:py:mod:`dissect.target.plugins.os.windows.registry`
====================================================

.. py:module:: dissect.target.plugins.os.windows.registry


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.registry.RegistryPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.registry.CONTROLSET_REGEX


.. py:data:: CONTROLSET_REGEX


.. py:class:: RegistryPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Provides registry access for Windows targets.

   Acts much the same way as the registry on a live Windows machine.
   Hives are correctly mapped under e.g. ``HKLM\SOFTWARE``.

   Internal functions only.

   .. py:attribute:: __namespace__
      :value: 'registry'

      Defines the plugin namespace.

   .. py:attribute:: SHORTNAMES
      :type: Final[dict[str, str]]

   .. py:attribute:: MAPPINGS
      :type: Final[dict[str, str]]

   .. py:attribute:: SYSTEM
      :value: ('SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM', 'COMPONENTS', 'DEFAULT', 'ELAM', 'USER.DAT',...

   .. py:attribute:: key

   .. py:method:: load_user_hives() -> None

      Load and map the user hives present in the target.

   .. py:method:: add_hive(name: str, location: str, hive: dissect.target.helpers.regutil.RegistryHive, path: dissect.target.helpers.fsutil.TargetPath) -> None

      Register and add a hive to a specific location in the root hive.

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:property:: controlsets
      :type: list[str]

      Return a list of the different ControlSet names.

   .. py:method:: root() -> dissect.target.helpers.regutil.KeyCollection

      Returns the root of the virtual registry.

   .. py:method:: value(key: str, value: str) -> dissect.target.helpers.regutil.ValueCollection

      Convenience method for accessing a specific value.

   .. py:method:: subkey(key: str, subkey: str) -> dissect.target.helpers.regutil.KeyCollection

      Convenience method for accessing a specific subkey.

   .. py:method:: keys(keys: str | collections.abc.Iterable[str]) -> collections.abc.Iterator[dissect.target.helpers.regutil.RegistryKey]

      Yields all keys that match the given queries.

      Automatically resolves CurrentVersion keys. Also flattens KeyCollections.

   .. py:method:: values(keys: str | collections.abc.Iterable[str], value: str | collections.abc.Iterable[str]) -> collections.abc.Iterator[dissect.target.helpers.regutil.RegistryValue]

      Yields all values that match the given queries.

      Automatically resolves CurrentVersion keys. Also flattens ValueCollections.

   .. py:method:: iterhives() -> collections.abc.Iterator[tuple[str, dissect.target.helpers.regutil.RegistryHive, dissect.target.helpers.fsutil.TargetPath]]

      Returns an iterator for all hives.

      Items are tuples with three members: (name, hive, path)

   .. py:method:: mappings() -> dict[str, str]

      Return hive mappings.

   .. py:method:: get_user_details(key: dissect.target.helpers.regutil.RegistryKey | dissect.target.helpers.regutil.RegistryValue) -> dissect.target.plugins.general.users.UserDetails | None

      Return user details for the user who owns a registry hive that contains the provided key.

   .. py:method:: get_user(key: dissect.target.helpers.regutil.RegistryKey | dissect.target.helpers.regutil.RegistryValue) -> dissect.target.helpers.record.WindowsUserRecord | None

      Return user record for the user who owns a registry hive that contains the provided key.

   .. py:method:: glob_ext(pattern: str) -> collections.abc.Iterator[dissect.target.helpers.regutil.KeyCollection]