Login
        Contents x
        Collect a Forensics Package
        • 03 Nov 2025
        • 13 Minutes to read
        • PDF
        Contents

        Collect a Forensics Package

        • Updated on 03 Nov 2025
        • 13 Minutes to read
        • PDF
        Article summary

        Forensics package collection is a powerful Red Canary feature that lets you remotely gather information about an threatened endpoint to support a security investigation. If triggered by an automation action, it provides a detailed snapshot of the endpoint environment at the time the threat was detected. Since Red Canary handles the data collection, you don’t need direct access to the endpoint itself.

        Red Canary uses Osquery to generate the endpoint forensics data. Osquery is an open-source tool that collects system information about a Windows, macOS, or Linux device into a relational database and makes it queryable using SQL. We deploy and execute Osquery on the target machine, consolidate the results into either CSV or JSON format, then send you the resulting package via a secure email transfer. See the Forensic Artifacts Reference section for details of the SQL queries run.

        In order to request forensics package collection, you configure and run a standard Red Canary Automate playbook. There are two common use cases:

        • Manually collect a forensics package to investigate third-party alerts or support internal investigations

        • Automatically collect forensics packages when a high-severity threat is identified

        Supported Platforms and Integrations

        Forensics package collection is supported on the following operating systems:

        • Windows

        • macOS (both Apple Silicon and Intel)

        • Linux

        The following endpoint sensor integrations support forensics package collection:

        • Carbon Black Cloud

        • Carbon Black EDR (Response)

        • CrowdStrike Falcon

        • Microsoft Defender for Endpoint

        Important: If you use an application control product like Carbon Black Protection, you must add additional publishers to your allowlist.

        Creating a Collect Forensics Package Playbook

        To collect forensics packages, add the Collect Forensics action to an Automate playbook.

        1. From the Red Canary portal navigation menu, select Automation > Playbooks.

        2. In the Playbooks section, open an existing Automate playbook or make a new one by clicking +Create New Playbook.

        3. In the playbook, click +Add Action.

        4. From the Red Canary Prevention, Containment & Response section, add Collect Forensics to the playbook.

        5. Select a File Type (CSV or JSON) and specify who receives a notification when the package is available for download.

        6. Optionally check Require Approval and provide contact details if you want someone to approve this forensics collection action before it executes.

        7. Click Save.

        Manually Running a Collect Forensics Package Playbook

        1. To collect a forensics package manually, open the playbook and click Run.

        2. Select the desired threat or endpoint.

        3. When the playbook has finished executing, you’ll receive a notification email that links to the Red Canary file sharing system. Follow the link to download your forensics package.

          Note: The download link expires after seven days.

        Collecting a Forensics Package Automatically

        To automatically collect forensics packages when a threat is identified, link an appropriate trigger to the playbook. For more information, see Customize When a Playbook is Run With Triggers.

        Forensic Artifacts Reference

        The following tables list the forensic artifacts collected for each supported operating system, along with the SQL statement executed in Osquery to retrieve the data.

        Windows
        macOS
        Linux

        Windows

        Name

        SQL

        Application Compatibility Cache (Shim Cache)

        SELECT * FROM appcompat_shims;

        Address Resolution Protocol (ARP) Cache

        SELECT * FROM arp_cache;

        Autoexec

        SELECT DISTINCT name,source,path FROM autoexec ORDER BY name,source,path ASC;

        Bitlocker information

        SELECT protection_status,drive_letter,device_id FROM bitlocker_info;

        Chrome extensions

        SELECT uid,username,name,identifier,version FROM users JOIN chrome_extensions USING (uid) ORDER BY uid,name;

        Internet Explorer extensions

        SELECT * FROM ie_extensions;

        Disk info

        SELECT * FROM disk_info;

        Drives

        SELECT * FROM logical_drives;

        Drivers

        SELECT device_name,device_id as id,class,service_key FROM drivers where NOT (provider = 'Microsoft' AND signed = 1) AND NOT (class = '' AND service_key = '') ORDER BY device_name ASC;

