dfwinreg package

Submodules

dfwinreg.creg module

Windows 9x/Me Registry (CREG) objects implementation using pycreg.

class dfwinreg.creg.CREGWinRegistryFile(ascii_codepage='cp1252', key_path_prefix='')[source]

Bases: WinRegistryFile

Implementation of a Windows Registry file using pycreg.

Close()[source]: Closes the Windows Registry file.

GetKeyByPath(key_path)[source]

Retrieves the key for a specific path.

Parameters:: key_path (str) – Windows Registry key path.
Returns:: Windows Registry key or None if not available.
Return type:: WinRegistryKey

GetRootKey()[source]

Retrieves the root key.

Returns:: Windows Registry root key or None if not available.
Return type:: WinRegistryKey

Open(file_object)[source]

Opens the Windows Registry file using a file-like object.

Parameters:: file_object (file) – file-like object.
Returns:: True if successful or False if not.
Return type:: bool

__init__(ascii_codepage='cp1252', key_path_prefix='')[source]

Initializes the Windows Registry file.

Parameters:

ascii_codepage (Optional[str]) – ASCII string codepage.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.

class dfwinreg.creg.CREGWinRegistryKey(pycreg_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]

Bases: WinRegistryKey

Implementation of a Windows Registry key using pycreg.

GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters:: index (int) – index of the subkey.
Returns:: Windows Registry subkey.
Return type:: WinRegistryKey
Raises:: IndexError – if the index is out of bounds.

GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters:: name (str) – name of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

GetSubkeyByPath(key_path)[source]

Retrieves a subkey by path.

Parameters:: key_path (str) – path of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

GetSubkeys()[source]

Retrieves all subkeys within the key.

Yields:: WinRegistryKey – Windows Registry subkey.

GetValueByName(name)[source]

Retrieves a value by name.

Value names are not unique and pycreg provides first match for the value.

Parameters:

name (str) – name of the value or an empty string for the default value.

Returns:

Windows Registry value if a corresponding value was: found or None if not.

Return type:

WinRegistryValue

GetValues()[source]

Retrieves all values within the key.

Yields:: WinRegistryValue – Windows Registry value.

__init__(pycreg_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]

Initializes a Windows Registry key.

Parameters:

pycreg_key (pycreg.key) – pycreg key object.
key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
relative_key_path (Optional[str]) – relative Windows Registry key path.

property class_name

class name of the key or None if not available.

Type:: str

property last_written_time

last written time.

Type:: dfdatetime.DateTimeValues

property name

name of the key.

Type:: str

property number_of_subkeys

number of subkeys within the key.

Type:: int

property number_of_values

number of values within the key.

Type:: int

property offset

offset of the key within the Windows Registry file or None.

Type:: int

class dfwinreg.creg.CREGWinRegistryValue(pycreg_value)[source]

Bases: WinRegistryValue

Implementation of a Windows Registry value using pycreg.

GetDataAsObject()[source]

Retrieves the data as an object.

Returns:: data as a Python type.
Return type:: object
Raises:: WinRegistryValueError – if the value data cannot be read.

__init__(pycreg_value)[source]

Initializes a Windows Registry value.

Parameters:: pycreg_value (pycreg.value) – pycreg value object.

property data

value data as a byte string.

Raises:: WinRegistryValueError – if the value data cannot be read.
Type:: bytes

property data_type

data type.

Type:: int

property name

name of the value.

Type:: str

property offset

offset of the value within the Windows Registry file.

Type:: int

dfwinreg.decorators module

Function decorators.

dfwinreg.decorators.deprecated(function)[source]: Decorator to mark functions or methods as deprecated.

dfwinreg.definitions module

The Windows Registry definitions.

dfwinreg.errors module

This file contains the error classes.

exception dfwinreg.errors.Error[source]

Bases: Exception

Base error class.

exception dfwinreg.errors.WinRegistryValueError[source]

Bases: Error

Raised when a Windows Registry value cannot be read.

dfwinreg.fake module

Fake Windows Registry objects implementation.

class dfwinreg.fake.FakeWinRegistryFile(ascii_codepage='cp1252', key_path_prefix='')[source]

Bases: WinRegistryFile

Fake implementation of a Windows Registry file.

