dfwinreg package
Submodules
dfwinreg.creg module
Windows 9x/Me Registry (CREG) objects implementation using pycreg.
- class dfwinreg.creg.CREGWinRegistryFile(ascii_codepage='cp1252', key_path_prefix='')[source]
Bases:
WinRegistryFile
Implementation of a Windows Registry file using pycreg.
- GetKeyByPath(key_path)[source]
Retrieves the key for a specific path.
- Parameters:
key_path (str) – Windows Registry key path.
- Returns:
Windows Registry key or None if not available.
- Return type:
- GetRootKey()[source]
Retrieves the root key.
- Returns:
Windows Registry root key or None if not available.
- Return type:
- class dfwinreg.creg.CREGWinRegistryKey(pycreg_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]
Bases:
WinRegistryKey
Implementation of a Windows Registry key using pycreg.
- GetSubkeyByIndex(index)[source]
Retrieves a subkey by index.
- Parameters:
index (int) – index of the subkey.
- Returns:
Windows Registry subkey.
- Return type:
- Raises:
IndexError – if the index is out of bounds.
- GetSubkeyByName(name)[source]
Retrieves a subkey by name.
- Parameters:
name (str) – name of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- GetSubkeyByPath(key_path)[source]
Retrieves a subkey by path.
- Parameters:
key_path (str) – path of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- GetSubkeys()[source]
Retrieves all subkeys within the key.
- Yields:
WinRegistryKey – Windows Registry subkey.
- GetValueByName(name)[source]
Retrieves a value by name.
Value names are not unique and pycreg provides first match for the value.
- Parameters:
name (str) – name of the value or an empty string for the default value.
- Returns:
- Windows Registry value if a corresponding value was
found or None if not.
- Return type:
- GetValues()[source]
Retrieves all values within the key.
- Yields:
WinRegistryValue – Windows Registry value.
- __init__(pycreg_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]
Initializes a Windows Registry key.
- Parameters:
pycreg_key (pycreg.key) – pycreg key object.
key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
relative_key_path (Optional[str]) – relative Windows Registry key path.
- property class_name
class name of the key or None if not available.
- Type:
str
- property last_written_time
last written time.
- Type:
dfdatetime.DateTimeValues
- property name
name of the key.
- Type:
str
- property number_of_subkeys
number of subkeys within the key.
- Type:
int
- property number_of_values
number of values within the key.
- Type:
int
- property offset
offset of the key within the Windows Registry file or None.
- Type:
int
- class dfwinreg.creg.CREGWinRegistryValue(pycreg_value)[source]
Bases:
WinRegistryValue
Implementation of a Windows Registry value using pycreg.
- GetDataAsObject()[source]
Retrieves the data as an object.
- Returns:
data as a Python type.
- Return type:
object
- Raises:
WinRegistryValueError – if the value data cannot be read.
- __init__(pycreg_value)[source]
Initializes a Windows Registry value.
- Parameters:
pycreg_value (pycreg.value) – pycreg value object.
- property data
value data as a byte string.
- Raises:
WinRegistryValueError – if the value data cannot be read.
- Type:
bytes
- property data_type
data type.
- Type:
int
- property name
name of the value.
- Type:
str
- property offset
offset of the value within the Windows Registry file.
- Type:
int
dfwinreg.decorators module
Function decorators.
dfwinreg.definitions module
The Windows Registry definitions.
dfwinreg.errors module
This file contains the error classes.
dfwinreg.fake module
Fake Windows Registry objects implementation.
- class dfwinreg.fake.FakeWinRegistryFile(ascii_codepage='cp1252', key_path_prefix='')[source]
Bases:
WinRegistryFile
Fake implementation of a Windows Registry file.
- AddKeyByPath(key_path, registry_key)[source]
Adds a Windows Registry key for a specific key path.
- Parameters:
key_path (str) – Windows Registry key path to add the key.
registry_key (WinRegistryKey) – Windows Registry key.
- Raises:
KeyError – if the subkey already exists.
ValueError – if the Windows Registry key cannot be added.
- GetKeyByPath(key_path)[source]
Retrieves the key for a specific path.
- Parameters:
key_path (str) – Windows Registry key path.
- Returns:
Windows Registry key or None if not available.
- Return type:
- GetRootKey()[source]
Retrieves the root key.
- Returns:
Windows Registry key or None if not available.
