import logbook
from regipy.hive_types import SYSTEM_HIVE_TYPE
from regipy.plugins.plugin import Plugin
from regipy.utils import get_subkey_values_from_list
logger = logbook.Logger(__name__)
# Relative path (no leading backslash): it is expanded to one path per
# ControlSetNNN key by registry_hive.get_control_sets() in RoutesPlugin.run().
# The PersistentRoutes key holds the static routes that survive a reboot.
ROUTES_PATH = r'Services\Tcpip\Parameters\PersistentRoutes'
class RoutesPlugin(Plugin):
    """Collect the persistent TCP/IP routes stored in a SYSTEM hive.

    ``run`` resolves ``ROUTES_PATH`` once per control set and hands the
    resulting list of key paths to ``get_subkey_values_from_list``, whose
    return value becomes ``self.entries`` (the previous contents are
    replaced, not appended to). ``self.registry_hive`` and ``self.as_json``
    are expected to be provided by the ``Plugin`` base class.
    """

    NAME = 'routes'
    DESCRIPTION = 'Get list of routes'
    COMPATIBLE_HIVE = SYSTEM_HIVE_TYPE

    def run(self):
        """Populate ``self.entries`` with the values under every PersistentRoutes key."""
        logger.info('Started Routes Plugin...')
        hive = self.registry_hive
        # One path per ControlSetNNN; missing keys are left to the helper to handle.
        self.entries = get_subkey_values_from_list(
            hive,
            hive.get_control_sets(ROUTES_PATH),
            as_json=self.as_json,
        )
import logbook
from regipy.hive_types import SYSTEM_HIVE_TYPE
from regipy.plugins.plugin import Plugin
from regipy.plugins.system.external.ShimCacheParser import get_shimcache_entries
logger = logbook.Logger(__name__)
# NOTE(review): the name is a copy-paste leftover — this is the Session Manager
# key (parent of the AppCompatCache subkey read in ShimCachePlugin.run), not a
# computer-name key. Relative path: expanded per control set by
# registry_hive.get_control_sets().
COMPUTER_NAME_PATH = r'Control\Session Manager'
class ShimCachePlugin(Plugin):
    """Parse the Shimcache (AppCompatCache) blob from every control set of a SYSTEM hive.

    For each ``Control\\Session Manager`` key returned by ``get_control_sets``
    the plugin reads the ``AppCompatCache`` value of the ``AppCompatCache``
    subkey and feeds it to ``get_shimcache_entries``; every yielded entry is
    appended to ``self.entries``. An empty or absent value is skipped.
    A missing ``AppCompatCache`` subkey is not caught here, so whatever
    ``get_key`` raises propagates to the caller.
    """

    NAME = 'shimcache'
    DESCRIPTION = 'Parse Shimcache artifact'
    COMPATIBLE_HIVE = SYSTEM_HIVE_TYPE

