Update to RegRipper 2.8 plugins

2025-07-12 07:56:16 +00:00 · 2017-05-08 11:50:20 -04:00 · 2017-05-08 11:50:20 -04:00 · 2cb4d22e12
commit 2cb4d22e12
parent 3e84286444
97 changed files with 1496 additions and 750 deletions
--- a/thirdparty/rr-full/plugins/adoberdr.pl
+++ b/thirdparty/rr-full/plugins/adoberdr.pl
@ -4,16 +4,20 @@
 # Parse Adobe Reader MRU keys
 #
 # Change history
 #   20150717 - updated IAW Jason Hale's blog post (see ref), added
 #              .csv output format
 #   20120716 - added version 10.0 to @versions
 #   20100218 - added checks for versions 4.0, 5.0, 9.0
 #   20091125 - modified output to make a bit more clear
 #
 # References
 #   http://dfstream.blogspot.com/2015/07/adobe-readers-not-so-crecentfiles.html
 #
 # Note: LastWrite times on c subkeys will all be the same,
 #       as each subkey is modified as when a new entry is added
 #
-# copyright 2010 Quantum Analytics Research, LLC
+# copyright 2015 Quantum Analytics Research, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package adoberdr;
 use strict;
@ -23,7 +27,7 @@ my %config = (hive          => "NTUSER\.DAT",
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
-              version       => 20120716);
+              version       => 20150717);
 sub getConfig{return %config}
 sub getShortDescr {
@ -41,14 +45,14 @@ sub pluginmain {
 	my $ntuser = shift;
 	::logMsg("Launching adoberdr v.".$VERSION);
 	::rptMsg("adoberdr v.".$VERSION); # banner
-    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+  ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
 	my $reg = Parse::Win32Registry->new($ntuser);
 	my $root_key = $reg->get_root_key;
 	::rptMsg("Adoberdr v.".$VERSION);
 # First, let's find out which version of Adobe Acrobat Reader is installed
 	my $version;
 	my $tag = 0;
-	my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0","10\.0","11\.0","12\.0");
+	my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0","10\.0","11\.0","12\.0","13\.0","14\.0", "DC");
 	foreach my $ver (@versions) {		
 		my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles";
 		if (defined($root_key->get_subkey($key_path))) {
@ -74,10 +78,30 @@ sub pluginmain {
 					$num =~ s/^c//;
 					$arkeys{$num}{lastwrite} = $s->get_timestamp();
 					$arkeys{$num}{data} = $data;
 					eval {
 						$arkeys{$num}{tDIText} = $s->get_value('tDIText')->get_data();
 					};
 					eval {
 						$arkeys{$num}{sDate} = $s->get_value('sDate')->get_data();
 						$arkeys{$num}{sDate} =~ s/^D://;
 					};
 					eval {
 						$arkeys{$num}{uFileSize} = $s->get_value('uFileSize')->get_data();
 					};
 					eval {
 						$arkeys{$num}{uPageCount} = $s->get_value('uPageCount')->get_data();
 					};
 				}
 				::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)");
-				foreach my $k (sort keys %arkeys) {
+				::rptMsg("Key name,file name,sDate,uFileSize,uPageCount");
-					::rptMsg("  c".$k."   ".$arkeys{$k}{data});
+				foreach my $k (sort {$a <=> $b} keys %arkeys) {
 					::rptMsg("c".$k.",".$arkeys{$k}{data}.",".$arkeys{$k}{sDate}.",".$arkeys{$k}{uFileSize}.",".$arkeys{$k}{uPageCount});
 				}
 			}
 			else {
--- a/thirdparty/rr-full/plugins/all
+++ b/thirdparty/rr-full/plugins/all
@ -1,6 +1,17 @@
-# 20120528 *ALL* Plugins that apply on any HIVES, alphabetical order
+# 20161213 *ALL* Plugins that apply on any HIVES, alphabetical order
 baseline
 del
 del_tln
 fileless
 findexes
 installedcomp
 installer
 malware
 null
 regtime
 regtime_tln
 rlo
-del
+sizes
 uninstall
 uninstall_tln
 wallpaper
--- a/thirdparty/rr-full/plugins/amcache.pl
+++ b/thirdparty/rr-full/plugins/amcache.pl
@ -2,6 +2,8 @@
 # amcache.pl 
 #   
 # Change history
 #   20170315 - added output for Product Name and File Description values
 #   20160818 - added check for value 17
 #   20131218 - fixed bug computing compile time
 #   20131213 - updated 
 #   20131204 - created
@ -9,7 +11,7 @@
 # References
 #   http://www.swiftforensics.com/2013/12/amcachehve-in-windows-8-goldmine-for.html
 #
-# Copyright (c) 2013 QAR, LLC
+# Copyright (c) 2017 QAR, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package amcache;
@ -21,7 +23,7 @@ my %config = (hive          => "amcache",
              hasRefs       => 1,
              osmask        => 22,
              category      => "program execution",
-              version       => 20131218);
+              version       => 20170315);
 my $VERSION = getVersion();
 # Functions #
@ -62,8 +64,9 @@ sub pluginmain {
 			if (scalar(@sk) > 0) {
 				foreach my $s (@sk) {
 					::rptMsg("File Reference: ".$s->get_name());
 					::rptMsg("LastWrite     : ".gmtime($s->get_timestamp())." Z");
 # update 20131213: based on trial and error, it appears that not all file
-# references will have all of the values, such as Path, or SHA-1					
+# references will have all of the values, such as Path, or SHA-1		
 					eval {
 						::rptMsg("Path          : ".$s->get_value("15")->get_data());
 					};
@ -72,6 +75,18 @@ sub pluginmain {
 						::rptMsg("Company Name  : ".$s->get_value("1")->get_data());
 					};
 					eval {
 						::rptMsg("Product Name  : ".$s->get_value("0")->get_data());
 					};
 					eval {
 						::rptMsg("File Descr    : ".$s->get_value("c")->get_data());
 					};
 					eval {
 						::rptMsg("Lang Code     : ".$s->get_value("3")->get_data());
 					};
 					eval {
 						::rptMsg("SHA-1         : ".$s->get_value("101")->get_data());
 					};
@ -79,21 +94,26 @@ sub pluginmain {
 					eval {
 						@t = unpack("VV",$s->get_value("11")->get_data());
 						$gt = gmtime(::getTime($t[0],$t[1]));
-						::rptMsg("Last Mod Time : ".$gt);
+						::rptMsg("Last Mod Time : ".$gt." Z");
 					};
 					eval {
 						@t = unpack("VV",$s->get_value("17")->get_data());
 						$gt = gmtime(::getTime($t[0],$t[1]));
 						::rptMsg("Last Mod Time2: ".$gt." Z");
 					};
 					eval {
 						@t = unpack("VV",$s->get_value("12")->get_data());
 						$gt = gmtime(::getTime($t[0],$t[1]));
-						::rptMsg("Create Time   : ".$gt);
+						::rptMsg("Create Time   : ".$gt." Z");
 					};
 					eval {
 						$gt = gmtime($s->get_value("f")->get_data());
 #						$gt = gmtime(unpack("V",$s->get_value("f")->get_data()));
-						::rptMsg("Compile Time  : ".$gt);
+						::rptMsg("Compile Time  : ".$gt." Z");
 					};
 					::rptMsg("");
 				}
 			}
--- a/thirdparty/rr-full/plugins/appcompatcache.pl
+++ b/thirdparty/rr-full/plugins/appcompatcache.pl
@ -2,6 +2,10 @@
 # appcompatcache.pl
 #
 # History:
 #  20160528 - updated code to not de-dup entries based on filename
 #  20160217 - updated to correctly support Win10
 #  20150611 - mod'd for Kevin Pagano
 #  20150429 - updated to support Win10
 #  20140724 - update based on data provided by Shafik Punja
 #  20130801 - added initial Win8 support; very alpha at the moment
 #  20130603 - updated alerts
@ -15,14 +19,16 @@
 #  20120418 - created
 #
 # References:
 #  https://binaryforay.blogspot.com/2016/05/appcompatcacheparser-v0900-released-and.html
 #  Blog post: https://blog.mandiant.com/archives/2459
 #  Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf
 #  Tool: https://github.com/mandiant/ShimCacheParser
 #  Win10: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
 #
 # This plugin is based solely on the work and examples provided by Mandiant;
 # thanks to them for sharing this information, and making the plugin possible.
 # 
-# copyright 2013 Quantum Analytics Research, LLC
+# copyright 2016 Quantum Analytics Research, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package appcompatcache;
@ -36,11 +42,11 @@ my %config = (hive          => "System",
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 31,  #XP - Win7
-              version       => 20140724);
+              version       => 20160528);
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Parse files from System hive Shim Cache";	
+	return "Parse files from System hive AppCompatCache";	
 }
 sub getDescr{}
 sub getRefs {}
@ -49,6 +55,7 @@ sub getVersion {return $config{version};}
 my $VERSION = getVersion();
 my %files;
 my $str = "";
 sub pluginmain {
 	my $class = shift;
@ -75,13 +82,18 @@ sub pluginmain {
 			eval {
 				$app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data();
 				::rptMsg($appcompat_path."\\AppCompatibility");
 			  ::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatibility")->get_timestamp())." Z");
 			};
 			eval {
 				$app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data();
 				::rptMsg($appcompat_path."\\AppCompatCache");
 			  ::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatCache")->get_timestamp())." Z");
 			};
 #			::rptMsg("Length of data: ".length($app_data));
 #			probe($app_data);
 			my $sig = unpack("V",substr($app_data,0,4));
 			::rptMsg(sprintf "Signature: 0x%x",$sig);
@ -102,31 +114,37 @@ sub pluginmain {
 			}
 			elsif ($sig == 0x80) {
-				::rptMsg("Possible Win8 system\.");
+#				::rptMsg("Possible Win8 system\.");
-				::rptMsg(sprintf "Data Length: 0x%08x",length($app_data));
+#				::rptMsg(sprintf "Data Length: 0x%08x",length($app_data));
 				appWin8($app_data);
 #				probe($app_data);
 			}
 			elsif ($sig == 0x30) {
 # Windows 10 system
 				appWin10($app_data);				
 			}
 			else {
 				::rptMsg(sprintf "Unknown signature: 0x%x",$sig);
 			}
 # this is where we print out the files
 			foreach my $f (keys %files) {
-				::rptMsg($f);
+#				::rptMsg($f);
-# Warnings and alerts, updated 20130603				
+				my $modtime = $files{$f}{modtime};
-#        alertCheckPath($f);
+				if ($modtime == 0) {
-#        alertCheckADS($f);
+					$modtime = "";
-#				::alertMsg("WARN: appcompatcache: use of cacls\.exe found: ".$f) if ($f =~ m/cacls\.exe$/);
+				}
 				else {
 					$modtime = gmtime($modtime)." Z";
 				}
-				::rptMsg("ModTime: ".gmtime($files{$f}{modtime})." Z");
+				$str = $files{$f}{filename}."  ".$modtime;
-				::rptMsg("UpdTime: ".gmtime($files{$f}{updtime})." Z") if (exists $files{$f}{updtime});
+				$str .= "  ".gmtime($files{$f}{updtime})." Z" if (exists $files{$f}{updtime});
-				::rptMsg("Size   : ".$files{$f}{size}." bytes") if (exists $files{$f}{size});
+				$str .= "  ".$files{$f}{size}." bytes" if (exists $files{$f}{size});
-				::rptMsg("Executed") if (exists $files{$f}{executed});
+				$str .= "  Executed" if (exists $files{$f}{executed});
-				::rptMsg("");
+				::rptMsg($str);
 			}
 		}
 		else {
 			::rptMsg($appcompat_path." not found.");
@ -160,9 +178,10 @@ sub appXP32Bit {
 		my ($up1,$up2)   = unpack("VV",substr($x,544,8));
 		my $updtime      = ::getTime($up1,$up2);
-		$files{$file}{size} = $sz;
+		$files{$i}{filename} = $file;
-		$files{$file}{modtime} = $modtime;
+		$files{$i}{size} = $sz;
-		$files{$file}{updtime} = $updtime;
+		$files{$i}{modtime} = $modtime;
 		$files{$i}{updtime} = $updtime;
 	}
 }
 #-----------------------------------------------------------
@ -196,13 +215,10 @@ sub appWin2k3 {
 			$file =~ s/\00//g;
 			$file =~ s/^\\\?\?\\//;
 			my $t = ::getTime($t0,$t1);
-#			::rptMsg($file);
+			$files{$i}{filename} = $file;
-#			::rptMsg("  LastMod: ".gmtime($t)." Z");
+			$files{$i}{modtime} = $t;
 #			::rptMsg("  [Executed]") if (($f0 < 4) && ($f0 & 0x2));
 #			::rptMsg("");
 			$files{$file}{modtime} = $t;
 #			$files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
-			$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
+			$files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
 		}
 		elsif ($struct_sz == 32) {
 			my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct);
@ -210,18 +226,13 @@ sub appWin2k3 {
 			$file =~ s/\00//g;
 			$file =~ s/^\\\?\?\\//;
 			my $t = ::getTime($t0,$t1);
-#			::rptMsg($file);
+			$files{$i}{filename} = $file;
-#			::rptMsg("  LastMod: ".gmtime($t)." Z");
+			$files{$i}{modtime} = $t;
-#			::rptMsg("  Size   : ".$f0) if (($f1 == 0) && ($f0 > 3));
+			$files{$i}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
-#			::rptMsg("  [Executed]") if (($f0 < 4) && ($f0 & 0x2));
+			$files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
 #			::rptMsg("");
 			$files{$file}{modtime} = $t;
 			$files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
 			$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
 		}
 		else {
- 			
+#
 		}
 	}
 }
@ -256,12 +267,9 @@ sub appWin7 {
 			$file =~ s/\00//g;
 			$file =~ s/^\\\?\?\\//;
 			my $t = ::getTime($t0,$t1);
-#			::rptMsg($file);
+ 			$files{$i}{filename} = $file;	
-#			::rptMsg("  LastModTime: ".gmtime($t)." Z");
+			$files{$i}{modtime} = $t;
-#			::rptMsg("  [Executed]") if ($f0 & 0x2);
+			$files{$i}{executed} = 1 if ($f0 & 0x2);
 #			::rptMsg("");		
 			$files{$file}{modtime} = $t;
 			$files{$file}{executed} = 1 if ($f0 & 0x2);
 		}
 		else {
 			my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct);
@ -269,12 +277,9 @@ sub appWin7 {
 			$file =~ s/\00//g;
 			$file =~ s/^\\\?\?\\//;
 			my $t = ::getTime($t0,$t1);
-#			::rptMsg($file);
+ 			$files{$i}{filename} = $file;	
-#			::rptMsg("  LastModTime: ".gmtime($t)." Z");
+			$files{$i}{modtime} = $t;
-#			::rptMsg("  [Executed]") if ($f0 & 0x2);
+			$files{$i}{executed} = 1 if ($f0 & 0x2);
 #			::rptMsg("");		
 			$files{$file}{modtime} = $t;
 			$files{$file}{executed} = 1 if ($f0 & 0x2);
 		}
 	}
 }
@ -286,7 +291,7 @@ sub appWin8 {
 	my $data = shift;
 	my $len = length($data);
 	my ($jmp, $t0, $t1, $sz, $name);
-	
+	my $ct = 0;
 	my $ofs = unpack("V",substr($data,0,4));
 	while($ofs < $len) {
@ -298,9 +303,9 @@ sub appWin8 {
 			$sz = unpack("v",substr($data,$ofs + 20,2));
 			$name = substr($data,$ofs + 22,$sz);
 			$name =~ s/\00//g;
-			
+			$files{$ct}{filename} = $name;
-			$files{$name}{modtime} = ::getTime($t0,$t1);
+			$files{$ct}{modtime} = ::getTime($t0,$t1);
-			
+			$ct++;
 			$ofs += ($jmp + 12);
 		}
 # 64-bit
@ -309,10 +314,10 @@ sub appWin8 {
 			$sz = unpack("v",substr($data,$ofs + 0x0C,2));
 			$name = substr($data,$ofs + 0x0E,$sz + 2);
 			$name =~ s/\00//g;
 			($t0,$t1) = unpack("VV",substr($data,($ofs + 0x0E + $sz +2 + 8),8));
-			$files{$name}{modtime} = ::getTime($t0,$t1);
+			$files{$ct}{filename} = $name;
-			
+			$files{$ct}{modtime} = ::getTime($t0,$t1);
 			$ct++;
 			$ofs += ($jmp + 12);
 		}		
 		else {
@ -320,7 +325,35 @@ sub appWin8 {
 		}			
 	}
 }
 #-----------------------------------------------------------
 # appWin10()
 # Ref: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
 #-----------------------------------------------------------
 sub appWin10 {
 	my $data = shift;
 	my $len = length($data);
 	my ($tag, $sz, $t0, $t1, $name, $name_len);
 	my $ct = 0;
 	my $ofs = 0x30;
 	while ($ofs < $len) {
 		$tag = substr($data,$ofs,4);
 		if ($tag eq "10ts") {
 			$sz = unpack("V",substr($data,$ofs + 0x08,4));
 			$name_len   = unpack("v",substr($data,$ofs + 0x0c,2));
 			my $name      = substr($data,$ofs + 0x0e,$name_len);
 			$name =~ s/\00//g;
 #			($t0,$t1) = unpack("VV",substr($data,$ofs + 0x03 + $name_len,8));
 			($t0,$t1) = unpack("VV",substr($data,$ofs + 0x0e + $name_len,8));
 			$files{$ct}{filename} = $name;
 			$files{$ct}{modtime} = ::getTime($t0,$t1);
 			$ct++;
 			$ofs += ($sz + 0x0c);
 		}
 	}
 }
 #-----------------------------------------------------------
@ -405,21 +438,6 @@ sub printData {
 		}
 		$display[$cnt] = sprintf("0x%08X  %-50s %s",$cnt,$lhs,$rhs);
 #		my @str1 = split(//,unpack("H*",$seg));
 #		my @s3;
 #		my $str = "";
 #		foreach my $i (0..($n - 1)) {
 #			$s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1];
 #			
 #			if (hex($s3[$i]) > 0x1f && hex($s3[$i]) < 0x7f) {
 #				$str .= chr(hex($s3[$i]));
 #			}
 #			else {
 #				$str .= "\.";
 #			}
 #		}
 #		my $h = join(' ',@s3);
 #		$display[$cnt] = sprintf "0x%08x: %-47s  ".$str,($cnt * 16),$h;
 	}
 	return @display;
