Skip to main content

PS-Remote Get Registry

This Playbook is part of the Windows Forensics Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host to acquire and export the registry as forensic evidence for further analysis. The capture can be for the entire registry or for a specific hive or path.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • AddEvidence
  • Set
  • Sleep
  • UnzipFile
  • IsIntegrationAvailable


  • ps-remote-download-file
  • ps-remote-export-registry

Playbook Inputs#

NameDescriptionDefault ValueRequired
HostA single hostname or IP address from which to export the registry file. For example, testpc01.Optional
RegistryHiveThe registry hive/path to export. If no value is specified, the entire registry will be exported.allOptional
FilePathThe path on the hostname on which to create the registry file. The default path will be c:\registry.reg.
If the AddHostNameToFile input is "true", the file downloaded to XSOAR will contain the hostname.
ZipRegistrySpecify "true" to zip the reg file before sending it to XSOAR.trueOptional
AddHostNameToFileSpecify "true" for the downloaded filename to contain the hostname, or "false" to keep the filename as configured in the FilePath argument.trueOptional

Playbook Outputs#

RegistryDetailsThe registry file details.string

Playbook Image#

PS-Remote Get Registry