        \etc\hosts details

        SELECT * FROM etc_hosts;

        Firewall profiles

        SELECT path,data,mtime as last_modified FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile';

        Firewall rules

        SELECT mtime as last_modified,data as firewall_rule FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules' ORDER BY last_modified DESC;

        Groups

        SELECT * FROM groups ORDER BY gid ASC;

        Interface addresses

        SELECT interface,address,broadcast,mask from interface_addresses;

        Interface details

        SELECT interface as interface_id,mac,description,connection_id,enabled,service,dhcp_enabled,dhcp_lease_expires,dhcp_lease_obtained,dhcp_server,dns_domain,dns_domain_suffix_search_order,dns_host_name,dns_server_search_order FROM interface_details ORDER BY interface_id ASC;

        Listening ports

        SELECT DISTINCT process.name,process.path,md5,listening.port,process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid JOIN hash using (path) WHERE listening.port != 0 ORDER BY process.name,process.pid,listening.port;

        Logged in users

        SELECT time,user,type,tty,pid FROM logged_in_users ORDER BY time;

        Logon sessions

        SELECT * FROM logon_sessions;

        Multilingual user interface cache

        SELECT * FROM registry WHERE key LIKE 'HKEY_USERS\%\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache' OR key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\ShellNoRoam\MUICache';

        Operating system version

        SELECT name,version FROM os_version;

        Patches

        SELECT hotfix_id,caption,description,installed_on FROM patches;

        Pipes

        SELECT pid,name AS pipe_name,flags FROM pipes ORDER BY pid,name ASC;

        Prefetch file information

        SELECT path,btime AS create_time,mtime AS last_modified_time FROM file WHERE path LIKE 'C:\Windows\Prefetch\%' ORDER BY last_modified_time ASC;

        Process open sockets

        SELECT DISTINCT process.pid,process.name,process.path,socket.family as network_protocol,socket.protocol as transport_protocol,socket.local_address,socket.local_port,socket.remote_address,socket.remote_port,socket.state FROM processes AS process JOIN process_open_sockets as socket ON process.pid = socket.pid WHERE (socket.local_address!='' or socket.remote_address!='');

        Processes

        SELECT pid,parent as parent_pid,name,md5,path,cmdline,uid,users.username,on_disk FROM users JOIN processes USING (uid) JOIN hash USING (path);

        Programs

        SELECT * FROM programs WHERE install_date != "";

        Python packages

        SELECT name AS package_name,version,path FROM python_packages ORDER BY package_name ASC;

        Recycle bin

        SELECT path,md5,btime AS create_time,mtime AS last_modified_time FROM file JOIN hash using (path) WHERE path LIKE 'C:\$Recycle.Bin\%\%%';

        Registry persistence

        SELECT * FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cmd' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe' OR key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\%\ShellEx\ContextMenuHandlers' OR key LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\%\ShellEx\PropertySheetHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\ShellEx\ContextMenuHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\ContextMenuHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Shellex\CopyHookHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Shellex\DragDropHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Shellex\PropertySheetHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\ShellEx\ContextMenuHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Shellex\ColumnHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\ExtShellFolderViews' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertySheetHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Protocols\Filter' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Protocols\Handler' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\Autorun' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ctf\LangBarAddin' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\IconServiceLib' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logoff' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Directory\Shellex\CopyHookHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Directory\Shellex\PropertySheetHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Folder\Shellex\ColumnHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Folder\ShellEx\ExtShellFolderViews' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Folder\ShellEx\PropertySheetHandlers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\Autorun' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx' OR key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BootVerificationProgram\ImagePath' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceControlManagerExtension' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Execute' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\S0InitialCommand' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SetupExecute' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\Setup\CmdLine' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\.cmd' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\.exe' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\%\ShellEx\ContextMenuHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\%\ShellEx\PropertySheetHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Directory\Background\ShellEx\ContextMenuHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Directory\ShellEx\ContextMenuHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Directory\Shellex\CopyHookHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Directory\Shellex\DragDropHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Directory\Shellex\PropertySheetHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Drive\ShellEx\ContextMenuHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Folder\Shellex\ColumnHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Folder\ShellEx\ExtShellFolderViews' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Folder\ShellEx\PropertySheetHandlers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Protocols\Filter' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Classes\Protocols\Handler' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Command Processor\Autorun' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Ctf\LangBarAddin' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Internet Explorer\Extensions' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logoff' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' OR key LIKE 'HKEY_USERS\%\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce';

