def __init__(self, hive_path):
    """
    Load a registry hive from disk and parse its header and root key.

    The file is read completely into memory and parsed from that copy.
    Any exception raised by identify_hive_type is not caught here and
    propagates to the caller.

    :param hive_path: Path to the registry hive
    """
    with open(hive_path, 'rb') as hive_file:
        raw_hive = hive_file.read()
    self._stream = BytesIO(raw_hive)

    with boomerang_stream(self._stream) as stream:
        self.header = REGF_HEADER.parse_stream(stream)

        # The root NKRecord is the first cell of the root HBin.
        # next() is called without a default, so StopIteration propagates
        # if iter_cells yields nothing.
        first_cell = next(self.get_hbin_at_offset().iter_cells(stream))
        self.root = NKRecord(first_cell, stream)

    # The hive type is derived from the name stored inside the hive header,
    # i.e. from the file's own contents rather than from hive_path.
    self.name = self.header.file_name
    self.hive_type = identify_hive_type(self.name)
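def __init__(self, hive_path, hive_type=None, partial_hive_path=None):
    """
    Represents a registry hive

    The file is read completely into memory and parsed from that copy.

    :param hive_path: Path to the registry hive
    :param hive_type: The hive type can be specified if this is a partial hive,
                      or for some other reason regipy cannot identify the hive type.
                      It is matched case-insensitively against SUPPORTED_HIVE_TYPES
                      and stored lower-cased.
    :param partial_hive_path: The path from which the partial hive actually starts, for example:
                              hive_type=ntuser partial_hive_path="/Software" would mean
                              this is actually a HKCU hive, starting from HKCU/Software
    :raises UnidentifiedHiveException: if an explicit hive_type is not in SUPPORTED_HIVE_TYPES
    """
    self.partial_hive_path = None
    self.hive_type = None

    with open(hive_path, 'rb') as f:
        self._stream = BytesIO(f.read())

    with boomerang_stream(self._stream) as s:
        self.header = REGF_HEADER.parse_stream(s)

        # Get the first cell in root HBin, which is the root NKRecord.
        # next() is called without a default, so StopIteration propagates
        # if iter_cells yields nothing.
        root_hbin = self.get_hbin_at_offset()
        root_hbin_cell = next(root_hbin.iter_cells(s))
        self.root = NKRecord(root_hbin_cell, s)

    # The name comes from the hive header, i.e. from the file's own contents.
    self.name = self.header.file_name

    if hive_type:
        normalized_hive_type = hive_type.lower()
        if normalized_hive_type in SUPPORTED_HIVE_TYPES:
            # Store the form that was actually validated. Keeping the caller's
            # original casing would let e.g. an upper-case value pass this check
            # and then fail later exact comparisons against the supported names
            # (presumably how consumers match hives -- verify against callers).
            self.hive_type = normalized_hive_type
        else:
            raise UnidentifiedHiveException(
                f'{hive_type} is not a supported hive type: '
                f'only the following are supported: {SUPPORTED_HIVE_TYPES}'
            )
    else:
        try:
            self.hive_type = identify_hive_type(self.name)
        except UnidentifiedHiveException:
            # Best effort: an unidentified hive is still usable, hive_type stays None.
            # NOTE(review): self.name is read from the hive file and is written to
            # the log as-is; escape it if the log is parsed by other tooling.
            logger.info(
                f'Hive type for {hive_path} was not identified: {self.name}'
            )

    if partial_hive_path:
        self.partial_hive_path = partial_hive_path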