    def run(self):
        """Append the parsed Shimcache entries of each control set to ``self.entries``."""
        logger.info('Started Shim Cache Plugin...')
        session_manager_paths = self.registry_hive.get_control_sets(COMPUTER_NAME_PATH)
        for session_manager_path in session_manager_paths:
            session_manager = self.registry_hive.get_key(session_manager_path)
            raw_cache = session_manager.get_key('AppCompatCache').get_value('AppCompatCache')
            if not raw_cache:
                # Nothing to parse for this control set (value empty or absent).
                continue
            self.entries.extend(get_shimcache_entries(raw_cache, as_json=self.as_json))
import logbook
import attr
from regipy.exceptions import RegistryValueNotFoundException
from regipy.hive_types import SYSTEM_HIVE_TYPE
from regipy.plugins.plugin import Plugin
from regipy.utils import convert_wintime
logger = logbook.Logger(__name__)
# Relative path: expanded to one key per ControlSetNNN by get_control_sets()
# in ComputerNamePlugin.run(), which then reads the 'ComputerName' value.
COMPUTER_NAME_PATH = r'Control\ComputerName\ComputerName'
class ComputerNamePlugin(Plugin):
NAME = 'computer_name'
DESCRIPTION = 'Get the computer name'
COMPATIBLE_HIVE = SYSTEM_HIVE_TYPE
def run(self):
logger.info('Started Computer Name Plugin...')
for subkey_path in self.registry_hive.get_control_sets(COMPUTER_NAME_PATH):
subkey = self.registry_hive.get_key(subkey_path)
try:
self.entries.append({
'name': subkey.get_value('ComputerName', as_json=self.as_json),
'timestamp': convert_wintime(subkey.header.last_modified, as_json=self.as_json)
})
except RegistryValueNotFoundException as ex:
import logbook
from inflection import underscore
from regipy import RegistryKeyNotFoundException
from regipy.hive_types import NTUSER_HIVE_TYPE
from regipy.plugins.plugin import Plugin
from regipy.utils import convert_wintime
logger = logbook.Logger(__name__)
# Absolute path inside an NTUSER hive (leading backslash): per-user Uninstall
# entries. Presumably passed to _get_installed_software(); the caller is
# outside this excerpt — verify.
INSTALLED_SOFTWARE_PATH = r'\Software\Microsoft\Windows\CurrentVersion\Uninstall'
class InstalledSoftwareNTUserPlugin(Plugin):
NAME = 'installed_software_ntuser'
DESCRIPTION = 'Retrieve list of installed programs and their install date'
COMPATIBLE_HIVE = NTUSER_HIVE_TYPE
def _get_installed_software(self, subkey_path):
try:
uninstall_sk = self.registry_hive.get_key(subkey_path)
except RegistryKeyNotFoundException as ex:
logger.error(ex)
return
for installed_program in uninstall_sk.iter_subkeys():
values = {underscore(x.name): x.value for x in
installed_program.iter_values(as_json=self.as_json)} if installed_program.values_count else {}
self.entries.append({
'service_name': installed_program.name,
import logbook
from inflection import underscore
from regipy import RegistryKeyNotFoundException
from regipy.hive_types import SOFTWARE_HIVE_TYPE
from regipy.plugins.plugin import Plugin
from regipy.utils import convert_wintime
logger = logbook.Logger(__name__)
# Absolute paths inside a SOFTWARE hive (leading backslash). The Wow6432Node
# variant holds the 32-bit program entries on a 64-bit Windows install, so
# both must be walked to get a complete inventory.
X64_INSTALLED_SOFTWARE_PATH = r'\Microsoft\Windows\CurrentVersion\Uninstall'
X86_INSTALLED_SOFTWARE_PATH = r'\Wow6432Node' + X64_INSTALLED_SOFTWARE_PATH
class InstalledSoftwarePlugin(Plugin):
NAME = 'installed_software'
DESCRIPTION = 'Retrieve list of installed programs and their install date'
COMPATIBLE_HIVE = SOFTWARE_HIVE_TYPE
def _get_installed_software(self, subkey_path):
try:
uninstall_sk = self.registry_hive.get_key(subkey_path)
except RegistryKeyNotFoundException as ex:
logger.error(ex)
return
for installed_program in uninstall_sk.iter_subkeys():
values = {underscore(x.name): x.value for x in
installed_program.iter_values(as_json=self.as_json)} if installed_program.values_count else {}
self.entries.append({
'service_name': installed_program.name,
import logbook
from regipy import RegistryKeyNotFoundException, convert_wintime, NoRegistrySubkeysException
from regipy.hive_types import NTUSER_HIVE_TYPE
from regipy.plugins.plugin import Plugin
logger = logbook.Logger(__name__)
# Absolute path inside an NTUSER hive: one subkey per RDP server the user
# connected to. TSClientPlugin.run() uses each subkey's last-modified time as
# the 'last_connection' timestamp.
TSCLIENT_HISTORY_PATH = r'\Software\Microsoft\Terminal Server Client\Servers'
class TSClientPlugin(Plugin):
NAME = 'terminal_services_history'
DESCRIPTION = 'Retrieve history of RDP connections'
COMPATIBLE_HIVE = NTUSER_HIVE_TYPE
def run(self):
try:
tsclient_subkey = self.registry_hive.get_key(TSCLIENT_HISTORY_PATH)
except (RegistryKeyNotFoundException, NoRegistrySubkeysException) as ex:
logger.error(ex)
return
for server in tsclient_subkey.iter_subkeys():
self.entries.append({
'server': server.name,
'last_connection': convert_wintime(server.header.last_modified, as_json=self.as_json),
'username_hint': server.get_value('UsernameHint')
# Auto-start locations inside a SOFTWARE hive (Run/RunOnce/RunOnceEx and their
# Wow6432Node and Explorer policy equivalents). All paths are absolute within
# the hive; SoftwarePersistencePlugin.run() hands the whole list to
# get_subkey_values_from_list().
# NOTE(review): the last entry is prefixed with '\Software\' while every other
# entry starts at '\Microsoft\'. In a SOFTWARE hive the root already is the
# Software key, so that Winlogon\Notify path likely never resolves and its
# values would be silently missed — verify against a sample hive.
PERSISTENCE_ENTRIES = [
r'\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
r'\Microsoft\Windows\CurrentVersion\Run',
r'\Microsoft\Windows\CurrentVersion\RunOnce',
r'\Microsoft\Windows\CurrentVersion\RunOnce\Setup',
r'\Microsoft\Windows\CurrentVersion\RunOnceEx',
r'\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
r'\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
r'\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Setup',
r'\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx',
r'\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
r'\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
]
class SoftwarePersistencePlugin(Plugin):
    """Dump the values of the known auto-start keys listed in ``PERSISTENCE_ENTRIES``.

