From 8d9d6e5ffb333445fdebfcc3d515ab359d2c21db Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Thu, 7 Mar 2024 05:14:56 +0100
Subject: [PATCH] Changes for handling virtual keys (#229)
---
 config/dpkg/changelog | 4 ++--
 dfwinreg/__init__.py | 2 +-
 dfwinreg/registry.py | 17 +++++++++++------
 setup.cfg | 2 +-
 4 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/config/dpkg/changelog b/config/dpkg/changelog
index 0bb5d38..b61a775 100644
--- a/config/dpkg/changelog
+++ b/config/dpkg/changelog
@@ -1,5 +1,5 @@
-dfwinreg (20240301-1) unstable; urgency=low
+dfwinreg (20240306-1) unstable; urgency=low
 * Auto-generated
- -- Log2Timeline maintainers Fri, 01 Mar 2024 10:40:04 +0100
+ -- Log2Timeline maintainers Wed, 06 Mar 2024 20:50:52 +0100
diff --git a/dfwinreg/__init__.py b/dfwinreg/__init__.py
index 0bdd9ac..4efe915 100644
--- a/dfwinreg/__init__.py
+++ b/dfwinreg/__init__.py
@@ -5,4 +5,4 @@
 provides read-only access to Windows Registry objects.
 """
-__version__ = '20240301'
+__version__ = '20240306'
diff --git a/dfwinreg/registry.py b/dfwinreg/registry.py
index 8d9ebcd..322b205 100644
--- a/dfwinreg/registry.py
+++ b/dfwinreg/registry.py
@@ -112,7 +112,7 @@ class WinRegistry(object):
 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\'
 'ProfileList')
- _USER_SOFTWARE_CLASSES_KEY_PATH = 'HKEY_CURRENT_USER\\Software\\Classes'
+ _USER_SOFTWARE_CLASSES_KEY_PATH = 'HKEY_CURRENT_USER\\SOFTWARE\\CLASSES'
 # TODO: add support for HKEY_CLASSES_ROOT
 # TODO: add support for HKEY_CURRENT_CONFIG
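Review bot: The new upper-case value of `_USER_SOFTWARE_CLASSES_KEY_PATH` carries no comment saying why the casing matters, so it reads like a cosmetic change that a later edit could revert. In this commit the constant is compared with `==` against the prefix returned by `_GetFileByPath` in MapFile, which appears to be upper case; a line such as `# Upper case, since it is compared against the mapped key path prefix.` above the assignment would record that. Other uses of the constant are outside the hunk, so it is worth checking that none of them still expects the mixed-case form.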
@@ -582,11 +582,16 @@ def MapFile(self, key_path_prefix, registry_file):
 # key in the file.
 if key_path_prefix_upper == 'HKEY_CURRENT_USER' and isinstance(
 registry_file, regf.REGFWinRegistryFile):
- registry_key = self.GetKeyByPath(self._USER_SOFTWARE_CLASSES_KEY_PATH)
- if registry_key and isinstance(registry_key, regf.REGFWinRegistryKey):
- # pylint: disable=protected-access
- pyregf_key = registry_key._pyregf_key
- registry_file.AddVirtualKey('\\Software\\Classes', pyregf_key)
+ key_path_prefix_upper, usrclass_registry_file = self._GetFileByPath(
+ self._USER_SOFTWARE_CLASSES_KEY_PATH)
+ if (key_path_prefix_upper == self._USER_SOFTWARE_CLASSES_KEY_PATH and
+ usrclass_registry_file is not None):
+ registry_key = usrclass_registry_file.GetKeyByPath(
+ '\\Software\\Classes')
+ if registry_key and isinstance(registry_key, regf.REGFWinRegistryKey):
+ # pylint: disable=protected-access
+ pyregf_key = registry_key._pyregf_key
+ registry_file.AddVirtualKey('\\Software\\Classes', pyregf_key)
 # If HKEY_LOCAL_MACHINE\\System set HKEY_LOCAL_MACHINE\\System\\
 # CurrentControlSet as a virtual key in the file.
diff --git a/setup.cfg b/setup.cfg
index 787795c..6287734 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,6 +1,6 @@
 [metadata]
 name = dfwinreg
-version = 20240301
+version = 20240306
 description = Digital Forensics Windows Registry (dfWinReg).
 long_description = dfWinReg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects. The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
 long_description_content_type = text/plain
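Review bot: In the MapFile hunk the tuple returned by `self._GetFileByPath(...)` is unpacked into `key_path_prefix_upper`, which overwrites the prefix of the file being mapped. The HKEY_LOCAL_MACHINE\\System handling starts right after the hunk, outside the visible lines, and any code there that still reads that name would see the lookup result instead. A separate local keeps the two apart: `usrclass_key_path_prefix, usrclass_registry_file = self._GetFileByPath(` and `if (usrclass_key_path_prefix == self._USER_SOFTWARE_CLASSES_KEY_PATH and`. Separately, when no file is mapped at that path the virtual key is skipped without any trace, so whether HKEY_CURRENT_USER\\Software\\Classes resolves appears to depend on the order in which files are mapped. For forensic use that is worth a comment above the block, for example `# Only applies when the Software\\Classes file was mapped before this one.`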