`dissect.target.helpers.regutil`#

Registry related abstractions

Module Contents#

Classes#

`RegistryHive`	Base class for registry hives.
`RegistryKey`	Base class for registry keys.
`RegistryValue`	Base class for registry values.
`VirtualHive`	Virtual hive implementation.
`VirtualKey`	Virtual key implementation.
`VirtualValue`	Virtual value implementation.
`HiveCollection`	Hive implementation that is backed by multiple hives.
`KeyCollection`	Key implementation that is backed by multiple keys.
`ValueCollection`	Value implementation that is backed by multiple values.
`RegfHive`	Registry implementation for regf hives.
`RegfKey`	Key implementation for regf keys.
`RegfValue`	Value implementation for regf values.
`RegFlex`	A parser for text registry dumps (.reg files).
`RegFlexHive`	Virtual hive implementation.
`RegFlexKey`	Virtual key implementation.
`RegFlexValue`	Virtual value implementation.

Functions#

parse_flex_value

Parse values from text registry exports.

Attributes#

ValueType

The possible value types that can be returned from the registry.

dissect.target.helpers.regutil.ValueType#: The possible value types that can be returned from the registry.

class dissect.target.helpers.regutil.RegistryHive#

Base class for registry hives.

root() → RegistryKey#: Return the root key of the hive.

abstract key(key: str) → RegistryKey#

Retrieve a registry key from a specific path.

Parameters:: key – A path to a registry key within this hive.
Raises:: RegistryKeyNotFoundError – If the registry key could not be found.

keys(keys: Union[str, list[str]]) → Iterator[RegistryKey]#

Retrieve all the registry keys in this hive from the given paths.

Parameters:: keys – A single path to find, or a list of paths to iterate over.

class dissect.target.helpers.regutil.RegistryKey(hive: Optional[RegistryHive] = None)#

Base class for registry keys.

Parameters:: hive – The registry hive to which this registry key belongs.

property ts: datetime.datetime#: Returns the last modified timestamp of this key.

abstract property name: str#: Returns the name of this key.

abstract property class_name: str#: Returns the class name of this key.

abstract property path: str#: Returns the path of this key.

abstract property timestamp: datetime.datetime#: Returns the last modified timestamp of this key.

abstract subkey(subkey: str) → RegistryKey#

Returns a specific subkey from this key.

Parameters:: subkey – The name of the subkey to retrieve.
Raises:: RegistryKeyNotFoundError – If this key has no subkey with the requested name.

abstract subkeys() → list[RegistryKey]#: Returns a list of subkeys from this key.

abstract value(value: str) → RegistryValue#

Returns a specific value from this key.

Parameters:: value – The name of the value to retrieve.
Raises:: RegistryValueNotFoundError – If this key has no value with the requested name.

abstract values() → list[RegistryValue]#: Returns a list of all the values from this key.

__repr__()#: Return repr(self).

class dissect.target.helpers.regutil.RegistryValue(hive: Optional[RegistryHive] = None)#

Base class for registry values.

Parameters:: hive – The registry hive to which this registry value belongs.

abstract property name: str#: Returns the name of this value.

abstract property value: ValueType#: Returns the value of this value.

abstract property type: int#

Returns the type of this value.

Reference:

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types

__repr__()#: Return repr(self).

class dissect.target.helpers.regutil.VirtualHive#

Bases: RegistryHive

Virtual hive implementation.

make_keys(path: str) → VirtualKey#

Create a key structure in this virtual hive from the given path.

path must be a valid registry path to some arbitrary key in the registry. This method will traverse all the components of the path and create a key if it does not already exist.

Example

The path test\data\something\ becomes:

"" <- root node
├─ test
|  ├─ data
|  |  ├─ something

Parameters:: path – The registry path to create a key structure for.
Returns:: The VirtualKey for the last path component.

map_hive(path: str, hive: RegistryHive) → None#

Map a different registry hive to a path in this registry hive.

