diff options
Diffstat (limited to 'patterns/README.md')
| -rw-r--r-- | patterns/README.md | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/patterns/README.md b/patterns/README.md new file mode 100644 index 0000000..5e86e41 --- /dev/null +++ b/patterns/README.md @@ -0,0 +1,11 @@ +# ImHex Patterns + +You can use these pattern files with [ImHex](https://github.com/WerWolv/ImHex) to view contents of various SPP-related files. + +## Pattern List + + - `variablebag` - For product key blobs in physical store/`cache.dat` + - `tokenstore` - For `tokens.dat` + - `win7_physstore`/`winmodern_physstore` - For decrypted Windows 7/Windows 8+ physical store + +Physical store can be decrypted with TSforge `/dump` option, ex. `tsforge /dump out.dat` on live system or `tsforge /dump out.dat in.dat` for physical store from offline system. |