From the hive file NTUSER.DAT, I want to extract the content of Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.
All seems good, except for the binary data: just 64 bytes are returned; however, the complete binary value is 72 bytes.
Example:

This is what should be returned:

![image](https://user-images.githubusercontent.com/29933547/207400426-7e7fb548-a9f1-4faa-80de-9dc0900bbe33.png)

This is what is returned:

```
9200 0000 0000 0000 0000 0000 0000 0000
9976 043d 5c5c a73d 96d2 8c3d 9550 333d
1a1a 1b3c b31a 4a3d 455d c63b b524 c93b
d598 393d caff fc3d 0800 0000 5026 b568
```
The code I am using that writes the retrieved data into a CSV file:
```python
import codecs
import csv

import regipy

hive = regipy.registry.RegistryHive(r"<path_to_hive>\NTUSER.DAT")
key = "NTUSER.DAT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"

# csv.writer quotes fields for us (decoded paths may contain commas).
with open("userassist.csv", "w", encoding="UTF-8", newline="") as uaf:
    writer = csv.writer(uaf)
    writer.writerow(["timestamp", "User", "Index", "Object", "Encoded", "binary", "Type"])
    for entry in hive.recurse_subkeys(hive.get_key(key), as_json=True):
        if entry.values_count <= 1:
            continue
        GUID_Type = ""
        index_i = 0
        # Raw strings: the original "\{...}\Count" literals relied on invalid escape sequences.
        if entry.path == r"\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count":
            GUID_Type = "Objects that have been accessed."
        elif entry.path == r"\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count":
            GUID_Type = "Shortcut links used to start programs."
        for value in entry.values:
            application_encoded = value["name"]
            # UserAssist value names are ROT13-encoded; the original used a local Rot13.func helper.
            application_fullpath = codecs.decode(value["name"], "rot_13")
            binary_value = value["value"]
            # "timestamp" and "User" are placeholder columns, not yet filled in.
            writer.writerow(["timestamp", "User", index_i, application_fullpath,
                             application_encoded, binary_value, GUID_Type])
            index_i += 1
```
The `recurse_subkeys` function trims values by default (I have to add support for the `trim_values` parameter).

Meanwhile, look at the UserAssist parsing example at https://github.com/mkorman90/regipy/blob/master/regipy/plugins/ntuser/user_assist.py#L80

It is possible to fetch the subkey itself, then use `subkey.iter_values(trim_values=False)` to iterate over the values.
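Added example, not part of the issue and not regipy's code: a stdlib-only parser for the bytes that `subkey.iter_values(trim_values=False)` hands back, which shows concretely what the default trimming costs. The 64-byte value posted above stops inside the last-execution FILETIME (bytes 60..67 of the Windows 7+ layout), so the timestamp cannot be decoded from it; the 72-byte form parses fully. Assumptions: the field offsets follow the published Windows 7+ and XP UserAssist formats rather than the regipy plugin's own struct; the 8 bytes appended to rebuild a full value are constructed (a hypothetical FILETIME high dword plus four zero bytes), not the real ones from the screenshot; the ROT13 sample name is constructed too. Handling the 16-byte XP format is a generalization beyond the issue.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ "Count" value: 72 bytes.
#   0: session id (u32)   4: run count (u32)   8: focus count (u32)   12: focus time ms (u32)
#  16: ten float32 values 56: unknown (u32)    60: last execution FILETIME (u64)   68: unknown (u32)
WIN7_COUNT_LEN = 72
# Windows XP "Count" value: 16 bytes (session id, run count, FILETIME); the stored
# counter is reported as-is here (XP starts counting at 5).
XP_COUNT_LEN = 16
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample input: the 64 bytes regipy returned, copied from the issue.
TRIMMED_HEX = (
    "9200 0000 0000 0000 0000 0000 0000 0000 "
    "9976 043d 5c5c a73d 96d2 8c3d 9550 333d "
    "1a1a 1b3c b31a 4a3d 455d c63b b524 c93b "
    "d598 393d caff fc3d 0800 0000 5026 b568"
)
TRIMMED_VALUE = bytes.fromhex(TRIMMED_HEX)
# Hypothetical tail: FILETIME high dword 0x01D90FD2 (December 2022) + 4 zero bytes.
# These are NOT the bytes in the screenshot; they just make the record complete.
FULL_VALUE = TRIMMED_VALUE + bytes.fromhex("d20fd901 00000000")
# Constructed ROT13 name (FOLDERID_System GUID + cmd.exe, as UserAssist would store it).
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"


def decode_userassist_name(name: str) -> str:
    """UserAssist value names are ROT13-obfuscated; the stdlib codec undoes that."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) into an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist_count(raw: bytes) -> dict:
    """Parse a Count value; a trimmed (e.g. 64-byte) value is rejected, not guessed at."""
    if len(raw) == WIN7_COUNT_LEN:
        session_id, run_count, focus_count, focus_time_ms = struct.unpack_from("<4I", raw, 0)
        focus_floats = struct.unpack_from("<10f", raw, 16)
        (unknown,) = struct.unpack_from("<I", raw, 56)
        (last_exec_ft,) = struct.unpack_from("<Q", raw, 60)
        return {
            "format": "win7",
            "session_id": session_id,
            "run_count": run_count,
            "focus_count": focus_count,
            "focus_time_ms": focus_time_ms,
            "focus_floats": list(focus_floats),
            "unknown": unknown,
            "last_executed_filetime": last_exec_ft,
            "last_executed": filetime_to_datetime(last_exec_ft),
        }
    if len(raw) == XP_COUNT_LEN:
        session_id, run_count, last_exec_ft = struct.unpack("<IIQ", raw)
        return {
            "format": "xp",
            "session_id": session_id,
            "run_count": run_count,
            "last_executed_filetime": last_exec_ft,
            "last_executed": filetime_to_datetime(last_exec_ft),
        }
    raise ValueError(
        f"unexpected Count value length {len(raw)}; expected {WIN7_COUNT_LEN} or {XP_COUNT_LEN}. "
        "A 64-byte value is a trimmed Windows 7+ record: the FILETIME high dword is cut off."
    )


if __name__ == "__main__":
    print("name:", decode_userassist_name(SAMPLE_NAME))
    try:
        parse_userassist_count(TRIMMED_VALUE)
    except ValueError as exc:
        print("trimmed value:", exc)
    for field, val in parse_userassist_count(FULL_VALUE).items():
        print(f"{field}: {val}")
```

Feeding `value.value` from an untrimmed `iter_values()` loop into `parse_userassist_count` gives the run count and last-execution time per decoded name; refusing the 64-byte form outright is deliberate, since a silently misparsed timestamp is worse for a timeline than a missing one.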