        Routes

        SELECT interface,gateway,netmask,type,destination FROM routes ORDER BY interface,gateway,netmask,type,destination ASC;

        Scheduled tasks

        SELECT * FROM scheduled_tasks;

        Services

        SELECT name,service_type,display_name,status,pid,start_type,path,module_path,description,user_account as run_as FROM services ORDER BY name ASC;

        Shared resources

        SELECT name,description,path,status FROM shared_resources ORDER BY name ASC;

        Shimcache

        SELECT * FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache' OR key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility';

        Startup items

        SELECT * FROM startup_items;

        System info

        SELECT * FROM system_info;

        Time (time zone specific)

        SELECT local_time,local_timezone,unix_time,timestamp as date_time FROM time;

        Uptime

        SELECT * FROM uptime;

        UserAssist details

        SELECT * FROM registry WHERE key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count' OR key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count' OR key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count' OR key LIKE 'HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count';

        User groups

        SELECT * FROM groups JOIN user_groups USING (gid) JOIN users using (uid);

        Users

        SELECT * FROM users;

        Windows crashes

        SELECT * FROM windows_crashes;

        Windows event logs

        SELECT path,btime AS create_time,mtime AS last_modified_time FROM file WHERE path LIKE 'C:\Windows\System32\winevt\Logs\%.evtx' OR path LIKE 'C:\Windows\System32\config\%.evt';

        Windows Management Instrumentation (WMI) commandline interface event consumers

        SELECT * FROM wmi_cli_event_consumers;

        Windows Management Instrumentation (WMI) event filters

        SELECT * FROM wmi_event_filters;

        Windows Management Instrumentation (WMI) filter consumer binding

        SELECT * FROM wmi_filter_consumer_binding;

        Windows Management Instrumentation (WMI) script event consumers

        SELECT * FROM wmi_script_event_consumers;

        macOS

        Name

        SQL

        Account policy details

        SELECT users.username,apd.* FROM users JOIN account_policy_data AS apd using (uid);

        Active Directory details

        SELECT * FROM ad_config;

        Application URL schemes

        SELECT scheme,handler FROM app_schemes;

        Applications

        SELECT name,path,bundle_identifier,last_opened_time FROM apps ORDER BY name ASC;

        Address Resolution Protocol (ARP) Cache

        SELECT * FROM arp_cache;

        Authorized keys

        SELECT username,a.* FROM users JOIN authorized_keys AS a USING (uid);

        Battery information

        SELECT serial_number,health,state,charging as is_charging,charged as is_charged,percent_remaining AS battery_precent_remaining,minutes_until_empty,minutes_to_full_charge FROM battery;

        Block devices (disk, ramdisk, etc.)

        SELECT * FROM block_devices;

        Browser plugins

        SELECT uid,username,name as plugin_name,identifier,version,path,disabled FROM users JOIN browser_plugins AS b USING (uid) ORDER BY uid,name ASC;

        Chrome extensions

        SELECT uid,username,name,identifier,version FROM users JOIN chrome_extensions USING (uid) ORDER BY uid,name;

        Crashes

        SELECT * FROM crashes;

        Cronjob entries

        SELECT * FROM crontab;

        Disk encryption details

        SELECT encrypted,name as disk_name,type as cipher_type,uid,uuid as disk_uuid FROM disk_encryption;

