dissect.target.helpers.regutil
Registry related abstractions
Module Contents
Classes
RegistryHive | Base class for registry hives.
RegistryKey | Base class for registry keys.
RegistryValue | Base class for registry values.
VirtualHive | Virtual hive implementation.
VirtualKey | Virtual key implementation.
VirtualValue | Virtual value implementation.
HiveCollection | Hive implementation that is backed by multiple hives.
KeyCollection | Key implementation that is backed by multiple keys.
ValueCollection | Value implementation that is backed by multiple values.
RegfHive | Registry implementation for regf hives.
RegfKey | Key implementation for regf keys.
RegfValue | Value implementation for regf values.
RegFlex | A parser for text registry dumps (.reg files).
RegFlexHive | Virtual hive implementation.
RegFlexKey | Virtual key implementation.
RegFlexValue | Virtual value implementation.
Functions
parse_flex_value | Parse values from text registry exports.
has_glob_magic | Return whether pattern contains any glob patterns.
glob_split | Split a key path with glob patterns on the first key path part with glob patterns.
glob_ext | Yield all subkeys of key_collection that match the glob pattern.
glob_ext0 | Yield the subkey given by key_path relative to key_collection.
glob_ext1 | Yield all subkeys from key_collection which match the glob pattern given in pattern.
Attributes
KeyType | The possible key types that can be returned from the registry.
ValueType | The possible value types that can be returned from the registry.
- dissect.target.helpers.regutil.GLOB_INDEX_REGEX
- dissect.target.helpers.regutil.GLOB_MAGIC_REGEX
- dissect.target.helpers.regutil.KeyType
The possible key types that can be returned from the registry.
- dissect.target.helpers.regutil.ValueType
The possible value types that can be returned from the registry.
- class dissect.target.helpers.regutil.RegistryHive
Base class for registry hives.
- root() → RegistryKey
Return the root key of the hive.
- abstract key(key: str) → RegistryKey
Retrieve a registry key from a specific path.
- Parameters:
key – A path to a registry key within this hive.
- Raises:
RegistryKeyNotFoundError – If the registry key could not be found.
- keys(keys: str | list[str]) → Iterator[RegistryKey]
Retrieve all the registry keys in this hive from the given paths.
- Parameters:
keys – A single path to find, or a list of paths to iterate over.
- class dissect.target.helpers.regutil.RegistryKey(hive: RegistryHive | None = None)
Base class for registry keys.
- Parameters:
hive – The registry hive to which this registry key belongs.
- property ts: datetime.datetime
Returns the last modified timestamp of this key.
- abstract property name: str
Returns the name of this key.
- abstract property class_name: str
Returns the class name of this key.
- abstract property path: str
Returns the path of this key.
- abstract property timestamp: datetime.datetime
Returns the last modified timestamp of this key.
- __repr__() → str
Return repr(self).
- get(key_path: str) → RegistryKey
Returns the RegistryKey pointed to by key_path.
- Parameters:
key_path – The path relative to this RegistryKey.
- Returns:
A relative RegistryKey
- abstract subkey(subkey: str) → RegistryKey
Returns a specific subkey from this key.
- Parameters:
subkey – The name of the subkey to retrieve.
- Raises:
RegistryKeyNotFoundError – If this key has no subkey with the requested name.
- abstract subkeys() → list[RegistryKey]
Returns a list of subkeys from this key.
- abstract value(value: str) → RegistryValue
Returns a specific value from this key.
- Parameters:
value – The name of the value to retrieve.
- Raises:
RegistryValueNotFoundError – If this key has no value with the requested name.
- abstract values() → list[RegistryValue]
Returns a list of all the values from this key.
- class dissect.target.helpers.regutil.RegistryValue(hive: RegistryHive | None = None)
Base class for registry values.
- Parameters:
hive – The registry hive to which this registry value belongs.
- abstract property name: str
Returns the name of this value.
- abstract property value: ValueType
Returns the value of this value.
- abstract property type: int
Returns the type of this value.
- __repr__() → str
Return repr(self).
- class dissect.target.helpers.regutil.VirtualHive
Bases: RegistryHive
Virtual hive implementation.
- __repr__() → str
Return repr(self).
- make_keys(path: str) → VirtualKey
Create a key structure in this virtual hive from the given path.
path must be a valid registry path to some arbitrary key in the registry. This method will traverse all the components of the path and create a key if it does not already exist.
Example
The path test\data\something\ becomes:
"" <- root node
├─ test
|  ├─ data
|  |  ├─ something
- Parameters:
path – The registry path to create a key structure for.
- Returns:
The VirtualKey for the last path component.
- map_hive(path: str, hive: RegistryHive) → None
Map a different registry hive to a path in this registry hive.
