pyregfi
API Documentation

The pyregfi module provides a Python interface to the regfi Windows registry library. The library operates on registry hives, each of which is contained within a single file. The quickest way to get started is to use the openHive() function to obtain a Hive object. For example:

 >>> import pyregfi
 >>> myHive = pyregfi.openHive('/mnt/win/c/WINDOWS/system32/config/system')

Using this Hive object, one can begin investigating what top-level keys exist by starting with the root Key attribute:

 >>> for key in myHive.root.subkeys:
 ...   print(key.name)
 ControlSet001
 ControlSet003
 LastKnownGoodRecovery
 MountedDevices
 Select
 Setup
 WPA

From there, accessing subkeys and values by name is a simple matter of:

 >>> myKey = myHive.root.subkeys['Select']
 >>> myValue = myKey.values['Current']

The data associated with a Value can be obtained through the fetch_data() method:

 >>> print(myValue.fetch_data())
 1

While useful for simple exercises, using the subkeys object for deeply nested paths is not efficient and doesn't make for particularly attractive code. Instead, a special-purpose HiveIterator class is provided for simplicity of use and fast access to specific known paths:

 >>> myIter = pyregfi.HiveIterator(myHive)
 >>> myIter.descend(['ControlSet001','Control','NetworkProvider','HwOrder'])
 >>> myKey = myIter.current_key()
 >>> print(myKey.values['ProviderOrder'].fetch_data())
 RDPNP,LanmanWorkstation,WebClient

The first two lines above can be shortened with the "syntactic sugar" provided by the Hive.subtree() method. As one might expect, the HiveIterator also acts as an iterator, producing keys in depth-first order. For instance, to traverse all keys under the ControlSet003\Services key, printing their names as we go, we could do:

 >>> for key in myHive.subtree(['ControlSet003','Services']):
 ...   print(key.name)
 Services
 Abiosdsk
 abp480n5
 Parameters
 PnpInterface
 ACPI
 [...]

Note that "Services" was printed first, since the subtree is traversed as a "preordering depth-first" search starting with the HiveIterator's current_key(). As one might expect, traversal of a subtree stops when all elements in that subtree (and none outside of it) have been traversed.
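
An added example (not part of pyregfi or its documentation) that combines the lookups above: it maps Select\Current to the active ControlSetNNN key and compares ProviderOrder in every control set against a baseline list. The helper names, the Node stand-in class, the sample hive and the provider name ExampleProvider are constructed for illustration; the code assumes values can be iterated like subkeys and that each value has a name attribute.

```python
# Added example, not pyregfi code; uses only root, subkeys, values, name, fetch_data().
HWORDER = ["Control", "NetworkProvider", "HwOrder"]
def find(items, name):
    """Case-insensitive lookup by .name; returns None when absent."""
    return next((i for i in items if i.name.lower() == name.lower()), None)

def current_control_set(hive):
    """Map Select\\Current (an integer such as 1) to a name like 'ControlSet001'."""
    select = find(hive.root.subkeys, "Select")
    current = find(select.values, "Current") if select is not None else None
    return None if current is None else "ControlSet%03d" % current.fetch_data()

def provider_orders(hive):
    """Return {control set name: [providers]} for every ControlSetNNN key."""
    orders = {}
    for cs in hive.root.subkeys:
        key = cs if cs.name.lower().startswith("controlset") else None
        for part in HWORDER:
            key = find(key.subkeys, part) if key is not None else None
        value = find(key.values, "ProviderOrder") if key is not None else None
        if value is not None:
            providers = value.fetch_data().split(",")
            orders[cs.name] = [p.strip() for p in providers if p.strip()]
    return orders

def audit(hive, baseline):
    """Return (control set, provider, is_current) for providers outside baseline."""
    current = current_control_set(hive)
    return [(name, p, name == current)
            for name, providers in sorted(provider_orders(hive).items())
            for p in providers if p not in baseline]

class Node:  # constructed stand-in for a pyregfi Hive, Key or Value (sample data only)
    def __init__(self, name, subkeys=(), values=(), data=None):
        self.name, self.data, self.root = name, data, self
        self.subkeys, self.values = list(subkeys), list(values)
    def fetch_data(self):
        return self.data

def control_set(name, order):  # builds ControlSetNNN\Control\NetworkProvider\HwOrder
    leaf = Node("HwOrder", values=[Node("ProviderOrder", data=order)])
    return Node(name, [Node("Control", [Node("NetworkProvider", [leaf])])])
SAMPLE = Node("root", [  # constructed hive; "ExampleProvider" is a made-up name
    control_set("ControlSet001", "RDPNP,LanmanWorkstation,WebClient,ExampleProvider"),
    control_set("ControlSet003", "RDPNP,LanmanWorkstation,WebClient"),
    Node("Select", values=[Node("Current", data=1)])])

if __name__ == "__main__":
    print(audit(SAMPLE, {"RDPNP", "LanmanWorkstation", "WebClient"}))
```

To run the same audit on a real hive, pass the object returned by pyregfi.openHive() to audit() in place of SAMPLE.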

For more information, peruse the various attributes and methods available on the Hive, HiveIterator, Key, Value, and Security classes.

Note:
regfi is a read-only library by design and there are no plans to implement write support.
At present, pyregfi has been tested with Python versions 2.6 and 3.1.
Developers strive to make pyregfi thread-safe.