1)hivelist: Find and list available registry hives.

Example: vol.py hivelist

This command allows users to find and display a list of the available registry hives, which are files that contain the data stored in the registry.

2)hivedump: Print all keys and subkeys in a hive.

Example: vol.py hivedump –o 0xe1a14b60

This command allows users to print out all of the keys and subkeys in a specific registry hive. The -o flag specifies the offset of the hive to dump, which is the virtual address where the hive is stored in memory.

3)printkey: Output a registry key, subkeys, and values.

 Example: vol.py printkey –K "Microsoft\Windows\CurrentVersion\Run"

This command allows users to output a specific registry key, along with its subkeys and values. The -K flag specifies the path of the key to output.

4)dumpregistry: Extract all available registry hives.

 Example: vol.py dumpregistry --dump-dir ./output

This command allows users to extract all available registry hives and save them to a specified directory. The -o flag specifies the virtual offset of the hive to extract, and the --dump-dir flag specifies the directory to save the extracted files.

5)userassist: Find and parse userassist key values.

Example: vol.py userassist

This command allows users to find and parse the values of the userassist key in the registry, which stores information about programs that are automatically run when a user logs in.

6)hashdump: Dump user NTLM and Lanman hashes.

Example: vol.py hashdump

This command allows users to dump the NTLM and Lanman hashes of user accounts, which can be used to crack passwords.

7)autoruns: Map ASEPs to running processes.

Example: vol.py autoruns -v

This command allows users to map Autostart Extensibility Points (ASEPs) to running processes, which can be used to identify programs that are automatically started when the system boots up. The -v flag specifies that the command should show everything.