Future traversals to this path will continue from the root of the mapped hive.
- Parameters:
path – The path at which to map the registry hive.
hive – The hive to map to the path.
- map_key(path: str, key: RegistryKey) → None
Map an arbitrary RegistryKey to a path in this hive.
- Parameters:
path – The path at which to map the registry key.
key – The RegistryKey to map in this hive.
- map_value(path: str, name: str, value: ValueType | RegistryValue) → None
Map an arbitrary value to a path and value name in this hive.
- Parameters:
path – The path to the registry key that should hold the value.
name – The name at which to store the value.
value – The value to map to the specified location.
- key(key: str) → RegistryKey
Retrieve a registry key from a specific path.
- Parameters:
key – A path to a registry key within this hive.
- Raises:
RegistryKeyNotFoundError – If the registry key could not be found.
- class dissect.target.helpers.regutil.VirtualKey(hive: RegistryHive, path: str, class_name: str | None = None)
Bases: RegistryKey
Virtual key implementation.
- property name: str
Returns the name of this key.
- property class_name: str
Returns the class name of this key.
- property path: str
Returns the path of this key.
- property timestamp: datetime.datetime
Returns the last modified timestamp of this key.
- __contains__(key: str) → bool
- add_subkey(name: str, key: str)
Add a subkey to this key.
- add_value(name: str, value: ValueType | RegistryValue)
Add a value to this key.
- subkey(subkey: str) → RegistryKey
Returns a specific subkey from this key.
- Parameters:
subkey – The name of the subkey to retrieve.
- Raises:
RegistryKeyNotFoundError – If this key has no subkey with the requested name.
- subkeys() → list[RegistryKey]
Returns a list of subkeys from this key.
- value(value: str) → RegistryValue
Returns a specific value from this key.
- Parameters:
value – The name of the value to retrieve.
- Raises:
RegistryValueNotFoundError – If this key has no value with the requested name.
- values() → list[RegistryValue]
Returns a list of all the values from this key.
- class dissect.target.helpers.regutil.VirtualValue(hive: RegistryHive, name: str, value: ValueType)
Bases: RegistryValue
Virtual value implementation.
- property name: str
Returns the name of this value.
- property value: ValueType
Returns the value of this value.
- property type: int
Returns the type of this value.
- class dissect.target.helpers.regutil.HiveCollection(hives: list[RegistryHive] | None = None)
Bases: RegistryHive
Hive implementation that is backed by multiple hives.
The idea here is that you can open multiple versions of the same hive (one regular, one with .LOG replayed and one RegBack). When opening a key, it would (try to) open it on every hive and return them in a KeyCollection.
- __len__()
- __iter__()
- __getitem__(index: int)
- add(hive: RegistryHive) → None
- key(key: str) → KeyCollection
Retrieve a registry key from a specific path.
- Parameters:
key – A path to a registry key within this hive.
- Raises:
RegistryKeyNotFoundError – If the registry key could not be found.
- keys(keys: list | str) → Iterator[RegistryKey]
Retrieve all the registry keys in this hive from the given paths.
- Parameters:
keys – A single path to find, or a list of paths to iterate over.
- iterhives() → Iterator[RegistryHive]
- class dissect.target.helpers.regutil.KeyCollection(keys: list[RegistryKey] | None = None)
Bases: RegistryKey
Key implementation that is backed by multiple keys.
For example, both the current and the RegBack hive returned a key, but with different values. With a KeyCollection it’s possible to iterate over all versions of this key.
Things like traversing down subkeys work as expected, going down every key in its collection.
- property class_name: str
Returns the class name of this key.
- property name: str
Returns the name of this key.
- property path: str
Returns the path of this key.
- property timestamp: datetime.datetime
Returns the last modified timestamp of this key.
- __len__()
- __iter__() → Iterator[RegistryKey]
- __getitem__(index) → RegistryValue
- add(key: KeyCollection | RegistryKey)
- get(key_path: str) → KeyCollection
Returns the RegistryKey pointed to by key_path.
- Parameters:
key_path – The path relative to this RegistryKey.
- Returns:
A relative RegistryKey
- subkey(subkey: str) → KeyCollection
Returns a specific subkey from this key.
- Parameters:
subkey – The name of the subkey to retrieve.
- Raises:
RegistryKeyNotFoundError – If this key has no subkey with the requested name.
- subkeys() → list[KeyCollection]
Returns a list of subkeys from this key.
- value(value: str) → ValueCollection
Returns a specific value from this key.
- Parameters:
value – The name of the value to retrieve.
- Raises:
RegistryValueNotFoundError – If this key has no value with the requested name.
- values() → list[ValueCollection]
Returns a list of all the values from this key.
- class dissect.target.helpers.regutil.ValueCollection(values: list[RegistryValue] | None = None)
Bases: RegistryValue
Value implementation that is backed by multiple values.
