Fix the behaviour of the ROOT NamedKey of a hive (#17)

The ROOT NamedKey of a hive should not have a named part in the path. This will interfere when constructing a full path for a key when the hive is mapped on some subkey of another hive. NamedKey.path() for the ROOT key failed as it did not take into consideration that it did not have any parents.
fox-it · Jul 20, 2023 · 6758cb2 · 6758cb2
1 parent 2d8670a
commit 6758cb2
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 7 deletions.
diff --git a/dissect/regf/regf.py b/dissect/regf/regf.py
@@ -169,6 +169,7 @@ def __init__(self, hive, data):
             )
 
         name_blob = data[len(c_regf.NAMED_KEY) :][: self.nk.key_name_size]
+
         self.name = decode_name(name_blob, self.nk.key_name_size, self.nk.flags.CompName)
 
     @property
@@ -241,13 +242,31 @@ def value(self, name):
 
     @property
     def path(self):
-        parts = [self.name]
-        data = self.hive.cell(self.nk.parent_key_offset)
-        parts.append(data.name)
+        parts = []
+
+        current = self
+        # As long as we are not the ROOT key, we add our name to the stack.
+        #
+        # The path is relative to the hive of this key. Adding a name for the
+        # ROOT key will lead to issues when this hive is mapped on a subkey of
+        # another hive. The full path to this key is constructed using both the
+        # path of the subkey in the other hieve and this key's path.
+        #
+        # If ROOT would be part of that path, that part (and thus the whole
+        # path) would not be accesible, nor is the presence of the ROOT part in
+        # the path expected by the user (it is never visible in e.g. regedit).
+        if current.nk.flags.HiveEntry != 1:
+            parent = self.hive.cell(current.nk.parent_key_offset)
+        else:
+            parent = None
 
-        while data.nk.flags.HiveEntry != 1:
-            data = self.hive.cell(data.nk.parent_key_offset)
-            parts.append(data.name)
+        while parent is not None:
+            parts.append(current.name)
+            current = parent
+            if current.nk.flags.HiveEntry != 1:
+                parent = self.hive.cell(current.nk.parent_key_offset)
+            else:
+                parent = None
 
         return "\\".join(list(reversed(parts)))
 

diff --git a/tests/test_regf.py b/tests/test_regf.py
@@ -5,10 +5,17 @@ def test_regf(system_hive):
     hive = regf.RegistryHive(system_hive)
 
     root = hive.root()
+
     assert len(list(root.subkeys())) == 17
+    assert root.name == "ROOT"
+    assert root.path == ""
     assert hive.open("Software") is root.subkey("Software") is root.subkey("software")
 
-    lsa = hive.open("ControlSet001\\Control\\LSA")
+    key_path = "ControlSet001\\Control\\Lsa"
+    lsa = hive.open(key_path)
+
+    assert lsa.name == "Lsa"
+    assert lsa.path == key_path
     assert lsa.subkey("JD").class_name == "cdebfed5"
     assert lsa.subkey("Skew1").class_name == "7db4e11c"
     assert lsa.subkey("GBG").class_name == "b185f3f2"