AddKeyByPath(key_path, registry_key)[source]

Adds a Windows Registry key for a specific key path.

Parameters:

key_path (str) – Windows Registry key path to add the key.
registry_key (WinRegistryKey) – Windows Registry key.

Raises:

KeyError – if the subkey already exists.
ValueError – if the Windows Registry key cannot be added.

Close()[source]: Closes the Windows Registry file.

GetKeyByPath(key_path)[source]

Retrieves the key for a specific path.

Parameters:: key_path (str) – Windows Registry key path.
Returns:: Windows Registry key or None if not available.
Return type:: WinRegistryKey

GetRootKey()[source]

Retrieves the root key.

Returns:: Windows Registry key or None if not available.
Return type:: WinRegistryKey

Open(file_object)[source]

Opens the Windows Registry file using a file-like object.

Parameters:: file_object (file) – file-like object.
Returns:: True if successful or False if not.
Return type:: bool

__init__(ascii_codepage='cp1252', key_path_prefix='')[source]

Initializes a Windows Registry file.

Parameters:

ascii_codepage (str) – ASCII string codepage.
key_path_prefix (str) – Windows Registry key path prefix.

class dfwinreg.fake.FakeWinRegistryKey(name, class_name=None, key_helper=None, key_path_prefix='', last_written_time=None, offset=None, relative_key_path='', subkeys=None, values=None)[source]

Bases: WinRegistryKey

Fake implementation of a Windows Registry key.

AddSubkey(name, registry_key)[source]

Adds a subkey.

Parameters:

name (str) – name of the Windows Registry subkey.
registry_key (WinRegistryKey) – Windows Registry subkey.

Raises:

KeyError – if the subkey already exists.

AddValue(registry_value)[source]

Adds a value.

Parameters:: registry_value (WinRegistryValue) – Windows Registry value.
Raises:: KeyError – if the value already exists.

GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters:: index (int) – index of the subkey.
Returns:: Windows Registry subkey.
Return type:: WinRegistryKey
Raises:: IndexError – if the index is out of bounds.

GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters:: name (str) – name of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

GetSubkeyByPath(key_path)[source]

Retrieves a subkey by path.

Parameters:: key_path (str) – path of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

GetSubkeys()[source]

Retrieves all subkeys within the key.

Returns:: Windows Registry subkey generator.
Return type:: generator[WinRegistryKey]

GetValueByName(name)[source]

Retrieves a value by name.

Parameters:: name (str) – name of the value or an empty string for the default value.
Returns:: Windows Registry value or None if not found.
Return type:: WinRegistryValue

GetValues()[source]

Retrieves all values within the key.

Returns:: Windows Registry value generator.
Return type:: generator[WinRegistryValue]

__init__(name, class_name=None, key_helper=None, key_path_prefix='', last_written_time=None, offset=None, relative_key_path='', subkeys=None, values=None)[source]

Initializes a Windows Registry key.

Subkeys and values with duplicate names are silently ignored.

Parameters:

name (str) – name of the Windows Registry key.
class_name (Optional[str]) – class name of the Windows Registry key.
key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
last_written_time (Optional[int]) – last written time, formatted as a FILETIME timestamp.
offset (Optional[int]) – offset of the key within the Windows Registry file.
relative_key_path (Optional[str]) – relative Windows Registry key path.
subkeys (Optional[list[FakeWinRegistryKey]]) – list of subkeys.
values (Optional[list[FakeWinRegistryValue]]) – list of values.

property class_name

class name of the key or None if not available.

Type:: str

property last_written_time

last written time.

Type:: dfdatetime.DateTimeValues

property name

name of the key.

Type:: str

property number_of_subkeys

number of subkeys within the key.

Type:: int

property number_of_values

number of values within the key.

Type:: int

property offset

offset of the key within the Windows Registry file or None.