 }
--- a/thirdparty/rr-full/plugins/appcompatcache_tln.pl
+++ b/thirdparty/rr-full/plugins/appcompatcache_tln.pl
@ -2,25 +2,33 @@
 # appcompatcache_tln.pl
 #
 # History:
-#  20130509 - added additional alert/warn checks
+#  20160528 - updated code to not de-dup entries based on filename
 #  20160217 - updated to correctly support Win10
 #  20150611 - mod'd for Kevin Pagano
 #  20150429 - updated to support Win10
 #  20140724 - update based on data provided by Shafik Punja
 #  20130801 - added initial Win8 support; very alpha at the moment
 #  20130603 - updated alerts
 #  20130509 - added additional alerts/warnings 
 #  20130425 - added alertMsg() functionality
-#  20120817 - updated to address extra data in XP data blocks
+#  20120817 - updated to address issue with residual data in XP data blocks
-#  20120722 - updated %config hash
+#  20120722 - updated the %config hash
 #  20120523 - created; updated from appcompatcache.pl
 #  20120523 - updated to send all files to a single hash, and check for temp paths
 #  20120515 - Updated to support 64-bit Win2003 and Vista/Win2008
 #  20120424 - Modified/updated 
 #  20120418 - created
 #
 # References:
 #  https://binaryforay.blogspot.com/2016/05/appcompatcacheparser-v0900-released-and.html
 #  Blog post: https://blog.mandiant.com/archives/2459
 #  Whitepaper: http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf
 #  Tool: https://github.com/mandiant/ShimCacheParser
 #  Win10: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
 #
 # This plugin is based solely on the work and examples provided by Mandiant;
 # thanks to them for sharing this information, and making the plugin possible.
 # 
-# copyright 2012 Quantum Analytics Research, LLC
+# copyright 2016 Quantum Analytics Research, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package appcompatcache_tln;
@ -34,11 +42,11 @@ my %config = (hive          => "System",
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 31,  #XP - Win7
-              version       => 20130509);
+              version       => 20160528);
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Parse files from System hive Shim Cache";	
+	return "Parse files from System hive AppCompatCache";	
 }
 sub getDescr{}
 sub getRefs {}
@ -47,11 +55,14 @@ sub getVersion {return $config{version};}
 my $VERSION = getVersion();
 my %files;
 my $str = "";
 sub pluginmain {
 	my $class = shift;
 	my $hive = shift;
 	::logMsg("Launching appcompatcache_tln v.".$VERSION);
 	::rptMsg("appcompatcache_tln v.".$VERSION); # banner
  ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner 
 	my $reg = Parse::Win32Registry->new($hive);
 	my $root_key = $reg->get_root_key;
 # First thing to do is get the ControlSet00x marked current...this is
@ -71,15 +82,20 @@ sub pluginmain {
 			eval {
 				$app_data = $appcompat->get_subkey("AppCompatibility")->get_value("AppCompatCache")->get_data();
 				::rptMsg($appcompat_path."\\AppCompatibility");
 			  ::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatibility")->get_timestamp())." Z");
 			};
 			eval {
 				$app_data = $appcompat->get_subkey("AppCompatCache")->get_value("AppCompatCache")->get_data();
 				::rptMsg($appcompat_path."\\AppCompatCache");
 			  ::rptMsg("LastWrite Time: ".gmtime($appcompat->get_subkey("AppCompatCache")->get_timestamp())." Z");
 			};
 #			::rptMsg("Length of data: ".length($app_data));
 #			probe($app_data);
 			my $sig = unpack("V",substr($app_data,0,4));
-#			::rptMsg(sprintf "Signature: 0x%x",$sig);
+			::rptMsg(sprintf "Signature: 0x%x",$sig);
 			if ($sig == 0xdeadbeef) {
 				eval {
@ -97,26 +113,32 @@ sub pluginmain {
 				};
 			}
 			elsif ($sig == 0x80) {
 #				::rptMsg("Possible Win8 system\.");
 #				::rptMsg(sprintf "Data Length: 0x%08x",length($app_data));
 				appWin8($app_data);
 #				probe($app_data);
 			}
 			elsif ($sig == 0x30) {
 # Windows 10 system
 				appWin10($app_data);				
 			}
 			else {
-				::rptMsg("Unknown signature");
+				::rptMsg(sprintf "Unknown signature: 0x%x",$sig);
 			}
 # this is where we print out the files
 			foreach my $f (keys %files) {
 				my $str;
 				if (exists $files{$f}{executed}) {
-					$str = "M... [Program Execution] AppCompatCache - ".$f;
+					$str = "M... [Program Execution] AppCompatCache - ".$files{$f}{filename};
 				}
 				else {
-					$str = "M... AppCompatCache - ".$f;
+					$str = "M... AppCompatCache - ".$files{$f}{filename};
 				}
 				$str .= " [Size = ".$files{$f}{size}." bytes]" if (exists $files{$f}{size});
-#				$str .= " [Executed]" if (exists $files{$f}{executed}); 
+				$str .= " [Executed]" if (exists $files{$f}{executed}); 
 				::rptMsg($files{$f}{modtime}."|REG|||".$str);
 # added 20130603				
 				alertCheckPathTLN($f,$files{$f}{modtime});
 				alertCheckADSTLN($f,$files{$f}{modtime});
 				::alertMsg($files{$f}{modtime}."|WARN|||Use of calcs\.exe. appcompatcache_tln: ".$f) if ($f =~ m/cacls\.exe$/);
 			}
 		}
 		else {
@ -151,14 +173,10 @@ sub appXP32Bit {
 		my ($up1,$up2)   = unpack("VV",substr($x,544,8));
 		my $updtime      = ::getTime($up1,$up2);
-#		::rptMsg($file);
+		$files{$i}{filename} = $file;
-#		::rptMsg("Size   : ".$sz." bytes");
+		$files{$i}{size} = $sz;
-#		::rptMsg("ModTime: ".gmtime($modtime)." Z");
+		$files{$i}{modtime} = $modtime;
-#		::rptMsg("UpdTime: ".gmtime($updtime)." Z");
+		$files{$i}{updtime} = $updtime;
 #		::rptMsg("");
 		$files{$file}{size} = $sz;
 		$files{$file}{modtime} = $modtime;
 		$files{$file}{updtime} = $updtime;
 	}
 }
 #-----------------------------------------------------------
@ -192,12 +210,10 @@ sub appWin2k3 {
 			$file =~ s/\00//g;
 			$file =~ s/^\\\?\?\\//;
 			my $t = ::getTime($t0,$t1);
-#			::rptMsg($file);
+			$files{$i}{filename} = $file;
-#			::rptMsg("  LastMod: ".gmtime($t)." Z");
+			$files{$i}{modtime} = $t;
-#			::rptMsg("  [Executed]") if (($f0 < 4) && ($f0 & 0x2));
+#			$files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
-#			::rptMsg("");
+			$files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
 			$files{$file}{modtime} = $t;
 			$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
 		}
 		elsif ($struct_sz == 32) {
 			my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvVVVVVVV",$struct);
@ -205,18 +221,13 @@ sub appWin2k3 {
 			$file =~ s/\00//g;
 			$file =~ s/^\\\?\?\\//;
 			my $t = ::getTime($t0,$t1);
-#			::rptMsg($file);
+			$files{$i}{filename} = $file;
-#			::rptMsg("  LastMod: ".gmtime($t)." Z");
+			$files{$i}{modtime} = $t;
-#			::rptMsg("  Size   : ".$f0) if (($f1 == 0) && ($f0 > 3));
+			$files{$i}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
-#			::rptMsg("  [Executed]") if (($f0 < 4) && ($f0 & 0x2));
+			$files{$i}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
 #			::rptMsg("");
 			$files{$file}{modtime} = $t;
 			$files{$file}{size} = $f0 if (($f1 == 0) && ($f0 > 3));
 			$files{$file}{executed} = 1 if (($f0 < 4) && ($f0 & 0x2));
 		}
 		else {
- 			
+#
 		}
 	}
 }
@ -251,12 +262,9 @@ sub appWin7 {
 			$file =~ s/\00//g;
 			$file =~ s/^\\\?\?\\//;
 			my $t = ::getTime($t0,$t1);
-#			::rptMsg($file);
+ 			$files{$i}{filename} = $file;	
-#			::rptMsg("  LastModTime: ".gmtime($t)." Z");
+			$files{$i}{modtime} = $t;
-#			::rptMsg("  [Executed]") if ($f0 & 0x2);
+			$files{$i}{executed} = 1 if ($f0 & 0x2);
 #			::rptMsg("");		
 			$files{$file}{modtime} = $t;
 			$files{$file}{executed} = 1 if ($f0 & 0x2);
 		}
 		else {
 			my ($len,$max_len,$padding,$ofs0,$ofs1,$t0,$t1,$f0,$f1) = unpack("vvV7x16",$struct);
@ -264,12 +272,81 @@ sub appWin7 {
 			$file =~ s/\00//g;
 			$file =~ s/^\\\?\?\\//;
 			my $t = ::getTime($t0,$t1);
-#			::rptMsg($file);
+ 			$files{$i}{filename} = $file;	
-#			::rptMsg("  LastModTime: ".gmtime($t)." Z");
+			$files{$i}{modtime} = $t;
-#			::rptMsg("  [Executed]") if ($f0 & 0x2);
+			$files{$i}{executed} = 1 if ($f0 & 0x2);
-#			::rptMsg("");		
+		}
-			$files{$file}{modtime} = $t;
+	}
-			$files{$file}{executed} = 1 if ($f0 & 0x2);
+}
 #-----------------------------------------------------------
 # appWin8()
 #-----------------------------------------------------------
 sub appWin8 {
 	my $data = shift;
 	my $len = length($data);
 	my ($jmp, $t0, $t1, $sz, $name);
 	my $ct = 0;
 	my $ofs = unpack("V",substr($data,0,4));
 	while($ofs < $len) {
 		my $tag = unpack("V",substr($data,$ofs,4));
 # 32-bit		
 		if ($tag == 0x73746f72) {
 			$jmp = unpack("V",substr($data,$ofs + 8,4));
 			($t0,$t1) = unpack("VV",substr($data,$ofs + 12,8));
 			$sz = unpack("v",substr($data,$ofs + 20,2));
 			$name = substr($data,$ofs + 22,$sz);
 			$name =~ s/\00//g;
 			$files{$ct}{filename} = $name;
 			$files{$ct}{modtime} = ::getTime($t0,$t1);
 			$ct++;
 			$ofs += ($jmp + 12);
 		}
 # 64-bit
 		elsif ($tag == 0x73743030 || $tag == 0x73743031) {
 			$jmp = unpack("V",substr($data,$ofs + 8,4));
 			$sz = unpack("v",substr($data,$ofs + 0x0C,2));
 			$name = substr($data,$ofs + 0x0E,$sz + 2);
 			$name =~ s/\00//g;
 			($t0,$t1) = unpack("VV",substr($data,($ofs + 0x0E + $sz +2 + 8),8));
 			$files{$ct}{filename} = $name;
 			$files{$ct}{modtime} = ::getTime($t0,$t1);
 			$ct++;
 			$ofs += ($jmp + 12);
 		}		
 		else {
 # Unknown tag
 		}			
 	}
 }
 #-----------------------------------------------------------
 # appWin10()
 # Ref: http://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
 #-----------------------------------------------------------
 sub appWin10 {
 	my $data = shift;
 	my $len = length($data);
 	my ($tag, $sz, $t0, $t1, $name, $name_len);
 	my $ct = 0;
 	my $ofs = 0x30;
 	while ($ofs < $len) {
 		$tag = substr($data,$ofs,4);
 		if ($tag eq "10ts") {
 			$sz = unpack("V",substr($data,$ofs + 0x08,4));
 			$name_len   = unpack("v",substr($data,$ofs + 0x0c,2));
 			my $name      = substr($data,$ofs + 0x0e,$name_len);
 			$name =~ s/\00//g;
 #			($t0,$t1) = unpack("VV",substr($data,$ofs + 0x03 + $name_len,8));
 			($t0,$t1) = unpack("VV",substr($data,$ofs + 0x0e + $name_len,8));
 			$files{$ct}{filename} = $name;
 			$files{$ct}{modtime} = ::getTime($t0,$t1);
 			$ct++;
 			$ofs += ($sz + 0x0c);
 		}
 	}
 }
@ -277,16 +354,15 @@ sub appWin7 {
 #-----------------------------------------------------------
 # alertCheckPath()
 #-----------------------------------------------------------
-sub alertCheckPathTLN {
+sub alertCheckPath {
 	my $path = shift;
 	my $tln  = shift;
 	$path = lc($path);
 	my @alerts = ("recycle","globalroot","temp","system volume information","appdata",
 	              "application data");
 	foreach my $a (@alerts) {
 		if (grep(/$a/,$path)) {
-			::alertMsg($tln."|ALERT|||appcompatcache_tln: ".$a." found in path: ".$path);              
+			::alertMsg("ALERT: appcompatcache: ".$a." found in path: ".$path);              
 		}
 	}
 }
@ -294,11 +370,70 @@ sub alertCheckPathTLN {
 #-----------------------------------------------------------
 # alertCheckADS()
 #-----------------------------------------------------------
-sub alertCheckADSTLN {
+sub alertCheckADS {
 	my $path = shift;
 	my $tln  = shift;
 	my @list = split(/\\/,$path);
 	my $last = $list[scalar(@list) - 1];
-	::alertMsg($tln."|ALERT|||appcompatcache_tln: Poss. ADS found in path: ".$path) if grep(/:/,$last);
+	::alertMsg("ALERT: appcompatcache: Poss. ADS found in path: ".$path) if grep(/:/,$last);
 }
-1;
+
 #-----------------------------------------------------------
 # probe()
 #
 # Code the uses printData() to insert a 'probe' into a specific
 # location and display the data
 #
 # Input: binary data of arbitrary length
 # Output: Nothing, no return value.  Displays data to the console
 #-----------------------------------------------------------
 sub probe {
 	my $data = shift;
 	my @d = printData($data);
 	foreach (0..(scalar(@d) - 1)) {
 		print $d[$_]."\n";
 	}
 }
 #-----------------------------------------------------------
 # printData()
 # subroutine used primarily for debugging; takes an arbitrary
 # length of binary data, prints it out in hex editor-style
 # format for easy debugging
 #-----------------------------------------------------------
 sub printData {
 	my $data = shift;
 	my $len = length($data);
 	my @display = ();
 	my $loop = $len/16;
 	$loop++ if ($len%16);
 	foreach my $cnt (0..($loop - 1)) {
 # How much is left?
 		my $left = $len - ($cnt * 16);
 		my $n;
 		($left < 16) ? ($n = $left) : ($n = 16);
 		my $seg = substr($data,$cnt * 16,$n);
 		my $lhs = "";
 		my $rhs = "";
 		foreach my $i ($seg =~ m/./gs) {
 # This loop is to process each character at a time.
 			$lhs .= sprintf(" %02X",ord($i));
 			if ($i =~ m/[ -~]/) {
 				$rhs .= $i;
    	}
    	else {
 				$rhs .= ".";
     	}
 		}
 		$display[$cnt] = sprintf("0x%08X  %-50s %s",$cnt,$lhs,$rhs);
 	}
 	return @display;
 }
 1;
--- a/thirdparty/rr-full/plugins/appcompatflags.pl
+++ b/thirdparty/rr-full/plugins/appcompatflags.pl
@ -76,8 +76,6 @@ sub pluginmain {
 	             "Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers",
 	             "Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers");
 	foreach my $key_path (@paths) {
 	# If AppCompatFlags path exists #
 		if ($key = $root_key->get_subkey($key_path)) {
@ -169,6 +167,60 @@ sub pluginmain {
 #			::rptMsg($key_path." not found\.");
 		}
 	}	
 # Added check for use of AppCompat DB for persistence
 # 21051021, H. Carvey	
 	my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom";
 	if ($key = $root_key->get_subkey($key_path)){
 		my @subkeys = $key->get_list_of_subkeys($key);
 		if (scalar @subkeys > 0) {
 			foreach my $sk (@subkeys) {
 				::rptMsg("Key name: ".$sk->get_name());
 				::rptMsg("LastWrite time: ".gmtime($sk->get_timestamp()));
 				my @vals = $sk->get_list_of_values();
 				if (scalar @vals > 0) {
 					foreach my $v (@vals) {
 						my $name = $v->get_name();
 						my ($t0,$t1) = unpack("VV",$v->get_data());
 						my $l = ::getTime($t0,$t1);
 						my $ts   = gmtime($l);
 						::rptMsg("  ".$name."  ".$ts);
 					}
 				}
 				::rptMsg("");
 			}
 		}
 	}
 	$key_path = "Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB";
 	if ($key = $root_key->get_subkey($key_path)) {
 		my @subkeys = $key->get_list_of_subkeys($key);
 		if (scalar @subkeys > 0) {
 			foreach my $sk (@subkeys) {
 				my($path, $descr, $ts);
 				eval {
 					$descr = $sk->get_value("DatabaseDescription")->get_data();
 					::rptMsg("Description: ".$descr);
 				};
 				eval {
 					$path = $sk->get_value("DatabasePath")->get_data();
 					::rptMsg("  Path: ".$path);
 				};
 				eval {
 					my ($t0,$t1) = unpack("VV",$sk->get_value("DatabaseInstallTimeStamp")->get_data());
 					my $l = ::getTime($t0,$t1);
 					$ts = gmtime($l);
 					::rptMsg("  Install TimeStamp: ".$ts);
 				};
 				::rptMsg("");
 			}
 		}
 	}
 }
 1;
--- a/thirdparty/rr-full/plugins/arpcache.pl
+++ b/thirdparty/rr-full/plugins/arpcache.pl
@ -130,6 +130,6 @@ sub parsePath {
 			}
 		}
 	}	
-	$str =~ s/\00//g;
+	$str =~ s/\x00//g;
 	return $str;
 }
--- a/thirdparty/rr-full/plugins/auditpol.pl
+++ b/thirdparty/rr-full/plugins/auditpol.pl
@ -1,14 +1,19 @@
 #-----------------------------------------------------------
 # auditpol
-# Get the audit policy from the Security hive file
+# Get the audit policy from the Security hive file (Win7+)
-# 
+# *Works for Win7 and Win10 at the moment
 #
 # History
-#   20121128 - updated for later versions of Windows
+#   20151202 - created
 #   20080327 - created
 #
 # Ref:
 #   http://www.kazamiya.net/structure/poladtev
 #   http://www.kazamiya.net/en/poladtev
 #   http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
 #
-# copyright 2012 Quantum Analytics Research, LLC
+# Equiv: auditpol /get /category:*
 #
 # copyright 2015 Quantum Analytics Research, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package auditpol;
@ -17,20 +22,16 @@ use strict;
 my %config = (hive          => "Security",
              hasShortDescr => 1,
              hasDescr      => 0,
-              hasRefs       => 1,
+              hasRefs       => 0,
              osmask        => 22,
-              version       => 20121128);
+              version       => 20151202);
 sub getConfig{return %config}
 sub getShortDescr {
 	return "Get audit policy from the Security hive file";	
 }
 sub getDescr{}
-sub getRefs {
+sub getRefs {}
 	my %refs = ("How To Determine Audit Policies from the Registry" => 
 	            "http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120");
 	return %refs;	
 }
 sub getHive {return $config{hive};}
 sub getVersion {return $config{version};}
@ -46,7 +47,7 @@ sub pluginmain {
 	my $hive = shift;
 	::logMsg("Launching auditpol v.".$VERSION);
 	::rptMsg("auditpol v.".$VERSION); # banner
-    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
+  ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
 	my $reg = Parse::Win32Registry->new($hive);
 	my $root_key = $reg->get_root_key;
@ -59,53 +60,169 @@ sub pluginmain {
 		::rptMsg("");
 		my $data;
 		my @policy;
 		eval {
 			$data = $key->get_value("")->get_data();
-			::rptMsg("Length of data: ".length($data)." bytes.");
+#			::rptMsg("Length of data: ".length($data)." bytes.");
 			my $id = unpack("v",substr($data,8,2));
 #			::rptMsg(sprintf "Offset value is: 0x%x",$id);
-			my @d = printData($data);
+			if (length($data) == 148 && $id == 0x82) {
-			foreach (0..(scalar(@d) - 1)) {
+				@policy = processWin10($data)
 				::rptMsg($d[$_]);
 			}
-			
+			elsif (length($data) == 138 && $id == 0x78) {
-		};
+				@policy = processWin7($data);
 		if ($@) {
 			::rptMsg("Error occurred getting data from ".$key_path);
 			::rptMsg(" - ".$@);
 		}
 		else {
 # Check to see if auditing is enabled
 			my $enabled = unpack("C",substr($data,0,1));
 			if ($enabled) {
 				::rptMsg("Auditing is enabled.");
 # Get audit configuration settings			
 				my @vals = unpack("V*",$data);
 				::rptMsg("\tAudit System Events        = ".$audit{$vals[1]});
 				::rptMsg("\tAudit Logon Events         = ".$audit{$vals[2]});
 				::rptMsg("\tAudit Object Access        = ".$audit{$vals[3]});
 				::rptMsg("\tAudit Privilege Use        = ".$audit{$vals[4]});
 				::rptMsg("\tAudit Process Tracking     = ".$audit{$vals[5]});
 				::rptMsg("\tAudit Policy Change        = ".$audit{$vals[6]});
 				::rptMsg("\tAudit Account Management   = ".$audit{$vals[7]});
 				::rptMsg("\tAudit Dir Service Access   = ".$audit{$vals[8]});
 				::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]});
 			}
 			else {
-				::rptMsg("**Auditing is NOT enabled.");
+				my @d = printData($data);
 				foreach (0..(scalar(@d) - 1)) {
 					::rptMsg($d[$_]);
 				}
 			}
-		}
+			
 			foreach (0..((scalar @policy) - 1)) {
 				my ($aud,$pol) = split(/;/,$policy[$_],2);
 				::rptMsg(sprintf "%-50s %-5s",$aud,$audit{$pol});
 			} 
 		};
 	}
 	else {
 		::rptMsg($key_path." not found.");
 	}
 }
 sub processWin10 {
 	my $data = shift;
 	my @win = ("System:Security State Change;".unpack("v",substr($data,0x0c,2)),
 	             "System:Security System Extension;".unpack("v",substr($data,0x0e,2)),
 	             "System:System Integrity;".unpack("v",substr($data,0x10,2)),
 	             "System:IPsec Driver;".unpack("v",substr($data,0x12,2)),
 	             "System:Other System Events;".unpack("v",substr($data,0x14,2)),
 	             "Logon/Logoff:Logon;".unpack("v",substr($data,0x16,2)),
 	             "Logon/Logoff:Logoff;".unpack("v",substr($data,0x18,2)),
 	             "Logon/Logoff:Account Lockout;".unpack("v",substr($data,0x1a,2)),
 	             "Logon/Logoff:IPsec Main Mode;".unpack("v",substr($data,0x1c,2)),
 	             "Logon/Logoff:IPsec Quick Mode;".unpack("v",substr($data,0x1e,2)),
 	             "Logon/Logoff:IPsec Extended Mode;".unpack("v",substr($data,0x20,2)),
 	             "Logon/Logoff:Special Logon;".unpack("v",substr($data,0x22,2)),
 	             "Logon/Logoff:Other Logon/Logoff Events;".unpack("v",substr($data,0x24,2)),
 	             "Logon/Logoff:Network Policy Server;".unpack("v",substr($data,0x26,2)),
 	             "Logon/Logoff:User Device Claims;".unpack("v",substr($data,0x28,2)),
 	             "Logon/Logoff:Group Membership;".unpack("v",substr($data,0x2a,2)),
 	             "Object Access:File System;".unpack("v",substr($data,0x2c,2)),
 	             "Object Access:Registry;".unpack("v",substr($data,0x2e,2)),
 	             "Object Access:Kernel Object;".unpack("v",substr($data,0x30,2)),
 	             "Object Access:SAM;".unpack("v",substr($data,0x32,2)),
 	             "Object Access:Certification Services;".unpack("v",substr($data,0x34,2)),
 	             "Object Access:Application Generated;".unpack("v",substr($data,0x36,2)),
 	             "Object Access:Handle Manipulation;".unpack("v",substr($data,0x38,2)),
 	             "Object Access:File Share;".unpack("v",substr($data,0x3a,2)),
 	             "Object Access:Filtering Platform Packet Drop;".unpack("v",substr($data,0x3c,2)),
 	             "Object Access:Filtering Platform Connection;".unpack("v",substr($data,0x3e,2)),
 	             "Object Access:Other Object Access Events;".unpack("v",substr($data,0x40,2)),
 	             "Object Access:Detailed File Share;".unpack("v",substr($data,0x42,2)),
 	             "Object Access:Removable Storage;".unpack("v",substr($data,0x44,2)),
 	             "Object Access:Central Policy Staging;".unpack("v",substr($data,0x46,2)),
 	             "Privilege Use:Sensitive Privilege Use;".unpack("v",substr($data,0x48,2)),
 	             "Privilege Use:Non Sensitive Privilege Use;".unpack("v",substr($data,0x4a,2)),