    ``run`` delegates entirely to ``get_subkey_values_from_list`` and stores
    its result as ``self.entries`` (replacing, not appending). Keys absent
    from the hive are handled — or not — by that helper; nothing is caught
    here. ``NAME`` is the generic 'software_plugin'; it is kept verbatim
    because it is presumably how the plugin is selected.
    """

    NAME = 'software_plugin'
    DESCRIPTION = 'Retrieve values from known persistence subkeys in Software hive'
    COMPATIBLE_HIVE = SOFTWARE_HIVE_TYPE

    def run(self):
        """Set ``self.entries`` to the values found under every persistence key."""
        hive = self.registry_hive
        self.entries = get_subkey_values_from_list(hive, PERSISTENCE_ENTRIES, as_json=self.as_json)
import attr
import logbook
from regipy.hive_types import SYSTEM_HIVE_TYPE
from regipy.plugins.plugin import Plugin
logger = logbook.Logger(__name__)
# Relative path: expanded to one key per ControlSetNNN by get_control_sets()
# in TimezoneDataPlugin.run(); every value of that key is reported.
TZ_DATA_PATH = r'Control\TimeZoneInformation'
class TimezoneDataPlugin(Plugin):
    """Report the TimeZoneInformation values of every control set in a SYSTEM hive.

    Unlike most plugins, ``run`` replaces ``self.entries`` with a dict keyed
    by the resolved control-set key path; each value is the list of registry
    values under that key. When ``self.as_json`` is set the value objects are
    converted with ``attr.asdict`` so the result is plain dicts.
    """

    NAME = 'timezone_data'
    DESCRIPTION = 'Get timezone data'
    COMPATIBLE_HIVE = SYSTEM_HIVE_TYPE

    def run(self):
        """Fill ``self.entries`` with ``{control_set_key_path: [values...]}``."""
        self.entries = {}
        for tz_key_path in self.registry_hive.get_control_sets(TZ_DATA_PATH):
            tz_key = self.registry_hive.get_key(tz_key_path)
            values = list(tz_key.iter_values(as_json=self.as_json))
            if self.as_json:
                # attr-based value objects -> plain dicts for JSON output.
                values = [attr.asdict(value) for value in values]
            self.entries[tz_key_path] = values
import logbook
import attr
from regipy.hive_types import SYSTEM_HIVE_TYPE
from regipy.plugins.plugin import Plugin
logger = logbook.Logger(__name__)
# Absolute path: the hive-root Select key whose values (Current/Default/
# Failed/LastKnownGood) identify the control sets; read by
# ActiveControlSetPlugin.run().
SELECT = r'\Select'
class ActiveControlSetPlugin(Plugin):
    """Expose the values of the SYSTEM hive's ``\\Select`` key.

    ``run`` replaces ``self.entries`` with the list of values under
    ``SELECT``; with ``self.as_json`` set each value object is converted to
    a dict via ``attr.asdict``. A missing ``Select`` key is not caught here.
    """

    NAME = 'active_control_set'
    DESCRIPTION = 'Get information on SYSTEM hive control sets'
    COMPATIBLE_HIVE = SYSTEM_HIVE_TYPE

    def run(self):
        """Set ``self.entries`` to the values of the Select key."""
        select_key = self.registry_hive.get_key(SELECT)
        values = list(select_key.iter_values(as_json=self.as_json))
        # Plain dicts for JSON output, attr objects otherwise.
        self.entries = [attr.asdict(value) for value in values] if self.as_json else values
import pytz
import datetime
import logbook
from regipy.exceptions import RegistryKeyNotFoundException, NoRegistryValuesException
from regipy.hive_types import SOFTWARE_HIVE_TYPE
from regipy.plugins.plugin import Plugin
from regipy.utils import get_subkey_values_from_list
from regipy.utils import convert_wintime, convert_filetime
logger = logbook.Logger(__name__)
# Absolute path inside a SOFTWARE hive: one subkey per local user profile
# (SID-named), each carrying 'ProfileImagePath' and 'Flags'; iterated by
# ProfileListPlugin.run().
PROFILE_LIST_KEY_PATH = r"\Microsoft\Windows NT\CurrentVersion\ProfileList"
class ProfileListPlugin(Plugin):
NAME = 'profilelist_plugin'
DESCRIPTION = 'Parses information about user profiles found in the ProfileList key'
COMPATIBLE_HIVE = SOFTWARE_HIVE_TYPE
def run(self):
logger.info('Started profile list plugin...')
try:
subkey = self.registry_hive.get_key(PROFILE_LIST_KEY_PATH)
except RegistryKeyNotFoundException as ex:
logger.error(ex)
for profile in subkey.iter_subkeys():
self.entries.append({
'last_write': convert_wintime(profile.header.last_modified, as_json=self.as_json),
'path': profile.get_value('ProfileImagePath'),
'flags': profile.get_value('Flags'),