def list_values(hive, key=None, use_32bit_registry=False, include_default=True):
'''
Enumerates the values in a registry key or hive.
:param str hive: The name of the hive. Can be one of the following
- HKEY_LOCAL_MACHINE or HKLM
- HKEY_CURRENT_USER or HKCU
- HKEY_USER or HKU
:param str key: The key (looks like a path) to the value name. If a key is
not passed, the values under the hive will be returned.
:param bool use_32bit_registry: Accesses the 32bit portion of the registry
on 64 bit installations. On 32bit machines this is ignored.
:param bool include_default: Toggle whether to include the '(Default)' value.
:return: A list of values under the hive or key.
:rtype: list
CLI Example:
.. code-block:: bash
salt '*' reg.list_values HKLM 'SYSTEM\\CurrentControlSet\\Services\\Tcpip'
'''
local_hive = _to_unicode(hive)
local_key = _to_unicode(key)
registry = Registry()
hkey = registry.hkeys[local_hive]
access_mask = registry.registry_32[use_32bit_registry]
handle = None
values = list()
try:
handle = win32api.RegOpenKeyEx(hkey, local_key, 0, access_mask)
for i in range(win32api.RegQueryInfoKey(handle)[1]):
vname, vdata, vtype = win32api.RegEnumValue(handle, i)
if not vname:
vname = "(Default)"
value = {'hive': local_hive,
'key': local_key,
'vname': _to_mbcs(vname),
'vdata': _to_mbcs(vdata),
'vtype': registry.vtype_reverse[vtype],
'success': True}
values.append(value)
except pywintypes.error as exc: # pylint: disable=E0602
log.debug(exc)
log.debug(r'Cannot find key: {0}\{1}'.format(hive, key))
return False, r'Cannot find key: {0}\{1}'.format(hive, key)
finally:
if handle:
handle.Close()
return values
def walk_values(hive,
key_name,
value_filter_regex=None,
valuetypes=None,
autoexpand=False,
sam=win32con.KEY_READ):
"""
>>> list(walk_values(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\DrWatson", r"^(cr|dump)"))
[('DumpSymbols', 0, 4), ('DumpAllThreads', 1, 4), ('CreateCrashDump', 1, 4), ('CrashDumpType', 1, 4)]
>>> list(walk_values(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\DrWatson", valuetypes=(win32con.REG_EXPAND_SZ,)))
[('WaveFile', '', 2)]
"""
if valuetypes:
valuetypes = set(valuetypes)
with reg_connect_registry(None, hive) as reghandle:
with reg_open_key(reghandle, key_name, sam=sam) as keyhandle:
index = 0
while True:
try:
name, value, value_type = win32api.RegEnumValue(
keyhandle, index)
except Exception, e:
if e[0] == 259: # No more items available
break
raise e
index += 1
if value_filter_regex and not re.search(
value_filter_regex, name, re.IGNORECASE):
continue
if valuetypes and not value_type in valuetypes:
continue
if autoexpand and value_type == win32con.REG_EXPAND_SZ:
value = _expand_path_variables(value)
yield name, value, value_type
def get_key_info(self):
accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
try:
key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER,
'Software\\FTPware\\CoreFTP\\Sites', 0,
accessRead)
except:
return False
num_profiles = win32api.RegQueryInfoKey(key)[0]
pwdFound = []
for n in range(num_profiles):
name_skey = win32api.RegEnumKey(key, n)
skey = win32api.RegOpenKey(key, name_skey, 0, accessRead)
num = win32api.RegQueryInfoKey(skey)[1]
values = {}
for nn in range(num):
k = win32api.RegEnumValue(skey, nn)
if k[0] == 'Host':
values['Host'] = k[1]
if k[0] == 'Port':