 	             "Privilege Use:Other Privilege Use Events;".unpack("v",substr($data,0x4c,2)),
 	             "Detailed Tracking:Process Creation;".unpack("v",substr($data,0x4e,2)),
 	             "Detailed Tracking:Process Termination;".unpack("v",substr($data,0x50,2)),
 	             "Detailed Tracking:DPAPI Activity;".unpack("v",substr($data,0x52,2)),
 	             "Detailed Tracking:RPC Events;".unpack("v",substr($data,0x54,2)),
 	             "Detailed Tracking:Plug and Play Events;".unpack("v",substr($data,0x56,2)),
 	             "Policy Change:Audit Policy Change;".unpack("v",substr($data,0x58,2)),
 	             "Policy Change:Authentication Policy Change;".unpack("v",substr($data,0x5a,2)),
 	             "Policy Change:Authorization Policy Change;".unpack("v",substr($data,0x5c,2)),
 	             "Policy Change:MPSSVC Rule-Level Policy Change;".unpack("v",substr($data,0x5e,2)),
 	             "Policy Change:Filtering Platform Policy Change;".unpack("v",substr($data,0x60,2)),
 	             "Policy Change:Other Policy Change Events;".unpack("v",substr($data,0x62,2)),
 	             "Account Management:User Account Management;".unpack("v",substr($data,0x64,2)),
 	             "Account Management:Computer Account Management;".unpack("v",substr($data,0x66,2)),
 	             "Account Management:Security Group Management;".unpack("v",substr($data,0x68,2)),
 	             "Account Management:Distribution Group Management;".unpack("v",substr($data,0x6a,2)),
 	             "Account Management:Application Group Management;".unpack("v",substr($data,0x6c,2)),
 	             "Account Management:Other Account Management Events;".unpack("v",substr($data,0x6e,2)),
 	             "DS Access:Directory Service Access;".unpack("v",substr($data,0x70,2)),
 	             "DS Access:Directory Service Changes;".unpack("v",substr($data,0x72,2)),
 	             "DS Access:Directory Service Replication;".unpack("v",substr($data,0x74,2)),
 	             "DS Access:Detailed Directory Service Replication;".unpack("v",substr($data,0x76,2)),
 	             "Account Logon:Credential Validation;".unpack("v",substr($data,0x78,2)),
 	             "Account Logon:Kerberos Service Ticket Operations;".unpack("v",substr($data,0x7a,2)),
 	             "Account Logon:Other Account Logon Events;".unpack("v",substr($data,0x7c,2)),
 	             "Account Logon:Kerberos Authentication Service;".unpack("v",substr($data,0x7e,2)));
 	return @win;
 }
 sub processWin7 {
 	my $data = shift;
 	my @win = ("System:Security State Change;".unpack("v",substr($data,0x0c,2)),
 	             "System:Security System Extension;".unpack("v",substr($data,0x0e,2)),
 	             "System:System Integrity;".unpack("v",substr($data,0x10,2)),
 	             "System:IPsec Driver;".unpack("v",substr($data,0x12,2)),
 	             "System:Other System Events;".unpack("v",substr($data,0x14,2)),
 	             "Logon/Logoff:Logon;".unpack("v",substr($data,0x16,2)),
 	             "Logon/Logoff:Logoff;".unpack("v",substr($data,0x18,2)),
 	             "Logon/Logoff:Account Lockout;".unpack("v",substr($data,0x1a,2)),
 	             "Logon/Logoff:IPsec Main Mode;".unpack("v",substr($data,0x1c,2)),
 	             "Logon/Logoff:IPsec Quick Mode;".unpack("v",substr($data,0x1e,2)),
 	             "Logon/Logoff:IPsec Extended Mode;".unpack("v",substr($data,0x20,2)),
 	             "Logon/Logoff:Special Logon;".unpack("v",substr($data,0x22,2)),
 	             "Logon/Logoff:Other Logon/Logoff Events;".unpack("v",substr($data,0x24,2)),
 	             "Logon/Logoff:Network Policy Server;".unpack("v",substr($data,0x26,2)),
 	             "Object Access:File System;".unpack("v",substr($data,0x28,2)),
 	             "Object Access:Registry;".unpack("v",substr($data,0x2a,2)),
 	             "Object Access:Kernel Object;".unpack("v",substr($data,0x2c,2)),
 	             "Object Access:SAM;".unpack("v",substr($data,0x2e,2)),
 	             "Object Access:Other Object Access Events;".unpack("v",substr($data,0x30,2)),
 	             "Object Access:Certification Services;".unpack("v",substr($data,0x32,2)),
 	             "Object Access:Application Generated;".unpack("v",substr($data,0x34,2)),
 	             "Object Access:Handle Manipulation;".unpack("v",substr($data,0x36,2)),
 	             "Object Access:File Share;".unpack("v",substr($data,0x38,2)),
 	             "Object Access:Filtering Platform Packet Drop;".unpack("v",substr($data,0x3a,2)),
 	             "Object Access:Filtering Platform Connection;".unpack("v",substr($data,0x3c,2)),
 	             "Object Access:Detailed File Share;".unpack("v",substr($data,0x3e,2)),
 	             "Privilege Use:Sensitive Privilege Use;".unpack("v",substr($data,0x40,2)),
 	             "Privilege Use:Non Sensitive Privilege Use;".unpack("v",substr($data,0x42,2)),
 	             "Privilege Use:Other Privilege Use Events;".unpack("v",substr($data,0x44,2)),
 	             "Detailed Tracking:Process Creation;".unpack("v",substr($data,0x46,2)),
 	             "Detailed Tracking:Process Termination;".unpack("v",substr($data,0x48,2)),
 	             "Detailed Tracking:DPAPI Activity;".unpack("v",substr($data,0x4a,2)),
 	             "Detailed Tracking:RPC Events;".unpack("v",substr($data,0x4c,2)),
 	             "Policy Change:Audit Policy Change;".unpack("v",substr($data,0x4e,2)),
 	             "Policy Change:Authentication Policy Change;".unpack("v",substr($data,0x50,2)),
 	             "Policy Change:Authorization Policy Change;".unpack("v",substr($data,0x52,2)),
 	             "Policy Change:MPSSVC Rule-Level Policy Change;".unpack("v",substr($data,0x54,2)),
 	             "Policy Change:Filtering Platform Policy Change;".unpack("v",substr($data,0x56,2)),
 	             "Policy Change:Other Policy Change Events;".unpack("v",substr($data,0x58,2)),
 	             "Account Management:User Account Management;".unpack("v",substr($data,0x5a,2)),
 	             "Account Management:Computer Account Management;".unpack("v",substr($data,0x5c,2)),
 	             "Account Management:Security Group Management;".unpack("v",substr($data,0x5e,2)),
 	             "Account Management:Distribution Group Management;".unpack("v",substr($data,0x60,2)),
 	             "Account Management:Application Group Management;".unpack("v",substr($data,0x62,2)),
 	             "Account Management:Other Account Management Events;".unpack("v",substr($data,0x64,2)),
 	             "DS Access:Directory Service Access;".unpack("v",substr($data,0x66,2)),
 	             "DS Access:Directory Service Changes;".unpack("v",substr($data,0x68,2)),
 	             "DS Access:Directory Service Replication;".unpack("v",substr($data,0x6a,2)),
 	             "DS Access:Detailed Directory Service Replication;".unpack("v",substr($data,0x6c,2)),
 	             "Account Logon:Credential Validation;".unpack("v",substr($data,0x6e,2)),
 	             "Account Logon:Kerberos Service Ticket Operations;".unpack("v",substr($data,0x70,2)),
 	             "Account Logon:Other Account Logon Events;".unpack("v",substr($data,0x72,2)),
 	             "Account Logon:Kerberos Authentication Service;".unpack("v",substr($data,0x74,2)));	           
 	return @win;
 }
 #-----------------------------------------------------------
 # printData()
 # subroutine used primarily for debugging; takes an arbitrary
 # length of binary data, prints it out in hex editor-style
 # format for easy debugging
 #
 # my @d = printData($data);
 #	foreach (0..(scalar(@d) - 1)) {
 #		::rptMsg($d[$_]);
 #	}
 #-----------------------------------------------------------
 sub printData {
 	my $data = shift;
--- a/thirdparty/rr-full/plugins/banner.pl
+++ b/thirdparty/rr-full/plugins/banner.pl
@ -83,8 +83,7 @@ sub pluginmain {
 		::logMsg($key_path." not found.");
 	}
-my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
+	$key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -126,4 +125,4 @@ my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/brisv.pl
+++ b/thirdparty/rr-full/plugins/brisv.pl
@ -29,7 +29,7 @@ my %config = (hive          => "NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Detect artifacts of a Troj\.Brisv\.A infection";	
+	return "Detect artifacts of a Troj.Brisv.A infection";	
 }
 sub getDescr{}
 sub getRefs {}
@ -67,4 +67,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/bthport.pl
+++ b/thirdparty/rr-full/plugins/bthport.pl
@ -6,10 +6,11 @@
 # 
 # Change history
 #   20130115 - created
 #   20170129 - added support for http://www.hexacorn.com/blog/2017/01/29/beyond-good-ol-run-key-part-59/
 #
 # Category:
 # 
-# copyright 2013 Quantum Analytics Research, LLC
+# copyright 2017 Quantum Analytics Research, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package bthport;
@ -20,7 +21,7 @@ my %config = (hive          => "System",
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
-              version       => 20130115);
+              version       => 20170129);
 sub getConfig{return %config}
 sub getShortDescr {
@ -38,7 +39,7 @@ sub pluginmain {
 	my $hive = shift;
 	::logMsg("Launching bthport v.".$VERSION);
 	::rptMsg("bthport v.".$VERSION); # banner
-::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner 
+  ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner 
 	my $reg = Parse::Win32Registry->new($hive);
 	my $root_key = $reg->get_root_key;
 # First thing to do is get the ControlSet00x marked current...this is
@ -91,11 +92,25 @@ sub pluginmain {
 		else {
 			::rptMsg($cn_path." not found.");
 		}
 		my $rs_path = $ccs."\\services\\BTHPORT\\Parameters\\Radio Support";
 		my $rs;
 		if ($rs = $root_key->get_subkey($rs_path)) {
 			::rptMsg($rs_path);
 			::rptMsg("LastWrite: ".gmtime($rs->get_timestamp())." UTC");
 			eval {
 				my $spt = $rs->get_value("SupportDLL")->get_data();
 				::rptMsg("SupportDLL = ".$spt);
 			};
 		}
 		else {
 			::rptMsg($rs_path." not found.");
 		}
 	}
 	else {
 		::rptMsg($key_path." not found.");
 	}
 }
 1;
--- a/thirdparty/rr-full/plugins/clampi.pl
+++ b/thirdparty/rr-full/plugins/clampi.pl
@ -26,7 +26,7 @@ my %config = (hive          => "NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "TEST - Checks for keys set by Trojan\.Clampi PROT module";	
+	return "TEST - Checks for keys set by Trojan.Clampi PROT module";	
 }
 sub getDescr{}
 sub getRefs {}
@ -77,8 +77,7 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 	::rptMsg("");
-	my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete";
+	$key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -94,8 +93,7 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 	::rptMsg("");
-	my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts";
+	$key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -119,4 +117,4 @@ sub pluginmain {
 		::rptMsg("PROT module.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/cmd_shell_u.pl
+++ b/thirdparty/rr-full/plugins/cmd_shell_u.pl
@ -23,7 +23,7 @@ my %config = (hive          => "USRCLASS\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Gets shell open cmds for various file types from USRCLASS\.DAT";	
+	return "Gets shell open cmds for various file types from USRCLASS.DAT";	
 }
 sub getDescr{}
 sub getRefs {}
@ -64,4 +64,4 @@ sub pluginmain {
 	}
 	::rptMsg("");
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/cmdproc.pl
+++ b/thirdparty/rr-full/plugins/cmdproc.pl
@ -26,7 +26,7 @@ my %config = (hive          => "NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive";	
+	return "Autostart - get Command Processor\\AutoRun value from NTUSER.DAT hive";	
 }
 sub getDescr{}
 sub getRefs {}
@ -64,4 +64,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/cmdproc_tln.pl
+++ b/thirdparty/rr-full/plugins/cmdproc_tln.pl
@ -25,7 +25,7 @@ my %config = (hive          => "NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Autostart - get Command Processor\\AutoRun value from NTUSER\.DAT hive (TLN)";	
+	return "Autostart - get Command Processor\\AutoRun value from NTUSER.DAT hive (TLN)";	
 }
 sub getDescr{}
 sub getRefs {}
@ -64,4 +64,4 @@ sub pluginmain {
 #		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/comdlg32.pl
+++ b/thirdparty/rr-full/plugins/comdlg32.pl
@ -128,9 +128,9 @@ sub parseLastVisitedMRU {
 			@mrulist = split(//,$lvmru{MRUList});
 			delete($lvmru{MRUList});
 			foreach my $m (@mrulist) {
-				my ($file,$dir) = split(/\00\00/,$lvmru{$m},2);
+				my ($file,$dir) = split(/\x00\x00/,$lvmru{$m},2);
-				$file =~ s/\00//g;
+				$file =~ s/\x00//g;
-				$dir  =~ s/\00//g;
+				$dir  =~ s/\x00//g;
 				::rptMsg("  ".$m." -> EXE: ".$file);
 				::rptMsg("    -> Last Dir: ".$dir);
 			}
@ -213,8 +213,8 @@ sub parseCIDSizeMRU {
 			delete $mru{0xffffffff};	
 			foreach my $m (sort {$a <=> $b} keys %mru) {
 #				my $file = parseStr($mru{$m});
-				my $file = (split(/\00\00/,$mru{$m},2))[0];
+				my $file = (split(/\x00\x00/,$mru{$m},2))[0];
-				$file =~ s/\00//g;
+				$file =~ s/\x00//g;
 				::rptMsg("  ".$file);
 			}
 		}
@ -251,18 +251,18 @@ sub parseFirstFolder {
 			delete $mru{0xffffffff};	
 			foreach my $m (sort {$a <=> $b} keys %mru) {
 #				my $file = parseStr($mru{$m});
-				my @files = split(/\00\00/,$mru{$m});
+				my @files = split(/\x00\x00/,$mru{$m});
 				if (scalar(@files) == 0) {
 					::rptMsg("  No files listed.");
 				}
 				elsif (scalar(@files) == 1) {
-					$files[0] =~ s/\00//g;
+					$files[0] =~ s/\x00//g;
 					::rptMsg("  ".$files[0]);
 				}
 				elsif (scalar(@files) > 1) {
 					my @files2;
 					foreach my $file (@files) {
-						$file =~ s/\00//g;
+						$file =~ s/\x00//g;
 						push(@files2,$file);
 					}
 					::rptMsg("  ".join(' ',@files2));
@ -305,9 +305,9 @@ sub parseLastVisitedPidlMRU {
 			delete $mru{0xffffffff};	
 			foreach my $m (sort {$a <=> $b} keys %mru) {
-				my ($file,$shell) = split(/\00\00/,$mru{$m},2);
+				my ($file,$shell) = split(/\x00\x00/,$mru{$m},2);
-				$file =~ s/\00//g;
+				$file =~ s/\x00//g;
-				$shell =~ s/^\00//;
+				$shell =~ s/^\x00//;
 				my $str = parseShellItem($shell);
 				::rptMsg("  ".$file." - ".$str);
 			}
@ -497,7 +497,7 @@ sub parseNetworkEntry {
 	my %item = ();	
 	$item{type} = unpack("C",substr($data,2,1));
-	my @n = split(/\00/,substr($data,4,length($data) - 4));
+	my @n = split(/\x00/,substr($data,4,length($data) - 4));
 	$item{name} = $n[0];
 	$item{name} =~ s/^\W//;
 	return %item;
@ -537,14 +537,14 @@ sub parseFolderEntry {
 	($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]);
 # Need to read in short name; nul-term ASCII
-#	$item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0];
+#	$item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0];
 	$ofs_shortname = $ofs_mdate + 6;	
 	my $tag = 1;
 	my $cnt = 0;
 	my $str = "";
 	while($tag) {
 		my $s = substr($data,$ofs_shortname + $cnt,1);
-		if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
+		if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
 			$tag = 0;
 		}
 		else {
@ -552,12 +552,12 @@ sub parseFolderEntry {
 			$cnt++;
 		}
 	}
-#	$str =~ s/\00//g;
+#	$str =~ s/\x00//g;
 	my $shortname = $str;
 	my $ofs = $ofs_shortname + $cnt + 1;
 # Read progressively, 1 byte at a time, looking for 0xbeef	
-	my $tag = 1;
+	$tag = 1;
-	my $cnt = 0;
+	$cnt = 0;
 	while ($tag) {
 		if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
 			$tag = 0;
@ -573,10 +573,10 @@ sub parseFolderEntry {
 	$ofs = $ofs + $cnt + 2;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
 	$ofs += 4;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
 	$ofs += 4;
@ -595,10 +595,10 @@ sub parseFolderEntry {
 	$ofs += $jmp;
 #	::rptMsg(sprintf "  Offset: 0x%x",$ofs);
-	my $str = substr($data,$ofs,length($data) - $ofs);
+	$str = substr($data,$ofs,length($data) - $ofs);
-	my $longname = (split(/\00\00/,$str,2))[0];
+	my $longname = (split(/\x00\x00/,$str,2))[0];
-	$longname =~ s/\00//g;
+	$longname =~ s/\x00//g;
 	if ($longname ne "") {
 		$item{name} = $longname;
@ -697,4 +697,4 @@ sub printData {
 	return @display;
 }
-1;		
+1;		
--- a/thirdparty/rr-full/plugins/comfoo.pl
+++ b/thirdparty/rr-full/plugins/comfoo.pl
@ -58,7 +58,6 @@ sub pluginmain {
 		foreach my $s (@svcs) {
 			$cf_path = $ccs."\\Services\\".$s;
 			$cf;
 			if ($cf = $root_key->get_subkey($cf_path)) {
 				::rptMsg($cf_path);
 				::rptMsg("LastWrite Time ".gmtime($cf->get_subkey("Parameters")->get_timestamp())." (UTC)");
@ -88,4 +87,4 @@ sub pluginmain {
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/defbrowser.pl
+++ b/thirdparty/rr-full/plugins/defbrowser.pl
@ -41,7 +41,8 @@ sub pluginmain {
 	my $root_key = $reg->get_root_key;
 	my $key_path = "Clients\\StartMenuInternet";
-	if (my $key = $root_key->get_subkey($key_path)) {
+	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("Default Browser Check #1");
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -55,9 +56,8 @@ sub pluginmain {
 	::rptMsg("");
-	my $key_path = "Classes\\HTTP\\shell\\open\\command";
+	$key_path = "Classes\\HTTP\\shell\\open\\command";
-	my $key;
+	if (my $key = $root_key->get_subkey($key_path)) {
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("Default Browser Check #2");
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -77,4 +77,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/devclass.pl
+++ b/thirdparty/rr-full/plugins/devclass.pl
@ -56,8 +56,7 @@ sub pluginmain {
 		return
 	}
 # Get devices from the Disk GUID
-	my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
+	$key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("DevClasses - Disks");
 		::rptMsg($key_path);
@ -90,8 +89,7 @@ sub pluginmain {
 	}
 	::rptMsg("");
 # Get devices from the Volume GUID
-	my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}";
+	$key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("DevClasses - Volumes");
 		::rptMsg($key_path);
@ -150,4 +148,4 @@ sub pluginmain {
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/disablelastaccess.pl
+++ b/thirdparty/rr-full/plugins/disablelastaccess.pl
@ -48,8 +48,7 @@ sub pluginmain {
 		$ccs = "ControlSet00".$current;
 	}
-	my $key_path = $ccs."\\Control\\FileSystem";
+	$key_path = $ccs."\\Control\\FileSystem";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("NtfsDisableLastAccessUpdate");
 		::rptMsg($key_path);
@ -72,4 +71,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/drwatson.pl
+++ b/thirdparty/rr-full/plugins/drwatson.pl
@ -57,8 +57,7 @@ sub pluginmain {
 	}
 	::rptMsg("");
-	my $key_path = "Microsoft\\DrWatson";
+	$key_path = "Microsoft\\DrWatson";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -76,4 +75,4 @@ sub pluginmain {
 	::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html");
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/environment.pl
+++ b/thirdparty/rr-full/plugins/environment.pl
@ -3,23 +3,23 @@
 #   Extracts user's Environment paths from NTUSER.DAT
 # 
 # Change history
 #   20150910 - added check for specific value, per Hexacorn blog
 #   20110830 [fpi] + banner, no change to the version number
 #
 # References
-# 
+#  http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/
 #
 # Copyright (c) 2011-02-04 Brendan Coles <bcoles@gmail.com>
 #-----------------------------------------------------------
 # Require #
 package environment;
 use strict;
 # Declarations #
 my %config = (hive          => "NTUSER\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
-              version       => 20110204);
+              version       => 20150910);
 my $VERSION = getVersion();
 # Functions #
@ -32,9 +32,6 @@ sub getShortDescr {
 	return "Extracts user's Environment paths from NTUSER.DAT";
 }
 ############################################################
 # pluginmain #
 ############################################################
 sub pluginmain {
 	# Declarations #
@ -43,8 +40,8 @@ sub pluginmain {
 	# Initialize #
 	::logMsg("Launching environment v.".$VERSION);
-    ::rptMsg("environment v.".$VERSION); # 20110830 [fpi] + banner
+  ::rptMsg("environment v.".$VERSION); 
-    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
+  ::rptMsg("(".getHive().") ".getShortDescr()."\n"); 
 	my $reg = Parse::Win32Registry->new($hive);
 	my $root_key = $reg->get_root_key;
 	my $key;
@ -67,23 +64,27 @@ sub pluginmain {
 			# Extract # all key names+values for Environment registry path #
 			foreach my $v (@vals) {
-				::rptMsg($v->get_name()." -> ".$v->get_data());
+				my $name = $v->get_name();
 				::rptMsg($name." -> ".$v->get_data());
 				if ($name eq "UserInitMprLogonScript") {
 					::rptMsg("**ALERT: UserInitMprLogonScript value found: ".$v->get_data());
 				}
 			}
 		# Error # key value is null #
-		} else {
+		} 
 		else {
 			::rptMsg($key_path." has no values.");
 		}
 	# Error # Environment isn't here, try another castle #
 	} else {
 		::rptMsg($key_path." not found.");
 		::logMsg($key_path." not found.");
 	}
 	# Return # obligatory new-line #
 	::rptMsg("");
 }
 # Error # oh snap! #
 1;
--- a/thirdparty/rr-full/plugins/ide.pl
+++ b/thirdparty/rr-full/plugins/ide.pl
@ -50,8 +50,7 @@ sub pluginmain {
 		return
 	}
-	my $key_path = $ccs."\\Enum\\IDE";
+	$key_path = $ccs."\\Enum\\IDE";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -84,8 +83,7 @@ sub pluginmain {
 		::logMsg($key_path." not found.");
 	}
-	my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
+	$key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("DevClasses - Disks");
 		::rptMsg($key_path);
@ -122,4 +120,4 @@ sub pluginmain {
 		::logMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/ie_settings.pl
+++ b/thirdparty/rr-full/plugins/ie_settings.pl
