dissect.target.plugins.os.windows.registry

Module Contents

Classes

RegistryPlugin

Provides registry access for Windows targets.

Attributes

dissect.target.plugins.os.windows.registry.CONTROLSET_REGEX

class dissect.target.plugins.os.windows.registry.RegistryPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Provides registry access for Windows targets.

Behaves much like the registry on a live Windows machine. Hives are mapped to their usual locations, e.g. HKLM\SOFTWARE.

Internal functions only.

property controlsets: list[str]

Return a list of the different ControlSet names.

__namespace__ = 'registry'
SHORTNAMES
MAPPINGS
SYSTEM = ['SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM', 'COMPONENTS', 'DEFAULT', 'ELAM']
load_user_hives() -> None

Load and map the user hives present in the target.

add_hive(name: str, location: str, hive: dissect.target.helpers.regutil.RegistryHive, path: dissect.target.helpers.fsutil.TargetPath) -> None

Register and add a hive to a specific location in the root hive.

check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

root() -> dissect.target.helpers.regutil.KeyCollection

Returns the root of the virtual registry.

key(key: str | None = None) -> dissect.target.helpers.regutil.KeyCollection

Query the virtual registry on the given key.

Returns a KeyCollection which contains all keys that match the query.

value(key: str, value: str) -> dissect.target.helpers.regutil.ValueCollection

Convenience method for accessing a specific value.

subkey(key: str, subkey: str) -> dissect.target.helpers.regutil.KeyCollection

Convenience method for accessing a specific subkey.

iterkeys(keys: str | list[str]) -> Iterator[dissect.target.helpers.regutil.KeyCollection]
keys(keys: str | list[str]) -> Iterator[dissect.target.helpers.regutil.KeyCollection]

Yields all keys that match the given queries.

Automatically resolves CurrentVersion keys. Also unrolls KeyCollections.

iterhives() -> Iterator[tuple[str, dissect.target.helpers.regutil.RegistryHive, dissect.target.helpers.fsutil.TargetPath]]

Returns an iterator for all hives.

Items are tuples with three members: (name, hive, path)

mappings() -> dict[str, str]

Return hive mappings.

get_user_details(key: dissect.target.helpers.regutil.RegistryKey) -> dissect.target.plugins.general.users.UserDetails

Return user details for the user who owns the registry hive that contains the provided key.

get_user(key: dissect.target.helpers.regutil.RegistryKey) -> dissect.target.helpers.record.WindowsUserRecord

Return the user record for the user who owns the registry hive that contains the provided key.

glob_ext(pattern: str) -> Iterator[dissect.target.helpers.regutil.KeyCollection]
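
The following is an added usage example, not code from the dissect project: it combines keys() and get_user() to list autorun values together with the user whose hive holds them, a common first step in persistence triage. It assumes that the yielded keys expose path and values(), that values expose name and value, and that the user record has a name field (from dissect's regutil and record helpers, which this page does not document), and that Target.open() is used to load the evidence.

```python
"""Triage autorun entries through the registry plugin (added example)."""
import sys

# Autorun locations chosen for this example; extend as needed.
RUN_KEYS = [
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
]


def collect_run_entries(target, queries=RUN_KEYS):
    """Return one dict per registry value found under the queried keys.

    keys() accepts a single query or a list and yields every matching key;
    get_user() attributes each hit to the owner of the hive it came from.
    """
    entries = []
    for key in target.registry.keys(queries):
        # Assumption: no user record is returned for hives not owned by a user.
        user = target.registry.get_user(key)
        for value in key.values():
            entries.append({
                "key": key.path,
                "user": getattr(user, "name", None),
                "name": value.name,
                "command": value.value,
            })
    return entries


if __name__ == "__main__":
    from dissect.target import Target  # requires the dissect.target package

    # Argument: path to a disk image or evidence directory.
    target = Target.open(sys.argv[1])
    print("ControlSets:", target.registry.controlsets)
    for entry in collect_run_entries(target):
        print(entry)
```

The collection function only relies on the registry namespace of the target, so it can be exercised against stand-in objects before being pointed at real evidence.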