        Configured DNS resolvers

        SELECT * FROM dns_resolvers;

        Event monitor daemon (emond) rules

        SELECT path,btime AS create_time,mtime AS last_modified_time FROM file WHERE path LIKE '/etc/emond.d/rules/%%';

        /etc/hosts entries

        SELECT * FROM etc_hosts;

        /etc/common details

        SELECT path,btime AS create_time,mtime AS last_modified_time FROM file WHERE path = '/etc/rc.common';

        Firefox add-ons

        SELECT uid,username,name as addon_name,identifier,f.type,version FROM users JOIN firefox_addons AS f USING (uid) ORDER BY uid,addon_name;

        Application layer firewall details

        SELECT * FROM alf;

        Application layer firewall exceptions

        SELECT * FROM alf_exceptions;

        Application layer firewall explicit proxy authentication

        SELECT * FROM alf_explicit_auths;

        Application layer firewall services

        SELECT * FROM alf_services;

        Gatekeeper settings

        SELECT assessments_enabled AS enabled,dev_id_enabled AS allow_apps_from_identified_developers FROM gatekeeper;

        Gatekeeper approved applications

        SELECT * FROM gatekeeper_approved_apps;

        Groups

        SELECT * FROM groups ORDER BY gid ASC;

        Interface addresses

        SELECT interface,address,broadcast,mask from interface_addresses;

        Interface details

        SELECT interface,mac,type as interface_type,ibytes as input_bytes,obytes as output_bytes,last_change as last_device_modification FROM interface_details ORDER BY interface ASC;

        Kernel extensions

        SELECT name,version,path FROM kernel_extensions ORDER BY name ASC;

        Kernel panics

        SELECT * FROM kernel_panics;

        Known hosts

        SELECT uid,username,key,key_file FROM users JOIN known_hosts USING (uid) ORDER BY uid,key_file,key;

        Last logins

        SELECT time,tty,username FROM last WHERE username != "" ORDER by time ASC;

        Launchd

        SELECT * FROM launchd;

        Process listening ports

        SELECT DISTINCT process.name,process.path,md5,listening.port,process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid JOIN hash using (path) WHERE listening.port != 0 ORDER BY process.name,process.pid,listening.port;

        Logged in users

        SELECT time,user,type,tty,pid FROM logged_in_users ORDER BY time;

        Managed polices

        SELECT * FROM managed_policies;

        Mounts

        SELECT device,device_alias,path,type,blocks_size,blocks_free,blocks_available FROM mounts;

        Network file system (NFS) shares

        SELECT * FROM nfs_shares;

        Operating system version

        SELECT name,version FROM os_version;

        Package install history

        SELECT time,name,package_id,source FROM package_install_history ORDER BY time ASC;

        Package receipts

        SELECT install_time,installer_name,package_id,version from package_receipts ORDER BY install_time ASC;

        Periodic entries

        SELECT path,btime AS create_time,mtime AS last_modified_time FROM file WHERE path LIKE '/etc/periodic/%%';

        Printers

        SELECT option_value as make_and_model FROM cups_destinations WHERE option_name = 'printer-make-and-model';

        Process environment variables

        SELECT name AS process_name,key as env_key,value as env_value FROM process_envs JOIN processes USING (pid) ORDER BY process_name,env_key ASC;

        Process open files

        SELECT DISTINCT process.pid,process.name,open.path as open_path FROM processes AS process JOIN process_open_files as open ON process.pid = open.pid WHERE open_path != '/dev/null' AND open_path != '/dev/urandom';

        Process open sockets

        SELECT DISTINCT process.pid,process.name,process.path,socket.family as network_protocol,socket.protocol as transport_protocol,socket.local_address,socket.local_port,socket.remote_address,socket.remote_port,socket.state FROM processes AS process JOIN process_open_sockets as socket ON process.pid = socket.pid WHERE (socket.local_address!='' or socket.remote_address!='');