@ -102,8 +102,7 @@ sub pluginmain {
 #
 #
 #-----------------------------------------------------------
-	my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch';
+	$key_path = 'Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch';
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("");
 		::rptMsg($key_path);
@ -152,4 +151,4 @@ sub pluginmain {
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/inprocserver.pl
+++ b/thirdparty/rr-full/plugins/inprocserver.pl
@ -3,6 +3,7 @@
 # 
 #
 # History
 #   20141126 - minor updates
 #   20141112 - added support for Wow6432Node
 #   20141103 - updated to include detection for PowerLiks
 #   20141030 - added GDataSoftware reference
@ -36,7 +37,7 @@ my %config = (hive          => "Software","NTUSER\.DAT","USRCLASS\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
-              version       => 20141103);
+              version       => 20141126);
 sub getConfig{return %config}
@ -61,7 +62,7 @@ sub pluginmain {
  ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
 	my $reg = Parse::Win32Registry->new($hive);
 	my $root_key = $reg->get_root_key;
-  my @paths = ("Classes\\CLSID","Wow6432Node\\Classes\\CLSID","CLSID","Wow6432Node\\CLSID");
+  my @paths = ("Classes\\CLSID","Classes\\Wow6432Node\\CLSID","CLSID","Wow6432Node\\CLSID");
  foreach my $key_path (@paths) {
 		my $key;
 		if ($key = $root_key->get_subkey($key_path)) {
@ -80,10 +81,12 @@ sub pluginmain {
 						my $l = $s->get_subkey("InprocServer32")->get_value("")->get_data();
 						$l =~ tr/[A-Z]/[a-z]/;
-						::rptMsg("Possible Lurk infection found!") unless ($l eq "c:\\windows\\system32\\pngfilt\.dll");
+						if ($l eq "c:\\windows\\system32\\pngfilt\.dll" || $l eq "c:\\windows\\syswow64\\pngfilt\.dll") {
-
+							::rptMsg("Possible Lurk infection found!");
 							::rptMsg("  ".$l);
 						}
 					}
-					
+				
 					eval {
 						my $n = $s->get_subkey("InprocServer32")->get_value("")->get_data();
 						alertCheckPath($n);
@ -95,9 +98,9 @@ sub pluginmain {
 					eval {
 						my $local = $s->get_subkey("localserver32");
 						my $powerliks = $local->get_value("")->get_data();
-						::rptMsg($s->get_name()."\\LocalServer32 key found\.");
+#						::rptMsg($s->get_name()."\\LocalServer32 key found\.");
-						::rptMsg("  LastWrite: ".gmtime($local->get_timestamp()));
+#						::rptMsg("  LastWrite: ".gmtime($local->get_timestamp()));
-						if ($powerliks =~ m/^rundll32/) {
+						if ($powerliks =~ m/^rundll32 javascript/) {
 							::rptMsg("**Possible PowerLiks found\.");
 							::rptMsg("  ".$powerliks);
 						}
@ -123,7 +126,7 @@ sub alertCheckPath {
 	$path =~ tr/[A-Z]/[a-z]/;
 	my @alerts = ("recycle","globalroot","temp","system volume information","appdata",
-	              "application data","c:\\users");
+	              "application data","programdata","c:\\users");
 	foreach my $a (@alerts) {
 		if (grep(/$a/,$path)) {
--- a/thirdparty/rr-full/plugins/itempos.pl
+++ b/thirdparty/rr-full/plugins/itempos.pl
@ -43,7 +43,7 @@ my %config = (hive          => "NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Shell/Bags/1/Desktop ItemPos* value parsing; Win7 NTUSER\.DAT hives";	
+	return "Shell/Bags/1/Desktop ItemPos* value parsing; Win7 NTUSER.DAT hives";	
 }
 sub getDescr{}
 sub getRefs {}
@ -98,8 +98,7 @@ sub pluginmain {
 	}
 #	::rptMsg("");
 # The following was added on 20130514 to address Windows XP systems	
-	my $key_path = "Software\\Microsoft\\Windows\\ShellNoRoam\\Bags";
+	$key_path = "Software\\Microsoft\\Windows\\ShellNoRoam\\Bags";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		my @sk = $key->get_list_of_subkeys();
 		if (scalar(@sk) > 0) {
@ -229,7 +228,7 @@ sub parseFolderItem {
 	my $str = "";
 	while($tag) {
 		my $s = substr($data,$ofs_shortname + $cnt,1);
-		if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
+		if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
 			$tag = 0;
 		}
 		else {
@ -237,12 +236,12 @@ sub parseFolderItem {
 			$cnt++;
 		}
 	}
-#	$str =~ s/\00//g;
+#	$str =~ s/\x00//g;
 	my $shortname = $str;
 	my $ofs = $ofs_shortname + $cnt + 1;
 # Read progressively, 1 byte at a time, looking for 0xbeef	
-	my $tag = 1;
+	$tag = 1;
-	my $cnt = 0;
+	$cnt = 0;
 	while ($tag) {
 		if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
 			$tag = 0;
@ -254,10 +253,10 @@ sub parseFolderItem {
 	$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
 	$ofs = $ofs + $cnt + 2;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
 	$ofs += 4;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
 	my $jmp;
@ -274,9 +273,9 @@ sub parseFolderItem {
 	$ofs += $jmp;
-	my $str = substr($data,$ofs,length($data) - 30);
+	$str = substr($data,$ofs,length($data) - 30);
-	my $longname = (split(/\00\00/,$str,2))[0];
+	my $longname = (split(/\x00\x00/,$str,2))[0];
-	$longname =~ s/\00//g;
+	$longname =~ s/\x00//g;
 	if ($longname ne "") {
 		$item{name} = $longname;
@ -378,4 +377,4 @@ sub printData {
 		::rptMsg(sprintf "0x%08x: %-47s  ".$str,($cnt * 16),$h);
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/landesk.pl
+++ b/thirdparty/rr-full/plugins/landesk.pl
@ -3,7 +3,11 @@
 # parses LANDESK Monitor Logs
 #
 #
 #  https://community.landesk.com/docs/DOC-3249
 #
 # Change history
 #   20160823 - added "Current Duration" parsing
 #   20160822 - updated based on client engagement
 #   20130326 - added Wow6432Node path
 #   20130214 - updated w/ Logon info
 #   20090729 - updates, H. Carvey
@ -19,7 +23,7 @@ my %config = (hive          => "Software",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
-              version       => 20130326);
+              version       => 20160823);
 sub getConfig{return %config}
@ -32,7 +36,7 @@ sub getHive {return $config{hive};}
 sub getVersion {return $config{version};}
 my $VERSION = getVersion();
-my %ls;
+my (@ts,$d);
 sub pluginmain {
 	my $class = shift;
@ -53,18 +57,49 @@ sub pluginmain {
 			my @subkeys = $key->get_list_of_subkeys();
 			if (scalar(@subkeys) > 0) {
 				foreach my $s (@subkeys) {
 				  ::rptMsg($s->get_name());
 					::rptMsg("  LastWrite: ".gmtime($s->get_timestamp())." Z");
 					eval {
-						my $lw = $s->get_timestamp();
+						@ts = unpack("VV",$s->get_value("Last Started")->get_data());
-# Push the data into a hash of arrays 
+						::rptMsg("  Last Started: ".gmtime(::getTime($ts[0],$ts[1]))." Z");
 						push(@{$ls{$lw}},$s->get_name());
 					};
-				}
+					
-			
+					eval {
-				foreach my $t (reverse sort {$a <=> $b} keys %ls) {
+						@ts = unpack("VV",$s->get_value("Last Duration")->get_data());
-					::rptMsg(gmtime($t)." (UTC)");
+						my $i = c64($ts[0],$ts[1]);
-					foreach my $item (@{$ls{$t}}) {
+						$i = $i/10000000;
-						::rptMsg("  $item");
+						::rptMsg("  Last Duration: ".$i." sec");
-					}
+					};
 					eval {
 						@ts = unpack("VV",$s->get_value("Current Duration")->get_data());
 						my $i = c64($ts[0],$ts[1]);
 						$i = $i/10000000;
 						::rptMsg("  Current Duration: ".$i." sec");
 					};
 					eval {
 						@ts = unpack("VV",$s->get_value("Total Duration")->get_data());
 						my $i = c64($ts[0],$ts[1]);
 						$i = $i/10000000;
 						::rptMsg("  Total Duration: ".$i." sec");
 					};
 					eval {
 						@ts = unpack("VV",$s->get_value("First Started")->get_data());
 						::rptMsg("  First Started: ".gmtime(::getTime($ts[0],$ts[1]))." Z");
 					};
 					eval {
 						::rptMsg("  Total Runs: ".$s->get_value("Total Runs")->get_data());
 					};
 					eval {
 						::rptMsg("  Current User: ".$s->get_value("Current User")->get_data());
 					};
 					::rptMsg("");
 				}
 			}
 			else {
@ -76,6 +111,7 @@ sub pluginmain {
 		}
 	}
 	::rptMsg("");
 # update added 20130327
 	my @paths = ("LANDesk\\Inventory\\LogonHistory\\Logons",
 	             "Wow6432Node\\LANDesk\\Inventory\\LogonHistory\\Logons");
@ -107,4 +143,19 @@ sub pluginmain {
 	}	
 }
 # Thanks to David Cowen for sharing this code
 sub c64 {
 	my $n1 = shift;
 	my $n2 = shift;
 	if ($n2 != 0) {
 		$n2 = ($n2 * 4294967296);
 		my $n = $n1 + $n2;
 		return $n;
 	}
 	else {
 		return $n1;
 	}
 }
 1;
--- a/thirdparty/rr-full/plugins/landesk_tln.pl
+++ b/thirdparty/rr-full/plugins/landesk_tln.pl
@ -4,6 +4,7 @@
 #
 #
 # Change history
 #   20160822 - minor updates based on client engagement
 #   20130214 - updated with Logon info
 #   20090729 - updates, H. Carvey
 #
@ -31,7 +32,7 @@ sub getHive {return $config{hive};}
 sub getVersion {return $config{version};}
 my $VERSION = getVersion();
-my %ls;
+my (@f,$first);
 sub pluginmain {
 	my $class = shift;
@ -62,17 +63,23 @@ sub pluginmain {
 					$user = "" if ($@);
 #				::rptMsg($lw."|REG||".$user."|M... LanDesk - ".$name." key last modified");
-				
+# "Current User" value not included in "First Started" data, as the user value applies only to the
 # "Last Started" value				
 					eval {
-						my @f = unpack("VV",$s->get_value("First Started")->get_data());
+						@f = unpack("VV",$s->get_value("First Started")->get_data());
-						my $first = ::getTime($f[0],$f[1]);
+						$first = ::getTime($f[0],$f[1]);
-						::rptMsg($first."|REG||".$user."|LanDesk - ".$name." First Started");
+						::rptMsg($first."|REG|||LanDesk - ".$name." First Started");
 					};
 					eval {
-						my @f = unpack("VV",$s->get_value("Last Started")->get_data());
+						@f = unpack("VV",$s->get_value("Last Started")->get_data());
-						my $first = ::getTime($f[0],$f[1]);
+						$first = ::getTime($f[0],$f[1]);
-						::rptMsg($first."|REG||".$user."|LanDesk - ".$name." Last Started");
+						
 						@f = unpack("VV",$s->get_value("Last Duration")->get_data());
 						my $i = c64($f[0],$f[1]);
 						$i = $i/10000000;
 						::rptMsg($first."|REG||".$user."|LanDesk - ".$name." Last Started, Last Duration : ".$i." sec. - Total Runs: ".$s->get_value("Total Runs")->get_data());
 					};
 				}
 			}
@ -115,4 +122,19 @@ sub pluginmain {
 	}
 }
 # Thanks to David Cowen for sharing this code
 sub c64 {
 	my $n1 = shift;
 	my $n2 = shift;
 	if ($n2 != 0) {
 		$n2 = ($n2 * 4294967296);
 		my $n = $n1 + $n2;
 		return $n;
 	}
 	else {
 		return $n1;
 	}
 }
 1;
--- a/thirdparty/rr-full/plugins/lsasecrets.pl
+++ b/thirdparty/rr-full/plugins/lsasecrets.pl
@ -54,7 +54,7 @@ sub pluginmain {
 			::rptMsg("CupdTime = ".$cupd);
 			my $o = $key->get_subkey("\$MACHINE\.ACC\\OupdTime")->get_value("")->get_data();
-			my @v = unpack("VV",$c);
+			@v = unpack("VV",$c);
 			my $oupd = gmtime(::getTime($v[0],$v[1]));
 			::rptMsg("OupdTime = ".$oupd);
 		};
@ -64,4 +64,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/menuorder.pl
+++ b/thirdparty/rr-full/plugins/menuorder.pl
@ -167,7 +167,7 @@ sub parseAugM {
 		my $str = "";
 		while($tag) {
 			my $s = substr($data,0x16 + $cnt,1);
-			if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
+			if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
 				$tag = 0;
 			}
 			else {
@ -183,18 +183,18 @@ sub parseAugM {
 		$item{version} = unpack("v",substr($data2,2,2));
 		my $ext = unpack("v",substr($data2,4,2));
-		my $ofs = 0x08;
+		$ofs = 0x08;
 # Get creation time values;
 #		my @m = unpack("vv",substr($data,$ofs,4));
 		$ofs += 4;
 # Get last access time values		
-#		my @m = unpack("vv",substr($data,$ofs,4));
+#		@m = unpack("vv",substr($data,$ofs,4));
 		$ofs += 4;
 		$ofs += 4;
-		my $tag = 1;
+		$tag = 1;
-		my $cnt = 0;
+		$cnt = 0;
-		my $str = "";
+		$str = "";
 		while ($tag) {
 			my $s = substr($data2,$ofs + $cnt,2);
 			if (unpack("v",$s) == 0) {
@ -205,15 +205,15 @@ sub parseAugM {
 				$cnt += 2;
 			}
 		}
-		$str =~ s/\00//g;
+		$str =~ s/\x00//g;
 		$item{name} = $str;
 		$ofs += $cnt;
 #		::rptMsg(sprintf " - Ofs: 0x%x   Remaining Data: 0x%x",$ofs,$sz - $ofs);
 		if (($sz - $ofs) > 0x10) {
 			my $str = substr($data2,$ofs,$sz - $ofs);
-			$str =~ s/^\00+//;
+			$str =~ s/^\x00+//;
-			my $s = (split(/\00/,$str,2))[0];
+			my $s = (split(/\x00/,$str,2))[0];
 			$item{name} .= " (".$s.")";
 		}
@ -241,7 +241,7 @@ sub parseItem {
 	my $str = "";
 	while($tag) {
 		my $s = substr($data,$ofs + $cnt,1);
-		if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
+		if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
 			$tag = 0;
 		}
 		else {
@ -258,7 +258,7 @@ sub parseItem {
 	my $ext = unpack("v",substr($data2,4,2));
-	my $ofs = 0x08;
+	$ofs = 0x08;
 # Get creation time values;
 #		my @m = unpack("vv",substr($data,$ofs,4));
 	$ofs += 4;
@ -280,9 +280,9 @@ sub parseItem {
 	$ofs += $jmp;
-	my $tag = 1;
+	$tag = 1;
-	my $cnt = 0;
+	$cnt = 0;
-	my $str = "";
+	$str = "";
 	while ($tag) {
 		my $s = substr($data2,$ofs + $cnt,2);
 		if (unpack("v",$s) == 0) {
@ -293,7 +293,7 @@ sub parseItem {
 			$cnt += 2;
 		}
 	}
-	$str =~ s/\00//g;
+	$str =~ s/\x00//g;
 	$item{name} = $str;
 	$ofs += $cnt;
@ -377,4 +377,4 @@ sub convertDOSDate {
-1;
+1;
--- a/thirdparty/rr-full/plugins/mmo.pl
+++ b/thirdparty/rr-full/plugins/mmo.pl
@ -72,8 +72,7 @@ sub pluginmain {
 	}
 # Section added 17 Feb 2013, to address Trojan.Swaylib
 #
-	my $key_path = "Software\\Microsoft\\CTF\\LangBarAddIn";
+	$key_path = "Software\\Microsoft\\CTF\\LangBarAddIn";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		my @subkeys = $key->get_list_of_subkeys();
 		if (scalar(@subkeys) > 0) {
@ -106,4 +105,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found\.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/mountdev.pl
+++ b/thirdparty/rr-full/plugins/mountdev.pl
@ -63,7 +63,7 @@ sub pluginmain {
 				}
 				elsif ($len > 12) {
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					push(@{$md{$data}},$v->get_name());
 				}
 				else {
--- a/thirdparty/rr-full/plugins/mountdev2.pl
+++ b/thirdparty/rr-full/plugins/mountdev2.pl
@ -104,7 +104,7 @@ sub pluginmain {
 					$offset{$v->get_name()} = $o;
 				}
 				elsif ($len > 12) {
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					push(@{$md{$data}},$v->get_name());
 				}
 				else {
@ -120,15 +120,15 @@ sub pluginmain {
 			}
 			::rptMsg("");
 			foreach my $v (sort keys %vol) {
-				next unless ($v =~ m/^\\\?\?\\Volume{/);
+				next unless ($v =~ m/^\\\?\?\\Volume\{/);
 				my $id = $v;
-				$id =~ s/^\\\?\?\\Volume{//;
+				$id =~ s/^\\\?\?\\Volume\{//;
 				$id =~ s/}$//;
 				$id =~ s/-//g;
 				my $l = hex(substr($id,0,8));
 				my $m = hex(substr($id,8,4));
 				my $h = hex(substr($id,12,4)) & 0x0fff;
-				my $h = $m | $h << 16;
+				$h = $m | $h << 16;
 				my $t = (::getTime($l,$h) - 574819200);
 				::rptMsg($v);
 				::rptMsg("  ".gmtime($t));
@ -141,7 +141,7 @@ sub pluginmain {
 					if ($item =~ m/^\\\?\?\\Volume/) {
 						my $id = $item;
-						$id =~ s/^\\\?\?\\Volume{//;
+						$id =~ s/^\\\?\?\\Volume\{//;
 						$id =~ s/}$//;
 #						$id =~ s/-//g;
 #						my $l = hex(substr($id,0,8));
@ -188,4 +188,4 @@ sub _translateBinary {
 	return join(' ',reverse @list);
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/mp3.pl
+++ b/thirdparty/rr-full/plugins/mp3.pl
@ -92,7 +92,7 @@ sub pluginmain {
 					my $l = hex(substr($id,0,8));
 					my $m = hex(substr($id,8,4));
 					my $h = hex(substr($id,12,4)) & 0x0fff;
-					my $h = $m | $h << 16;
+					$h = $m | $h << 16;
 					my $t2 = (::getTime($l,$h) - 574819200);
 					::rptMsg($t2."|REG|Server|User|".$id2." Vol GUID date");
@ -110,4 +110,4 @@ sub pluginmain {
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/muicache.pl
+++ b/thirdparty/rr-full/plugins/muicache.pl
@ -65,8 +65,7 @@ sub pluginmain {
 		::rptMsg("");
 	}
 # Added for access to USRCLASS.DAT
-	my $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache';
+	$key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache';
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -90,4 +89,4 @@ sub pluginmain {
 	} 	
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/muicache_tln.pl
+++ b/thirdparty/rr-full/plugins/muicache_tln.pl
@ -64,8 +64,7 @@ sub pluginmain {
 #		::rptMsg("");
 	}
 # Added for access to USRCLASS.DAT
-	my $key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache';
+	$key_path = 'Local Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache';
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 #		::rptMsg($key_path);
 #		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -89,4 +88,4 @@ sub pluginmain {
 	} 	
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/networklist.pl
+++ b/thirdparty/rr-full/plugins/networklist.pl
@ -5,6 +5,7 @@
 #
 #
 # Change History:
 #    20150812 - updated to include Nla\Cache data
 #    20120917 - updated to include NameType value
 #    20090812 - updated code to parse DateCreated and DateLastConnected
 #               values; modified output, as well
@ -12,7 +13,8 @@
 #
 # References
 #
-# copyright 2009 H. Carvey, keydet89@yahoo.com
+# copyright 2015 Quantum Analytics Research, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package networklist;
 use strict;
@ -22,7 +24,7 @@ my %config = (hive          => "Software",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
-              version       => 20120917);
+              version       => 20150812);
 sub getConfig{return %config}
@ -123,7 +125,7 @@ sub pluginmain {
 			foreach my $n (keys %nl) {
 				my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName};
 				::rptMsg($nl{$n}{ProfileName});
-				::rptMsg("  Key LastWrite    : ".gmtime($nl{$n}{LastWrite})." UTC");
+				::rptMsg("  Key LastWrite    : ".gmtime($nl{$n}{LastWrite})." Z");
 				::rptMsg("  DateLastConnected: ".$nl{$n}{DateLastConnected});
 				::rptMsg("  DateCreated      : ".$nl{$n}{DateCreated});
 				::rptMsg("  DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac});
@ -139,6 +141,18 @@ sub pluginmain {
 	else {
 		::rptMsg($key_path." not found.");
 	}
  ::rptMsg("");
 # Get NLA info
  $key_path = $base_path."\\Nla\\Cache\\Intranet";
  if ($key = $root_key->get_subkey($key_path)) { 
  	my @subkeys = $key->get_list_of_subkeys();
  	if (scalar(@subkeys) > 0) {
  		::rptMsg(sprintf "%-26s  %-30s","Date","Domain/IP");
  		foreach my $s (@subkeys) {
  			::rptMsg(sprintf "%-26s  %-30s",gmtime($s->get_timestamp())." Z",$s->get_name());
  		}
  	}
  }
 }
--- a/thirdparty/rr-full/plugins/networklist_tln.pl
+++ b/thirdparty/rr-full/plugins/networklist_tln.pl
@ -5,6 +5,7 @@
 #
 #
 # Change History:
 #    20150812 - updated to include Nla\Cache data
 #    20120608 - updated from networklist.pl to add TLN output
 #    20090812 - updated code to parse DateCreated and DateLastConnected
 #               values; modified output, as well
@ -12,7 +13,7 @@
 #
 # References
 #
-# copyright 2012 Quantum Analytics Research, LLC
+# copyright 2015 Quantum Analytics Research, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package networklist_tln;
@ -23,7 +24,7 @@ my %config = (hive          => "Software",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
-              version       => 20120608);
+              version       => 20150812);
 sub getConfig{return %config}
@ -130,6 +131,18 @@ sub pluginmain {
 				::rptMsg($nl{$n}{LastWrite}."|REG|||[".$nl{$n}{Type}." Connect] - Last Connected to ".$nl{$n}{ProfileName}." (".$nl{$n}{DefaultGatewayMac}.")");
 			}		
 # Get NLA info
  		$key_path = $base_path."\\Nla\\Cache\\Intranet";
  		if ($key = $root_key->get_subkey($key_path)) { 
  			my @subkeys = $key->get_list_of_subkeys();
  			if (scalar(@subkeys) > 0) {
  				foreach my $s (@subkeys) {
  					::rptMsg($s->get_timestamp()."|REG|||First connected to: ".$s->get_name());
  				}
  			}
  		}
 		}
 		else {
 #			::rptMsg($key_path." has not subkeys");
--- a/thirdparty/rr-full/plugins/nic2.pl
+++ b/thirdparty/rr-full/plugins/nic2.pl
@ -1,15 +1,15 @@
 #-----------------------------------------------------------
 # nic2.pl
 # 
 # 
 # Change history
 #    20150812 - included updates from Yogesh Khatri
 #    20100401 - created
 #
 # References
 #   LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx
 #   T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx
 # 
-# copyright 2010 Quantum Analytics Research, LLC
+# copyright 2015 Quantum Analytics Research, LLC
 #-----------------------------------------------------------
 package nic2;
 use strict;
@ -19,7 +19,7 @@ my %config = (hive          => "System",
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
-              version       => 20100401);
+              version       => 20150812);
 sub getConfig{return %config}
 sub getShortDescr {
@ -39,7 +39,7 @@ sub pluginmain {
 	my $ccs;
 	::logMsg("Launching nic2 v.".$VERSION);
 	::rptMsg("nic2 v.".$VERSION); # banner
-    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
+  ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
 	my $reg = Parse::Win32Registry->new($hive);
 	my $root_key = $reg->get_root_key;
 # First thing to do is get the ControlSet00x marked current...this is
@ -65,10 +65,36 @@ sub pluginmain {
 						my $data = $v->get_data();
 						$data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2");
 						$data = gmtime($data)." Z" if ($name =~ m/Time$/);
 						$data = pack("h*",reverse $data) if (uc($name) eq uc("DhcpNetworkHint")); # SSID nibbles reversed //YK
 						::rptMsg(sprintf "  %-28s %-20s",$name,$data);
 					}
 					::rptMsg("");
 				};
 				# Parse subfolders having similar data for different wifi access points , key name is SSID (nibbles reversed) //YK
 				my @ssids = $g->get_list_of_subkeys();
 				if (scalar @ssids > 0) {
 					foreach my $ssid (@ssids) {
 						::rptMsg("Adapter: ".$g->get_name()."/".$ssid->get_name());
 						my $ssid_realname = pack("h*",reverse $ssid->get_name());
