winregrc package

Submodules

winregrc.appcompatcache module

Application Compatibility Cache collector.

class winregrc.appcompatcache.AppCompatCacheCachedEntry[source]

Bases: object

Application Compatibility Cache cached entry.

cached_entry_size

size of the cached entry.

Type: int

data

data of the cached entry.

Type: bytes

file_size

size of file corresponding to the cached entry.

Type: int

insertion_flags

insertion flags of the cached entry.

Type: int

last_modification_time

last modification timestamp of the file corresponding to the cached entry.

Type: int

last_update_time

last update timestamp the cached entry.

Type: int

shim_flags

shim flags of the cached entry.

Type: int

path

path of the cached entry.

Type: str

class winregrc.appcompatcache.AppCompatCacheCollector(debug=False, output_writer=None)[source]

Bases: WindowsRegistryKeyCollector

Application Compatibility Cache collector.

cached_entries

cached entries.

Type: list[AppCompatCacheCachedEntry]

Collect(registry, all_control_sets=False)[source]

Collects the Application Compatibility Cache.

Parameters

registry (dfwinreg.WinRegistry) – Windows Registry.
all_control_sets (Optional[bool]) – True if the services should be collected from all control sets instead of only the current control set.

Returns

True if the Application Compatibility Cache key was found,: False if not.

Return type

bool

class winregrc.appcompatcache.AppCompatCacheDataParser(debug=False, output_writer=None)[source]

Bases: BinaryDataFormat

Application Compatibility Cache data parser.

CheckSignature(value_data)[source]

Parses and validates the signature.

Parameters: value_data (bytes) – value data.
Returns: format type or None if format could not be determined.
Return type: int
Raises: ParseError – if the value data could not be parsed.

ParseCachedEntry(format_type, value_data, cached_entry_index, cached_entry_offset)[source]

Parses a cached entry.

Parameters

format_type (int) – format type.
value_data (bytes) – value data.
cached_entry_index (int) – cached entry index.
cached_entry_offset (int) – offset of the first cached entry data relative to the start of the value data.

Returns

cached entry.

Return type

AppCompatCacheCachedEntry

Raises

ParseError – if the value data could not be parsed.

ParseHeader(format_type, value_data)[source]

Parses the header.

Parameters

format_type (int) – format type.
value_data (bytes) – value data.

Returns

header.

Return type

AppCompatCacheHeader

Raises

ParseError – if the value data could not be parsed.

class winregrc.appcompatcache.AppCompatCacheHeader[source]

Bases: object

Application Compatibility Cache header.

number_of_cached_entries

number of cached entries.

Type: int

header_size

header size.

Type: int

winregrc.application_identifiers module

Windows application identifiers (AppID) collector.

class winregrc.application_identifiers.ApplicationIdentifier(guid, description)[source]

Bases: object

Application identifier.

description

description.

Type: str

guid

identifier.

Type: str

class winregrc.application_identifiers.ApplicationIdentifiersCollector(debug=False)[source]

Bases: WindowsRegistryKeyCollector

Windows application identifiers collector.

Collect(registry)[source]

Collects Windows application identifiers (AppID).

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Yields: ApplicationIdentifier – an application identifier.

winregrc.cached_credentials module

Domain cached credentials collector.

class winregrc.cached_credentials.CachedCredentialsKeyCollector(debug=False, output_writer=None)[source]

Bases: WindowsRegistryKeyCollector

Domain cached credentials key collector.

Collect(registry)[source]

Collects system information.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Returns: True if the system key was found, False if not.
Return type: bool

winregrc.catalog module

Catalog collector.

class winregrc.catalog.CatalogCollector(group_keys=False)[source]

Bases: object

Catalog collector.

Collect(root_key)[source]

Collects the catalog descriptors from a Windows Registry file.

Parameters: root_key (dfwinreg.WinRegistryKey) – root Windows Registry key.
Yields: CatalogKeyDescriptor – catalog key descriptor.

class winregrc.catalog.CatalogKeyDescriptor[source]

Bases: object

Catalog key descriptor.

grouped_key_paths

paths of Windows Registry keys with similar values.