- Return type:
- class dfwinreg.fake.FakeWinRegistryKey(name, class_name=None, key_helper=None, key_path_prefix='', last_written_time=None, offset=None, relative_key_path='', subkeys=None, values=None)[source]
Bases:
WinRegistryKey
Fake implementation of a Windows Registry key.
- AddSubkey(name, registry_key)[source]
Adds a subkey.
- Parameters:
name (str) – name of the Windows Registry subkey.
registry_key (WinRegistryKey) – Windows Registry subkey.
- Raises:
KeyError – if the subkey already exists.
- AddValue(registry_value)[source]
Adds a value.
- Parameters:
registry_value (WinRegistryValue) – Windows Registry value.
- Raises:
KeyError – if the value already exists.
- GetSubkeyByIndex(index)[source]
Retrieves a subkey by index.
- Parameters:
index (int) – index of the subkey.
- Returns:
Windows Registry subkey.
- Return type:
- Raises:
IndexError – if the index is out of bounds.
- GetSubkeyByName(name)[source]
Retrieves a subkey by name.
- Parameters:
name (str) – name of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- GetSubkeyByPath(key_path)[source]
Retrieves a subkey by path.
- Parameters:
key_path (str) – path of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- GetSubkeys()[source]
Retrieves all subkeys within the key.
- Returns:
Windows Registry subkey generator.
- Return type:
generator[WinRegistryKey]
- GetValueByName(name)[source]
Retrieves a value by name.
- Parameters:
name (str) – name of the value or an empty string for the default value.
- Returns:
Windows Registry value or None if not found.
- Return type:
- GetValues()[source]
Retrieves all values within the key.
- Returns:
Windows Registry value generator.
- Return type:
generator[WinRegistryValue]
- __init__(name, class_name=None, key_helper=None, key_path_prefix='', last_written_time=None, offset=None, relative_key_path='', subkeys=None, values=None)[source]
Initializes a Windows Registry key.
Subkeys and values with duplicate names are silently ignored.
- Parameters:
name (str) – name of the Windows Registry key.
class_name (Optional[str]) – class name of the Windows Registry key.
key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
last_written_time (Optional[int]) – last written time, formatted as a FILETIME timestamp.
offset (Optional[int]) – offset of the key within the Windows Registry file.
relative_key_path (Optional[str]) – relative Windows Registry key path.
subkeys (Optional[list[FakeWinRegistryKey]]) – list of subkeys.
values (Optional[list[FakeWinRegistryValue]]) – list of values.
- property class_name
class name of the key or None if not available.
- Type:
str
- property last_written_time
last written time.
- Type:
dfdatetime.DateTimeValues
- property name
name of the key.
- Type:
str
- property number_of_subkeys
number of subkeys within the key.
- Type:
int
- property number_of_values
number of values within the key.
- Type:
int
- property offset
offset of the key within the Windows Registry file or None.
- Type:
int
- class dfwinreg.fake.FakeWinRegistryValue(name, data=b'', data_type=0, offset=0)[source]
Bases:
WinRegistryValue
Fake implementation of a Windows Registry value.
- GetDataAsObject()[source]
Retrieves the data as an object.
- Returns:
data as a Python type or None if not available.
- Return type:
object
- Raises:
WinRegistryValueError – if the value data cannot be read.
- __init__(name, data=b'', data_type=0, offset=0)[source]
Initializes a Windows Registry value.
- Parameters:
name (str) – name of the Windows Registry value.
data (Optional[bytes]) – value data.
data_type (Optional[int]) – value data type.
offset (Optional[int]) – offset of the value within the Windows Registry file.
- property data
value data as a byte string.
- Type:
bytes
- property data_type
data type.
- Type:
int
- file_object = <_io.BufferedReader name='/home/docs/checkouts/readthedocs.org/user_builds/dfwinreg/checkouts/stable/dfwinreg/dtfabric.yaml'>
- property name
name of the value.
- Type:
str
- property offset
offset of the value within the Windows Registry file.
- Type:
int
dfwinreg.glob2regex module
Glob to regular expression conversion.
Also see: https://en.wikipedia.org/wiki/Glob_(programming)
- dfwinreg.glob2regex.Glob2Regex(glob_pattern)[source]
Converts a glob pattern to a regular expression.
This function supports basic glob patterns that consist of: * matches everything ? matches any single character [seq] matches any character in sequence [!seq] matches any character not in sequence
- Parameters:
glob_pattern (str) – glob pattern.
- Returns:
regular expression pattern.
