def parse_registry(hive, disk=None):
"""Parses the registry hive's content and returns a dictionary.
{"RootKey\\Key\\...": (("ValueKey", "ValueType", ValueValue), ... )}
"""
if disk is not None:
with FileSystem(disk) as filesystem:
registry = extract_registry(filesystem, hive)
else:
registry = RegistryHive(hive)
registry.rootkey = registry_root(hive)
return dict(registry.keys())
def parse_registry(hive, disk=None, sort=False):
if disk is not None:
with FileSystem(disk) as filesystem:
registry = extract_registry(filesystem, hive)
else:
registry = RegistryHive(hive)
registry.rootkey = registry_root(hive)
if sort:
keys = sorted((k for k in registry.keys()), key=lambda k: k.timestamp)
return OrderedDict((k.path, (k.timestamp, k.values)) for k in keys)
else:
return {k.path: (k.timestamp, k.values) for k in registry.keys()}
def parse_registries(filesystem, registries):
"""Returns a dictionary with the content of the given registry hives.
{"\\Registry\\Key\\", (("ValueKey", "ValueType", ValueValue))}
"""
results = {}
for path in registries:
with NamedTemporaryFile(buffering=0) as tempfile:
filesystem.download(path, tempfile.name)
registry = RegistryHive(tempfile.name)
registry.rootkey = registry_root(path)
results.update(dict(registry.keys()))
return results
def parse_registries(filesystem, registries):
"""Returns a dictionary with the content of the given registry hives.
{"\\Registry\\Key\\", (("ValueKey", "ValueType", ValueValue))}
"""
results = {}
for path in registries:
with NamedTemporaryFile(buffering=0) as tempfile:
filesystem.download(path, tempfile.name)
registry = RegistryHive(tempfile.name)
registry.rootkey = registry_root(path)
results.update(
{k.path: (k.timestamp, k.values)
for k in registry.keys()})
return results
def extract_registry(filesystem, path):
with NamedTemporaryFile(buffering=0) as tempfile:
filesystem.download(path, tempfile.name)
return RegistryHive(tempfile.name)