Type: list[str]

key_path

path of Windows Registry key.

Type: str

value_descriptors

pairs of value name and data type.

Type: tuple[str,str]

winregrc.data_format module

Binary data format.

class winregrc.data_format.BinaryDataFormat(debug=False, output_writer=None)[source]

Bases: object

Binary data format.

winregrc.environment_variables module

Environment variables collector.

class winregrc.environment_variables.EnvironmentVariable(name, value)[source]

Bases: object

Environment variable.

name

name.

Type: str

value

value.

Type: str

class winregrc.environment_variables.EnvironmentVariablesCollector(debug=False)[source]

Bases: WindowsRegistryKeyCollector

Environment variables collector.

Collect(registry)[source]

Collects environment variables.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Yields: EnvironmentVariable – an environment variable.

winregrc.errors module

The error objects.

exception winregrc.errors.Error[source]

Bases: Exception

The error interface.

exception winregrc.errors.ParseError[source]

Bases: Error

Error that is raised when value data cannot be parsed.

winregrc.eventlog_providers module

Windows Event Log providers collector.

class winregrc.eventlog_providers.EventLogProvider[source]

Bases: object

Windows Event Log provider.

additional_identifier

additional identifier of the provider, contains a GUID.

Type: str

category_message_files

paths of the category message files.

Type: set[str]

event_message_files

paths of the event message files.

Type: set[str]

identifier

identifier of the provider, contains a GUID.

Type: str

log_sources

names of the corresponding Event Log sources.

Type: list[str]

log_types

Windows Event Log types.

Type: list[str]

name

name of the provider.

Type: str

parameter_message_files

paths of the parameter message files.

Type: set[str]

class winregrc.eventlog_providers.EventLogProvidersCollector(debug=False)[source]

Bases: WindowsRegistryKeyCollector

Windows Event Log providers collector.

Collect(registry)[source]

Collects Windows Event Log providers from a Windows Registry.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Returns: Event Log provider generator.
Return type: generator[EventLogProvider]

winregrc.filters module

The Windows Registry key and value filters.

class winregrc.filters.BaseWindowsRegistryKeyFilter[source]

Bases: object

Windows Registry key filter interface.

abstract Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – a Windows Registry key.
Returns: True if a match, False otherwise.
Return type: bool

property key_paths: List of key paths defined by the filter.

class winregrc.filters.WindowsRegistryKeyPathFilter(key_path)[source]

Bases: BaseWindowsRegistryKeyFilter

Windows Registry key path filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – a Windows Registry key.
Returns: True if a match, False otherwise.
Return type: bool

property key_paths

key paths defined by the filter.

Type: list[str]

class winregrc.filters.WindowsRegistryKeyPathPrefixFilter(key_path_prefix)[source]

Bases: BaseWindowsRegistryKeyFilter

Windows Registry key path prefix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – a Windows Registry key.
Returns: True if a match, False otherwise.
Return type: bool

class winregrc.filters.WindowsRegistryKeyPathSuffixFilter(key_path_suffix)[source]

Bases: BaseWindowsRegistryKeyFilter

Windows Registry key path suffix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – a Windows Registry key.
Returns: True if a match, False otherwise.
Return type: bool

class winregrc.filters.WindowsRegistryKeyWithValuesFilter(value_names)[source]

Bases: BaseWindowsRegistryKeyFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – a Windows Registry key.
Returns: True if a match, False otherwise.
Return type: bool

winregrc.hexdump module

Function to provide hexadecimal representation of data.

winregrc.hexdump.Hexdump(data)[source]

Formats data in a hexadecimal representation.

Parameters: data (byte) – data.
Returns: hexadecimal representation of the data.
Return type: str

winregrc.interface module

Windows Registry key and value collector.

class winregrc.interface.WindowsRegistryKeyCollector(debug=False)[source]

Bases: object

Windows Registry key and value collector.

winregrc.knownfolders module

Windows known folders collector.

class winregrc.knownfolders.KnownFolder(guid, name, localized_name)[source]

Bases: object

Known folder.

guid

identifier.

