:py:mod:`dissect.target.helpers.regutil`
========================================

.. py:module:: dissect.target.helpers.regutil

.. autoapi-nested-parse::

   Registry related abstractions


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.helpers.regutil.RegistryHive
   dissect.target.helpers.regutil.RegistryKey
   dissect.target.helpers.regutil.RegistryValue
   dissect.target.helpers.regutil.VirtualHive
   dissect.target.helpers.regutil.VirtualKey
   dissect.target.helpers.regutil.VirtualValue
   dissect.target.helpers.regutil.HiveCollection
   dissect.target.helpers.regutil.KeyCollection
   dissect.target.helpers.regutil.ValueCollection
   dissect.target.helpers.regutil.RegfHive
   dissect.target.helpers.regutil.RegfKey
   dissect.target.helpers.regutil.RegfValue
   dissect.target.helpers.regutil.RegFlex
   dissect.target.helpers.regutil.RegFlexHive
   dissect.target.helpers.regutil.RegFlexKey
   dissect.target.helpers.regutil.RegFlexValue


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.helpers.regutil.parse_flex_value
   dissect.target.helpers.regutil.has_glob_magic
   dissect.target.helpers.regutil.glob_split
   dissect.target.helpers.regutil.glob_ext
   dissect.target.helpers.regutil.glob_ext0
   dissect.target.helpers.regutil.glob_ext1


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.helpers.regutil.GLOB_INDEX_REGEX
   dissect.target.helpers.regutil.GLOB_MAGIC_REGEX
   dissect.target.helpers.regutil.KeyType
   dissect.target.helpers.regutil.ValueType


.. py:data:: GLOB_INDEX_REGEX

.. py:data:: GLOB_MAGIC_REGEX

.. py:data:: KeyType

   The possible key types that can be returned from the registry.

.. py:data:: ValueType

   The possible value types that can be returned from the registry.

.. py:class:: RegistryHive

   Base class for registry hives.

   .. py:method:: root() -> RegistryKey

      Return the root key of the hive.

   .. py:method:: key(key: str) -> RegistryKey
      :abstractmethod:

      Retrieve a registry key from a specific path.

      :param key: A path to a registry key within this hive.

      :raises RegistryKeyNotFoundError: If the registry key could not be found.

   .. py:method:: keys(keys: Union[str, list[str]]) -> Iterator[RegistryKey]

      Retrieve all the registry keys in this hive from the given paths.

      :param keys: A single path to find, or a list of paths to iterate over.


.. py:class:: RegistryKey(hive: Optional[RegistryHive] = None)

   Base class for registry keys.

   :param hive: The registry hive to which this registry key belongs.

   .. py:property:: ts
      :type: datetime.datetime

      Returns the last modified timestamp of this key.

   .. py:property:: name
      :type: str
      :abstractmethod:

      Returns the name of this key.

   .. py:property:: class_name
      :type: str
      :abstractmethod:

      Returns the class name of this key.

   .. py:property:: path
      :type: str
      :abstractmethod:

      Returns the path of this key.

   .. py:property:: timestamp
      :type: datetime.datetime
      :abstractmethod:

      Returns the last modified timestamp of this key.

   .. py:method:: __repr__() -> str

      Return repr(self).

   .. py:method:: get(key_path: str) -> RegistryKey

      Returns the ``RegistryKey`` pointed to by ``key_path``.

      :param key_path: The path relative to this ``RegistryKey``.

      :returns: A relative ``RegistryKey``

   .. py:method:: subkey(subkey: str) -> RegistryKey
      :abstractmethod:

      Returns a specific subkey from this key.

      :param subkey: The name of the subkey to retrieve.

      :raises RegistryKeyNotFoundError: If this key has no subkey with the requested name.

   .. py:method:: subkeys() -> list[RegistryKey]
      :abstractmethod:

      Returns a list of subkeys from this key.

   .. py:method:: value(value: str) -> RegistryValue
      :abstractmethod:

      Returns a specific value from this key.

      :param value: The name of the value to retrieve.

      :raises RegistryValueNotFoundError: If this key has no value with the requested name.

   .. py:method:: values() -> list[RegistryValue]
      :abstractmethod:

      Returns a list of all the values from this key.


.. py:class:: RegistryValue(hive: Optional[RegistryHive] = None)

   Base class for registry values.

   :param hive: The registry hive to which this registry value belongs.

   .. py:property:: name
      :type: str
      :abstractmethod:

      Returns the name of this value.

   .. py:property:: value
      :type: ValueType
      :abstractmethod:

      Returns the value of this value.

   .. py:property:: type
      :type: int
      :abstractmethod:

      Returns the type of this value.

      Reference:

      - https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types

   .. py:method:: __repr__() -> str

      Return repr(self).


.. py:class:: VirtualHive

   Bases: :py:obj:`RegistryHive`

   Virtual hive implementation.

   .. py:method:: __repr__() -> str

      Return repr(self).

   .. py:method:: make_keys(path: str) -> VirtualKey

      Create a key structure in this virtual hive from the given path.

      ``path`` must be a valid registry path to some arbitrary key in the registry. This method will traverse
      all the components of the path and create a key if it does not already exist.

      .. rubric:: Example

      The path ``test\data\something\`` becomes::

          "" <- root node
          ├─ test
          |  ├─ data
          |  |  ├─ something

      :param path: The registry path to create a key structure for.

      :returns: The :class:`VirtualKey` for the last path component.

   .. py:method:: map_hive(path: str, hive: RegistryHive) -> None

      Map a different registry hive to a path in this registry hive.

      Future traversals to this path will continue from the root of the mapped hive.

      :param path: The path at which to map the registry hive.
      :param hive: The hive to map to the path.

   .. py:method:: map_key(path: str, key: RegistryKey) -> None

      Map an arbitrary :class:`RegistryKey` to a path in this hive.

      :param path: The path at which to map the registry key.
      :param key: The :class:`RegistryKey` to map in this hive.

   .. py:method:: map_value(path: str, name: str, value: Union[ValueType, RegistryValue]) -> None

      Map an arbitrary value to a path and value name in this hive.

      :param path: The path to the registry key that should hold the value.
      :param name: The name at which to store the value.
      :param value: The value to map to the specified location.

   .. py:method:: key(key: str) -> RegistryKey

      Retrieve a registry key from a specific path.

      :param key: A path to a registry key within this hive.

      :raises RegistryKeyNotFoundError: If the registry key could not be found.


.. py:class:: VirtualKey(hive: RegistryHive, path: str, class_name: Optional[str] = None)

   Bases: :py:obj:`RegistryKey`

   Virtual key implementation.

   .. py:property:: name
      :type: str

      Returns the name of this key.

   .. py:property:: class_name
      :type: str

      Returns the class name of this key.

   .. py:property:: path
      :type: str

      Returns the path of this key.

   .. py:property:: timestamp
      :type: datetime.datetime

      Returns the last modified timestamp of this key.

   .. py:method:: __contains__(key: str) -> bool

   .. py:method:: add_subkey(name: str, key: str)

      Add a subkey to this key.

   .. py:method:: add_value(name: str, value: Union[ValueType, RegistryValue])

      Add a value to this key.

   .. py:method:: subkey(subkey: str) -> RegistryKey

      Returns a specific subkey from this key.

      :param subkey: The name of the subkey to retrieve.

      :raises RegistryKeyNotFoundError: If this key has no subkey with the requested name.

   .. py:method:: subkeys() -> list[RegistryKey]

      Returns a list of subkeys from this key.

   .. py:method:: value(value: str) -> RegistryValue

      Returns a specific value from this key.

      :param value: The name of the value to retrieve.

      :raises RegistryValueNotFoundError: If this key has no value with the requested name.

   .. py:method:: values() -> list[RegistryValue]

      Returns a list of all the values from this key.


.. py:class:: VirtualValue(hive: RegistryHive, name: str, value: ValueType)

   Bases: :py:obj:`RegistryValue`

   Virtual value implementation.

   .. py:property:: name
      :type: str

      Returns the name of this value.

   .. py:property:: value
      :type: ValueType

      Returns the value of this value.

   .. py:property:: type
      :type: int

      Returns the type of this value.

      Reference:

      - https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types


.. py:class:: HiveCollection(hives: Optional[list[RegistryHive]] = None)

   Bases: :py:obj:`RegistryHive`

   Hive implementation that is backed by multiple hives.

   The idea here is that you can open multiple versions of the same hive (one regular, one with .LOG replayed
   and one RegBack). When opening a key, it will (try to) open it on every hive and return them in a
   ``KeyCollection``.

   .. py:method:: __len__()

   .. py:method:: __iter__()

   .. py:method:: __getitem__(index: int)

   .. py:method:: add(hive: RegistryHive) -> None

   .. py:method:: key(key: str) -> KeyCollection

      Retrieve a registry key from a specific path.

      :param key: A path to a registry key within this hive.

      :raises RegistryKeyNotFoundError: If the registry key could not be found.

   .. py:method:: keys(keys: Union[list, str]) -> Iterator[RegistryKey]

      Retrieve all the registry keys in this hive from the given paths.

      :param keys: A single path to find, or a list of paths to iterate over.

   .. py:method:: iterhives() -> Iterator[RegistryHive]


.. py:class:: KeyCollection(keys: Optional[list[RegistryKey]] = None)

   Bases: :py:obj:`RegistryKey`

   Key implementation that is backed by multiple keys.

   For example, both the current and the RegBack hive returned a key, but with different values. With a
   ``KeyCollection`` it's possible to iterate over all versions of this key.

   Things like traversing down subkeys work as expected, going down every key in its collection.

   .. py:property:: class_name
      :type: str

      Returns the class name of this key.

   .. py:property:: name
      :type: str

      Returns the name of this key.

   .. py:property:: path
      :type: str

      Returns the path of this key.

   .. py:property:: timestamp
      :type: datetime.datetime

      Returns the last modified timestamp of this key.

   .. py:method:: __len__()

   .. py:method:: __iter__() -> Iterator[RegistryKey]

   .. py:method:: __getitem__(index) -> RegistryValue

   .. py:method:: add(key: Union[KeyCollection, RegistryKey])

   .. py:method:: get(key_path: str) -> KeyCollection

      Returns the ``RegistryKey`` pointed to by ``key_path``.

      :param key_path: The path relative to this ``RegistryKey``.

      :returns: A relative ``RegistryKey``

   .. py:method:: subkey(subkey: str) -> KeyCollection

      Returns a specific subkey from this key.

      :param subkey: The name of the subkey to retrieve.

      :raises RegistryKeyNotFoundError: If this key has no subkey with the requested name.

   .. py:method:: subkeys() -> list[KeyCollection]

      Returns a list of subkeys from this key.

   .. py:method:: value(value: str) -> ValueCollection

      Returns a specific value from this key.

      :param value: The name of the value to retrieve.

      :raises RegistryValueNotFoundError: If this key has no value with the requested name.

   .. py:method:: values() -> list[ValueCollection]

      Returns a list of all the values from this key.


.. py:class:: ValueCollection(values: Optional[list[RegistryValue]] = None)

   Bases: :py:obj:`RegistryValue`

   Value implementation that is backed by multiple values.

   Same idea as ``KeyCollection``, but for values.

   .. py:property:: name
      :type: str

      Returns the name of this value.

   .. py:property:: value
      :type: ValueType

      Returns the value of this value.

   .. py:property:: type
      :type: int

      Returns the type of this value.

      Reference:

      - https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types

   .. py:method:: __len__()

   .. py:method:: __iter__()

   .. py:method:: add(value: RegistryValue) -> None


.. py:class:: RegfHive(filepath: pathlib.Path, fh: Optional[BinaryIO] = None)

   Bases: :py:obj:`RegistryHive`

   Registry implementation for regf hives.

   .. py:method:: root() -> RegistryKey

      Return the root key of the hive.

   .. py:method:: key(key: str) -> RegistryKey

      Retrieve a registry key from a specific path.

      :param key: A path to a registry key within this hive.

      :raises RegistryKeyNotFoundError: If the registry key could not be found.


.. py:class:: RegfKey(hive: RegistryHive, key: KeyType)

   Bases: :py:obj:`RegistryKey`

   Key implementation for regf keys.

   .. py:property:: name
      :type: str

      Returns the name of this key.

   .. py:property:: class_name
      :type: str

      Returns the class name of this key.

   .. py:property:: path
      :type: str

      Returns the path of this key.

   .. py:property:: timestamp
      :type: datetime.datetime

      Returns the last modified timestamp of this key.

   .. py:method:: subkey(subkey: str) -> RegistryKey

      Returns a specific subkey from this key.

      :param subkey: The name of the subkey to retrieve.

      :raises RegistryKeyNotFoundError: If this key has no subkey with the requested name.

   .. py:method:: subkeys() -> list[RegistryKey]

      Returns a list of subkeys from this key.

   .. py:method:: value(value: str) -> RegistryValue

      Returns a specific value from this key.

      :param value: The name of the value to retrieve.

      :raises RegistryValueNotFoundError: If this key has no value with the requested name.

   .. py:method:: values() -> list[RegistryValue]

      Returns a list of all the values from this key.


.. py:class:: RegfValue(hive: RegistryHive, kv: RegistryValue)

   Bases: :py:obj:`RegistryValue`

   Value implementation for regf values.

   .. py:property:: name
      :type: str

      Returns the name of this value.

   .. py:property:: value
      :type: ValueType

      Returns the value of this value.

   .. py:property:: type
      :type: int

      Returns the type of this value.

      Reference:

      - https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types


.. py:class:: RegFlex

   A parser for text registry dumps (.reg files).

   .. py:method:: map_definition(fh: TextIO) -> None

      Parse a text registry export to a hive with keys and values.

      :param fh: A file-like object opened in text mode of the registry export to parse.


.. py:class:: RegFlexHive

   Bases: :py:obj:`VirtualHive`

   Virtual hive implementation.


.. py:class:: RegFlexKey(hive: RegistryHive, path: str, class_name: Optional[str] = None)

   Bases: :py:obj:`VirtualKey`

   Virtual key implementation.


.. py:class:: RegFlexValue(hive: RegistryHive, name: str, value: ValueType)

   Bases: :py:obj:`VirtualValue`

   Virtual value implementation.

   .. py:property:: value
      :type: ValueType

      Returns the value of this value.


.. py:function:: parse_flex_value(value: str) -> ValueType

   Parse values from text registry exports.

   :param value: The value to parse.

   :raises NotImplementedError: If ``value`` is not of a supported type for parsing.


.. py:function:: has_glob_magic(pattern: str) -> bool

   Return whether ``pattern`` contains any glob patterns.

   :param pattern: The string to check for glob patterns.

   :returns: Whether ``pattern`` contains any glob patterns.


.. py:function:: glob_split(pattern: str) -> tuple[str]

   Split a key path with glob patterns on the first key path part with glob patterns.

   :param pattern: A key path with glob patterns to split.

   :returns: A tuple of two strings, where the first contains the first number of key path parts (if any) which
             don't have a glob pattern. The second contains the rest of the key path with parts containing glob
             patterns.


.. py:function:: glob_ext(key_collection: KeyCollection, pattern: str) -> Iterator[KeyCollection]

   Yield all subkeys of ``key_collection`` that match the glob ``pattern``.

   :param key_collection: The ``KeyCollection`` to start the path pattern glob matching on.
   :param pattern: A key path with glob patterns.

   :Yields: All subkeys that match ``pattern``


.. py:function:: glob_ext0(key_collection: KeyCollection, key_path: str) -> Iterator[KeyCollection]

   Yield the subkey given by ``key_path`` relative to ``key_collection``.

   :param key_collection: The ``KeyCollection`` to yield the subkey from.
   :param key_path: The key path to the subkey, relative to ``key_collection``.

   :Yields: The subkey from ``key_collection`` pointed to by ``key_path``.


.. py:function:: glob_ext1(key_collection: KeyCollection, pattern: str) -> Iterator[KeyCollection]

   Yield all subkeys from ``key_collection`` which match the glob pattern ``pattern``.

   :param key_collection: The ``KeyCollection`` from which subkeys should be matched.
   :param pattern: The pattern a subkey must match.

   :Yields: All KeyCollections of subkeys that match ``pattern``.
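
One way to picture how the glob helpers documented above fit together (split on the first glob part, walk the literal prefix, match subkey names, recurse), as an added example that is not dissect's own code. Nested dicts stand in for registry keys; ``SAMPLE``, ``MAGIC``, ``split_on_first_glob``, ``expand`` and ``matching_paths`` are hypothetical names, and the example assumes glob magic means the ``fnmatch`` metacharacters and that key names compare case-insensitively, as they do in the Windows registry.

```python
import fnmatch
import re

# Assumption: "glob magic" means the fnmatch metacharacters *, ? and [.
MAGIC = re.compile(r"[*?\[]")

# Constructed sample tree: nested dicts stand in for registry keys.
SAMPLE = {
    "ControlSet001": {"Services": {
        "Dhcp": {"Parameters": {}}, "Dnscache": {"Parameters": {}},
        "EventLog": {},
    }},
    "Select": {},
}


def split_on_first_glob(pattern):
    """Return (literal prefix, remainder starting at the first part with magic)."""
    parts = [p for p in pattern.split("\\") if p]
    for i, part in enumerate(parts):
        if MAGIC.search(part):
            return "\\".join(parts[:i]), "\\".join(parts[i:])
    return "\\".join(parts), ""


def expand(tree, pattern, base=""):
    """Yield (path, subtree) for every key under ``tree`` matching ``pattern``."""
    literal, rest = split_on_first_glob(pattern)
    # Literal prefix: walk straight down, one case-insensitive step per part.
    for part in filter(None, literal.split("\\")):
        match = next((k for k in tree if k.lower() == part.lower()), None)
        if match is None:
            return  # a missing key yields nothing instead of raising
        tree, base = tree[match], f"{base}\\{match}" if base else match
    if not rest:
        yield base, tree
        return
    # Glob part: test each subkey name, then recurse with the remaining tail.
    head, _, tail = rest.partition("\\")
    for name in sorted(tree):
        if fnmatch.fnmatchcase(name.lower(), head.lower()):
            path = f"{base}\\{name}" if base else name
            yield from expand(tree[name], tail, path)


def matching_paths(pattern):
    """Return the paths in SAMPLE that match ``pattern``, in sorted order."""
    return [path for path, _ in expand(SAMPLE, pattern)]
```

A glob part that matches a key lacking the remaining literal tail (``EventLog`` has no ``Parameters`` subkey here) simply drops out of the result, which is the behaviour wanted when sweeping per-service or per-user keys.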