Type:: int

class dfwinreg.fake.FakeWinRegistryValue(name, data=b'', data_type=0, offset=0)[source]

Bases: WinRegistryValue

Fake implementation of a Windows Registry value.

GetDataAsObject()[source]

Retrieves the data as an object.

Returns:: data as a Python type or None if not available.
Return type:: object
Raises:: WinRegistryValueError – if the value data cannot be read.

__init__(name, data=b'', data_type=0, offset=0)[source]

Initializes a Windows Registry value.

Parameters:

name (str) – name of the Windows Registry value.
data (Optional[bytes]) – value data.
data_type (Optional[int]) – value data type.
offset (Optional[int]) – offset of the value within the Windows Registry file.

property data

value data as a byte string.

Type:: bytes

property data_type

data type.

Type:: int

file_object = <_io.BufferedReader name='/home/docs/checkouts/readthedocs.org/user_builds/dfwinreg/checkouts/latest/dfwinreg/dtfabric.yaml'>

property name

name of the value.

Type:: str

property offset

offset of the value within the Windows Registry file.

Type:: int

dfwinreg.glob2regex module

Glob to regular expression conversion.

Also see: https://en.wikipedia.org/wiki/Glob_(programming)

dfwinreg.glob2regex.Glob2Regex(glob_pattern)[source]

Converts a glob pattern to a regular expression.

This function supports basic glob patterns that consist of: * matches everything ? matches any single character [seq] matches any character in sequence [!seq] matches any character not in sequence

Parameters:: glob_pattern (str) – glob pattern.
Returns:: regular expression pattern.
Return type:: str
Raises:: ValueError – if the glob pattern cannot be converted.

dfwinreg.interface module

The Windows Registry object interfaces.

class dfwinreg.interface.WinRegistryFile(ascii_codepage='cp1252', key_path_prefix='')[source]

Bases: object

Windows Registry file interface.

abstract Close()[source]: Closes the Windows Registry file.

abstract GetKeyByPath(key_path)[source]

Retrieves the key for a specific path.

Parameters:: key_path (str) – Windows Registry key path.
Returns:: Windows Registry key or None if not available.
Return type:: WinRegistryKey

abstract GetRootKey()[source]

Retrieves the root key.

Returns:: Windows Registry root key or None if not available.
Return type:: WinRegistryKey

abstract Open(file_object)[source]

Opens the Windows Registry file using a file-like object.

Parameters:: file_object (file) – file-like object.
Returns:: True if successful or False if not.
Return type:: bool

RecurseKeys()[source]

Recurses the Windows Registry keys starting with the root key.

Yields:: WinRegistryKey – Windows Registry key.

SetKeyPathPrefix(key_path_prefix)[source]

Sets the Window Registry key path prefix.

Parameters:: key_path_prefix (str) – Windows Registry key path prefix.

__init__(ascii_codepage='cp1252', key_path_prefix='')[source]

Initializes a Windows Registry file.

Parameters:

ascii_codepage (Optional[str]) – ASCII string codepage.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.

class dfwinreg.interface.WinRegistryFileReader[source]

Bases: object

Windows Registry file reader interface.

abstract Open(path, ascii_codepage='cp1252')[source]

Opens a Windows Registry file specified by the path.

Parameters:

path (str) – path of the Windows Registry file. The path is a Windows path relative to the root of the file system that contains the specific Windows Registry file, for example: C:WindowsSystem32configSYSTEM
ascii_codepage (Optional[str]) – ASCII string codepage.

Returns:

Windows Registry file or None.

Return type:

WinRegistryFile

class dfwinreg.interface.WinRegistryKey(key_helper=None, key_path_prefix='', relative_key_path='')[source]

Bases: object

Windows Registry key interface.

abstract GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters:: index (int) – index of the subkey.
Returns:: Windows Registry subkey.
Return type:: WinRegistryKey
Raises:: IndexError – if the index is out of bounds.

abstract GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters:: name (str) – name of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

abstract GetSubkeyByPath(key_path)[source]

Retrieves a subkey by a path.