- Return type:
str
- Raises:
ValueError – if the glob pattern cannot be converted.
dfwinreg.interface module
The Windows Registry object interfaces.
- class dfwinreg.interface.WinRegistryFile(ascii_codepage='cp1252', key_path_prefix='')[source]
Bases:
object
Windows Registry file interface.
- abstract GetKeyByPath(key_path)[source]
Retrieves the key for a specific path.
- Parameters:
key_path (str) – Windows Registry key path.
- Returns:
Windows Registry key or None if not available.
- Return type:
- abstract GetRootKey()[source]
Retrieves the root key.
- Returns:
Windows Registry root key or None if not available.
- Return type:
- abstract Open(file_object)[source]
Opens the Windows Registry file using a file-like object.
- Parameters:
file_object (file) – file-like object.
- Returns:
True if successful or False if not.
- Return type:
bool
- RecurseKeys()[source]
Recurses the Windows Registry keys starting with the root key.
- Yields:
WinRegistryKey – Windows Registry key.
- class dfwinreg.interface.WinRegistryFileReader[source]
Bases:
object
Windows Registry file reader interface.
- abstract Open(path, ascii_codepage='cp1252')[source]
Opens a Windows Registry file specified by the path.
- Parameters:
path (str) – path of the Windows Registry file. The path is a Windows path relative to the root of the file system that contains the specific Windows Registry file, for example: C:WindowsSystem32configSYSTEM
ascii_codepage (Optional[str]) – ASCII string codepage.
- Returns:
Windows Registry file or None.
- Return type:
- class dfwinreg.interface.WinRegistryKey(key_helper=None, key_path_prefix='', relative_key_path='')[source]
Bases:
object
Windows Registry key interface.
- abstract GetSubkeyByIndex(index)[source]
Retrieves a subkey by index.
- Parameters:
index (int) – index of the subkey.
- Returns:
Windows Registry subkey.
- Return type:
- Raises:
IndexError – if the index is out of bounds.
- abstract GetSubkeyByName(name)[source]
Retrieves a subkey by name.
- Parameters:
name (str) – name of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- abstract GetSubkeyByPath(key_path)[source]
Retrieves a subkey by a path.
- Parameters:
key_path (str) – relative key path of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- abstract GetSubkeys()[source]
Retrieves all subkeys within the key.
- Yields:
WinRegistryKey – Windows Registry subkey.
- abstract GetValueByName(name)[source]
Retrieves a value by name.
- Parameters:
name (str) – name of the value or an empty string for the default value.
- Returns:
Windows Registry value or None if not found.
- Return type:
- abstract GetValues()[source]
Retrieves all values within the key.
- Yields:
WinRegistryValue – Windows Registry value.
- RecurseKeys()[source]
Recurses the subkeys starting with the key.
- Yields:
WinRegistryKey – Windows Registry key.
- __init__(key_helper=None, key_path_prefix='', relative_key_path='')[source]
Initializes a Windows Registry key.
- Parameters:
key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
relative_key_path (Optional[str]) – relative Windows Registry key path.
- abstract property class_name
class name of the key or None if not available.
- Type:
str
- abstract property last_written_time
last written time or None.
- Type:
dfdatetime.DateTimeValues
- abstract property name
name of the key.
- Type:
str
- abstract property number_of_subkeys
number of subkeys within the key.
- Type:
int
- abstract property number_of_values
number of values within the key.
- Type:
int
- abstract property offset
offset of the key within the Windows Registry file or None.
- Type:
int
- property path
Windows Registry key path.
- Type:
str
- class dfwinreg.interface.WinRegistryValue[source]
Bases:
object
Windows Registry value interface.
- DataIsBinaryData()[source]
Determines, based on the data type, if the data is binary data.
The data types considered binary data are: REG_BINARY.
- Returns:
True if the data is a binary data, False otherwise.
- Return type:
bool
- DataIsInteger()[source]
Determines, based on the data type, if the data is an integer.
The data types considered strings are: REG_DWORD (REG_DWORD_LITTLE_ENDIAN), REG_DWORD_BIG_ENDIAN and REG_QWORD.
- Returns:
True if the data is an integer, False otherwise.
- Return type:
bool
- DataIsMultiString()[source]
Determines, based on the data type, if the data is a multi string.
The data types considered multi strings are: REG_MULTI_SZ.
- Returns:
True if the data is multi string, False otherwise.
