

This script is part of the Windows Forensics Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This command uses the Registry Parse automation to extract critical forensics data from a registry file. The essential values to extract are specified by the script's arguments.

Script Data

Script Type: python3
Cortex XSOAR Version: 6.0.0

Used In

This script is used in the following playbooks and scripts.

  • Registry Parse Data Analysis


| Argument Name | Description |
| --- | --- |
| entryID | The entry ID for the reg file. |
| registryData | This argument allows the user to specify which of the following objects in the registry to parse. Default is "All". |
| customRegistryPaths | A comma-separated list of registry paths to parse. Try to keep your searches as exact as possible, for example registry_path=`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList`. |


| Path | Description | Type |
| --- | --- | --- |
| RegistryForensicDataRaw.Type | The registry data type. "Custom" for custom registry path. | Unknown |
| RegistryForensicDataRaw.RegistryPath | The registry key path. | Unknown |
| RegistryForensicDataRaw.RegistryKey | The registry key. | Unknown |
| RegistryForensicDataRaw.RegistryValue | The registry value. | Unknown |
| RegistryForensicData.Users.Sid | User SID. | Unknown |
| RegistryForensicData.Users.Guid | User GUID. | Unknown |
| RegistryForensicData.LastLoggedOnUser | Last user to be logged in. | Unknown |
| RegistryForensicData.TimeZone | Registry time zone. | Unknown |
| RegistryForensicData.Services.DisplayName | Registry service name. | Unknown |
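
The exact-path lookup described for customRegistryPaths, as an added example (not the pack's own code): it parses a text `.reg` export and returns rows shaped like the RegistryForensicDataRaw outputs for keys that match a requested path exactly. Assumptions: the reg file is a text export, the sample data is constructed, the function names are hypothetical, and the value name is mapped to RegistryKey.

```python
import re

# Constructed sample of a text registry export (.reg); not data from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList]
"DWM.exe"=dword:00000001
@="constructed default value"
"Blob"=hex:01,02,\
  03,04
'''

VALUE_LINE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def parse_reg_export(text):
    """Map each key path in a .reg export to its {value name: raw data}."""
    # Join continuation lines (a trailing backslash splits long hex values).
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            name = m.group(1)
            # "@" is the key's default value; quoted names use \\ and \" escapes.
            name = '(Default)' if name == '@' else re.sub(r'\\(.)', r'\1', name[1:-1])
            current[name] = m.group(2)
    return keys


def extract_custom_paths(text, custom_registry_paths):
    """Return rows for keys that exactly match a comma-separated path list."""
    wanted = {p.strip().lower() for p in custom_registry_paths.split(',') if p.strip()}
    rows = []
    for path, values in parse_reg_export(text).items():
        if path.lower() not in wanted:  # exact key match, case-insensitive
            continue
        # Assumption: value name -> RegistryKey, raw data -> RegistryValue.
        for name, data in values.items():
            rows.append({'Type': 'Custom', 'RegistryPath': path,
                         'RegistryKey': name, 'RegistryValue': data})
    return rows
```

Because matching is on the full key path, requesting the parent `AeDebug` key does not return the values under `AutoExclusionList`, which keeps results narrow when paths are given exactly.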