Use hivex from Python to read and write Windows Registry “hive” files

I added Python bindings to hivex today.

Here is an example using Python, libguestfs and hivex to download a user's registry hive (NTUSER.DAT, the file behind HKEY_CURRENT_USER) from a Windows virtual machine and print out the Internet Explorer start page for that user. When you run it, it should print something like:

User rjones's IE home page is http://go.microsoft.com/fwlink/?LinkId=69157

This example only downloads and reads values, but libguestfs and hivex can also be used to make changes: open the hive with hivex in write mode, commit it, and upload the modified file back with libguestfs. Never do this to a live guest. Windows keeps its hives open and writes them back itself, and modifying a disk image underneath a running guest corrupts the filesystem.

#!/usr/bin/python3

import os
import sys
import tempfile

import guestfs
import hivex

# The name of a Windows virtual machine on this host.  This
# example script makes some assumptions about the registry
# location and contents which only apply on Windows Vista
# and later versions (on XP the per-user hive lives under
# "Documents and Settings" instead of "Users").
windows_domain = "Win7x32"

# Username on the Windows VM.
username = "rjones"

# Use libguestfs to download the user's hive, i.e. the file
# behind HKEY_CURRENT_USER.  The domain is opened read-only, so
# a running guest cannot be damaged by this script.
g = guestfs.GuestFS ()
g.add_domain (windows_domain, readonly=1)
g.launch ()

roots = g.inspect_os ()
if len (roots) != 1:
    sys.exit ("expected exactly one operating system in %s, found %d"
              % (windows_domain, len (roots)))
root = roots[0]
g.mount_ro (root, "/")

# NTFS paths are case insensitive but the libguestfs API is not,
# so resolve the real case of the path before downloading.
path = "/users/%s/ntuser.dat" % username
path = g.case_sensitive_path (path)

# Download into a private temporary file rather than a fixed
# name in /tmp, which another local user could pre-create.
fd, hivefile = tempfile.mkstemp (prefix="ntuser-", suffix=".dat")
os.close (fd)
g.download (path, hivefile)
g.shutdown ()
g.close ()

# Use hivex to pull out a registry value.  Key names are matched
# case insensitively; node_get_child returns a false value when
# the child does not exist.
h = hivex.Hivex (hivefile)

key = h.root ()
for name in ["Software", "Microsoft", "Internet Explorer", "Main"]:
    key = h.node_get_child (key, name)
    if not key:
        sys.exit ("registry key %s not found in %s" % (name, path))

val = h.node_get_value (key, "Start Page")
if not val:
    sys.exit ("value 'Start Page' not found")

# value_value returns (type, raw bytes).  A REG_SZ value is
# UTF-16LE text with a trailing NUL, so decode it and drop the NUL.
vtype, data = h.value_value (val)
start_page = data.decode ('utf-16le').rstrip ('\0')

print ("User %s's IE home page is %s" % (username, start_page))

os.unlink (hivefile)
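The decoding step at the end of the script (and its inverse, building the bytes you would hand to hivex when writing a value, as mentioned before the script) deserves a more general treatment, because hivex hands back every value as a (type, raw bytes) pair and the caller is responsible for interpreting it. The following is an added example, not code from the post or from hivex itself: it decodes pairs of the shape returned by hivex's value_value() for the common registry value types, tolerating the missing terminators and odd lengths that real hives contain, and encodes Python values back into that shape. The sample start-page value is constructed inline to mimic the IE value the post prints; the type numbers are the standard Windows registry type codes.

```python
import struct

# Windows registry value type codes, the same numbers hivex returns as
# the first element of the value_value() tuple.
REG_NONE = 0
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_BINARY = 3
REG_DWORD = 4
REG_DWORD_BIG_ENDIAN = 5
REG_LINK = 6
REG_MULTI_SZ = 7
REG_QWORD = 11

_STRING_TYPES = (REG_SZ, REG_EXPAND_SZ, REG_LINK)


def _utf16(data):
    # Hives occasionally contain odd-length string values; drop the stray
    # byte rather than fail, and substitute rather than raise on bad
    # surrogates, since the data is untrusted input from a disk image.
    if len(data) % 2:
        data = data[:-1]
    return data.decode("utf-16le", errors="replace")


def _exact(data, n, vtype):
    if len(data) != n:
        raise ValueError("type %d value must be %d bytes, got %d"
                         % (vtype, n, len(data)))
    return data


def decode_value(vtype, data):
    """Turn a (type, raw bytes) pair, as returned by hivex value_value(),
    into a Python str, list of str, int or bytes."""
    if vtype in _STRING_TYPES:
        # UTF-16LE, normally NUL terminated; strip however many NULs
        # are present (zero or more).
        return _utf16(data).rstrip("\0")
    if vtype == REG_MULTI_SZ:
        # NUL-separated strings ending in an empty string (double NUL).
        text = _utf16(data).rstrip("\0")
        return text.split("\0") if text else []
    if vtype == REG_DWORD:
        return struct.unpack("<I", _exact(data, 4, vtype))[0]
    if vtype == REG_DWORD_BIG_ENDIAN:
        return struct.unpack(">I", _exact(data, 4, vtype))[0]
    if vtype == REG_QWORD:
        return struct.unpack("<Q", _exact(data, 8, vtype))[0]
    # REG_BINARY, REG_NONE and unknown types: hand back the raw bytes.
    return bytes(data)


def encode_value(vtype, value):
    """Inverse of decode_value: build the raw bytes for the "value" field
    of the dict passed to hivex node_set_value()."""
    if vtype in _STRING_TYPES:
        return (value + "\0").encode("utf-16le")
    if vtype == REG_MULTI_SZ:
        return ("\0".join(value) + "\0\0").encode("utf-16le")
    if vtype == REG_DWORD:
        return struct.pack("<I", value)
    if vtype == REG_DWORD_BIG_ENDIAN:
        return struct.pack(">I", value)
    if vtype == REG_QWORD:
        return struct.pack("<Q", value)
    return bytes(value)


# Constructed sample: what hivex would return for the IE "Start Page"
# value, i.e. (REG_SZ, UTF-16LE bytes with a trailing NUL).
SAMPLE_START_PAGE = (
    REG_SZ,
    "http://go.microsoft.com/fwlink/?LinkId=69157\0".encode("utf-16le"),
)

if __name__ == "__main__":
    print(decode_value(*SAMPLE_START_PAGE))
```

With hivex opened as `hivex.Hivex(path, write=True)`, the output of `encode_value` is what goes into `h.node_set_value(key, {"key": "Start Page", "t": REG_SZ, "value": ...})` before `h.commit(None)`; the decoder is what the script's last lines do, generalised to the other value types.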

7 responses to “Use hivex from Python to read and write Windows Registry “hive” files”

  1. Stan

    How hard would it be to tweak that example to work on a registry in a locally-mounted NTFS partition instead of a virtual machine?

  2. Thanks.

    This is awesome! I’ve been looking for something to read flat registry files in Python for a long time. Thanks so much for putting the bindings to hivex. Do you mind giving me a quick howto on how to install this if I am not familiar with using git and committing a diff? Thanks so much.

  3. Beth

    This is awesome! I’ve been afraid I was going to have to write python bindings for a registry parser myself. Or, rather, will be once I get it working right…

    I installed hivex on Ubuntu (10.6 I think) using “./configure”, “make”, and “make install”. It has gcc v4.4.5.

    When I go to run the test python, I get the error “ImportError: No module named libhivexmod”. It’s python 2.6. I ran “make install” and it’s not helping. I haven’t found a file named “libhivexmod.py”. Am I missing a step? Thanks!

    • rich

      This is not really the right place for support — if you have problems, try the mailing list. But I can tell you the Python bindings work fine for several users, and it just looks like a Python path problem. The file it is looking for is libhivexmod.so.

      You might ask the Ubuntu developer responsible for packaging hivex to update to a newer version that includes the Python bindings. The current Ubuntu version (1.2.2) is old and contains some potential security problems. They should really be packaging the latest version from git.