Type: str

localized_name

localized name.

Type: str

name

name.

Type: str

class winregrc.knownfolders.KnownFoldersCollector(debug=False)[source]

Bases: WindowsRegistryKeyCollector

Windows known folders collector.

Collect(registry)[source]

Collects Windows known folders.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Yields: KnownFolder – a known folder.

winregrc.mounted_devices module

Windows mounted devices collector.

class winregrc.mounted_devices.MountedDevice(identifier)[source]

Bases: object

Mounted device.

device

device.

Type: str

disk_identity

MBR disk identity.

Type: int

identifier

identifier.

Type: str

partition_identifier

GPT partition identifier.

Type: str

partition_offset

MBR partition offset.

Type: int

class winregrc.mounted_devices.MountedDevicesCollector(debug=False, output_writer=None)[source]

Bases: BinaryDataFormat

Windows mounted devices collector.

Collect(registry)[source]

Collects Windows mounted devices.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Yields: MountedDevice – a mounted device.
Raises: ParseError – if a mounted devices value could not be parsed.

winregrc.mru module

Most Recently Used (MRU) collector.

class winregrc.mru.MostRecentlyUsedCollector(debug=False, output_writer=None)[source]

Bases: BinaryDataFormat

Most Recently Used (MRU) collector.

mru_entries

most recently used (MRU) entries.

Type: list[MostRecentlyUsedEntry]

Collect(registry)[source]

Collects Most Recently Used (MRU) entries.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Returns: True if a Most Recently Used (MRU) key was found, False if not.
Return type: bool

class winregrc.mru.MostRecentlyUsedEntry(key_path=None, shell_item_data=None, shell_item_list_data=None, string=None, value_name=None)[source]

Bases: object

Most Recently Used (MRU) entry.

key_path

path of the Windows Registry key.

Type: str

shell_item_data

Shell Item data.

Type: bytes

shell_item_list_data

Shell Item list data.

Type: bytes

string

string.

Type: str

value_name

name of the Windows Registry value.

Type: str

winregrc.msie_zone_info module

Microsoft Internet Explorer (MSIE) zone information collector.

class winregrc.msie_zone_info.MSIEZoneInformation(zone, zone_name, control, control_value)[source]

Bases: object

MSIE zone information.

control

control.

Type: str

control_value

value to which the control is set.

Type: int|str

zone

identifier of the zone to which the control applies.

Type: str

zone_name

name of the zone to which the control applies.

Type: str

class winregrc.msie_zone_info.MSIEZoneInformationCollector(debug=False)[source]

Bases: WindowsRegistryKeyCollector

MSIE zone information collector.

Collect(registry)[source]

Collects the MSIE zone information.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Yields: MSIEZoneInformation – MSIE zone information.

winregrc.output_writers module

Output writer.

class winregrc.output_writers.OutputWriter[source]

Bases: object

Output writer interface.

abstract Close()[source]: Closes the output writer.

DebugPrintData(description, data)[source]

Prints data for debugging.

Parameters

description (str) – description.
data (bytes) – data.

DebugPrintText(text)[source]

Prints text for debugging.

Parameters: text (str) – text.

DebugPrintValue(description, value)[source]

Prints a value for debugging.

Parameters

description (str) – description.
value (object) – value.

abstract Open()[source]

Opens the output writer.

Returns: True if successful or False if not.
Return type: bool

abstract WriteDebugData(description, data)[source]

Writes data for debugging.

Parameters

description (str) – description to write.
data (bytes) – data to write.

abstract WriteFiletimeValue(description, value)[source]

Writes a FILETIME timestamp value.

Parameters

description (str) – description to write.
value (str) – value to write.

abstract WriteIntegerValueAsDecimal(description, value)[source]

Writes an integer value as decimal.

Parameters

description (str) – description to write.
value (int) – value to write.

abstract WriteText(text)[source]

Writes text.

Parameters: text (str) – text to write.

abstract WriteValue(description, value)[source]

Writes a value.