 						::rptMsg("SSID Decoded: ".$ssid_realname);
 						::rptMsg("LastWrite Time: ".gmtime($ssid->get_timestamp())." Z");
 						eval {
 							my @vals = $ssid->get_list_of_values();
 							foreach my $v (@vals) {
 								my $name = $v->get_name();
 								my $data = $v->get_data();
 								$data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2");
 								$data = gmtime($data)." Z" if ($name =~ m/Time$/);
 								$data = pack("h*",reverse $data) if (uc($name) eq uc("DhcpNetworkHint"));
 								::rptMsg(sprintf "  %-28s %-20s",$name,$data);
 							}
 							::rptMsg("");
 						};
 					}
 				}
 				else {
 					::rptMsg($key_path." has no subkeys.");
 				}	
 			}
 		}
 		else {
--- a/thirdparty/rr-full/plugins/ntuser
+++ b/thirdparty/rr-full/plugins/ntuser
@ -1,26 +1,35 @@
-# 20120528 *ALL* Plugins that apply on NTUSER hive, alphabetical order
+# 20161213 *ALL* Plugins that apply on NTUSER hive, alphabetical order
 acmru
 adoberdr
 aim
 aports
 appcompatflags
 applets
 applets_tln
 appspecific
 ares
 arpcache
 attachmgr
 attachmgr_tln
 autoendtasks
 autorun
 bitbucket_user
 brisv
 cached
 cached_tln
 cain
 ccleaner
 cdstaginginfo
 clampi
 clampitm
 cmdproc
 cmdproc_tln
 comdlg32
 compatassist
 compdesc
 controlpanel
 cortana
 cpldontload
 ddo
 decaf
 dependency_walker
 domains
@ -30,62 +39,98 @@ filehistory
 gthist
 gtwhitelist
 haven_and_hearth
 identities
 iejava
 ie_main
 ie_settings
 ie_zones
 internet_explorer_cu
 internet_settings_cu
 itempos
 javafx
 kankan
 knowndev
 latentbot
 listsoft
 liveContactsGUID
 load
 logonusername
 menuorder
 mixer
 mixer_tln
 mmc
 mmc_tln
 mmo
 mndmru
 mndmru_tln
 mp2
 mp3
 mpmru
 mspaper
 muicache
 muicache_tln
 nero
 netassist
 ntusernetwork
 odysseus
 officedocs
 officedocs2010
 officedocs2010_tln
 oisc
 olsearch
 osversion
 osversion_tln
 outlook
 outlook2
 policies_u
 printermru
 printers
 privoxy
 profiler
 proxysettings
 publishingwizard
 putty
 rdphint
 reading_locations
 realplayer6
 realvnc
 recentdocs
 recentdocs_tln
 reveton
 rootkit_revealer
 runmru
 runmru_tln
 sevenzip
 shc
 shellbags_xp
 shellfolders
 skype
 snapshot_viewer
 ssh_host_keys
 startmenuinternetapps_cu
 startpage
-streammru
+startup
 streams
 sysinternals
 sysinternals_tln
 trustrecords
 trustrecords_tln
 tsclient
 tsclient_tln
 typedpaths
 typedpaths_tln
 typedurls
 typedurlstime
 typedurlstime_tln
 typedurls_tln
 unreadmail
-user_run
+urun_tln
 user_win
 userassist
 userassist_tln
 userinfo
 userlocsvc
 user_run
 user_win
 vawtrak
 vista_bitbucket
 vmplayer
 vmware_vsphere_client
@ -93,11 +138,13 @@ vnchooksapplicationprefs
 vncviewer
 wallpaper
 warcraft3
 winlivemail
 winlogon_u
 winrar
 winrar2
 winrar_tln
 winscp
 winscp_sessions
 winvnc
 winzip
 wordwheelquery
-yahoo_cu
+yahoo_cu
--- a/thirdparty/rr-full/plugins/officedocs.pl
+++ b/thirdparty/rr-full/plugins/officedocs.pl
@ -67,7 +67,7 @@ sub pluginmain {
 					::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." (UTC)");
 					::rptMsg("");
 					my $value = $word_key->get_value("Value")->get_data();
-					my @data = split(/\00/,$value);
+					my @data = split(/\x00/,$value);
 					map{::rptMsg("$_");}@data;
 				}
 				else {
--- a/thirdparty/rr-full/plugins/olsearch.pl
+++ b/thirdparty/rr-full/plugins/olsearch.pl
@ -87,7 +87,7 @@ sub parseSearchMRU {
 	foreach my $i (0..($num - 1)) {
 		$item{$i} = substr($data,$ofs[$i], $ofs[$i + 1] - $ofs[$i]);
-		$item{$i} =~ s/\00//g;
+		$item{$i} =~ s/\x00//g;
 	}
 	return %item;
 }
--- a/thirdparty/rr-full/plugins/outlook.pl
+++ b/thirdparty/rr-full/plugins/outlook.pl
@ -56,32 +56,32 @@ sub pluginmain {
 # http://support.microsoft.com/kb/198479				
 				eval {
 					my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0324")->get_data();
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					::rptMsg("  Outlook 2007 AutoArchive path -> ".$data);
 				};
 				eval {
 					my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e0324")->get_data();
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					::rptMsg("  Outlook 2003 AutoArchive path -> ".$data);
 				};
 				eval {
 					my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data();
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					::rptMsg("  Outlook 2003 AutoArchive path (alt) -> ".$data);
 				};
 # http://support.microsoft.com/kb/288570				
 				eval {
 					my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101e0384")->get_data();
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					::rptMsg("  Open Other Users MRU (Outlook 97) -> ".$data);
 				};
 				eval {
 					my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101f0390")->get_data();
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					::rptMsg("  Open Other Users MRU (Outlook 2003) -> ".$data);
 				};
@ -104,26 +104,26 @@ sub pluginmain {
 				eval {
 					my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6610")->get_data();
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					::rptMsg("  Path to OST file: ".$data);
 				};
 				eval {
 					my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6607")->get_data();
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					::rptMsg("  Email: ".$data);
 				};
 				eval {
 					my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6620")->get_data();
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					::rptMsg("  Email: ".$data);
 				};
 # http://support.microsoft.com/kb/959956				
 #				eval {
 #					my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("01026687")->get_data();
-#					$data =~ s/\00/\./g;
+#					$data =~ s/\x00/\./g;
 #					$data =~ s/\W//g;
 #					::rptMsg("  Non-SMTP Email: ".$data);
 #				};
@ -143,7 +143,7 @@ sub pluginmain {
 				eval {
 					my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data();
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					::rptMsg("  Outlook 2003 AutoArchive path (alt) -> ".$data);
 				};
@ -154,7 +154,7 @@ sub pluginmain {
 				eval {
 					my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0418")->get_data();
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					::rptMsg("  001f0418 -> ".$data);
 				};
 #				::rptMsg("Error : ".$@) if ($@);
--- a/thirdparty/rr-full/plugins/photos.pl
+++ b/thirdparty/rr-full/plugins/photos.pl
@ -26,7 +26,7 @@ my %config = (hive          => "USRCLASS\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives";	
+	return "Shell/BagMRU traversal in Win7 USRCLASS.DAT hives";	
 }
 sub getDescr{}
 sub getRefs {}
--- a/thirdparty/rr-full/plugins/polacdms.pl
+++ b/thirdparty/rr-full/plugins/polacdms.pl
@ -67,8 +67,7 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 	::rptMsg("");
-	my $key_path = "Policy\\PolPrDmS";
+	$key_path = "Policy\\PolPrDmS";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("PolPrDmS");
 		::rptMsg($key_path);
@ -92,4 +91,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/prefetch.pl
+++ b/thirdparty/rr-full/plugins/prefetch.pl
@ -3,7 +3,7 @@
 #   Access System hive file to get the Prefetch Parameters
 # 
 # Change history
-#   
+#   2016-05-06  Added check for SysMain service start method. James Habben
 #
 # References
 #   http://msdn.microsoft.com/en-us/library/bb499146(v=winembedded.5).aspx
@ -18,7 +18,13 @@ my %config = (hive          => "SYSTEM",
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
-              version       => 20120914);
+              version       => 20160506);
 my %starts = (0x00 => "Boot Start",
              0x01 => "System Start",
              0x02 => "Auto Start",
              0x03 => "Manual",
              0x04 => "Disabled");
 sub getConfig{return %config}
 sub getShortDescr {
@ -65,6 +71,24 @@ sub pluginmain {
 			::rptMsg($pp_path." not found.");
 			::logMsg($pp_path." not found.");
 		}
 		my $pfsvc_path = $ccs."\\services\\SysMain";
 		my $pfsvc;
 		if ($pfsvc = $root_key->get_subkey($pfsvc_path)) {
 			my $svc_start = $pfsvc->get_value("Start")->get_data();
 			if (exists $starts{$svc_start}) {
 				$svc_start = $starts{$svc_start};
 			}
 			::rptMsg("");
 			::rptMsg("Superfetch service runs both Superfetch and Prefetch functions. Shortname is SysMain.");
 			::rptMsg("SysMain Service    = ".$svc_start);
 		}
 		else {
 			::rptMsg($pfsvc_path." not found.");
 			::logMsg($pfsvc_path." not found.");
 		}
 	}
 	else {
 		::rptMsg($key_path." not found.");
@ -73,4 +97,4 @@ sub pluginmain {
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/printers.pl
+++ b/thirdparty/rr-full/plugins/printers.pl
@ -70,8 +70,7 @@ sub pluginmain {
 			::rptMsg("Default Printer (via CurrentVersion\\Windows): ".$def);
 		};
 # another attempt to get the default printer
-		my $def_path = "Printers";
+		$def_path = "Printers";
 		my $def;
 		eval {
 			$def = $root_key->get_subkey($def_path)->get_value("DeviceOld")->get_data();
 			::rptMsg("Default Printer (via Printers->DeviceOld): ".$def);
@ -82,4 +81,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/productpolicy.pl
+++ b/thirdparty/rr-full/plugins/productpolicy.pl
@ -69,32 +69,29 @@ sub pluginmain {
 	my $key;
 	my $key_path = "ControlSet00".$curr."\\Control\\ProductOptions";
 	if ($key = $root_key->get_subkey($key_path)) {
 		my $prod;
 		eval {
-			my $v1 = $key->get_value("ProductPolicy");
+			$prod = $key->get_value("ProductPolicy")->get_data();
                        if (defined $v1) {
                            my $prod = $v1->get_data();
                            my %pol = parseData($prod);	
                            ::rptMsg("");
                            ::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY.");
                            ::rptMsg("For a listing of names and values, see:");
                            ::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4");
                            ::rptMsg("");	
                            foreach my $p (sort keys %pol) {
                                    ::rptMsg($p." - ".$pol{$p});
                            }
                            if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) {
                                    ::rptMsg("");
                                    ::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}});
                            }
                        }
                        else {
                            ::rptMsg("Error getting ProductPolicy value");
                        }
 		};
 		if ($@) {
 			::rptMsg("Error getting ProductPolicy value: $@");
 		}
 		else {	
 			my %pol = parseData($prod);	
 			::rptMsg("");
 			::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY.");
 			::rptMsg("For a listing of names and values, see:");
 			::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4");
 			::rptMsg("");	
 			foreach my $p (sort keys %pol) {
 				::rptMsg($p." - ".$pol{$p});
 			}
 			if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) {
 				::rptMsg("");
 				::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}});
 			}
 		}
 	}
 	else {
 		::rptMsg($key_path." not found.");
@ -125,7 +122,7 @@ sub parseData {
 		my @vals = unpack("v4V2",	substr($pd,$cursor,0x10));	
 		my $value = substr($pd,$cursor,$vals[0]);
 		my $name = substr($value,0x10,$vals[1]);
-		$name =~ s/\00//g;
+		$name =~ s/\x00//g;
 		my $data = substr($value,0x10 + $vals[1],$vals[3]);
 		if ($vals[2] == 4) {
@ -133,7 +130,7 @@ sub parseData {
 			$data = unpack("V",$data);
 		}
 		elsif ($vals[2] == 1) {
-			$data =~ s/\00//g;
+			$data =~ s/\x00//g;
 		}
 		elsif ($vals[2] == 3) {
 			$data = unpack("H*",$data);
--- a/thirdparty/rr-full/plugins/profilelist.pl
+++ b/thirdparty/rr-full/plugins/profilelist.pl
@ -40,7 +40,7 @@ sub pluginmain {
 	my %profiles;
-	#::logMsg("Launching profilelist v.".$VERSION);
+	::logMsg("Launching profilelist v.".$VERSION);
 	::rptMsg("profilelist v.".$VERSION); # banner
    ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
 	my $reg = Parse::Win32Registry->new($hive);
@ -95,7 +95,7 @@ sub pluginmain {
 	}
 # The following was added 20100219
-	my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
+	$key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
 	if ($key = $root_key->get_subkey($key_path)) {
 		my @subkeys = $key->get_list_of_subkeys();
 		if (scalar @subkeys > 0) {
@ -136,4 +136,4 @@ sub pluginmain {
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/realplayer6.pl
+++ b/thirdparty/rr-full/plugins/realplayer6.pl
@ -25,7 +25,7 @@ my %config = (hive          => "NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Gets user's RealPlayer v6 MostRecentClips\(Default) values";	
+	return "Gets user's RealPlayer v6 MostRecentClips(Default) values";	
 }
 sub getDescr{}
 sub getRefs {}
@ -75,4 +75,4 @@ sub pluginmain {
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/recentdocs.pl
+++ b/thirdparty/rr-full/plugins/recentdocs.pl
@ -147,9 +147,9 @@ sub getRDValues {
 			else {
 # New code
 				$data = decode("ucs-2le", $data);
-				my $file = (split(/\00/,$data))[0];
+				my $file = (split(/\x00/,$data))[0];
-#				my $file = (split(/\00\00/,$data))[0];
+#				my $file = (split(/\x00\x00/,$data))[0];
-#				$file =~ s/\00//g;
+#				$file =~ s/\x00//g;
 				$rdvals{$name} = $file;
 			}
 		}
--- a/thirdparty/rr-full/plugins/recentdocs_tln.pl
+++ b/thirdparty/rr-full/plugins/recentdocs_tln.pl
@ -118,9 +118,9 @@ sub getRDValues {
 			else {
 # New code
 				$data = decode("ucs-2le", $data);
-				my $file = (split(/\00/,$data))[0];
+				my $file = (split(/\x00/,$data))[0];
-#				my $file = (split(/\00\00/,$data))[0];
+#				my $file = (split(/\x00\x00/,$data))[0];
-#				$file =~ s/\00//g;
+#				$file =~ s/\x00//g;
 				$rdvals{$name} = $file;
 			}
 		}
--- a/thirdparty/rr-full/plugins/regback.pl
+++ b/thirdparty/rr-full/plugins/regback.pl
@ -30,8 +30,9 @@ my %config = (hive          => "Software",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Get logfile name of registry backup tasks";	
+	return "List all backup tasks along with logfile name and last written date/time";
 }
 sub getDescr{}
 sub getRefs {}
 sub getHive {return $config{hive};}
@ -42,8 +43,8 @@ my $VERSION = getVersion();
 sub pluginmain {
 	::logMsg("Launching regback v.".$VERSION);
-  ::rptMsg("regback v.".$VERSION); # 20110830 [fpi] + banner
+	::rptMsg("regback v.".$VERSION); # 20110830 [fpi] + banner
-  ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
+	::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
 	my $class = shift;
 	my $hive = shift;
@ -71,18 +72,13 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
-	my $class = shift;
+	$class = shift;
-	my $hive = shift;
+	$hive = shift;
 	my %tasks;
-sub getShortDescr {
+	$root_key = $reg->get_root_key;
-	return "List all tasks along with logfile name and last written date/time";	
+	$key_path = "Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks";
 }
 	my $root_key = $reg->get_root_key;
 	my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -109,4 +105,4 @@ sub getShortDescr {
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/sam
+++ b/thirdparty/rr-full/plugins/sam
@ -1,2 +1,3 @@
-# 20120528 *ALL* Plugins that apply on SAM hive, alphabetical order
+# 20161213 *ALL* Plugins that apply on SAM hive, alphabetical order
-samparse
+samparse
 samparse_ltn
--- a/thirdparty/rr-full/plugins/samparse.pl
+++ b/thirdparty/rr-full/plugins/samparse.pl
@ -3,6 +3,7 @@
 # Parse the SAM hive file for user/group membership info
 #
 # Change history:
 #    20160203 - updated to include add'l values (randomaccess/Phill Moore contribution)
 #    20120722 - updated %config hash
 #    20110303 - Fixed parsing of SID, added check for account type
 #               Acct type determined based on Dustin Hulburt's "Forensic
@ -17,7 +18,7 @@
 #    Source available here: http://pogostick.net/~pnh/ntpasswd/
 #    http://accessdata.com/downloads/media/Forensic_Determination_Users_Logon_Status.pdf
 #
-# copyright 2012 Quantum Analytics Research, LLC
+# copyright 2016 Quantum Analytics Research, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package samparse;
@ -31,7 +32,7 @@ my %config = (hive          => "SAM",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 1,
-              version       => 20120722);
+              version       => 20160203);
 sub getConfig{return %config}
@ -117,10 +118,33 @@ sub pluginmain {
 					($f_val{pwd_reset_date} == 0) ? ($pwdreset = "Never") : ($pwdreset = gmtime($f_val{pwd_reset_date})." Z");
 					($f_val{pwd_fail_date} == 0) ? ($pwdfail = "Never") : ($pwdfail = gmtime($f_val{pwd_fail_date})." Z");
 					my $given;
 					my $surname;
 					eval {
 						$given = $u->get_value("GivenName")->get_data();
 						$given =~ s/\x00//g;
 					};
 					eval {
 						$surname = $u->get_value("SurName")->get_data();
 						$surname =~ s/\x00//g;
 					};
 					::rptMsg("Name            : ".$given." ".$surname);
 					my $internet;
 					eval {
 						$internet = $u->get_value("InternetUserName")->get_data();
 						$internet =~ s/\x00//g;
 						::rptMsg("InternetName    : ".$internet);
 					};
 					my $pw_hint;
 					eval {
 						$pw_hint = $u->get_value("UserPasswordHint")->get_data();
-						$pw_hint =~ s/\00//g;
+						$pw_hint =~ s/\x00//g;
 					};
 					::rptMsg("Password Hint   : ".$pw_hint) unless ($@);
 					::rptMsg("Last Login Date : ".$lastlogin);
@ -143,7 +167,7 @@ sub pluginmain {
 	::rptMsg("Group Membership Information");
 	::rptMsg("-" x 25);
 # Get Group membership information	
-	my $key_path = 'SAM\\Domains\\Builtin\\Aliases';
+	$key_path = 'SAM\\Domains\\Builtin\\Aliases';
 	if ($key = $root_key->get_subkey($key_path)) {
 		my %grps;
 		my @groups = $key->get_list_of_subkeys();
@ -187,12 +211,10 @@ sub pluginmain {
 		}
 		else {
 			::rptMsg($key_path." has no subkeys.");
 			::logMsg($key_path." has no subkeys.");
 		}
 	}
 	else {
 		::rptMsg($key_path." not found.");
 		::logMsg($key_path." not found.");
 	}
 }
@ -323,8 +345,8 @@ sub _translateSID {
 #---------------------------------------------------------------------
 sub _uniToAscii {
  my $str = $_[0];
-  $str =~ s/\00//g;
+  $str =~ s/\x00//g;
  return $str;
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/samparse_tln.pl
+++ b/thirdparty/rr-full/plugins/samparse_tln.pl
@ -121,7 +121,7 @@ sub pluginmain {
 					my $c_descr = "Acct Created (".$v_val{type}.")";
 					eval {
 						$pw_hint = $u->get_value("UserPasswordHint")->get_data();
-						$pw_hint =~ s/\00//g;
+						$pw_hint =~ s/\x00//g;
 						$c_descr .= " (Pwd Hint: ".$pw_hint.")";
 					};
@ -278,7 +278,7 @@ sub _translateSID {
 #---------------------------------------------------------------------
 sub _uniToAscii {
  my $str = $_[0];
-  $str =~ s/\00//g;
+  $str =~ s/\x00//g;
  return $str;
 }
--- a/thirdparty/rr-full/plugins/security
+++ b/thirdparty/rr-full/plugins/security
@ -1,4 +1,8 @@
-# 20120528 *ALL* Plugins that apply on SECURITY hive, alphabetical order
+# 20161213 *ALL* Plugins that apply on SECURITY hive, alphabetical order
 auditpol
 auditpol_xp
 lsasecrets
-polacdms
+polacdms
 secrets
 secrets_tln
 securityproviders
--- a/thirdparty/rr-full/plugins/sevenzip.pl
+++ b/thirdparty/rr-full/plugins/sevenzip.pl
@ -59,9 +59,9 @@ sub pluginmain {
 			eval {
 				::rptMsg("ArcHistory:");
 				my $copy = $key->get_subkey("Compression")->get_value("ArcHistory")->get_data();
-				my @c = split(/\00\00/,$copy);
+				my @c = split(/\x00\x00/,$copy);
 				foreach my $hist (@c) {
-					$hist =~ s/\00//g;
+					$hist =~ s/\x00//g;
 					::rptMsg("  ".$hist);
 				}
 			};
@ -69,9 +69,9 @@ sub pluginmain {
 			eval {
 				::rptMsg("PathHistory:");
 				my $copy = $key->get_subkey("Extraction")->get_value("PathHistory")->get_data();
-				my @c = split(/\00\00/,$copy);
+				my @c = split(/\x00\x00/,$copy);
 				foreach my $hist (@c) {
-					$hist =~ s/\00//g;
+					$hist =~ s/\x00//g;
 					::rptMsg("  ".$hist);
 				}
 				::rptMsg("");
@ -80,9 +80,9 @@ sub pluginmain {
 			eval {
 				::rptMsg("CopyHistory:");
 				my $copy = $key->get_subkey("FM")->get_value("CopyHistory")->get_data();
-				my @c = split(/\00\00/,$copy);
+				my @c = split(/\x00\x00/,$copy);
 				foreach my $hist (@c) {
-					$hist =~ s/\00//g;
+					$hist =~ s/\x00//g;
 					::rptMsg("  ".$hist);
 				}
 				::rptMsg("");
@ -91,9 +91,9 @@ sub pluginmain {
 			eval {
 				::rptMsg("FolderHistory:");
 				my $copy = $key->get_subkey("FM")->get_value("FolderHistory")->get_data();
-				my @c = split(/\00\00/,$copy);
+				my @c = split(/\x00\x00/,$copy);
 				foreach my $hist (@c) {
-					$hist =~ s/\00//g;
+					$hist =~ s/\x00//g;
 					::rptMsg("  ".$hist);
 				}
 			};
--- a/thirdparty/rr-full/plugins/sfc.pl
+++ b/thirdparty/rr-full/plugins/sfc.pl
@ -75,8 +75,7 @@ sub pluginmain {
 # According to http://support.microsoft.com/kb/222193, sfc* values in this key, if 
 # it exists, take precedence over and are copied into the values within the Winlogon
 # key; see also http://support.microsoft.com/kb/222473/
-	my $key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection";
+	$key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -106,4 +105,4 @@ sub pluginmain {
 #		::logMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/shares.pl
+++ b/thirdparty/rr-full/plugins/shares.pl
@ -97,7 +97,7 @@ sub pluginmain {
 # Determine of the AutoShareServer/Wks values have been set
 	my $path = $key_path."\\".$lanman;
-	my $tag  = "parameters";
+	$tag  = "parameters";
 	my $para = getKeyPath($path,$tag);
 	eval {
 		if ($key = $root_key->get_subkey($path."\\".$para)) {
@ -139,4 +139,4 @@ sub getKeyPath {
 	return $subkey;