Parameters:: key_path (str) – relative key path of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

abstract GetSubkeys()[source]

Retrieves all subkeys within the key.

Yields:: WinRegistryKey – Windows Registry subkey.

abstract GetValueByName(name)[source]

Retrieves a value by name.

Parameters:: name (str) – name of the value or an empty string for the default value.
Returns:: Windows Registry value or None if not found.
Return type:: WinRegistryValue

abstract GetValues()[source]

Retrieves all values within the key.

Yields:: WinRegistryValue – Windows Registry value.

RecurseKeys()[source]

Recurses the subkeys starting with the key.

Yields:: WinRegistryKey – Windows Registry key.

__init__(key_helper=None, key_path_prefix='', relative_key_path='')[source]

Initializes a Windows Registry key.

Parameters:

key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
relative_key_path (Optional[str]) – relative Windows Registry key path.

abstract property class_name

class name of the key or None if not available.

Type:: str

abstract property last_written_time

last written time or None.

Type:: dfdatetime.DateTimeValues

abstract property name

name of the key.

Type:: str

abstract property number_of_subkeys

number of subkeys within the key.

Type:: int

abstract property number_of_values

number of values within the key.

Type:: int

abstract property offset

offset of the key within the Windows Registry file or None.

Type:: int

property path

Windows Registry key path.

Type:: str

class dfwinreg.interface.WinRegistryKeyHelper[source]

Bases: object

Windows Registry key helper.

class dfwinreg.interface.WinRegistryValue[source]

Bases: object

Windows Registry value interface.

DataIsBinaryData()[source]

Determines, based on the data type, if the data is binary data.

The data types considered binary data are: REG_BINARY.

Returns:: True if the data is a binary data, False otherwise.
Return type:: bool

DataIsInteger()[source]

Determines, based on the data type, if the data is an integer.

The data types considered strings are: REG_DWORD (REG_DWORD_LITTLE_ENDIAN), REG_DWORD_BIG_ENDIAN and REG_QWORD.

Returns:: True if the data is an integer, False otherwise.
Return type:: bool

DataIsMultiString()[source]

Determines, based on the data type, if the data is a multi string.

The data types considered multi strings are: REG_MULTI_SZ.

Returns:: True if the data is multi string, False otherwise.
Return type:: bool

DataIsString()[source]

Determines, based on the data type, if the data is a string.

The data types considered strings are: REG_SZ and REG_EXPAND_SZ.

Returns:: True if the data is a string, False otherwise.
Return type:: bool

abstract GetDataAsObject()[source]

Retrieves the data as an object.

Returns:: data as a Python type.
Return type:: object

abstract property data

value data.

Type:: bytes

abstract property data_type

data type.

Type:: int

property data_type_string

string representation of the data type.

Type:: str

abstract property name

name of the value.

Type:: str

abstract property offset

offset of the value within the Windows Registry file.

Type:: int

dfwinreg.key_paths module

Key path functions.

dfwinreg.key_paths.JoinKeyPath(path_segments)[source]

Joins the path segments into key path.

Parameters:: path_segments (list[str]) – Windows Registry key path segments.
Returns:: key path.
Return type:: str

dfwinreg.key_paths.SplitKeyPath(key_path, path_separator='\\')[source]

Splits the key path into path segments.

Parameters:

key_path (str) – key path.
path_separator (Optional[str]) – path separator.

Returns:

key path segments without the root path segment, which is an: empty string.

Return type:

list[str]

dfwinreg.regf module

Windows NT Registry (REGF) objects implementation using pyregf.

class dfwinreg.regf.REGFWinRegistryFile(ascii_codepage='cp1252', key_path_prefix='')[source]

Bases: WinRegistryFile

Implementation of a Windows Registry file using pyregf.

AddCurrentControlSetKey()[source]

Adds a virtual current control set key.

Raises:: ValueError – if the virtual key already exists.

AddVirtualKey(relative_key_path, pyregf_key)[source]

Adds a virtual key.