Parameters

description (str) – description to write.
value (str) – value to write.

class winregrc.output_writers.StdoutOutputWriter[source]

Bases: OutputWriter

Stdout output writer.

Close()[source]: Closes the output writer.

Open()[source]

Opens the output writer.

Returns: True if successful or False if not.
Return type: bool

WriteDebugData(description, data)[source]

Writes data for debugging.

Parameters

description (str) – description to write.
data (bytes) – data to write.

WriteFiletimeValue(description, value)[source]

Writes a FILETIME timestamp value.

Parameters

description (str) – description to write.
value (str) – value to write.

WriteIntegerValueAsDecimal(description, value)[source]

Writes an integer value as decimal.

Parameters

description (str) – description to write.
value (int) – value to write.

WriteText(text)[source]

Writes text.

Parameters: text (str) – text to write.

WriteValue(description, value)[source]

Writes a value.

Parameters

description (str) – description to write.
value (object) – value to write.

winregrc.profiles module

Windows user profiles collector.

class winregrc.profiles.UserProfile(security_identifier, profile_path)[source]

Bases: object

User profile.

profile_path

path of the users profile.

Type: str

security_identifier

security identifier of the user.

Type: str

class winregrc.profiles.UserProfilesCollector(debug=False)[source]

Bases: WindowsRegistryKeyCollector

Windows user profiles collector.

Collect(registry)[source]

Collects user profiles.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Yields: UserProfile – an user profile.

winregrc.programscache module

Windows Programs Cache information collector.

class winregrc.programscache.ProgramsCacheCollector(debug=False, output_writer=None)[source]

Bases: WindowsRegistryKeyCollector

Windows program cache collector.

Collect(registry)[source]

Collects the Programs Cache information.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Returns: True if the Programs Cache information key was found, False if not.
Return type: bool

class winregrc.programscache.ProgramsCacheDataParser(debug=False, output_writer=None)[source]

Bases: BinaryDataFormat

Programs Cache data parser.

Parse(value_data)[source]

Parses the value data.

Parameters: value_data (bytes) – value data.
Raises: ParseError – if the value data could not be parsed.

winregrc.sam module

Security Accounts Manager (SAM) collector.

class winregrc.sam.SecurityAccountManagerCollector(debug=False, output_writer=None)[source]

Bases: WindowsRegistryKeyCollector

Security Accounts Manager (SAM) collector.

user_accounts

user accounts.

Type: list[UserAccount]

Collect(registry)[source]

Collects the Security Accounts Manager (SAM) information.

Parameters

registry (dfwinreg.WinRegistry) – Windows Registry.

Returns

True if the Security Accounts Manager (SAM) information key was: found, False if not.

Return type

bool

class winregrc.sam.SecurityAccountManagerDataParser(debug=False, output_writer=None)[source]

Bases: BinaryDataFormat

Security Accounts Manager (SAM) data parser.

ParseCValue(value_data)[source]

Parses the C value data.

Parameters: value_data (bytes) – F value data.
Raises: ParseError – if the value data could not be parsed.

ParseFValue(value_data, user_account)[source]

Parses the F value data.

Parameters

value_data (bytes) – F value data.
user_account (UserAccount) – user account.

Raises

ParseError – if the value data could not be parsed.

ParseVValue(value_data, user_account)[source]

Parses the V value data.

Parameters

value_data (bytes) – V value data.
user_account (UserAccount) – user account.

Raises

ParseError – if the value data could not be parsed.

class winregrc.sam.UserAccount[source]

Bases: object

User account.

account_expiration_time

account expiration date and time.

Type: dfdatetime.DateTimeValues

codepage

code page.

Type: str

comment

comment.

Type: str

full_name

full name.

Type: str

last_login_time

last log-in date and time.

Type: dfdatetime.DateTimeValues

last_password_failure_time

last password failure date and time.

Type: dfdatetime.DateTimeValues

last_password_set_time

last password set date and time.

Type: dfdatetime.DateTimeValues

name

name

Type: str

number_of_logons

number of log-ons.

Type: int

number_of_password_failures

number of password failures.