- Return type:
bool
- DataIsString()[source]
Determines, based on the data type, if the data is a string.
The data types considered strings are: REG_SZ and REG_EXPAND_SZ.
- Returns:
True if the data is a string, False otherwise.
- Return type:
bool
- abstract GetDataAsObject()[source]
Retrieves the data as an object.
- Returns:
data as a Python type.
- Return type:
object
- abstract property data
value data.
- Type:
bytes
- abstract property data_type
data type.
- Type:
int
- property data_type_string
string representation of the data type.
- Type:
str
- abstract property name
name of the value.
- Type:
str
- abstract property offset
offset of the value within the Windows Registry file.
- Type:
int
dfwinreg.key_paths module
Key path functions.
- dfwinreg.key_paths.JoinKeyPath(path_segments)[source]
Joins the path segments into key path.
- Parameters:
path_segments (list[str]) – Windows Registry key path segments.
- Returns:
key path.
- Return type:
str
- dfwinreg.key_paths.SplitKeyPath(key_path, path_separator='\\')[source]
Splits the key path into path segments.
- Parameters:
key_path (str) – key path.
path_separator (Optional[str]) – path separator.
- Returns:
- key path segments without the root path segment, which is an
empty string.
- Return type:
list[str]
dfwinreg.regf module
Windows NT Registry (REGF) objects implementation using pyregf.
- class dfwinreg.regf.REGFWinRegistryFile(ascii_codepage='cp1252', key_path_prefix='')[source]
Bases:
WinRegistryFile
Implementation of a Windows Registry file using pyregf.
- AddCurrentControlSetKey()[source]
Adds a virtual current control set key.
- Raises:
ValueError – if the virtual key already exists.
- AddVirtualKey(relative_key_path, pyregf_key)[source]
Adds a virtual key.
- Parameters:
relative_key_path (str) – Windows Registry key path relative to the file.
pyregf_key (pyregf.key) – pyregf key object of the key.
- Raises:
ValueError – if the virtual key already exists.
- GetKeyByPath(key_path)[source]
Retrieves the key for a specific path.
- Parameters:
key_path (str) – Windows Registry key path.
- Returns:
Windows Registry key or None if not available.
- Return type:
- GetRootKey()[source]
Retrieves the root key.
- Returns:
Windows Registry root key or None if not available.
- Return type:
- class dfwinreg.regf.REGFWinRegistryKey(pyregf_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]
Bases:
WinRegistryKey
Implementation of a Windows Registry key using pyregf.
- GetSubkeyByIndex(index)[source]
Retrieves a subkey by index.
- Parameters:
index (int) – index of the subkey.
- Returns:
Windows Registry subkey.
- Return type:
- Raises:
IndexError – if the index is out of bounds.
- GetSubkeyByName(name)[source]
Retrieves a subkey by name.
- Parameters:
name (str) – name of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- GetSubkeyByPath(key_path)[source]
Retrieves a subkey by path.
- Parameters:
key_path (str) – path of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- GetSubkeys()[source]
Retrieves all subkeys within the key.
- Yields:
WinRegistryKey – Windows Registry subkey.
- GetValueByName(name)[source]
Retrieves a value by name.
- Parameters:
name (str) – name of the value.
- Returns:
Windows Registry value or None if not found.
- Return type:
- GetValues()[source]
Retrieves all values within the key.
- Yields:
WinRegistryValue – Windows Registry value.
- __init__(pyregf_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]
Initializes a Windows Registry key.
- Parameters:
pyregf_key (pyregf.key) – pyregf key object.
key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
relative_key_path (Optional[str]) – relative Windows Registry key path.
- property class_name
class name of the key or None if not available.
- Type:
str
- property last_written_time
last written time.
- Type:
dfdatetime.DateTimeValues
- property name
name of the key.
- Type:
str
- property number_of_subkeys
number of subkeys within the key.
- Type:
int
- property number_of_values
number of values within the key.
- Type:
int
- property offset
offset of the key within the Windows Registry file or None.
- Type:
int
- class dfwinreg.regf.REGFWinRegistryKeyHelper[source]
Bases:
WinRegistryKeyHelper
Windows Registry key helper.
- AddVirtualKey(relative_key_path, pyregf_key)[source]
Adds a virtual key.
- Parameters:
relative_key_path (str) – Windows Registry key path relative to the file, with a leading key path segment separator.
pyregf_key (pyregf.key) – pyregf key object of the key.
