
I am currently trying to parse the keys in a Windows 7 registry containing the MRU lists for Microsoft Office 2013. However, when I attempt to run the Perl script in RegRipper it says the plugin was not successfully run. I'm not sure if there is a syntax error in my code or if it is unable to parse the registry as I have it written. The biggest problem is that one of the keys is named after the user's LiveId (it appears as LiveId_XXXXXXX) and this changes from user to user, so I would like this plugin to work no matter what the user's LiveId is. Thanks!

    use strict;
    use warnings;
    use Parse::Win32Registry;

    # RegRipper calls pluginmain with the path of the hive (NTUSER.DAT here)
    sub pluginmain {
        my $class  = shift;
        my $ntuser = shift;
        my $reg = Parse::Win32Registry->new($ntuser);
        my $root_key = $reg->get_root_key;
        # ::rptMsg("officedocs2013_File_MRU v.".$VERSION); # 20110830 [fpi] - redundant
        my $key_path = "Software\\Microsoft\\Office\\15.0";
        my $of_key = $root_key->get_subkey($key_path);
        if ($of_key) {
            ::rptMsg("MSOffice version 2013 located.");
            # Attempt to retrieve Word docs; the path is relative to the 15.0 key
            # already held in $of_key, not the full path from the hive root
            my $word_mru_path = "Word\\User MRU";
            my $word_mru_key = $of_key->get_subkey($word_mru_path);
            if ($word_mru_key) {
                # The subkey is named LiveId_<per-user id>, so select it by pattern
                # instead of by a fixed name; $key must be the loop variable,
                # otherwise the body refers to an undefined variable
                foreach my $key ($word_mru_key->get_list_of_subkeys()) {
                    next unless ($key->get_name() =~ /^LiveId_\w+$/);
                    my $word = $key->get_name()."\\File MRU";
                    my $word_key = $key->get_subkey("File MRU");
                    if ($word_key) {
                        ::rptMsg($key_path."\\".$word_mru_path."\\".$word);
                        ::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)");
                        my @vals = $word_key->get_list_of_values();
                        if (scalar(@vals) > 0) {
                            my %files;
                            # Retrieve values and load into a hash for sorting
                            foreach my $v (@vals) {
                                my $val = $v->get_name();
                                if ($val eq "Max Display") { next; }
                                # getWinTS decodes the timestamp embedded in the value data;
                                # it is assumed to be defined elsewhere in the plugin, as in
                                # the other RegRipper officedocs plugins
                                my $data = getWinTS($v->get_data());
                                # "Item 12" -> " 12", sorted numerically below
                                my $tag = (split(/Item/,$val))[1];
                                $files{$tag} = $val.":".$data;
                            }
                            # Print sorted content to report file
                            foreach my $u (sort {$a <=> $b} keys %files) {
                                my ($val,$data) = split(/:/,$files{$u},2);
                                ::rptMsg("  ".$val." -> ".$data);
                            }
                        }
                        else {
                            ::rptMsg($key_path."\\".$word_mru_path."\\".$word." has no values.");
                        }
                    }
                    else {
                        ::rptMsg($key_path."\\".$word_mru_path."\\".$word." not found.");
                    }
                    ::rptMsg("");
                }
            }
            else {
                ::rptMsg($key_path."\\".$word_mru_path." not found.");
            }
        }
        else {
            ::rptMsg($key_path." not found.");
        }
    }
    Also give input and expected output. Otherwise we have no idea how the regex is supposed to work – skamazin Aug 04 '14 at 16:58
  • The output is a text document that lists all of the values in the File MRU key along with the "Last Write Time" date and time, right next to the name of the document. – thunter92 Aug 04 '14 at 17:11
  • I mean literal output. Regex is very specific so we need specific input and specific output. If you want the regex to apply to `LiveId_XXXXXXX` it should be rather easy but we still need the context of where this string is located – skamazin Aug 04 '14 at 17:18
  • I am using a program called RegRipper; it consists of many different "plugins" (Perl scripts) that parse various parts of the registry, depending on what you are looking for. In my case the information I want is located in the NTUSER.DAT file. Therefore I feed RegRipper the NTUSER.DAT file I would like to parse and it runs the appropriate scripts and dumps the output into a text file. The full path to the File MRUs I am looking for within NTUSER.DAT is "Word\\User MRU\\LiveId_7A5166EB69B271A475B25410BA565F1A63A6FD1BD8CF0F780A344EC2B287CCC1\\Place MRU" – thunter92 Aug 04 '14 at 17:34
  • However that LiveId varies from user to user. – thunter92 Aug 04 '14 at 17:35
  • That's fine, that's actually what regex is good at. If you take a [look here](http://regex101.com/r/tD9gJ3/1) you'll see that the regex can grab that random string after `LiveId_` and you can reference it with a `\1` [like this](http://regex101.com/r/tD9gJ3/2). I hope that helps a little – skamazin Aug 04 '14 at 17:40
  • I'm going to turn that comment into an answer so we can close this question – skamazin Aug 04 '14 at 17:58

1 Answer


The regex

LiveId_(\w+)

will grab the string after LiveId_ and you can reference it with a \1 like this

skamazin
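The plugin logic from the question (select the per-user LiveId_ subkey with the answer's pattern, skip Max Display, sort the Item N values numerically, decode the timestamp that getWinTS extracts from the value data) as an added example in Python; this is not code from the question, the answer or RegRipper. It runs over a constructed in-memory copy of the User MRU subtree instead of a hive, and assumes the value data uses the [F<8 hex>][T<16 hex FILETIME>][O<8 hex>]*path layout.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the subtree the plugin walks (not a real hive):
# Software\Microsoft\Office\15.0\Word\User MRU\<subkey>\File MRU\<values>
USER_MRU = {
    "LiveId_7A5166EB69B271A475B25410BA565F1A63A6FD1BD8CF0F780A344EC2B287CCC1": {
        "File MRU": {
            "Max Display": 25,
            "Item 1":  "[F00000000][T019DB1EF98C75000][O00000000]*C:\\Users\\alice\\report.docx",
            "Item 10": "[F00000000][T019DB1DED53E8000][O00000000]*C:\\Users\\alice\\old.docx",
            "Item 2":  "[F00000000][T019DB1E73702E800][O00000000]*\\\\fileserver\\share\\memo.docx",
        }
    },
    # constructed non-LiveId sibling that the pattern must skip
    "ADAL_0123456789ABCDEF": {"File MRU": {"Max Display": 25}},
}

LIVEID_RE = re.compile(r"^LiveId_(\w+)$")   # the answer's regex, anchored to the whole name
ITEM_RE = re.compile(r"^Item (\d+)$")       # "Item 1", "Item 10", ... ; rejects "Max Display"
DATA_RE = re.compile(r"^\[F[0-9A-Fa-f]{8}\]\[T([0-9A-Fa-f]{16})\]\[O[0-9A-Fa-f]{8}\]\*(.*)$")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(hex_ticks):
    """Decode a FILETIME (100 ns ticks since 1601-01-01 UTC) written as 16 hex digits."""
    return FILETIME_EPOCH + timedelta(microseconds=int(hex_ticks, 16) // 10)

def parse_file_mru(user_mru):
    """Return [(liveid, [(item_no, timestamp_or_None, path), ...])] with items in numeric order."""
    results = []
    for subkey, children in user_mru.items():
        m = LIVEID_RE.match(subkey)
        if not m or "File MRU" not in children:
            continue
        items = []
        for name, data in children["File MRU"].items():
            im = ITEM_RE.match(name)
            if not im:                       # skips "Max Display" and unrelated values
                continue
            dm = DATA_RE.match(str(data))
            if not dm:                       # malformed data: keep the raw value, no timestamp
                items.append((int(im.group(1)), None, str(data)))
                continue
            items.append((int(im.group(1)), filetime_to_utc(dm.group(1)), dm.group(2)))
        items.sort(key=lambda it: it[0])     # numeric sort: Item 2 before Item 10
        results.append((m.group(1), items))
    return results
```

Call parse_file_mru(USER_MRU) to get the single LiveId_ entry with its items ordered 1, 2, 10; the sorted order would be 1, 10, 2 if the names were compared as strings.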