. If asked to “Force unload?”, click “No”, otherwise you will not be able to issue any new queries. Note that the GUI might be minimized or sent to the background upon start.

XT_Info plugin.