- Raises:
ValueError – if the virtual key already exists.
- CreateKey(key_path_prefix, relative_key_path, pyregf_key)[source]
Creates a Windows Registry key.
- Parameters:
key_path_prefix (str) – Windows Registry key path prefix.
relative_key_path (str) – Windows Registry key path relative to the file, with a leading key path segment separator.
pyregf_key (pyregf.key) – pyregf key object.
- Returns:
- Windows Registry key or None if pyregf key object is not
set.
- Return type:
- GetKeyByPath(key_path_prefix, relative_key_path)[source]
Retrieves a key.
- Parameters:
key_path_prefix (str) – Windows Registry key path prefix.
relative_key_path (str) – Windows Registry key path relative to the file, without a leading key path segment separator.
- Returns:
Windows Registry key or None if not found.
- Return type:
- class dfwinreg.regf.REGFWinRegistryValue(pyregf_value)[source]
Bases:
WinRegistryValue
Implementation of a Windows Registry value using pyregf.
- GetDataAsObject()[source]
Retrieves the data as an object.
- Returns:
data as a Python type.
- Return type:
object
- Raises:
WinRegistryValueError – if the value data cannot be read.
- __init__(pyregf_value)[source]
Initializes a Windows Registry value.
- Parameters:
pyregf_value (pyregf.value) – pyregf value object.
- property data
value data as a byte string.
- Raises:
WinRegistryValueError – if the value data cannot be read.
- Type:
bytes
- property data_type
data type.
- Type:
int
- property name
name of the value.
- Type:
str
- property offset
offset of the value within the Windows Registry file.
- Type:
int
- class dfwinreg.regf.VirtualREGFWinRegistryKey(name, pyregf_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]
Bases:
REGFWinRegistryKey
Implementation of a virtual Windows Registry key using pyregf.
Virtual Windows Registry key are used to handle keys that do not exist on-disk but do exist at run-time, like HKEY_LOCAL_MACHINESystemCurrentControlSet.
- AddVirtualSubKey(name, subkey)[source]
Adds a virtual subkey.
- Parameters:
name (str) – name of the virtual Windows Registry subkey.
subkey (pyregf.key) – pyregf key object of the subkey.
- Raises:
ValueError – if the virtual subkey already exists.
- GetSubkeyByIndex(index)[source]
Retrieves a subkey by index.
- Parameters:
index (int) – index of the subkey.
- Returns:
Windows Registry subkey.
- Return type:
- Raises:
IndexError – if the index is out of bounds.
- GetSubkeyByName(name)[source]
Retrieves a subkey by name.
- Parameters:
name (str) – name of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- GetSubkeyByPath(key_path)[source]
Retrieves a subkey by path.
- Parameters:
key_path (str) – path of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- GetSubkeys()[source]
Retrieves all subkeys within the key.
- Yields:
WinRegistryKey – Windows Registry subkey.
- __init__(name, pyregf_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]
Initializes a virtual Windows Registry key.
- Parameters:
name (str) – name of the Windows Registry key.
pyregf_key (pyregf.key) – pyregf key object.
key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
relative_key_path (Optional[str]) – relative Windows Registry key path.
- property name
name of the key.
- Type:
str
- property number_of_subkeys
number of subkeys within the key.
- Type:
int
dfwinreg.registry module
Classes for Windows Registry access.
- class dfwinreg.registry.WinRegistry(ascii_codepage='cp1252', registry_file_reader=None)[source]
Bases:
object
Windows Registry.
- GetKeyByPath(key_path)[source]
Retrieves the key for a specific path.
- Parameters:
key_path (str) – Windows Registry key path.
- Returns:
Windows Registry key or None if not available.
- Return type:
- Raises:
RuntimeError – if the root key is not supported or the key path prefix does not match the key path.
- GetRegistryFileMapping(registry_file)[source]
Determines the Registry file mapping based on the content of the file.
- Parameters:
registry_file (WinRegistyFile) – Windows Registry file.
- Returns:
key path prefix or an empty string.
- Return type:
str
- Raises:
RuntimeError – if there are multiple matching mappings and the correct mapping cannot be resolved.
- GetRootKey()[source]
Retrieves the Windows Registry root key.
- Returns:
Windows Registry root key.
- Return type:
- MapFile(key_path_prefix, registry_file)[source]
Maps the Windows Registry file to a specific key path prefix.
- Parameters:
key_path_prefix (str) – key path prefix.
registry_file (WinRegistryFile) – Windows Registry file.
