dissect.target.plugins.os.windows.registry#
Module Contents#
Classes#
Provides registry access for Windows targets. |
Attributes#
- dissect.target.plugins.os.windows.registry.controlset_regex#
- class dissect.target.plugins.os.windows.registry.RegistryPlugin(target)#
Bases:
dissect.target.plugin.PluginProvides registry access for Windows targets.
Acts much the same to how the registry works on a live Windows machine. Hives are correctly mapped under e.g. HKLMSOFTWARE.
Internal functions only.
- property controlsets#
- __namespace__ = 'registry'#
- SHORTNAMES#
- MAPPINGS#
- SYSTEM = ['SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM', 'COMPONENTS', 'DEFAULT', 'ELAM']#
- load_user_hives()#
- add_hive(name, hive, path)#
- map_hive(location, hive)#
- check_compatible()#
Perform a compatibility check with the target.
This function should return
Noneif the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- root()#
Returns the root of the virtual registry.
- key(key=None)#
Query the virtual registry on the given key.
Returns a KeyCollection which contains all keys that match the query.
- value(key, value)#
Convenience method for accessing a specific value.
- subkey(key, subkey)#
Convenience method for accessing a specific subkey.
- iterkeys(keys)#
- keys(keys)#
Yields all keys that match the given queries.
Automatically resolves CurrentVersion keys. Also unrolls KeyCollections.
- iterhives()#
Returns an iterator for all hives.
Items are tuples with three members: (name, hive, path)
- mappings()#
Return hive mappings.
- get_user_details(key: dissect.target.helpers.regutil.RegistryKey) dissect.target.plugins.general.users.UserDetails#
Return user details for the user who owns a registry hive that contains the provided key
- get_user(key: dissect.target.helpers.regutil.RegistryKey) dissect.target.helpers.record.WindowsUserRecord#
Return user record for the user who owns a registry hive that contains the provided key