# %%
#######################################
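# Quoted annotation: RegistryKey is imported inside the body, so a bare name here
# is evaluated at def time and raises NameError unless a module-level import exists.
def registryget_regkey_field_allinfo(key_object: "RegistryKey"):
    r"""Return every value ("field") stored under a RegistryKey, keyed by field name.

    For each value under ``key_object`` the result maps the value's name to an
    ``OrderedDict`` with the keys ``'value'``, ``'rawdata'``, ``'valuetypestr'``,
    ``'valuetype'`` and ``'timestamp'`` (the decoded value, its raw bytes, the
    type as a string, the numeric type, and ``str(timestamp())`` -- or ``''``
    when ``timestamp()`` raises ``ValueError``).

    Examples:
        >>> import Registry
        >>> from pprint import pprint
        >>> reghive = Registry.Registry.Registry('SOFTWARE')
        >>> # The key path holds literal backslashes, so a normal (non-raw)
        >>> # string with doubled backslashes is handed to .open().
        >>> regkey = reghive.open('Microsoft\\Windows NT\\CurrentVersion\\Winlogon')
        >>> pprint(registryget_regkey_field_allinfo(regkey))
        {'AutoRestartShell': OrderedDict([('value', 1),
                                          ('rawdata', b'\x01\x00\x00\x00'),
                                          ('valuetypestr', 'RegDWord'),
                                          ('valuetype', 4),
                                          ('timestamp', '')]),
         'Background': OrderedDict([('value', '0 0 0'),
                                    ('rawdata', b'0\x00 \x000\x00 \x000\x00\x00\x00'),
                                    ('valuetypestr', 'RegSZ'),
                                    ('valuetype', 1),
                                    ('timestamp', '')]),
         'CachedLogonsCount': OrderedDict([('value', '10'),
                                           ('rawdata', b'1\x000\x00\x00\x00'),
                                           ('valuetypestr', 'RegSZ'),
                                           ('valuetype', 1),
                                           ('timestamp', '')]), ... }

    Args:
        key_object (Registry.Registry.RegistryKey): An existing, opened RegistryKey.

    Returns:
        dict: ``{field_name: OrderedDict(...)}`` for a RegistryKey (empty dict
        when the key has no values). For any other object a message is printed
        to stdout and ``None`` is returned; no exception is raised for that case.

    Raises:
        Only the ``ValueError`` from ``timestamp()`` is handled; any other error
        the Registry library raises while reading a value propagates to the
        caller, so a value it cannot read surfaces as an exception rather than
        as a partial result.
    """
    from Registry.Registry import RegistryKey
    from collections import OrderedDict

    # Guard clause keeps the original best-effort behaviour: report and return None.
    if not isinstance(key_object, RegistryKey):
        print("\nThe object type given to the 'key_object' parameter is not: <class 'Registry.Registry.RegistryKey'>")
        obj_type = type(key_object)
        print(f"The object type is: {obj_type}\n")
        return None

    results_dict = {}
    for field in key_object.values():
        # Not every value carries a timestamp; the library signals that with
        # ValueError, which is recorded as an empty string instead of failing.
        try:
            field_timestamp = str(field.timestamp())
        except ValueError:
            field_timestamp = ''
        # The field name is the outer key, so it is not repeated inside the record.
        # A later value with the same name overwrites an earlier one (last wins).
        results_dict[field.name()] = OrderedDict([
            ('value', field.value()),
            ('rawdata', field.raw_data()),
            ('valuetypestr', field.value_type_str()),
            ('valuetype', field.value_type()),
            ('timestamp', field_timestamp),
        ])
    return results_dict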