dfwinreg package

Submodules

dfwinreg.creg module

Windows 9x/Me Registry (CREG) objects implementation using pycreg.

class dfwinreg.creg.CREGWinRegistryFile(ascii_codepage='cp1252', key_path_prefix='')[source]

Bases: WinRegistryFile

Implementation of a Windows Registry file using pycreg.

Close()[source]: Closes the Windows Registry file.

GetKeyByPath(key_path)[source]

Retrieves the key for a specific path.

Parameters: key_path (str) – Windows Registry key path.
Returns: Registry key or None if not available.
Return type: WinRegistryKey

GetRootKey()[source]

Retrieves the root key.

Returns: Windows Registry root key or None if not available.
Return type: WinRegistryKey

Open(file_object)[source]

Opens the Windows Registry file using a file-like object.

Parameters: file_object (file) – file-like object.
Returns: True if successful or False if not.
Return type: bool

class dfwinreg.creg.CREGWinRegistryKey(pycreg_key, key_path='')[source]

Bases: WinRegistryKey

Implementation of a Windows Registry key using pycreg.

GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters: index (int) – index of the subkey.
Returns: Windows Registry subkey.
Return type: WinRegistryKey
Raises: IndexError – if the index is out of bounds.

GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters: name (str) – name of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

GetSubkeyByPath(key_path)[source]

Retrieves a subkey by path.

Parameters: key_path (str) – path of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

GetSubkeys()[source]

Retrieves all subkeys within the key.

Yields: WinRegistryKey – Windows Registry subkey.

GetValueByName(name)[source]

Retrieves a value by name.

Value names are not unique and pycreg provides first match for the value.

Parameters

name (str) – name of the value or an empty string for the default value.

Returns

Windows Registry value if a corresponding value was: found or None if not.

Return type

WinRegistryValue

GetValues()[source]

Retrieves all values within the key.

Yields: WinRegistryValue – Windows Registry value.

property class_name

class name of the key or None if not available.

Type: str

property last_written_time

last written time.

Type: dfdatetime.DateTimeValues

property name

name of the key.

Type: str

property number_of_subkeys

number of subkeys within the key.

Type: int

property number_of_values

number of values within the key.

Type: int

property offset

offset of the key within the Windows Registry file or None.

Type: int

class dfwinreg.creg.CREGWinRegistryValue(pycreg_value)[source]

Bases: WinRegistryValue

Implementation of a Windows Registry value using pycreg.

GetDataAsObject()[source]

Retrieves the data as an object.

Returns: data as a Python type.
Return type: object
Raises: WinRegistryValueError – if the value data cannot be read.

property data

value data as a byte string.

Raises: WinRegistryValueError – if the value data cannot be read.
Type: bytes

property data_type

data type.

Type: int

property name

name of the value.

Type: str

property offset

offset of the value within the Windows Registry file.

Type: int

dfwinreg.decorators module

Function decorators.

dfwinreg.decorators.deprecated(function)[source]: Decorator to mark functions or methods as deprecated.

dfwinreg.definitions module

The Windows Registry definitions.

dfwinreg.errors module

This file contains the error classes.

exception dfwinreg.errors.Error[source]

Bases: Exception

Base error class.

exception dfwinreg.errors.WinRegistryValueError[source]

Bases: Error

Raised when a Windows Registry value cannot be read.

dfwinreg.fake module

Fake Windows Registry objects implementation.

class dfwinreg.fake.FakeWinRegistryFile(ascii_codepage='cp1252', key_path_prefix='')[source]

Bases: WinRegistryFile

Fake implementation of a Windows Registry file.

AddKeyByPath(key_path, registry_key)[source]

Adds a Windows Registry key for a specific key path.

Parameters

key_path (str) – Windows Registry key path to add the key.
registry_key (WinRegistryKey) – Windows Registry key.

Raises

KeyError – if the subkey already exists.
ValueError – if the Windows Registry key cannot be added.

Close()[source]: Closes the Windows Registry file.

