Last active
March 5, 2026 01:14
-
-
Save mark-hallman/a878bba72188a5e5e263fbe1059d891e to your computer and use it in GitHub Desktop.
RECmd Batch File Examples
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Here are a few RECmd barch file exmaples. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: Mircosoft Office MRU | |
| Author: Mark Hallman | |
| Version: 1 | |
| Id: 1cca5553-ffc8-4f34-92dc-99e70fdf3acb | |
| Keys: | |
| - | |
| Description: MS Office MRU | |
| HiveType: NTUSER | |
| Category: File and Folder Opening | |
| KeyPath: SOFTWARE\Microsoft\Office\*\*\User MRU\*\* | |
| Recursive: true | |
| Comment: MS Office MRU |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: User WordWheelQuery | |
| Author: Mark Hallman | |
| Version: 1 | |
| Id: 87fafa06-0c44-48b1-9f2c-2eca469d1309 | |
| Keys: | |
| - | |
| Description: ComDlg32 OpenSaveMRU | |
| HiveType: NtUser | |
| Category: User Activity | |
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU | |
| Recursive: true | |
| Comment: "" | |
| - | |
| Description: ComDlg32 OpenSavePidlMRU | |
| HiveType: NtUser | |
| Category: User Activity | |
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU | |
| Recursive: true | |
| Comment: "" | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: User Recent Files and Folders | |
| Author: Mark Hallman | |
| Version: 1 | |
| Id: 99705960-bc6f-4df4-831c-c788db0f85c8 | |
| Keys: | |
| - | |
| Description: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | |
| HiveType: NtUser | |
| Category: User Activity | |
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | |
| Recursive: true | |
| Comment: "" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ###################################### | |
| # Use RECmd to process user artifacts like TZWorks CAFAE but in a much easier to read | |
| # outout format that loads into Timeline Explorer (TLE) | |
| # The custom .reb batch files need to be added your install. I put then in the same | |
| # location as the other Registry Explorer Examples but they can go anywhere. Adjust the --bn | |
| # path as needed. Adjust you -f hive filename to meet you needed. These examples are using the | |
| # mounted SANS FOR500 Triage Image VHDX | |
| ###################################### | |
| recmd --bn "C:\Forensic Program Files\ZimmermanTools\RegistryExplorer\BatchExamples\WordWheelQuery.reb" -f "E:\C\Users\Donald\NTUSER.DAT" --csv G:\tmp\ | |
| recmd --bn "C:\Forensic Program Files\ZimmermanTools\RegistryExplorer\BatchExamples\RecentDocs.reb" -f "E:\C\Users\Donald\NTUSER.DAT" --csv G:\tmp\ | |
| recmd --bn "C:\Forensic Program Files\ZimmermanTools\RegistryExplorer\BatchExamples\TypedPaths.reb" -f "E:\C\Users\Donald\NTUSER.DAT" --csv G:\tmp\ | |
| recmd --bn "C:\Forensic Program Files\ZimmermanTools\RegistryExplorer\BatchExamples\OpenSave_MRU.reb" -f "E:\C\Users\Donald\NTUSER.DAT" --csv G:\tmp\ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: User Typed Paths | |
| Author: Mark Hallman | |
| Version: 1 | |
| Id: a7a7f37e-4a5f-4405-b045-ece5e28955cd | |
| Keys: | |
| - | |
| Description: Explorer TypedPaths | |
| HiveType: NtUser | |
| Category: User Activity | |
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths | |
| Recursive: false | |
| Comment: "" | |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Description: User Search History (WordWheelQuery) | |
| Author: Mark Hallman | |
| Version: 1 | |
| Id: 8c8263b3-c91e-4772-bf3e-4c095f66e5ce | |
| Keys: | |
| - | |
| Description: Explorer WordWheelQuery | |
| HiveType: NtUser | |
| Category: User Activity | |
| KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery | |
| Recursive: false | |
| Comment: "" | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Really helpful and well-structured examples in A_Few_RECmd_Batch_Examples.txt. The batch processing flow is clear and practical, making it easier to understand implementation. This kind of organized system is just as important for platforms managing high-demand files like Geometry Dash APK, where efficiency and smooth performance matter.