        Processes

        SELECT pid,parent as parent_pid,name,md5,path,cmdline,uid,users.username,on_disk FROM users JOIN processes USING (uid) JOIN hash USING (path);

        Python packages

        SELECT name AS package_name,version,path FROM python_packages ORDER BY package_name ASC;

        Routes

        SELECT interface,gateway,netmask,type,destination FROM routes ORDER BY interface,gateway,netmask,type,destination ASC;

        Safari extensions

        SELECT uid,username,name as extension_name,identifier,version,path FROM users JOIN safari_extensions USING (uid) ORDER BY uid,name;

        Shared folders

        SELECT * from shared_folders ORDER BY name ASC;

        Sharing preferences

        SELECT * FROM sharing_preferences;

        Shell history

        SELECT time,uid,username,command,history_file FROM users JOIN shell_history USING (uid) ORDER BY time,uid ASC;

        System integrity protection (SIP) configurations

        SELECT * FROM sip_config;

        SSH configurations

        SELECT uid,username,block as host_block,option,ssh_config_file FROM users JOIN ssh_configs USING (uid);

        Startup items

        SELECT * FROM startup_items;

        Sudoers

        SELECT * FROM sudoers;

        System information

        SELECT * FROM system_info;

        Time (time zone specific)

        SELECT local_time,local_timezone,unix_time,timestamp as date_time FROM time;

        Time machine backups

        SELECT * FROM time_machine_backups;

        Time machine destinations

        SELECT * FROM time_machine_destinations;

        Update

        SELECT * FROM uptime;

        USB devices

        SELECT usb_port,vendor,vendor_id,model,model_id,removable FROM usb_devices ORDER BY usb_port ASC;

        User groups

        SELECT uid,username,g.gid,groupname,description FROM groups AS g JOIN user_groups USING (gid) JOIN users using (uid) ORDER BY uid,g.gid ASC;

        Hidden user files

        SELECT path,btime AS create_time,mtime AS last_modified_time FROM file WHERE path LIKE '/Users/%/.%';

        User SSH keys

        SELECT uid,username,directory,path,encrypted as is_encrypted FROM users JOIN user_ssh_keys USING (uid) ORDER BY uid,directory,path ASC;

        Users

        SELECT * FROM users;

        /var/log entries

        SELECT path,btime AS create_time,mtime AS last_modified_time FROM file WHERE path LIKE '/var/log/%%';

        Wifi networks

        SELECT ssid,network_name,security_Type,last_connected,captive_portal FROM wifi_networks ORDER BY last_connected;

        Wifi status

        SELECT interface,ssid,bssid,network_name,country_code,security_type,mode as wifi_interface_mode FROM wifi_status ORDER BY interface ASC;

        XProtect reports

        SELECT * FROM xprotect_reports;

        Linux

        Name

        SQL

        APT sources

        SELECT source,name,base_uri FROM apt_sources ORDER BY source,name;

        Address Resolution Protocol (ARP) Cache

        SELECT * FROM arp_cache;

        Authorized Keys

        SELECT username,a.* FROM users JOIN authorized_keys AS a USING (uid);

        Block devices (disk, ramdisk, etc.)

        SELECT * FROM block_devices;

        Crontab Entries

        SELECT * FROM crontab;

        Distribution package details

        SELECT name,version FROM deb_packages ORDER BY name ASC;

        Disk encryption details

        SELECT encrypted,name as disk_name,type as cipher_type,uid,uuid as disk_uuid FROM disk_encryption;

        Configured DNS resolvers

        SELECT * FROM dns_resolvers;

        /etc/hosts entries

        SELECT * FROM etc_hosts;

        Interface addresses

        SELECT interface,address,broadcast,mask from interface_addresses;

        Interface details

        SELECT interface,mac,type as interface_type,ibytes as input_bytes,obytes as output_bytes,last_change as last_device_modification FROM interface_details ORDER BY interface ASC;

        IPtables entries

        SELECT * FROM iptables;