GetKeyByPath(key_path)[source]

Retrieves the key for a specific path.

Parameters: key_path (str) – Windows Registry key path.
Returns: Windows Registry key or None if not available.
Return type: WinRegistryKey

GetRootKey()[source]

Retrieves the root key.

Returns: Windows Registry key or None if not available.
Return type: WinRegistryKey

Open(file_object)[source]

Opens the Windows Registry file using a file-like object.

Parameters: file_object (file) – file-like object.
Returns: True if successful or False if not.
Return type: bool

class dfwinreg.fake.FakeWinRegistryKey(name, class_name=None, key_path='', last_written_time=None, offset=None, subkeys=None, values=None)[source]

Bases: WinRegistryKey

Fake implementation of a Windows Registry key.

AddSubkey(name, registry_key)[source]

Adds a subkey.

Parameters

name (str) – name of the Windows Registry subkey.
registry_key (WinRegistryKey) – Windows Registry subkey.

Raises

KeyError – if the subkey already exists.

AddValue(registry_value)[source]

Adds a value.

Parameters: registry_value (WinRegistryValue) – Windows Registry value.
Raises: KeyError – if the value already exists.

GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters: index (int) – index of the subkey.
Returns: Windows Registry subkey.
Return type: WinRegistryKey
Raises: IndexError – if the index is out of bounds.

GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters: name (str) – name of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

GetSubkeyByPath(key_path)[source]

Retrieves a subkey by path.

Parameters: key_path (str) – path of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

GetSubkeys()[source]

Retrieves all subkeys within the key.

Returns: Windows Registry subkey generator.
Return type: generator[WinRegistryKey]

GetValueByName(name)[source]

Retrieves a value by name.

Parameters: name (str) – name of the value or an empty string for the default value.
Returns: Windows Registry value or None if not found.
Return type: WinRegistryValue

GetValues()[source]

Retrieves all values within the key.

Returns: Windows Registry value generator.
Return type: generator[WinRegistryValue]

property class_name

class name of the key or None if not available.

Type: str

property last_written_time

last written time.

Type: dfdatetime.DateTimeValues

property name

name of the key.

Type: str

property number_of_subkeys

number of subkeys within the key.

Type: int

property number_of_values

number of values within the key.

Type: int

property offset

offset of the key within the Windows Registry file or None.

Type: int

class dfwinreg.fake.FakeWinRegistryValue(name, data=b'', data_type=0, offset=0)[source]

Bases: WinRegistryValue

Fake implementation of a Windows Registry value.

GetDataAsObject()[source]

Retrieves the data as an object.

Returns: data as a Python type or None if not available.
Return type: object
Raises: WinRegistryValueError – if the value data cannot be read.

property data

value data as a byte string.

Type: bytes

property data_type

data type.

Type: int

file_object = <_io.BufferedReader name='/home/docs/checkouts/readthedocs.org/user_builds/dfwinreg/checkouts/latest/dfwinreg/dtfabric.yaml'>

property name

name of the value.

Type: str

property offset

offset of the value within the Windows Registry file.

Type: int

dfwinreg.glob2regex module

Glob to regular expression conversion.

Also see: https://en.wikipedia.org/wiki/Glob_(programming)

dfwinreg.glob2regex.Glob2Regex(glob_pattern)[source]

Converts a glob pattern to a regular expression.

This function supports basic glob patterns that consist of: * matches everything ? matches any single character [seq] matches any character in sequence [!seq] matches any character not in sequence

Parameters: glob_pattern (str) – glob pattern.
Returns: regular expression pattern.
Return type: str
Raises: ValueError – if the glob pattern cannot be converted.

dfwinreg.interface module

The Windows Registry object interfaces.

class dfwinreg.interface.WinRegistryFile(ascii_codepage='cp1252', key_path_prefix='')[source]

Bases: object

Windows Registry file interface.

abstract Close()[source]: Closes the Windows Registry file.

abstract GetKeyByPath(key_path)[source]

Retrieves the key for a specific path.