- MapUserFile(profile_path, registry_file)[source]
Maps the user Windows Registry file to a specific profile path.
- Parameters:
profile_path (str) – profile path.
registry_file (WinRegistryFile) – user Windows Registry file.
- OpenAndMapFile(path)[source]
Opens Windows Registry file and maps it to its key path prefix.
- Parameters:
path (str) – path of the Windows Registry file.
- SplitKeyPath(key_path)[source]
Splits the key path into path segments.
- Parameters:
key_path (str) – key path.
- Returns:
- key path segments without the root path segment, which is an
empty string.
- Return type:
list[str]
- __init__(ascii_codepage='cp1252', registry_file_reader=None)[source]
Initializes the Windows Registry.
- Parameters:
ascii_codepage (Optional[str]) – ASCII string codepage.
registry_file_reader (Optional[WinRegistryFileReader]) – Windows Registry file reader.
- class dfwinreg.registry.WinRegistryFileMapping(key_path_prefix, windows_path, unique_key_paths)[source]
Bases:
object
Windows Registry file mapping.
- key_path_prefix
Windows Registry key path prefix.
- Type:
str
- unique_key_paths
key paths unique to the Windows Registry file.
- Type:
list[str]
- windows_path
Windows path to the Windows Registry file, such as: C:WindowsSystem32configSYSTEM
- Type:
str
- __init__(key_path_prefix, windows_path, unique_key_paths)[source]
Initializes the Windows Registry file mapping.
- Parameters:
key_path_prefix (str) – Windows Registry key path prefix.
windows_path (str) – Windows path to the Windows Registry file, such as: C:WindowsSystem32configSYSTEM
unique_key_paths (list[str]) – key paths unique to the Windows Registry file.
dfwinreg.registry_searcher module
A searcher to find keys and values within a Windows Registry.
- class dfwinreg.registry_searcher.FindSpec(key_path=None, key_path_glob=None, key_path_regex=None)[source]
Bases:
object
Find specification.
- AtLastKeyPathSegment(segment_index)[source]
Determines if the a key path segment is the last one or greater.
- Parameters:
segment_index (int) – index of the key path segment.
- Returns:
True if at maximum depth, False if not.
- Return type:
bool
- AtMaximumDepth(**kwargs)
Determines if the find specification is at maximum depth.
This method is deprecated use AtLastKeyPathSegment instead.
- Parameters:
search_depth (int) – number of key path segments to compare.
- Returns:
True if at maximum depth, False if not.
- Return type:
bool
- CompareKeyPath(registry_key)[source]
Compares a Windows Registry key path against the find specification.
- Parameters:
registry_key (WinRegistryKey) – Windows Registry key.
- Returns:
- True if the key path of the Windows Registry key matches that of
the find specification, False if not or if the find specification has no key path defined.
- Return type:
bool
- CompareNameWithKeyPathSegment(registry_key, segment_index)[source]
Compares a Windows Registry key name against a key path segment.
- Parameters:
registry_key (WinRegistryKey) – Windows Registry key.
segment_index (int) – index of the key path segment to compare against, where 0 represents the root segment.
- Returns:
- True if the key path segment of the Windows Registry key matches
that of the find specification, False if not or if the find specification has no key path defined.
- Return type:
bool
- HasKeyPath()[source]
Determines if the find specification has a key path defined.
- Returns:
True if find specification has a key path defined, False if not.
- Return type:
bool
- IsLastKeyPathSegment(segment_index)[source]
Determines if the a key path segment is the last one.
- Parameters:
segment_index (int) – index of the key path path segment.
- Returns:
True if at maximum depth, False if not.
- Return type:
bool
- Matches(**kwargs)
Determines if the Windows Registry key matches the find specification.
This method is deprecated use CompareKeyPath or CompareNameWithKeyPathSegment instead.
- Parameters:
registry_key (WinRegistryKey) – Windows Registry key.
search_depth (int) – number of key path segments to compare.
- Returns:
containing:
- bool: True if the Windows Registry key matches the find specification,
False otherwise.
- bool: True if the key path matches, False if not or None if no key path
specified.
- Return type:
tuple
- __init__(key_path=None, key_path_glob=None, key_path_regex=None)[source]
Initializes a find specification.
- Parameters:
key_path (Optional[str|list[str]]) – key path or key path segments, where None indicates no preference. The key path should be defined relative to the root of the Windows Registry. Note that the string will be split into segments based on the key path segment separator.