Type: int

primary_gid

primary group identifier (GID).

Type: int

rid

relative identifier (RID).

Type: str

user_account_control_flags

user account control flags.

Type: int

user_comment

user comment.

Type: str

username

username.

Type: str

winregrc.services module

Windows services and drivers collector.

class winregrc.services.WindowsService(name, service_type, display_name, description, image_path, object_name, start_value)[source]

Bases: object

Windows service.

description

service description.

Type: str

display_name

display name.

Type: str

image_path

image path.

Type: str

name

name.

Type: str

object_name

object name

Type: str

service_type

service type.

Type: str

start_value

start value.

Type: str

GetObjectNameDescription()[source]

Retrieves the object name description.

Returns: object name description.
Return type: str

GetServiceTypeDescription()[source]

Retrieves the service type description.

Returns: service type description.
Return type: str

GetStartValueDescription()[source]

Retrieves the start value description.

Returns: start value description.
Return type: str

__eq__(other)[source]

Determines the current Windows service is equal to the other.

Returns: True if equal.
Return type: bool

__ne__(other)[source]

Determines the current Windows service is not equal to the other.

Returns: True if not equal.
Return type: bool

class winregrc.services.WindowsServicesCollector(debug=False)[source]

Bases: WindowsRegistryKeyCollector

Windows services and drivers collector.

Collect(registry, all_control_sets=False)[source]

Collects Windows services and drivers.

Parameters

registry (dfwinreg.WinRegistry) – Windows Registry.
all_control_sets (Optional[bool]) – True if the services should be collected from all control sets instead of only the current control set.

Yields

WindowsService – a Windows service.

Compare(registry, output_writer)[source]

Compares services in the different control sets.

Parameters

registry (dfwinreg.WinRegistry) – Windows Registry.
output_writer (OutputWriter) – output writer.

Returns

True if the services key was found, False if not.

Return type

bool

winregrc.shellfolders module

Windows Shell folder collector.

class winregrc.shellfolders.ShellFoldersCollector(debug=False)[source]

Bases: WindowsRegistryKeyCollector

Windows Shell folder collector.

Collect(registry)[source]

Collects Windows Shell folders.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Yields: WindowsShellFolder – a Windows Shell folder.

class winregrc.shellfolders.WindowsShellFolder(*args: Any, **kwargs: Any)[source]

Bases: AttributeContainer

Windows Shell folder.

identifier

identifier (GUID).

Type: str

name

name.

Type: str

localized_string

localized string of the name.

Type: str

CONTAINER_TYPE = 'windows_shell_folder'

SCHEMA = {'identifier': 'str', 'localized_string': 'str', 'name': 'str'}

winregrc.srum_extensions module

System Resource Usage Monitor (SRUM) extension collector.

class winregrc.srum_extensions.SRUMExtension(guid, dll_name)[source]

Bases: object

System Resource Usage Monitor (SRUM) extension.

dll_name

DLL name.

Type: str

guid

identifier.

Type: str

class winregrc.srum_extensions.SRUMExtensionsCollector(debug=False)[source]

Bases: WindowsRegistryKeyCollector

Windows System Resource Usage Monitor (SRUM) extension collector.

Collect(registry, output_writer)[source]

Collects the SRUM extensions.

Parameters

registry (dfwinreg.WinRegistry) – Windows Registry.
output_writer (OutputWriter) – output writer.

Returns

True if the SRUM extensions key was found, False if not.

Return type

bool

winregrc.sysinfo module

System information collector.

class winregrc.sysinfo.SystemInfoCollector(debug=False, output_writer=None)[source]

Bases: WindowsRegistryKeyCollector

System information collector.

system_information

system information.

Type: SystemInformation

Collect(registry)[source]

Collects system information.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Returns: True if the system information key was found, False if not.
Return type: bool

class winregrc.sysinfo.SystemInformation[source]

Bases: object

System information.

csd_version

CSD version.

Type: str

current_build_number

current build number.

Type: str

current_type

current type.

Type: str

current_version

current version.

Type: str

installation_date

installation date and time.

Type: dfdatetime.DateTimeValues

path_name

path name.