values['Port'] = k[1]
if k[0] == 'User':
values['User'] = k[1]
pwdFound.append(values)
if k[0] == 'PW':
try:
values['Password'] = self.decrypt(k[1])
except:
values['Password'] = '******'
# print the results
print_output('CoreFTP', pwdFound)
def StartRPy():
rpath = vim.eval("g:rplugin_Rgui")
rargs = ['"' + rpath + '"']
r_args = vim.eval("g:rplugin_r_args")
if r_args != " ":
r_args = r_args.split(' ')
i = 0
alen = len(r_args)
while i < alen:
rargs.append(r_args[i])
i = i + 1
kHandle = None
keyName = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"
try:
kHandle = win32api.RegOpenKeyEx(win32con.HKEY_CURRENT_USER, keyName, 0, win32con.KEY_READ)
except:
vim.command("RWarningMsg('Personal folder not found in registry')")
if kHandle:
i = 0
folder = "none"
while folder != "Personal":
try:
(folder, fpath, vtype) = win32api.RegEnumValue(kHandle, i)
except:
break
i = i + 1
win32api.RegCloseKey(kHandle)
if folder == "Personal":
rargs.append('HOME="' + fpath + '"')
else:
vim.command("RWarningMsg('Personal folder not found in registry')")
os.spawnv(os.P_NOWAIT, rpath, rargs)
def get_path():
'''获取注册表中IE安装位置
'''
hkey = win32con.HKEY_LOCAL_MACHINE
subkey = r'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE'
hkey = win32api.RegOpenKey(hkey, subkey)
return win32api.RegEnumValue(hkey, 0)[1]
def GetRPath():
keyName = "SOFTWARE\\R-core\\R"
kHandle = None
try:
kHandle = win32api.RegOpenKeyEx(win32con.HKEY_LOCAL_MACHINE, keyName,
0, win32con.KEY_READ)
rVersion, reserved, kclass, lastwrite = win32api.RegEnumKeyEx(
kHandle)[-1]
win32api.RegCloseKey(kHandle)
kHandle = None
keyName = keyName + "\\" + rVersion
kHandle = win32api.RegOpenKeyEx(win32con.HKEY_LOCAL_MACHINE, keyName,
0, win32con.KEY_READ)
except:
try:
kHandle = win32api.RegOpenKeyEx(win32con.HKEY_CURRENT_USER,
keyName, 0, win32con.KEY_READ)
rVersion, reserved, kclass, lastwrite = win32api.RegEnumKeyEx(
kHandle)[-1]
win32api.RegCloseKey(kHandle)
kHandle = None
keyName = keyName + "\\" + rVersion
kHandle = win32api.RegOpenKeyEx(win32con.HKEY_CURRENT_USER,
keyName, 0, win32con.KEY_READ)
except:
vim.command("let s:rinstallpath = 'Key not found'")
if kHandle:
(kname, rpath, vtype) = win32api.RegEnumValue(kHandle, 0)
win32api.RegCloseKey(kHandle)
if kname == 'InstallPath':
vim.command("let s:rinstallpath = '" + rpath + "'")
else:
vim.command("let s:rinstallpath = 'Path not found'")
def list_value(self, key):
try:
i = 0
while 1:
print(win32api.RegEnumValue(key, i))
i += 1
except:
pass
def _getLocation():
''' Looks through the registry to find the current users Cookie folder. This is the folder IE uses. '''
key = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
regkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, key, 0, win32con.KEY_ALL_ACCESS)
num = win32api.RegQueryInfoKey(regkey)[1]
for x in range(0, num):
k = win32api.RegEnumValue(regkey, x)
if k[0] == 'Cookies':
return k[1]
def enumerate(self): i = 0 while True: try: value, data, type = Api.RegEnumValue(self.hKey, i) except Api.error: break else: yield value, (data, type) i += 1
def get_values(self):
try:
values = []
(subkey_count, value_count, mod_time) = win32api.RegQueryInfoKey(self.get_keyh())
for i in range(0, value_count):
(s, o, t) = win32api.RegEnumValue(self.get_keyh(), i)
values.append(s)
return values