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/shellbags.pl
+++ b/thirdparty/rr-full/plugins/shellbags.pl
@ -3,6 +3,7 @@
 # RR plugin to parse (Vista, Win7/Win2008R2) shell bags
 #
 # History:
 #   20150325 - updated parsing based on input from Eric Zimmerman
 #   20140728 - updated shell item 0x01 parsing
 #   20131216 - updated to support shell item type 0x52
 #   20130102 - updated to include type 0x35
@ -31,7 +32,7 @@
 # assistance with some parsing.
 #
 # License: GPL v3 
-# copyright 2012 Quantum Analytics Research, LLC
+# copyright 2015 Quantum Analytics Research, LLC
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 package shellbags;
@ -46,12 +47,12 @@ my %config = (hive          => "USRCLASS\.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
-              version       => 20130102);
+              version       => 20150325);
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives";	
+	return "Shell/BagMRU traversal in Win7 USRCLASS.DAT hives";	
 }
 sub getDescr{}
 sub getRefs {}
@ -72,6 +73,7 @@ my %cp_guids = ("{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}" => "Action Center",
    "{e2e7934b-dce5-43c4-9576-7fe4f75e7480}" => "Date and Time",
    "{00c6d95f-329c-409a-81d7-c46c66ea7f33}" => "Default Location",
    "{17cd9488-1228-4b2f-88ce-4298e93e0966}" => "Default Programs",
    "{b4bfcc3a-db2c-424c-b029-7fe99a87c641}" => "Desktop",
    "{37efd44d-ef8d-41b1-940d-96973a50e9e0}" => "Desktop Gadgets",
    "{74246bfc-4c96-11d0-abef-0020af6b0b7a}" => "Device Manager",
    "{a8a91a66-3a7d-4424-8d24-04e180695c7a}" => "Devices and Printers",
@ -136,18 +138,22 @@ my %folder_types = ("{724ef170-a42d-4fef-9f26-b60e846fba4f}" => "Administrative
    "{1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}" => "CSIDL_SYSTEM",
    "{b4bfcc3a-db2c-424c-b029-7fe99a87c641}" => "Desktop",
    "{7b0db17d-9cd2-4a93-9733-46cc89022e7c}" => "Documents Library",
    "{a8cdff1c-4878-43be-b5fd-f8091c1c60d0}" => "Documents",
    "{fdd39ad0-238f-46af-adb4-6c85480369c7}" => "Documents",
    "{374de290-123f-4565-9164-39c4925e467b}" => "Downloads",
    "{de61d971-5ebc-4f02-a3a9-6c82895e5c04}" => "Get Programs",
    "{a305ce99-f527-492b-8b1a-7e76fa98d6e4}" => "Installed Updates",
    "{871c5380-42a0-1069-a2ea-08002b30309d}" => "Internet Explorer (Homepage)",
    "{031e4825-7b94-4dc3-b131-e946b44c8dd5}" => "Libraries",
    "{2112ab0a-c86a-4ffe-a368-0de96e47012e}" => "Music",
    "{1cf1260c-4dd0-4ebb-811f-33c572699fde}" => "Music",
    "{4bd8d571-6d19-48d3-be97-422220080e43}" => "Music",
    "{20d04fe0-3aea-1069-a2d8-08002b30309d}" => "My Computer",
    "{450d8fba-ad25-11d0-98a8-0800361b1103}" => "My Documents",
    "{ed228fdf-9ea8-4870-83b1-96b02cfe0d52}" => "My Games",
    "{208d2c60-3aea-1069-a2d7-08002b30309d}" => "My Network Places",
    "{f02c1a0d-be21-4350-88b0-7367fc96ef3c}" => "Network", 
    "{3add1653-eb32-4cb0-bbd7-dfa0abb5acca}" => "Pictures",
    "{33e28130-4e1e-4676-835a-98395c3bc3bb}" => "Pictures",
    "{a990ae9f-a03b-4e80-94bc-9912d7504104}" => "Pictures",
    "{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}" => "Program Files (x86)",
@ -164,6 +170,7 @@ my %folder_types = ("{724ef170-a42d-4fef-9f26-b60e846fba4f}" => "Administrative
    "{9e52ab10-f80d-49df-acb8-4330f5687855}" => "Temporary Burn Folder",
    "{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}" => "Users Files",
    "{59031a47-3f72-44a7-89c5-5595fe6b30ee}" => "Users",
    "{a0953c92-50dc-43bf-be83-3742fed03c9c}" => "Videos",
    "{b5947d7f-b489-4fde-9e77-23780cc610d1}" => "Virtual Machines",
    "{f38bf404-1d43-42f2-9305-67de0b28fc23}" => "Windows");
@ -240,7 +247,7 @@ sub traverse {
 		}
 		elsif ($type == 0x2e) {
 # Device
-			%item = parseDeviceEntry($values{$v}); 		
+			%item = parseDeviceEntry($values{$v});		
 		}
 		elsif ($type == 0x2F) {
 # Volume (Drive Letter) 			
@ -260,10 +267,10 @@ sub traverse {
 		elsif ($type == 0x31 || $type == 0x32 || $type == 0xb1 || $type == 0x74) {
 # Folder or Zip File			
 			%item = parseFolderEntry($values{$v}); 
 # 			probe($values{$v});
 		}
 		elsif ($type == 0x35) {
 			%item = parseFolderEntry2($values{$v});
 			probe($values{$v});
 		}
 		elsif ($type == 0x71) {
 # Control Panel
@ -387,35 +394,13 @@ sub parseVariableEntry {
 	  			my $num = unpack("V",substr($stuff,$cnt + 13,4));
 	  			my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
-	  			$str =~ s/\00//g;
+	  			$str =~ s/\x00//g;
 	  			$item{name} = $str;
 	  		}
 	  		$cnt += $sz;
 	  	}
 	  }
-	  
+	 
 #		if (exists $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"}) {
 #			my $stuff = $segs{"{5cbf2787-48cf-4208-b90e-ee5e5d420294}"};
 #	  	my $tag = 1;
 #	  	my $cnt = 0x10;
 #	  	while($tag) {
 #	  		my $sz = unpack("V",substr($stuff,$cnt,4));
 #	  		my $id = unpack("V",substr($stuff,$cnt + 4,4));
 #	  		
 #	  		if ($sz == 0x00) {
 #	  			$tag = 0;
 #	  			next;
 #	  		}
 #	  		elsif ($id == 0x19) {
 #	  			
 #	  			my $num = unpack("V",substr($stuff,$cnt + 13,4));
 #	  			my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
 #	  			$str =~ s/\00//g;
 #	  			$item{name} = $str;
 #	  		}
 #	  		$cnt += $sz;
 #	  	}
 #		}
 	}
 	elsif (substr($data,4,4) eq "AugM") {
 		%item = parseFolderEntry($data);
@ -424,12 +409,26 @@ sub parseVariableEntry {
 	elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) {
 		my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12));
 		$item{name} = substr($data,0x4a,$sz1 * 2);
-		$item{name} =~ s/\00//g;
+		$item{name} =~ s/\x00//g;
 	}
 	elsif ($tag == 0x02 || $tag == 0x03) {
 		my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16));
 		$item{name} = substr($data,0x36,$sz1 * 2);
-		$item{name} =~ s/\00//g;
+		$item{name} =~ s/\x00//g;
 	}
 	elsif (unpack("v",substr($data,6,2)) == 0x05) {
 		my $o = 0x26;
 		my $t = 1;
 		while ($t) {
 			my $i = substr($data,$o,1);
 			if ($i =~ m/\x00/) {
 				$t = 0;
 			}
 			else {
 				$item{name} .= $i;
 				$o++;
 			}
 		}	
 	}
 	else {
 		$item{name} = "Unknown Type";	
@ -446,7 +445,7 @@ sub parseNetworkEntry {
 	my %item = ();	
 	$item{type} = unpack("C",substr($data,2,1));
-	my @n = split(/\00/,substr($data,4,length($data) - 4));
+	my @n = split(/\x00/,substr($data,4,length($data) - 4));
 	$item{name} = $n[0];
 	return %item;
 }
@ -463,13 +462,13 @@ sub parseZipSubFolderItem {
 # Get the opened/accessed date/time	
 	$item{datetime} = substr($data,0x24,6);
-	$item{datetime} =~ s/\00//g;
+	$item{datetime} =~ s/\x00//g;
 	if ($item{datetime} eq "N/A") {
 	}
 	else {
 		$item{datetime} = substr($data,0x24,40);
-		$item{datetime} =~ s/\00//g;
+		$item{datetime} =~ s/\x00//g;
 		my ($date,$time) = split(/\s+/,$item{datetime},2);
 		my ($mon,$day,$yr) = split(/\//,$date,3);
 		my ($hr,$min,$sec) = split(/:/,$time,3);
@ -482,9 +481,9 @@ sub parseZipSubFolderItem {
 	my $sz2 = unpack("V",substr($data,0x58,4));
 	my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0);
-	$str1 =~ s/\00//g;
+	$str1 =~ s/\x00//g;
 	my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0);
-	$str2 =~ s/\00//g;
+	$str2 =~ s/\x00//g;
 	if ($sz2 > 0) {
 		$item{name} = $str1."\\".$str2;
@ -547,10 +546,10 @@ sub parseURIEntry {
 	my $sz = unpack("V",substr($data,0x2a,4));
 	my $uri = substr($data,0x2e,$sz);
-	$uri =~ s/\00//g;
+	$uri =~ s/\x00//g;
 	my $proto = substr($data,length($data) - 6, 6);
-	$proto =~ s/\00//g;
+	$proto =~ s/\x00//g;
 	$item{name} = $proto."://".$uri." [".gmtime($item{uritime})."]";
@ -600,7 +599,18 @@ sub parseGUID {
  my $d3 = unpack("v",substr($data,6,2));
 	my $d4 = unpack("H*",substr($data,8,2));
  my $d5 = unpack("H*",substr($data,10,6));
-  return sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3;
+  my $guid = sprintf "{%08x-%x-%x-$d4-$d5}",$d1,$d2,$d3;
  if (exists $cp_guids{$guid}) {
  	return "CLSID_".$cp_guids{$guid};
  }
  elsif (exists $folder_types{$guid}) {
  	return "CLSID_".$folder_types{$guid};
  }
  else {
  	return $guid;
  }
 }
 #-----------------------------------------------------------
@ -609,17 +619,47 @@ sub parseGUID {
 sub parseDeviceEntry {
 	my $data = shift;
 	my %item = ();
 	my $ofs = unpack("v",substr($data,4,2));
 	my $tag = unpack("V",substr($data,6,4));
-	my $userlen = unpack("V",substr($data,30,4));
+	if ($tag == 0) {
-	my $devlen  = unpack("V",substr($data,34,4));
+		my $guid1 = parseGUID(substr($data,$ofs + 6,16));
-	
+		my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16));
-	my $user    = substr($data,0x28,$userlen * 2);
+		$item{name} = $guid1."\\".$guid2
-	$user =~ s/\00//g;
+	}
-	
+	elsif ($tag == 2) {
-	my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2);
+		$item{name} = substr($data,0x0a,($ofs + 6) - 0x0a);
-	$dev =~ s/\00//g;
+		$item{name} =~ s/\x00//g;
-	
+	}
-	$item{name} = $user;
+	else {
    my $ver = unpack("C",substr($data,9,1));
 # Version 3 = XP    
    if ($ver == 3) {
    	my $guid1 = parseGUID(substr($data,$ofs + 6,16));
 			my $guid2 = parseGUID(substr($data,$ofs + 6 + 16,16));
 			$item{name} = $guid1."\\".$guid2
    }
 # Version 8 = Win7    
    elsif ($ver == 8) {
    	my $userlen = unpack("V",substr($data,30,4));
 			my $devlen  = unpack("V",substr($data,34,4));
 			my $user    = substr($data,0x28,$userlen * 2);
 			$user =~ s/\x00//g;
 			my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2);
 			$dev =~ s/\x00//g;
 			$item{name} = $user;	
    }
    elsif (unpack("C",substr($data,3,1)) == 0x80) {
    	$item{name} = parseGUID(substr($data,4,16));
    }
 # Version unknown    
    else { 
    	$item{name} = "Device Entry - Unknown Version";
    } 
 	}
 	return %item;
 }
@ -685,14 +725,14 @@ sub parseFolderEntry {
 	($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]);
 # Need to read in short name; nul-term ASCII
-#	$item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0];
+#	$item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0];
 	$ofs_shortname = $ofs_mdate + 6;	
 	my $tag = 1;
 	my $cnt = 0;
 	my $str = "";
 	while($tag) {
 		my $s = substr($data,$ofs_shortname + $cnt,1);
-		if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
+		if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
 			$tag = 0;
 		}
 		else {
@ -700,12 +740,12 @@ sub parseFolderEntry {
 			$cnt++;
 		}
 	}
-#	$str =~ s/\00//g;
+#	$str =~ s/\x00//g;
 	my $shortname = $str;
 	my $ofs = $ofs_shortname + $cnt + 1;
 # Read progressively, 1 byte at a time, looking for 0xbeef	
-	my $tag = 1;
+	$tag = 1;
-	my $cnt = 0;
+	$cnt = 0;
 	while ($tag) {
 		if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
 			$tag = 0;
@ -715,12 +755,13 @@ sub parseFolderEntry {
 		}
 	}
 	$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
 #	printf "Version: 0x%x\n",$item{extver};
 	$ofs = $ofs + $cnt + 2;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
 	$ofs += 4;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
 	my $jmp;
@ -733,6 +774,9 @@ sub parseFolderEntry {
 	elsif ($item{extver} == 0x08) {
 		$jmp = 30;
 	}
 	elsif ($item{extver} == 0x09) {
 		$jmp = 34;
 	}
 	else {}
 	if ($item{type} == 0x31 && $item{extver} >= 0x07) {
@ -747,9 +791,9 @@ sub parseFolderEntry {
 	$ofs += $jmp;
-	my $str = substr($data,$ofs,length($data) - 30);
+	$str = substr($data,$ofs,length($data) - 30);
-	my $longname = (split(/\00\00/,$str,2))[0];
+	my $longname = (split(/\x00\x00/,$str,2))[0];
-	$longname =~ s/\00//g;
+	$longname =~ s/\x00//g;
 	if ($longname ne "") {
 		$item{name} = $longname;
@ -821,6 +865,9 @@ sub parseFolderEntry2 {
 	if ($item{extver} == 0x03) {
 		$jmp = 8;
 	}
 	elsif ($item{extver} == 0x04) {
 		$jmp = 34;
 	}
 	elsif ($item{extver} == 0x07) {
 		$jmp = 26;
 	}
@ -840,9 +887,9 @@ sub parseFolderEntry2 {
 #	}
 #	::rptMsg("");
-	$item{name} = (split(/\00\00/,$str,2))[0];
+	$item{name} = (split(/\x00\x00/,$str,2))[0];
-	$item{name} =~ s/\13\20/\2D\00/;
+	$item{name} =~ s/\x13\x20/\x2D\x00/;
-	$item{name} =~ s/\00//g;
+	$item{name} =~ s/\x00//g;
 	return %item;
 }
@ -853,7 +900,7 @@ sub parseNetworkEntry {
 	my $data     = shift;
 	my %item = ();
 	$item{type} = unpack("C",substr($data,2,1));
-	my @names = split(/\00/,substr($data,5,length($data) - 5));
+	my @names = split(/\x00/,substr($data,5,length($data) - 5));
 	$item{name} = $names[0];
 	return %item;
 }
@ -865,9 +912,9 @@ sub parseDatePathItem {
 	my $data = shift;
 	my %item = ();
 	$item{datestr} = substr($data,0x18,30);
-	my ($file,$dir) = split(/\00\00/,substr($data,0x44,length($data) - 0x44));
+	my ($file,$dir) = split(/\x00\x00/,substr($data,0x44,length($data) - 0x44));
-	$file =~ s/\00//g;
+	$file =~ s/\x00//g;
-	$dir =~ s/\00//g;
+	$dir =~ s/\x00//g;
 	$item{name} = $dir.$file;
 	return %item;	
 }
@ -912,7 +959,7 @@ sub shellItem0x52 {
 			$cnt += 2;
 		}
 	}	
-	$item{name} =~ s/\00//g;
+	$item{name} =~ s/\x00//g;
 	if ($item{subtype} < 3) {
 		$ofs = 0x32 + $cnt + 2;
@ -922,7 +969,7 @@ sub shellItem0x52 {
 	}
 	$sz = unpack("V",substr($data,$ofs,4));
 	$item{str} = substr($data,$ofs + 4,$sz * 2);
-	$item{str} =~ s/\00//g;
+	$item{str} =~ s/\x00//g;
 	return %item;
 }
@ -1003,4 +1050,4 @@ sub getNum48 {
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/shellbags_test.pl
+++ b/thirdparty/rr-full/plugins/shellbags_test.pl
@ -358,7 +358,7 @@ sub parseFolderItem {
 	my $str = "";
 	while($tag) {
 		my $s = substr($data,$ofs_shortname + $cnt,1);
-		if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
+		if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
 			$tag = 0;
 		}
 		else {
@ -366,12 +366,12 @@ sub parseFolderItem {
 			$cnt++;
 		}
 	}
-#	$str =~ s/\00//g;
+#	$str =~ s/\x00//g;
 	my $shortname = $str;
 	my $ofs = $ofs_shortname + $cnt + 1;
 # Read progressively, 1 byte at a time, looking for 0xbeef	
-	my $tag = 1;
+	$tag = 1;
-	my $cnt = 0;
+	$cnt = 0;
 	while ($tag) {
 		if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
 			$tag = 0;
@ -383,10 +383,10 @@ sub parseFolderItem {
 	$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
 	$ofs = $ofs + $cnt + 2;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
 	$ofs += 4;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
 	my $jmp;
@ -403,9 +403,9 @@ sub parseFolderItem {
 	$ofs += $jmp;
-	my $str = substr($data,$ofs,length($data) - $ofs);
+	$str = substr($data,$ofs,length($data) - $ofs);
-	my $longname = (split(/\00\00/,$str,2))[0];
+	my $longname = (split(/\x00\x00/,$str,2))[0];
-	$longname =~ s/\00//g;
+	$longname =~ s/\x00//g;
 	if ($longname ne "") {
 		$item{name} = $longname;
@ -416,4 +416,4 @@ sub parseFolderItem {
 	return %item;
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/shellbags_tln.pl
+++ b/thirdparty/rr-full/plugins/shellbags_tln.pl
@ -47,7 +47,7 @@ my %config = (hive          => "USRCLASS\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Shell/BagMRU traversal in Win7 USRCLASS\.DAT hives";	
+	return "Shell/BagMRU traversal in Win7 USRCLASS.DAT hives";	
 }
 sub getDescr{}
 sub getRefs {}
@ -371,7 +371,7 @@ sub parseVariableEntry {
 	  			my $num = unpack("V",substr($stuff,$cnt + 13,4));
 	  			my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
-	  			$str =~ s/\00//g;
+	  			$str =~ s/\x00//g;
 	  			$item{name} = $str;
 	  		}
 	  		$cnt += $sz;
@ -394,7 +394,7 @@ sub parseVariableEntry {
 #	  			
 #	  			my $num = unpack("V",substr($stuff,$cnt + 13,4));
 #	  			my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
-#	  			$str =~ s/\00//g;
+#	  			$str =~ s/\x00//g;
 #	  			$item{name} = $str;
 #	  		}
 #	  		$cnt += $sz;
@ -408,12 +408,12 @@ sub parseVariableEntry {
 	elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) {
 		my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12));
 		$item{name} = substr($data,0x4a,$sz1 * 2);
-		$item{name} =~ s/\00//g;
+		$item{name} =~ s/\x00//g;
 	}
 	elsif ($tag == 0x02 || $tag == 0x03) {
 		my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16));
 		$item{name} = substr($data,0x36,$sz1 * 2);
-		$item{name} =~ s/\00//g;
+		$item{name} =~ s/\x00//g;
 	}
 	else {
 		$item{name} = "Unknown Type";	
@ -430,7 +430,7 @@ sub parseNetworkEntry {
 	my %item = ();	
 	$item{type} = unpack("C",substr($data,2,1));
-	my @n = split(/\00/,substr($data,4,length($data) - 4));
+	my @n = split(/\x00/,substr($data,4,length($data) - 4));
 	$item{name} = $n[0];
 	return %item;
 }
@ -447,13 +447,13 @@ sub parseZipSubFolderItem {
 # Get the opened/accessed date/time	
 	$item{datetime} = substr($data,0x24,6);
-	$item{datetime} =~ s/\00//g;
+	$item{datetime} =~ s/\x00//g;
 	if ($item{datetime} eq "N/A") {
 	}
 	else {
 		$item{datetime} = substr($data,0x24,40);
-		$item{datetime} =~ s/\00//g;
+		$item{datetime} =~ s/\x00//g;
 		my ($date,$time) = split(/\s+/,$item{datetime},2);
 		my ($mon,$day,$yr) = split(/\//,$date,3);
 		my ($hr,$min,$sec) = split(/:/,$time,3);
@ -466,9 +466,9 @@ sub parseZipSubFolderItem {
 	my $sz2 = unpack("V",substr($data,0x58,4));
 	my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0);
-	$str1 =~ s/\00//g;
+	$str1 =~ s/\x00//g;
 	my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0);
-	$str2 =~ s/\00//g;
+	$str2 =~ s/\x00//g;
 	if ($sz2 > 0) {
 		$item{name} = $str1."\\".$str2;
@ -507,10 +507,10 @@ sub parseURIEntry {
 	my $sz = unpack("V",substr($data,0x2a,4));
 	my $uri = substr($data,0x2e,$sz);
-	$uri =~ s/\00//g;
+	$uri =~ s/\x00//g;
 	my $proto = substr($data,length($data) - 6, 6);
-	$proto =~ s/\00//g;
+	$proto =~ s/\x00//g;
 	$item{name} = $proto."://".$uri;
@ -574,10 +574,10 @@ sub parseDeviceEntry {
 	my $devlen  = unpack("V",substr($data,34,4));
 	my $user    = substr($data,0x28,$userlen * 2);
-	$user =~ s/\00//g;
+	$user =~ s/\x00//g;
 	my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2);
-	$dev =~ s/\00//g;
+	$dev =~ s/\x00//g;
 	$item{name} = $user;
 	return %item;
@ -645,14 +645,14 @@ sub parseFolderEntry {
 	($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]);
 # Need to read in short name; nul-term ASCII
-#	$item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0];
+#	$item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0];
 	$ofs_shortname = $ofs_mdate + 6;	
 	my $tag = 1;
 	my $cnt = 0;
 	my $str = "";
 	while($tag) {
 		my $s = substr($data,$ofs_shortname + $cnt,1);