Type: str

product_identifier

product identifier.

Type: str

product_name

product name.

Type: str

registered_organization

registered organization.

Type: str

registered_owner

registered owner.

Type: str

system_root

system root path.

Type: str

winregrc.syskey module

System key (syskey) collector.

class winregrc.syskey.SystemKey[source]

Bases: object

System key.

boot_key

boot key.

Type: bytes

class winregrc.syskey.SystemKeyCollector(debug=False, output_writer=None)[source]

Bases: WindowsRegistryKeyCollector

System key collector.

system_key

system key.

Type: SystemKey

Collect(registry)[source]

Collects system information.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Returns: True if the system key was found, False if not.
Return type: bool

winregrc.task_cache module

Task Cache collector.

class winregrc.task_cache.CachedTask[source]

Bases: object

Cached task.

identifier

identifier.

Type: str

last_registered_time

last registered date and time.

Type: dfdatetime.DateTimeValues

launch_time

launch date and time.

Type: dfdatetime.DateTimeValues

name

name.

Type: str

class winregrc.task_cache.TaskCacheCollector(debug=False, output_writer=None)[source]

Bases: WindowsRegistryKeyCollector

Task Cache collector.

cached_tasks

cached tasks.

Type: list[CachedTask]

Collect(registry)[source]

Collects the Task Cache.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Returns: True if the Task Cache key was found, False if not.
Return type: bool

class winregrc.task_cache.TaskCacheDataParser(debug=False, output_writer=None)[source]

Bases: BinaryDataFormat

Task Cache data parser.

ParseDynamicInfo(value_data, cached_task)[source]

Parses the DynamicInfo value data.

Parameters

value_data (bytes) – DynamicInfo value data.
cached_task (CachedTask) – cached task.

Raises

ParseError – if the value data could not be parsed.

winregrc.time_zones module

Windows time zones collector.

class winregrc.time_zones.TimeZone(name)[source]

Bases: object

Time zone.

localized_name

localized name.

Type: str

name

name.

Type: str

offset

time zone offset in number of minutes from UTC.

Type: int

class winregrc.time_zones.TimeZoneInformationDataParser(debug=False, output_writer=None)[source]

Bases: BinaryDataFormat

Time Zone Information (TZI) data parser.

ParseTZIValue(value_data, time_zone)[source]

Parses the TZI value data.

Parameters

value_data (bytes) – TZI value data.
time_zone (TimeZone) – time zone.

Raises

ParseError – if the value data could not be parsed.

class winregrc.time_zones.TimeZonesCollector(debug=False)[source]

Bases: WindowsRegistryKeyCollector

Windows time zones collector.

Collect(registry, output_writer)[source]

Collects the time zones.

Parameters

registry (dfwinreg.WinRegistry) – Windows Registry.
output_writer (OutputWriter) – output writer.

Returns

True if the time zones key was found, False if not.

Return type

bool

winregrc.type_libraries module

Windows type libraries collector.

class winregrc.type_libraries.TypeLibrariesCollector(debug=False, output_writer=None)[source]

Bases: WindowsRegistryKeyCollector

Windows type libraries collector.

type_libraries

type libraries.

Type: list[TypeLibrary]

Collect(registry)[source]

Collects the type libraries.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Returns: True if the type libraries key was found, False if not.
Return type: bool

class winregrc.type_libraries.TypeLibrary(guid, version, description, typelib_filename)[source]

Bases: object

Type library.

description

description.

Type: str

guid

identifier.

Type: str

typelib_filename

typelib_filename.

Type: str

version

version.

Type: str

winregrc.usbstor module

Windows USB storage device collector.

class winregrc.usbstor.USBStorageDevice[source]

Bases: object

USB storage device.

device_type

type of USB device.

Type: str

display_name

display name of the USB device.

Type: str

key_path

Windows Registry key path.

Type: str

product

product of the USB device.

Type: str

properties

properties.

Type: list[USBStorageDeviceProperty]

revision

revision number of the USB device.

Type: str

vendor

vendor of the USB device.