(Optional[str (key_path_glob) – list[str]]): key path glob or key path glob segments, where None indicates no preference. The key path glob should be defined relative to the root of the Windows Registry. The default is None. Note that the string will be split into segments based on the key path segment separator.
key_path_regex (Optional[str|list[str]]) – key path regular expression or key path regular expression segments, where None indicates no preference. The key path regular expression should be defined relative to the root of the Windows Registry. The default is None. Note that the string will be split into segments based on the key path segment separator.
- Raises:
TypeError – if the key_path, key_path_glob or key_path_regex type is not supported.
ValueError – if the key_path, key_path_glob or key_path_regex arguments are used at the same time.
- class dfwinreg.registry_searcher.WinRegistrySearcher(win_registry)[source]
Bases:
object
Searcher for key and values within a Windows Registry.
- Find(find_specs=None)[source]
Searches for matching keys within the Windows Registry.
- Parameters:
find_specs (list[FindSpec]) – find specifications. where None will return all allocated Windows Registry keys.
- Yields:
str – key path of a matching Windows Registry key.
- GetKeyByPath(key_path)[source]
Retrieves a Windows Registry key for a path specification.
- Parameters:
key_path (str) – key path.
- Returns:
Windows Registry key or None.
- Return type:
- SplitKeyPath(key_path)[source]
Splits the key path into path segments.
- Parameters:
key_path (str) – key path.
- Returns:
- key path segments without the root path segment, which is an
empty string.
- Return type:
list[str]
- __init__(win_registry)[source]
Initializes a Windows Registry searcher.
- Parameters:
win_registry (WinRegistry) – Windows Registry.
- Raises:
ValueError – when Windows Registry is not set.
dfwinreg.virtual module
Virtual Windows Registry key implementation.
- class dfwinreg.virtual.VirtualWinRegistryKey(name, key_helper=None, key_path_prefix='', registry=None, relative_key_path='')[source]
Bases:
WinRegistryKey
Virtual Windows Registry key.
Virtual Windows Registry key are keys that do not exist on-disk but do exist at run-time, such an example HKEY_LOCAL_MACHINESystem. The virtual key is used to “mount” the SYSTEM Windows Registry file onto the key HKEY_LOCAL_MACHINESystem.
- AddSubkey(name, registry_key)[source]
Adds a subkey.
- Parameters:
name (str) – name of the Windows Registry subkey.
registry_key (WinRegistryKey) – Windows Registry subkey.
- Raises:
KeyError – if the subkey already exists.
- GetSubkeyByIndex(index)[source]
Retrieves a subkey by index.
- Parameters:
index (int) – index of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- Raises:
IndexError – if the index is out of bounds.
- GetSubkeyByName(name)[source]
Retrieves a subkey by name.
- Parameters:
name (str) – name of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- GetSubkeyByPath(key_path)[source]
Retrieves a subkey by path.
- Parameters:
key_path (str) – path of the subkey.
- Returns:
Windows Registry subkey or None if not found.
- Return type:
- GetSubkeys()[source]
Retrieves all subkeys within the key.
- Yields:
WinRegistryKey – Windows Registry subkey.
- GetValueByName(name)[source]
Retrieves a value by name.
- Parameters:
name (str) – name of the value or an empty string for the default value.
- Returns:
Windows Registry value or None if not found.
- Return type:
- GetValues()[source]
Retrieves all values within the key.
- Yields:
WinRegistryValue – Windows Registry value.
- __init__(name, key_helper=None, key_path_prefix='', registry=None, relative_key_path='')[source]
Initializes a Windows Registry key.
- Parameters:
name (str) – name of the Windows Registry key.
key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
registry (Optional[WinRegistry]) – Windows Registry.
relative_key_path (Optional[str]) – relative Windows Registry key path.
- property class_name
class name of the key or None if not available.
- Type:
str
- property last_written_time
last written time or None.
- Type:
dfdatetime.DateTimeValues
- property name
name of the key.
- Type:
str
- property number_of_subkeys
number of subkeys within the key.
- Type:
int
- property number_of_values
number of values within the key.
- Type:
int
- property offset
offset of the key within the Windows Registry file or None.
- Type:
int
Module contents
Digital Forensics Windows Registry (dfWinReg).
dfWinReg, or Digital Forensics Windows Registry, is a Python module that provides read-only access to Windows Registry objects.