-		if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
+		if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
 			$tag = 0;
 		}
 		else {
@ -660,12 +660,12 @@ sub parseFolderEntry {
 			$cnt++;
 		}
 	}
-#	$str =~ s/\00//g;
+#	$str =~ s/\x00//g;
 	my $shortname = $str;
 	my $ofs = $ofs_shortname + $cnt + 1;
 # Read progressively, 1 byte at a time, looking for 0xbeef	
-	my $tag = 1;
+	$tag = 1;
-	my $cnt = 0;
+	$cnt = 0;
 	while ($tag) {
 		if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
 			$tag = 0;
@ -677,10 +677,10 @@ sub parseFolderEntry {
 	$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
 	$ofs = $ofs + $cnt + 2;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
 	$ofs += 4;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
 	my $jmp;
@ -693,9 +693,9 @@ sub parseFolderEntry {
 	$ofs += $jmp;
-	my $str = substr($data,$ofs,length($data) - 30);
+	$str = substr($data,$ofs,length($data) - 30);
-	my $longname = (split(/\00\00/,$str,2))[0];
+	my $longname = (split(/\x00\x00/,$str,2))[0];
-	$longname =~ s/\00//g;
+	$longname =~ s/\x00//g;
 	if ($longname ne "") {
 		$item{name} = $longname;
@ -745,7 +745,7 @@ sub parseNetworkEntry {
 	my $data     = shift;
 	my %item = ();
 	$item{type} = unpack("C",substr($data,2,1));
-	my @names = split(/\00/,substr($data,5,length($data) - 5));
+	my @names = split(/\x00/,substr($data,5,length($data) - 5));
 	$item{name} = $names[0];
 	return %item;
 }
@ -792,4 +792,4 @@ sub printData {
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/shellbags_xp.pl
+++ b/thirdparty/rr-full/plugins/shellbags_xp.pl
@ -50,7 +50,7 @@ my %config = (hive          => "NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Shell/BagMRU traversal in XP NTUSER\.DAT hives";	
+	return "Shell/BagMRU traversal in XP NTUSER.DAT hives";	
 }
 sub getDescr{}
 sub getRefs {}
@ -405,7 +405,7 @@ sub parseVariableEntry {
 	  			my $num = unpack("V",substr($stuff,$cnt + 13,4));
 	  			my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
-	  			$str =~ s/\00//g;
+	  			$str =~ s/\x00//g;
 	  			$item{name} = $str;
 	  		}
 	  		$cnt += $sz;
@ -428,7 +428,7 @@ sub parseVariableEntry {
 #	  			
 #	  			my $num = unpack("V",substr($stuff,$cnt + 13,4));
 #	  			my $str = substr($stuff,$cnt + 13 + 4,($num * 2));
-#	  			$str =~ s/\00//g;
+#	  			$str =~ s/\x00//g;
 #	  			$item{name} = $str;
 #	  		}
 #	  		$cnt += $sz;
@ -442,12 +442,12 @@ sub parseVariableEntry {
 	elsif ($tag == 0x7b || $tag == 0xbb || $tag == 0xfb) {
 		my ($sz1,$sz2,$sz3) = unpack("VVV",substr($data,0x3e,12));
 		$item{name} = substr($data,0x4a,$sz1 * 2);
-		$item{name} =~ s/\00//g;
+		$item{name} =~ s/\x00//g;
 	}
 	elsif ($tag == 0x02 || $tag == 0x03) {
 		my ($sz1,$sz2,$sz3,$sz4) = unpack("VVVV",substr($data,0x26,16));
 		$item{name} = substr($data,0x36,$sz1 * 2);
-		$item{name} =~ s/\00//g;
+		$item{name} =~ s/\x00//g;
 	}
 	else {
 		$item{name} = "Unknown Type";	
@ -464,7 +464,7 @@ sub parseNetworkEntry {
 	my %item = ();	
 	$item{type} = unpack("C",substr($data,2,1));
-	my @n = split(/\00/,substr($data,4,length($data) - 4));
+	my @n = split(/\x00/,substr($data,4,length($data) - 4));
 	$item{name} = $n[0];
 	return %item;
 }
@ -481,13 +481,13 @@ sub parseZipSubFolderItem {
 # Get the opened/accessed date/time	
 	$item{datetime} = substr($data,0x24,6);
-	$item{datetime} =~ s/\00//g;
+	$item{datetime} =~ s/\x00//g;
 	if ($item{datetime} eq "N/A") {
 	}
 	else {
 		$item{datetime} = substr($data,0x24,40);
-		$item{datetime} =~ s/\00//g;
+		$item{datetime} =~ s/\x00//g;
 		my ($date,$time) = split(/\s+/,$item{datetime},2);
 		my ($mon,$day,$yr) = split(/\//,$date,3);
 		my ($hr,$min,$sec) = split(/:/,$time,3);
@ -501,9 +501,9 @@ sub parseZipSubFolderItem {
 	my $sz2 = unpack("V",substr($data,0x58,4));
 	my $str1 = substr($data,0x5C,$sz *2) if ($sz > 0);
-	$str1 =~ s/\00//g;
+	$str1 =~ s/\x00//g;
 	my $str2 = substr($data,0x5C + ($sz * 2),$sz2 *2) if ($sz2 > 0);
-	$str2 =~ s/\00//g;
+	$str2 =~ s/\x00//g;
 	if ($sz2 > 0) {
 		$item{name} = $str1."\\".$str2;
@ -540,7 +540,7 @@ sub parseXPShellDeviceItem {
 	$item{timestamp} = ::getTime($t0,$t1);
 # starting at offset 0x18, read the null-term. string as the name value
 	my $str = substr($data,0x18,length($data) - 0x18);
-	$item{name} = (split(/\00/,$str))[0];
+	$item{name} = (split(/\x00/,$str))[0];
 	return %item;
 }
@ -558,10 +558,10 @@ sub parseURIEntry {
 	my $sz = unpack("V",substr($data,0x2a,4));
 	my $uri = substr($data,0x2e,$sz);
-	$uri =~ s/\00//g;
+	$uri =~ s/\x00//g;
 	my $proto = substr($data,length($data) - 6, 6);
-	$proto =~ s/\00//g;
+	$proto =~ s/\x00//g;
 	$item{name} = $proto."://".$uri." [".gmtime($item{uritime})."]";
@ -635,10 +635,10 @@ sub parseDeviceEntry {
 #	my $devlen  = unpack("V",substr($data,34,4));
 #	
 #	my $user    = substr($data,0x28,$userlen * 2);
-#	$user =~ s/\00//g;
+#	$user =~ s/\x00//g;
 #	
 #	my $dev = substr($data,0x28 + ($userlen * 2),$devlen * 2);
-#	$dev =~ s/\00//g;
+#	$dev =~ s/\x00//g;
 #	
 #	$item{name} = $user;
 	my $len = unpack("v",substr($data,0,2));
@ -718,14 +718,14 @@ sub parseFolderEntry {
 	($item{mtime_str},$item{mtime}) = convertDOSDate($m[0],$m[1]);
 # Need to read in short name; nul-term ASCII
-#	$item{shortname} = (split(/\00/,substr($data,12,length($data) - 12),2))[0];
+#	$item{shortname} = (split(/\x00/,substr($data,12,length($data) - 12),2))[0];
 	$ofs_shortname = $ofs_mdate + 6;	
 	my $tag = 1;
 	my $cnt = 0;
 	my $str = "";
 	while($tag) {
 		my $s = substr($data,$ofs_shortname + $cnt,1);
-		if ($s =~ m/\00/ && ((($cnt + 1) % 2) == 0)) {
+		if ($s =~ m/\x00/ && ((($cnt + 1) % 2) == 0)) {
 			$tag = 0;
 		}
 		else {
@ -733,12 +733,12 @@ sub parseFolderEntry {
 			$cnt++;
 		}
 	}
-#	$str =~ s/\00//g;
+#	$str =~ s/\x00//g;
 	my $shortname = $str;
 	my $ofs = $ofs_shortname + $cnt + 1;
 # Read progressively, 1 byte at a time, looking for 0xbeef	
-	my $tag = 1;
+	$tag = 1;
-	my $cnt = 0;
+	$cnt = 0;
 	while ($tag) {
 		if (unpack("v",substr($data,$ofs + $cnt,2)) == 0xbeef) {
 			$tag = 0;
@ -750,10 +750,10 @@ sub parseFolderEntry {
 	$item{extver} = unpack("v",substr($data,$ofs + $cnt - 4,2));
 	$ofs = $ofs + $cnt + 2;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{ctime_str},$item{ctime}) = convertDOSDate($m[0],$m[1]);
 	$ofs += 4;
-	my @m = unpack("vv",substr($data,$ofs,4));
+	@m = unpack("vv",substr($data,$ofs,4));
 	($item{atime_str},$item{atime}) = convertDOSDate($m[0],$m[1]);
 	my $jmp;
@ -770,9 +770,9 @@ sub parseFolderEntry {
 	$ofs += $jmp;
-	my $str = substr($data,$ofs,length($data) - 30);
+	$str = substr($data,$ofs,length($data) - 30);
-	my $longname = (split(/\00\00/,$str,2))[0];
+	my $longname = (split(/\x00\x00/,$str,2))[0];
-	$longname =~ s/\00//g;
+	$longname =~ s/\x00//g;
 	if ($longname ne "") {
 		$item{name} = $longname;
@ -863,9 +863,9 @@ sub parseFolderEntry2 {
 	}
 	::rptMsg("");
-	$item{name} = (split(/\00\00/,$str,2))[0];
+	$item{name} = (split(/\x00\x00/,$str,2))[0];
-	$item{name} =~ s/\13\20/\2D\00/;
+	$item{name} =~ s/\x13\x20/\x2D\x00/;
-	$item{name} =~ s/\00//g;
+	$item{name} =~ s/\x00//g;
 	return %item;
 }
@ -876,7 +876,7 @@ sub parseNetworkEntry {
 	my $data     = shift;
 	my %item = ();
 	$item{type} = unpack("C",substr($data,2,1));
-	my @names = split(/\00/,substr($data,5,length($data) - 5));
+	my @names = split(/\x00/,substr($data,5,length($data) - 5));
 	$item{name} = $names[0];
 	return %item;
 }
@ -890,7 +890,6 @@ sub printData {
 	my $data = shift;
 	my $len = length($data);
 	my $tag = 1;
 	my $cnt = 0;
 	my @display = ();
 	my $loop = $len/16;
@ -926,4 +925,4 @@ sub printData {
 	return @display;
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/shutdowncount.pl
+++ b/thirdparty/rr-full/plugins/shutdowncount.pl
@ -52,8 +52,7 @@ sub pluginmain {
 		return
 	}
-	my $key_path = $ccs."\\Control\\Watchdog\\Display";
+	$key_path = $ccs."\\Control\\Watchdog\\Display";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("ShutdownCount");
 		::rptMsg($key_path);
@ -80,4 +79,4 @@ sub pluginmain {
 		::logMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/skype.pl
+++ b/thirdparty/rr-full/plugins/skype.pl
@ -45,17 +45,13 @@ sub pluginmain {
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
 		::rptMsg("");
 		my $install;
 		eval {
-			my $v1 = $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified");
+			$install = $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data();
-                        if (defined $v1) {
+			::rptMsg("DonwloadLastModified = ".$install);
                            my $install = $v1->get_data()
                            ::rptMsg("DonwloadLastModified = ".$install);
                        }
                        else {
                            ::rptMsg("DonwloadLastModified value not found");
                        }
 		};
 		::rptMsg("DonwloadLastModified value not found: ".$@) if ($@);
 	}
 	else {
 		::rptMsg($key_path." not found.");
--- a/thirdparty/rr-full/plugins/software
+++ b/thirdparty/rr-full/plugins/software
@ -1,33 +1,61 @@
-# 20120528 *ALL* Plugins that apply on SOFTWARE hive, alphabetical order
+# 20161213 *ALL* Plugins that apply on SOFTWARE hive, alphabetical order
 ahaha
 appinitdlls
 apppaths
 apppaths_tln
 assoc
 at
 at_tln
 audiodev
 banner
 bho
 bitbucket
 btconfig
 clsid
 cmd_shell
 cmd_shell_tln
 codeid
 ctrlpnl
-defbrowser
+dcom
 dfrg
 direct
 direct_tln
 disablesr
 drivers32
 drwatson
 emdmgmt
 esent
 etos
 gauss
 gpohist
 gpohist_tln
 handler
 ie_version
 ie_zones
 imagefile
 init_dlls
 inprocserver
 installedcomp
 installer
 javasoft
 kb950582
 landesk
 landesk_tln
 lastloggedon
 lazyshell
 licenses
 logmein
 logmein_tln
 macaddr
 mrt
 msis
 netsh
 networkcards
 networklist
 networklist_tln
 networkuid
 opencandy
 port_dev
 product
 profilelist
 regback
@ -43,17 +71,28 @@ snapshot
 soft_run
 spp_clients
 sql_lastconnect
 srun_tln
 ssid
 startmenuinternetapps_lm
 susclient
 svchost
 systemindex
 teamviewer
 tracing
-uninstall
+tracing_tln
-urlzone
+trappoll
 uac
 uninstall
 uninstall_tln
 urlzone
 virut
-win_cv
+volinfocache
 wbem
 winbackup
 win_cv
 winevt
 winlogon
 winlogon_tln
 winnt_cv
 winver
-yahoo_lm
+yahoo_lm
--- a/thirdparty/rr-full/plugins/ssid.pl
+++ b/thirdparty/rr-full/plugins/ssid.pl
@ -109,8 +109,7 @@ sub pluginmain {
 # Now, go to the EAPOL key, locate the appropriate subkeys and parse out
 # any available SSIDs	
 # EAPOL is Extensible Authentication Protocol over LAN
-	my $key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces";
+	$key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("");
 		::rptMsg($key_path);
@ -182,4 +181,4 @@ sub parseEAPOLData {
 	return substr($data,0x14,$size);
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/stillimage.pl
+++ b/thirdparty/rr-full/plugins/stillimage.pl
@ -55,8 +55,7 @@ sub pluginmain {
 		return;
 	}
-	my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
+	$key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		my @subkeys = $key->get_list_of_subkeys();
@ -89,8 +88,7 @@ sub pluginmain {
 # http://msdn.microsoft.com/en-us/library/ms791870.aspx
 # StillImage logging levels
-	my $key_path = $ccs."\\Control\\StillImage\\Logging";
+	$key_path = $ccs."\\Control\\StillImage\\Logging";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("");
 		::rptMsg("StillImage Logging Level");
@ -111,4 +109,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/susclient.pl
+++ b/thirdparty/rr-full/plugins/susclient.pl
@ -90,8 +90,8 @@ sub parseSN {
 	my $sz     = unpack("C",substr($data,2,1));
 	$sn = substr($data,$offset,$sz);
-	$sn =~ s/\00//g;
+	$sn =~ s/\x00//g;
-	$sn =~ s/\20//g;
+	$sn =~ s/\x20//g;
 	return $sn;
 }
--- a/thirdparty/rr-full/plugins/system
+++ b/thirdparty/rr-full/plugins/system
@ -1,14 +1,19 @@
-# 20120528 *ALL* Plugins that apply on SYSTEM hive, alphabetical order
+# 20161213 *ALL* Plugins that apply on SYSTEM hive, alphabetical order
 appcertdlls
 appcompatcache
 appcompatcache_tln
 auditfail
 backuprestore
 bthport
 comfoo
 compname
 crashcontrol
 ddm
 devclass
 diag_sr
 disablelastaccess
 dllsearch
 dnschanger
 eventlog
 eventlogs
 fw_config
@ -17,29 +22,43 @@ ide
 imagedev
 kbdcrash
 legacy
 legacy_tln
 lsa_packages
 mountdev
 mountdev2
 netsvcs
 network
 nic
 nic_mst2
 nic2
 nic_mst2
 nolmhash
 pagefile
 pending
 phdet
 prefetch
-#This currently gets stuck in an infinite loop
+processor_architecture
-#productpolicy
+productpolicy
 producttype
 rdpnla
 rdpport
 regin
 remoteaccess
 routes
 safeboot
 securityproviders
 services
 shares
 shimcache
 shimcache_tln
 shutdown
 shutdowncount
 stillimage
 svc
 svc2
 svc_plus
 svcdll
 svc_plus
 svc_tln
 systemindex
 termcert
 termserv
 timezone
 usb
@ -47,5 +66,5 @@ usbdevices
 usbstor
 usbstor2
 usbstor3
 xpedition
 wpdbusenum
 xpedition
--- a/thirdparty/rr-full/plugins/termserv.pl
+++ b/thirdparty/rr-full/plugins/termserv.pl
@ -3,6 +3,7 @@
 # Plugin for Registry Ripper; 
 # 
 # Change history
 #   20160224 - added SysProcs info
 #   20131007 - updated with Sticky Keys info
 #   20130307 - updated with autostart locations
 #   20100713 - Updated to include additional values, based on references
@ -12,6 +13,7 @@
 # Category: Autostart
 #
 # References
 #   SysProcs - https://support.microsoft.com/en-us/kb/899867
 #   Change TS listening port number - http://support.microsoft.com/kb/187623
 #   Examining TS key - http://support.microsoft.com/kb/243215
 #   Win2K8 TS stops listening - http://support.microsoft.com/kb/954398
@ -30,7 +32,7 @@ my %config = (hive          => "System",
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
-              version       => 20130307);
+              version       => 20160224);
 sub getConfig{return %config}
 sub getShortDescr {
@ -149,6 +151,19 @@ sub pluginmain {
 			};
 			::rptMsg(" InitialProgram value not found\.") if ($@);
 # Added 20160224			
 			eval {
 				my $sys = $ts->get_subkey("SysProcs");
 				my @vals = $sys->get_list_of_values();
 				if ((scalar @vals) > 0) {
 					::rptMsg("SysProcs key values");
 					::rptMsg("LastWrite: ".gmtime($sys->get_timestamp())." Z");
 					foreach my $v (@vals) {
 						::rptMsg("  ".$v->get_name()." - ".$v->get_data());
 					}
 				} 
 			};
 # Sticky Keys info, added 20131007
 # ref: http://www.room362.com/blog/2012/5/25/sticky-keys-and-utilman-against-nla.html					
 			eval {
--- a/thirdparty/rr-full/plugins/timezone.pl
+++ b/thirdparty/rr-full/plugins/timezone.pl
@ -4,6 +4,7 @@
 # contents of the TimeZoneInformation key
 # 
 # Change history
 #   20160318 - added display of TimeZoneKeyName value
 #   20130830 - updated
 #   20080324 - created
 #
@ -24,7 +25,7 @@ my %config = (hive          => "System",
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
-              version       => 20130830);
+              version       => 20160318);
 sub getConfig{return %config}
 sub getShortDescr {
@ -73,6 +74,7 @@ sub pluginmain {
 				::rptMsg("  Bias           -> ".$b." (".($b/60)." hours)");
 				::rptMsg("  ActiveTimeBias -> ".$a." (".($a/60)." hours)");
 				::rptMsg("  TimeZoneKeyName-> ".$tz_vals{"TimeZoneKeyName"}) if exists ($tz_vals{"TimeZoneKeyName"});
 			}
 			else {
--- a/thirdparty/rr-full/plugins/trustrecords.pl
+++ b/thirdparty/rr-full/plugins/trustrecords.pl
@ -4,9 +4,11 @@
 #   the default security settings for the application 
 #
 # Change history
 #  20160224 - modified per Mari's blog post
 #  20120716 - created
 #
 # References
 #  http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
 #  ForensicArtifacts.com posting by Andrew Case:
 #    http://forensicartifacts.com/2012/07/ntuser-trust-records/
 #  http://archive.hack.lu/2010/Filiol-Office-Documents-New-Weapons-of-Cyberwarfare-slides.pdf
@ -18,15 +20,16 @@ package  trustrecords;
 use strict;
 my %config = (hive          => "NTUSER\.DAT",
 							category      => "User Activity",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
-              version       => 20120716);
+              version       => 20160224);
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Gets user's Office 2010 TrustRecords values";	
+	return "Get user's MSOffice TrustRecords values";	
 }
 sub getDescr{}
 sub getRefs {}
@ -34,7 +37,12 @@ sub getHive {return $config{hive};}
 sub getVersion {return $config{version};}
 my $VERSION = getVersion();
-
+my $office_version;
 my %vba = (1 => "Enable all macros",
           2 => "Disable all macros w/ notification",
           3 => "Disalbe all macros except dig. signed macros",
           4 => "Disalbe all macros w/o notification");
 sub pluginmain {
 	my $class = shift;
 	my $ntuser = shift;
@ -43,43 +51,63 @@ sub pluginmain {
 	my $root_key = $reg->get_root_key;
 	::rptMsg("trustrecords v.".$VERSION);
 	::rptMsg("");
 # First, let's find out which version of Office is installed
 	my @version;
 	my $key;
 	my $key_path = "Software\\Microsoft\\Office";
-	if (my $key = $root_key->get_subkey($key_path)) {
+	if ($key = $root_key->get_subkey($key_path)) {
 		my @subkeys = $key->get_list_of_subkeys();
 		foreach my $s (@subkeys) {
 			my $name = $s->get_name();
 			push(@version,$name) if ($name =~ m/^\d/);
 		}
 	}
-	
+# Determine MSOffice version in use	
 	my @v = reverse sort {$a<=>$b} @version;
-#	::rptMsg("Office version = ".$v[0]);
+	foreach my $i (@v) {
 		eval {
 			if (my $o = $key->get_subkey($i."\\User Settings")) {
 				$office_version = $i;
 			}
 		};
 	}
 # Now that we have the most recent version of Office installed, let's 
 # start looking at the various subkeys
 	my @apps = ("Word","PowerPoint","Excel","Access");	
-	my $key_path = "Software\\Microsoft\\Office\\".$v[0];
+	$key_path = "Software\\Microsoft\\Office\\".$office_version;
 	foreach my $app (@apps) {
-		my $app_path = $key_path."\\".$app."\\Security\\Trusted Documents";
+		::rptMsg("**".$app."**");
-		::rptMsg($app);
+		::rptMsg("-" x 10);
 		my $app_path = $key_path."\\".$app."\\Security";
 		eval {
 			if (my $sec = $root_key->get_subkey($app_path)) {
 				::rptMsg("Security key LastWrite: ".gmtime($sec->get_timestamp())." Z");
 				my $w = $sec->get_value("VBAWarnings")->get_data();