Parameters:

relative_key_path (str) – Windows Registry key path relative to the file.
pyregf_key (pyregf.key) – pyregf key object of the key.

Raises:

ValueError – if the virtual key already exists.

Close()[source]: Closes the Windows Registry file.

GetKeyByPath(key_path)[source]

Retrieves the key for a specific path.

Parameters:: key_path (str) – Windows Registry key path.
Returns:: Windows Registry key or None if not available.
Return type:: WinRegistryKey

GetRootKey()[source]

Retrieves the root key.

Returns:: Windows Registry root key or None if not available.
Return type:: WinRegistryKey

Open(file_object)[source]

Opens the Windows Registry file using a file-like object.

Parameters:: file_object (file) – file-like object.
Returns:: True if successful or False if not.
Return type:: bool

__init__(ascii_codepage='cp1252', key_path_prefix='')[source]

Initializes the Windows Registry file.

Parameters:

ascii_codepage (Optional[str]) – ASCII string codepage.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.

class dfwinreg.regf.REGFWinRegistryKey(pyregf_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]

Bases: WinRegistryKey

Implementation of a Windows Registry key using pyregf.

GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters:: index (int) – index of the subkey.
Returns:: Windows Registry subkey.
Return type:: WinRegistryKey
Raises:: IndexError – if the index is out of bounds.

GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters:: name (str) – name of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

GetSubkeyByPath(key_path)[source]

Retrieves a subkey by path.

Parameters:: key_path (str) – path of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

GetSubkeys()[source]

Retrieves all subkeys within the key.

Yields:: WinRegistryKey – Windows Registry subkey.

GetValueByName(name)[source]

Retrieves a value by name.

Parameters:: name (str) – name of the value.
Returns:: Windows Registry value or None if not found.
Return type:: WinRegistryValue

GetValues()[source]

Retrieves all values within the key.

Yields:: WinRegistryValue – Windows Registry value.

__init__(pyregf_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]

Initializes a Windows Registry key.

Parameters:

pyregf_key (pyregf.key) – pyregf key object.
key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
relative_key_path (Optional[str]) – relative Windows Registry key path.

property class_name

class name of the key or None if not available.

Type:: str

property last_written_time

last written time.

Type:: dfdatetime.DateTimeValues

property name

name of the key.

Type:: str

property number_of_subkeys

number of subkeys within the key.

Type:: int

property number_of_values

number of values within the key.

Type:: int

property offset

offset of the key within the Windows Registry file or None.

Type:: int

class dfwinreg.regf.REGFWinRegistryKeyHelper[source]

Bases: WinRegistryKeyHelper

Windows Registry key helper.

AddVirtualKey(relative_key_path, pyregf_key)[source]

Adds a virtual key.

Parameters:

relative_key_path (str) – Windows Registry key path relative to the file, with a leading key path segment separator.
pyregf_key (pyregf.key) – pyregf key object of the key.

Raises:

ValueError – if the virtual key already exists.

CreateKey(key_path_prefix, relative_key_path, pyregf_key)[source]

Creates a Windows Registry key.

Parameters:

key_path_prefix (str) – Windows Registry key path prefix.
relative_key_path (str) – Windows Registry key path relative to the file, with a leading key path segment separator.
pyregf_key (pyregf.key) – pyregf key object.

Returns:

Windows Registry key or None if pyregf key object is not: set.

Return type:

WinRegistryKey

GetKeyByPath(key_path_prefix, relative_key_path)[source]

Retrieves a key.

Parameters:

key_path_prefix (str) – Windows Registry key path prefix.
relative_key_path (str) – Windows Registry key path relative to the file, without a leading key path segment separator.

Returns:

Windows Registry key or None if not found.

Return type:

WinRegistryKey

__init__()[source]: Initializes the Windows Registry key helper.

class dfwinreg.regf.REGFWinRegistryValue(pyregf_value)[source]

Bases: WinRegistryValue

Implementation of a Windows Registry value using pyregf.