except:
return []
def iteritems_data(self):
i = 0
# yield data
try:
while 1:
s, obj, objtype = win32api.RegEnumValue(self.keyhandle, i)
yield s, self.massageIncomingRegistryValue((obj, objtype))
i += 1
except:
pass
def _getLocation():
""" Examines the registry to find the cookie folder IE uses """
key = r'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
regkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, key, 0,
win32con.KEY_ALL_ACCESS)
num = win32api.RegQueryInfoKey(regkey)[1]
for x in range(num):
k = win32api.RegEnumValue(regkey, x)
if k[0] == 'Cookies':
return k[1]
class CoreFTP(ModuleInfo):
def __init__(self):
options = {
'command': '-core',
'action': 'store_true',
'dest': 'coreftp',
'help': 'coreftp'
}
ModuleInfo.__init__(self, 'coreftp', 'sysadmin', options)
def get_secret(self):
return "hdfzpysvpzimorhk"
def decrypt(self, hex):
encoded = binascii.unhexlify(hex)
secret = self.get_secret()
BLOCK_SIZE = 16
mode = AES.MODE_ECB
cipher = AES.new(secret, mode)
return cipher.decrypt(encoded).split('\x00')[0]
def get_key_info(self):
accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
try:
key = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER,
'Software\\FTPware\\CoreFTP\\Sites', 0,
accessRead)
except Exception, e:
print_debug('DEBUG', '{0}'.format(e))
return False
num_profiles = win32api.RegQueryInfoKey(key)[0]
pwdFound = []
for n in range(num_profiles):
name_skey = win32api.RegEnumKey(key, n)
skey = win32api.RegOpenKey(key, name_skey, 0, accessRead)
num = win32api.RegQueryInfoKey(skey)[1]
values = {}
for nn in range(num):
k = win32api.RegEnumValue(skey, nn)
if k[0] == 'Host':
values['Host'] = k[1]
if k[0] == 'Port':
values['Port'] = k[1]
if k[0] == 'User':
values['User'] = k[1]
pwdFound.append(values)
if k[0] == 'PW':
try:
values['Password'] = self.decrypt(k[1])
except Exception, e:
print_debug('DEBUG', '{0}'.format(e))
values['Password'] = '******'
def getkeys(pk):
d = {}
inx = 0
while 1:
try:
sv = win32api.RegEnumValue(pk, inx)
except:
break
d[sv[0]] = (sv[1], sv[2])
inx = inx + 1
return d
def getAllValues(self):
key = self.__getKey()
try:
i = 0
while True:
yield win32api.RegEnumValue(key, i)
i += 1
except Exception as e:
pass
finally:
key.close()
def getuuids(self):
"""
for each UUID in the registry, find the file, and if it's unique, load it
requires win32api
HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatability\
If they have the 0x400 bit set, they're "killed"
"""
uuidsdone = {}
reg = win32api.RegConnectRegistry(None, win32con.HKEY_CLASSES_ROOT)
key = win32api.RegOpenKeyEx(reg, "CLSID")
subkey = "Hi"
i = 1
while subkey != "":
try:
subkey = win32api.RegEnumKey(key, i)
#print "Subkey=%s"%subkey
except pywintypes.error:
#end of registry just throws a lame exception
subkey = ""
continue
try:
new_subkey = win32api.RegOpenKeyEx(key, subkey)
print "Got new subkey for %s" % subkey
subkey2 = win32api.RegOpenKeyEx(new_subkey, "InprocServer32")
print "Got InprocServer subkey"
value = win32api.RegEnumValue(subkey2, 0)
print "Value = %s" % (value, )
dllname = value[1].lower()
print "Dllname=%s" % dllname
if dllname.count("exe") or dllname.count("dll"):
print "Clearing"
self.clear()
print "Doing file"
self.dofile(dllname)
print "Doing all imports"
self.doallimports()
else:
print "Not a dll or exe!"
