`dissect.target.helpers.regutil`¶

Registry related abstractions

Module Contents¶

Classes¶

`RegistryHive`	Base class for registry hives.
`RegistryKey`	Base class for registry keys.
`RegistryValue`	Base class for registry values.
`VirtualHive`	Virtual hive implementation.
`VirtualKey`	Virtual key implementation.
`VirtualValue`	Virtual value implementation.
`HiveCollection`	Hive implementation that is backed by multiple hives.
`KeyCollection`	Key implementation that is backed by multiple keys.
`ValueCollection`	Value implementation that is backed by multiple values.
`RegfHive`	Registry implementation for regf hives.
`RegfKey`	Key implementation for regf keys.
`RegfValue`	Value implementation for regf values.
`RegFlex`	A parser for text registry dumps (.reg files).
`RegFlexHive`	Virtual hive implementation.
`RegFlexKey`	Virtual key implementation.
`RegFlexValue`	Virtual value implementation.

Functions¶

`parse_flex_value`	Parse values from text registry exports.
`has_glob_magic`	Return whether `pattern` contains any glob patterns
`glob_split`	Split a key path with glob patterns on the first key path part with glob patterns
`glob_ext`	Yield all subkeys of `key_collection` that match the glob `pattern`
`glob_ext0`	Yield the subkey given by `key_path` relative to `key_collection`
`glob_ext1`	Yield all subkeys from `key_collection` which match the glob pattern `pattern`

Attributes¶

`GLOB_INDEX_REGEX`
`GLOB_MAGIC_REGEX`
`KeyType`	The possible key types that can be returned from the registry.
`ValueType`	The possible value types that can be returned from the registry.

dissect.target.helpers.regutil.GLOB_INDEX_REGEX¶

dissect.target.helpers.regutil.GLOB_MAGIC_REGEX¶

dissect.target.helpers.regutil.KeyType¶: The possible key types that can be returned from the registry.

dissect.target.helpers.regutil.ValueType¶: The possible value types that can be returned from the registry.

class dissect.target.helpers.regutil.RegistryHive¶

Base class for registry hives.

root() → RegistryKey¶: Return the root key of the hive.

abstract key(key: str) → RegistryKey¶

Retrieve a registry key from a specific path.

Parameters:: key – A path to a registry key within this hive.
Raises:: RegistryKeyNotFoundError – If the registry key could not be found.

keys(keys: str | list[str]) → Iterator[RegistryKey]¶

Retrieve all the registry keys in this hive from the given paths.

Parameters:: keys – A single path to find, or a list of paths to iterate over.

class dissect.target.helpers.regutil.RegistryKey(hive: RegistryHive | None = None)¶

Base class for registry keys.

Parameters:: hive – The registry hive to which this registry key belongs.

property ts: datetime.datetime¶: Returns the last modified timestamp of this key.

abstract property name: str¶: Returns the name of this key.

abstract property class_name: str¶: Returns the class name of this key.

abstract property path: str¶: Returns the path of this key.

abstract property timestamp: datetime.datetime¶: Returns the last modified timestamp of this key.

__repr__() → str¶: Return repr(self).

get(key_path: str) → RegistryKey¶

Returns the RegistryKey pointed to by path.

Parameters:: key_path – The path relative to this RegistryKey.
Returns:: A relative RegistryKey

abstract subkey(subkey: str) → RegistryKey¶

Returns a specific subkey from this key.

Parameters:: subkey – The name of the subkey to retrieve.
Raises:: RegistryKeyNotFoundError – If this key has no subkey with the requested name.

abstract subkeys() → list[RegistryKey]¶: Returns a list of subkeys from this key.

abstract value(value: str) → RegistryValue¶

Returns a specific value from this key.

Parameters:: value – The name of the value to retrieve.
Raises:: RegistryValueNotFoundError – If this key has no value with the requested name.

abstract values() → list[RegistryValue]¶: Returns a list of all the values from this key.

class dissect.target.helpers.regutil.RegistryValue(hive: RegistryHive | None = None)¶

Base class for registry values.

Parameters:: hive – The registry hive to which this registry value belongs.

abstract property name: str¶: Returns the name of this value.

abstract property value: ValueType¶: Returns the value of this value.

abstract property type: int¶

Returns the type of this value.

Reference:

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types

__repr__() → str¶: Return repr(self).

class dissect.target.helpers.regutil.VirtualHive¶

Bases: RegistryHive

Virtual hive implementation.

__repr__() → str¶: Return repr(self).

make_keys(path: str) → VirtualKey¶

Create a key structure in this virtual hive from the given path.

path must be a valid registry path to some arbitrary key in the registry. This method will traverse all the components of the path and create a key if it does not already exist.

Example

The path test\data\something\ becomes:

"" <- root node
├─ test
|  ├─ data
|  |  ├─ something

Parameters:: path – The registry path to create a key structure for.
Returns:: The VirtualKey for the last path component.

map_hive(path: str, hive: RegistryHive) → None¶

Map a different registry hive to a path in this registry hive.