GetDataAsObject()[source]

Retrieves the data as an object.

Returns:: data as a Python type.
Return type:: object
Raises:: WinRegistryValueError – if the value data cannot be read.

__init__(pyregf_value)[source]

Initializes a Windows Registry value.

Parameters:: pyregf_value (pyregf.value) – pyregf value object.

property data

value data as a byte string.

Raises:: WinRegistryValueError – if the value data cannot be read.
Type:: bytes

property data_type

data type.

Type:: int

property name

name of the value.

Type:: str

property offset

offset of the value within the Windows Registry file.

Type:: int

class dfwinreg.regf.VirtualREGFWinRegistryKey(name, pyregf_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]

Bases: REGFWinRegistryKey

Implementation of a virtual Windows Registry key using pyregf.

Virtual Windows Registry key are used to handle keys that do not exist on-disk but do exist at run-time, like HKEY_LOCAL_MACHINESystemCurrentControlSet.

AddVirtualSubKey(name, subkey)[source]

Adds a virtual subkey.

Parameters:

name (str) – name of the virtual Windows Registry subkey.
subkey (pyregf.key) – pyregf key object of the subkey.

Raises:

ValueError – if the virtual subkey already exists.

GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters:: index (int) – index of the subkey.
Returns:: Windows Registry subkey.
Return type:: WinRegistryKey
Raises:: IndexError – if the index is out of bounds.

GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters:: name (str) – name of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

GetSubkeyByPath(key_path)[source]

Retrieves a subkey by path.

Parameters:: key_path (str) – path of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

GetSubkeys()[source]

Retrieves all subkeys within the key.

Yields:: WinRegistryKey – Windows Registry subkey.

__init__(name, pyregf_key, key_helper=None, key_path_prefix='', relative_key_path='')[source]

Initializes a virtual Windows Registry key.

Parameters:

name (str) – name of the Windows Registry key.
pyregf_key (pyregf.key) – pyregf key object.
key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
relative_key_path (Optional[str]) – relative Windows Registry key path.

property name

name of the key.

Type:: str

property number_of_subkeys

number of subkeys within the key.

Type:: int

dfwinreg.registry module

Classes for Windows Registry access.

class dfwinreg.registry.WinRegistry(ascii_codepage='cp1252', registry_file_reader=None)[source]

Bases: object

Windows Registry.

GetKeyByPath(key_path)[source]

Retrieves the key for a specific path.

Parameters:: key_path (str) – Windows Registry key path.
Returns:: Windows Registry key or None if not available.
Return type:: WinRegistryKey
Raises:: RuntimeError – if the root key is not supported or the key path prefix does not match the key path.

GetRegistryFileMapping(registry_file)[source]

Determines the Registry file mapping based on the content of the file.

Parameters:: registry_file (WinRegistyFile) – Windows Registry file.
Returns:: key path prefix or an empty string.
Return type:: str
Raises:: RuntimeError – if there are multiple matching mappings and the correct mapping cannot be resolved.

GetRootKey()[source]

Retrieves the Windows Registry root key.

Returns:: Windows Registry root key.
Return type:: VirtualWinRegistryKey

MapFile(key_path_prefix, registry_file)[source]

Maps the Windows Registry file to a specific key path prefix.

Parameters:

key_path_prefix (str) – key path prefix.
registry_file (WinRegistryFile) – Windows Registry file.

MapUserFile(profile_path, registry_file)[source]

Maps the user Windows Registry file to a specific profile path.

Parameters:

profile_path (str) – profile path.
registry_file (WinRegistryFile) – user Windows Registry file.

OpenAndMapFile(path)[source]

Opens Windows Registry file and maps it to its key path prefix.

Parameters:: path (str) – path of the Windows Registry file.

SplitKeyPath(key_path)[source]

Splits the key path into path segments.

Parameters:

key_path (str) – key path.

Returns:

key path segments without the root path segment, which is an: empty string.