except pywintypes.error:
#import traceback
#traceback.print_exc(file=sys.stdout)
pass
#print "No InprocServer subkey..."
i += 1
print "Done with getuuids"
print "Done DLLS: %s" % (self.imports, )
sys.exit(1)
def get_logins_info(self):
accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
try:
key = win32api.RegOpenKey(
win32con.HKEY_CURRENT_USER,
'Software\Martin Prikryl\WinSCP 2\Sessions', 0, accessRead)
except:
return False
num_profiles = win32api.RegQueryInfoKey(key)[0]
pwdFound = []
for n in range(num_profiles):
name_skey = win32api.RegEnumKey(key, n)
skey = win32api.RegOpenKey(key, name_skey, 0, accessRead)
num = win32api.RegQueryInfoKey(skey)[1]
port = ''
values = {}
for nn in range(num):
k = win32api.RegEnumValue(skey, nn)
if k[0] == 'HostName':
self.set_hostname(k[1])
if k[0] == 'UserName':
self.set_username(k[1])
if k[0] == 'Password':
self.set_hash(k[1])
if k[0] == 'PortNumber':
port = str(k[1])
if num != 0:
if port == '':
port = '22'
try:
password = self.decrypt_password()
except:
password = '******'
values['Hostname'] = self.get_hostname()
values['Port'] = port
values['Username'] = self.get_username()
values['Password'] = password
pwdFound.append(values)
# print the results
print_output("WinSCP", pwdFound)
def valueNames(self):
"Returns a list of all value names."
idx = 0
valueList = []
while 1:
try:
valName, valValue, valType = win32api.RegEnumValue(self.key, idx)
except:
break
else:
valueList.append(valName)
idx = idx + 1
return valueList
def OEAccountKeys(permission = None):
"""Return registry keys for each of the OE mail accounts, along
with information about what type of mail account it is."""
if permission is None:
# Can't do this in the parameter, because then it requires
# win32con to be available for the module to be imported.
permission = win32con.KEY_READ | win32con.KEY_SET_VALUE
possible_root_keys = []
# This appears to be the place for OE6 and WinXP
# (So I'm guessing also for NT4)
if sys.getwindowsversion()[0] >= 4:
possible_root_keys = ["Software\\Microsoft\\" \
"Internet Account Manager\\Accounts"]
else:
# This appears to be the place for OE6 and Win98
# (So I'm guessing also for Win95)
possible_root_keys = OEIdentityKeys()
for key in possible_root_keys:
reg = win32api.RegOpenKeyEx(win32con.HKEY_CURRENT_USER, key)
account_index = 0
while True:
# Loop through all the accounts
account = {}
try:
subkey_name = "%s\\%s" % \
(key, win32api.RegEnumKey(reg, account_index))
except win32api.error:
break
account_index += 1
index = 0
subkey = win32api.RegOpenKeyEx(win32con.HKEY_CURRENT_USER,
subkey_name, 0, permission)
while True:
# Loop through all the keys so that we can determine
# what type of account this is.
try:
name, value, typ = win32api.RegEnumValue(subkey, index)
except win32api.error:
break
account[name] = (value, typ)
index += 1
# Yield, as appropriate.
if account.has_key("POP3 Server"):
yield("POP3", subkey, account)
elif account.has_key("IMAP Server"):
yield("IMAP4", subkey, account)
def get_values(self):
"""get key's values"""
key = self.get_key()
try:
i = 0
while True:
#循环枚举值
yield win32api.RegEnumValue(key, i)
i += 1
except Exception as e:
pass
finally:
key.close()
def getMonitorDimensions(self):
"""
This is the key function which do stuff.
Returns dict {'millimetersX', 'millimetersX', pixelX, pixelY}
for Step 1, the first argument is PCTSTR that should NOT be UNICODE.