Future traversals to this path will continue from the root of the mapped hive.

Parameters:

path – The path at which to map the registry hive.
hive – The hive to map to the path.

map_key(path: str, key: RegistryKey) → None¶

Map an arbitrary RegistryKey to a path in this hive.

Parameters:

path – The path at which to map the registry key.
key – The RegistryKey to map in this hive.

map_value(path: str, name: str, value: ValueType | RegistryValue) → None¶

Map an arbitrary value to a path and value name in this hive.

Parameters:

path – The path to the registry key that should hold the value.
name – The name at which to store the value.
value – The value to map to the specified location.

key(key: str) → RegistryKey¶

Retrieve a registry key from a specific path.

Parameters:: key – A path to a registry key within this hive.
Raises:: RegistryKeyNotFoundError – If the registry key could not be found.

class dissect.target.helpers.regutil.VirtualKey(hive: RegistryHive, path: str, class_name: str | None = None)¶

Bases: RegistryKey

Virtual key implementation.

property name: str¶: Returns the name of this key.

property class_name: str¶: Returns the class name of this key.

property path: str¶: Returns the path of this key.

property timestamp: datetime.datetime¶: Returns the last modified timestamp of this key.

__contains__(key: str) → bool¶

add_subkey(name: str, key: str)¶: Add a subkey to this key.

add_value(name: str, value: ValueType | RegistryValue)¶: Add a value to this key.

subkey(subkey: str) → RegistryKey¶

Returns a specific subkey from this key.

Parameters:: subkey – The name of the subkey to retrieve.
Raises:: RegistryKeyNotFoundError – If this key has no subkey with the requested name.

subkeys() → list[RegistryKey]¶: Returns a list of subkeys from this key.

value(value: str) → RegistryValue¶

Returns a specific value from this key.

Parameters:: value – The name of the value to retrieve.
Raises:: RegistryValueNotFoundError – If this key has no value with the requested name.

values() → list[RegistryValue]¶: Returns a list of all the values from this key.

class dissect.target.helpers.regutil.VirtualValue(hive: RegistryHive, name: str, value: ValueType)¶

Bases: RegistryValue

Virtual value implementation.

property name: str¶: Returns the name of this value.

property value: ValueType¶: Returns the value of this value.

property type: int¶

Returns the type of this value.

Reference:

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types

class dissect.target.helpers.regutil.HiveCollection(hives: list[RegistryHive] | None = None)¶

Bases: RegistryHive

Hive implementation that is backed by multiple hives.

The idea here is that you can open multiple version of the same hive (one regular, one with .LOG replayed and one RegBack). When opening a key, it would (try to) open it on every hive and return them in a KeyCollection.

__len__()¶

__iter__()¶

__getitem__(index: int)¶

add(hive: RegistryHive) → None¶

key(key: str) → KeyCollection¶

Retrieve a registry key from a specific path.

Parameters:: key – A path to a registry key within this hive.
Raises:: RegistryKeyNotFoundError – If the registry key could not be found.

keys(keys: list | str) → Iterator[RegistryKey]¶

Retrieve all the registry keys in this hive from the given paths.

Parameters:: keys – A single path to find, or a list of paths to iterate over.

iterhives() → Iterator[RegistryHive]¶

class dissect.target.helpers.regutil.KeyCollection(keys: list[RegistryKey] | None = None)¶

Bases: RegistryKey

Key implementation that is backed by multiple keys.

For example, both the current and the RegBack hive returned a key, but with different values. With a KeyCollection it’s possible to iterate over all versions of this key.

Things like traversing down subkeys works as expected, going down every key in it’s collection.

property class_name: str¶: Returns the class name of this key.

property name: str¶: Returns the name of this key.

property path: str¶: Returns the path of this key.

property timestamp: datetime.datetime¶: Returns the last modified timestamp of this key.

__len__()¶

__iter__() → Iterator[RegistryKey]¶

__getitem__(index) → RegistryValue¶

add(key: KeyCollection | RegistryKey)¶

get(key_path: str) → KeyCollection¶

Returns the RegistryKey pointed to by path.

Parameters:: key_path – The path relative to this RegistryKey.
Returns:: A relative RegistryKey

subkey(subkey: str) → KeyCollection¶

Returns a specific subkey from this key.

Parameters:: subkey – The name of the subkey to retrieve.
Raises:: RegistryKeyNotFoundError – If this key has no subkey with the requested name.

subkeys() → list[KeyCollection]¶: Returns a list of subkeys from this key.

value(value: str) → ValueCollection¶

Returns a specific value from this key.

Parameters:: value – The name of the value to retrieve.
Raises:: RegistryValueNotFoundError – If this key has no value with the requested name.

values() → list[ValueCollection]¶: Returns a list of all the values from this key.

class dissect.target.helpers.regutil.ValueCollection(values: list[RegistryValue] | None = None)¶

Bases: RegistryValue

Value implementation that is backed by multiple values.