Return type:

list[str]

__del__()[source]: Cleans up the Windows Registry object.

__init__(ascii_codepage='cp1252', registry_file_reader=None)[source]

Initializes the Windows Registry.

Parameters:

ascii_codepage (Optional[str]) – ASCII string codepage.
registry_file_reader (Optional[WinRegistryFileReader]) – Windows Registry file reader.

class dfwinreg.registry.WinRegistryFileMapping(key_path_prefix, windows_path, unique_key_paths)[source]

Bases: object

Windows Registry file mapping.

key_path_prefix

Windows Registry key path prefix.

Type:: str

unique_key_paths

key paths unique to the Windows Registry file.

Type:: list[str]

windows_path

Windows path to the Windows Registry file, such as: C:WindowsSystem32configSYSTEM

Type:: str

__init__(key_path_prefix, windows_path, unique_key_paths)[source]

Initializes the Windows Registry file mapping.

Parameters:

key_path_prefix (str) – Windows Registry key path prefix.
windows_path (str) – Windows path to the Windows Registry file, such as: C:WindowsSystem32configSYSTEM
unique_key_paths (list[str]) – key paths unique to the Windows Registry file.

dfwinreg.registry_searcher module

A searcher to find keys and values within a Windows Registry.

class dfwinreg.registry_searcher.FindSpec(key_path=None, key_path_glob=None, key_path_regex=None)[source]

Bases: object

Find specification.

AtLastKeyPathSegment(segment_index)[source]

Determines if the a key path segment is the last one or greater.

Parameters:: segment_index (int) – index of the key path segment.
Returns:: True if at maximum depth, False if not.
Return type:: bool

AtMaximumDepth(**kwargs)

Determines if the find specification is at maximum depth.

This method is deprecated use AtLastKeyPathSegment instead.

Parameters:: search_depth (int) – number of key path segments to compare.
Returns:: True if at maximum depth, False if not.
Return type:: bool

CompareKeyPath(registry_key)[source]

Compares a Windows Registry key path against the find specification.

Parameters:

registry_key (WinRegistryKey) – Windows Registry key.

Returns:

True if the key path of the Windows Registry key matches that of: the find specification, False if not or if the find specification has no key path defined.

Return type:

bool

CompareNameWithKeyPathSegment(registry_key, segment_index)[source]

Compares a Windows Registry key name against a key path segment.

Parameters:

registry_key (WinRegistryKey) – Windows Registry key.
segment_index (int) – index of the key path segment to compare against, where 0 represents the root segment.

Returns:

True if the key path segment of the Windows Registry key matches: that of the find specification, False if not or if the find specification has no key path defined.

Return type:

bool

HasKeyPath()[source]

Determines if the find specification has a key path defined.

Returns:: True if find specification has a key path defined, False if not.
Return type:: bool

IsLastKeyPathSegment(segment_index)[source]

Determines if the a key path segment is the last one.

Parameters:: segment_index (int) – index of the key path path segment.
Returns:: True if at maximum depth, False if not.
Return type:: bool

Matches(**kwargs)

Determines if the Windows Registry key matches the find specification.

This method is deprecated use CompareKeyPath or CompareNameWithKeyPathSegment instead.

Parameters:

registry_key (WinRegistryKey) – Windows Registry key.
search_depth (int) – number of key path segments to compare.

Returns:

containing:

bool: True if the Windows Registry key matches the find specification,
False otherwise.

bool: True if the key path matches, False if not or None if no key path
specified.

Return type:

tuple

__init__(key_path=None, key_path_glob=None, key_path_regex=None)[source]

Initializes a find specification.

Parameters:

key_path (Optional[str|list[str]]) – key path or key path segments, where None indicates no preference. The key path should be defined relative to the root of the Windows Registry. Note that the string will be split into segments based on the key path segment separator.
(Optional[str (key_path_glob) – list[str]]): key path glob or key path glob segments, where None indicates no preference. The key path glob should be defined relative to the root of the Windows Registry. The default is None. Note that the string will be split into segments based on the key path segment separator.
key_path_regex (Optional[str|list[str]]) – key path regular expression or key path regular expression segments, where None indicates no preference. The key path regular expression should be defined relative to the root of the Windows Registry. The default is None. Note that the string will be split into segments based on the key path segment separator.