        Kernel info

        SELECT * FROM kernel_info;

        Kernel modules

        SELECT name,used_by,status,address FROM kernel_modules ORDER BY name ASC;

        Known hosts

        SELECT uid,username,key,key_file FROM users JOIN known_hosts USING (uid) ORDER BY uid,key_file,key;

        Last logins

        SELECT time,tty,username FROM last WHERE username != "" ORDER by time ASC;

        Listening ports

        SELECT DISTINCT process.name,process.path,md5,listening.port,process.pid FROM processes AS process JOIN listening_ports AS listening ON process.pid = listening.pid JOIN hash using (path) WHERE listening.port != 0 ORDER BY process.name,process.pid,listening.port;

        Load average

        SELECT * FROM load_average;

        Logged in users

        SELECT time,user,type,tty,pid FROM logged_in_users ORDER BY time;

        Mounts

        SELECT device,device_alias,path,type,blocks_size,blocks_free,blocks_available FROM mounts;

        NPM packages

        SELECT * FROM npm_packages;

        Operating system version

        SELECT name,version FROM os_version;

        Process environment variables

        SELECT name AS process_name,key as env_key,value as env_value FROM process_envs JOIN processes USING (pid) ORDER BY process_name,env_key ASC;

        Process open sockets

        SELECT DISTINCT process.pid,process.name,process.path,socket.family as network_protocol,socket.protocol as transport_protocol,socket.local_address,socket.local_port,socket.remote_address,socket.remote_port,socket.state FROM processes AS process JOIN process_open_sockets as socket ON process.pid = socket.pid WHERE (socket.local_address!='' or socket.remote_address!='');

        Processes

        SELECT pid,parent as parent_pid,name,md5,path,cmdline,uid,users.username,on_disk FROM users JOIN processes USING (uid) JOIN hash USING (path);

        Python packages

        SELECT name AS package_name,version,path FROM python_packages ORDER BY package_name ASC;

        Routes

        SELECT interface,gateway,netmask,type,destination FROM routes ORDER BY interface,gateway,netmask,type,destination ASC;

        RPM package files

        SELECT * FROM rpm_package_files;

        RPM packages

        SELECT * FROM rpm_packages;

        Shadow

        SELECT password_status,username,last_change FROM shadow ORDER BY last_change ASC;

        Shell history

        SELECT time,uid,username,command,history_file FROM users JOIN shell_history USING (uid) ORDER BY time,uid ASC;

        SSH configs

        SELECT uid,username,block as host_block,option,ssh_config_file FROM users JOIN ssh_configs USING (uid);

        Sudoers

        SELECT * FROM sudoers;

        System info

        SELECT * FROM system_info;

        Time (time zone specific)

        SELECT local_time,local_timezone,unix_time,timestamp as date_time FROM time;

        Uptime

        SELECT * FROM uptime;

        USB devices

        SELECT usb_port,vendor,vendor_id,model,model_id,removable FROM usb_devices ORDER BY usb_port ASC;

        User groups

        SELECT uid,username,g.gid,groupname,description FROM groups AS g JOIN user_groups USING (gid) JOIN users using (uid) ORDER BY uid,g.gid ASC;

        User SSH keys

        SELECT uid,username,directory,path,encrypted as is_encrypted FROM users JOIN user_ssh_keys USING (uid) ORDER BY uid,directory,path ASC;

        Users

        SELECT * FROM users;

        /var/log paths

        SELECT path,mtime AS last_modified_time FROM file WHERE path LIKE '/var/log/%%';

        Yum sources

        SELECT * FROM yum_sources;

        Was this article helpful?
        What's Next
        Change password!
        Changing your password will log you out immediately. Use the new password to log back in.
        Change profile
        Success!
        First name must have atleast 2 characters. Numbers and special characters are not allowed.
        Last name must have atleast 1 characters. Numbers and special characters are not allowed.
        Enter a valid email
        Enter a valid password
        Your profile has been successfully updated.
        Logout