Type: str

class winregrc.usbstor.USBStorageDeviceCollector(debug=False, output_writer=None)[source]

Bases: BinaryDataFormat

Windows USB storage device collector.

Collect(registry)[source]

Collects USB storage devices.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Yields: USBStorageDevice – an USB storage device.

class winregrc.usbstor.USBStorageDeviceProperty(property_set, identifier)[source]

Bases: object

USB storage device property.

identifier

identifier of the property.

Type: str

property_set

identifier of the property set.

Type: str

value

property value.

Type: object

value_type

property value type.

Type: int

winregrc.userassist module

Windows UserAssist information collector.

class winregrc.userassist.UserAssistCollector(debug=False, output_writer=None)[source]

Bases: WindowsRegistryKeyCollector

Windows UserAssist information collector.

Returns: UserAssist entries.
Return type: user_assist_entries (list[UserAssistEntry])

Collect(registry)[source]

Collects the UserAssist information.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Returns: True if the UserAssist key was found, False if not.
Return type: bool

class winregrc.userassist.UserAssistDataParser(debug=False, output_writer=None)[source]

Bases: BinaryDataFormat

UserAssist data parser.

ParseEntry(format_version, entry_data)[source]

Parses an UserAssist entry.

Parameters

format_version (int) – format version.
entry_data (bytes) – entry data.

Returns

UserAssist entry.

Return type

user_assist_entry_v3|user_assist_entry_v5

Raises

ParseError – if the value data could not be parsed.

class winregrc.userassist.UserAssistEntry(guid=None, name=None, value_name=None)[source]

Bases: object

UserAssist entry.

guid

GUID.

Type: str

name

name.

Type: str

value_name

name of the Windows Registry value.

Type: str

winregrc.volume_scanner module

Windows Registry volume scanner.

class winregrc.volume_scanner.SingleFileWindowsRegistryFileReader(*args: Any, **kwargs: Any)[source]

Bases: WinRegistryFileReader

Single file Windows Registry file reader.

Open(path, ascii_codepage='cp1252')[source]

Opens the Windows Registry file specified by the path.

Parameters

path (str) – path of the Windows Registry file. The path is a Windows path relative to the root of the file system that contains the specific Windows Registry file. E.g. C:WindowsSystem32configSYSTEM
ascii_codepage (Optional[str]) – ASCII string codepage.

Returns

Windows Registry file or None if the file cannot: be opened.

Return type

WinRegistryFile

class winregrc.volume_scanner.WindowsRegistryVolumeScanner(*args: Any, **kwargs: Any)[source]

Bases: WindowsVolumeScanner

Windows Registry volume scanner.

registry

Windows Registry.

Type: dfwinreg.WinRegistry

IsSingleFileRegistry()[source]

Determines if the Registry consists of a single file.

Returns: True if the Registry consists of a single file.
Return type: bool

OpenFile(windows_path)[source]

Opens the file specified by the Windows path.

Parameters: windows_path (str) – Windows path to the file.
Returns: file-like object or None if the file does not exist.
Return type: dfvfs.FileIO
Raises: ScannerError – if the scan node is invalid or the scanner does not know how to proceed.

ScanForWindowsVolume(source_path, options=None)[source]

Scans for a Windows volume.

Parameters

source_path (str) – source path.
options (Optional[VolumeScannerOptions]) – volume scanner options. If None the default volume scanner options are used, which are defined in the VolumeScannerOptions class.

Returns

True if a Windows volume was found.

Return type

bool

Raises

ScannerError – if the source path does not exists, or if the source path is not a file or directory, or if the format of or within the source file is not supported.

class winregrc.volume_scanner.WindowsRegistryVolumeScannerMediator(*args: Any, **kwargs: Any)[source]

Bases: CLIVolumeScannerMediator

Windows Registry volume scanner mediator.

PrintUsersSubDirectoriesOverview(users_file_entry)[source]

Prints an overview of the Users sub directories.

Parameters: users_file_entry (dfvfs.FileEntry) – file entry of the Users directory.

Module contents

Windows Registry resources (winregrc).