Raises:

TypeError – if the key_path, key_path_glob or key_path_regex type is not supported.
ValueError – if the key_path, key_path_glob or key_path_regex arguments are used at the same time.

class dfwinreg.registry_searcher.WinRegistrySearcher(win_registry)[source]

Bases: object

Searcher for key and values within a Windows Registry.

Find(find_specs=None)[source]

Searches for matching keys within the Windows Registry.

Parameters:: find_specs (list[FindSpec]) – find specifications. where None will return all allocated Windows Registry keys.
Yields:: str – key path of a matching Windows Registry key.

GetKeyByPath(key_path)[source]

Retrieves a Windows Registry key for a path specification.

Parameters:: key_path (str) – key path.
Returns:: Windows Registry key or None.
Return type:: WinRegistryKey

SplitKeyPath(key_path)[source]

Splits the key path into path segments.

Parameters:

key_path (str) – key path.

Returns:

key path segments without the root path segment, which is an: empty string.

Return type:

list[str]

__init__(win_registry)[source]

Initializes a Windows Registry searcher.

Parameters:: win_registry (WinRegistry) – Windows Registry.
Raises:: ValueError – when Windows Registry is not set.

dfwinreg.virtual module

Virtual Windows Registry key implementation.

class dfwinreg.virtual.VirtualWinRegistryKey(name, key_helper=None, key_path_prefix='', registry=None, relative_key_path='')[source]

Bases: WinRegistryKey

Virtual Windows Registry key.

Virtual Windows Registry key are keys that do not exist on-disk but do exist at run-time, such an example HKEY_LOCAL_MACHINESystem. The virtual key is used to “mount” the SYSTEM Windows Registry file onto the key HKEY_LOCAL_MACHINESystem.

AddSubkey(name, registry_key)[source]

Adds a subkey.

Parameters:

name (str) – name of the Windows Registry subkey.
registry_key (WinRegistryKey) – Windows Registry subkey.

Raises:

KeyError – if the subkey already exists.

GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters:: index (int) – index of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey
Raises:: IndexError – if the index is out of bounds.

GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters:: name (str) – name of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

GetSubkeyByPath(key_path)[source]

Retrieves a subkey by path.

Parameters:: key_path (str) – path of the subkey.
Returns:: Windows Registry subkey or None if not found.
Return type:: WinRegistryKey

GetSubkeys()[source]

Retrieves all subkeys within the key.

Yields:: WinRegistryKey – Windows Registry subkey.

GetValueByName(name)[source]

Retrieves a value by name.

Parameters:: name (str) – name of the value or an empty string for the default value.
Returns:: Windows Registry value or None if not found.
Return type:: WinRegistryValue

GetValues()[source]

Retrieves all values within the key.

Yields:: WinRegistryValue – Windows Registry value.

__init__(name, key_helper=None, key_path_prefix='', registry=None, relative_key_path='')[source]

Initializes a Windows Registry key.

Parameters:

name (str) – name of the Windows Registry key.
key_helper (Optional[WinRegistryKeyHelper]) – Windows Registry key helper.
key_path_prefix (Optional[str]) – Windows Registry key path prefix.
registry (Optional[WinRegistry]) – Windows Registry.
relative_key_path (Optional[str]) – relative Windows Registry key path.

property class_name

class name of the key or None if not available.

Type:: str

property last_written_time

last written time or None.

Type:: dfdatetime.DateTimeValues

property name

name of the key.

Type:: str

property number_of_subkeys

number of subkeys within the key.

Type:: int

property number_of_values

number of values within the key.

Type:: int

property offset

offset of the key within the Windows Registry file or None.

Type:: int

Module contents

Digital Forensics Windows Registry (dfWinReg).

dfWinReg, or Digital Forensics Windows Registry, is a Python module that provides read-only access to Windows Registry objects.