How to use the regipy.registry.RegistryHive function in regipy

To help you get started, we’ve selected a few regipy examples, based on popular ways it is used in public projects.


def test_installed_programs_plugin_software(software_hive):
    registry_hive = RegistryHive(software_hive)
    plugin_instance = InstalledSoftwarePlugin(registry_hive, as_json=True)
    plugin_instance.run()

    assert len(plugin_instance.entries) == 67

    assert plugin_instance.entries[0] == {
        'registry_path': '\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
        'service_name': 'AddressBook',
        'timestamp': '2009-07-14T04:41:12.758808+00:00'
    }

    assert plugin_instance.entries[-1].items() > {
        'service_name': '{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}',
        'timestamp': '2011-07-05T22:58:57.996094+00:00',
        'registry_path': '\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
        'uninstall_string': 'MsiExec.exe /X{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}',
def test_recurse_ntuser(ntuser_hive):
    registry_hive = RegistryHive(ntuser_hive)

    value_types = {
        'REG_BINARY': 0,
        'REG_DWORD': 0,
        'REG_EXPAND_SZ': 0,
        'REG_MULTI_SZ': 0,
        'REG_NONE': 0,
        'REG_QWORD': 0,
        'REG_SZ': 0
    }

    subkey_count = 0
    values_count = 0
    for subkey in registry_hive.recurse_subkeys(as_json=True):
        subkey_values = subkey.values
        subkey_count += 1
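def test_hive_serialization(ntuser_hive, temp_output_file):
    """Dump the NTUSER fixture hive to newline-delimited JSON and check every line parses.

    Args:
        ntuser_hive: path to the NTUSER.DAT test fixture (pytest fixture).
        temp_output_file: path the JSON dump is written to (pytest fixture).
    """
    registry_hive = RegistryHive(ntuser_hive)
    dump_hive_to_json(registry_hive, temp_output_file, registry_hive.root, verbose=False)

    line_count = 0
    # Open with an explicit encoding so the test does not depend on the
    # locale default, and iterate the file object instead of materialising
    # the whole dump with readlines().
    # NOTE(review): assumes dump_hive_to_json writes UTF-8 (JSON default) — confirm.
    with open(temp_output_file, 'r', encoding='utf-8') as dumped_hive:
        for line in dumped_hive:
            # Each line must be a standalone, non-empty JSON document; a blank or
            # truncated line raises JSONDecodeError here rather than passing silently.
            assert json.loads(line)
            line_count += 1

    # The expected line count is tied to the fixture hive; it changes if the fixture does.
    assert line_count == 2318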
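def test_parse_header(ntuser_hive):
    """Parse the NTUSER fixture hive and pin every REGF header field to its known value.

    The duplicated ``minor_version`` assertion from the original test is dropped;
    each header field is checked exactly once.

    Args:
        ntuser_hive: path to the NTUSER.DAT test fixture (pytest fixture).
    """
    registry_hive = RegistryHive(ntuser_hive)
    assert isinstance(registry_hive, RegistryHive)

    header = registry_hive.header
    # Primary and secondary sequence numbers agree for this fixture; in the REGF
    # format a mismatch typically means the hive was not cleanly written and
    # transaction-log data may still need to be applied.
    assert header.primary_sequence_num == 744
    assert header.secondary_sequence_num == 744
    # Stored as a Windows FILETIME (100 ns ticks since 1601-01-01).
    assert header.last_modification_time == 129782982453388850
    assert header.major_version == 1
    assert header.minor_version == 3
    assert header.root_key_offset == 32
    assert header.hive_bins_data_size == 733184
    # The embedded path keeps the leading '?\' prefix as stored in the fixture.
    assert header.file_name == '?\\C:\\Users\\vibranium\\ntuser.dat'
    assert header.checksum == 448714443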
def test_persistence_plugin_software(software_hive):
    registry_hive = RegistryHive(software_hive)
    plugin_instance = SoftwarePersistencePlugin(registry_hive, as_json=True)
    plugin_instance.run()

    assert plugin_instance.entries == {
        '\\Microsoft\\Windows\\CurrentVersion\\Run':
            {'timestamp': '2012-04-04T01:54:23.669836+00:00',
             'values': [
                 {
                     'name': 'VMware Tools',
                     'value_type': 'REG_SZ',
                     'value': '"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"',
                     'is_corrupted': False
                 },
                 {
                     'name': 'VMware User Process',
                     'value_type': 'REG_SZ',
def test_persistence_plugin_ntuser(ntuser_hive):
    registry_hive = RegistryHive(ntuser_hive)
    plugin_instance = NTUserPersistencePlugin(registry_hive, as_json=True)
    plugin_instance.run()

    assert plugin_instance.entries == {
        '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run': {
            'timestamp': '2012-04-03T21:19:54.837716+00:00',
            'values': [
                {'name': 'Sidebar',
                 'value_type': 'REG_EXPAND_SZ',
                 'value': '%ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun', 'is_corrupted': False
                 }
def test_typed_urls_plugin_ntuser(ntuser_hive):
    registry_hive = RegistryHive(ntuser_hive)
    plugin_instance = TypedUrlsPlugin(registry_hive, as_json=True)
    plugin_instance.run()

    assert plugin_instance.entries == {
        'last_write': '2012-04-03T22:37:55.411500+00:00',
        'entries': [
            {'url1': 'http://199.73.28.114:53/'},
            {'url2': 'http://go.microsoft.com/fwlink/?LinkId=69157'}
        ]
def test_shimcache_plugin(system_hive):
    """Run ShimCachePlugin over the SYSTEM fixture and check the entry count and first entry.

    Args:
        system_hive: path to the SYSTEM hive test fixture (pytest fixture).
    """
    hive = RegistryHive(system_hive)
    plugin = ShimCachePlugin(hive, as_json=True)
    plugin.run()

    # Expected first entry, as emitted in JSON mode (exec_flag is the string 'True').
    expected_first = {
        'last_mod_date': '2011-01-12T12:08:00+00:00',
        'path': '\\??\\C:\\Program Files\\McAfee\\VirusScan Enterprise\\mfeann.exe',
        'exec_flag': 'True',
    }

    entries = plugin.entries
    assert len(entries) == 660
    assert entries[0] == expected_first
def test_printdemon_plugin(software_hive):
    registry_hive = RegistryHive(software_hive)
    plugin_instance = PrintDemonPlugin(registry_hive, as_json=True)
    plugin_instance.run()
    
    assert plugin_instance.entries == [
        {'parameters': ['9600', 'n', '8', '1'],
         'port_name': 'COM1:',
         'timestamp': '2010-11-10T10:35:02.448040+00:00'},
        {'parameters': ['9600', 'n', '8', '1'],
         'port_name': 'COM2:',
         'timestamp': '2010-11-10T10:35:02.448040+00:00'},
        {'parameters': ['9600', 'n', '8', '1'],
         'port_name': 'COM3:',
         'timestamp': '2010-11-10T10:35:02.448040+00:00'},
        {'parameters': ['9600', 'n', '8', '1'],
         'port_name': 'COM4:',
         'timestamp': '2010-11-10T10:35:02.448040+00:00'},
log_size = os.path.getsize(primary_log_path)
    logger.info(f'Log Size: {log_size}')

    restored_hive_buffer, recovered_dirty_pages_count = _parse_transaction_log(registry_hive, hive_path,
                                                                               primary_log_path)

    recovered_dirty_pages_total_count += recovered_dirty_pages_count

    # Write to disk the modified registry hive
    with open(restored_hive_path, 'wb') as f:
        restored_hive_buffer.seek(0)
        f.write(restored_hive_buffer.read())

    if secondary_log_path:
        registry_hive = RegistryHive(restored_hive_path)
        restored_hive_buffer, recovered_dirty_pages_count = _parse_transaction_log(registry_hive, restored_hive_path,
                                                                                   secondary_log_path)
        # Write to disk the modified registry hive
        with open(restored_hive_path, 'wb') as f:
            restored_hive_buffer.seek(0)
            f.write(restored_hive_buffer.read())

        recovered_dirty_pages_total_count += recovered_dirty_pages_count
    return restored_hive_path, recovered_dirty_pages_total_count