Parameters: key_path (str) – Windows Registry key path.
Returns: Windows Registry key or None if not available.
Return type: WinRegistryKey

abstract GetRootKey()[source]

Retrieves the root key.

Returns: Windows Registry root key or None if not available.
Return type: WinRegistryKey

abstract Open(file_object)[source]

Opens the Windows Registry file using a file-like object.

Parameters: file_object (file) – file-like object.
Returns: True if successful or False if not.
Return type: bool

RecurseKeys()[source]

Recurses the Windows Registry keys starting with the root key.

Yields: WinRegistryKey – Windows Registry key.

SetKeyPathPrefix(key_path_prefix)[source]

Sets the Window Registry key path prefix.

Parameters: key_path_prefix (str) – Windows Registry key path prefix.

class dfwinreg.interface.WinRegistryFileReader[source]

Bases: object

Windows Registry file reader interface.

abstract Open(path, ascii_codepage='cp1252')[source]

Opens a Windows Registry file specified by the path.

Parameters

path (str) – path of the Windows Registry file. The path is a Windows path relative to the root of the file system that contains the specific Windows Registry file, for example: C:WindowsSystem32configSYSTEM
ascii_codepage (Optional[str]) – ASCII string codepage.

Returns

Windows Registry file or None.

Return type

WinRegistryFile

class dfwinreg.interface.WinRegistryKey(key_path='')[source]

Bases: object

Windows Registry key interface.

abstract GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters: index (int) – index of the subkey.
Returns: Windows Registry subkey.
Return type: WinRegistryKey
Raises: IndexError – if the index is out of bounds.

abstract GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters: name (str) – name of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

abstract GetSubkeyByPath(key_path)[source]

Retrieves a subkey by a path.

Parameters: key_path (str) – relative key path of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

abstract GetSubkeys()[source]

Retrieves all subkeys within the key.

Yields: WinRegistryKey – Windows Registry subkey.

abstract GetValueByName(name)[source]

Retrieves a value by name.

Parameters: name (str) – name of the value or an empty string for the default value.
Returns: Windows Registry value or None if not found.
Return type: WinRegistryValue

abstract GetValues()[source]

Retrieves all values within the key.

Yields: WinRegistryValue – Windows Registry value.

RecurseKeys()[source]

Recurses the subkeys starting with the key.

Yields: WinRegistryKey – Windows Registry key.

abstract property class_name

class name of the key or None if not available.

Type: str

abstract property last_written_time

last written time or None.

Type: dfdatetime.DateTimeValues

abstract property name

name of the key.

Type: str

abstract property number_of_subkeys

number of subkeys within the key.

Type: int

abstract property number_of_values

number of values within the key.

Type: int

abstract property offset

offset of the key within the Windows Registry file or None.

Type: int

property path

Windows Registry key path.

Type: str

class dfwinreg.interface.WinRegistryValue[source]

Bases: object

Windows Registry value interface.

DataIsBinaryData()[source]

Determines, based on the data type, if the data is binary data.

The data types considered binary data are: REG_BINARY.

Returns: True if the data is a binary data, False otherwise.
Return type: bool

DataIsInteger()[source]

Determines, based on the data type, if the data is an integer.

The data types considered strings are: REG_DWORD (REG_DWORD_LITTLE_ENDIAN), REG_DWORD_BIG_ENDIAN and REG_QWORD.

Returns: True if the data is an integer, False otherwise.
Return type: bool

DataIsMultiString()[source]

Determines, based on the data type, if the data is a multi string.

The data types considered multi strings are: REG_MULTI_SZ.

Returns: True if the data is multi string, False otherwise.
Return type: bool

DataIsString()[source]

Determines, based on the data type, if the data is a string.

The data types considered strings are: REG_SZ and REG_EXPAND_SZ.

Returns: True if the data is a string, False otherwise.
Return type: bool

abstract GetDataAsObject()[source]

Retrieves the data as an object.

Returns: data as a Python type.
Return type: object

abstract property data

value data.

Type: bytes

abstract property data_type

data type.

