dissect.target.plugins.os.windows.registry

Module Contents

Classes

RegistryPlugin

Provides registry access for Windows targets.

Attributes

dissect.target.plugins.os.windows.registry.controlset_regex
class dissect.target.plugins.os.windows.registry.RegistryPlugin(target)

Bases: dissect.target.plugin.Plugin

Provides registry access for Windows targets.

Acts much the same as the registry on a live Windows machine. Hives are correctly mapped under e.g. HKLM\SOFTWARE.

Internal functions only.

property controlsets
__namespace__ = 'registry'
SHORTNAMES
MAPPINGS
SYSTEM = ['SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM', 'COMPONENTS', 'DEFAULT', 'ELAM']
load_user_hives()
add_hive(name, hive, path)
map_hive(location, hive)
check_compatible()

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

root()

Returns the root of the virtual registry.

key(key=None)

Query the virtual registry on the given key.

Returns a KeyCollection which contains all keys that match the query.

value(key, value)

Convenience method for accessing a specific value.

subkey(key, subkey)

Convenience method for accessing a specific subkey.

iterkeys(keys)
keys(keys)

Yields all keys that match the given queries.

Automatically resolves CurrentVersion keys. Also unrolls KeyCollections.

iterhives()

Returns an iterator for all hives.

Items are tuples with three members: (name, hive, path)

mappings()

Return hive mappings.

get_user_details(key: dissect.target.helpers.regutil.RegistryKey) -> dissect.target.plugins.general.users.UserDetails

Return user details for the user who owns a registry hive that contains the provided key.

get_user(key: dissect.target.helpers.regutil.RegistryKey) -> dissect.target.helpers.record.WindowsUserRecord

Return user record for the user who owns a registry hive that contains the provided key.
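
A triage sketch built on keys() and get_user() as documented above, added here as an example and not taken from the dissect project: it lists autorun values from the machine and per-user hives and attributes each one to the owner of its hive. The attributes read from keys, values and user records (path, timestamp, values(), name, value), the fan-out of HKCU over user hives and the None return for non-user hives are assumptions about what these methods return; fake_registry() is a constructed stand-in so the block runs without a disk image.

```python
from datetime import datetime, timezone
from types import SimpleNamespace as NS

RUN = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# Autorun locations to review: the machine-wide hive and the per-user hives.
RUN_KEYS = ["HKLM\\" + RUN, "HKCU\\" + RUN]


def autorun_entries(registry, queries=RUN_KEYS):
    """Return one row per value under every key matching the queries, newest first."""
    rows = []
    for key in registry.keys(queries):  # keys() unrolls KeyCollections
        user = registry.get_user(key)   # assumed to be None for non-user hives
        for value in key.values():
            rows.append({
                "modified": key.timestamp,  # last write time of the key
                "key": key.path,
                "name": value.name,
                "command": value.value,
                "user": getattr(user, "name", None),
            })
    return sorted(rows, key=lambda row: row["modified"], reverse=True)


def fake_registry():
    """Constructed stand-in for the registry plugin; all data below is made up."""
    def mk(path, when, values, owner=None):
        vals = [NS(name=n, value=v) for n, v in values]
        return NS(path=path, timestamp=when, values=lambda: vals, owner=owner)

    keys = [
        mk("HKLM\\" + RUN, datetime(2023, 1, 5, tzinfo=timezone.utc),
           [("SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe")]),
        mk("HKU\\S-1-5-21-0-0-0-1001\\" + RUN, datetime(2023, 3, 9, tzinfo=timezone.utc),
           [("Updater", "C:\\Users\\alice\\AppData\\Roaming\\upd.exe")],
           owner=NS(name="alice")),
    ]
    return NS(keys=lambda queries: iter(keys), get_user=lambda key: key.owner)


if __name__ == "__main__":
    for row in autorun_entries(fake_registry()):
        print(row["modified"].isoformat(), row["user"], row["name"], row["command"])
```

On a real image, pass the registry plugin of an opened target (for example `Target.open(path).registry` from `dissect.target`) instead of the stand-in.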