Same idea as KeyCollection, but for values.
- property name: str
Returns the name of this value.
- property value: ValueType
Returns the value of this value.
- property type: int
Returns the type of this value.
- __len__()
- __iter__()
- add(value: RegistryValue) → None
- class dissect.target.helpers.regutil.RegfHive(filepath: pathlib.Path, fh: BinaryIO | None = None)
Bases: RegistryHive
Registry implementation for regf hives.
- root() → RegistryKey
Return the root key of the hive.
- key(key: str) → RegistryKey
Retrieve a registry key from a specific path.
- Parameters:
key – A path to a registry key within this hive.
- Raises:
RegistryKeyNotFoundError – If the registry key could not be found.
- class dissect.target.helpers.regutil.RegfKey(hive: RegistryHive, key: KeyType)
Bases: RegistryKey
Key implementation for regf keys.
- property name: str
Returns the name of this key.
- property class_name: str
Returns the class name of this key.
- property path: str
Returns the path of this key.
- property timestamp: datetime.datetime
Returns the last modified timestamp of this key.
- subkey(subkey: str) → RegistryKey
Returns a specific subkey from this key.
- Parameters:
subkey – The name of the subkey to retrieve.
- Raises:
RegistryKeyNotFoundError – If this key has no subkey with the requested name.
- subkeys() → list[RegistryKey]
Returns a list of subkeys from this key.
- value(value: str) → RegistryValue
Returns a specific value from this key.
- Parameters:
value – The name of the value to retrieve.
- Raises:
RegistryValueNotFoundError – If this key has no value with the requested name.
- values() → list[RegistryValue]
Returns a list of all the values from this key.
- class dissect.target.helpers.regutil.RegfValue(hive: RegistryHive, kv: RegistryValue)
Bases: RegistryValue
Value implementation for regf values.
- property name: str
Returns the name of this value.
- property value: ValueType
Returns the value of this value.
- property type: int
Returns the type of this value.
- class dissect.target.helpers.regutil.RegFlex
A parser for text registry dumps (.reg files).
- map_definition(fh: TextIO) → None
Parse a text registry export to a hive with keys and values.
- Parameters:
fh – A file-like object opened in text mode of the registry export to parse.
- class dissect.target.helpers.regutil.RegFlexHive
Bases: VirtualHive
Virtual hive implementation.
- class dissect.target.helpers.regutil.RegFlexKey(hive: RegistryHive, path: str, class_name: str | None = None)
Bases: VirtualKey
Virtual key implementation.
- class dissect.target.helpers.regutil.RegFlexValue(hive: RegistryHive, name: str, value: ValueType)
Bases: VirtualValue
Virtual value implementation.
- property value: ValueType
Returns the value of this value.
- dissect.target.helpers.regutil.parse_flex_value(value: str) → ValueType
Parse values from text registry exports.
- Parameters:
value – The value to parse.
- Raises:
NotImplementedError – If value is not of a supported type for parsing.
- dissect.target.helpers.regutil.has_glob_magic(pattern: str) → bool
Return whether pattern contains any glob patterns.
- Parameters:
pattern – The string to check for glob patterns.
- Returns:
Whether pattern contains any glob patterns.
- dissect.target.helpers.regutil.glob_split(pattern: str) → tuple[str]
Split a key path with glob patterns on the first key path part with glob patterns.
- Parameters:
pattern – A key path with glob patterns to split.
- Returns:
A tuple of two strings, where the first contains the leading key path parts (if any) which don’t have a glob pattern. The second contains the rest of the key path with parts containing glob patterns.
- dissect.target.helpers.regutil.glob_ext(key_collection: KeyCollection, pattern: str) → Iterator[KeyCollection]
Yield all subkeys of key_collection that match the glob pattern.
- Parameters:
key_collection – The KeyCollection to start the path pattern glob matching on.
pattern – A key path with glob patterns.
- Yields:
All subkeys that match pattern.
- dissect.target.helpers.regutil.glob_ext0(key_collection: KeyCollection, key_path: str) → Iterator[KeyCollection]
Yield the subkey given by key_path relative to key_collection.
- Parameters:
key_collection – The KeyCollection to yield the subkey from.
key_path – The key path to the subkey, relative to key_collection.
- Yields:
The subkey from key_collection pointed to by key_path.
- dissect.target.helpers.regutil.glob_ext1(key_collection: KeyCollection, pattern: str) → Iterator[KeyCollection]
Yield all subkeys from key_collection which match the glob pattern given in pattern.
- Parameters:
key_collection – The KeyCollection from which subkeys should be matched.
pattern – The pattern a subkey must match.
- Yields:
All KeyCollections of subkeys that match pattern.