Same idea as KeyCollection, but for values.

property name: str¶: Returns the name of this value.

property value: ValueType¶: Returns the value of this value.

property type: int¶

Returns the type of this value.

Reference:

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types

__len__()¶

__iter__()¶

add(value: RegistryValue) → None¶

class dissect.target.helpers.regutil.RegfHive(filepath: pathlib.Path, fh: BinaryIO | None = None)¶

Bases: RegistryHive

Registry implementation for regf hives.

root() → RegistryKey¶: Return the root key of the hive.

key(key: str) → RegistryKey¶

Retrieve a registry key from a specific path.

Parameters:: key – A path to a registry key within this hive.
Raises:: RegistryKeyNotFoundError – If the registry key could not be found.

class dissect.target.helpers.regutil.RegfKey(hive: RegistryHive, key: KeyType)¶

Bases: RegistryKey

Key implementation for regf keys.

property name: str¶: Returns the name of this key.

property class_name: str¶: Returns the class name of this key.

property path: str¶: Returns the path of this key.

property timestamp: datetime.datetime¶: Returns the last modified timestamp of this key.

subkey(subkey: str) → RegistryKey¶

Returns a specific subkey from this key.

Parameters:: subkey – The name of the subkey to retrieve.
Raises:: RegistryKeyNotFoundError – If this key has no subkey with the requested name.

subkeys() → list[RegistryKey]¶: Returns a list of subkeys from this key.

value(value: str) → RegistryValue¶

Returns a specific value from this key.

Parameters:: value – The name of the value to retrieve.
Raises:: RegistryValueNotFoundError – If this key has no value with the requested name.

values() → list[RegistryValue]¶: Returns a list of all the values from this key.

class dissect.target.helpers.regutil.RegfValue(hive: RegistryHive, kv: RegistryValue)¶

Bases: RegistryValue

Value implementation for regf values.

property name: str¶: Returns the name of this value.

property value: ValueType¶: Returns the value of this value.

property type: int¶

Returns the type of this value.

Reference:

https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types

class dissect.target.helpers.regutil.RegFlex¶

A parser for text registry dumps (.reg files).

map_definition(fh: TextIO) → None¶

Parse a text registry export to a hive with keys and values.

Parameters:: fh – A file-like object opened in text mode of the registry export to parse.

class dissect.target.helpers.regutil.RegFlexHive¶

Bases: VirtualHive

Virtual hive implementation.

class dissect.target.helpers.regutil.RegFlexKey(hive: RegistryHive, path: str, class_name: str | None = None)¶

Bases: VirtualKey

Virtual key implementation.

class dissect.target.helpers.regutil.RegFlexValue(hive: RegistryHive, name: str, value: ValueType)¶

Bases: VirtualValue

Virtual value implementation.

property value: ValueType¶: Returns the value of this value.

dissect.target.helpers.regutil.parse_flex_value(value: str) → ValueType¶

Parse values from text registry exports.

Parameters:: value – The value to parse.
Raises:: NotImplementedError – If value is not of a supported type for parsing.

dissect.target.helpers.regutil.has_glob_magic(pattern: str) → bool¶

Return whether pattern contains any glob patterns

Parameters:: pattern – The string to check on glob patterns.
Returns:: Whether pattern contains any glob patterns.

dissect.target.helpers.regutil.glob_split(pattern: str) → tuple[str]¶

Split a key path with glob patterns on the first key path part with glob patterns

Parameters:: pattern – A key path with glob patterns to split.
Returns:: A tuple of two strings, where the first contains the first number of key path parts (if any) which don’t have a glob pattern. The second contains the rest of the key path with parts containing glob patterns.

dissect.target.helpers.regutil.glob_ext(key_collection: KeyCollection, pattern: str) → Iterator[KeyCollection]¶

Yield all subkeys of key_collection that match the glob pattern

Parameters:

key_collection – The KeyCollection to start the path pattern glob matching on.
pattern – A key path with glob patterns.

Yields:

All subkeys that match pattern

dissect.target.helpers.regutil.glob_ext0(key_collection: KeyCollection, key_path: str) → Iterator[KeyCollection]¶

Yield the subkey given by key_path relative to key_collection

Parameters:

key_collection – The KeyCollection to yield the subkey from.
key_path – The key path to the subkey, relative to key_collection.

Yields:

The subkey from key_collection pointed to by key_path.

dissect.target.helpers.regutil.glob_ext1(key_collection: KeyCollection, pattern: str) → Iterator[KeyCollection]¶

Yield all subkeys from key_collection which match the glob pattern pattern

Parameters:

key_collection – The KeyCollection from which subkeys should be matched.
pattern – The pattern a subkey must match.

Yields:

All KeyCollections of subkeys that match pattern.

dissect.target.helpers.regutil¶

Module Contents¶

Classes¶

Functions¶

Attributes¶

`dissect.target.helpers.regutil`¶