Type: int

property data_type_string

string representation of the data type.

Type: str

abstract property name

name of the value.

Type: str

abstract property offset

offset of the value within the Windows Registry file.

Type: int

dfwinreg.key_paths module

Key path functions.

dfwinreg.key_paths.JoinKeyPath(path_segments)[source]

Joins the path segments into key path.

Parameters: path_segments (list[str]) – Windows Registry key path segments.
Returns: key path.
Return type: str

dfwinreg.key_paths.SplitKeyPath(key_path, path_separator='\\')[source]

Splits the key path into path segments.

Parameters

key_path (str) – key path.
path_separator (Optional[str]) – path separator.

Returns

key path segments without the root path segment, which is an: empty string.

Return type

list[str]

dfwinreg.regf module

Windows NT Registry (REGF) objects implementation using pyregf.

class dfwinreg.regf.REGFWinRegistryFile(ascii_codepage='cp1252', emulate_virtual_keys=True, key_path_prefix='')[source]

Bases: WinRegistryFile

Implementation of a Windows Registry file using pyregf.

Close()[source]: Closes the Windows Registry file.

GetKeyByPath(key_path)[source]

Retrieves the key for a specific path.

Parameters: key_path (str) – Windows Registry key path.
Returns: Registry key or None if not available.
Return type: WinRegistryKey

GetRootKey()[source]

Retrieves the root key.

Returns: Windows Registry root key or None if not available.
Return type: WinRegistryKey

Open(file_object)[source]

Opens the Windows Registry file using a file-like object.

Parameters: file_object (file) – file-like object.
Returns: True if successful or False if not.
Return type: bool

class dfwinreg.regf.REGFWinRegistryKey(pyregf_key, key_path='')[source]

Bases: WinRegistryKey

Implementation of a Windows Registry key using pyregf.

GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters: index (int) – index of the subkey.
Returns: Windows Registry subkey.
Return type: WinRegistryKey
Raises: IndexError – if the index is out of bounds.

GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters: name (str) – name of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

GetSubkeyByPath(key_path)[source]

Retrieves a subkey by path.

Parameters: key_path (str) – path of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

GetSubkeys()[source]

Retrieves all subkeys within the key.

Yields: WinRegistryKey – Windows Registry subkey.

GetValueByName(name)[source]

Retrieves a value by name.

Parameters: name (str) – name of the value.
Returns: Windows Registry value or None if not found.
Return type: WinRegistryValue

GetValues()[source]

Retrieves all values within the key.

Yields: WinRegistryValue – Windows Registry value.

property class_name

class name of the key or None if not available.

Type: str

property last_written_time

last written time.

Type: dfdatetime.DateTimeValues

property name

name of the key.

Type: str

property number_of_subkeys

number of subkeys within the key.

Type: int

property number_of_values

number of values within the key.

Type: int

property offset

offset of the key within the Windows Registry file or None.

Type: int

class dfwinreg.regf.REGFWinRegistryValue(pyregf_value)[source]

Bases: WinRegistryValue

Implementation of a Windows Registry value using pyregf.

GetDataAsObject()[source]

Retrieves the data as an object.

Returns: data as a Python type.
Return type: object
Raises: WinRegistryValueError – if the value data cannot be read.

property data

value data as a byte string.

Raises: WinRegistryValueError – if the value data cannot be read.
Type: bytes

property data_type

data type.

Type: int

property name

name of the value.

Type: str

property offset

offset of the value within the Windows Registry file.

Type: int

class dfwinreg.regf.VirtualREGFWinRegistryKey(name, pyregf_key, current_control_set_key=None, key_path='')[source]

Bases: REGFWinRegistryKey

Implementation of a virtual Windows Registry key using pyregf.

The virtual Windows Registry key are keys that do not exist on-disk but do exist at run-time, for example HKEY_LOCAL_MACHINESystemCurrentControlSet.

GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters: index (int) – index of the subkey.
Returns: Windows Registry subkey.
Return type: WinRegistryKey
Raises: IndexError – if the index is out of bounds.

GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters: name (str) – name of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

GetSubkeyByPath(key_path)[source]

Retrieves a subkey by path.

Parameters: key_path (str) – path of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

GetSubkeys()[source]

Retrieves all subkeys within the key.

Yields: WinRegistryKey – Windows Registry subkey.

property name

name of the key.

Type: str

property number_of_subkeys

number of subkeys within the key.

Type: int

dfwinreg.registry module

Classes for Windows Registry access.

class dfwinreg.registry.WinRegistry(ascii_codepage='cp1252', registry_file_reader=None)[source]

Bases: object

Windows Registry.

GetKeyByPath(key_path)[source]

Retrieves the key for a specific path.

Parameters: key_path (str) – Windows Registry key path.
Returns: Windows Registry key or None if not available.
Return type: WinRegistryKey
Raises: RuntimeError – if the root key is not supported or the key path prefix does not match the key path.

GetRegistryFileMapping(registry_file)[source]

Determines the Registry file mapping based on the content of the file.

Parameters: registry_file (WinRegistyFile) – Windows Registry file.
Returns: key path prefix or an empty string.
Return type: str
Raises: RuntimeError – if there are multiple matching mappings and the correct mapping cannot be resolved.

GetRootKey()[source]

Retrieves the Windows Registry root key.

Returns: Windows Registry root key.
Return type: VirtualWinRegistryKey

MapFile(key_path_prefix, registry_file)[source]

Maps the Windows Registry file to a specific key path prefix.

Parameters

key_path_prefix (str) – key path prefix.
registry_file (WinRegistryFile) – Windows Registry file.

MapUserFile(profile_path, registry_file)[source]

Maps the user Windows Registry file to a specific profile path.

Parameters

profile_path (str) – profile path.
registry_file (WinRegistryFile) – user Windows Registry file.

OpenAndMapFile(path)[source]

Opens Windows Registry file and maps it to its key path prefix.

Parameters: path (str) – path of the Windows Registry file.

SplitKeyPath(key_path)[source]

Splits the key path into path segments.

Parameters

key_path (str) – key path.

Returns

key path segments without the root path segment, which is an: empty string.

Return type

list[str]

__del__()[source]: Cleans up the Windows Registry object.

class dfwinreg.registry.WinRegistryFileMapping(key_path_prefix, windows_path, unique_key_paths)[source]

Bases: object

Windows Registry file mapping.

key_path_prefix

Windows Registry key path prefix.

Type: str

unique_key_paths

key paths unique to the Windows Registry file.

Type: list[str]

windows_path

Windows path to the Windows Registry file, such as: C:WindowsSystem32configSYSTEM

Type: str

dfwinreg.registry_searcher module

A searcher to find keys and values within a Windows Registry.

class dfwinreg.registry_searcher.FindSpec(key_path=None, key_path_glob=None, key_path_regex=None)[source]

Bases: object

Find specification.

AtLastKeyPathSegment(segment_index)[source]

Determines if the a key path segment is the last one or greater.

Parameters: segment_index (int) – index of the key path segment.
Returns: True if at maximum depth, False if not.
Return type: bool

AtMaximumDepth(**kwargs)

Determines if the find specification is at maximum depth.

This method is deprecated use AtLastKeyPathSegment instead.

Parameters: search_depth (int) – number of key path segments to compare.
Returns: True if at maximum depth, False if not.
Return type: bool

CompareKeyPath(registry_key)[source]

Compares a Windows Registry key path against the find specification.

Parameters

registry_key (WinRegistryKey) – Windows Registry key.

Returns

True if the key path of the Windows Registry key matches that of: the find specification, False if not or if the find specification has no key path defined.

Return type

bool

CompareNameWithKeyPathSegment(registry_key, segment_index)[source]

Compares a Windows Registry key name against a key path segment.

Parameters

registry_key (WinRegistryKey) – Windows Registry key.
segment_index (int) – index of the key path segment to compare against, where 0 represents the root segment.

