dissect.target.plugins.os.windows.registry

Module Contents

Classes

RegistryPlugin

Provides registry access for Windows targets.

Attributes

CONTROLSET_REGEX

dissect.target.plugins.os.windows.registry.CONTROLSET_REGEX

class dissect.target.plugins.os.windows.registry.RegistryPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Provides registry access for Windows targets.

Acts much the same to how the registry works on a live Windows machine. Hives are correctly mapped under e.g. HKLMSOFTWARE.

Internal functions only.

property controlsets: list[str]

Return a list of the different ControlSet names.

__namespace__ = 'registry'

SHORTNAMES

MAPPINGS

SYSTEM = ['SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM', 'COMPONENTS', 'DEFAULT', 'ELAM']

load_user_hives() → None

Load and map the user hives present in the target.

add_hive(name: str, location: str, hive: dissect.target.helpers.regutil.RegistryHive, path: dissect.target.helpers.fsutil.TargetPath) → None

Register and add a hive to a specific location in the root hive.

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

root() → dissect.target.helpers.regutil.KeyCollection

Returns the root of the virtual registry.

key(key: str | None = None) → dissect.target.helpers.regutil.KeyCollection

Query the virtual registry on the given key.

Returns a KeyCollection which contains all keys that match the query.

value(key: str, value: str) → dissect.target.helpers.regutil.ValueCollection

Convenience method for accessing a specific value.

subkey(key: str, subkey: str) → dissect.target.helpers.regutil.KeyCollection

Convenience method for accessing a specific subkey.

iterkeys(keys: str | list[str]) → Iterator[dissect.target.helpers.regutil.KeyCollection]

keys(keys: str | list[str]) → Iterator[dissect.target.helpers.regutil.KeyCollection]

Yields all keys that match the given queries.

Automatically resolves CurrentVersion keys. Also unrolls KeyCollections.

iterhives() → Iterator[tuple[str, dissect.target.helpers.regutil.RegistryHive, dissect.target.helpers.fsutil.TargetPath]]

Returns an iterator for all hives.

Items are tuples with three members: (name, hive, path)

mappings() → dict[str, str]

Return hive mappings.

get_user_details(key: dissect.target.helpers.regutil.RegistryKey) → dissect.target.plugins.general.users.UserDetails

Return user details for the user who owns a registry hive that contains the provided key

get_user(key: dissect.target.helpers.regutil.RegistryKey) → dissect.target.helpers.record.WindowsUserRecord

Return user record for the user who owns a registry hive that contains the provided key

glob_ext(pattern: str) → Iterator[dissect.target.helpers.regutil.KeyCollection]