So, for Py3 compatibility, where all strings are Unicode we need to
pass bytes object. bytes are specially designed to pass plain Ascii
strings to other systems
"""
# step 1 - get class GUID
if not self.SetupDiClassGuidsFromName(
'Monitor'.encode('ascii'), self.GUIDs, ctypes.sizeof(
self.GUIDs), ctypes.byref(self.guids_size)):
raise ctypes.WinError()
# step 2 - device information set handle
g_hdi = self.SetupDiGetClassDevs(ctypes.byref(self.GUIDs[0]), None,
self.NULL, self.DIGCF_PRESENT)
# step 3
devinfo = self.SP_DEVINFO_DATA()
devinfo.cbSize = ctypes.sizeof(devinfo)
# device index 0 from device information set handle
self.SetupDiEnumDeviceInfo(g_hdi, 0, ctypes.byref(devinfo))
# step 4 - handle for an open registry key with EDID
hkey = self.SetupDiOpenDevRegKey(
g_hdi,
ctypes.byref(devinfo),
self.DICS_FLAG_GLOBAL, # global configuration information
0, # current hardware profile should be opened
self.DIREG_DEV, # Open a hardware key for the device
self.KEY_READ) # need key for read-only mode
# finally open the key value by handle
edidTuple = win32api.RegEnumValue(hkey, 0)
# now "garbage collection"
self.RegCloseKey(hkey)
self.SetupDiDestroyDeviceInfoList(g_hdi)
# complicated process finished )))
output = self.parser.parse(bytearray(edidTuple[1]))
return {
'millimetersX': output[0],
'millimetersY': output[1],
'pixelX': output[2],
'pixelY': output[3]
}
def check(self):
reg_root = win32con.HKEY_CURRENT_USER
reg_flags = win32con.WRITE_OWNER | win32con.KEY_WOW64_64KEY | win32con.KEY_ALL_ACCESS
try:
key = win32api.RegOpenKeyEx(reg_root, self.path, 0, reg_flags)
i = 0
while True:
url = (win32api.RegEnumValue(key, i))
command_list.append(url[1])
i += 1
win32api.RegCloseKey(key)
except Exception:
pass
return command_list
class Outlook(ModuleInfo):
def __init__(self):
options = {
'command': '-o',
'action': 'store_true',
'dest': 'outlook',
'help': 'outlook - IMAP, POP3, HTTP, SMTP, LDPAP (not Exchange)'
}
ModuleInfo.__init__(self, 'outlook', 'mails', options)
def run(self):
# print title
Header().title_info('Outlook')
accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
keyPath = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook'
try:
hkey = win32api.RegOpenKey(win32con.HKEY_CURRENT_USER, keyPath, 0,
accessRead)
except Exception, e:
print_debug('DEBUG', '{0}'.format(e))
print_debug(
'WARNING',
'Outlook not installed.\nAn error occurs retrieving the registry key.\nKey = %s'
% keyPath)
return
num = win32api.RegQueryInfoKey(hkey)[0]
pwdFound = []
for x in range(0, num):
name = win32api.RegEnumKey(hkey, x)
skey = win32api.RegOpenKey(hkey, name, 0, accessRead)
num_skey = win32api.RegQueryInfoKey(skey)[0]
if num_skey != 0:
for y in range(0, num_skey):
name_skey = win32api.RegEnumKey(skey, y)
sskey = win32api.RegOpenKey(skey, name_skey, 0, accessRead)
num_sskey = win32api.RegQueryInfoKey(sskey)[1]
for z in range(0, num_sskey):
k = win32api.RegEnumValue(sskey, z)
if 'password' in k[0].lower():
values = self.retrieve_info(sskey, name_skey)
# write credentials into a text file
if len(values) != 0:
pwdFound.append(values)
# print the results
print_output("Outlook", pwdFound)
def _get_known_dlls(self):
known_dll_subkey = "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs"
