Python Registry Parser
Project description
Regipy is a Python library for parsing offline registry hives.
Requires Python 3.9 or higher.
Features:
- Use as a library:
  - Recurse over the registry hive, from the root or a given path, and get all subkeys and values
  - Read specific subkeys and values
  - Apply transaction logs on a registry hive
- Command Line Tools:
  - Dump an entire registry hive to JSON
  - Apply transaction logs on a registry hive
  - Compare registry hives
  - Execute plugins from a robust plugin system (e.g. amcache, shimcache, extract computer name…)
- Project page:
Using as a library:
```python
from regipy.registry import RegistryHive
from regipy.utils import convert_wintime
from regipy.plugins.utils import run_relevant_plugins
from regipy.plugins.ntuser.ntuser_persistence import NTUserPersistencePlugin

reg = RegistryHive('/Users/martinkorman/Documents/TestEvidence/Registry/Vibranium-NTUSER.DAT')

# Iterate over a registry hive recursively:
for entry in reg.recurse_subkeys(as_json=True):
    print(entry)

# Iterate over a key and get all subkeys and their modification time:
for sk in reg.get_key('Software').get_subkeys():
    print(sk.name, convert_wintime(sk.header.last_modified).isoformat())

# Get values from a specific registry key (raw string: the backslashes are path separators, not escapes):
values = reg.get_key(r'Software\Microsoft\Internet Explorer\BrowserEmulation').get_values(as_json=True)

# Use plugins:
NTUserPersistencePlugin(reg, as_json=True).run()

# Run all validated plugins on a registry hive:
run_relevant_plugins(reg, as_json=True)

# Include unvalidated plugins (may return incomplete/inaccurate data):
run_relevant_plugins(reg, as_json=True, include_unvalidated=True)
```
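As an added example (not code from the regipy project or its README) of what the `convert_wintime(sk.header.last_modified)` line above does, the block below converts a raw Windows FILETIME to an aware UTC datetime and uses it to narrow a key's subkeys to those modified inside an incident window. It assumes `sk.header.last_modified` is the raw 64-bit FILETIME integer; the regipy-backed helper `triage_hive_subkeys` is hypothetical and only needs regipy when called with a real hive.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, which is what a
# key header's last_modified field holds (assumption: regipy exposes it as a raw int).
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a raw 64-bit FILETIME to a timezone-aware UTC datetime."""
    if not 0 <= filetime < 2 ** 63:
        raise ValueError(f"FILETIME out of range: {filetime}")
    try:
        # Integer division to microseconds avoids float rounding on large tick counts.
        return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)
    except OverflowError as exc:
        # Values past year 9999 are almost certainly corrupt or tampered header data.
        raise ValueError(f"FILETIME beyond datetime range: {filetime}") from exc

def keys_modified_in_window(subkeys, start: datetime, end: datetime):
    """Return (name, timestamp) for every (name, raw FILETIME) pair with start <= ts <= end,
    oldest first, to narrow a hive to keys touched around a suspected incident time."""
    hits = []
    for name, filetime in subkeys:
        ts = filetime_to_datetime(filetime)
        if start <= ts <= end:
            hits.append((name, ts))
    return sorted(hits, key=lambda hit: hit[1])

def triage_hive_subkeys(hive_path: str, key_path: str, start: datetime, end: datetime):
    """Hypothetical helper: the same window check over a real hive via regipy's API as
    shown above. The import is deferred so the pure functions run without regipy."""
    from regipy.registry import RegistryHive
    reg = RegistryHive(hive_path)
    subkeys = [(sk.name, sk.header.last_modified) for sk in reg.get_key(key_path).get_subkeys()]
    return keys_modified_in_window(subkeys, start, end)

# Constructed sample input, not data taken from a real hive.
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000  # 1970-01-01T00:00:00Z
DAY_TICKS = 86_400 * 10_000_000
SAMPLE_SUBKEYS = [
    ("Microsoft", UNIX_EPOCH_FILETIME),
    ("Classes", UNIX_EPOCH_FILETIME + DAY_TICKS),
    ("VendorX", UNIX_EPOCH_FILETIME + 90 * DAY_TICKS),
]

if __name__ == "__main__":
    start = filetime_to_datetime(UNIX_EPOCH_FILETIME)
    for name, ts in keys_modified_in_window(SAMPLE_SUBKEYS, start, start + timedelta(days=1)):
        print(name, ts.isoformat())
```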
Install
Install regipy together with the command line tools' dependencies (quoted so the shell does not expand the brackets):
```shell
pip install 'regipy[cli]'
```
NOTE: installing regipy[cli] rather than plain regipy to get the command line tools is a significant change from version 1.9.x.
To use regipy only as a library, install plain regipy, which pulls in fewer dependencies:
```shell
pip install regipy
```
Plugin Validation
Regipy plugins are validated using test cases to ensure they return accurate data. By default, only validated plugins are executed when using run_relevant_plugins() or the CLI tools.
To include unvalidated plugins (which may return incomplete or inaccurate data):
```python
# As a library:
run_relevant_plugins(reg, as_json=True, include_unvalidated=True)
```
```shell
# CLI:
regipy-plugins-run /path/to/hive -o output.json --include-unvalidated
```
Unvalidated plugins will log a warning when executed. Use them at your own discretion.
Available Plugins
NTUSER Plugins:
- user_assist - Parses User Assist execution history
- typed_urls - Retrieves typed URLs from IE history
- typed_paths - Retrieves typed file paths
- ntuser_persistence - Retrieves persistence entries (Run, RunOnce, etc.)
- shellbag_plugin - Parses Shellbag items
- network_drives_plugin - Retrieves mapped network drives
- terminal_services_history - Parses RDP/Terminal Server client data
- winrar_plugin - Parses WinRAR archive history
- winscp_saved_sessions - Retrieves WinSCP saved sessions
- word_wheel_query - Parses Windows Search word wheel query
- wsl - Gets WSL distribution information
- installed_programs_ntuser - Retrieves installed programs
- ntuser_classes_installer - Parses class installer information
- recentdocs - Parses recently opened documents
- comdlg32 - Parses Open/Save dialog MRU lists
- runmru - Parses Run dialog MRU list
- muicache - Parses MUI Cache (application display names)
- appkeys - Parses application keyboard shortcuts
- sysinternals - Parses Sysinternals tools EULA acceptance
- putty - Parses PuTTY sessions and SSH host keys
SOFTWARE Plugins:
- installed_programs_software - Retrieves installed programs
- profilelist_plugin - Parses user profile information
- uac_plugin - Gets User Account Control settings
- winver_plugin - Gets OS version information
- last_logon_plugin - Gets last logon information
- image_file_execution_options - Retrieves IFEO entries
- print_demon_plugin - Gets installed printer ports
- ras_tracing - Gets tracing/debugging configuration
- disablesr_plugin - Gets system restore disable status
- spp_clients_plugin - Determines volumes monitored by VSS
- susclient_plugin - Extracts Windows Update client info
- software_classes_installer - Parses class installer information
- software_plugin - Retrieves persistence entries
- app_paths - Parses application paths registry entries
- appinit_dlls - Parses AppInit_DLLs persistence entries
- appcert_dlls - Parses AppCertDLLs persistence entries
- appcompat_flags - Parses application compatibility flags
- windows_defender - Parses Windows Defender configuration
- powershell_logging - Parses PowerShell logging configuration
- execution_policy - Parses PowerShell execution policies
- networklist - Parses network connection history
SYSTEM Plugins:
- shimcache - Parses Shimcache/AppCompatCache
- services - Enumerates services and parameters
- usbstor_plugin - Parses connected USB storage devices
- background_activity_moderator - Gets BAM execution data
- network_data - Gets network interface configuration
- routes - Gets network routes
- computer_name - Gets the computer name
- timezone_data / timezone_data2 - Gets timezone configuration
- safeboot_configuration - Gets safeboot configuration
- active_control_set - Gets the active control set
- backuprestore_plugin - Gets backup/restore exclusion entries
- processor_architecture - Gets processor architecture info
- previous_winver_plugin - Gets previous Windows version info
- codepage - Gets system codepage information
- host_domain_name - Gets host and domain name
- crash_dump - Gets crash control information
- diag_sr - Gets diagnostic system restore information
- disable_last_access - Gets LastAccessTime disable status
- wdigest - Gets WDIGEST authentication configuration
- bootkey - Extracts the Windows boot key
- shutdown - Gets shutdown time data
- usb_devices - Parses USB device connection history
- mounted_devices - Parses mounted device information
- shares - Parses network share configuration
- pagefile - Parses pagefile configuration
- lsa_packages - Parses LSA security packages
- pending_file_rename - Parses pending file rename operations
SAM Plugins:
- local_sid - Extracts the machine local SID
- samparse - Parses user accounts from SAM hive
SECURITY Plugins:
- domain_sid - Extracts domain name and SID
AMCACHE Plugins:
- amcache - Parses Amcache application execution history
BCD Plugins:
- boot_entry_list - Lists Windows BCD boot entries
USRCLASS Plugins:
- usrclass_shellbag_plugin - Parses USRCLASS Shellbag items
File details
Details for the file regipy-6.2.1.tar.gz.
File metadata
- Download URL: regipy-6.2.1.tar.gz
- Upload date:
- Size: 101.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 4e09623cdeb23ba4ad9bd73a0f107c9c60aab2fe9a5dea0ba48c71af1e070dfd |
| MD5 | 3c013d2f502f5e3d1af5532f202eba83 |
| BLAKE2b-256 | ba80dd0a588b1762c9e1016f96ae59e3c984269cbcc94ca7b63a3d097bb96416 |
File details
Details for the file regipy-6.2.1-py3-none-any.whl.
File metadata
- Download URL: regipy-6.2.1-py3-none-any.whl
- Upload date:
- Size: 134.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | b03110e5c4e12385e1ba53c032ccd120c6dcde1b71afb8c3b7aa4717a5a24e43 |
| MD5 | 2311acd99477d730ad7988b5919ac871 |
| BLAKE2b-256 | 65ebdb13ab9b8d54e04f42b6619acca417ee37b07eb141a54884d13d20d7459e |