 				::rptMsg("VBAWarnings = ".$vba{$w});
 				::rptMsg("");
 			}
 		};
 # Trusted Documents/Trust Records		
 		$app_path = $key_path."\\".$app."\\Security\\Trusted Documents";
 		if (my $app_key = $root_key->get_subkey($app_path)) {
 			my $lastpurge = $app_key->get_value("LastPurgeTime")->get_data();
 			::rptMsg("LastPurgeTime = ".gmtime($lastpurge));
 			if (my $trust = $app_key->get_subkey("TrustRecords")) {
 				my @vals = $trust->get_list_of_values();
 				foreach my $v (@vals) {
-					my ($t0,$t1) = (unpack("VV",substr($v->get_data(),0,8)));
+					my $data = $v->get_data();
 					my ($t0,$t1) = (unpack("VV",substr($data,0,8)));
 					my $t = ::getTime($t0,$t1);
-					::rptMsg(gmtime($t)." -> ".$v->get_name());	
+					::rptMsg(gmtime($t)." Z : ".$v->get_name());	
 					my $e = unpack("V",substr($data, length($data) - 4, 4));
 					::rptMsg("**Enable Content button clicked.") if ($e == 2147483647);
 				}
 			}
 		}
 		::rptMsg("");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/trustrecords_tln.pl
+++ b/thirdparty/rr-full/plugins/trustrecords_tln.pl
@ -4,9 +4,11 @@
 #   the default security settings for the application 
 #
 # Change history
 #  20160224 - modified per Mari's blog post
 #  20120717 - created; modified from trustrecords.pl plugin
 #
 # References
 #  http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
 #  ForensicArtifacts.com posting by Andrew Case:
 #    http://forensicartifacts.com/2012/07/ntuser-trust-records/
 #  http://archive.hack.lu/2010/Filiol-Office-Documents-New-Weapons-of-Cyberwarfare-slides.pdf
@ -18,15 +20,16 @@ package  trustrecords_tln;
 use strict;
 my %config = (hive          => "NTUSER\.DAT",
              category      => "User Activity",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
-              version       => 20120717);
+              version       => 20160224);
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Gets user's Office 2010 TrustRecords values; TLN output";	
+	return "Get user's MSOffice TrustRecords values";	
 }
 sub getDescr{}
 sub getRefs {}
@ -34,6 +37,7 @@ sub getHive {return $config{hive};}
 sub getVersion {return $config{version};}
 my $VERSION = getVersion();
 my $office_version;
 sub pluginmain {
 	my $class = shift;
@ -45,8 +49,9 @@ sub pluginmain {
 #	::rptMsg("trustrecords v.".$VERSION);
 # First, let's find out which version of Office is installed
 	my @version;
 	my $key;
 	my $key_path = "Software\\Microsoft\\Office";
-	if (my $key = $root_key->get_subkey($key_path)) {
+	if ($key = $root_key->get_subkey($key_path)) {
 		my @subkeys = $key->get_list_of_subkeys();
 		foreach my $s (@subkeys) {
 			my $name = $s->get_name();
@ -54,33 +59,41 @@ sub pluginmain {
 		}
 	}
 # Determine MSOffice version in use	
 	my @v = reverse sort {$a<=>$b} @version;
-#	::rptMsg("Office version = ".$v[0]);
+	foreach my $i (@v) {
-	
+		eval {
 			if (my $o = $key->get_subkey($i."\\User Settings")) {
 				$office_version = $i;
 			}
 		};
 	}
 	::rptMsg("Version: ".$office_version);
 # Now that we have the most recent version of Office installed, let's 
 # start looking at the various subkeys
 	my @apps = ("Word","PowerPoint","Excel","Access");	
-	my $key_path = "Software\\Microsoft\\Office\\".$v[0];
+	$key_path = "Software\\Microsoft\\Office\\".$office_version;
 	foreach my $app (@apps) {
 		my $app_path = $key_path."\\".$app."\\Security\\Trusted Documents";
 #		::rptMsg($app);
 		if (my $app_key = $root_key->get_subkey($app_path)) {
 #			my $lastpurge = $app_key->get_value("LastPurgeTime")->get_data();
 #			::rptMsg("LastPurgeTime = ".gmtime($lastpurge));
 			if (my $trust = $app_key->get_subkey("TrustRecords")) {
 				my @vals = $trust->get_list_of_values();
 				foreach my $v (@vals) {
-					my ($t0,$t1) = (unpack("VV",substr($v->get_data(),0,8)));
+					my $data = $v->get_data();
 					my ($t0,$t1) = (unpack("VV",substr($data,0,8)));
 					my $t = ::getTime($t0,$t1);
-#					::rptMsg(gmtime($t)." -> ".$v->get_name());	
+					my $descr = "TrustRecords - ".$v->get_name();
-					::rptMsg($t."|REG|||TrustRecords - ".$v->get_name());
+					my $e = unpack("V",substr($data, length($data) - 4, 4));
 					$descr = $descr." [Enable Content button clicked]" if ($e == 2147483647);
 					::rptMsg($t."|REG|||".$descr);
 				}
 			}
 		}
 #		::rptMsg("");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/tsclient.pl
+++ b/thirdparty/rr-full/plugins/tsclient.pl
@ -71,8 +71,7 @@ sub pluginmain {
 	}
 	::rptMsg("");
-	my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
+	$key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -100,4 +99,4 @@ sub pluginmain {
 	}	
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/tsclient_tln.pl
+++ b/thirdparty/rr-full/plugins/tsclient_tln.pl
@ -64,8 +64,7 @@ sub pluginmain {
 	}
 	::rptMsg("");
-	my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
+	$key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 #		::rptMsg($key_path);
 #		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -94,4 +93,4 @@ sub pluginmain {
 	}	
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/uac.pl
+++ b/thirdparty/rr-full/plugins/uac.pl
@ -28,7 +28,7 @@ my %config = (hive => "Software",
 sub getConfig{return %config}
 sub getShortDescr {
-    return "Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";
+    return "Get Select User Account Control (UAC) Values from HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
 }
 sub getDescr{}
 sub getRefs {}
--- a/thirdparty/rr-full/plugins/uninstall.pl
+++ b/thirdparty/rr-full/plugins/uninstall.pl
@ -32,7 +32,7 @@ my %config = (hive          => "Software, NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Gets contents of Uninstall keys from Software, NTUSER\.DAT hives";	
+	return "Gets contents of Uninstall keys from Software, NTUSER.DAT hives";	
 }
 sub getDescr{}
 sub getRefs {}
@ -98,4 +98,4 @@ sub pluginmain {
 		}
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/uninstall_tln.pl
+++ b/thirdparty/rr-full/plugins/uninstall_tln.pl
@ -30,7 +30,7 @@ my %config = (hive          => "Software, NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Gets contents of Uninstall keys from Software, NTUSER\.DAT hives(TLN format)";	
+	return "Gets contents of Uninstall keys from Software, NTUSER.DAT hives(TLN format)";	
 }
 sub getDescr{}
 sub getRefs {}
@ -93,4 +93,4 @@ sub pluginmain {
 		}
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/urun_tln.pl
+++ b/thirdparty/rr-full/plugins/urun_tln.pl
@ -26,7 +26,7 @@ my %config = (hive          => "NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "[Autostart] Get autostart key contents from NTUSER\.DAT hive";	
+	return "[Autostart] Get autostart key contents from NTUSER.DAT hive";	
 }
 sub getDescr{}
 sub getRefs {
@ -165,4 +165,4 @@ sub getKeyValues {
 	return %vals;
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/usb.pl
+++ b/thirdparty/rr-full/plugins/usb.pl
@ -56,8 +56,7 @@ sub pluginmain {
 		return;
 	}
-	my $key_path = $ccs."\\Enum\\USB";
+	$key_path = $ccs."\\Enum\\USB";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("USBStor");
 		::rptMsg($key_path);
@ -119,4 +118,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/usbdevices.pl
+++ b/thirdparty/rr-full/plugins/usbdevices.pl
@ -54,8 +54,7 @@ sub pluginmain {
 		return;
 	}
-	my $key_path = $ccs."\\Enum\\USB";
+	$key_path = $ccs."\\Enum\\USB";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		my @subkeys = $key->get_list_of_subkeys();
@ -124,4 +123,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/usbstor.pl
+++ b/thirdparty/rr-full/plugins/usbstor.pl
@ -58,8 +58,7 @@ sub pluginmain {
 		return;
 	}
-	my $key_path = $ccs."\\Enum\\USBStor";
+	$key_path = $ccs."\\Enum\\USBStor";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg("USBStor");
 		::rptMsg($key_path);
@ -121,4 +120,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/usbstor2.pl
+++ b/thirdparty/rr-full/plugins/usbstor2.pl
@ -30,6 +30,8 @@ my $VERSION = getVersion();
 my $reg;
 sub pluginmain {
 	::logMsg("Launching usbstor2 v.".$VERSION);
 	::rptMsg("usbstor2 v.".$VERSION); # banner
 	my $class = shift;
 	my $hive = shift;
 	$reg = Parse::Win32Registry->new($hive);
@ -56,8 +58,7 @@ sub pluginmain {
 	};
 	$comp_name = "Test" if ($@);
-	my $key_path = $ccs."\\Enum\\USBStor";
+	$key_path = $ccs."\\Enum\\USBStor";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		my @subkeys = $key->get_list_of_subkeys();
@ -119,7 +120,7 @@ sub checkMountedDevices {
 				next unless ($name =~ m/^\\DosDevices/);
 				my $data = $v->get_data();
 				if (length($data) > 12) {
-					$data =~ s/\00//g; 
+					$data =~ s/\x00//g; 
 					return $name if (grep(/$pip/,$data));
 				}
 			}
@ -131,4 +132,4 @@ sub checkMountedDevices {
 	return undef;
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/usbstor3.pl
+++ b/thirdparty/rr-full/plugins/usbstor3.pl
@ -51,8 +51,7 @@ sub pluginmain {
 		return;
 	}
-	my $key_path = $ccs."\\Enum\\USBStor";
+	$key_path = $ccs."\\Enum\\USBStor";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 #		::rptMsg("USBStor");
 #		::rptMsg($key_path);
@ -100,4 +99,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/user_run.pl
+++ b/thirdparty/rr-full/plugins/user_run.pl
@ -33,7 +33,7 @@ my %config = (hive          => "NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "[Autostart] Get autostart key contents from NTUSER\.DAT hive";	
+	return "[Autostart] Get autostart key contents from NTUSER.DAT hive";	
 }
 sub getDescr{}
 sub getRefs {
@ -203,4 +203,4 @@ sub alertCheckADS {
 	my $last = $list[scalar(@list) - 1];
 	::alertMsg("ALERT: user_run: Poss. ADS found in path: ".$path) if grep(/:/,$last);
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/userassist.pl
+++ b/thirdparty/rr-full/plugins/userassist.pl
@ -5,6 +5,7 @@
 # UserAssist values 
 #
 # Change history
 #  20170304 - removed alerts, added printing of values with no timestamps in the data
 #  20130603 - added alert functionality
 #  20100322 - Added CLSID list reference
 #  20100308 - created, based on original userassist.pl plugin
@ -13,7 +14,7 @@
 #  Control Panel Applets - http://support.microsoft.com/kb/313808
 #  CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm
 # 
-# copyright 2010 Quantum Analytics Research, LLC
+# copyright 2017 Quantum Analytics Research, LLC
 #-----------------------------------------------------------
 package userassist;
 use strict;
@ -23,12 +24,7 @@ my %config = (hive          => "NTUSER\.DAT",
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
-              version       => 20130603);
+              version       => 20170204);
 my @paths = ("recycle","globalroot","temp","system volume information","appdata",
 	              "application data");
 my @alerts = ();
 sub getConfig{return %config}
 sub getShortDescr {
@ -44,7 +40,7 @@ my $VERSION = getVersion();
 sub pluginmain {
 	my $class = shift;
 	my $ntuser = shift;
-	::logMsg("Launching userassist2 v.".$VERSION);
+	::logMsg("Launching userassist v.".$VERSION);
 	my $reg = Parse::Win32Registry->new($ntuser);
 	my $root_key = $reg->get_root_key;
@ -78,7 +74,8 @@ sub processKey {
 	my $key = $ua->get_subkey("Count");
-	my %ua;
+	my %ua = ();
 	my @no_time = ();
 	my $hrzr = "HRZR";
 	my @vals = $key->get_list_of_values();
@ -98,6 +95,9 @@ sub processKey {
 					$count -= 5 if ($count > 5);
 					push(@{$ua{$time_value}},$value_name." (".$count.")");
 				}
 				else {
 					push(@no_time,$value_name);
 				}
 			}
 # Windows 7				
 			elsif (length($data) == 72) { 
@ -112,9 +112,16 @@ sub processKey {
 #				}
 				my $count = unpack("V",substr($data,4,4));
 				my @t = unpack("VV",substr($data,60,8));
-				next if ($t[0] == 0 && $t[1] == 0);
+				if ($t[0] == 0 && $t[1] == 0) {
-				my $time_val = ::getTime($t[0],$t[1]);	
+					push(@no_time,$value_name);
-				push(@{$ua{$time_val}},$value_name." (".$count.")");
+				}
 				else {
 #				
 #				print "Value name: ".$value_name."\n";
 #				
 					my $time_val = ::getTime($t[0],$t[1]);
 					push(@{$ua{$time_val}},$value_name." (".$count.")");
 				}
 			}
 			else {
 # Nothing else to do
@ -124,22 +131,14 @@ sub processKey {
 			::rptMsg(gmtime($t)." Z");
 			foreach my $i (@{$ua{$t}}) {
 				::rptMsg("  ".$i);
 				my $lci = lc($i);
 				foreach my $a (@paths) {
 					push(@alerts,"ALERT: userassist: ".$a." found in path: ".$i) if (grep(/$a/,$lci));
 				}
 			}
 		}
-	}
+		::rptMsg("");
-	
+		::rptMsg("Value names with no time stamps:");
-	if (scalar(@alerts) > 0) {
+		foreach my $n (@no_time) {
-		print "\n";
+			::rptMsg("  ".$n);
 		print "Alerts:\n";
 		foreach (@alerts) {
 			::alertMsg($_);
 		}
 	}
 }
 1;
--- a/thirdparty/rr-full/plugins/usrclass
+++ b/thirdparty/rr-full/plugins/usrclass
@ -1,3 +1,5 @@
-# 20120918 *ALL* Plugins that apply on USRCLASS hive, alphabetical order
+# 20161213 *ALL* Plugins that apply on USRCLASS hive, alphabetical order
-muicache
+cmd_shell_u
-shellbags
+photos
 shellbags
 shellbags_tln
--- a/thirdparty/rr-full/plugins/vista_bitbucket.pl
+++ b/thirdparty/rr-full/plugins/vista_bitbucket.pl
@ -23,7 +23,7 @@ my %config = (hive          => "NTUSER\.DAT",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Get BitBucket settings from Vista via NTUSER\.DAT";	
+	return "Get BitBucket settings from Vista via NTUSER.DAT";	
 }
 sub getDescr{}
 sub getRefs {}
@ -93,4 +93,4 @@ sub pluginmain {
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/vncviewer.pl
+++ b/thirdparty/rr-full/plugins/vncviewer.pl
@ -72,8 +72,7 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
-	my $key_path = "Software\\RealVNC\\VNCViewer4\\MRU";
+	$key_path = "Software\\RealVNC\\VNCViewer4\\MRU";
 	my $key; 
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg($key_path);
 		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -103,4 +102,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/wallpaper.pl
+++ b/thirdparty/rr-full/plugins/wallpaper.pl
@ -85,8 +85,8 @@ sub pluginmain {
 #-----------------------------------------------------------
 sub getStringValue {
 	my $bin = shift;
-	my $str = (split(/\00\00/,$bin,2))[0];
+	my $str = (split(/\x00\x00/,$bin,2))[0];
-	$str =~ s/\00//g;
+	$str =~ s/\x00//g;
 	return $str;
 }
 1;
--- a/thirdparty/rr-full/plugins/winbackup.pl
+++ b/thirdparty/rr-full/plugins/winbackup.pl
@ -136,8 +136,7 @@ sub pluginmain {
 #status
  ::rptMsg("");
-  my $key_path = "Microsoft\\Windows\\CurrentVersion\\WindowsBackup\\Status";
+	$key_path = "Microsoft\\Windows\\CurrentVersion\\WindowsBackup\\Status";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 #		::rptMsg("{name}");
 		::rptMsg($key_path);
@ -208,4 +207,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/winevt.pl
+++ b/thirdparty/rr-full/plugins/winevt.pl
@ -25,8 +25,9 @@ my %config = (hive          => "Software",
 sub getConfig{return %config}
 sub getShortDescr {
-	return "Get the Windows event log policy from the Winevt'\'Channels key";	
+	return "Get the Windows event log policy from the Winevt\\Channels key";	
 }
 sub getDescr{}
 sub getRefs {}
 sub getHive {return $config{hive};}
@ -44,14 +45,10 @@ sub pluginmain {
 	my $hive = shift;
 	my $reg = Parse::Win32Registry->new($hive);
-sub getShortDescr {
+	my $root_key = $reg->get_root_key;
-	return "Get the Windows event log policy from the Winevt\Channels key";	
+	my $key_path = "Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels";
-}
+	my $key;
-	
+	if ($key = $root_key->get_subkey($key_path)) {
 my $root_key = $reg->get_root_key;
 my $key_path = "Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels";
 my $key;
 if ($key = $root_key->get_subkey($key_path)) {
 	::rptMsg("");
 	::rptMsg($key_path);
 	::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
@ -82,4 +79,4 @@ if ($key = $root_key->get_subkey($key_path)) {
 	}
 }
-1;
+1;
--- a/thirdparty/rr-full/plugins/winnt_cv.pl
+++ b/thirdparty/rr-full/plugins/winnt_cv.pl
@ -4,6 +4,8 @@
 # Output sorted based on length of data
 #
 # Change History:
 # 20161123: added translation of InstallTime time (found in Win10) - Phill Moore, randomaccess3@gmail.com
 #			InstallTime should match InstallDate
 # 20080609: added translation of InstallDate time
 #
 # copyright 2008 H. Carvey, keydet89@yahoo.com
@ -16,7 +18,7 @@ my %config = (hive          => "Software",
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
-              version       => 20080609);
+              version       => 20161123);
 sub getConfig{return %config}
 sub getShortDescr {
@ -51,6 +53,12 @@ sub pluginmain {
 				my $name = $v->get_name();
 				my $data = $v->get_data();
 				$data = gmtime($data)." (UTC)" if ($name eq "InstallDate");
 				if ($name eq "InstallTime"){ 
 					my @t = unpack("VV",$data); 
 					$data = gmtime(::getTime($t[0],$t[1]))." (UTC)"; 
 				}
 				my $len  = length($data);
 				next if ($name eq "");
 				if ($v->get_type() == 3) {
--- a/thirdparty/rr-full/plugins/wordwheelquery.pl
+++ b/thirdparty/rr-full/plugins/wordwheelquery.pl
@ -57,7 +57,7 @@ sub pluginmain {
 				}
 				else {
 					my $data = $v->get_data();
-					$data =~ s/\00//g;
+					$data =~ s/\x00//g;
 					$wwq{$name} = $data;
 				}
 			}
--- a/thirdparty/rr-full/plugins/wpdbusenum.pl
+++ b/thirdparty/rr-full/plugins/wpdbusenum.pl
@ -59,8 +59,7 @@ sub pluginmain {
 		return;
 	}
-	my $key_path = $ccs."\\Enum\\WpdBusEnumRoot";
+	$key_path = $ccs."\\Enum\\WpdBusEnumRoot";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		my @subkeys = $key->get_list_of_subkeys();
@ -129,8 +128,7 @@ sub pluginmain {
 # number of references to USBOblivion, a tool described as being able to wipe
 # out (all) indications of USB removable storage devices being connected to
 # the system.
-	my $key_path = $ccs."\\Control\\DeviceClasses\\{10497b1b-ba51-44e5-8318-a65c837b6661}";
+	$key_path = $ccs."\\Control\\DeviceClasses\\{10497b1b-ba51-44e5-8318-a65c837b6661}";
 	my $key;
 	if ($key = $root_key->get_subkey($key_path)) {
 		::rptMsg($key_path);
 		my @subkeys = $key->get_list_of_subkeys();
@ -156,4 +154,4 @@ sub pluginmain {
 		::rptMsg($key_path." not found.");
 	}
 }
-1;
+1;