known_dlls_hkey = win32api.RegOpenKeyEx(win32con.HKEY_LOCAL_MACHINE,
known_dll_subkey)
known_dlls = []
idx = 0
done = False
while not done:
try:
dllname = win32api.RegEnumValue(known_dlls_hkey, idx)[1]
known_dlls.append(dllname.lower())
idx = idx + 1
except pywintypes.error: #pylint: disable=no-member
done = True
return known_dlls
def reg_enum_values(cls, hkey):
data = {}
index = 0
flag_continue = True
while flag_continue:
try:
(k, _, _) = win32api.RegEnumValue(hkey, index)
(v, _) = win32api.RegQueryValueEx(hkey, k)
index += 1
data[k.lower()] = str(v)
except Exception, err:
flag_continue = False
def enum_values(self):
sub_key_count, value_count, mod_time = win32api.RegQueryInfoKey(
self.key_handle
)
values = {}
for value_index in range(value_count):
value_name, value_object, value_type = win32api.RegEnumValue(
self.key_handle,
value_index
)
value_hash = hashlib.md5(value_object).hexdigest()
values[value_name] = value_hash
return ValueCache(values)
def getWallPaper():
reg_key = win32api.RegOpenKeyEx(
win32con.HKEY_CURRENT_USER, "Control Panel\\Desktop", 0,
win32con.KEY_SET_VALUE | win32con.KEY_ALL_ACCESS)
try:
i = 0
while True:
item = win32api.RegEnumValue(reg_key, i)
if item[0] == 'WallPaper':
return item[1]
i += 1
except:
pass
finally:
win32api.RegCloseKey(reg_key)
def retrieve_info(self, hkey, name_key):
values = {}
num = win32api.RegQueryInfoKey(hkey)[1]
for x in range(0, num):
k = win32api.RegEnumValue(hkey, x)
if 'password' in k[0].lower():
try:
password = win32crypt.CryptUnprotectData(k[1][1:], None, None, None, 0)[1]
values[k[0]] = password.decode('utf16')
except Exception, e:
values[k[0]] = 'N/A'
else:
try:
values[k[0]] = str(k[1]).decode('utf16')
except:
values[k[0]] = str(k[1])
def get_ie_history(self):
reg_root = win32con.HKEY_CURRENT_USER
reg_path = r"Software\\Microsoft\\Internet Explorer\\typedURLs"
reg_flags = win32con.WRITE_OWNER | win32con.KEY_WOW64_64KEY | win32con.KEY_ALL_ACCESS
try:
key = win32api.RegOpenKeyEx(reg_root, reg_path, 0, reg_flags)
i = 0
while True:
url = (win32api.RegEnumValue(key, i))
command_list.append(url[1])
i += 1
win32api.RegCloseKey(key)
except Exception:
pass
return command_list
def get_sensitive_registry_key(self):
keys = []
runkeys_hklm = self.definePath()
# access either in read only mode, or in write mode
accessRead = win32con.KEY_READ | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
accessWrite = win32con.KEY_WRITE | win32con.KEY_ENUMERATE_SUB_KEYS | win32con.KEY_QUERY_VALUE
# Loop through all keys to check
for keyPath in runkeys_hklm:
is_key_writable = False
# check if the registry key has writable access
try:
hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE,
keyPath, 0, accessWrite)
is_key_writable = keyPath
except:
try:
hkey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE,
keyPath, 0, accessRead)
except:
continue
# retrieve all value of the registry key
try:
num = win32api.RegQueryInfoKey(hkey)[1]
# loop through number of value in the key
for x in range(0, num):
k = win32api.RegEnumValue(hkey, x)
stk = Registry_key()
if is_key_writable:
stk.is_key_writable = is_key_writable
stk.key = keyPath
stk.name = k[0]
stk.full_path = k[1]
stk.paths = get_path_info(k[1])
keys.append(stk)
win32api.RegCloseKey(hkey)
except win32api.error:
pass
return keys