Returns

True if the key path segment of the Windows Registry key matches: that of the find specification, False if not or if the find specification has no key path defined.

Return type

bool

HasKeyPath()[source]

Determines if the find specification has a key path defined.

Returns: True if find specification has a key path defined, False if not.
Return type: bool

IsLastKeyPathSegment(segment_index)[source]

Determines if the a key path segment is the last one.

Parameters: segment_index (int) – index of the key path path segment.
Returns: True if at maximum depth, False if not.
Return type: bool

Matches(**kwargs)

Determines if the Windows Registry key matches the find specification.

This method is deprecated use CompareKeyPath or CompareNameWithKeyPathSegment instead.

Parameters

registry_key (WinRegistryKey) – Windows Registry key.
search_depth (int) – number of key path segments to compare.

Returns

containing:

bool: True if the Windows Registry key matches the find specification,
False otherwise.

bool: True if the key path matches, False if not or None if no key path
specified.

Return type

tuple

class dfwinreg.registry_searcher.WinRegistrySearcher(win_registry)[source]

Bases: object

Searcher for key and values within a Windows Registry.

Find(find_specs=None)[source]

Searches for matching keys within the Windows Registry.

Parameters: find_specs (list[FindSpec]) – find specifications. where None will return all allocated Windows Registry keys.
Yields: str – key path of a matching Windows Registry key.

GetKeyByPath(key_path)[source]

Retrieves a Windows Registry key for a path specification.

Parameters: key_path (str) – key path.
Returns: Windows Registry key or None.
Return type: WinRegistryKey

SplitKeyPath(key_path)[source]

Splits the key path into path segments.

Parameters

key_path (str) – key path.

Returns

key path segments without the root path segment, which is an: empty string.

Return type

list[str]

dfwinreg.virtual module

Virtual Windows Registry key implementation.

class dfwinreg.virtual.VirtualWinRegistryKey(name, key_path='', registry=None)[source]

Bases: WinRegistryKey

Virtual Windows Registry key.

Virtual Windows Registry key are keys that do not exist on-disk but do exist at run-time, such an example HKEY_LOCAL_MACHINESystem. The virtual key is used to “mount” the SYSTEM Windows Registry file onto the key HKEY_LOCAL_MACHINESystem.

AddSubkey(name, registry_key)[source]

Adds a subkey.

Parameters

name (str) – name of the Windows Registry subkey.
registry_key (WinRegistryKey) – Windows Registry subkey.

Raises

KeyError – if the subkey already exists.

GetSubkeyByIndex(index)[source]

Retrieves a subkey by index.

Parameters: index (int) – index of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey
Raises: IndexError – if the index is out of bounds.

GetSubkeyByName(name)[source]

Retrieves a subkey by name.

Parameters: name (str) – name of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

GetSubkeyByPath(key_path)[source]

Retrieves a subkey by path.

Parameters: key_path (str) – path of the subkey.
Returns: Windows Registry subkey or None if not found.
Return type: WinRegistryKey

GetSubkeys()[source]

Retrieves all subkeys within the key.

Returns: Windows Registry subkey generator.
Return type: generator[WinRegistryKey]

GetValueByName(name)[source]

Retrieves a value by name.

Parameters: name (str) – name of the value or an empty string for the default value.
Returns: Windows Registry value or None if not found.
Return type: WinRegistryValue

GetValues()[source]

Retrieves all values within the key.

Returns: Windows Registry value generator.
Return type: generator[WinRegistryValue]

property class_name

class name of the key or None if not available.

Type: str

property last_written_time

last written time or None.

Type: dfdatetime.DateTimeValues

property name

name of the key.

Type: str

property number_of_subkeys

number of subkeys within the key.

Type: int

property number_of_values

number of values within the key.

Type: int

property offset

offset of the key within the Windows Registry file or None.

Type: int

Module contents

Digital Forensics Windows Registry (dfWinReg).

dfWinReg, or Digital Forensics Windows Registry, is a Python module that provides read-only access to Windows Registry objects.