Future traversals to this path will continue from the root of the mapped hive.

Parameters:

path – The path at which to map the registry hive.
hive – The hive to map to the path.

map_key(path: str, key: RegistryKey) → None#

Map an arbitrary RegistryKey to a path in this hive.

Parameters:

path – The path at which to map the registry key.
key – The RegistryKey to map in this hive.

map_value(path: str, name: str, value: Union[ValueType, RegistryValue]) → None#

Map an arbitrary value to a path and value name in this hive.

Parameters:

path – The path to the registry key that should hold the value.
name – The name at which to store the value.
value – The value to map to the specified location.

root() → RegistryKey#: Return the root key of the hive.

key(key: str) → RegistryKey#

Retrieve a registry key from a specific path.

Parameters:: key – A path to a registry key within this hive.
Raises:: RegistryKeyNotFoundError – If the registry key could not be found.

__repr__()#: Return repr(self).

class dissect.target.helpers.regutil.VirtualKey(hive: RegistryHive, path: str, class_name: Optional[str] = None)#

Bases: RegistryKey

Virtual key implementation.

property name: str#: Returns the name of this key.

property class_name: str#: Returns the class name of this key.

property path: str#: Returns the path of this key.

property timestamp: datetime.datetime#: Returns the last modified timestamp of this key.

__contains__(key: str) → bool#

add_subkey(name: str, key: str)#: Add a subkey to this key.

add_value(name: str, value: Union[ValueType, RegistryValue])#: Add a value to this key.

subkey(subkey: str) → RegistryKey#

Returns a specific subkey from this key.

Parameters:: subkey – The name of the subkey to retrieve.
Raises:: RegistryKeyNotFoundError – If this key has no subkey with the requested name.

subkeys() → list[RegistryKey]#: Returns a list of subkeys from this key.

value(value: str) → RegistryValue#

Returns a specific value from this key.

Parameters:: value – The name of the value to retrieve.
Raises:: RegistryValueNotFoundError – If this key has no value with the requested name.

values() → list[RegistryValue]#: Returns a list of all the values from this key.

class dissect.target.helpers.regutil.VirtualValue(hive: RegistryHive, name: str, value: ValueType)#

Bases: RegistryValue

Virtual value implementation.

property name: str#: Returns the name of this value.

property value: ValueType#: Returns the value of this value.

property type: int#

Returns the type of this value.

Reference:

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types

class dissect.target.helpers.regutil.HiveCollection(hives: Optional[list[RegistryHive]] = None)#

Bases: RegistryHive

Hive implementation that is backed by multiple hives.

The idea here is that you can open multiple version of the same hive (one regular, one with .LOG replayed and one RegBack). When opening a key, it would (try to) open it on every hive and return them in a KeyCollection.

__len__()#

__iter__()#

__getitem__(index: int)#

add(hive: RegistryHive) → None#

key(key: str) → KeyCollection#

Retrieve a registry key from a specific path.

Parameters:: key – A path to a registry key within this hive.
Raises:: RegistryKeyNotFoundError – If the registry key could not be found.

keys(keys: Union[list, str]) → Iterator[RegistryKey]#

Retrieve all the registry keys in this hive from the given paths.

Parameters:: keys – A single path to find, or a list of paths to iterate over.

iterhives() → Iterator[RegistryHive]#

class dissect.target.helpers.regutil.KeyCollection(keys: Optional[list[RegistryKey]] = None)#

Bases: RegistryKey

Key implementation that is backed by multiple keys.

For example, both the current and the RegBack hive returned a key, but with different values. With a KeyCollection it’s possible to iterate over all versions of this key.

Things like traversing down subkeys works as expected, going down every key in it’s collection.

property class_name: str#: Returns the class name of this key.

property name: str#: Returns the name of this key.

property path: str#: Returns the path of this key.

property timestamp: datetime.datetime#: Returns the last modified timestamp of this key.

__len__()#

__iter__() → Iterator[RegistryKey]#

__getitem__(index) → RegistryValue#

add(key: Union[KeyCollection, RegistryKey])#

subkey(subkey: str) → KeyCollection#

Returns a specific subkey from this key.

Parameters:: subkey – The name of the subkey to retrieve.
Raises:: RegistryKeyNotFoundError – If this key has no subkey with the requested name.

subkeys() → list[KeyCollection]#: Returns a list of subkeys from this key.

value(value: str) → ValueCollection#

Returns a specific value from this key.

Parameters:: value – The name of the value to retrieve.
Raises:: RegistryValueNotFoundError – If this key has no value with the requested name.

values() → list[ValueCollection]#: Returns a list of all the values from this key.

class dissect.target.helpers.regutil.ValueCollection(values: Optional[list[RegistryValue]] = None)#

Bases: RegistryValue

Value implementation that is backed by multiple values.

Same idea as KeyCollection, but for values.

property name: str#: Returns the name of this value.

property value: ValueType#: Returns the value of this value.

property type: int#

Returns the type of this value.

Reference:

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types

__len__()#

__iter__()#

add(value: RegistryValue) → None#

class dissect.target.helpers.regutil.RegfHive(filepath: pathlib.Path, fh: Optional[BinaryIO] = None)#

Bases: RegistryHive

Registry implementation for regf hives.

root() → RegistryKey#: Return the root key of the hive.

key(key: str) → RegistryKey#

Retrieve a registry key from a specific path.

Parameters:: key – A path to a registry key within this hive.
Raises:: RegistryKeyNotFoundError – If the registry key could not be found.

class dissect.target.helpers.regutil.RegfKey(hive: RegistryHive, key: RegistryKey)#

Bases: RegistryKey

Key implementation for regf keys.

property name: str#: Returns the name of this key.

property class_name: str#: Returns the class name of this key.

property path: str#: Returns the path of this key.

property timestamp: datetime.datetime#: Returns the last modified timestamp of this key.

subkey(subkey: str) → RegistryKey#

Returns a specific subkey from this key.

Parameters:: subkey – The name of the subkey to retrieve.
Raises:: RegistryKeyNotFoundError – If this key has no subkey with the requested name.

subkeys() → list[RegistryKey]#: Returns a list of subkeys from this key.

value(value: str) → RegistryValue#

Returns a specific value from this key.

Parameters:: value – The name of the value to retrieve.
Raises:: RegistryValueNotFoundError – If this key has no value with the requested name.

values() → list[RegistryValue]#: Returns a list of all the values from this key.

class dissect.target.helpers.regutil.RegfValue(hive: RegistryHive, kv: RegistryValue)#

Bases: RegistryValue

Value implementation for regf values.

property name: str#: Returns the name of this value.

property value: ValueType#: Returns the value of this value.

property type: int#

Returns the type of this value.

Reference:

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types

class dissect.target.helpers.regutil.RegFlex#

A parser for text registry dumps (.reg files).

map_definition(fh: TextIO) → None#

Parse a text registry export to a hive with keys and values.

Parameters:: fh – A file-like object opened in text mode of the registry export to parse.

class dissect.target.helpers.regutil.RegFlexHive#

Bases: VirtualHive

Virtual hive implementation.

class dissect.target.helpers.regutil.RegFlexKey(hive: RegistryHive, path: str, class_name: Optional[str] = None)#

Bases: VirtualKey

Virtual key implementation.

class dissect.target.helpers.regutil.RegFlexValue(hive: RegistryHive, name: str, value: ValueType)#

Bases: VirtualValue

Virtual value implementation.

property value: ValueType#: Returns the value of this value.

dissect.target.helpers.regutil.parse_flex_value(value: str) → ValueType#

Parse values from text registry exports.

Parameters:: value – The value to parse.
Raises:: NotImplementedError – If value is not of a supported type for parsing.

dissect.target.helpers.regutil#

Module Contents#

Classes#

Functions#

Attributes#

`dissect.target.helpers.regutil`#