Full Code of libyal/winreg-kb for AI

Repository: libyal/winreg-kb
Branch: main
Commit: 86dfd461ed7f
Files: 200
Total size: 63.0 MB

Directory structure:
gitextract_od6kibol/

├── .github/
│   └── workflows/
│       ├── test_docker.yml
│       ├── test_docs.yml
│       ├── test_macos.yml
│       └── test_tox.yml
├── .gitignore
├── .pylintrc
├── .readthedocs.yaml
├── .yamllint.yaml
├── ACKNOWLEDGEMENTS
├── AUTHORS
├── LICENSE
├── MANIFEST.in
├── MANIFEST.test_data.in
├── README.md
├── appveyor.yml
├── config/
│   ├── appveyor/
│   │   └── install.ps1
│   ├── dpkg/
│   │   ├── changelog
│   │   ├── clean
│   │   ├── compat
│   │   ├── control
│   │   ├── copyright
│   │   ├── python3-winregrc.install
│   │   ├── rules
│   │   └── source/
│   │       └── format
│   └── pylint/
│       └── spelling-private-dict
├── dependencies.ini
├── docs/
│   ├── conf.py
│   ├── index.rst
│   ├── requirements.txt
│   └── sources/
│       ├── EventLog-keys.md
│       ├── api/
│       │   ├── modules.rst
│       │   ├── winregrc.rst
│       │   └── winregrc.scripts.rst
│       ├── application-keys/
│       │   ├── 7-Zip.md
│       │   ├── CCleaner.md
│       │   ├── MSDN-web-browser.md
│       │   ├── Microsoft-Office.md
│       │   ├── Terminal-server-client.md
│       │   ├── WinRAR.md
│       │   └── index.rst
│       ├── explorer-keys/
│       │   ├── Bit-bucket.md
│       │   ├── Control-panel-item-identifiers.md
│       │   ├── Delegate-folders.md
│       │   ├── Known-folder-identifiers.md
│       │   ├── MUI-cache.md
│       │   ├── Most-recently-used.md
│       │   ├── Mount-points.md
│       │   ├── Program-cache.md
│       │   ├── Shell-folders.md
│       │   ├── Typed-paths.md
│       │   ├── User-assist.md
│       │   └── index.rst
│       ├── internet-explorer-keys/
│       │   ├── Browser-helper-objects.md
│       │   ├── Policies.md
│       │   ├── Types-URLs.md
│       │   └── index.rst
│       ├── security-accounts-manager-keys/
│       │   ├── Domains.md
│       │   ├── Security-accounts-manager.md
│       │   └── index.rst
│       ├── system-keys/
│       │   ├── Application-compatibility-cache.md
│       │   ├── Background-activity-moderator.md
│       │   ├── Boot-verification.md
│       │   ├── COM-class-identifiers.md
│       │   ├── Cached-credentials.md
│       │   ├── Certificates.md
│       │   ├── Codepage.md
│       │   ├── Current-control-set.md
│       │   ├── Environment-variables.md
│       │   ├── File-system.md
│       │   ├── Language.md
│       │   ├── Local-security-authority.md
│       │   ├── Mounted-devices.md
│       │   ├── Prefetch.md
│       │   ├── Run-and-RunOnce.md
│       │   ├── Services-and-drivers.md
│       │   ├── Session-manager.md
│       │   ├── Shell-folder-identifiers.md
│       │   ├── System-restore.md
│       │   ├── Task-scheduler.md
│       │   ├── Time-zones.md
│       │   ├── USB-storage.md
│       │   ├── Volume-shadow-copies.md
│       │   ├── Windows-error-reporting.md
│       │   ├── Windows-product-information.md
│       │   ├── Windows-system-locations.md
│       │   └── index.rst
│       └── windows-registry/
│           ├── Files.md
│           ├── Hives.md
│           ├── MUI-form.md
│           └── index.rst
├── pyproject.toml
├── run_tests.py
├── test_data/
│   ├── NTUSER.DAT.LOG
│   ├── SAM
│   ├── SECURITY
│   ├── SOFTWARE
│   └── SYSTEM
├── test_dependencies.ini
├── tests/
│   ├── __init__.py
│   ├── appcompatcache.py
│   ├── application_identifiers.py
│   ├── cached_credentials.py
│   ├── data_format.py
│   ├── environment_variables.py
│   ├── eventlog_providers.py
│   ├── filters.py
│   ├── hexdump.py
│   ├── interface.py
│   ├── knownfolders.py
│   ├── mounted_devices.py
│   ├── mru.py
│   ├── msie_zone_info.py
│   ├── output_writer.py
│   ├── profiles.py
│   ├── programscache.py
│   ├── sam.py
│   ├── services.py
│   ├── shellfolders.py
│   ├── sysinfo.py
│   ├── task_cache.py
│   ├── test_lib.py
│   ├── type_libraries.py
│   └── userassist.py
├── tox.ini
├── utils/
│   ├── __init__.py
│   ├── check_dependencies.py
│   ├── dependencies.py
│   └── update_release.sh
├── winreg-kb.ini
└── winregrc/
    ├── __init__.py
    ├── appcompatcache.py
    ├── appcompatcache.yaml
    ├── application_identifiers.py
    ├── cached_credentials.py
    ├── catalog.py
    ├── controlpanel_items.py
    ├── data/
    │   └── observed_shellfolders.yaml
    ├── data_format.py
    ├── delegatefolders.py
    ├── environment_variables.py
    ├── errors.py
    ├── eventlog_providers.py
    ├── filters.py
    ├── hexdump.py
    ├── interface.py
    ├── knownfolders.py
    ├── mounted_devices.py
    ├── mounted_devices.yaml
    ├── mru.py
    ├── mru.yaml
    ├── msie_zone_info.py
    ├── output_writers.py
    ├── profiles.py
    ├── programscache.py
    ├── programscache.yaml
    ├── sam.py
    ├── sam.yaml
    ├── scripts/
    │   ├── __init__.py
    │   ├── appcompatcache.py
    │   ├── application_identifiers.py
    │   ├── cached_credentials.py
    │   ├── catalog.py
    │   ├── controlpanel_items.py
    │   ├── delegatefolders.py
    │   ├── environment_variables.py
    │   ├── eventlog_providers.py
    │   ├── knownfolders.py
    │   ├── mounted_devices.py
    │   ├── mru.py
    │   ├── msie_zone_info.py
    │   ├── profiles.py
    │   ├── programscache.py
    │   ├── sam.py
    │   ├── services.py
    │   ├── shellfolders.py
    │   ├── srum_extensions.py
    │   ├── sysinfo.py
    │   ├── syskey.py
    │   ├── task_cache.py
    │   ├── time_zones.py
    │   ├── type_libraries.py
    │   ├── usbstor.py
    │   └── userassist.py
    ├── services.py
    ├── shell_property_keys.py
    ├── shellfolders.py
    ├── srum_extensions.py
    ├── sysinfo.py
    ├── syskey.py
    ├── task_cache.py
    ├── task_cache.yaml
    ├── time_zone_information.yaml
    ├── time_zones.py
    ├── type_libraries.py
    ├── usbstor.py
    ├── usbstor.yaml
    ├── userassist.py
    ├── userassist.yaml
    ├── versions.py
    └── volume_scanner.py

================================================
FILE CONTENTS
================================================

================================================
FILE: .github/workflows/test_docker.yml
================================================
# Run tests on Fedora and Ubuntu Docker images using GIFT COPR and GIFT PPA on commit
name: test_docker
# Runs on every push to any branch; pull_request events do not trigger this
# workflow.
on: [push]
# read-all gives the job token read access to every permission scope and write
# access to none.
# NOTE(review): the steps in this file only check out the repository and run
# local commands, so a narrower grant such as "contents: read" looks
# sufficient - confirm before tightening.
permissions: read-all
jobs:
  # Runs the unit tests, the optional end-to-end tests and the sdist/wheel
  # builds inside a Fedora container.
  test_fedora:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        version: ['43']
    container:
      # The image is selected by tag, not by digest, so the content behind the
      # tag can change between runs.
      image: registry.fedoraproject.org/fedora:${{ matrix.version }}
    steps:
    # The action is referenced by its v6 tag rather than a full commit SHA.
    - uses: actions/checkout@v6
    - name: Set up container
      run: |
        dnf install -y dnf-plugins-core langpacks-en
    # Enables the @gift/dev COPR repository before installing the dependencies,
    # so packages may be resolved from it. No package versions are pinned; the
    # job trusts whatever the enabled repositories serve at run time.
    - name: Install dependencies
      run: |
        dnf copr -y enable @gift/dev
        dnf install -y @development-tools libbde-python3 libcaes-python3 libcreg-python3 libewf-python3 libfcrypto-python3 libfsapfs-python3 libfsext-python3 libfsfat-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwnt-python3 libfwps-python3 libfwsi-python3 libhmac-python3 libluksde-python3 libmodi-python3 libphdi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsapm-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 python3 python3-acstore python3-artifacts python3-build python3-devel python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-dtfabric python3-pytsk3 python3-pyyaml python3-setuptools python3-wheel python3-xattr
    - name: Run tests
      env:
        LANG: C.utf8
      run: |
        python3 ./run_tests.py
    # Guarded by "test -f": when tests/end-to-end.py does not exist the step
    # does nothing and still succeeds.
    - name: Run end-to-end tests
      run: |
        if test -f tests/end-to-end.py; then PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; fi
    # --no-isolation builds against the packages already installed in the
    # container instead of creating a separate build environment.
    - name: Build source distribution (sdist)
      run: |
        python3 -m build --no-isolation --sdist
    - name: Build binary distribution (wheel)
      run: |
        python3 -m build --no-isolation --wheel
  # Runs the unit tests, the optional end-to-end tests and the sdist/wheel
  # builds inside an Ubuntu container.
  test_ubuntu:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        version: ['26.04']
    container:
      # The image is selected by tag, not by digest, so the content behind the
      # tag can change between runs.
      image: ubuntu:${{ matrix.version }}
    steps:
    # The action is referenced by its v6 tag rather than a full commit SHA.
    - uses: actions/checkout@v6
    # Installs locale tooling and software-properties-common (which provides
    # add-apt-repository), generates the en_US.UTF-8 locale and points
    # /etc/localtime at UTC.
    - name: Set up container
      env:
        DEBIAN_FRONTEND: noninteractive
      run: |
        apt-get update -q
        apt-get install -y libterm-readline-gnu-perl locales software-properties-common
        locale-gen en_US.UTF-8
        ln -f -s /usr/share/zoneinfo/UTC /etc/localtime
    # Adds the ppa:gift/dev package archive before installing the
    # dependencies, so packages may be resolved from it. No package versions
    # are pinned; the job trusts whatever the configured archives serve at run
    # time.
    - name: Install dependencies
      run: |
        add-apt-repository -y ppa:gift/dev
        apt-get update -q
        apt-get install -y build-essential libbde-python3 libcaes-python3 libcreg-python3 libewf-python3 libfcrypto-python3 libfsapfs-python3 libfsext-python3 libfsfat-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwnt-python3 libfwps-python3 libfwsi-python3 libhmac-python3 libluksde-python3 libmodi-python3 libphdi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsapm-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 python3 python3-acstore python3-artifacts python3-build python3-dev python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-dtfabric python3-pip python3-pytsk3 python3-setuptools python3-venv python3-wheel python3-xattr python3-yaml
    - name: Run tests
      env:
        LANG: en_US.UTF-8
      run: |
        python3 ./run_tests.py
    # Guarded by "test -f": when tests/end-to-end.py does not exist the step
    # does nothing and still succeeds.
    - name: Run end-to-end tests
      env:
        LANG: en_US.UTF-8
      run: |
        if test -f tests/end-to-end.py; then PYTHONPATH=. python3 ./tests/end-to-end.py --debug -c config/end-to-end.ini; fi
    # --no-isolation builds against the packages already installed in the
    # container instead of creating a separate build environment.
    - name: Build source distribution (sdist)
      run: |
        python3 -m build --no-isolation --sdist
    - name: Build binary distribution (wheel)
      run: |
        python3 -m build --no-isolation --wheel


================================================
FILE: .github/workflows/test_docs.yml
================================================
# Run docs tox tests on Ubuntu Docker images using the deadsnakes and GIFT PPAs
name: test_docs
# Runs for pull requests that target main and for pushes to main.
on:
  pull_request:
    branches:
    - main
  push:
    branches:
    - main
# read-all gives the job token read access to every permission scope and write
# access to none.
permissions: read-all
jobs:
  # Single job: installs the dependencies in an ubuntu:24.04 container and runs
  # the "docs" tox environment.
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ['3.12']
    container:
      # The image is selected by tag, not by digest.
      image: ubuntu:24.04
    steps:
    # The action is referenced by its v6 tag rather than a full commit SHA.
    - uses: actions/checkout@v6
    - name: Set up container
      env:
        DEBIAN_FRONTEND: noninteractive
      run: |
        apt-get update -q
        apt-get install -y libterm-readline-gnu-perl locales software-properties-common
        locale-gen en_US.UTF-8
        ln -f -s /usr/share/zoneinfo/UTC /etc/localtime
    # Adds the universe component and the deadsnakes and gift/dev PPAs before
    # installing; no package versions are pinned, so the job trusts whatever
    # those archives serve at run time.
    # The ${{ matrix.python-version }} values expanded into the command below
    # come from the static matrix in this file, not from event data.
    - name: Install dependencies
      env:
        DEBIAN_FRONTEND: noninteractive
      run: |
        add-apt-repository -y universe
        add-apt-repository -y ppa:deadsnakes/ppa
        add-apt-repository -y ppa:gift/dev
        apt-get update -q
        apt-get install -y build-essential git libffi-dev pkg-config python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv libbde-python3 libcaes-python3 libcreg-python3 libewf-python3 libfcrypto-python3 libfsapfs-python3 libfsext-python3 libfsfat-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwnt-python3 libfwps-python3 libfwsi-python3 libhmac-python3 libluksde-python3 libmodi-python3 libphdi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsapm-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 python3-acstore python3-artifacts python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-dtfabric python3-pip python3-pytsk3 python3-setuptools python3-xattr python3-yaml tox
    - name: Run tests
      env:
        LANG: en_US.UTF-8
      run: |
        tox -e docs


================================================
FILE: .github/workflows/test_macos.yml
================================================
# Run tests on Mac OS.
name: test_macos
# Runs on every push and on every pull_request event.
on: [push, pull_request]
# read-all gives the job token read access to every permission scope and write
# access to none.
permissions: read-all
jobs:
  # Single job: installs the build tools with Homebrew on the runner and runs
  # the tox environment named in the matrix entry.
  test_macos:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        include:
        - os: macos-26
          python-version: '3.14'
          toxenv: 'py314'
    steps:
    # The action is referenced by its v6 tag rather than a full commit SHA.
    - uses: actions/checkout@v6
    # "|| true" makes the brew install command succeed even when it fails, so a
    # missing package would only surface in a later command or step.
    # NOTE(review): presumably a workaround for brew exiting non-zero in
    # harmless cases - confirm it is still needed.
    - name: Install dependencies
      run: |
        brew update -q
        brew install -q gettext gnu-sed python@${{ matrix.python-version }} tox || true
        brew link --force gettext
    # The toxenv value comes from the static matrix above, not from event data.
    - name: Run tests
      run: |
        tox -e ${{ matrix.toxenv }}


================================================
FILE: .github/workflows/test_tox.yml
================================================
# Run tox tests on Ubuntu Docker images using the deadsnakes and GIFT PPAs
name: test_tox
# Runs for pull requests that target main and for pushes to main.
on:
  pull_request:
    branches:
    - main
  push:
    branches:
    - main
# read-all gives the job token read access to every permission scope and write
# access to none. It applies to every job in this workflow, including the one
# that passes a repository secret to a third-party action.
permissions: read-all
jobs:
  # Runs the per-version tox environment plus the "wheel" environment for each
  # Python version listed in the matrix, inside an ubuntu:24.04 container.
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Each entry pairs a Python version with the tox environment to run.
        include:
        - python-version: '3.10'
          toxenv: 'py310'
        - python-version: '3.11'
          toxenv: 'py311'
        - python-version: '3.12'
          toxenv: 'py312'
        - python-version: '3.13'
          toxenv: 'py313'
        - python-version: '3.14'
          toxenv: 'py314'
    container:
      # The image is selected by tag, not by digest.
      image: ubuntu:24.04
    steps:
    # The action is referenced by its v6 tag rather than a full commit SHA.
    - uses: actions/checkout@v6
    - name: Set up container
      env:
        DEBIAN_FRONTEND: noninteractive
      run: |
        apt-get update -q
        apt-get install -y libterm-readline-gnu-perl locales software-properties-common
        locale-gen en_US.UTF-8
        ln -f -s /usr/share/zoneinfo/UTC /etc/localtime
    # Adds the universe component and the deadsnakes and gift/dev PPAs before
    # installing; no package versions are pinned, so the job trusts whatever
    # those archives serve at run time.
    # The ${{ matrix.python-version }} values expanded into the command below
    # come from the static matrix above, not from event data.
    - name: Install dependencies
      env:
        DEBIAN_FRONTEND: noninteractive
      run: |
        add-apt-repository -y universe
        add-apt-repository -y ppa:deadsnakes/ppa
        add-apt-repository -y ppa:gift/dev
        apt-get update -q
        apt-get install -y build-essential git libffi-dev pkg-config python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv libbde-python3 libcaes-python3 libcreg-python3 libewf-python3 libfcrypto-python3 libfsapfs-python3 libfsext-python3 libfsfat-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwnt-python3 libfwps-python3 libfwsi-python3 libhmac-python3 libluksde-python3 libmodi-python3 libphdi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsapm-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 python3-acstore python3-artifacts python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-dtfabric python3-pip python3-pytsk3 python3-setuptools python3-xattr python3-yaml tox
    - name: Run tests
      env:
        LANG: en_US.UTF-8
      run: |
        tox -e ${{ matrix.toxenv }},wheel
  # Runs the "coverage" tox environment in an ubuntu:24.04 container and hands
  # the result to the Codecov action.
  coverage:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ['3.12']
    container:
      # The image is selected by tag, not by digest.
      image: ubuntu:24.04
    steps:
    # The action is referenced by its v6 tag rather than a full commit SHA.
    - uses: actions/checkout@v6
    - name: Set up container
      env:
        DEBIAN_FRONTEND: noninteractive
      run: |
        apt-get update -q
        apt-get install -y libterm-readline-gnu-perl locales software-properties-common
        locale-gen en_US.UTF-8
        ln -f -s /usr/share/zoneinfo/UTC /etc/localtime
    # Adds the universe component and the deadsnakes and gift/dev PPAs before
    # installing; no package versions are pinned, so the job trusts whatever
    # those archives serve at run time. This job's package list also includes
    # curl.
    - name: Install dependencies
      env:
        DEBIAN_FRONTEND: noninteractive
      run: |
        add-apt-repository -y universe
        add-apt-repository -y ppa:deadsnakes/ppa
        add-apt-repository -y ppa:gift/dev
        apt-get update -q
        apt-get install -y build-essential curl git libffi-dev pkg-config python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv libbde-python3 libcaes-python3 libcreg-python3 libewf-python3 libfcrypto-python3 libfsapfs-python3 libfsext-python3 libfsfat-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwnt-python3 libfwps-python3 libfwsi-python3 libhmac-python3 libluksde-python3 libmodi-python3 libphdi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsapm-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 python3-acstore python3-artifacts python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-dtfabric python3-pip python3-pytsk3 python3-setuptools python3-xattr python3-yaml tox
    - name: Run tests with coverage
      env:
        LANG: en_US.UTF-8
      run: |
        tox -e coverage
    # This is the only step in the job that receives a repository secret, and
    # it passes it to a third-party action referenced by tag (v6) rather than a
    # full commit SHA; pinning matters most for actions that are given secrets.
    # GitHub does not provide repository secrets to workflows triggered by pull
    # requests from forks, so the token is empty on those runs.
    # NOTE(review): confirm the upload behaves as intended in that case.
    - name: Upload coverage report to Codecov
      uses: codecov/codecov-action@v6
      with:
        token: ${{ secrets.CODECOV_TOKEN }}
  # Runs the "lint" tox environment in an ubuntu:24.04 container.
  lint:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ['3.12']
    container:
      # The image is selected by tag, not by digest.
      image: ubuntu:24.04
    steps:
    # The action is referenced by its v6 tag rather than a full commit SHA.
    - uses: actions/checkout@v6
    - name: Set up container
      env:
        DEBIAN_FRONTEND: noninteractive
      run: |
        apt-get update -q
        apt-get install -y libterm-readline-gnu-perl locales software-properties-common
        locale-gen en_US.UTF-8
        ln -f -s /usr/share/zoneinfo/UTC /etc/localtime
    # Adds the universe component and the deadsnakes and gift/dev PPAs before
    # installing; no package versions are pinned, so the job trusts whatever
    # those archives serve at run time.
    - name: Install dependencies
      env:
        DEBIAN_FRONTEND: noninteractive
      run: |
        add-apt-repository -y universe
        add-apt-repository -y ppa:deadsnakes/ppa
        add-apt-repository -y ppa:gift/dev
        apt-get update -q
        apt-get install -y build-essential git libffi-dev pkg-config python${{ matrix.python-version }} python${{ matrix.python-version }}-dev python${{ matrix.python-version }}-venv libbde-python3 libcaes-python3 libcreg-python3 libewf-python3 libfcrypto-python3 libfsapfs-python3 libfsext-python3 libfsfat-python3 libfshfs-python3 libfsntfs-python3 libfsxfs-python3 libfvde-python3 libfwnt-python3 libfwps-python3 libfwsi-python3 libhmac-python3 libluksde-python3 libmodi-python3 libphdi-python3 libqcow-python3 libregf-python3 libsigscan-python3 libsmdev-python3 libsmraw-python3 libvhdi-python3 libvmdk-python3 libvsapm-python3 libvsgpt-python3 libvshadow-python3 libvslvm-python3 python3-acstore python3-artifacts python3-dfdatetime python3-dfimagetools python3-dfvfs python3-dfwinreg python3-dtfabric python3-pip python3-pytsk3 python3-setuptools python3-xattr python3-yaml tox
    - name: Run linter
      env:
        LANG: en_US.UTF-8
      run: |
        tox -e lint


================================================
FILE: .gitignore
================================================
# Files to ignore by git

# Back-up files
*~
*.swp

# Generic auto-generated build files
*.pyc
*.pyo

# Specific auto-generated build files
/.tox
/__pycache__
/build
/dist
/MANIFEST.test_data
/winregrc.egg-info



================================================
FILE: .pylintrc
================================================
# Pylint 3.2.x configuration file
#
# This file is generated by l2tdevtools update-dependencies.py, any dependency
# related changes should be made in dependencies.ini.
[MAIN]

# Analyse import fallback blocks. This can be used to support both Python 2 and
# 3 compatible code, which means that the block might have code that exists
# only in one or another interpreter, leading to false positives when analysed.
analyse-fallback-blocks=no

# Clear in-memory caches upon conclusion of linting. Useful if running pylint
# in a server-like mode.
clear-cache-post-run=no

# Load and enable all available extensions. Use --list-extensions to see a list
# of all available extensions.
#enable-all-extensions=

# In error mode, messages with a category besides ERROR or FATAL are
# suppressed, and no reports are done by default. Error mode is compatible with
# disabling specific errors.
#errors-only=

# Always return a 0 (non-error) status code, even if lint errors are found.
# This is primarily useful in continuous integration scripts.
#exit-zero=

# A comma-separated list of package or module names from where C extensions may
# be loaded. Extensions are loaded into the active Python interpreter and may
# run arbitrary code.
# extension-pkg-allow-list=
extension-pkg-allow-list=pybde,pycaes,pycreg,pyewf,pyfcrypto,pyfsapfs,pyfsext,pyfsfat,pyfshfs,pyfsntfs,pyfsxfs,pyfvde,pyfwnt,pyfwps,pyfwsi,pyhmac,pyluksde,pymodi,pyphdi,pyqcow,pyregf,pysigscan,pysmdev,pysmraw,pytsk3,pyvhdi,pyvmdk,pyvsapm,pyvsgpt,pyvshadow,pyvslvm,xattr

# A comma-separated list of package or module names from where C extensions may
# be loaded. Extensions are loaded into the active Python interpreter and may
# run arbitrary code. (This is an alternative name to extension-pkg-allow-list
# for backward compatibility.)
extension-pkg-whitelist=

# Return non-zero exit code if any of these messages/categories are detected,
# even if score is above --fail-under value. Syntax same as enable. Messages
# specified are enabled, while categories only check already-enabled messages.
fail-on=

# Specify a score threshold under which the program will exit with error.
fail-under=10

# Interpret the stdin as a python script, whose filename needs to be passed as
# the module_or_package argument.
#from-stdin=

# Files or directories to be skipped. They should be base names, not paths.
ignore=CVS

# Add files or directories matching the regular expressions patterns to the
# ignore-list. The regex matches against paths and can be in Posix or Windows
# format. Because '\\' represents the directory delimiter on Windows systems,
# it can't be used as an escape character.
ignore-paths=

# Files or directories matching the regular expression patterns are skipped.
# The regex matches against base names, not paths. The default value ignores
# Emacs file locks
ignore-patterns=^\.#

# List of module names for which member attributes should not be checked and
# will not be imported (useful for modules/projects where namespaces are
# manipulated during runtime and thus existing member attributes cannot be
# deduced by static analysis). It supports qualified module names, as well as
# Unix pattern matching.
ignored-modules=

# Python code to execute, usually for sys.path manipulation such as
# pygtk.require().
#init-hook=

# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the
# number of processors available to use, and will cap the count on Windows to
# avoid hangs.
jobs=1

# Control the amount of potential inferred values when inferring a single
# object. This can help the performance when dealing with large functions or
# complex, nested conditions.
limit-inference-results=100

# List of plugins (as comma separated values of python module names) to load,
# usually to register additional checkers.
# load-plugins=
load-plugins=pylint.extensions.docparams

# Pickle collected data for later comparisons.
persistent=yes

# Resolve imports to .pyi stubs if available. May reduce no-member messages and
# increase not-an-iterable messages.
prefer-stubs=no

# Minimum Python version to use for version dependent checks. Will default to
# the version used to run pylint.
py-version=3.12

# Discover python modules and packages in the file system subtree.
# recursive=no
recursive=yes

# Add paths to the list of the source roots. Supports globbing patterns. The
# source root is an absolute path or a path relative to the current working
# directory used to determine a package namespace for modules located under the
# source root.
source-roots=

# When enabled, pylint would attempt to guess common misconfiguration and emit
# user-friendly hints instead of false-positive error messages.
suggestion-mode=yes

# Allow loading of arbitrary C extensions. Extensions are imported into the
# active Python interpreter and may run arbitrary code.
unsafe-load-any-extension=no

# In verbose mode, extra non-checker-related info will be displayed.
#verbose=


[BASIC]

# Naming style matching correct argument names.
argument-naming-style=snake_case

# Regular expression matching correct argument names. Overrides argument-
# naming-style. If left empty, argument names will be checked with the set
# naming style.
#argument-rgx=
argument-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$

# Naming style matching correct attribute names.
attr-naming-style=snake_case

# Regular expression matching correct attribute names. Overrides attr-naming-
# style. If left empty, attribute names will be checked with the set naming
# style.
#attr-rgx=
attr-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$

# Bad variable names which should always be refused, separated by a comma.
bad-names=foo,
          bar,
          baz,
          toto,
          tutu,
          tata

# Bad variable names regexes, separated by a comma. If names match any regex,
# they will always be refused
bad-names-rgxs=

# Naming style matching correct class attribute names.
class-attribute-naming-style=any

# Regular expression matching correct class attribute names. Overrides class-
# attribute-naming-style. If left empty, class attribute names will be checked
# with the set naming style.
#class-attribute-rgx=
class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]*|(__.*__))$

# Naming style matching correct class constant names.
class-const-naming-style=UPPER_CASE

# Regular expression matching correct class constant names. Overrides class-
# const-naming-style. If left empty, class constant names will be checked with
# the set naming style.
#class-const-rgx=

# Naming style matching correct class names.
class-naming-style=PascalCase

# Regular expression matching correct class names. Overrides class-naming-
# style. If left empty, class names will be checked with the set naming style.
#class-rgx=
class-rgx=[A-Z_][a-zA-Z0-9]+$

# Naming style matching correct constant names.
const-naming-style=UPPER_CASE

# Regular expression matching correct constant names. Overrides const-naming-
# style. If left empty, constant names will be checked with the set naming
# style.
#const-rgx=
const-rgx=(([a-zA-Z_][a-zA-Z0-9_]*)|(__.*__))$

# Minimum line length for functions/classes that require docstrings, shorter
# ones are exempt.
docstring-min-length=-1

# Naming style matching correct function names.
function-naming-style=snake_case

# Regular expression matching correct function names. Overrides function-
# naming-style. If left empty, function names will be checked with the set
# naming style.
#function-rgx=
function-rgx=[A-Z_][a-zA-Z0-9_]*$

# Good variable names which should always be accepted, separated by a comma.
good-names=i,
           j,
           k,
           ex,
           Run,
           _

# Good variable names regexes, separated by a comma. If names match any regex,
# they will always be accepted
good-names-rgxs=

# Include a hint for the correct naming format with invalid-name.
include-naming-hint=no

# Naming style matching correct inline iteration names.
inlinevar-naming-style=any

# Regular expression matching correct inline iteration names. Overrides
# inlinevar-naming-style. If left empty, inline iteration names will be checked
# with the set naming style.
#inlinevar-rgx=
inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$

# Naming style matching correct method names.
method-naming-style=snake_case

# Regular expression matching correct method names. Overrides method-naming-
# style. If left empty, method names will be checked with the set naming style.
#method-rgx=
method-rgx=(test|[A-Z_])[a-zA-Z0-9_]*$

# Naming style matching correct module names.
module-naming-style=snake_case

# Regular expression matching correct module names. Overrides module-naming-
# style. If left empty, module names will be checked with the set naming style.
#module-rgx=
module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$

# Colon-delimited sets of names that determine each other's naming style when
# the name regexes allow several styles.
name-group=

# Regular expression which should only match function or class names that do
# not require a docstring.
no-docstring-rgx=^_

# List of decorators that produce properties, such as abc.abstractproperty. Add
# to this list to register other decorators that produce valid properties.
# These decorators are taken in consideration only for invalid-name.
property-classes=abc.abstractproperty

# Regular expression matching correct type alias names. If left empty, type
# alias names will be checked with the set naming style.
#typealias-rgx=

# Regular expression matching correct type variable names. If left empty, type
# variable names will be checked with the set naming style.
#typevar-rgx=

# Naming style matching correct variable names.
variable-naming-style=snake_case

# Regular expression matching correct variable names. Overrides variable-
# naming-style. If left empty, variable names will be checked with the set
# naming style.
#variable-rgx=
variable-rgx=(([a-z][a-z0-9_]*)|(_[a-z0-9_]*))$


[CLASSES]

# Warn about protected attribute access inside special methods
check-protected-access-in-special-methods=no

# List of method names used to declare (i.e. assign) instance attributes.
defining-attr-methods=__init__,
                      __new__,
                      setUp,
                      asyncSetUp,
                      __post_init__

# List of member names, which should be excluded from the protected access
# warning.
exclude-protected=_asdict,_fields,_replace,_source,_make,os._exit

# List of valid names for the first argument in a class method.
valid-classmethod-first-arg=cls

# List of valid names for the first argument in a metaclass class method.
# valid-metaclass-classmethod-first-arg=mcs
valid-metaclass-classmethod-first-arg=cls


[DESIGN]

# List of regular expressions of class ancestor names to ignore when counting
# public methods (see R0903)
exclude-too-few-public-methods=

# List of qualified class names to ignore when counting class parents (see
# R0901)
ignored-parents=

# Maximum number of arguments for function / method.
# max-args=5
max-args=10

# Maximum number of attributes for a class (see R0902).
max-attributes=7

# Maximum number of boolean expressions in an if statement (see R0916).
max-bool-expr=5

# Maximum number of branch for function / method body.
max-branches=12

# Maximum number of locals for function / method body.
max-locals=15

# Maximum number of parents for a class (see R0901).
max-parents=7

# Maximum number of public methods for a class (see R0904).
max-public-methods=20

# Maximum number of return / yield for function / method body.
max-returns=6

# Maximum number of statements in function / method body.
max-statements=50

# Minimum number of public methods for a class (see R0903).
min-public-methods=2


[EXCEPTIONS]

# Exceptions that will emit a warning when caught.
overgeneral-exceptions=builtins.BaseException,builtins.Exception


[FORMAT]

# Expected format of line ending, e.g. empty (any line ending), LF or CRLF.
expected-line-ending-format=

# Regexp for a line that is allowed to be longer than the limit.
ignore-long-lines=^\s*(# )?<?https?://\S+>?$

# Number of spaces of indent required inside a hanging or continued line.
indent-after-paren=4

# String used as indentation unit. This is usually "    " (4 spaces) or "\t" (1
# tab).
# indent-string='    '
indent-string='  '

# Maximum number of characters on a single line.
# max-line-length=100
max-line-length=80

# Maximum number of lines in a module.
max-module-lines=1000

# Allow the body of a class to be on the same line as the declaration if body
# contains single statement.
single-line-class-stmt=no

# Allow the body of an if to be on the same line as the test if there is no
# else.
single-line-if-stmt=no


[IMPORTS]

# List of modules that can be imported at any level, not just the top level
# one.
allow-any-import-level=

# Allow explicit reexports by alias from a package __init__.
allow-reexport-from-package=no

# Allow wildcard imports from modules that define __all__.
allow-wildcard-with-all=no

# Deprecated modules which should not be used, separated by a comma.
deprecated-modules=

# Output a graph (.gv or any supported image format) of external dependencies
# to the given file (report RP0402 must not be disabled).
ext-import-graph=

# Output a graph (.gv or any supported image format) of all (i.e. internal and
# external) dependencies to the given file (report RP0402 must not be
# disabled).
import-graph=

# Output a graph (.gv or any supported image format) of internal dependencies
# to the given file (report RP0402 must not be disabled).
int-import-graph=

# Force import order to recognize a module as part of the standard
# compatibility libraries.
known-standard-library=

# Force import order to recognize a module as part of a third party library.
known-third-party=enchant

# Couples of modules and preferred modules, separated by a comma.
preferred-modules=


[LOGGING]

# The type of string formatting that logging methods do. `old` means using %
# formatting, `new` is for `{}` formatting.
logging-format-style=old

# Logging modules to check that the string format arguments are in logging
# function parameter format.
logging-modules=logging


[MESSAGES CONTROL]

# Only show warnings with the listed confidence levels. Leave empty to show
# all. Valid levels: HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE,
# UNDEFINED.
confidence=HIGH,
           CONTROL_FLOW,
           INFERENCE,
           INFERENCE_FAILURE,
           UNDEFINED

# Disable the message, report, category or checker with the given id(s). You
# can either give multiple identifiers separated by comma (,) or put this
# option multiple times (only on the command line, not in the configuration
# file where it should appear only once). You can also use "--disable=all" to
# disable everything first and then re-enable specific checks. For example, if
# you want to run only the similarities checker, you can use "--disable=all
# --enable=similarities". If you want to run only the classes checker, but have
# no Warning level messages displayed, use "--disable=all --enable=classes
# --disable=W".
disable=assignment-from-none,
        bad-inline-option,
        deprecated-pragma,
        duplicate-code,
        file-ignored,
        fixme,
        locally-disabled,
        logging-format-interpolation,
        logging-fstring-interpolation,
        missing-param-doc,
        raise-missing-from,
        raw-checker-failed,
        suppressed-message,
        too-few-public-methods,
        too-many-ancestors,
        too-many-boolean-expressions,
        too-many-branches,
        too-many-instance-attributes,
        too-many-lines,
        too-many-locals,
        too-many-nested-blocks,
        too-many-positional-arguments,
        too-many-public-methods,
        too-many-return-statements,
        too-many-statements,
        unsubscriptable-object,
        use-implicit-booleaness-not-comparison-to-string,
        use-implicit-booleaness-not-comparison-to-zero,
        useless-suppression,
        use-symbolic-message-instead

# Enable the message, report, category or checker with the given id(s). You can
# either give multiple identifier separated by comma (,) or put this option
# multiple time (only on the command line, not in the configuration file where
# it should appear only once). See also the "--disable" option for examples.
# enable=
enable=c-extension-no-member


[METHOD_ARGS]

# List of qualified names (i.e., library.method) which require a timeout
# parameter e.g. 'requests.api.get,requests.api.post'
timeout-methods=requests.api.delete,requests.api.get,requests.api.head,requests.api.options,requests.api.patch,requests.api.post,requests.api.put,requests.api.request


[MISCELLANEOUS]

# List of note tags to take in consideration, separated by a comma.
notes=FIXME,
      XXX,
      TODO

# Regular expression of note tags to take in consideration.
notes-rgx=


[REFACTORING]

# Maximum number of nested blocks for function / method body
max-nested-blocks=5

# Complete name of functions that never returns. When checking for
# inconsistent-return-statements if a never returning function is called then
# it will be considered as an explicit return statement and no message will be
# printed.
never-returning-functions=sys.exit,argparse.parse_error

# Let 'consider-using-join' be raised when the separator to join on would be
# non-empty (resulting in expected fixes of the type: ``"- " + " -
# ".join(items)``)
suggest-join-with-non-empty-separator=yes


[REPORTS]

# Python expression which should return a score less than or equal to 10. You
# have access to the variables 'fatal', 'error', 'warning', 'refactor',
# 'convention', and 'info' which contain the number of messages in each
# category, as well as 'statement' which is the total number of statements
# analyzed. This score is used by the global evaluation report (RP0004).
evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10))

# Template used to display messages. This is a python new-style format string
# used to format the message information. See doc for all details.
msg-template=

# Set the output format. Available formats are: text, parseable, colorized,
# json2 (improved json format), json (old json format) and msvs (visual
# studio). You can also give a reporter class, e.g.
# mypackage.mymodule.MyReporterClass.
#output-format=

# Tells whether to display a full report or only the messages.
reports=no

# Activate the evaluation score.
# score=yes
score=no


[SIMILARITIES]

# Comments are removed from the similarity computation
ignore-comments=yes

# Docstrings are removed from the similarity computation
ignore-docstrings=yes

# Imports are removed from the similarity computation
ignore-imports=yes

# Signatures are removed from the similarity computation
ignore-signatures=yes

# Minimum lines number of a similarity.
min-similarity-lines=4


[SPELLING]

# Limits count of emitted suggestions for spelling mistakes.
max-spelling-suggestions=4

# Spelling dictionary name. Available dictionaries: en_AG (hunspell), en_AU
# (hunspell), en_BS (hunspell), en_BW (hunspell), en_BZ (hunspell), en_CA
# (hunspell), en_DK (hunspell), en_GB (hunspell), en_GH (hunspell), en_HK
# (hunspell), en_IE (hunspell), en_IN (hunspell), en_JM (hunspell), en_MW
# (hunspell), en_NA (hunspell), en_NG (hunspell), en_NZ (hunspell), en_PH
# (hunspell), en_SG (hunspell), en_TT (hunspell), en_US (hunspell), en_ZA
# (hunspell), en_ZM (hunspell), en_ZW (hunspell).
spelling-dict=

# List of comma separated words that should be considered directives if they
# appear at the beginning of a comment and should not be checked.
spelling-ignore-comment-directives=fmt: on,fmt: off,noqa:,noqa,nosec,isort:skip,mypy:

# List of comma separated words that should not be checked.
spelling-ignore-words=

# A path to a file that contains the private dictionary; one word per line.
spelling-private-dict-file=

# Tells whether to store unknown words to the private dictionary (see the
# --spelling-private-dict-file option) instead of raising a message.
spelling-store-unknown-words=no


[STRING]

# This flag controls whether inconsistent-quotes generates a warning when the
# character used as a quote delimiter is used inconsistently within a module.
check-quote-consistency=no

# This flag controls whether the implicit-str-concat should generate a warning
# on implicit string concatenation in sequences defined over several lines.
check-str-concat-over-line-jumps=no


[TYPECHECK]

# List of decorators that produce context managers, such as
# contextlib.contextmanager. Add to this list to register other decorators that
# produce valid context managers.
contextmanager-decorators=contextlib.contextmanager

# List of members which are set dynamically and missed by pylint inference
# system, and so shouldn't trigger E1101 when accessed. Python regular
# expressions are accepted.
generated-members=

# Tells whether to warn about missing members when the owner of the attribute
# is inferred to be None.
ignore-none=yes

# This flag controls whether pylint should warn about no-member and similar
# checks whenever an opaque object is returned when inferring. The inference
# can return multiple potential results while evaluating a Python object, but
# some branches might not be evaluated, which results in partial inference. In
# that case, it might be useful to still emit no-member and other checks for
# the rest of the inferred objects.
ignore-on-opaque-inference=yes

# List of symbolic message names to ignore for Mixin members.
ignored-checks-for-mixins=no-member,
                          not-async-context-manager,
                          not-context-manager,
                          attribute-defined-outside-init

# List of class names for which member attributes should not be checked (useful
# for classes with dynamically set attributes). This supports the use of
# qualified names.
ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace

# Show a hint with possible names when a member name was not found. The aspect
# of finding the hint is based on edit distance.
missing-member-hint=yes

# The minimum edit distance a name should have in order to be considered a
# similar match for a missing member name.
missing-member-hint-distance=1

# The total number of similar names that should be taken in consideration when
# showing a hint for a missing member.
missing-member-max-choices=1

# Regex pattern to define which classes are considered mixins.
mixin-class-rgx=.*[Mm]ixin

# List of decorators that change the signature of a decorated function.
signature-mutators=


[VARIABLES]

# List of additional names supposed to be defined in builtins. Remember that
# you should avoid defining new builtins when possible.
additional-builtins=

# Tells whether unused global variables should be treated as a violation.
allow-global-unused-variables=yes

# List of names allowed to shadow builtins
allowed-redefined-builtins=

# List of strings which can identify a callback function by name. A callback
# name must start or end with one of those strings.
callbacks=cb_,
          _cb

# A regular expression matching the name of dummy variables (i.e. expected to
# not be used).
dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_

# Argument names that match this expression will be ignored.
ignored-argument-names=_.*|^ignored_|^unused_

# Tells whether we should check for unused import in __init__ files.
init-import=no

# List of qualified module names which can have objects that can redefine
# builtins.
redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io


================================================
FILE: .readthedocs.yaml
================================================
# Read the Docs configuration file for Sphinx projects
# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details

version: 2

# Build image and interpreter used by Read the Docs for the documentation build.
build:
  os: ubuntu-24.04
  tools:
    python: "3.12"

# Sphinx is driven by docs/conf.py; with fail_on_warning set to false, Sphinx
# warnings do not fail the documentation build.
sphinx:
  configuration: docs/conf.py
  fail_on_warning: false

# Packages needed to build the documentation are installed from
# docs/requirements.txt.
python:
  install:
  - requirements: docs/requirements.txt


================================================
FILE: .yamllint.yaml
================================================
# yamllint configuration: start from the default rule set and override the
# rules listed below.
extends: default

rules:
  # No limit on line length.
  line-length: disable
  indentation:
    # Any indentation width is accepted as long as it is used consistently
    # within a file.
    spaces: consistent
    # Block sequences are written at the same level as their parent key.
    indent-sequences: false
    # Indentation is also checked inside multi-line strings.
    check-multi-line-strings: true


================================================
FILE: ACKNOWLEDGEMENTS
================================================
Acknowledgements: winreg-kb

Copyright (c) 2013-2022, Joachim Metz <joachim.metz@gmail.com>

Copied with permission from [the Greendale data set](https://github.com/dfirlabs/greendale-specimens).
* regf/studentpc8/NTUSER.DAT
* regf/studentpc8/NTUSER.DAT.LOG
* regf/studentpc8/SAM
* regf/studentpc8/SECURITY
* regf/studentpc8/SOFTWARE
* regf/studentpc8/SYSTEM
* regf/studentpc8/UsrClass.dat


================================================
FILE: AUTHORS
================================================
# Names should be added to this file with this pattern:
#
# For individuals:
#   Name (email address)
#
# For organizations:
#   Organization (fnmatch pattern)
#
# See python fnmatch module documentation for more information.

Joachim Metz (joachim.metz@gmail.com)


================================================
FILE: LICENSE
================================================

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.


================================================
FILE: MANIFEST.in
================================================
include ACKNOWLEDGEMENTS AUTHORS LICENSE README.md
include dependencies.ini run_tests.py utils/dependencies.py
include utils/check_dependencies.py
exclude .gitignore
exclude *.pyc
recursive-exclude winregrc *.pyc
# Do not include the test data, otherwise the sdist will be too large for PyPI.
recursive-exclude test_data *
# The test scripts are not required in a binary distribution package; they
# are considered source distribution files and are excluded by find_package().
recursive-include tests *.py


================================================
FILE: MANIFEST.test_data.in
================================================
include ACKNOWLEDGEMENTS AUTHORS LICENSE README.md
include dependencies.ini run_tests.py utils/dependencies.py
include utils/check_dependencies.py
exclude .gitignore
exclude *.pyc
recursive-exclude winregrc *.pyc
recursive-include test_data *
# The test scripts are not required in a binary distribution package; they
# are considered source distribution files and are excluded by find_package().
recursive-include tests *.py


================================================
FILE: README.md
================================================
winreg-kb is a project to build a Windows Registry Knowledge Base.

winregrc is a Python module, part of winreg-kb, that allows reuse of Windows
Registry Resources.

For more information see:
* Project documentation: https://winreg-kb.readthedocs.io/en/latest



================================================
FILE: appveyor.yml
================================================
# AppVeyor build configuration. Every matrix entry is one job; TARGET selects
# whether the job runs the tests or builds a wheel (see build_script and
# test_script below). MACHINE_TYPE and L2TBINARIES_TRACK are passed to
# l2tdevtools' update.py by config/appveyor/install.ps1.
environment:
  matrix:
  - DESCRIPTION: "Run tests on Windows with 32-bit Python 3.14"
    MACHINE_TYPE: "x86"
    APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
    PYTHON: "C:\\Python314"
    PYTHON_VERSION: "3.14"
    L2TBINARIES_TRACK: "dev"
    TARGET: tests
  - DESCRIPTION: "Run tests on Windows with 64-bit Python 3.14"
    MACHINE_TYPE: "amd64"
    APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
    PYTHON: "C:\\Python314-x64"
    PYTHON_VERSION: "3.14"
    L2TBINARIES_TRACK: "dev"
    TARGET: tests
  # NOTE(review): the description says 32-bit, but MACHINE_TYPE and PYTHON are
  # the same 64-bit values as in the next entry, so both wheel jobs look
  # identical. Confirm whether "x86" and "C:\\Python314" were intended here.
  - DESCRIPTION: "Build wheel on Windows with 32-bit Python 3.14"
    MACHINE_TYPE: "amd64"
    APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
    PYTHON: "C:\\Python314-x64"
    PYTHON_VERSION: "3.14"
    L2TBINARIES_TRACK: "dev"
    TARGET: wheel
  - DESCRIPTION: "Build wheel on Windows with 64-bit Python 3.14"
    MACHINE_TYPE: "amd64"
    APPVEYOR_BUILD_WORKER_IMAGE: Visual Studio 2022
    PYTHON: "C:\\Python314-x64"
    PYTHON_VERSION: "3.14"
    L2TBINARIES_TRACK: "dev"
    TARGET: wheel

# The packaging tools are upgraded to whatever version the package index serves
# at build time; none of them is pinned.
# NOTE(review): the wheel jobs publish their output as build artifacts, so a
# constraints file with pinned versions would make the toolchain that produces
# them reproducible and reviewable.
install:
- cmd: "%PYTHON%\\python.exe -m pip install -U build pip setuptools twine wheel"
- ps: .\config\appveyor\install.ps1

# Only jobs with TARGET=wheel build a wheel.
build_script:
- cmd: IF [%TARGET%]==[wheel] (
    "%PYTHON%\\python.exe" -m build --wheel )

# Only jobs with TARGET=tests run run_tests.py; when tests\end-to-end.py exists
# it is run afterwards with PYTHONPATH set to the checkout.
test_script:
- cmd: IF [%TARGET%]==[tests] (
    "%PYTHON%\\python.exe" run_tests.py &&
    IF EXIST "tests\\end-to-end.py" (
        set PYTHONPATH=. &&
        "%PYTHON%\\python.exe" "tests\\end-to-end.py" --debug -c "config\\end-to-end.ini" ) )

# Wheels written to dist are kept as build artifacts.
artifacts:
- path: dist\*.whl


================================================
FILE: config/appveyor/install.ps1
================================================
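# Script to set up tests on AppVeyor Windows.
#
# Clones l2tdevtools next to the checkout and runs its update.py to download
# the dependencies listed below into the "dependencies" directory. Reads
# PYTHON, MACHINE_TYPE and L2TBINARIES_TRACK from the environment.

$Dependencies = "PyYAML acstore artifacts dfdatetime dfimagetools dfvfs dfwinreg dtfabric libbde libcaes libcreg libewf libfcrypto libfsapfs libfsext libfsfat libfshfs libfsntfs libfsxfs libfvde libfwnt libfwps libfwsi libhmac libluksde libmodi libphdi libqcow libregf libsigscan libsmdev libsmraw libvhdi libvmdk libvsapm libvsgpt libvshadow libvslvm pytsk3 xattr"

If ($Dependencies.Length -gt 0)
{
	$Dependencies = ${Dependencies} -split " "

	# NOTE(review): the clone is not pinned to a tag or commit, so the build runs
	# whatever the default branch of l2tdevtools holds at that moment. Pinning to
	# a reviewed revision would make the tooling used by the build reproducible.
	#
	# The call operator is used instead of Invoke-Expression so that no command
	# line is re-parsed from a string. 2>&1 merges stderr into the pipeline and
	# the ForEach-Object block turns every record into a plain string.
	$Output = & git clone https://github.com/log2timeline/l2tdevtools.git ..\l2tdevtools 2>&1 | %{ "$_" }
	Write-Host (${Output} | Out-String)

	New-Item -ItemType "directory" -Name "dependencies"

	$env:PYTHONPATH = "..\l2tdevtools"

	# The environment values and the dependency names are passed as separate
	# arguments, so their content cannot change the shape of the command.
	# The track comes from L2TBINARIES_TRACK; the repository branch is not used.
	$Output = & "${env:PYTHON}\python.exe" ..\l2tdevtools\tools\update.py --download-directory dependencies --machine-type ${env:MACHINE_TYPE} --track ${env:L2TBINARIES_TRACK} ${Dependencies} 2>&1 | %{ "$_" }
	Write-Host (${Output} | Out-String)
}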



================================================
FILE: config/dpkg/changelog
================================================
winreg-kb (20260413-1) unstable; urgency=low

  * Auto-generated

 -- Joachim Metz <joachim.metz@gmail.com>  Mon, 13 Apr 2026 06:58:45 +0200


================================================
FILE: config/dpkg/clean
================================================
winregrc/*.pyc
*.pyc


================================================
FILE: config/dpkg/compat
================================================
9


================================================
FILE: config/dpkg/control
================================================
Source: winreg-kb
Section: python
Priority: extra
Maintainer: Joachim Metz <joachim.metz@gmail.com>
Build-Depends: debhelper (>= 9), dh-python, python3-all (>= 3.10~), python3-setuptools, pybuild-plugin-pyproject
Standards-Version: 4.1.4
X-Python3-Version: >= 3.10
Homepage: https://github.com/libyal/winreg-kb

Package: python3-winregrc
Architecture: all
Depends: libbde-python3 (>= 20220121), libcaes-python3 (>= 20240114), libcreg-python3 (>= 20200725), libewf-python3 (>= 20131210), libfcrypto-python3 (>= 20240114), libfsapfs-python3 (>= 20220709), libfsext-python3 (>= 20220829), libfsfat-python3 (>= 20220925), libfshfs-python3 (>= 20220831), libfsntfs-python3 (>= 20211229), libfsxfs-python3 (>= 20220829), libfvde-python3 (>= 20220121), libfwnt-python3 (>= 20210717), libfwps-python3 (>= 20240225), libfwsi-python3 (>= 20240315), libhmac-python3 (>= 20230205), libluksde-python3 (>= 20220121), libmodi-python3 (>= 20210405), libphdi-python3 (>= 20220228), libqcow-python3 (>= 20201213), libregf-python3 (>= 20201002), libsigscan-python3 (>= 20230109), libsmdev-python3 (>= 20140529), libsmraw-python3 (>= 20140612), libvhdi-python3 (>= 20201014), libvmdk-python3 (>= 20140421), libvsapm-python3 (>= 20230506), libvsgpt-python3 (>= 20211115), libvshadow-python3 (>= 20160109), libvslvm-python3 (>= 20160109), python3-acstore (>= 20230101), python3-artifacts (>= 20220219), python3-dfdatetime (>= 20221112), python3-dfimagetools (>= 20240301), python3-dfvfs (>= 20240115), python3-dfwinreg (>= 20240229), python3-dtfabric (>= 20230518), python3-pytsk3 (>= 20210419), python3-xattr (>= 0.7.2), python3-yaml (>= 3.10), ${misc:Depends}
Description: Python 3 module of Windows Registry resources (winregrc)
 winregrc is a Python module part of winreg-kb to allow reuse of
 Windows Registry resources.

Package: winreg-kb-tools
Architecture: all
Depends: python3-winregrc (>= ${binary:Version}), ${misc:Depends}
Description: Tools for Windows Registry knowledge base (winreg-kb)
 Winreg-kb is a project to build a Windows Registry knowledge base.


================================================
FILE: config/dpkg/copyright
================================================
Format: http://dep.debian.net/deps/dep5
Upstream-Name: dtfabric
Source: https://github.com/libyal/dtfabric

Files: *
Copyright: 2016-2017, Joachim Metz <joachim.metz@gmail.com>
License: Apache-2.0

License: Apache-2.0
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 .
 http://www.apache.org/licenses/LICENSE-2.0
 .
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 .
 On Debian systems, the complete text of the Apache version 2.0 license
 can be found in "/usr/share/common-licenses/Apache-2.0".


================================================
FILE: config/dpkg/python3-winregrc.install
================================================
usr/lib/python3*/dist-packages/winregrc/*.py
usr/lib/python3*/dist-packages/winregrc/*.yaml
usr/lib/python3*/dist-packages/winregrc*.dist-info/*


================================================
FILE: config/dpkg/rules
================================================
#!/usr/bin/make -f

# Catch-all target: every debhelper sequence is handed to dh, using the
# pybuild build system and the python3 add-on.
%:
	dh $@ --buildsystem=pybuild --with=python3

# Override with an empty recipe: nothing is run for the dh_auto_test step, so
# the package build does not execute the test suite.
.PHONY: override_dh_auto_test
override_dh_auto_test:



================================================
FILE: config/dpkg/source/format
================================================
3.0 (quilt)


================================================
FILE: config/pylint/spelling-private-dict
================================================
appcompatcachecachedentry
argparse
args
backports
bool
cachedtask
codecs
codepage
config
csd
currentversion
datatypefabric
datatypemap
datatypemapcontext
datetimevalues
des
dev
dfdatetime
dfvfs
dfwinreg
dll
dpkg
dtfabric
endian
fileio
filename
filenames
filesystem
filetime
gid
guid
knownfolder
kwargs
lockdown
lsa
lzma
macos
mappingerror
mostrecentlyusedentry
mru
msi
nl
ons
os
outputwriter
parseheader
pathspec
posixtime
pre
py
pyfwsi
pyregf
rb
rc
readfp
regf
sdist
shellfolder
stdin
stdout
str
subkeys
sys
syskey
timestamp
timestamps
tuple
typelibrary
useraccount
userassistentry
username
vfsstat
volumescannermediator
windowsservice
windowsvolumescanner
winregistry
winregistrykey
winregistryvalue
winregrc
xp


================================================
FILE: dependencies.ini
================================================
[acstore]
dpkg_name: python3-acstore
minimum_version: 20230101
rpm_name: python3-acstore
version_property: __version__

[artifacts]
dpkg_name: python3-artifacts
minimum_version: 20220219
rpm_name: python3-artifacts
version_property: __version__

[dfdatetime]
dpkg_name: python3-dfdatetime
minimum_version: 20221112
rpm_name: python3-dfdatetime
version_property: __version__

[dfimagetools]
dpkg_name: python3-dfimagetools
minimum_version: 20240301
rpm_name: python3-dfimagetools
version_property: __version__

[dfvfs]
dpkg_name: python3-dfvfs
minimum_version: 20240115
rpm_name: python3-dfvfs
version_property: __version__

[dfwinreg]
dpkg_name: python3-dfwinreg
minimum_version: 20240229
rpm_name: python3-dfwinreg
version_property: __version__

[dtfabric]
dpkg_name: python3-dtfabric
minimum_version: 20230518
rpm_name: python3-dtfabric
version_property: __version__

[pybde]
dpkg_name: libbde-python3
l2tbinaries_name: libbde
minimum_version: 20220121
pypi_name: libbde-python
rpm_name: libbde-python3
version_property: get_version()

[pycaes]
dpkg_name: libcaes-python3
l2tbinaries_name: libcaes
minimum_version: 20240114
pypi_name: libcaes-python
rpm_name: libcaes-python3
version_property: get_version()

[pycreg]
dpkg_name: libcreg-python3
l2tbinaries_name: libcreg
minimum_version: 20200725
pypi_name: libcreg-python
rpm_name: libcreg-python3
version_property: get_version()

[pyewf]
dpkg_name: libewf-python3
l2tbinaries_name: libewf
minimum_version: 20131210
pypi_name: libewf-python
rpm_name: libewf-python3
version_property: get_version()

[pyfcrypto]
dpkg_name: libfcrypto-python3
l2tbinaries_name: libfcrypto
minimum_version: 20240114
pypi_name: libfcrypto-python
rpm_name: libfcrypto-python3
version_property: get_version()

[pyfsapfs]
dpkg_name: libfsapfs-python3
l2tbinaries_name: libfsapfs
minimum_version: 20220709
pypi_name: libfsapfs-python
rpm_name: libfsapfs-python3
version_property: get_version()

[pyfsext]
dpkg_name: libfsext-python3
l2tbinaries_name: libfsext
minimum_version: 20220829
pypi_name: libfsext-python
rpm_name: libfsext-python3
version_property: get_version()

[pyfsfat]
dpkg_name: libfsfat-python3
l2tbinaries_name: libfsfat
minimum_version: 20220925
pypi_name: libfsfat-python
rpm_name: libfsfat-python3
version_property: get_version()

[pyfshfs]
dpkg_name: libfshfs-python3
l2tbinaries_name: libfshfs
minimum_version: 20220831
pypi_name: libfshfs-python
rpm_name: libfshfs-python3
version_property: get_version()

[pyfsntfs]
dpkg_name: libfsntfs-python3
l2tbinaries_name: libfsntfs
minimum_version: 20211229
pypi_name: libfsntfs-python
rpm_name: libfsntfs-python3
version_property: get_version()

[pyfsxfs]
dpkg_name: libfsxfs-python3
l2tbinaries_name: libfsxfs
minimum_version: 20220829
pypi_name: libfsxfs-python
rpm_name: libfsxfs-python3
version_property: get_version()

[pyfvde]
dpkg_name: libfvde-python3
l2tbinaries_name: libfvde
minimum_version: 20220121
pypi_name: libfvde-python
rpm_name: libfvde-python3
version_property: get_version()

[pyfwnt]
dpkg_name: libfwnt-python3
l2tbinaries_name: libfwnt
minimum_version: 20210717
pypi_name: libfwnt-python
rpm_name: libfwnt-python3
version_property: get_version()

[pyfwps]
dpkg_name: libfwps-python3
l2tbinaries_name: libfwps
minimum_version: 20240225
pypi_name: libfwps-python
rpm_name: libfwps-python3
version_property: get_version()

[pyfwsi]
dpkg_name: libfwsi-python3
l2tbinaries_name: libfwsi
minimum_version: 20240315
pypi_name: libfwsi-python
rpm_name: libfwsi-python3
version_property: get_version()

[pyhmac]
dpkg_name: libhmac-python3
l2tbinaries_name: libhmac
minimum_version: 20230205
pypi_name: libhmac-python
rpm_name: libhmac-python3
version_property: get_version()

[pyluksde]
dpkg_name: libluksde-python3
l2tbinaries_name: libluksde
minimum_version: 20220121
pypi_name: libluksde-python
rpm_name: libluksde-python3
version_property: get_version()

[pymodi]
dpkg_name: libmodi-python3
l2tbinaries_name: libmodi
minimum_version: 20210405
pypi_name: libmodi-python
rpm_name: libmodi-python3
version_property: get_version()

[pyphdi]
dpkg_name: libphdi-python3
l2tbinaries_name: libphdi
minimum_version: 20220228
pypi_name: libphdi-python
rpm_name: libphdi-python3
version_property: get_version()

[pyqcow]
dpkg_name: libqcow-python3
l2tbinaries_name: libqcow
minimum_version: 20201213
pypi_name: libqcow-python
rpm_name: libqcow-python3
version_property: get_version()

[pyregf]
dpkg_name: libregf-python3
l2tbinaries_name: libregf
minimum_version: 20201002
pypi_name: libregf-python
rpm_name: libregf-python3
version_property: get_version()

[pysigscan]
dpkg_name: libsigscan-python3
l2tbinaries_name: libsigscan
minimum_version: 20230109
pypi_name: libsigscan-python
rpm_name: libsigscan-python3
version_property: get_version()

[pysmdev]
dpkg_name: libsmdev-python3
l2tbinaries_name: libsmdev
minimum_version: 20140529
pypi_name: libsmdev-python
rpm_name: libsmdev-python3
version_property: get_version()

[pysmraw]
dpkg_name: libsmraw-python3
l2tbinaries_name: libsmraw
minimum_version: 20140612
pypi_name: libsmraw-python
rpm_name: libsmraw-python3
version_property: get_version()

[pytsk3]
dpkg_name: python3-pytsk3
minimum_version: 20210419
rpm_name: python3-pytsk3
version_property: get_version()

[pyvhdi]
dpkg_name: libvhdi-python3
l2tbinaries_name: libvhdi
minimum_version: 20201014
pypi_name: libvhdi-python
rpm_name: libvhdi-python3
version_property: get_version()

[pyvmdk]
dpkg_name: libvmdk-python3
l2tbinaries_name: libvmdk
minimum_version: 20140421
pypi_name: libvmdk-python
rpm_name: libvmdk-python3
version_property: get_version()

[pyvsapm]
dpkg_name: libvsapm-python3
l2tbinaries_name: libvsapm
minimum_version: 20230506
pypi_name: libvsapm-python
rpm_name: libvsapm-python3
version_property: get_version()

[pyvsgpt]
dpkg_name: libvsgpt-python3
l2tbinaries_name: libvsgpt
minimum_version: 20211115
pypi_name: libvsgpt-python
rpm_name: libvsgpt-python3
version_property: get_version()

[pyvshadow]
dpkg_name: libvshadow-python3
l2tbinaries_name: libvshadow
minimum_version: 20160109
pypi_name: libvshadow-python
rpm_name: libvshadow-python3
version_property: get_version()

[pyvslvm]
dpkg_name: libvslvm-python3
l2tbinaries_name: libvslvm
minimum_version: 20160109
pypi_name: libvslvm-python
rpm_name: libvslvm-python3
version_property: get_version()

[xattr]
dpkg_name: python3-xattr
is_optional: true
minimum_version: 0.7.2
pypi_name: xattr
rpm_name: python3-xattr
version_property: __version__

[yaml]
dpkg_name: python3-yaml
l2tbinaries_name: PyYAML
minimum_version: 3.10
pypi_name: PyYAML
rpm_name: python3-pyyaml
version_property: __version__


================================================
FILE: docs/conf.py
================================================
"""Sphinx build configuration file."""

import os
import sys

from sphinx.ext import apidoc

from docutils import nodes
from docutils import transforms

# Change PYTHONPATH to include winregrc module and dependencies.
sys.path.insert(0, os.path.abspath('..'))

import winregrc  # pylint: disable=wrong-import-position

import utils.dependencies  # pylint: disable=wrong-import-position


# -- General configuration ------------------------------------------------

# If your documentation needs a minimal Sphinx version, state it here.
needs_sphinx = '2.0.1'

# Add any Sphinx extension module names here, as strings. They can be
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
# ones.
# Note that sphinx.ext.autodoc imports the modules it documents while the
# documentation is built; see autodoc_mock_imports below.
extensions = [
    'recommonmark',
    'sphinx.ext.autodoc',
    'sphinx.ext.coverage',
    'sphinx.ext.doctest',
    'sphinx.ext.napoleon',
    'sphinx.ext.viewcode',
    'sphinx_markdown_tables',
    'sphinx_rtd_theme',
]

# We cannot install architecture dependent Python modules on readthedocs,
# therefore we mock most imports.
# Modules named in this set are excluded from mocking. It is empty here, so
# every module name known to the dependency helper ends up mocked.
pip_installed_modules = set()

# The module names come from the keys of the dependency helper, which is given
# the dependencies.ini and test_dependencies.ini files one directory up.
# NOTE(review): both paths are relative; presumably they resolve against the
# docs directory during the build - confirm.
dependency_helper = utils.dependencies.DependencyHelper(
    dependencies_file=os.path.join('..', 'dependencies.ini'),
    test_dependencies_file=os.path.join('..', 'test_dependencies.ini'))
modules_to_mock = set(dependency_helper.dependencies.keys())
modules_to_mock = modules_to_mock.difference(pip_installed_modules)

# Sorted so the resulting list has a stable order between builds.
autodoc_mock_imports = sorted(modules_to_mock)

# Options for the Sphinx Napoleon extension, which reads Google-style
# docstrings.
napoleon_google_docstring = True
napoleon_numpy_docstring = False
napoleon_include_init_with_doc = True
napoleon_include_private_with_doc = False
napoleon_include_special_with_doc = True

# General information about the project.
# The version and release are both taken from the imported winregrc module.
# pylint: disable=redefined-builtin
project = 'Windows Registry knowledge base (winreg-kb)'
copyright = 'The Windows Registry knowledge base (winreg-kb) authors'
version = winregrc.__version__
release = winregrc.__version__

# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']

# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = ['_build']

# The master toctree document.
master_doc = 'index'

# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'


# -- Options for HTML output ----------------------------------------------

# The theme to use for HTML and HTML Help pages.  See the documentation for
# a list of builtin themes.
html_theme = 'sphinx_rtd_theme'

# Output file base name for HTML help builder.
htmlhelp_basename = 'winregkbdoc'


# -- Options linkcheck ----------------------------------------------------

# No URIs are excluded from the link check.
linkcheck_ignore = [
]


# -- Code to rewrite links for readthedocs --------------------------------

# This function is a Sphinx core event callback, the format of which is detailed
# here: https://www.sphinx-doc.org/en/master/extdev/appapi.html#events

# pylint: disable=unused-argument
def RunSphinxAPIDoc(app):
  """Regenerates the API reference pages with sphinx-apidoc.

  The pages for the winregrc package are written to the sources/api directory
  next to this file; --force is passed so existing pages are overwritten.

  Args:
    app (sphinx.application.Sphinx): Sphinx application, not used here but
        required by the Sphinx event callback API.
  """
  docs_path = os.path.abspath(os.path.dirname(__file__))
  output_path = os.path.join(docs_path, 'sources', 'api')
  package_path = os.path.join(docs_path, '..', 'winregrc')

  apidoc_arguments = ['-o', output_path, package_path, '--force']
  apidoc.main(apidoc_arguments)


class MarkdownLinkFixer(transforms.Transform):
  """Docutils transform that appends ".md" to selected reference URIs."""

  default_priority = 1000

  # URI prefixes that are eligible for rewriting. The list is empty, so as
  # defined here no reference is changed.
  _URI_PREFIXES = []

  def _FixLinks(self, node):
    """Appends ".md" to the URI of a reference node where applicable.

    Only reference nodes that have a "refuri" are considered. The URI is
    changed when it starts with one of the configured prefixes and does not
    already end with ".asciidoc" or ".md".

    Args:
      node (docutils.nodes.Node): docutils node.

    Returns:
      docutils.nodes.Node: the same docutils node, with its URI updated if
          it matched.
    """
    if not isinstance(node, nodes.reference) or 'refuri' not in node:
      return node

    uri = node['refuri']
    for prefix in self._URI_PREFIXES:
      if not uri.startswith(prefix):
        continue
      if uri.endswith(('.asciidoc', '.md')):
        continue

      # Only the first matching prefix is applied.
      node['refuri'] = uri + '.md'
      break

    return node

  def _Traverse(self, node):
    """Visits the document tree rooted at node, parents before children.

    Args:
      node (docutils.nodes.Node): docutils node.
    """
    pending_nodes = [node]
    while pending_nodes:
      current_node = pending_nodes.pop()
      self._FixLinks(current_node)
      # Reversed so that the children are popped in document order.
      pending_nodes.extend(reversed(current_node.children))

  # pylint: disable=arguments-differ
  def apply(self):
    """Runs the link fixer over the whole document tree."""
    self._Traverse(self.document)


# pylint: invalid-name
def setup(app):
  """Registers the callback, config value and transform with Sphinx.

  Args:
    app (sphinx.application.Sphinx): Sphinx application.
  """
  recommonmark_options = {'enable_auto_toc_tree': True}

  # Run sphinx-apidoc once the builder has been initialized, so the API pages
  # exist before the sources are read.
  app.connect('builder-inited', RunSphinxAPIDoc)
  app.add_config_value('recommonmark_config', recommonmark_options, True)
  app.add_transform(MarkdownLinkFixer)


================================================
FILE: docs/index.rst
================================================
Welcome to the winreg-kb documentation
========================================

winreg-kb is a project to build a Windows Registry Knowledge Base.

winregrc is a Python module part of winreg-kb to allow reuse of Windows
Registry Resources.

The source code is available from the `project page <https://github.com/libyal/winreg-kb>`__.

.. toctree::
   :maxdepth: 2

   sources/windows-registry/index

.. toctree::
   :maxdepth: 2

   sources/system-keys/index

.. toctree::
   :maxdepth: 2

   sources/security-accounts-manager-keys/index

.. toctree::
   :maxdepth: 2

   sources/explorer-keys/index

.. toctree::
   :maxdepth: 2

   Windows EventLog keys <sources/EventLog-keys>

.. toctree::
   :maxdepth: 2

   sources/internet-explorer-keys/index

.. toctree::
   :maxdepth: 2

   sources/application-keys/index

.. toctree::
   :maxdepth: 2

   API documentation <sources/api/winregrc>


Indices and tables
==================

* :ref:`genindex`
* :ref:`modindex`



================================================
FILE: docs/requirements.txt
================================================
certifi >= 2023.11.17
docutils
Markdown
recommonmark
sphinx >= 4.1.0
sphinx-markdown-tables
sphinx-rtd-theme >= 0.5.1


================================================
FILE: docs/sources/EventLog-keys.md
================================================
# EventLog keys

## EventLog providers

Information about EventLog providers is stored across multiple keys:

* the Services\EventLog key, which has been around since at least Windows NT 3.5
* the WINEVT\Publishers key, which was introduced in Windows Vista

Note that the information of both keys may need to be combined. For example,
the following entries of the Services\EventLog key:

```
Log type                : System
Log source              : Microsoft-Windows-Time-Service
Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
Event message files     : %SystemRoot%\system32\w32time.dll
```

```
Log type                : System
Log source              : W32Time
Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
Event message files     : %SystemRoot%\system32\w32time.dll
```

In combination with the corresponding WINEVT\Publishers key:

```
Name			: Microsoft-Windows-Time-Service
Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
Event message files     : %SystemRoot%\system32\w32time.dll
```

Is the following EventLog provider:

```
Name			: Microsoft-Windows-Time-Service
Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
Log type                : System
Log source(s)           : Microsoft-Windows-Time-Service
                        : W32Time
Event message files     : %SystemRoot%\system32\w32time.dll
```

Note that an EventLog provider can have multiple log types and log sources.
It is not known if a log source that matches the EventLog provider name can be
deduplicated.

Or as specified as Event XML:

```
<Provider Name='Microsoft-Windows-Time-Service'
          Guid='{06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}'
          EventSourceName='W32Time'/>
```

## Services\EventLog key

The event sources are stored in the Services\EventLog key:

```
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\
```

On Windows NT it can be found in the SYSTEM Registry file.

The Services\EventLog key contains a per EventLog type sub key, for example
for the "System" EventLog type:

```
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\
```

Common EventLog types are:

* Application
* Security
* System

The EventLog type sub key contains a per EventLog source-per-type sub key,
for example for the "Workstation" EventLog source:

```
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\Workstation\
```

Note that the log source is case insensitive; so "Workstation" and "workstation"
are considered equivalent.

### Services\EventLog type sub key

Values:

Name | Data type | Description
--- | --- | ---
Sources | | Array of strings with end-of-string character containing the names of the event sources

#### Services\EventLog source-per-type sub key

The Services\EventLog source-per-type sub key contains information about
a single event source.

Values:

Name | Data type | Description
--- | --- | ---
CategoryCount | REG_DWORD | Number of event categories supported
CategoryMessageFile | REG_EXPAND_SZ | Path to the category message file. A category message file contains language-dependent strings that describe the categories.
EventMessageFile | REG_EXPAND_SZ | Path to event message files. An event message file contains language-dependent strings that describe the events. Note that this value can contain multiple filenames, for example "C:\WINDOWS\system32\COMRES.DLL;C:\WINDOWS\system32\xpsp2res.dll". Multiple files are delimited using a semicolon.
ParameterMessageFile | REG_EXPAND_SZ | Path to the parameter message file. A parameter message file contains language-independent strings that are to be inserted into the event description strings.
ProviderGuid | REG_SZ | Identifier, in the form "{%GUID%}", of the event provider.
TypesSupported | REG_DWORD | Bitmask of supported types

##### TypesSupported value data

Value | Identifier | Description
--- | --- | ---
0x0001 | EVENTLOG_ERROR_TYPE |
0x0002 | EVENTLOG_WARNING_TYPE |
0x0004 | EVENTLOG_INFORMATION_TYPE |
0x0008 | EVENTLOG_AUDIT_SUCCESS |
0x0010 | EVENTLOG_AUDIT_FAILURE |

## WINEVT\Publishers key

The event publishers (or providers) are stored in the WINEVT\Publishers key:

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers
```

On Windows Vista or later it can be found in the SOFTWARE Registry file.

The WINEVT\Publishers key contains a GUID type sub key, for example
"{de513a55-c345-438b-9a74-e18cac5c5cc5}":

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\%GUID%
```

### WINEVT\Publishers GUID sub key

A WINEVT\Publishers GUID sub key contains information about a single event
publisher.

Values:

Name | Data type | Description
--- | --- | ---
(default) | REG_SZ | Case insensitive log source.
MessageFileName | REG_EXPAND_SZ | Path to an event message file. An event message file contains language-dependent strings that describe the events.
ResourceFileName | REG_EXPAND_SZ | Path to an event resource file.
ParameterFileName | REG_EXPAND_SZ | Path to an event parameter file.

## Message file paths

A message file path can be defined in several different ways, for example:

As an absolute path:

```
C:\Windows\System32\mscoree.dll
```

As a relative path:

```
mscoree.dll
```

As a path using environment variables:

```
%SystemDrive%\Windows\System32\mscoree.dll
%SystemRoot%\System32\mscoree.dll
%WinDir%\System32\mscoree.dll
```

As a path using universal OEM runtime macros:

```
$(runtime.system32)\mscoree.dll
```

```
\SystemRoot\system32\mscoree.dll
```

## EventLog provider with multiple provider GUIDs

Seen on Windows 8.0, 8.1, 10, 11 and 2012:

```
Key path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-KdsSvc
Name: Microsoft-Windows-KdsSvc
Last written time: Oct 30, 2015 07:25:12.126588100 UTC

Value: 0 providerGuid
Type: string (REG_SZ)
Data size: 78
Data: {d4be7726-dc7a-11df-a6e6-0902dfd72085}
```

```
Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{89203471-d554-47d4-bde4-7552ec219999}
Name: {89203471-d554-47d4-bde4-7552ec219999}
Last written time: Oct 30, 2015 07:25:53.860831900 UTC

Value: 0 (default)
Type: string (REG_SZ)
Data size: 50
Data: Microsoft-Windows-KdsSvc

Value: 1 ResourceFileName
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\KdsCli.dll

Value: 2 MessageFileName
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\KdsCli.dll
```

## EventLog provider with multiple log types

Seen on Windows 10:

```
Key path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-EventCollector
Name: Microsoft-Windows-EventCollector
Last written time: Sep 13, 2014 07:27:56.080450600 UTC

Value: 0 ProviderGuid
Type: string (REG_SZ)
Data size: 78
Data: {b977cf02-76f6-df84-cc1a-6a4b232322b6}

Value: 1 EventMessageFile
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\wecsvc.dll
```

```
Key path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-EventCollector
Name: Microsoft-Windows-EventCollector
Last written time: Sep 13, 2014 07:27:56.080450600 UTC

Value: 0 ProviderGuid
Type: string (REG_SZ)
Data size: 78
Data: {b977cf02-76f6-df84-cc1a-6a4b232322b6}

Value: 1 EventMessageFile
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\wecsvc.dll
```

```
Key path:  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{b977cf02-76f6-df84-cc1a-6a4b232322b6}
Name: {b977cf02-76f6-df84-cc1a-6a4b232322b6}
Last written time: Sep 13, 2014 07:27:56.080450600 UTC

Value: 0 (default)
Type: string (REG_SZ)
Data size: 66
Data: Microsoft-Windows-EventCollector

Value: 1 ResourceFileName
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\wecsvc.dll

Value: 2 MessageFileName
Type: expandable string (REG_EXPAND_SZ)
Data size: 66
Data: %SystemRoot%\system32\wecsvc.dll
```

## External Links

* [Eventlog Key](https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key)
* [Event Sources](https://learn.microsoft.com/en-us/windows/win32/eventlog/event-sources)
* [winevt.h header](https://learn.microsoft.com/en-us/windows/win32/api/winevt/)
* [Windows Event Log](https://learn.microsoft.com/en-us/windows/win32/api/_wes/)



================================================
FILE: docs/sources/api/modules.rst
================================================
winregrc
========

.. toctree::
   :maxdepth: 4

   winregrc


================================================
FILE: docs/sources/api/winregrc.rst
================================================
winregrc package
================

Subpackages
-----------

.. toctree::
   :maxdepth: 4

   winregrc.scripts

Submodules
----------

winregrc.appcompatcache module
------------------------------

.. automodule:: winregrc.appcompatcache
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.application\_identifiers module
----------------------------------------

.. automodule:: winregrc.application_identifiers
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.cached\_credentials module
-----------------------------------

.. automodule:: winregrc.cached_credentials
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.catalog module
-----------------------

.. automodule:: winregrc.catalog
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.controlpanel\_items module
-----------------------------------

.. automodule:: winregrc.controlpanel_items
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.data\_format module
----------------------------

.. automodule:: winregrc.data_format
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.delegatefolders module
-------------------------------

.. automodule:: winregrc.delegatefolders
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.environment\_variables module
--------------------------------------

.. automodule:: winregrc.environment_variables
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.errors module
----------------------

.. automodule:: winregrc.errors
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.eventlog\_providers module
-----------------------------------

.. automodule:: winregrc.eventlog_providers
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.filters module
-----------------------

.. automodule:: winregrc.filters
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.hexdump module
-----------------------

.. automodule:: winregrc.hexdump
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.interface module
-------------------------

.. automodule:: winregrc.interface
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.knownfolders module
----------------------------

.. automodule:: winregrc.knownfolders
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.mounted\_devices module
--------------------------------

.. automodule:: winregrc.mounted_devices
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.mru module
-------------------

.. automodule:: winregrc.mru
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.msie\_zone\_info module
--------------------------------

.. automodule:: winregrc.msie_zone_info
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.output\_writers module
-------------------------------

.. automodule:: winregrc.output_writers
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.profiles module
------------------------

.. automodule:: winregrc.profiles
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.programscache module
-----------------------------

.. automodule:: winregrc.programscache
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.sam module
-------------------

.. automodule:: winregrc.sam
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.services module
------------------------

.. automodule:: winregrc.services
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.shell\_property\_keys module
-------------------------------------

.. automodule:: winregrc.shell_property_keys
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.shellfolders module
----------------------------

.. automodule:: winregrc.shellfolders
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.srum\_extensions module
--------------------------------

.. automodule:: winregrc.srum_extensions
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.sysinfo module
-----------------------

.. automodule:: winregrc.sysinfo
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.syskey module
----------------------

.. automodule:: winregrc.syskey
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.task\_cache module
---------------------------

.. automodule:: winregrc.task_cache
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.time\_zones module
---------------------------

.. automodule:: winregrc.time_zones
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.type\_libraries module
-------------------------------

.. automodule:: winregrc.type_libraries
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.usbstor module
-----------------------

.. automodule:: winregrc.usbstor
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.userassist module
--------------------------

.. automodule:: winregrc.userassist
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.versions module
------------------------

.. automodule:: winregrc.versions
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.volume\_scanner module
-------------------------------

.. automodule:: winregrc.volume_scanner
   :members:
   :show-inheritance:
   :undoc-members:

Module contents
---------------

.. automodule:: winregrc
   :members:
   :show-inheritance:
   :undoc-members:


================================================
FILE: docs/sources/api/winregrc.scripts.rst
================================================
winregrc.scripts package
========================

Submodules
----------

winregrc.scripts.appcompatcache module
--------------------------------------

.. automodule:: winregrc.scripts.appcompatcache
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.application\_identifiers module
------------------------------------------------

.. automodule:: winregrc.scripts.application_identifiers
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.cached\_credentials module
-------------------------------------------

.. automodule:: winregrc.scripts.cached_credentials
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.catalog module
-------------------------------

.. automodule:: winregrc.scripts.catalog
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.controlpanel\_items module
-------------------------------------------

.. automodule:: winregrc.scripts.controlpanel_items
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.delegatefolders module
---------------------------------------

.. automodule:: winregrc.scripts.delegatefolders
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.environment\_variables module
----------------------------------------------

.. automodule:: winregrc.scripts.environment_variables
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.eventlog\_providers module
-------------------------------------------

.. automodule:: winregrc.scripts.eventlog_providers
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.knownfolders module
------------------------------------

.. automodule:: winregrc.scripts.knownfolders
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.mounted\_devices module
----------------------------------------

.. automodule:: winregrc.scripts.mounted_devices
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.mru module
---------------------------

.. automodule:: winregrc.scripts.mru
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.msie\_zone\_info module
----------------------------------------

.. automodule:: winregrc.scripts.msie_zone_info
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.profiles module
--------------------------------

.. automodule:: winregrc.scripts.profiles
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.programscache module
-------------------------------------

.. automodule:: winregrc.scripts.programscache
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.sam module
---------------------------

.. automodule:: winregrc.scripts.sam
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.services module
--------------------------------

.. automodule:: winregrc.scripts.services
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.shellfolders module
------------------------------------

.. automodule:: winregrc.scripts.shellfolders
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.srum\_extensions module
----------------------------------------

.. automodule:: winregrc.scripts.srum_extensions
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.sysinfo module
-------------------------------

.. automodule:: winregrc.scripts.sysinfo
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.syskey module
------------------------------

.. automodule:: winregrc.scripts.syskey
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.task\_cache module
-----------------------------------

.. automodule:: winregrc.scripts.task_cache
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.time\_zones module
-----------------------------------

.. automodule:: winregrc.scripts.time_zones
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.type\_libraries module
---------------------------------------

.. automodule:: winregrc.scripts.type_libraries
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.usbstor module
-------------------------------

.. automodule:: winregrc.scripts.usbstor
   :members:
   :show-inheritance:
   :undoc-members:

winregrc.scripts.userassist module
----------------------------------

.. automodule:: winregrc.scripts.userassist
   :members:
   :show-inheritance:
   :undoc-members:

Module contents
---------------

.. automodule:: winregrc.scripts
   :members:
   :show-inheritance:
   :undoc-members:


================================================
FILE: docs/sources/application-keys/7-Zip.md
================================================
# 7-Zip

**TODO this page currently contains rough notes, fine tune these**

The 7-Zip application uses the following Windows Registry key to store various
user specific information.

```
HKEY_CURRENT_USER\Software\7-Zip
```

Sub keys:

Name | Description
--- | ---
FM |

Values:

Name | Data type | Description
--- | --- | ---
Lang | | Language tag, for example "en-US" or "-" if empty.

## 7-Zip FM sub key

Sub keys:

Name | Description
--- | ---
Columns |

Values:

Name | Data type | Description
--- | --- | ---
FlatViewArc# | | Where # is a numeric value e.g. 0 or 1
FolderShortcuts | |
FolderHistory | | Contains a list of UTF-16 little-endian encoded strings with an end-of-string character
ListMode | |
Panels | |
PanelPath# | | Where # is a numeric value e.g. 0 or 1 <br> Contains an UTF-16 little-endian encoded string
Position | |

### 7-Zip FM Columns sub key

Values:

Name | Data type | Description
--- | --- | ---
7-Zip.Rar | REG_BINARY |
7-Zip.7z | REG_BINARY |



================================================
FILE: docs/sources/application-keys/CCleaner.md
================================================
# CCleaner

**TODO this page currently contains rough notes, fine tune these**

The CCleaner application uses the following Windows Registry key to store its
configuration.

```
HKEY_CURRENT_USER\Software\Piriform\CCleaner
```

Values:

Name | Data type | Description
--- | --- | ---
(App)Program Name | REG_SZ |
AutoClose | | Automatically close program after cleaning, where 0 = Disabled and 1 = Enabled
BackupDir | | Default path for the Issues Registry back up
BackupPrompt | | Prompts user to back up the contents of the Issues Registry before removing them, where 0 = Disabled and 1 = Enabled
BrowserMonitoring | | Whether automatic browser cleaning is active (CCleaner Professional), where 0 = Disabled and 1 = Enabled
CookiesToSave | REG_SZ | Lists of cookies to preserve
DefaultDetailedView | | Show detailed view screen (for the whole analysis or cleaning) after the operation finishes, where 0 = Disabled and 1 = Enabled
DelayTemp | | Delete temporary (Windows) files older than 48 hours, where 0 = Disabled and 1 = Enabled
FFDetailed | | Display a detailed log of Firefox/Mozilla temporary files, where 0 = Disabled and 1 = Enabled
HideWarnings | | Hide warnings when advanced items are selected in the cleaning options tree, where 0 = Disabled and 1 = Enabled
HomeScreen | | Starts on Health Check or Custom Clean, where 0 = Custom Clean and 1 = Health Check
IEDetailed | | Display a detailed log of Internet Explorer temporary files, where 0 = Disabled and 1 = Enabled
Language | | Language, contains a locale identifier (LCID).
MinimizeSystemTray | | Minimize program to system tray on close, where 0 = Disabled and 1 = Enabled
Monitoring | | Have Smart Cleaning, where 0 = Disabled and 1 = Enabled
MSG_CONFIRMCLEAN | | Ask for confirmation before starting the Cleaning operation, where the value can be "True" or "False"
MSG_WARNCHROMECACHE | | Warn when cleaning the Internet Cache in Google Chrome, where the value can be "True" or "False"
MSG_WARNMOZCACHE | | Warn when cleaning the Internet Cache in Mozilla Firefox, where the value can be "True" or "False"
RunICS | | No longer used, will automatically be set to 0
SecureDeleteMethod | | Secure deletion method, where 0 = Simple Overwrite (1 pass), 1 = DOD 5220.22-M (3 passes), 2 = NSA (7 passes) or 3 = Gutmann (35 passes)
SecureDeleteType | | Use a secure deletion method, where 0 = Disabled and 1 = Enabled
SystemMonitoring | | Activate System Smart Cleaning (or Active Monitoring for CCleaner Professional), where 0 = Disabled and 1 = Enabled
SystemMonitoringSavingsAction | | System Smart Cleaning (or Active Monitoring for CCleaner Professional) mode, where 3 = "prompt to clean", 4 = "auto clean with notification" and 5 = "auto clean without notification"
UpdateBackgroundCheck | | Check for software updates every 10 minutes (after program start), where 0 = Disabled and 1 = Enabled
UpdateKey | REG_SZ | The last update check date and time formatted as: "MM/DD/YYYY hh:mm:ss [A|P]M", for example "07/13/2013 10:03:14 AM".
WINDOW_HEIGHT | REG_SZ | Window height dimension in number of pixels.
WINDOW_LEFT | REG_SZ | Window left position in number of pixels.
WINDOW_MAX | REG_SZ | Window is maximized, where 0 = not maximized
WINDOW_TOP | REG_SZ | Window top position in number of pixels.
WINDOW_WIDTH | REG_SZ | Window width dimension in number of pixels.
WipeMFTFreeSpace | | Wipe free space in the NTFS Master File Table (MFT), where 0 = Disabled and 1 = Enabled

## (App)Program Name

These entries indicate programs that are not part of the default set of enabled
Cleaning Rules, and whether they should be cleaned.

Note: Making an entry of "App(Your Program)]=true" will not allow CCleaner to
clean it, as you would instead need to use the methods listed here.

True = Checkbox selected when you start CCleaner.
False = Checkbox cleared when you start CCleaner.

Known Cleaning Rules:

* (App)Cookies, contains "True" if the cookies should be cleaned;
* (App)Delete Index.dat files
* (App)History
* (App)Last Download Location
* (App)Other Explorer MRUs
* (App)Recent Documents
* (App)Recently Typed URLs
* (App)Run (in Start Menu)
* (App)Temporary Internet Files
* (App)Thumbnail Cache

## IncludeX (e.g. Include1, Include2)

Custom files or folders that should be included in cleaning

[PATH|FILE]|Path|Filename

## ExcludeX (e.g. Exclude1, Exclude2)

Custom files or folders that should be excluded from cleaning.

[REG|PATH|FILE]|Path|Filename

## FinderIncludeX (e.g. FinderInclude1, FinderInclude2)

Drives or folders for CCleaner to use when searching for duplicate files.

PATH|PATH\|Filetype|[RECURSE]

## FinderIncludeStates

Whether the checkboxes have been checked or unchecked for folders referenced
by FinderIncludeX.

0 = Cleared
1 = Selected

For example, if there are three FinderIncludeX statements, you can specify the
checked/cleared status using the pipe symbol:

FinderIncludeStates=1|0|1 would check the first and last items, and the middle
one would be unchecked.

## External Links

* [Writing a CCleaner RegRipper Plugin Part 1](https://cheeky4n6monkey.blogspot.com/2012/02/writing-ccleaner-regripper-plugin-part.html)
* [Writing a CCleaner RegRipper Plugin Part 2](http://cheeky4n6monkey.blogspot.com/2012/02/writing-ccleaner-regripper-plugin-part_05.html)



================================================
FILE: docs/sources/application-keys/MSDN-web-browser.md
================================================
# MSDN web browser

**TODO this page currently contains rough notes, fine tune these**

```
HKEY_CURRENT_USER\Software\Microsoft\MSDN\9.0\WebBrowser\MRU
```

Values:

Name | Data type | Description
--- | --- | ---
%NUMERIC% | REG_SZ | Where %NUMERIC% is a string in the form: "[0-9]+"



================================================
FILE: docs/sources/application-keys/Microsoft-Office.md
================================================
# Microsoft Office

**TODO this page currently contains rough notes, fine tune these**

## Microsoft Outlook keys

```
HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Outlook\
```

Where %VERSION% corresponds to:

Value | Description
--- | ---
8.0 | Outlook 97
8.5 | Outlook 98
9.0 | Outlook 2000
10.0 | Outlook 2002/XP
11.0 | Outlook 2003
12.0 | Outlook 2007
14.0 | Outlook 2010
15.0 | Outlook 2013

Values:

Name | Data type | Description
--- | --- | ---
ForcePSTPath | REG_EXPAND_SZ |

```
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Catalog
```

```
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Search\Catalog
```

```
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Search
```

Values:

Name | Data type | Description
--- | --- | ---
%FILENAME% | REG_DWORD |

Where %FILENAME% is the full filename of the Outlook file.

```
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Search\Catalog
```

Values:

Name | Data type | Description
--- | --- | ---
%FILENAME% | REG_BINARY |

Where %FILENAME% is the full filename of the Outlook file.

The "file/options/search" option that allows searching through "deleted items" is controlled by:

```
Key: HKCU\Software\Microsoft\Office\14.0\Outlook\Search
Value: IncludeDeletedItems
```

Where the value data is:

```
1 = Yes
```

Outlook generates log files in %temp%\Outlook logging:

```
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\version number\Outlook\Search
Value: EnableLogging = 0xffff0000
```

Protected View mode

```
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security
Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\Outlook\Security
Value: MarkInternalAsUnsafe
```

Where the value data is:

```
1 = Yes
```

### Offline Address Book (OAB)

```
HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Outlook\Cached Mode
```

Values:

Name | Data type | Description
--- | --- | ---
DownloadOAB | REG_DWORD |

Setting the value to zero prevents Offline Address Book (OAB) download and 
forces Outlook to use the global address list. If the "Cached Mode" key does 
not exist, create it.

### Secure Temp Folder

```
HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Outlook\Security
```

Values:

Name | Data type | Description
--- | --- | ---
OutlookSecureTempFolder | REG_SZ |

## Most Recently Used (MRU) keys

### File Name MRU keys

Values:

Name | Data type | Description
--- | --- | ---
Maximum Entries | | Numeric value
Value | | Numeric value

```
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\Open\File Name MRU
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Open Find\Microsoft Office Excel\Settings\Save As\File Name MRU
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Excel\Settings\Open\File Name MRU
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Excel\Settings\Save As\File Name MRU
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Save As\File Name MRU
```

### Item MRU keys

Values:

Name | Data type | Description
--- | --- | ---
%ITEM% | | Where %ITEM% is a string in the form: "Item [0-9]+"

```
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\File MRU
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Options\MRUFuncs
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\PowerPoint\File MRU
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\PowerPoint\RecentAnimationList\EntranceMRU
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\PowerPoint\RecentAnimationList\EmphasisMRU
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\PowerPoint\RecentAnimationList\ExitMRU
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\PowerPoint\RecentAnimationList\MotionPathMRU
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\PowerPoint\Slide Libraries\Taskpane MRU
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\File MRU
```

Every %ITEM% value contains:

in Office 12

```
[F00000000][T%FILETIME%]*\\%FILENAME%
```

in Office 14

```
[F00000000][T%FILETIME%][O00000000]*%FILENAME%
```

Where T%FILETIME% contains a FILETIME timestamp as a hexadecimal string (base-16), in upper case, e.g. T01CD10EC460129A0

### Other MRU keys

Find Contact toolbar button (Outlook 97 – 2003)

```
HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Outlook\Contact\QuickFindMRU\QuickfindMRU
```

Find Pane’s Look in list

```
HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Outlook\Contact\StripSearchMRU\StripSearchMRU
```

Appointment Locations

```
HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Outlook\Preferences\LocationMRU
```

Advanced Find’s Search for Word(s)

```
HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Outlook\Office Finder\MRU 1
```

Advanced Find’s More Choices, Categories

```
HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Outlook\Office Finder\MRU 3
```

Choose Form dialog (New Item-> More Items-> Choose Form) (Outlook 2010 – 2013)

```
HKEY_CURRENT_USER\Software\Microsoft\Office\%VERSION%\Outlook\Office 
```

## External links

* [Administering the offline address book in Outlook](https://support.microsoft.com/en-us/topic/administering-the-offline-address-book-in-outlook-51958cc8-684a-83f9-aea5-97d4dddc0af4)



================================================
FILE: docs/sources/application-keys/Terminal-server-client.md
================================================
# Terminal server client

The most recently used (MRU) connections of the Terminal server client can
be found in the key:

```
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
```

Values:

Name | Data type | Description
--- | --- | ---
MRU# | REG_SZ | The most recently used connection. <br> Where # is a string in the form: "[0-9]+"

The contents of MRU# is either an IP address, e.g. 192.168.16.60, or a hostname, e.g. computer.domain.com.

## External Links

* [How to Remove Entries from the Remote Desktop Connection Computer Box](https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer)



================================================
FILE: docs/sources/application-keys/WinRAR.md
================================================
# WinRAR

**TODO this page currently contains rough notes, fine tune these**

The WinRAR application uses the following Windows Registry key to store various
user specific information.

```
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ArcName
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
```

Values:

Name | Data type | Description
--- | --- | ---
%ITEM% | REG_SZ | Where %ITEM% is a string in the form: "[0-9]+"



================================================
FILE: docs/sources/application-keys/index.rst
================================================
################
Application keys
################

.. toctree::
   :maxdepth: 1

   7-Zip <7-Zip>
   CCleaner <CCleaner>
   Microsoft Office <Microsoft-Office>
   Terminal server client <Terminal-server-client>
   WinRAR <WinRAR>


================================================
FILE: docs/sources/explorer-keys/Bit-bucket.md
================================================
# Bit bucket

The Windows Explorer bit bucket key contains Recycler configuration
properties and information about the Recycler of connected volumes.

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
```

Seen on Windows 2000, XP and 2003.

Sub keys:

Name | Description
--- | ---
%NAME% | Where %NAME% contains a drive letter, for example "c"

Values:

Name | Data type | Description
--- | --- | ---
NoRecycleFiles | REG_DWORD | 
NukeOnDelete | REG_DWORD | 
Percent | REG_DWORD | 
UseGlobalSettings | REG_DWORD | 

## BitBucket\\%NAME% sub key

Values:

Name | Data type | Description
--- | --- | ---
IsUnicode | REG_DWORD | 
VolumeSerialNumber | REG_DWORD | 



================================================
FILE: docs/sources/explorer-keys/Control-panel-item-identifiers.md
================================================
# Control panel item identifiers

A control panel item identifier is a GUID that identifies a specific control
panel item.

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{%GUID%}
```

Values:

Name | Data type | Description
--- | --- | ---
Category | REG_DWORD | 
(default) | REG_SZ | Module name of the control panel item
PreferredPlan | REG_SZ |



================================================
FILE: docs/sources/explorer-keys/Delegate-folders.md
================================================
# Delegate folders keys

Windows Explorer uses delegate folders to provide alternative graphical
representations.

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\*\NameSpace\DelegateFolders\{%GUID%}
```

Values:

Name | Data type | Description
--- | --- | ---
(default) | REG_SZ | Name (or description) of the delegate folder.

## External links

* [DELEGATEITEMID structure (shobjidl_core.h)](https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/ns-shobjidl_core-delegateitemid)



================================================
FILE: docs/sources/explorer-keys/Known-folder-identifiers.md
================================================
# Known folder identifier keys

A known folder identifier is a GUID that identifies a system folder. It was
introduced in Windows Vista to replace the constant special item identifier list
(CSIDL).

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
```

Values:

Name | Data type | Description
--- | --- | ---
Attributes | REG_DWORD | 
Category | REG_DWORD | 
Name | REG_SZ | Name of the known folder
LocalizedName | REG_EXPAND_SZ | Localized name of the known folder
ParentFolder | REG_SZ | Path of the parent directory known folder, can contain a known folder identifier
PreCreate | REG_DWORD | 
RelativePath | REG_SZ | Relative path of the known folder

### LocalizedName value data

The LocalizedName value contains a localized version of the folder name, e.g.
on Windows XP the folder identifier key:

```
HKEY_CLASSES_ROOT\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103}
```

Has a LocalizedString value with the following data:

```
@%SystemRoot%\system32\SHELL32.dll,-9227
```

Which is the [MUI Form](https://winreg-kb.readthedocs.io/en/latest/sources/windows-registry/MUI-form.html)
for "My Documents".

## External links

* [libfwsi: Known Folder Identifiers](https://github.com/libyal/libfwsi/wiki/Known-Folder-Identifiers)



================================================
FILE: docs/sources/explorer-keys/MUI-cache.md
================================================
# Multilingual User Interface (MUI) cache

Seen on Windows XP and 2003

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
```

Seen on Windows Vista and later

```
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
```



================================================
FILE: docs/sources/explorer-keys/Most-recently-used.md
================================================
# Most recently used (MRU)

The Windows Registry contains various keys with information about Most Recently
Used (MRU) files. Windows Explorer (or Windows shell) uses such keys
extensively. Several different variants of MRU keys are known to be used, such as:

* Keys with a MRUList value
* Keys with a MRUListEx value
* BagMRU key

## Keys with a MRUList value

Values:

Name | Data type | Description
--- | --- | ---
MRUList | | Contains a list of the most recently used (MRU) items. <br/> Consists of an array of UTF-16 little-endian formatted character values. <br/> The first value represents the most recently used item, the second the second most recently used item and so forth. The last value indicates the end of the list and should be 0 (0x0000).
%ALPHA% | | Where %ALPHA% is a string in the form: "[a-z]" <br/> The value name corresponds to a string value in the MRUList value. E.g. a MRUList value of "a" (0x0061) corresponds to the value "a".

### String MRUList values

The following keys with a MRUList value contain %ALPHA% values that consist of
a UTF-16 little-endian formatted string with an end-of-string character.

Sub keys of: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\`

Registry key | Windows version | Description
--- | --- | ---
ComDlg32\LastVisitedMRU | 2000, XP |
ComDlg32\OpenSaveMRU\%EXTENSION% | 2000, XP | <br/> Where %EXTENSION% is a file extension like "exe" or "\*"
Doc Find Spec MRU | | Most recently used "Find Files" commands
FileExts\%EXTENSION%\OpenWithList | 2000, XP, Vista | Most recently used "Open With" commands <br/> Where %EXTENSION% is a file extension like ".exe"
FindComputerMRU | | Most recently used "Find Computer" commands
Map Network Drive MRU | XP | Most recently used mapped network drives
PrnPortsMRU | | Most recently used printer ports
RecentDocs | 2000, XP |
RecentDocs\%EXTENSION% | 2000, XP | <br/> Where %EXTENSION% is a file extension like ".exe" or "Folder"
RunMRU | NT4, 2000, XP, Vista | Most recently used "Run" commands
WordWheelQuery | |

### Shell Item List MRUList values

The following keys with a MRUList value contain %ALPHA% values that consist of
a Shell Item List.

Sub keys of: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\`

Registry key | Windows version | Description
--- | --- | ---
DesktopStreamMRU | NT4 | How icons are arranged on the desktop. <br/> Although the key is present on later versions of Windows it does not seem to be used anymore.

## Keys with a MRUListEx value

Values:

Name | Data type | Description
--- | --- | ---
MRUListEx | | Contains a list of the most recently used (MRU) items. <br/> Consists of an array of 4-byte little-endian values. <br/> The first value represents the most recently used item, the second the second most recently used item and so forth. The last value indicates the end of the list and should be -1 (0xffffffff).
%NUMERIC% | | Where %NUMERIC% is a string in the form: "[0-9]+" <br/> The value name corresponds to a 4-byte numeric value in the MRUListEx value. E.g. a MRUListEx value of 0x00000001 corresponds to the value named "1".

The value data of the numeric value depends on the sub key.

### String MRUListEx values

The following keys with a MRUListEx value contain %NUMERIC% values that
consist of a UTF-16 little-endian formatted string with an end-of-string
character.

### Shell Item List MRUListEx values

The following keys with a MRUListEx value contain %NUMERIC% values that
consist of a Shell Item List.

Sub keys of: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\`

Registry key | Windows version | Description
--- | --- | ---
ComDlg32\OpenSavePidlMRU\%EXTENSION% | Vista | <br/> Where %EXTENSION% is a file extension like "exe" or "\*"
StreamMRU | 2000, XP |

### String and Shell Item MRUListEx values

The following keys with a MRUListEx value contain %NUMERIC% values that
consist of a String and Shell Item. The String and Shell Item is variable in
size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | ... | | The filename stored as an UTF-16 little-endian formatted string with end-of-string character
... | ... | | The filename stored as a Shell Item. <br/> The Shell Item is empty if not set.

Sub keys of: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\`

Registry key | Windows version | Description
--- | --- | ---
RecentDocs | Vista |
RecentDocs\%EXTENSION% | Vista | Where %EXTENSION% is a file extension like .exe or Folder

### String and Shell Item List MRUListEx values

The following keys with a MRUListEx value contain %NUMERIC% values that
consist of a String and Shell Item List. The String and Shell Item List is
variable in size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | ... | | The filename stored as an UTF-16 little-endian formatted string with end-of-string character
... | ... | | The path stored as a Shell Item List. <br/> The first Shell Item is empty if not set.

Sub keys of: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\`

Registry key | Windows version | Description
--- | --- | ---
ComDlg32\LastVisitedPidlMRU | Vista, 7 |

## BagMRU key

The values in the BagMRU and sub keys are also referred to as "shellbags".

BagMRU keys as of XP (stored in NTUSER.DAT)

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
```

Additional BagMRU keys as of Vista (stored in USRCLASS.DAT)

```
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\ShellNoRoam\BagMRU
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\ShellNoRoam\BagMRU
```

Seen in Windows 7:

```
HKEY_CURRENT_USER\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
```

The BagMRU sub keys form a hierarchy similar to a folder structure.

Values:

Name | Data type | Description
--- | --- | ---
NodeSlot | REG_DWORD | Contains the node slot index number (also referred to as bag number) <br/> This number corresponds to the name of the corresponding Bags sub key. <br/> E.g. bag number 1 in HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU relates to the Bags sub key HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1
NodeSlots | | Only present in the root BagMRU key.
MRUListEx | REG_BINARY | Contains a list of the most recently used (MRU) items. <br/> Consists of an array of 4-byte little-endian values. <br/> The first value represents the most recently used item, the second the second most recently used item and so forth. The last value indicates the end of the list and should be -1 (0xffffffff).
%NUMERIC% | REG_BINARY | Where %NUMERIC% is a string in the form: "[0-9]+" <br/> The value name corresponds to a 4-byte numeric value in the MRUListEx value. E.g. a MRUListEx value of 0x00000001 corresponds to the value named "1". <br/> Contains a shell item

### Bag number shell sub key

The numbered sub keys of the Bags key have a Shell sub key e.g.

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Shell
```

This key contains various values:

Name | Data type | Description
--- | --- | ---
Address | |
Buttons | |
Col | |
ColInfo | |
FolderType | |
FFlags | |
HotKey | |
Links | |
MinPos%GEOMETRY%(1).bottom | | Where %GEOMETRY% is the screen geometry in the form 1100x705
MinPos%GEOMETRY%(1).left | | Where %GEOMETRY% is the screen geometry in the form 1100x705
MinPos%GEOMETRY%(1).right | | Where %GEOMETRY% is the screen geometry in the form 1100x705
MinPos%GEOMETRY%(1).top | | Where %GEOMETRY% is the screen geometry in the form 1100x705
MinPos%GEOMETRY%(1).x | | Where %GEOMETRY% is the screen geometry in the form 1100x705
MinPos%GEOMETRY%(1).y | | Where %GEOMETRY% is the screen geometry in the form 1100x705
Mode | |
Rev | |
ScrollPos%GEOMETRY%(1).x | | Where %GEOMETRY% is the screen geometry in the form 1100x705
ScrollPos%GEOMETRY%(1).y | | Where %GEOMETRY% is the screen geometry in the form 1100x705
ShowCmd | |
Sort | |
SortDir | |
Vid | |
WFlags | |

## Notes

This section contains some notes on explorer MRU keys that need to be completed.

### Wallpaper MRU key MRUListEx value

Sub keys of: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\`

Registry key | Windows version | Description
--- | --- | ---
Wallpaper\MRU | XP, 2003 | Most recently used wallpapers

```
00000000  43 00 3a 00 5c 00 57 00  49 00 4e 00 44 00 4f 00  |C.:.\.W.I.N.D.O.|
00000010  57 00 53 00 5c 00 42 00  6c 00 75 00 65 00 20 00  |W.S.\.B.l.u.e. .|
00000020  4c 00 61 00 63 00 65 00  20 00 31 00 36 00 2e 00  |L.a.c.e. .1.6...|
00000030  62 00 6d 00 70 00 00 00  70 00 00 00 00 00 00 00  |b.m.p...p.......|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 78 01 08 00  00 00 00 00 00 00 00 00  |....x...........|
00000060  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 28 f6 0b 00  00 00 00 00 70 4b 0c 00  |....(.......pK..|
000000b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  28 f6 0b 00 00 00 00 00  |........(.......|
000000d0  78 5b 0c 00 00 00 00 00  20 f6 0b 00 00 00 00 00  |x[...... .......|
000000e0  78 01 08 00 00 00 00 00  00 00 00 00 00 00 00 00  |x...............|
000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000110  00 00 00 00 00 00 00 00  78 01 08 00 92 02 00 00  |........x.......|
00000120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000170  00 00 00 00 00 00 00 00  28 f6 0b 00 00 00 00 00  |........(.......|
00000180  01 02 00 00 00 00 00 00  68 4b 0c 00 08 10 00 00  |........hK......|
00000190  68 4b 0c 00 00 00 00 00  70 4b 0c 00 78 01 08 00  |hK......pK..x...|
000001a0  08 10 00 00 2f 2d f4 77  51 8e e4 77 f8 00 00 00  |..../-.wQ..w....|
000001b0  00 00 00 00 00 00 00 00  00 00 00 00 50 f4 a2 00  |............P...|
000001c0  70 4b 0c 00 00 10 00 00  03 00 00 00 28 8d e4 77  |pK..........(..w|
000001d0  f4 dc 0b 00 36 8e e4 77  04 01 00 00 ab 3d 29 77  |....6..w.....=)w|
000001e0  40 fd a2 00 00 00 00 00  d6 0f 00 00 a8 4e 0c 00  |@............N..|
000001f0  00 d0 fd 7f 00 00 00 00  be 20 08 00 01 00 00 00  |......... ......|
00000200  e0 dc 0b 00 08 00 00 00  30 00 00 00 30 00 00 00  |........0...0...|
00000210  00 60 a9 0f c6 f2 c2 01                           |.`......|
```

### Explorer MRUList

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MRU
```

### CIDSizeMRU MRUListEx

Seen on Windows Vista

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
```

```
00000000  66 00 69 00 72 00 65 00  66 00 6f 00 78 00 2e 00  |f.i.r.e.f.o.x...|
00000010  65 00 78 00 65 00 00 00  00 00 00 00 00 00 00 00  |e.x.e...........|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
...
00000200  00 00 00 00 00 00 00 00  12 00 00 00 0b 00 00 00  |................|
00000210  22 04 00 00 15 03 00 00  00 00 00 00 00 00 00 00  |"...............|
00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000230  00 00 00 00 00 00 00 00  1a 00 00 00 27 00 00 00  |............'...|
00000240  7c 02 00 00 d6 00 00 00  00 00 00 00 00 00 00 00  |...............|
```

MRUListEx

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
```

Contains a UTF-16 little-endian formatted string.

## External Links

* [Windows Shell Item format specification](https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc)



================================================
FILE: docs/sources/explorer-keys/Mount-points.md
================================================
# Mount points

## MountPoints

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints
```

Seen on:

* Windows 2000

Sub keys:

Name | Description
--- | ---
%NAME% | Where %NAME% contains the name of the mount point (or drive mapping).

Where the following forms of %NAME% have been observed:

* Drive letter, for example "C"

### MountPoints name sub key

Sub keys:

Name | Description
--- | ---
`_Autorun` |
`_DIL` |
`_LabelFromReg` |

Values:

Name | Data type | Description
--- | --- | ---
`_UB` | REG_BINARY | 
BaseClass | REG_SZ | 
Version | REG_DWORD | 

## MountPoints2

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
```

Seen on:

* Windows XP
* Windows 2003
* Windows Vista
* Windows 2008
* Windows 7
* Windows 8.0
* Windows 8.1
* Windows 10

Sub keys:

Name | Description
--- | ---
CPC | (Introduced in Windows Vista?)
CPC\LocalMOF | (Introduced in Windows 7?)
CPC\Volume | (Introduced in Windows Vista?)
%NAME% | Where %NAME% contains the name of the mount point (or drive mapping).

Where the following variants of %NAME% have been observed:

* Drive letter, for example "C"
* Volume identifier (GUID), for example "{01234567-89ab-cdef-0123-456789abcdef}"
* UNC path, for example "##1.2.3.4#username"

### MountPoints2 name sub key

Sub keys:

Name | Description
--- | ---
`_Autorun` |
`_Autorun\Action` |
`_Autorun\DefaultIcon` |
`_Autorun\DefaultLabel` |
Shell |
Shell\Autoplay |
Shell\Autoplay\DropTarget |
Shell\AutoRun |
Shell\AutoRun\Command |

Values:

Name | Data type | Description
--- | --- | ---
BaseClass | REG_SZ | 



================================================
FILE: docs/sources/explorer-keys/Program-cache.md
================================================
# Program cache

The Windows explorer ProgramsCache Registry values can be stored in
the following Windows Registry keys.

* Explorer\\StartPage key
* Explorer\\StartPage2 key

## Explorer\\StartPage key

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
```

Seen in Windows XP, 2003 and Vista.

Values:

Name | Data type | Description
--- | --- | ---
ProgramsCache | REG_BINARY | All the started programs. <br> <mark style="background-color: yellow">**Contains a Jump list?**</mark>

## Explorer\\StartPage2 key

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
```

Seen in Windows 7.

Values:

Name | Data type | Description
--- | --- | ---
ProgramsCache | REG_BINARY | All the started programs. <br> <mark style="background-color: yellow">**Contains a Jump list?**</mark>
ProgramsCacheSMP | REG_BINARY | The applications pinned to the Start Menu. <br> Contains a Jump list.
ProgramsCacheTBP | REG_BINARY | The applications pinned to the Taskband. <br> Contains a Jump list.

Note that the format of the ProgramsCache value data slightly differs from that
of the ProgramsCacheSMP and ProgramsCacheTBP value data.

## ProgramsCache value data format

ProgramsCacheSMP - Empty list

```
00000000  01 00 00 00                                       |.........|
00000000              00 00 00 00                           |.........|
00000000                           02                       |.........|
```

ProgramsCacheTBP

```
0x00000000  01 00 00 00 0b 00 00 00  01 aa 02 00 00           ................

0x00000000  01 00 00 00 07 00 00 00  01 0e 03 00 00           ................

00000000  01 00 00 00                                       |................|
number of entries?
00000000              0e 00 00 00                           |................|
start of entry marker?
00000000                           01                       |................|
relative offset to next entry?
00000000                              f2 02 00 00           |................|
00000000                                          14 00 1f  |................|

shell item list
00000010  80 c8 27 34 1f 10 5c 10  42 aa 03 2e e4 52 87 d6  |..'4..\.B....R..|
...
000002f0  00 78 00 65 00 00 00 00  00 00 00 1c 00           |.x.e............|
end of list?
000002f0                                          00 00     |.x.e............|
start of entry marker?
000002f0                                                01  |.x.e............|
00000300  3c 02 00 00                                       |<........'4..\.B|

shell item list
00000300              14 00 1f 80  c8 27 34 1f 10 5c 10 42  |<........'4..\.B|
...
00000bb0  4f 00 4b 00 2e 00 45 00  58 00 45 00 00 00 00 00  |O.K...E.X.E.....|
00000bc0  00 00 1c 00                                       |.......|
end of list?
00000bc0              00 00                                 |.......|
00000bc0                    02                              |.......|
```

StartPage2\ProgramsCache

```
Windows 7
00000000  13 00 00 00 c3 53 5b 62  48 ab c1 4e ba 1f a1 ef  |.....S[bH..N....|
00000010  41 46 fc 19 00 80 00 00  00                       |AF.......~.1....|

shell item list?
00000010                              7e 00 31 00 00 00 00  |AF.......~.1....|
00000020  00 6a 3d 6c 3e 11 00 50  72 6f 67 72 61 6d 73 00  |.j=l>..Programs.|
00000030  00 66 00 08 00 04 00 ef  be 6a 3d 53 3e 6a 3d 6c  |.f.......j=S>j=l|
00000040  3e 2a 00 00 00 c1 e2 00  00 00 00 01 00 00 00 00  |>*..............|
00000050  00 00 00 00 00 3c 00 00  00 00 00 50 00 72 00 6f  |.....<.....P.r.o|
00000060  00 67 00 72 00 61 00 6d  00 73 00 00 00 40 00 73  |.g.r.a.m.s...@.s|
00000070  00 68 00 65 00 6c 00 6c  00 33 00 32 00 2e 00 64  |.h.e.l.l.3.2...d|
00000080  00 6c 00 6c 00 2c 00 2d  00 32 00 31 00 37 00 38  |.l.l.,.-.2.1.7.8|
00000090  00 32 00 00 00 18 00 00  00                       |.2........<...:.|

00000090                              01 3c 02 00 00        |.2........<...:.|

shell item list?
00000090                                             3a 02  |.2........<...:.|
000000a0  32 00 85 05 00 00 30 3f  97 a9 20 00 49 4e 54 45  |2.....0?.. .INTE|
000000b0  52 4e 7e 31 2e 4c 4e 4b  00 00 b8 00 08 00 04 00  |RN~1.LNK........|
000000c0  ef be 6a 3d 6c 3e 6a 3d  6c 3e 2a 00 00 00 b8 e3  |..j=l>j=l>*.....|

...
00012e80  00 00 00 00 00 00 1c 00  00 00 02                 |...........|


0x00019890  6d 00 2e 00 65 00 78 00  65 00 00 00 00 00 00 00  m...e.x.e.......
0x000198a0  20 00 00 00                                        ......9....O.'H

TODO: edge case or remnant data?
0x000198a0              02 ab 95 39  9e 9c 1f 13 4f b8 27 48   ......9....O.'H
0x000198b0  b2 4b 6c 71 74 00                                 .Klqt.T...R.1...

0x000198b0                    54 00  00 00 52 00 31 00 00 00  .Klqt.T...R.1...
0x000198c0  00 00 0c 3d a4 33 11 00  54 61 73 6b 42 61 72 00  ...=.3..TaskBar.
0x000198d0  3c 00 08 00 04 00 ef be  0c 3d a4 33 0c 3d a4 33  <........=.3.=.3
0x000198e0  2a 00 00 00 69 ee 00 00  00 00 04 00 00 00 00 00  *...i...........
```

StartPage\ProgramsCache

```
Windows XP and 2003
00000000  09 00 00 00 0b 00                                 |......V...T.1...|

data size
00000000                    56 00  00 00                    |......V...T.1...|
shell item list
00000000                                 54 00 31 00 00 00  |......V...T.1...|
00000010  00 00 04 3b a3 79 11 00  50 72 6f 67 72 61 6d 73  |...;.y..Programs|
00000020  00 00 3c 00 03 00 04 00  ef be 04 3b 8c 79 04 3b  |..<........;.y.;|
00000030  a3 79 14 00 26 00 50 00  72 00 6f 00 67 00 72 00  |.y..&.P.r.o.g.r.|
00000040  61 00 6d 00 73 00 00 00  40 73 68 65 6c 6c 33 32  |a.m.s...@shell32|
00000050  2e 64 6c 6c 2c 2d 32 31  37 38 32 00 18 00 00 00  |.dll,-21782.....|

00000060  01 d4 00 00 00                                    |.......2.#....;.|

00000060                 d2 00 32  00 23 03 00 00 04 3b a3  |.......2.#....;.|
00000070  79 20 00 49 4e 54 45 52  4e 7e 31 2e 4c 4e 4b 00  |y .INTERN~1.LNK.|
00000080  00 42 00 03 00 04 00 ef  be 04 3b a3 79 04 3b a3  |.B........;.y.;.|
...
0x000003e0  1c 00 00 00                                       .........T.1....
sentinel of 0x00 seen before shell item list with more than one shell item?
0x000003e0              00 b0 00 00  00                       .........T.1....
shell item list
0x000003e0                              54 00 31 00 00 00 00  .........T.1....
0x000003f0  00 04 3b a3 79 11 00 50  72 6f 67 72 61 6d 73 00  ..;.y..Programs.
...
0x00001020  00 00 00 00 00 1c 00 00  00                       ................
unknown data 9 bytes (0x02 end marker?)
0x00001020                              02 16 00 02 00 00 00  ................
0x00001030  00 00                                             .........2.....:
data size
0x00001030        01 ea 00 00 00                              .........2.....:
shell item list
0x00001030                       e8  00 32 00 1b 06 00 00 3a  .........2.....:
...
0x00004a40  00 65 00 78 00 65 00 00  00 00 00 1c 00 00 00     .e.x.e..........
unknown data 11 bytes
0x00004a40                                                02  .e.x.e..........
0x00004a50  10 02 19 00 02 00 00 00  00 00                    ................
0x00004a50                                 01 ca 00 00 00     ................
0x00004a50                                                c8  ................
0x00004a60  00 32 00 42 06 00 00 04  3b 12 7a 20 00 4d 4f 5a  .2.B....;.z .MOZ
...
00004b10  00 65 00 66 00 6f 00 78  00 2e 00 65 00 78 00 65  |.e.f.o.x...e.x.e|
00004b20  00 00 00 00 00 1c 00 00  00                       |..........|
00004b20                              02                    |..........|
```

```
Windows Vista (c3535b62-48ab-c14e-ba1f-a1ef4146fc19 FOLDERID_StartMenu)

0x00000000  0c 00 00 00 c3 53 5b 62  48 ab c1 4e ba 1f a1 ef  .....S[bH..N....
0x00000010  41 46 fc 19                                       AF...|...z.1....
0x00000010              00 7c 00 00  00                       AF...|...z.1....
...
0x00009fe0  72 00 33 00 32 00 2e 00  65 00 78 00 65 00 00 00  r.3.2...e.x.e...
0x00009ff0  00 00 00 00 1c 00 00 00                           .........a.O..M.

TODO: edge case or remnant data?
0x00009ff0                           02 61 ae 4f 05 d8 4d 87  .........a.O..M.
0x0000a000  47 80 b6 09 02 20 c4 b7  00 02                    G.... ....
```

Value data header Windows XP and 2003.

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 0x00000009 | Format version
4 | 2 | 0x000b | <mark style="background-color: yellow">**Unknown**</mark>

Value data header Windows Vista.

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 0x0000000c | Format version
4 | 16 | | Known folder identifier <br> Contains a GUID <br> c3535b62-48ab-c14e-ba1f-a1ef4146fc19 (FOLDERID_StartMenu)
20 | 1 | | <mark style="background-color: yellow">**Unknown (sentinel?)**</mark>

ProgramsCache value data header Windows 7 and 2008.

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 0x00000013 | Format version
4 | 16 | | Known folder identifier <br> Contains a GUID <br> c3535b62-48ab-c14e-ba1f-a1ef4146fc19 (FOLDERID_StartMenu)
20 | 1 | | <mark style="background-color: yellow">**Unknown (sentinel?)**</mark>

ProgramsCacheSMP and ProgramsCacheTBP value data header Windows 7 and 2008.

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 0x00000001 | Format version
4 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
5 | 1 | | <mark style="background-color: yellow">**Unknown (sentinel?)**</mark>

Value data entry.

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | | Entry data size
4 | ... | | Entry data <br> Contains a shell item list
... | 1 | | <mark style="background-color: yellow">**Unknown (sentinel?)**</mark> <br> <mark style="background-color: yellow">**Seen 0x00, 0x01, 0x02 (end marker?)**</mark>

<mark style="background-color: yellow">**if sentinel is 0x02 and there is more data then look
for 0x00 which should be followed by 02 00 00 00 00 00 01**</mark>



================================================
FILE: docs/sources/explorer-keys/Shell-folders.md
================================================
# Shell folders

Shell Folder identifiers are class identifiers with a ShellFolder sub key. In
the Windows Registry some class identifiers (CLSID) have a ShellFolder sub key,
for example:

```
HKEY_LOCAL_MACHINE\Software\CLSID\{%GUID%}\ShellFolder
```

Where {%GUID%} is a GUID in the form: {00000000-0000-0000-0000-000000000000}.

A shell folder can be system or user specific.

System shell folders:

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Backup
```

WoW64 (Windows 32-bit on Windows 64-bit) system shell folders:

```
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Backup
```

Per-user shell folders:

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
```

Values:

Name | Data type | Description
--- | --- | ---
%NAME% | REG_SZ or REG_EXPAND_SZ | Path to the corresponding directory



================================================
FILE: docs/sources/explorer-keys/Typed-paths.md
================================================
# Typed paths

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
```

Value| Data type| Description
--- | --- | ---
%ITEM% | REG_SZ | Where %ITEM% is a string in the form: "url[0-9]+"



================================================
FILE: docs/sources/explorer-keys/User-assist.md
================================================
# User Assist key

The User Assist key contains settings and data of programs that were launched
via Windows Explorer (explorer.exe).

```
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist
```

Sub keys:

Name | Description
--- | ---
{%GUID%} | The User Assist logged data
Settings | Settings to control User Assist logging

Note that the Settings sub key does not exist by default.

## Known GUIDs

GUID | Windows Versions | Description
--- | --- | ---
{0D6D4F41-2994-4BA0-8FEF-620E43CD2812} | XP, Vista | *TODO assumed as: IE7*
{5E6AB780-7743-11CF-A12B-00AA004AE837} | 2000, XP, 2003, Vista | Microsoft Internet Toolbar
{75048700-EF1F-11D0-9888-006097DEACF9} | 2000, XP, 2003, Vista | ActiveDesktop
{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085} | 8, 10 |
{A3D53349-6E61-4557-8FC7-0028EDCEEBF6} | 8, 10 |
{B267E3AD-A825-4A09-82B9-EEC22AA3B847} | 8 |
{BCB48336-4DDD-48FF-BB0B-D3190DACB3E2} | 8.1 |
{CAA59E3C-4792-41A5-9909-6A6A8D32490E} | 8 |
{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} | 2008 (R2?), 7, 8, 10 | *TODO assumed as: Application or Executable File Execution*
{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442} | 8, 10 |
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} | 2008 (R2?), 7, 8, 10 | *TODO assumed as: Shortcut File Execution*
{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD} | 8, 10 |

Note that the User Assist key does not seem to be present on NT4, therefore this
functionality was likely introduced in Windows 2000.

Sometimes more information about the GUID can be found in the key:

```
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{%GUID%}\
```

## GUID sub key

Sub keys:

Name | Description
--- | ---
Count | Contains the User Assist log entries

Values:

Name | Data type | Description
--- | --- | ---
Version | REG_DWORD | Indicates the User Assist log format version

### Version value data

Value | Windows Versions
--- | ---
3 | 2000, XP, 2003, Vista
5 | 2008 (R2?), 7, 8

### Count sub key

Values:

Name | Data type | Description
--- | --- | ---
%NAME% | REG_SZ | Where %NAME% is obfuscated using a technique described below.

Windows Versions | Obfuscation technique
--- | ---
2000, XP, 2003, Vista, 2008 (R2?), 7, 8 | ROT-13 of character values in the ASCII `[A-Za-z]` range. <br> Values outside of this range e.g. `[0-9]` and values outside the basic ASCII range (>= 0x80) are not obfuscated.
7 beta | Vigenère cipher with key: BWHQNKTEZYFSLMRGXADUJOPIVC

#### Named value

Value | Description
--- | ---
UEME_CTLSESSION | Session identifier
UEME_CTLCUACount:ctor |
UEME_RUNCPL | Executed control applets (.cpl)
UEME_RUNPATH | Executed programs
UEME_RUNPIDL | Programs started via a PIDL (shell item list) e.g. using a Shortcut
UEME_RUNWMCMD | Programs started via a Run Command
UEME_UIHOTKEY | Programs started via a Hotkey
UEME_UIQCUT | Programs started via a Quick Launch menu shortcut
UEME_UISCUT | Programs started via a Desktop shortcut
UEME_UITOOLBAR | Programs started via Windows Explorer Toolbar buttons

Note: does UEME stand for User Experience Monitoring Element/Extension?
Does CTL stand for client?
Does CUA stand for current user (file) associations?

With the exception of the UEME_CTLSESSION value, these values appear to use
a similar data type. The structure of the data type depends on the Version value
of the GUID sub key. The following versions have been observed:

* version 3, that is used by Windows 2000, XP, 2003 and Vista.
* version 5, that is used by Windows 2008 (R2?), 7, 8.

#### UEME_CTLSESSION value data

##### UEME_CTLSESSION value data - version 3

The UEME_CTLSESSION value data - version 3 is 8 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | | Unknown
4 | 4 | | Current session identifier

##### UEME_CTLSESSION value data - version 5

The UEME_CTLSESSION value data - version 5 is 1612 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 1 | Unknown (version?)
4 | 4 | | Unknown
8 | 4 | | Unknown
12 | 4 | | Unknown
16 | ... | | Unknown (array of 3x records at offset 0x10, 0x224, 0x438)

The UEME_CTLSESSION value data - version 5 record is 532 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | | Unknown
8 | 4 | | Unknown
12 | 4 | | Unknown
16 | ... | | Unknown (UTF-16 little-endian string with end-of-string character)
... | ... | | Unknown

#### Other value data

##### Other value data - version 3

The other value data - version 3 is 16 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | | Session identifier
4 | 4 | | Number of executions
8 | 8 | | Last execution time, which contains a FILETIME

##### Other value data - version 5

The other value data - version 5 is 72 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | | Unknown (Seen: 0, -1 (0xffffffff) or 1)
4 | 4 | | Number of executions
8 | 4 | | Unknown (sometimes referred to as number of application focuses)
12 | 4 | | Unknown (sometimes referred to as application focus time, does its meaning differ per GUID?)
16 | 4 | | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
20 | 4 | | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
24 | 4 | | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
28 | 4 | | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
32 | 4 | | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
36 | 4 | | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
40 | 4 | | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
44 | 4 | | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
48 | 4 | | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
52 | 4 | | Unknown (Contains a 32-bit floating point, 0.0 or -1.0 if not set ?)
56 | 4 | | Unknown, sometimes -1 (0xffffffff)
60 | 8 | | Last execution time, contains a FILETIME or 0 if not set
68 | 4 | 0 | Unknown (empty value ?)

## Settings sub key

Values:

Name | Data type | Description
--- | --- | ---
NoLog | REG_DWORD | Turn off logging. Set to 1 to disable logging of the User Assist information
NoEncrypt | REG_DWORD | Turn off obfuscation of %NAME% values. Set to 1 to disable name obfuscation

## External links

* [UserAssist](https://blog.didierstevens.com/programs/userassist), by Didier Stevens
* [Windows 7 Beta: ROT13 Replaced With Vigenère? Great Joke!](https://blog.didierstevens.com/2009/01/18/quickpost-windows-7-beta-rot13-replaced-with-vigenere-great-joke/)
* [Windows-userassist-keys](https://www.aldeid.com/wiki/Windows-userassist-keys)
* [libfwsi: Known Folder Identifiers](https://github.com/libyal/libfwsi/wiki/Known-Folder-Identifiers)



================================================
FILE: docs/sources/explorer-keys/index.rst
================================================
#####################
Windows explorer keys
#####################

.. toctree::
   :maxdepth: 1

   Bit bucket <Bit-bucket>
   Control panel item identifiers <Control-panel-item-identifiers>
   Delegate folders <Delegate-folders>
   Known folder identifiers <Known-folder-identifiers>
   Mount points <Mount-points>
   Most recently used (MRU) <Most-recently-used>
   Multilingual User Interface (MUI) cache <MUI-cache>
   Program cache <Program-cache>
   Shell folders <Shell-folders>
   Typed paths <Typed-paths>
   User assist <User-assist>


================================================
FILE: docs/sources/internet-explorer-keys/Browser-helper-objects.md
================================================
# Browser helper objects (BHO)

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
```



================================================
FILE: docs/sources/internet-explorer-keys/Policies.md
================================================
# Policies

The Internet Explorer policies are stored in multiple keys.

Order of application:

1. HKEY_LOCAL_MACHINE policy key (Administrative override)
1. HKEY_CURRENT_USER policy key
1. HKEY_CURRENT_USER preference key
1. HKEY_LOCAL_MACHINE preference key (System default settings)

Note that the location of the HKEY_LOCAL_MACHINE policy and preference key
is dependent on the usage of WoW64 (Windows 32-bit on Windows 64-bit).

Normal:

1. HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl
1. HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl
1. HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl
1. HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl

WoW64:

1. HKEY_LOCAL_MACHINE\\Wow6432Node\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl
1. HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl
1. HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl
1. HKEY_LOCAL_MACHINE\\Wow6432Node\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl

## Policies

```
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
```

Values:

Value | Data type | Description
--- | --- | ---
Download Directory | REG_SZ | The user specific download directory

### Download policies

```
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Download
```

Values:

Value | Data type | Description
--- | --- | ---
CheckExeSignatures | REG_SZ |
RunInvalidSignatures | REG_DWORD |

## Feature controls

### Security Zones

Value | Description
--- | ---
0 | My Computer
1 | Local Intranet Zone
2 | Trusted sites Zone
3 | Internet Zone
4 | Restricted Sites Zone

Also stored in "Description" Registry value in zone-specific Registry key.

### Local Machine Zone Lockdown

Applies the Lockdown Zones instead of the Zones.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\
```

Add a REG_DWORD value to this key named for your application (for example, 
MyApplication.exe) and set it to 1. Any other setting for this value will 
disable Local Machine Zone Lockdown for the application.

### Network Protocol Lockdown

```
HKEY_LOCAL_MACHINE\Software\(Policies)\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN 

HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
```

### HTML from CD

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK
```

## Notes

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
```

## External Links

* [About URL Security Zones](https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85))
* [Internet Explorer Local Machine Zone Lockdown](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc782928(v=ws.10))
* [Internet Explorer Network Protocol Lockdown](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc737488(v=ws.10))
* [Internet Explorer Protected Mode Elevation Policy and Administrative Templates](https://learn.microsoft.com/en-us/archive/blogs/juanand/internet-explorer-protected-mode-elevation-policy-and-administrative-templates)
* [Internet Explorer security zones registry entries for advanced users](https://learn.microsoft.com/en-us/previous-versions/troubleshoot/browsers/security-privacy/ie-security-zones-registry-entries)
* [Internet Feature Controls](https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/general-info/ee330720(v=vs.85))
* [Introduction to Feature Controls](https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537184(v=vs.85))
* [Understanding user-agent strings](https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/ms537503(v=vs.85))



================================================
FILE: docs/sources/internet-explorer-keys/Types-URLs.md
================================================
# Typed URLs

```
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
```

Values:

Name | Data type | Description
--- | --- | ---
%ITEM% | REG_SZ | Where %ITEM% is a string in the form: "url[0-9]+"



================================================
FILE: docs/sources/internet-explorer-keys/index.rst
================================================
######################
Internet explorer keys
######################

.. toctree::
   :maxdepth: 1

   Browser helper objects <Browser-helper-objects>
   Policies <Policies>
   Typed URLs <Typed-URLs>


================================================
FILE: docs/sources/security-accounts-manager-keys/Domains.md
================================================
# Domains

The Security Accounts Manager (SAM) domains are stored in the key:

```
HKEY_LOCAL_MACHINE\SAM\SAM\Domains
```

Sub keys:

Name | Description
--- | ---
Account | user, group, and local group accounts.
Builtin | built-in local groups, such as the Administrators and Users groups, that are established when the operating system is installed.

Values:

Name | Data type | Description
--- | --- | ---
(default) | |

## Account or Builtin sub key

Sub keys:

Name | Description
--- | ---
Aliases |
Groups |
Users |

Values:

Name | Data type | Description
--- | --- | ---
F | REG_BINARY |
V | REG_BINARY |

### F value data

Offset | Size | Value | Description
--- | --- | --- | ---
0 | ... | | <mark style="background-color: yellow">**Unknown**</mark>

### V value data

The V value data consists of:

* 17 x user information descriptors
  * security descriptor
  * username
  * full name
  * comment
  * user comment
  * <mark style="background-color: yellow">**Unknown**</mark>
  * home directory
  * home directory connect
  * script path
  * profile path
  * workstations
  * hours allowed
  * <mark style="background-color: yellow">**Unknown**</mark>
  * LM hash (LANMAN)
  * NTLM hash
  * <mark style="background-color: yellow">**Unknown**</mark>
  * <mark style="background-color: yellow">**Unknown**</mark>
* user information data

#### User information descriptor

A user information descriptor is 12 bytes in size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | | Data offset <br> The offset is relative to the end of the last user information descriptor
4 | 4 | | Data size
8 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>

## Aliases sub key

Sub keys:

Name | Description
--- | ---
Members |
Names |
%RID% |

Where %RID% is the relative identifier (RID) which corresponds to the last sub authority of the SID.

### Aliases RID sub key

Values:

Name | Data type | Description
--- | --- | ---
C | REG_BINARY |

#### C value data

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | | The relative identifier (RID)
4 | 4 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
8 | 4 | | Size of unknown data at offset 52
12 | 2 | 2 | <mark style="background-color: yellow">**Unknown: major format version ?**</mark>
14 | 2 | 1 | <mark style="background-color: yellow">**Unknown: minor format version ?**</mark>
16 | 4 | | Name string offset <br> Relative from offset 52
20 | 4 | | Name string size <br> Contains number of bytes
24 | 4 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
28 | 4 | | Description string offset <br> Relative from offset 52
32 | 4 | | Description string size <br> Contains number of bytes
36 | 4 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
40 | 4 | | SID array offset <br> Relative from offset 52
44 | 4 | | SID array size
48 | 4 | | SID array number of values
52 | ... | | Contains an [NT security descriptor](https://code.google.com/p/libfwnt/wiki/SecurityDescriptor)
... | ... | | Name string <br> Contains an UTF-16 little-endian formatted string without end-of-string character <br> The data is stored using 4-byte alignment
... | ... | | Description string <br> Contains an UTF-16 little-endian formatted string without end-of-string character <br> The data is stored using 4-byte alignment
... | ... | | SID array <br> Contains Windows NT Security Identifiers (SIDs)

### Aliases Members sub key

Sub keys:

Name | Description
--- | ---
%SID% |

Where %SID% is the security identifier (SID) in the form of a string e.g. S-1-5.

#### Aliases Members SID sub key

Sub keys:

Name | Description
--- | ---
%RID% |

Where %RID% is the relative identifier (RID) which corresponds to the last sub authority of the SID.

## Groups sub key

Sub keys:

Name | Description
--- | ---
Names |
%RID% |

### C value data

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 2 | 2 | <mark style="background-color: yellow">**Unknown: major format version ?**</mark>
2 | 2 | 1 | <mark style="background-color: yellow">**Unknown: minor format version ?**</mark>
4 | 4 | | The relative identifier (RID)
8 | 20 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
28 | 2 | 2 | <mark style="background-color: yellow">**Unknown: major format version ?**</mark>
30 | 2 | 1 | <mark style="background-color: yellow">**Unknown: minor format version ?**</mark>
32 | 4 | | Name string offset <br> Relative from offset 68
36 | 4 | | Name string size <br> Contains number of bytes
40 | 4 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
44 | 4 | | Description string offset <br> Relative from offset 68
48 | 4 | | Description string size <br> Contains number of bytes
52 | 4 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
56 | 4 | | Group member array offset <br> Relative from offset 68
60 | 4 | | Group member array size <br> Contains number of bytes
64 | 4 | | Group member array number of values
68 | ... | | Contains a [security descriptor](https://github.com/libyal/libfwnt/blob/main/documentation/Security%20Descriptor.asciidoc)
... | ... | | Name string <br> Contains an UTF-16 little-endian formatted string without end-of-string character <br> The data is stored using 4-byte alignment
... | ... | | Description string <br> Contains an UTF-16 little-endian formatted string without end-of-string character <br> The data is stored using 4-byte alignment
... | ... | | Group member array <br> Contains 4-byte RID values

## Users sub key

Sub keys:

Name | Description
--- | ---
Names |
%RID% |

Where %RID% is the relative identifier (RID) which corresponds to the last sub authority of the SID.

### Users RID sub key

Values:

Name | Data type | Description
--- | --- | ---
F | REG_BINARY |
V | REG_BINARY |

#### F value data

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 2 | 2 | <mark style="background-color: yellow">**Unknown: major version ?**</mark>
2 | 2 | 2 | <mark style="background-color: yellow">**Unknown: minor version ?**</mark>
4 | 2 | | <mark style="background-color: yellow">**Unknown: Extended data flags ?**</mark>
6 | 2 | | <mark style="background-color: yellow">**Unknown: Extended data size ?**</mark>
8 | 8 | | Last logon date and time (lastLogon) <br> Contains a FILETIME
16 | 8 | | <mark style="background-color: yellow">**Unknown (lastLogoff?)**</mark>
24 | 8 | | Password last set date and time (pwdLastSet) <br> Contains a FILETIME
32 | 8 | | Account expires date and time (accountExpires) <br> Contains a FILETIME, where 0x7fffffffffffffff represents Never
40 | 8 | | Last password failure date and time (badPasswordTime) <br> Contains a FILETIME
48 | 4 | | Relative identifier (UserId) <br> The relative identifier (RID) corresponds to the last sub authority of the SID
52 | 4 | | Primary group identifier (PrimaryGroupId)
56 | 4 | | User account control flags (UserAccountControl) <br> See section: [User account control flags](#user-account-control-flags)
60 | 2 | | Country code (countryCode) <br> See section: [Country code](#country-code)
62 | 2 | | Codepage (codePage)
64 | 2 | | Number of password failures (badPwdCount)
66 | 2 | | Number of logons (logonCount)
68 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
72 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
76 | 4 | | <mark style="background-color: yellow">**Unknown (checksum?)**</mark>

Extended data:

Offset | Size | Value | Description
--- | --- | --- | ---
80 | | |

Note that the relative identifier (RID) is sometimes referred to as user number
or user identifier.

##### User account control flags

The user account control flags (or USER_ACCOUNT Codes) are defined in subauth.h

Value | Identifier | Description
--- | --- | ---
0x00000001 | USER_ACCOUNT_DISABLED | Account disabled (inactive)
0x00000002 | USER_HOME_DIRECTORY_REQUIRED | Home directory required
0x00000004 | USER_PASSWORD_NOT_REQUIRED | User password not required
0x00000008 | USER_TEMP_DUPLICATE_ACCOUNT | Temporary duplicate account
0x00000010 | USER_NORMAL_ACCOUNT | Normal user account
0x00000020 | USER_MNS_LOGON_ACCOUNT | Majority Node Set (MNS) logon user account
0x00000040 | USER_INTERDOMAIN_TRUST_ACCOUNT | Interdomain trust account
0x00000080 | USER_WORKSTATION_TRUST_ACCOUNT | Workstation trust account
0x00000100 | USER_SERVER_TRUST_ACCOUNT | Server trust account <br> Object is a domain controller (DC)
0x00000200 | USER_DONT_EXPIRE_PASSWORD | User password does not expire
0x00000400 | USER_ACCOUNT_AUTO_LOCKED | Account auto locked
0x00000800 | USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED | Encrypted text password is allowed
0x00001000 | USER_SMARTCARD_REQUIRED | Smart Card required
0x00002000 | USER_TRUSTED_FOR_DELEGATION | Trusted for Delegation
0x00004000 | USER_NOT_DELEGATED | Not delegated
0x00008000 | USER_USE_DES_KEY_ONLY | Use DES key only
0x00010000 | USER_DONT_REQUIRE_PREAUTH | Preauth not required
0x00020000 | USER_PASSWORD_EXPIRED | Password Expired
0x00040000 | USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | Used by Kerberos see MS-KILE
0x00080000 | USER_NO_AUTH_DATA_REQUIRED | Used by Kerberos see RFC4120
0x00100000 | USER_PARTIAL_SECRETS_ACCOUNT | Partial secrets account <br> Object is a read-only domain controller (RODC)
0x00200000 | USER_USE_AES_KEYS | Use AES keys

Note that these flags differ from ADS_USER_FLAG_ENUM. Mappings between the two
are defined in "MS-SAMR: userAccountControl Mapping Table".

Note that the samba project defines these as flags with the WBC_ACB prefix,
where WBC is short for winbind client.

##### Country code

<mark style="background-color: yellow">**Unknown. Is this supposed to be the country phone prefix?**</mark>

Value | Description
--- | ---
000 | System Default
001 | United States
002 | Canada (French)
003 | Latin America
031 | Netherlands
032 | Belgium
033 | France
034 | Spain
039 | Italy
041 | Switzerland
044 | United Kingdom
045 | Denmark
046 | Sweden
047 | Norway
049 | Germany
061 | Australia
081 | Japan
082 | Korea
086 | China (PRC)
088 | Taiwan
099 | Asia
351 | Portugal
358 | Finland
785 | Arabic
972 | Hebrew

#### V value data

### Account types

Value | Identifier | Description
--- | --- | ---
0x00000000 | SAM_DOMAIN_OBJECT | Represents a domain object
0x10000000 | SAM_GROUP_OBJECT | Represents a group object
0x10000001 | SAM_NON_SECURITY_GROUP_OBJECT | Represents a group object that is not used for authorization context generation
0x20000000 | SAM_ALIAS_OBJECT | Represents an alias object
0x20000001 | SAM_NON_SECURITY_ALIAS_OBJECT | Represents an alias object that is not used for authorization context generation
0x30000000 | SAM_USER_OBJECT | Represents a user object
0x30000001 | SAM_MACHINE_ACCOUNT | Represents a computer object
0x30000002 | SAM_TRUST_ACCOUNT | Represents a user object that is used for domain trusts
0x40000000 | SAM_APP_BASIC_GROUP | Represents an application-defined group
0x40000001 | SAM_APP_QUERY_GROUP | Represents an application-defined group whose members are determined by the results of a query

### Predefined RIDs

Value | Identifier | Description
--- | --- | ---
0x000001f4 | DOMAIN_USER_RID_ADMIN | User: Administrator
0x000001f5 | DOMAIN_USER_RID_GUEST | User: Guest
0x000001f6 | DOMAIN_USER_RID_KRBTGT | User: krbtgt (Key Distribution Center Service)
0x00000201 | DOMAIN_GROUP_RID_USERS | Group: Domain Users
0x00000203 | DOMAIN_GROUP_RID_COMPUTERS | Group: Domain Computers
0x00000204 | DOMAIN_GROUP_RID_CONTROLLERS | Group: Domain Controllers
0x00000220 | DOMAIN_ALIAS_RID_ADMINS | Group: Administrators
0x00000209 | DOMAIN_GROUP_RID_READONLY_CONTROLLERS | Group: Read-only Domain Controllers

## External Links

* [ACCOUNT_TYPE Values](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e742be45-665d-4576-b872-0bc99d1e1fbe)
* [Built-in and Account Domains](https://learn.microsoft.com/en-us/windows/win32/secmgmt/built-in-and-account-domains)
* [Predefined RIDs](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/565a6584-3061-4ede-a531-f5c53826504b)
* [SAMPR_USER_ALL_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/dc966b81-da27-4dae-a28c-ec16534f1cb9)
* [Security Account Manager (SAM)](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))
* [SysKey and the SAM](https://moyix.blogspot.com/2008/02/syskey-and-sam.html), by Brendan Dolan-Gavitt, February 21, 2008
* [USER_ACCOUNT Codes](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec)
* [userAccountControl Mapping Table](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/8a193181-a7a2-49df-a8b1-f689aaa6987c)
* [USER_ALL_INFORMATION structure](https://learn.microsoft.com/en-us/windows/win32/api/subauth/ns-subauth-user_all_information)
* [Well-known SIDs](https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids)



================================================
FILE: docs/sources/security-accounts-manager-keys/Security-accounts-manager.md
================================================
# Security Accounts Manager (SAM)

The Security Accounts Manager (SAM) is stored in the key:

```
HKEY_LOCAL_MACHINE\SAM\SAM
```

Sub keys:

Name | Description
--- | ---
Domains | Built-in and account domains
RXACT |

Values:

Name | Data type | Description
--- | --- | ---
C | REG_BINARY |

### C value data

The C value data is of variable size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 2 | | <mark style="background-color: yellow">**Unknown (Format version?)**</mark>
2 | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
4 | 4 | | <mark style="background-color: yellow">**Unknown (empty?)**</mark>
8 | 4 | | Security descriptor data size
12 | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
14 | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
16 | ... | | Security descriptor data

#### Format version

Value | Description
--- | ---
1 | Used in Windows NT 3.1
2 | Used in Windows NT 3.5
3 | Used in Windows NT 4
6 | Used in Windows 2000
7 | Used in Windows XP and later
9 | Used in Windows 11



================================================
FILE: docs/sources/security-accounts-manager-keys/index.rst
================================================
##############################
Security accounts manager keys
##############################

.. toctree::
   :maxdepth: 1

   Security accounts manager <Security-accounts-manager>
   Domains <Domains>


================================================
FILE: docs/sources/system-keys/Application-compatibility-cache.md
================================================
# Application compatibility cache

The Application compatibility cache can be found in the following Windows
Registry keys.

In Windows 2000 and XP:

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
```

In Windows 2003 and later:

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
```

Note that several sources claim that the Application Compatibility Cache is
part of the [Application Compatibility Database](https://learn.microsoft.com/en-us/windows/win32/devnotes/application-compatibility-database).
However unfortunately these claims are not backed by sources or facts. Since
the previous article does not mention the relationship between the cache and
the database, this document considers the Application Compatibility Cache to be
part of the Windows Application Compatibility subsystem instead.

Note that the actual difference between the Application Compatibility Cache
and Shim (Database) Cache is currently unknown. Be aware that in other sources
the terms can be used interchangeably. Since MSDN explicitly defines
BaseFlushAppcompatCache and ShimFlushCache, there is likely a subtle difference
to what data is cached. Also see: [Understanding Shims](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-7/dd837644(v=ws.10)).

## Windows 2000

Windows 2000 stores Application Compatibility related data in subkeys in:

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
```

At this time it is unclear if these subkeys serve the same purpose as the
AppCompatCache value in later versions of Windows.

The subkeys are named as the executable files e.g. `Uninstall.exe` and have been
seen to contain the following values:

Name | Data type | Description
--- | --- | ---
%NAME% | | <mark style="background-color: yellow">**Unknown (seen: x, 462)**</mark>
DllPatch-%NAME% | | <mark style="background-color: yellow">**Unknown**</mark>

Also seen values named like `00008 WindowsNT4.0`.

### Windows 2000 unknown value

The Windows 2000 unknown value is of variable size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 0x0000000c | <mark style="background-color: yellow">**Unknown 1 (header size?)**</mark>
4 | 4 | | <mark style="background-color: yellow">**Unknown 2 (empty values)**</mark>
8 | 4 | | <mark style="background-color: yellow">**Unknown 3**</mark>
12 | 4 | | <mark style="background-color: yellow">**Unknown 4**</mark>

Contains additional data if "Unknown 4 > 0"

```
Empty?
00000000  0c 00 00 00 00 00 00 00  06 00 00 00 00 00 00 00  |................|

With data:
00000000  0c 00 00 00 00 00 00 00  06 00 00 00 04 00 00 00  |................|

00000010  10 00 00 00 00 00 00 00  00 00 15 00 ff ff ff ff  |................|
00000020  ff ff ff ff 0f 00 00 00                           |........(...A.u.|

String byte size followed by string:
00000020                           28 00 00 00 41 00 75 00  |........(...A.u.|
00000030  74 00 6f 00 43 00 41 00  44 00 20 00 41 00 70 00  |t.o.C.A.D. .A.p.|
00000040  70 00 6c 00 69 00 63 00  61 00 74 00 69 00 6f 00  |p.l.i.c.a.t.i.o.|
00000050  6e 00 00 00                                       |n.......|

00000050              00 00 00 00                           |n.......|
```

### Windows 2000 DllPatch value

The Windows 2000 DllPatch value is of variable size and contains a UTF-16
little-endian formatted string with end-of-string character e.g. 'shcmn.dll 7'.

<mark style="background-color: yellow">**It is currently unclear what the trailing number represents.**</mark>

## Windows XP

Windows XP stores the application compatibility cache in the value:
AppCompatCache.

The value data consists of:

* header
  * array of LRU cache entry index values
* array of cache entries (suggested that the maximum is 92)

Note that 64-bit versions of Windows XP will use the Windows 2003 64-bit format.

### Windows XP application compat cache header

The Windows XP application compat cache header is 400 bytes of size and
consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 0xef, 0xbe, 0xad, 0xde | Signature
4 | 4 | | Number of cached entries
8 | 4 | | Number of LRU array entries
12 | 4 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
16 | ... | | LRU array <br> Contains 32-bit value of the index within the array of cache entries <br> <mark style="background-color: yellow">**Currently it is unclear if the top or the bottom of the array is the LRU**</mark>
... | ... | | <mark style="background-color: yellow">**Unknown (padding?)**</mark> <br> Contains 0-byte values

### Windows XP 32-bit application compat cache entry

The Windows XP 32-bit application compat cache entry is 552 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 2 x ( MAX_PATH + 4 ) = 528 | | Path <br> UTF-16 little-endian string with end-of-string character <br> Note that the unused bytes can contain remnant data
528 | 8 | | Last modification time <br> Contains a FILETIME
536 | 8 | | File size
544 | 8 | | Last update time <br> Contains a FILETIME

Note that the last modification time applies to that of the file e.g. for NTFS
this is the last modified time of the file as stored in the
$STANDARD_INFORMATION attribute.

## Windows 2003

Windows 2003 stores the application compatibility cache in the value: AppCompatCache

The value data consists of:

* header
* array of cache entries (suggested that the maximum is 512)
* string data

### Windows 2003 application compat cache header

The Windows 2003 application compat cache header is 8 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 0xfe, 0x0f, 0xdc, 0xba | Signature
4 | 4 | | Number of cached entries

### Windows 2003 32-bit application compat cache entry

The Windows 2003 32-bit application compat cache entry is 24 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 2 | | Path size
2 | 2 | | Maximum path size
4 | 4 | | Path offset <br> The offset value is relative to the start of the header
8 | 8 | | Last modification time <br> Contains a FILETIME
16 | 8 | | File size

Note that the last modification time applies to that of the file e.g. for NTFS
this is the last modified time of the file as stored in the
$STANDARD_INFORMATION attribute.

### Windows 2003 64-bit application compat cache entry

The Windows 2003 64-bit application compat cache entry is 32 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 2 | | Path size
2 | 2 | | Maximum path size
4 | 4 | | <mark style="background-color: yellow">**Unknown (padding)**</mark>
8 | 8 | | Path offset <br> The offset value is relative to the start of the header
16 | 8 | | Last modification time <br> Contains a FILETIME
24 | 8 | | File size

Note that the last modification time applies to that of the file e.g. for NTFS
this is the last modified time of the file as stored in the
$STANDARD_INFORMATION attribute.

## Windows Vista and 2008

Windows Vista and 2008 store the application compatibility cache in the value: AppCompatCache

The value data consists of:

* header
* array of cache entries (suggested that the maximum is 1024)
* string data

Note that if the cache is empty it will only consist of a header.
 
### Windows Vista application compat cache header

The Windows Vista application compat cache header is 8 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 0xfe, 0x0f, 0xdc, 0xba | Signature
4 | 4 | | Number of cached entries

### Windows Vista 32-bit application compat cache entry

The Windows Vista 32-bit application compat cache entry is 24 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 2 | | Path size
2 | 2 | | Maximum path size
4 | 4 | | Path offset <br> The offset value is relative to the start of the header
8 | 8 | | Last modification time <br> Contains a FILETIME
16 | 4 | | Insertion flags
20 | 4 | | Shim flags

Note that the last modification time applies to that of the file e.g. for NTFS
this is the last modified time of the file as stored in the
$STANDARD_INFORMATION attribute.

### Windows Vista 64-bit application compat cache entry

The Windows Vista 64-bit application compat cache entry is 32 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 2 | | Path size
2 | 2 | | Maximum path size
4 | 4 | | <mark style="background-color: yellow">**Unknown (padding)**</mark>
8 | 8 | | Path offset <br> The offset value is relative to the start of the header
16 | 8 | | Last modification time <br> Contains a FILETIME
24 | 4 | | Insertion flags
28 | 4 | | Shim flags

Note that the last modification time applies to that of the file e.g. for NTFS
this is the last modified time of the file as stored in the
$STANDARD_INFORMATION attribute.

## Windows 7 and 2008 R2

Windows 7 and 2008 R2 store the application compatibility cache in the value: AppCompatCache

The value data consists of:

* header
* array of cache entries (suggested that the maximum is 1024)
* data
* string data

### Windows 7 application compat cache header

The Windows 7 application compat cache header is 128 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 0xee, 0x0f, 0xdc, 0xba | Signature
4 | 4 | | Number of cached entries
8 | 4 | 120 | <mark style="background-color: yellow">**Unknown (size?)**</mark>
12 | 116 | | <mark style="background-color: yellow">**Unknown (cache statistics?)**</mark>

### Windows 7 32-bit application compat cache entry

The Windows 7 32-bit application compat cache entry is 32 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 2 | | Path size <br> The byte size of the path without the end-of-string character
2 | 2 | | Maximum path size <br> The byte size of the path with the end-of-string character
4 | 4 | | Path offset <br> The offset value is relative to the start of the header
8 | 8 | | Last modification time <br> Contains a FILETIME
16 | 4 | | Insertion flags
20 | 4 | | Shim flags
24 | 4 | | Data size
28 | 4 | | Data offset <br> The offset value is relative to the start of the header

Note that the last modification time applies to that of the file e.g. for NTFS
this is the last modified time of the file as stored in the
$STANDARD_INFORMATION attribute.

### Windows 7 64-bit application compat cache entry

The Windows 7 64-bit application compat cache entry is 48 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 2 | | Path size <br> The byte size of the path without the end-of-string character
2 | 2 | | Maximum path size <br> The byte size of the path with the end-of-string character
4 | 4 | | <mark style="background-color: yellow">**Unknown (padding)**</mark>
8 | 8 | | Path offset <br> The offset value is relative to the start of the header
16 | 8 | | Last modification time <br> Contains a FILETIME
24 | 4 | | Insertion flags
28 | 4 | | Shim flags
32 | 8 | | Data size
40 | 8 | | Data offset <br> The offset value is relative to the start of the header

Note that the last modification time applies to that of the file e.g. for NTFS
this is the last modified time of the file as stored in the
$STANDARD_INFORMATION attribute.

## Windows 8

Windows 8 stores the application compatibility cache in the value: AppCompatCache

The value data consists of:

* header
* array of cache entries

### Windows 8 application compat cache header

The Windows 8 application compat cache header is 128 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 128 | Header size (or cache entry array offset)
4 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
8 | 120 | | <mark style="background-color: yellow">**Unknown**</mark>

### Windows 8.0 application compat cache entry

The Windows 8.0 application compat cache entry is of variable size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | "00ts" | Signature
4 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
8 | 4 | | Cache entry data size <br> The size of the cache entry without the first 12 bytes
12 | 2 | | Path size
14 | ... | | Path <br> UTF-16 little-endian string without end-of-string character
... | 4 | | <mark style="background-color: yellow">**Unknown (Insertion flags?)**</mark>
... | 4 | | <mark style="background-color: yellow">**Unknown (Shim flags?)**</mark>
... | 8 | | Last modification time <br> Contains a FILETIME
... | 4 | | Data size
... | ... | | Data

Note that the last modification time applies to that of the file e.g. for NTFS
this is the last modified time of the file as stored in the
$STANDARD_INFORMATION attribute.

### Windows 8.1 application compat cache entry

The Windows 8.1 application compat cache entry is of variable size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | "10ts" | Signature
4 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
8 | 4 | | Cache entry data size <br> The size of the cache entry without the first 12 bytes
12 | 2 | | Path size
14 | ... | | Path <br> UTF-16 little-endian string without end-of-string character
... | 4 | | <mark style="background-color: yellow">**Unknown (Insertion flags?)**</mark>
... | 4 | | <mark style="background-color: yellow">**Unknown (Shim flags?)**</mark>
... | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
... | 8 | | Last modification time <br> Contains a FILETIME
... | 4 | | Data size
... | ... | | Data

Note that the last modification time applies to that of the file e.g. for NTFS
this is the last modified time of the file as stored in the
$STANDARD_INFORMATION attribute.

## Windows 10

Windows 10 stores the application compatibility cache in the value: AppCompatCache

The value data consists of:

* header
* array of cache entries

### Windows 10 application compat cache header

The Windows 10 application compat cache header is 48 bytes of size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 48 | Header size (or cache entry array offset)
4 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
8 | 4 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
12 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
16 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
20 | 16 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
36 | 4 | | Number of cached entries
40 | 8 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>

The Windows 10 Creator update application compat cache header is 52 bytes of
size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | 52 | Header size (or cache entry array offset)
4 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
8 | 4 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
12 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
16 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
20 | 8 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
28 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
32 | 8 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
40 | 4 | | Number of cached entries
44 | 8 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>

### Windows 10 application compat cache entry

The Windows 10 application compat cache entry is of variable size and consists of:

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 4 | "10ts" | Signature
4 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
8 | 4 | | Cache entry data size <br> The size of the cache entry without the first 12 bytes
12 | 2 | | Path size
14 | ... | | Path <br> UTF-16 little-endian string without end-of-string character
... | 8 | | Last modification time <br> Contains a FILETIME
... | 4 | | Data size
... | ... | | Data

Note that the last modification time applies to that of the file e.g. for NTFS
this is the last modified time of the file as stored in the
$STANDARD_INFORMATION attribute.

## Insertion flags

<mark style="background-color: yellow">**TODO describe**</mark>

Value | Identifier | Description
--- | --- | ---
0x00000001 | |
0x00000002 | | <mark style="background-color: yellow">**Indicated as executed by CSRSS.EXE flag**</mark> <br> <mark style="background-color: yellow">**Client/Server Runtime Subsystem (CSRSS)**</mark>
0x00000004 | |
0x00000008 | |
0x00000010 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.0, 8.1)**</mark>
0x00000020 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.0, 8.1)**</mark>
0x00000040 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.0, 8.1)**</mark>
0x00000080 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.0, 8.1)**</mark>
| |
0x00010000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.1)**</mark>
0x00020000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.1)**</mark>
0x00030000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.1)**</mark>
0x00040000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.1)**</mark>
0x00100000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.1)**</mark>
0x00200000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.1)**</mark>
0x00400000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.1)**</mark>
0x00800000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.1)**</mark>

## Shim flags

<mark style="background-color: yellow">**TODO describe**</mark>

Value | Identifier | Description
--- | --- | ---
0x00000001 | | <mark style="background-color: yellow">**Unknown (Has data?)**</mark>
| |
0x00000020 | |
| |
0x00000100 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 7)**</mark>
| |
0x00001000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 7, 8.0)**</mark>
| |
0x00010000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.0, 8.1)**</mark>
0x00020000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.0)**</mark>
| |
0x00100000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.1)**</mark>
0x00200000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.1)**</mark>
| |
0x01000000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.0, 8.1)**</mark>
0x02000000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.0)**</mark>
| |
0x10000000 | | <mark style="background-color: yellow">**Unknown (Seen in Windows 8.1)**</mark>

## Data

<mark style="background-color: yellow">**TODO describe**</mark>

## Notes

```
https://technet.microsoft.com/en-us/library/cc787360(v=ws.10).aspx

Are these related?
0x00000001 MS-DOS-based program
0x00000002 OS/2-based program
0x00000004 Windows-based 16-bit program
0x00000008 Windows-based 32-bit program
0x0000000C Windows-based 16-bit and 32-bit program
0x0000000F Any version of a program
0x00000010 Return user name instead of computer name for GetComputerName.
0x00000020 Return Terminal Server build number instead of Windows 2000 build number for GetVersion.
0x00000040 Synchronize user .ini file to system version.*
0x00000080 Do not substitute user \Windows directory.**
0x00000100 Disable registry mapping for program or registry key.
0x00000200 Per-object user/system global mapping
0x00000400 Return system \Windows directory instead of user \Windows directory for GetWindowsDir.
0x00000800 Limit the reported physical memory for GlobalMemoryStatus.
0x00001000 Log object creation to file.
0x20000000 Do not put program to sleep on unsuccessful keyboard polling (Windows-based 16-bit programs only).
```

Related DLLs:

* apphelp.dll; related to "AppHelp" functionality and Application Compatibility database
* kernel32.dll; base cache management functionality

Is the Application compatibility cache in Windows also referred to as
AppHelpCache?

AppHelp: https://msdn.microsoft.com/en-us/library/bb432181(v=vs.85).aspx

Different shim types? MSIE and RPC shim types?

Related Registry keys:

```
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
```

Flushing the cache on Windows Vista and later:

```
Rundll32.exe apphelp.dll,ShimFlushCache
```

Flushing the cache on Windows XP and Windows Server 2003:

```
Rundll32.exe kernel32.dll,BaseFlushAppcompatCache
```



================================================
FILE: docs/sources/system-keys/Background-activity-moderator.md
================================================
# Background activity moderator (BAM)

The Background Activity Moderator (BAM) key seems to have been introduced in
Windows 10 after version 1709.

The BAM keys can be found in the following Registry paths:

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\
```

Within the UserSettings key, there is a key for each user SID containing
a value for each tracked executable.

## Example Entry

Registry Key:

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-321011808-3761883066-353627080-1000
```

Value Name:

```
\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
```

Value Data:

```
00000000  15 3e ae 36 57 de d4 01 00 00 00 00 00 00 00 00  |.>®6WÞÔ.........|
00000010  00 00 00 00 02 00 00 00                          |........|
```

## Value Data Format

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 8 | | Execution time <br> Contains a FILETIME
8 | 8 | | <mark style="background-color: yellow">**Unknown (empty values)**</mark>
16 | 4 | | Flag indicating whether the entry is a "Windows app"
20 | 4 | 0x02, 0x00, 0x00, 0x00 | <mark style="background-color: yellow">**Unknown (always 2)**</mark>


================================================
FILE: docs/sources/system-keys/Boot-verification.md
================================================
# Boot Verification key

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BootVerification
```

The BootVerification key stores configuration for Bootvrfy.exe, a program
included in Windows Server 2003 that notifies the system that startup was
successful. Bootvrfy.exe can be run on a local or remote computer.

Known values of the BootVerification key:

Name | Data type | Description
--- | --- | ---
ErrorControl | REG_DWORD | Known value: 1
%SERVICE%\ImagePath | REG_EXPAND_SZ | Known value: "Bootvrfy.exe"
ObjectName | REG_SZ | Known value: "LocalSystem"
Start Entry | REG_DWORD | Known value: 3
Type Entry | REG_DWORD | Known value: 2

To run a custom startup verification program the standard startup verification
functions in Winlogon need to be disabled. This can be done by setting the
Winlogon ReportBootOk value to 0.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
```

## Boot Verification Program key

```
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BootVerificationProgram
```

The BootVerificationProgram key stores configuration for a custom startup
verification program.

Known values of the BootVerificationProgram key:

Name | Data type | Description
--- | --- | ---
ImagePath | REG_SZ, REG_EXPAND_SZ | path of a custom startup verification program

According to the Windows Server 2003 documentation, Bootvrfy.exe and a custom
startup verification program cannot be used in parallel.

## External links

* [BootVerification](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778559(v=ws.10))
* [BootVerificationProgram](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc782537(v=ws.10))
* [BootVerificationProgram\ImagePath](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc786702(v=ws.10))
* [ReportBootOk](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc739989(v=ws.10))



================================================
FILE: docs/sources/system-keys/COM-class-identifiers.md
================================================
# Component object model (COM) class identifiers (CLSIDs)

The component object model (COM) class identifier (CLSID) key can be found in:

```
HKEY_CLASSES_ROOT\CLSID\{%GUID%}
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{%GUID%}
```

Sub keys:

Name | Description
--- | ---
AuxUserType | Application's short display name and names
CLSID | Class identifiers
Control | ActiveX Control settings
Conversion | Convert dialog box format conversion settings
DataFormats | Data formats supported by an application
DefaultIcon | Default icon settings
Implemented Categories |
InprocServer | 16-bit in-process server settings
InProcServer32 | 32-bit (and 64-bit) in-process server settings
Insertable | Insert Object dialog box list box settings
Interface | Supported interface IDs (IIDs)
LocalServer32 | 32-bit local server application settings
MiscStatus | Settings for how to create and display the object
PersistentHandler |
Verb | Application verbs

MSDN defines DefaultIcon as a REG_SZ value but in Windows XP it seems to be a
key where the icon resource identifier is stored in the default value of the
key.

Values:

Name | Data type | Description
--- | --- | ---
AppID | REG_SZ | Associated application identifier <br> Contains a string in the form: "{GUID}"
AutoConvertTo | REG_SZ | Automatic conversion class identifier
AutoTreatAs | REG_SZ | Automatically treat as (emulation) class identifier
InprocHandler | REG_SZ | 16-bit custom in-process handler
InprocHandler32 | REG_SZ | 32-bit custom in-process handler
LocalServer | REG_SZ | 16-bit local server application
ProgID | REG_SZ | Associated program identifier <br> Contains a string in the form: "Program.Component"
ToolBoxBitmap32 | REG_SZ | Toolbar or toolbox button bitmap <br> Contains a resource identifier
TreatAs | REG_SZ | Identifier of class that can emulate the current class
Version | REG_SZ | version number
VersionIndependentProgID | REG_SZ | Version independent associated program identifier

## Type libraries key

The type libraries (typelib or tlb) key can be found in:

```
HKEY_CLASSES_ROOT\TypeLib\{%GUID%}
HKEY_CLASSES_ROOT\Wow6432Node\TypeLib\{%GUID%}
```

Sub keys:

Name | Description
--- | ---
%GUID% | Type library identifier

## Type library identifier subkey

Sub keys:

Name | Description
--- | ---
%VERSION% | Type library version in the format: "major.minor"

Values:

Name | Data type | Description
--- | --- | ---
(Default) | REG_SZ | Type library description

### Type library version subkey

Sub keys:

Name | Description
--- | ---
%LCID% | Locale identifier such as: "409", where "0" is the system default language (LANG_SYSTEM_DEFAULT).
FLAGS |
HELPDIR |

TODO: Determine what MSDN means by "the LCID may have a neutral sublanguage
ID". Is 0 the neutral sublanguage ID?

#### Type library locale subkey

Sub keys:

Name | Description
--- | ---
%PLATFORM% | Platform identifier such as: "win32"

##### Type library platform subkey

Values:

Name | Data type | Description
--- | --- | ---
(Default) | REG_SZ | Path to the type library file. <br> This can be a stand-alone .tlb file or the "typelib" resource inside a PE/COFF file.

#### Type library help directory subkey

Values:

Name | Data type | Description
--- | --- | ---
(Default) | REG_SZ | Path of the directory where the Help file for the type library is located

## External Links

* [CLSID Key](https://learn.microsoft.com/en-us/windows/win32/com/clsid-key-hklm)
* [ProxyStubClsid](https://learn.microsoft.com/en-us/windows/win32/com/proxystubclsid)
* [Registering a Type Library](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/automat/registering-a-type-library)



================================================
FILE: docs/sources/system-keys/Cached-credentials.md
================================================
# Cached credentials

```
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
```

Values:

Name | Data type | Description
--- | --- | ---
CachedLogonsCount | REG_SZ | Number of cached log-ons. <br/> According to MSDN the value must be in the range "0" - "50"

## Credentials cache

```
HKEY_LOCAL_MACHINE\Security\Cache
```

Values:

Name | Description
--- | ---
NL$Control |
NL$%NUMBER% | Cached credential

Where %NUMBER% contains the number of the cached credential.

### NL$Control value

```
00000000  04 00 01 00 0a 00 00 00                           |........|
```

### NL$%NUMBER% value

Offset | Size | Value | Description
--- | --- | --- | ---
_Metadata_ |||
0 | 2 | | Username string size
2 | 2 | | Hostname string size
4 | 2 | | <mark style="background-color: yellow">**Unknown (username string size)**</mark>
6 | 2 | | <mark style="background-color: yellow">**Unknown (Full name string size)**</mark>
8 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
12 | 2 | | <mark style="background-color: yellow">**Unknown (Profile path string size)**</mark>
14 | 2 | | <mark style="background-color: yellow">**Unknown (Profile mount drive letter string size)**</mark>
16 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
20 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
24 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
28 | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
30 | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
32 | 8 | | <mark style="background-color: yellow">**Unknown (date and time)**</mark> <br/> Contains a FILETIME timestamp
40 | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
42 | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
44 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
48 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
52 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
56 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
60 | 2 | | Hostname with domain string size
62 | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
_Data_ |||
64 | 16 | | <mark style="background-color: yellow">**Unknown (CH)**</mark>
80 | 16 | | <mark style="background-color: yellow">**Unknown (T)**</mark>
96 | ... | | Encrypted data

```
metadata
* username size
* domain size
* Length of the full domain name

0x00000000  0e 00 14 00 0e 00 1c 00  00 00 00 00 38 00 04 00  ............8...
0x00000010  53 04 00 00 01 02 00 00  02 00 00 00 14 00 18 00  S...............

0x00000020  72 0f 92 b3 b1 f8 cc 01                           r...............
FILETIME

0x00000020                           04 00 01 00 01 00 00 00  r...............
0x00000030  01 00 00 00 20 00 00 00  10 00 00 00 20 00 00 00  .... ....... ...

CH: random 16 byte key that is used to generate the decryption key for the encrypted data
0x00000040  e6 ad 1f 22 b9 d1 d3 48  22 f6 d6 61 33 d7 32 74  ..."...H"..a3.2t

T
0x00000050  29 4c 83 1b af bc ca c9  fc 27 9c be 1e 44 2b 69  )L.......'...D+i

Encrypted data
0x00000060  52 46 67 5f f6 85 b0 0f  7a a3 69 03 cc 72 4b 8b  RFg_....z.i..rK.
0x00000070  8b 51 e9 9c 4a 65 92 2d  19 7d 6f 94 d2 81 93 0d  .Q..Je.-.}o.....
0x00000080  f2 9e 7d 2e 11 17 46 a0  31 ac 2c 65 49 89 c2 c0  ..}...F.1.,eI...
0x00000090  92 7a 63 6c ca b2 74 ba  5f 73 c0 d3 6c 0c 58 51  .zcl..t._s..l.XQ
0x000000a0  46 e9 45 48 9b ce 86 a1  68 ae f7 12 f8 d2 c7 7e  F.EH....h......~
0x000000b0  4d 39 a9 bd d4 ad fc e8  b0 b1 94 36 c5 4d 1f 3b  M9.........6.M.;
0x000000c0  3c ce b8 dc a9 50 41 54  f4 5a 31 61 57 66 66 7a  <....PAT.Z1aWffz
0x000000d0  0d 54 9a c0 7e d4 1a a8  e6 af 83 fb cd 61 a1 fe  .T..~........a..
0x000000e0  85 31 ce c9 24 fa f3 a5  7e 71 c9 a4 81 11 e3 b7  .1..$...~q......
0x000000f0  7c ce fb 38 b0 81 b9 75  cc 78 7e 66 9c 7b 4d a7  |..8...u.x~f.{M.
0x00000100  7d 6e 55 d6 8d 22 2d e9  8d 48 0c 22 f1 bc 6b 58  }nU.."-..H."..kX
0x00000110  17 84 db 5b ba 91 8a 39  70 a1 d8 b5 16 df 99 cf  ...[...9p.......
0x00000120  ea f1 af dc 75 27 ea 83  22 ff 8a 5e 63 b2 a9 f9  ....u'.."..^c...
0x00000130  b4 05 47 26 b8 e7 e4 b7  06 bc d9 4b 0f 20 92 25  ..G&.......K. .%
0x00000140  07 7a a5 6b 4e 54 4a 19  19 51 bf 5f c2 09 8b 5e  .z.kNTJ..Q._...^
0x00000150  f1 a3 be aa 1f c3 66 c3  cd 09 7b 85 45 02 0d 28  ......f...{.E..(
0x00000160  02 a5 f8 8a f2 b1 52 a3  a3 dc a4 c7 ed f5 ca 6c  ......R........l
0x00000170  13 3c e5 18 3d fe b3 fc  28 3f be 9b 62 d0 1a 5a  .<..=...(?..b..Z
0x00000180  90 ce e2 a6 c2 aa 2d 40  78 d8 cc db a4 a7 44 e8  ......-@x.....D.
0x00000190  0d ff c8 08 49 19 5b 21  67 f2 62 be 7b f2 be d3  ....I.[!g.b.{...
0x000001a0  37 18 53 33 61 3e 21 7a  e6 08 e3 f2 d5 1c 81 ce  7.S3a>!z........
0x000001b0  9a 45 71 85 bf a6 e9 fd  ea 7e b7 2f 01 0d 7d c7  .Eq......~./..}.
0x000001c0  46 9f e5 73                                       F..s
```

Offset | Size | Value | Description
--- | --- | --- | ---
0 | 16 | | <mark style="background-color: yellow">**Unknown (password hash)**</mark>
16 | 16 | | <mark style="background-color: yellow">**Unknown**</mark>
32 | 8 | | <mark style="background-color: yellow">**Unknown**</mark>
40 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
44 | 4 | | <mark style="background-color: yellow">**Unknown**</mark>
48 | 8 | | <mark style="background-color: yellow">**Unknown**</mark>
56 | 16 | | <mark style="background-color: yellow">**Unknown**</mark>
72 | ... | | Username string
... | ... | | 32-bit alignment padding
... | ... | | Hostname string
... | ... | | 32-bit alignment padding
... | ... | | Hostname and domain string
... | ... | | 32-bit alignment padding
... | ... | | Profile path string
... | ... | | 32-bit alignment padding
... | ... | | Profile mount drive letter string
... | ... | | 32-bit alignment padding

```
Decrypted data:
0x00000000  6e 37 5e e6 a7 99 6c 5c  55 85 74 67 09 af a0 65  n7^...l\U.tg...e
0x00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0x00000020  01 00 00 00 00 00 00 00  c4 01 00 00 02 00 00 00  ................
0x00000030  14 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
0x00000040  00 00 00 00 00 00 00 00                           ........t.d.u.n.

Sizes from metadata
0e 00 14 00 0e 00 1c 00

0x00000040                           74 00 64 00 75 00 6e 00  ........t.d.u.n.
0x00000050  67 00 61 00 6e 00                
gitextract_od6kibol/

├── .github/
│   └── workflows/
│       ├── test_docker.yml
│       ├── test_docs.yml
│       ├── test_macos.yml
│       └── test_tox.yml
├── .gitignore
├── .pylintrc
├── .readthedocs.yaml
├── .yamllint.yaml
├── ACKNOWLEDGEMENTS
├── AUTHORS
├── LICENSE
├── MANIFEST.in
├── MANIFEST.test_data.in
├── README.md
├── appveyor.yml
├── config/
│   ├── appveyor/
│   │   └── install.ps1
│   ├── dpkg/
│   │   ├── changelog
│   │   ├── clean
│   │   ├── compat
│   │   ├── control
│   │   ├── copyright
│   │   ├── python3-winregrc.install
│   │   ├── rules
│   │   └── source/
│   │       └── format
│   └── pylint/
│       └── spelling-private-dict
├── dependencies.ini
├── docs/
│   ├── conf.py
│   ├── index.rst
│   ├── requirements.txt
│   └── sources/
│       ├── EventLog-keys.md
│       ├── api/
│       │   ├── modules.rst
│       │   ├── winregrc.rst
│       │   └── winregrc.scripts.rst
│       ├── application-keys/
│       │   ├── 7-Zip.md
│       │   ├── CCleaner.md
│       │   ├── MSDN-web-browser.md
│       │   ├── Microsoft-Office.md
│       │   ├── Terminal-server-client.md
│       │   ├── WinRAR.md
│       │   └── index.rst
│       ├── explorer-keys/
│       │   ├── Bit-bucket.md
│       │   ├── Control-panel-item-identifiers.md
│       │   ├── Delegate-folders.md
│       │   ├── Known-folder-identifiers.md
│       │   ├── MUI-cache.md
│       │   ├── Most-recently-used.md
│       │   ├── Mount-points.md
│       │   ├── Program-cache.md
│       │   ├── Shell-folders.md
│       │   ├── Typed-paths.md
│       │   ├── User-assist.md
│       │   └── index.rst
│       ├── internet-explorer-keys/
│       │   ├── Browser-helper-objects.md
│       │   ├── Policies.md
│       │   ├── Types-URLs.md
│       │   └── index.rst
│       ├── security-accounts-manager-keys/
│       │   ├── Domains.md
│       │   ├── Security-accounts-manager.md
│       │   └── index.rst
│       ├── system-keys/
│       │   ├── Application-compatibility-cache.md
│       │   ├── Background-activity-moderator.md
│       │   ├── Boot-verification.md
│       │   ├── COM-class-identifiers.md
│       │   ├── Cached-credentials.md
│       │   ├── Certificates.md
│       │   ├── Codepage.md
│       │   ├── Current-control-set.md
│       │   ├── Environment-variables.md
│       │   ├── File-system.md
│       │   ├── Language.md
│       │   ├── Local-security-authority.md
│       │   ├── Mounted-devices.md
│       │   ├── Prefetch.md
│       │   ├── Run-and-RunOnce.md
│       │   ├── Services-and-drivers.md
│       │   ├── Session-manager.md
│       │   ├── Shell-folder-identifiers.md
│       │   ├── System-restore.md
│       │   ├── Task-scheduler.md
│       │   ├── Time-zones.md
│       │   ├── USB-storage.md
│       │   ├── Volume-shadow-copies.md
│       │   ├── Windows-error-reporting.md
│       │   ├── Windows-product-information.md
│       │   ├── Windows-system-locations.md
│       │   └── index.rst
│       └── windows-registry/
│           ├── Files.md
│           ├── Hives.md
│           ├── MUI-form.md
│           └── index.rst
├── pyproject.toml
├── run_tests.py
├── test_data/
│   ├── NTUSER.DAT.LOG
│   ├── SAM
│   ├── SECURITY
│   ├── SOFTWARE
│   └── SYSTEM
├── test_dependencies.ini
├── tests/
│   ├── __init__.py
│   ├── appcompatcache.py
│   ├── application_identifiers.py
│   ├── cached_credentials.py
│   ├── data_format.py
│   ├── environment_variables.py
│   ├── eventlog_providers.py
│   ├── filters.py
│   ├── hexdump.py
│   ├── interface.py
│   ├── knownfolders.py
│   ├── mounted_devices.py
│   ├── mru.py
│   ├── msie_zone_info.py
│   ├── output_writer.py
│   ├── profiles.py
│   ├── programscache.py
│   ├── sam.py
│   ├── services.py
│   ├── shellfolders.py
│   ├── sysinfo.py
│   ├── task_cache.py
│   ├── test_lib.py
│   ├── type_libraries.py
│   └── userassist.py
├── tox.ini
├── utils/
│   ├── __init__.py
│   ├── check_dependencies.py
│   ├── dependencies.py
│   └── update_release.sh
├── winreg-kb.ini
└── winregrc/
    ├── __init__.py
    ├── appcompatcache.py
    ├── appcompatcache.yaml
    ├── application_identifiers.py
    ├── cached_credentials.py
    ├── catalog.py
    ├── controlpanel_items.py
    ├── data/
    │   └── observed_shellfolders.yaml
    ├── data_format.py
    ├── delegatefolders.py
    ├── environment_variables.py
    ├── errors.py
    ├── eventlog_providers.py
    ├── filters.py
    ├── hexdump.py
    ├── interface.py
    ├── knownfolders.py
    ├── mounted_devices.py
    ├── mounted_devices.yaml
    ├── mru.py
    ├── mru.yaml
    ├── msie_zone_info.py
    ├── output_writers.py
    ├── profiles.py
    ├── programscache.py
    ├── programscache.yaml
    ├── sam.py
    ├── sam.yaml
    ├── scripts/
    │   ├── __init__.py
    │   ├── appcompatcache.py
    │   ├── application_identifiers.py
    │   ├── cached_credentials.py
    │   ├── catalog.py
    │   ├── controlpanel_items.py
    │   ├── delegatefolders.py
    │   ├── environment_variables.py
    │   ├── eventlog_providers.py
    │   ├── knownfolders.py
    │   ├── mounted_devices.py
    │   ├── mru.py
    │   ├── msie_zone_info.py
    │   ├── profiles.py
    │   ├── programscache.py
    │   ├── sam.py
    │   ├── services.py
    │   ├── shellfolders.py
    │   ├── srum_extensions.py
    │   ├── sysinfo.py
    │   ├── syskey.py
    │   ├── task_cache.py
    │   ├── time_zones.py
    │   ├── type_libraries.py
    │   ├── usbstor.py
    │   └── userassist.py
    ├── services.py
    ├── shell_property_keys.py
    ├── shellfolders.py
    ├── srum_extensions.py
    ├── sysinfo.py
    ├── syskey.py
    ├── task_cache.py
    ├── task_cache.yaml
    ├── time_zone_information.yaml
    ├── time_zones.py
    ├── type_libraries.py
    ├── usbstor.py
    ├── usbstor.yaml
    ├── userassist.py
    ├── userassist.yaml
    ├── versions.py
    └── volume_scanner.py
SYMBOL INDEX (519 symbols across 84 files)

FILE: docs/conf.py
  function RunSphinxAPIDoc (line 101) | def RunSphinxAPIDoc(app):
  class MarkdownLinkFixer (line 114) | class MarkdownLinkFixer(transforms.Transform):
    method _FixLinks (line 121) | def _FixLinks(self, node):
    method _Traverse (line 142) | def _Traverse(self, node):
    method apply (line 154) | def apply(self):
  function setup (line 160) | def setup(app):

FILE: tests/appcompatcache.py
  class TestOutputWriter (line 226) | class TestOutputWriter(output_writers.StdoutOutputWriter):
    method __init__ (line 234) | def __init__(self):
    method WriteCachedEntry (line 239) | def WriteCachedEntry(self, cached_entry):
  class AppCompatCacheDataParserTest (line 249) | class AppCompatCacheDataParserTest(test_lib.BaseTestCase):
    method testCheckSignature (line 254) | def testCheckSignature(self):
    method testParseHeader (line 284) | def testParseHeader(self):
  class AppCompatCacheCollectorTest (line 318) | class AppCompatCacheCollectorTest(test_lib.BaseTestCase):
    method _CreateTestRegistry (line 321) | def _CreateTestRegistry(self):
    method testCollect (line 355) | def testCollect(self):
    method testCollectEmpty (line 370) | def testCollectEmpty(self):

FILE: tests/application_identifiers.py
  class ApplicationIdentifiersCollectorTest (line 15) | class ApplicationIdentifiersCollectorTest(shared_test_lib.BaseTestCase):
    method _CreateTestRegistry (line 18) | def _CreateTestRegistry(self):
    method testCollect (line 44) | def testCollect(self):
    method testCollectEmpty (line 59) | def testCollectEmpty(self):

FILE: tests/cached_credentials.py
  class TestOutputWriter (line 16) | class TestOutputWriter(output_writers.StdoutOutputWriter):
    method __init__ (line 24) | def __init__(self):
    method WriteCachedEntry (line 29) | def WriteCachedEntry(self, cached_entry):
  class CachedCredentialsKeyCollectorTest (line 39) | class CachedCredentialsKeyCollectorTest(test_lib.BaseTestCase):
    method _CreateTestRegistry (line 62) | def _CreateTestRegistry(self):
    method testGetBootKey (line 126) | def testGetBootKey(self):
    method testGetLSAKey (line 135) | def testGetLSAKey(self):
    method testGetNLKey (line 145) | def testGetNLKey(self):
    method testCollect (line 160) | def testCollect(self):
    method testCollectEmpty (line 176) | def testCollectEmpty(self):

FILE: tests/data_format.py
  class ErrorBytesIO (line 16) | class ErrorBytesIO(io.BytesIO):
    method read (line 22) | def read(self, size=None):  # pylint: disable=redundant-returns-doc,un...
  class ErrorDataTypeMap (line 38) | class ErrorDataTypeMap(dtfabric_data_maps.DataTypeMap):
    method FoldByteStream (line 43) | def FoldByteStream(self, mapped_value, **unused_kwargs):
    method MapByteStream (line 59) | def MapByteStream(self, byte_stream, **unused_kwargs):
  class BinaryDataFormatTest (line 76) | class BinaryDataFormatTest(test_lib.BaseTestCase):
    method testDebugPrintData (line 117) | def testDebugPrintData(self):
    method testDebugPrintDecimalValue (line 132) | def testDebugPrintDecimalValue(self):
    method testDebugPrintValue (line 145) | def testDebugPrintValue(self):
    method testDebugPrintText (line 156) | def testDebugPrintText(self):
    method testReadStructureFromByteStream (line 170) | def testReadStructureFromByteStream(self):

FILE: tests/environment_variables.py
  class EnvironmentVariablesCollectorTest (line 15) | class EnvironmentVariablesCollectorTest(shared_test_lib.BaseTestCase):
    method _CreateTestRegistry (line 18) | def _CreateTestRegistry(self):
    method testCollect (line 44) | def testCollect(self):
    method testCollectEmpty (line 58) | def testCollectEmpty(self):

FILE: tests/eventlog_providers.py
  class EventLogProvidersCollectorTest (line 14) | class EventLogProvidersCollectorTest(shared_test_lib.BaseTestCase):
    method testCollect (line 17) | def testCollect(self):
    method testCollectEmpty (line 62) | def testCollectEmpty(self):

FILE: tests/filters.py
  class WindowsRegistryKeyPathFilterTest (line 11) | class WindowsRegistryKeyPathFilterTest(shared_test_lib.BaseTestCase):
    method testInitialize (line 14) | def testInitialize(self):
  class WindowsRegistryKeyPathPrefixFilterTest (line 23) | class WindowsRegistryKeyPathPrefixFilterTest(shared_test_lib.BaseTestCase):
    method testInitialize (line 26) | def testInitialize(self):
  class WindowsRegistryKeyPathSuffixFilterTest (line 34) | class WindowsRegistryKeyPathSuffixFilterTest(shared_test_lib.BaseTestCase):
    method testInitialize (line 37) | def testInitialize(self):
  class WindowsRegistryKeyWithValuesFilterTest (line 45) | class WindowsRegistryKeyWithValuesFilterTest(shared_test_lib.BaseTestCase):
    method testInitialize (line 48) | def testInitialize(self):

FILE: tests/hexdump.py
  class HexdumpTest (line 11) | class HexdumpTest(shared_test_lib.BaseTestCase):
    method testHexdump (line 14) | def testHexdump(self):

FILE: tests/interface.py
  class WindowsRegistryKeyCollectorTest (line 14) | class WindowsRegistryKeyCollectorTest(shared_test_lib.BaseTestCase):
    method testGetStringValueFromKey (line 19) | def testGetStringValueFromKey(self):
    method testGetValueDataFromKey (line 57) | def testGetValueDataFromKey(self):
    method testGetValueFromKey (line 72) | def testGetValueFromKey(self):

FILE: tests/knownfolders.py
  class KnownFoldersCollectorTest (line 15) | class KnownFoldersCollectorTest(shared_test_lib.BaseTestCase):
    method _CreateTestRegistry (line 22) | def _CreateTestRegistry(self):
    method testCollect (line 57) | def testCollect(self):
    method testCollectEmpty (line 73) | def testCollectEmpty(self):

FILE: tests/mounted_devices.py
  class MountedDevicesCollectorTest (line 15) | class MountedDevicesCollectorTest(shared_test_lib.BaseTestCase):
    method _CreateTestRegistry (line 18) | def _CreateTestRegistry(self):
    method testCollect (line 44) | def testCollect(self):
    method testCollectEmpty (line 59) | def testCollectEmpty(self):

FILE: tests/mru.py
  class MostRecentlyUsedCollectorTest (line 15) | class MostRecentlyUsedCollectorTest(test_lib.BaseTestCase):
    method _CreateTestRegistry (line 18) | def _CreateTestRegistry(self):
    method testCollect (line 50) | def testCollect(self):
    method testCollectEmpty (line 69) | def testCollectEmpty(self):

FILE: tests/msie_zone_info.py
  class MSIEZoneInformationCollectorTest (line 14) | class MSIEZoneInformationCollectorTest(shared_test_lib.BaseTestCase):
    method testCollect (line 17) | def testCollect(self):
    method testCollectEmpty (line 44) | def testCollectEmpty(self):

FILE: tests/output_writer.py
  class StdoutOutputWriterTest (line 11) | class StdoutOutputWriterTest(shared_test_lib.BaseTestCase):
    method testFormatDataInHexadecimal (line 16) | def testFormatDataInHexadecimal(self):
    method testOpenClose (line 58) | def testOpenClose(self):
    method testWriteDebugData (line 67) | def testWriteDebugData(self):
    method testWriteValue (line 73) | def testWriteValue(self):
    method testWriteText (line 79) | def testWriteText(self):

FILE: tests/profiles.py
  class UserProfilesCollectorTest (line 15) | class UserProfilesCollectorTest(shared_test_lib.BaseTestCase):
    method _CreateTestRegistry (line 21) | def _CreateTestRegistry(self):
    method testCollect (line 51) | def testCollect(self):
    method testCollectEmpty (line 65) | def testCollectEmpty(self):

FILE: tests/programscache.py
  class TestOutputWriter (line 16) | class TestOutputWriter(output_writers.StdoutOutputWriter):
    method __init__ (line 23) | def __init__(self):
    method WriteText (line 28) | def WriteText(self, text):
  class ProgramsCacheDataParserTest (line 37) | class ProgramsCacheDataParserTest(test_lib.BaseTestCase):
    method testParse (line 40) | def testParse(self):
  class ProgramsCacheCollectorTest (line 48) | class ProgramsCacheCollectorTest(test_lib.BaseTestCase):
    method testCollect (line 51) | def testCollect(self):
    method testCollectEmpty (line 78) | def testCollectEmpty(self):

FILE: tests/sam.py
  class SecurityAccountManagerDataParserTest (line 78) | class SecurityAccountManagerDataParserTest(test_lib.BaseTestCase):
    method testParseFValue (line 81) | def testParseFValue(self):
    method testParseVValue (line 105) | def testParseVValue(self):
  class SecurityAccountManagerCollectorTest (line 125) | class SecurityAccountManagerCollectorTest(test_lib.BaseTestCase):
    method _CreateTestRegistry (line 130) | def _CreateTestRegistry(self):
    method testCollect (line 161) | def testCollect(self):
    method testCollectEmpty (line 180) | def testCollectEmpty(self):

FILE: tests/services.py
  class WindowsServicesCollectorTest (line 15) | class WindowsServicesCollectorTest(shared_test_lib.BaseTestCase):
    method _CreateTestRegistry (line 23) | def _CreateTestRegistry(self):
    method testCollect (line 80) | def testCollect(self):
    method testCollectEmpty (line 99) | def testCollectEmpty(self):

FILE: tests/shellfolders.py
  class ShellFoldersCollectorTest (line 15) | class ShellFoldersCollectorTest(shared_test_lib.BaseTestCase):
    method _CreateTestRegistry (line 23) | def _CreateTestRegistry(self):
    method testCollect (line 66) | def testCollect(self):
    method testCollectEmpty (line 89) | def testCollectEmpty(self):

FILE: tests/sysinfo.py
  class SystemInfoCollectorTest (line 15) | class SystemInfoCollectorTest(test_lib.BaseTestCase):
    method _CreateTestRegistry (line 32) | def _CreateTestRegistry(self):
    method testParseInstallDate (line 93) | def testParseInstallDate(self):
    method testCollect (line 116) | def testCollect(self):
    method testCollectEmpty (line 150) | def testCollectEmpty(self):

FILE: tests/task_cache.py
  class TaskCacheDataParserTest (line 26) | class TaskCacheDataParserTest(test_lib.BaseTestCase):
    method testParseDynamicInfo (line 29) | def testParseDynamicInfo(self):
  class TaskCacheCollectorTest (line 50) | class TaskCacheCollectorTest(test_lib.BaseTestCase):
    method _CreateTestRegistry (line 65) | def _CreateTestRegistry(self):
    method _CreateTestRegistryEmpty (line 146) | def _CreateTestRegistryEmpty(self):
    method testCollect (line 168) | def testCollect(self):
    method testCollectEmpty (line 200) | def testCollectEmpty(self):

FILE: tests/test_lib.py
  class BaseTestCase (line 9) | class BaseTestCase(unittest.TestCase):
    method _GetTestFilePath (line 18) | def _GetTestFilePath(self, path_segments):
    method _SkipIfPathNotExists (line 31) | def _SkipIfPathNotExists(self, path):
  class TestOutputWriter (line 45) | class TestOutputWriter(output_writers.StdoutOutputWriter):
    method __init__ (line 52) | def __init__(self):
    method Close (line 57) | def Close(self):
    method Open (line 61) | def Open(self):
    method WriteText (line 65) | def WriteText(self, text):

FILE: tests/type_libraries.py
  class TypeLibraryTest (line 15) | class TypeLibraryTest(test_lib.BaseTestCase):
    method testInitialize (line 23) | def testInitialize(self):
  class TypeLibraryCollectorTest (line 30) | class TypeLibraryCollectorTest(test_lib.BaseTestCase):
    method _CreateTestRegistry (line 43) | def _CreateTestRegistry(self):
    method testCollect (line 104) | def testCollect(self):
    method testCollectEmpty (line 125) | def testCollectEmpty(self):

FILE: tests/userassist.py
  class UserAssistDataParserTest (line 28) | class UserAssistDataParserTest(test_lib.BaseTestCase):
    method testParseEntry (line 31) | def testParseEntry(self):
  class UserAssistCollectorTest (line 40) | class UserAssistCollectorTest(test_lib.BaseTestCase):
    method _CreateTestRegistry (line 52) | def _CreateTestRegistry(self):
    method testCollect (line 92) | def testCollect(self):
    method testCollectEmpty (line 109) | def testCollectEmpty(self):

FILE: utils/dependencies.py
  class DependencyDefinition (line 8) | class DependencyDefinition:
    method __init__ (line 32) | def __init__(self, name):
  class DependencyDefinitionReader (line 54) | class DependencyDefinitionReader:
    method _GetConfigValue (line 71) | def _GetConfigValue(self, config_parser, section_name, value_name):
    method Read (line 87) | def Read(self, file_object):
  class DependencyHelper (line 108) | class DependencyHelper:
    method __init__ (line 118) | def __init__(
    method _CheckPythonModule (line 144) | def _CheckPythonModule(self, dependency):
    method _CheckPythonModuleVersion (line 168) | def _CheckPythonModuleVersion(
    method _ImportPythonModule (line 249) | def _ImportPythonModule(self, module_name):
    method _PrintCheckDependencyStatus (line 270) | def _PrintCheckDependencyStatus(
    method CheckDependencies (line 292) | def CheckDependencies(self, verbose_output=True):
    method CheckTestDependencies (line 322) | def CheckTestDependencies(self, verbose_output=True):

FILE: winregrc/appcompatcache.py
  class AppCompatCacheHeader (line 12) | class AppCompatCacheHeader:
    method __init__ (line 20) | def __init__(self):
  class AppCompatCacheCachedEntry (line 27) | class AppCompatCacheCachedEntry:
    method __init__ (line 42) | def __init__(self):
  class AppCompatCacheDataParser (line 55) | class AppCompatCacheDataParser(data_format.BinaryDataFormat):
    method __init__ (line 97) | def __init__(self, debug=False, output_writer=None):
    method _DebugPrintCachedEntryXP (line 108) | def _DebugPrintCachedEntryXP(self, cached_entry):
    method _DebugPrintCachedEntry2003 (line 131) | def _DebugPrintCachedEntry2003(self, cached_entry):
    method _DebugPrintCachedEntry8 (line 167) | def _DebugPrintCachedEntry8(self, cached_entry_header, cached_entry_bo...
    method _DebugPrintHeader (line 207) | def _DebugPrintHeader(self, format_type, header):
    method _GetCachedEntryDataTypeMap (line 240) | def _GetCachedEntryDataTypeMap(
    method _ParseCommon2003CachedEntry (line 293) | def _ParseCommon2003CachedEntry(self, value_data, cached_entry_offset):
    method CheckSignature (line 331) | def CheckSignature(self, value_data):
    method ParseCachedEntry (line 372) | def ParseCachedEntry(
    method ParseHeader (line 542) | def ParseHeader(self, format_type, value_data):
  class AppCompatCacheCollector (line 618) | class AppCompatCacheCollector(interface.WindowsRegistryKeyCollector):
    method __init__ (line 625) | def __init__(self, debug=False, output_writer=None):
    method _CollectAppCompatCacheFromKey (line 638) | def _CollectAppCompatCacheFromKey(self, app_compat_cache_key):
    method Collect (line 692) | def Collect(self, registry, all_control_sets=False):

FILE: winregrc/application_identifiers.py
  class ApplicationIdentifier (line 6) | class ApplicationIdentifier:
    method __init__ (line 14) | def __init__(self, guid, description):
  class ApplicationIdentifiersCollector (line 26) | class ApplicationIdentifiersCollector(interface.WindowsRegistryKeyCollec...
    method _CollectApplicationIdentifiers (line 32) | def _CollectApplicationIdentifiers(self, application_identifiers_key):
    method Collect (line 51) | def Collect(self, registry):

FILE: winregrc/cached_credentials.py
  class CachedCredentialsKeyCollector (line 13) | class CachedCredentialsKeyCollector(interface.WindowsRegistryKeyCollector):
    method __init__ (line 45) | def __init__(self, debug=False, output_writer=None):
    method _DecryptARC4 (line 55) | def _DecryptARC4(self, key, data):
    method _DecryptTripleDES (line 70) | def _DecryptTripleDES(self, key, data):
    method _GetBootKey (line 86) | def _GetBootKey(self, registry):
    method _GetLSAKey (line 134) | def _GetLSAKey(self, registry, boot_key):
    method _GetNLKey (line 167) | def _GetNLKey(self, registry, lsa_key):
    method _UnpackLSAKey (line 215) | def _UnpackLSAKey(self, lsa_key):
    method Collect (line 240) | def Collect(self, registry):  # pylint: disable=arguments-differ

FILE: winregrc/catalog.py
  class CatalogKeyDescriptor (line 6) | class CatalogKeyDescriptor:
    method __init__ (line 16) | def __init__(self):
  class CatalogCollector (line 24) | class CatalogCollector:
    method __init__ (line 27) | def __init__(self, group_keys=False):
    method _CollectCatalogKeyDescriptors (line 36) | def _CollectCatalogKeyDescriptors(self, registry_key):
    method Collect (line 58) | def Collect(self, root_key):

FILE: winregrc/controlpanel_items.py
  class ControlPanelItem (line 6) | class ControlPanelItem:
    method __init__ (line 15) | def __init__(self, identifier, module_name):
  class ControlPanelItemsCollector (line 28) | class ControlPanelItemsCollector(interface.WindowsRegistryKeyCollector):
    method _CollectControlPanelItems (line 35) | def _CollectControlPanelItems(self, control_panel_namespace_key):
    method Collect (line 51) | def Collect(self, registry):

FILE: winregrc/data_format.py
  class BinaryDataFormat (line 13) | class BinaryDataFormat:
    method __init__ (line 26) | def __init__(self, debug=False, output_writer=None):
    method _DebugPrintData (line 39) | def _DebugPrintData(self, description, data):
    method _DebugPrintDecimalValue (line 52) | def _DebugPrintDecimalValue(self, description, value):
    method _DebugPrintFiletimeValue (line 61) | def _DebugPrintFiletimeValue(self, description, value):
    method _DebugPrintStructureObject (line 82) | def _DebugPrintStructureObject(self, structure_object, debug_info):
    method _DebugPrintText (line 92) | def _DebugPrintText(self, text):
    method _DebugPrintValue (line 101) | def _DebugPrintValue(self, description, value):
    method _FormatDataInHexadecimal (line 112) | def _FormatDataInHexadecimal(self, data):
    method _FormatIntegerAsDecimal (line 176) | def _FormatIntegerAsDecimal(self, integer):
    method _FormatIntegerAsFiletime (line 187) | def _FormatIntegerAsFiletime(self, integer):
    method _FormatIntegerAsHexadecimal2 (line 209) | def _FormatIntegerAsHexadecimal2(self, integer):
    method _FormatIntegerAsHexadecimal4 (line 220) | def _FormatIntegerAsHexadecimal4(self, integer):
    method _FormatIntegerAsHexadecimal8 (line 231) | def _FormatIntegerAsHexadecimal8(self, integer):
    method _FormatStructureObject (line 242) | def _FormatStructureObject(self, structure_object, debug_info):
    method _FormatValue (line 282) | def _FormatValue(self, description, value):
    method _GetDataTypeMap (line 296) | def _GetDataTypeMap(self, name):
    method _ReadDefinitionFile (line 315) | def _ReadDefinitionFile(self, filename):
    method _ReadStructureFromByteStream (line 335) | def _ReadStructureFromByteStream(

FILE: winregrc/delegatefolders.py
  class DelegateFolder (line 6) | class DelegateFolder:
    method __init__ (line 15) | def __init__(self, identifier, name, namespace):
  class DelegateFoldersCollector (line 29) | class DelegateFoldersCollector(interface.WindowsRegistryKeyCollector):
    method _CollectDelegateFolders (line 36) | def _CollectDelegateFolders(self, delegate_folders_key, namespace):
    method Collect (line 51) | def Collect(self, registry):

FILE: winregrc/environment_variables.py
  class EnvironmentVariable (line 6) | class EnvironmentVariable:
    method __init__ (line 14) | def __init__(self, name, value):
  class EnvironmentVariablesCollector (line 26) | class EnvironmentVariablesCollector(interface.WindowsRegistryKeyCollector):
    method _CollectEnvironmentVariablesFromEnvironmentKey (line 59) | def _CollectEnvironmentVariablesFromEnvironmentKey(self, registry_key):
    method _CollectEnvironmentVariablesWithMappings (line 73) | def _CollectEnvironmentVariablesWithMappings(self, registry_key, mappi...
    method Collect (line 88) | def Collect(self, registry):

FILE: winregrc/errors.py
  class Error (line 4) | class Error(Exception):
  class ParseError (line 8) | class ParseError(Error):

FILE: winregrc/eventlog_providers.py
  class EventLogProvider (line 6) | class EventLogProvider:
    method __init__ (line 22) | def __init__(self):
  class EventLogProvidersCollector (line 35) | class EventLogProvidersCollector(interface.WindowsRegistryKeyCollector):
    method _CollectEventLogProviders (line 45) | def _CollectEventLogProviders(
    method _CollectEventLogProvidersFromPublishersKeys (line 122) | def _CollectEventLogProvidersFromPublishersKeys(self, winevt_publisher...
    method _CollectEventLogProvidersFromServicesKey (line 146) | def _CollectEventLogProvidersFromServicesKey(self, services_eventlog_k...
    method _GetEventLogProviderSortedKey (line 181) | def _GetEventLogProviderSortedKey(self, event_log_provider):
    method _GetMessageFilePathsFromKey (line 195) | def _GetMessageFilePathsFromKey(self, registry_key, value_name):
    method _MergeEventLogProviders (line 217) | def _MergeEventLogProviders(
    method _NormalizeMessageFiles (line 240) | def _NormalizeMessageFiles(self, message_files):
    method Collect (line 259) | def Collect(self, registry):

FILE: winregrc/filters.py
  class BaseWindowsRegistryKeyFilter (line 6) | class BaseWindowsRegistryKeyFilter:
    method key_paths (line 13) | def key_paths(self):
    method Match (line 18) | def Match(self, registry_key):
  class WindowsRegistryKeyPathFilter (line 29) | class WindowsRegistryKeyPathFilter(BaseWindowsRegistryKeyFilter):
    method __init__ (line 42) | def __init__(self, key_path):
    method key_paths (line 88) | def key_paths(self):
    method Match (line 98) | def Match(self, registry_key):
  class WindowsRegistryKeyPathPrefixFilter (line 126) | class WindowsRegistryKeyPathPrefixFilter(BaseWindowsRegistryKeyFilter):
    method __init__ (line 129) | def __init__(self, key_path_prefix):
    method Match (line 138) | def Match(self, registry_key):
  class WindowsRegistryKeyPathSuffixFilter (line 150) | class WindowsRegistryKeyPathSuffixFilter(BaseWindowsRegistryKeyFilter):
    method __init__ (line 153) | def __init__(self, key_path_suffix):
    method Match (line 162) | def Match(self, registry_key):
  class WindowsRegistryKeyWithValuesFilter (line 174) | class WindowsRegistryKeyWithValuesFilter(BaseWindowsRegistryKeyFilter):
    method __init__ (line 179) | def __init__(self, value_names):
    method Match (line 188) | def Match(self, registry_key):

FILE: winregrc/hexdump.py
  function Hexdump (line 8) | def Hexdump(data):

FILE: winregrc/interface.py
  class WindowsRegistryKeyCollector (line 4) | class WindowsRegistryKeyCollector:
    method __init__ (line 7) | def __init__(self, debug=False):
    method _GetStringValueFromKey (line 16) | def _GetStringValueFromKey(
    method _GetValueDataFromKey (line 40) | def _GetValueDataFromKey(self, registry_key, value_name):
    method _GetValueFromKey (line 59) | def _GetValueFromKey(self, registry_key, value_name, default_value=None):

FILE: winregrc/knownfolders.py
  class KnownFolder (line 6) | class KnownFolder:
    method __init__ (line 16) | def __init__(self, identifier, display_name, localized_display_name):
  class KnownFoldersCollector (line 31) | class KnownFoldersCollector(interface.WindowsRegistryKeyCollector):
    method _CollectKnownFolders (line 38) | def _CollectKnownFolders(self, folder_descriptions_key):
    method Collect (line 55) | def Collect(self, registry):

FILE: winregrc/mounted_devices.py
  class MountedDevice (line 7) | class MountedDevice:
    method __init__ (line 18) | def __init__(self, identifier):
  class MountedDevicesCollector (line 32) | class MountedDevicesCollector(data_format.BinaryDataFormat):
    method _ParseMountedDevicesValue (line 40) | def _ParseMountedDevicesValue(self, registry_value):
    method Collect (line 91) | def Collect(self, registry):

FILE: winregrc/mru.py
  class MostRecentlyUsedEntry (line 9) | class MostRecentlyUsedEntry:
    method __init__ (line 20) | def __init__(
  class MostRecentlyUsedCollector (line 40) | class MostRecentlyUsedCollector(data_format.BinaryDataFormat):
    method __init__ (line 101) | def __init__(self, debug=False, output_writer=None):
    method _InKeyPaths (line 112) | def _InKeyPaths(self, key_path, key_paths):
    method _ProcessKey (line 129) | def _ProcessKey(self, registry_key):
    method _ProcessKeyWithMRUListValue (line 156) | def _ProcessKeyWithMRUListValue(self, registry_key):
    method _ProcessKeyWithMRUListExValue (line 234) | def _ProcessKeyWithMRUListExValue(self, registry_key):
    method _ProcessMRUEntryShellItem (line 314) | def _ProcessMRUEntryShellItem(self, key_path, value_name, value_data):
    method _ProcessMRUEntryShellItemList (line 329) | def _ProcessMRUEntryShellItemList(self, key_path, value_name, value_da...
    method _ProcessMRUEntryString (line 345) | def _ProcessMRUEntryString(self, key_path, value_name, value_data):
    method _ProcessMRUEntryStringAndShellItem (line 378) | def _ProcessMRUEntryStringAndShellItem(
    method _ProcessMRUEntryStringAndShellItemList (line 414) | def _ProcessMRUEntryStringAndShellItemList(
    method Collect (line 450) | def Collect(self, registry):  # pylint: disable=arguments-differ

FILE: winregrc/msie_zone_info.py
  class MSIEZoneInformation (line 6) | class MSIEZoneInformation:
    method __init__ (line 16) | def __init__(self, zone, zone_name, control, control_value):
  class MSIEZoneInformationCollector (line 32) | class MSIEZoneInformationCollector(interface.WindowsRegistryKeyCollector):
    method _CollectZoneInformationFromLockdownKey (line 84) | def _CollectZoneInformationFromLockdownKey(self, lockdown_key):
    method _CollectZoneInformationFromZonesKey (line 107) | def _CollectZoneInformationFromZonesKey(self, zones_key):
    method Collect (line 139) | def Collect(self, registry):

FILE: winregrc/output_writers.py
  class OutputWriter (line 11) | class OutputWriter:
    method _FormatDataInHexadecimal (line 20) | def _FormatDataInHexadecimal(self, data):
    method _FormatFATDateTimeValue (line 84) | def _FormatFATDateTimeValue(self, value):
    method _FormatFiletimeValue (line 103) | def _FormatFiletimeValue(self, value):
    method Close (line 127) | def Close(self):
    method DebugPrintData (line 130) | def DebugPrintData(self, description, data):
    method DebugPrintValue (line 142) | def DebugPrintValue(self, description, value):
    method DebugPrintText (line 153) | def DebugPrintText(self, text):
    method Open (line 162) | def Open(self):
    method WriteDebugData (line 170) | def WriteDebugData(self, description, data):
    method WriteIntegerValueAsDecimal (line 179) | def WriteIntegerValueAsDecimal(self, description, value):
    method WriteFiletimeValue (line 188) | def WriteFiletimeValue(self, description, value):
    method WriteText (line 197) | def WriteText(self, text):
    method WriteValue (line 205) | def WriteValue(self, description, value):
  class StdoutOutputWriter (line 214) | class StdoutOutputWriter(OutputWriter):
    method Close (line 217) | def Close(self):
    method Open (line 221) | def Open(self):
    method WriteDebugData (line 229) | def WriteDebugData(self, description, data):
    method WriteFiletimeValue (line 242) | def WriteFiletimeValue(self, description, value):
    method WriteIntegerValueAsDecimal (line 252) | def WriteIntegerValueAsDecimal(self, description, value):
    method WriteText (line 261) | def WriteText(self, text):
    method WriteValue (line 269) | def WriteValue(self, description, value):

FILE: winregrc/profiles.py
  class UserProfile (line 6) | class UserProfile:
    method __init__ (line 14) | def __init__(self, security_identifier, profile_path):
  class UserProfilesCollector (line 26) | class UserProfilesCollector(interface.WindowsRegistryKeyCollector):
    method _CollectUserProfiles (line 33) | def _CollectUserProfiles(self, profile_list_key):
    method Collect (line 47) | def Collect(self, registry):

FILE: winregrc/programscache.py
  class ProgramsCacheDataParser (line 15) | class ProgramsCacheDataParser(data_format.BinaryDataFormat):
    method _DebugPrintEntryFooter (line 20) | def _DebugPrintEntryFooter(self, entry_footer):
    method _DebugPrintEntryHeader (line 28) | def _DebugPrintEntryHeader(self, entry_header):
    method _DebugPrintHeader (line 36) | def _DebugPrintHeader(self, header):
    method _DebugPrintShellItem (line 44) | def _DebugPrintShellItem(self, shell_item):
    method _ParseEntryFooter (line 56) | def _ParseEntryFooter(self, value_data, value_data_offset):
    method _ParseHeader (line 94) | def _ParseHeader(self, value_data):
    method Parse (line 130) | def Parse(self, value_data):
  class ProgramsCacheCollector (line 247) | class ProgramsCacheCollector(interface.WindowsRegistryKeyCollector):
    method __init__ (line 258) | def __init__(self, debug=False, output_writer=None):
    method _CollectProgramsCacheFromValue (line 269) | def _CollectProgramsCacheFromValue(self, registry, key_path, value_name):
    method Collect (line 293) | def Collect(self, registry):  # pylint: disable=arguments-differ

FILE: winregrc/sam.py
  class UserAccount (line 13) | class UserAccount:
    method __init__ (line 37) | def __init__(self):
  class SecurityAccountManagerDataParser (line 57) | class SecurityAccountManagerDataParser(data_format.BinaryDataFormat):
    method _DebugPrintUserInformationDescriptor (line 143) | def _DebugPrintUserInformationDescriptor(
    method _FormatSecurityDescriptor (line 172) | def _FormatSecurityDescriptor(self, security_descriptor_data):
    method _FormatUserAccountControlFlags (line 202) | def _FormatUserAccountControlFlags(self, user_account_control_flags):
    method ParseCValue (line 223) | def ParseCValue(self, value_data):
    method _ParseFiletime (line 244) | def _ParseFiletime(self, filetime):
    method ParseFValue (line 261) | def ParseFValue(self, value_data, user_account):
    method ParseVValue (line 299) | def ParseVValue(self, value_data, user_account):
  class SecurityAccountManagerCollector (line 375) | class SecurityAccountManagerCollector(interface.WindowsRegistryKeyCollec...
    method __init__ (line 385) | def __init__(self, debug=False, output_writer=None):
    method Collect (line 398) | def Collect(self, registry):  # pylint: disable=arguments-differ

FILE: winregrc/scripts/appcompatcache.py
  function Main (line 15) | def Main():

FILE: winregrc/scripts/application_identifiers.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteApplicationIdentifier (line 18) | def WriteApplicationIdentifier(self, application_identifier):
  function Main (line 28) | def Main():

FILE: winregrc/scripts/cached_credentials.py
  function Main (line 15) | def Main():

FILE: winregrc/scripts/catalog.py
  class StdoutWriter (line 17) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteKeyPath (line 20) | def WriteKeyPath(self, key_path):
    method WriteValueDescriptor (line 28) | def WriteValueDescriptor(self, value_name, value_data_type):
  function Main (line 38) | def Main():

FILE: winregrc/scripts/controlpanel_items.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteHeader (line 20) | def WriteHeader(self):
    method WriteKnownFolder (line 24) | def WriteKnownFolder(self, control_panel_item, windows_versions):
  function Main (line 46) | def Main():

FILE: winregrc/scripts/delegatefolders.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteDelegateFolder (line 18) | def WriteDelegateFolder(self, delegate_folder):
  function Main (line 31) | def Main():

FILE: winregrc/scripts/environment_variables.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteEnvironmentVariable (line 18) | def WriteEnvironmentVariable(self, environment_variable):
  function Main (line 27) | def Main():

FILE: winregrc/scripts/eventlog_providers.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteEventLogProvider (line 18) | def WriteEventLogProvider(self, eventlog_provider):
  function Main (line 76) | def Main():

FILE: winregrc/scripts/knownfolders.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteHeader (line 20) | def WriteHeader(self):
    method WriteKnownFolder (line 24) | def WriteKnownFolder(self, known_folder, windows_versions):
  function Main (line 51) | def Main():

FILE: winregrc/scripts/mounted_devices.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteMountedDevice (line 18) | def WriteMountedDevice(self, mounted_device):
  function Main (line 44) | def Main():

FILE: winregrc/scripts/mru.py
  class StdoutWriter (line 19) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method _WritePropertyStore (line 22) | def _WritePropertyStore(self, fwps_store):
    method _WriteShellItem (line 70) | def _WriteShellItem(self, fwsi_item):
    method _WriteShellItemCompressedFolder (line 168) | def _WriteShellItemCompressedFolder(self, fwsi_item):
    method _WriteShellItemControlPanelCategory (line 176) | def _WriteShellItemControlPanelCategory(self, fwsi_item):
    method _WriteShellItemControlPanelItem (line 186) | def _WriteShellItemControlPanelItem(self, fwsi_item):
    method _WriteShellItemFileEntry (line 194) | def _WriteShellItemFileEntry(self, fwsi_item):
    method _WriteShellItemNetworkLocation (line 212) | def _WriteShellItemNetworkLocation(self, fwsi_item):
    method _WriteShellItemUsersPropertyView (line 226) | def _WriteShellItemUsersPropertyView(self, fwsi_item):
    method _WriteShellItemVolume (line 238) | def _WriteShellItemVolume(self, fwsi_item):
    method WriteShellItem (line 255) | def WriteShellItem(self, fwsi_item):
    method WriteShellItemList (line 264) | def WriteShellItemList(self, fwsi_item_list):
  function Main (line 281) | def Main():

FILE: winregrc/scripts/msie_zone_info.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method _GetControlValueDescription (line 123) | def _GetControlValueDescription(self, control, control_value):
    method WriteZoneInformation (line 151) | def WriteZoneInformation(self, zone_information):
  function Main (line 190) | def Main():

FILE: winregrc/scripts/profiles.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteUserProfile (line 18) | def WriteUserProfile(self, user_profile):
  function Main (line 29) | def Main():

FILE: winregrc/scripts/programscache.py
  function Main (line 15) | def Main():

FILE: winregrc/scripts/sam.py
  function Main (line 15) | def Main():

FILE: winregrc/scripts/services.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method __init__ (line 18) | def __init__(self, use_tsv=False):
    method WriteWindowsService (line 28) | def WriteWindowsService(self, service):
  function Main (line 82) | def Main():

FILE: winregrc/scripts/shellfolders.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteHeader (line 20) | def WriteHeader(self):
    method WriteShellFolder (line 24) | def WriteShellFolder(self, shell_folder, windows_versions):
  function Main (line 54) | def Main():

FILE: winregrc/scripts/srum_extensions.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteSRUMExtension (line 18) | def WriteSRUMExtension(self, srum_extension):
  function Main (line 27) | def Main():

FILE: winregrc/scripts/sysinfo.py
  function Main (line 15) | def Main():

FILE: winregrc/scripts/syskey.py
  function Main (line 16) | def Main():

FILE: winregrc/scripts/task_cache.py
  function Main (line 15) | def Main():

FILE: winregrc/scripts/time_zones.py
  class CSVFileWriter (line 15) | class CSVFileWriter(output_writers.OutputWriter):
    method __init__ (line 20) | def __init__(self, path):
    method Close (line 30) | def Close(self):
    method Open (line 35) | def Open(self):
    method WriteTimeZone (line 45) | def WriteTimeZone(self, time_zone):
    method WriteText (line 63) | def WriteText(self, text):
  class StdoutWriter (line 72) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteTimeZone (line 75) | def WriteTimeZone(self, time_zone):
  function Main (line 94) | def Main():

FILE: winregrc/scripts/type_libraries.py
  function Main (line 15) | def Main():

FILE: winregrc/scripts/usbstor.py
  class StdoutWriter (line 15) | class StdoutWriter(output_writers.StdoutOutputWriter):
    method WriteUserProfile (line 47) | def WriteUserProfile(self, storage_device):
  function Main (line 91) | def Main():

FILE: winregrc/scripts/userassist.py
  function Main (line 15) | def Main():

FILE: winregrc/services.py
  class WindowsService (line 6) | class WindowsService:
    method __init__ (line 41) | def __init__(
    method __eq__ (line 64) | def __eq__(self, other):
    method __ne__ (line 80) | def __ne__(self, other):
    method GetObjectNameDescription (line 96) | def GetObjectNameDescription(self):
    method GetServiceTypeDescription (line 104) | def GetServiceTypeDescription(self):
    method GetStartValueDescription (line 113) | def GetStartValueDescription(self):
  class WindowsServicesCollector (line 123) | class WindowsServicesCollector(interface.WindowsRegistryKeyCollector):
    method _CollectWindowsServicesFromServicesKey (line 126) | def _CollectWindowsServicesFromServicesKey(self, services_key):
    method _CollectWindowsServicesFromSystemKey (line 147) | def _CollectWindowsServicesFromSystemKey(self, system_key):
    method Collect (line 162) | def Collect(self, registry, all_control_sets=False):
    method Compare (line 185) | def Compare(self, registry, output_writer):

FILE: winregrc/shellfolders.py
  class WindowsShellFolder (line 6) | class WindowsShellFolder:
    method __init__ (line 17) | def __init__(self, identifier=None, localized_string=None):
  class ShellFoldersCollector (line 32) | class ShellFoldersCollector(interface.WindowsRegistryKeyCollector):
    method __init__ (line 37) | def __init__(self, debug=False):
    method _CollectShellFolders (line 46) | def _CollectShellFolders(self, class_identifiers_key):
    method _GetShellFolderName (line 81) | def _GetShellFolderName(self, class_identifier_key):
    method Collect (line 111) | def Collect(self, registry):

FILE: winregrc/srum_extensions.py
  class SRUMExtension (line 6) | class SRUMExtension:
    method __init__ (line 14) | def __init__(self, guid, dll_name):
  class SRUMExtensionsCollector (line 26) | class SRUMExtensionsCollector(interface.WindowsRegistryKeyCollector):
    method Collect (line 33) | def Collect(self, registry, output_writer):

FILE: winregrc/sysinfo.py
  class SystemInformation (line 9) | class SystemInformation:
    method __init__ (line 26) | def __init__(self):
  class SystemInfoCollector (line 42) | class SystemInfoCollector(interface.WindowsRegistryKeyCollector):
    method __init__ (line 64) | def __init__(self, debug=False, output_writer=None):
    method _ParseInstallDate (line 75) | def _ParseInstallDate(self, registry_value):
    method Collect (line 93) | def Collect(self, registry):  # pylint: disable=arguments-differ

FILE: winregrc/syskey.py
  class SystemKey (line 8) | class SystemKey:
    method __init__ (line 15) | def __init__(self):
  class SystemKeyCollector (line 21) | class SystemKeyCollector(interface.WindowsRegistryKeyCollector):
    method __init__ (line 31) | def __init__(self, debug=False, output_writer=None):
    method _GetBootKey (line 42) | def _GetBootKey(self, registry):
    method Collect (line 90) | def Collect(self, registry):  # pylint: disable=arguments-differ

FILE: winregrc/task_cache.py
  class CachedTask (line 15) | class CachedTask:
    method __init__ (line 26) | def __init__(self):
  class TaskCacheDataParser (line 35) | class TaskCacheDataParser(data_format.BinaryDataFormat):
    method __init__ (line 40) | def __init__(self, debug=False, output_writer=None):
    method _ParseFiletime (line 51) | def _ParseFiletime(self, filetime):
    method ParseDynamicInfo (line 68) | def ParseDynamicInfo(self, value_data, cached_task):
  class TaskCacheCollector (line 130) | class TaskCacheCollector(interface.WindowsRegistryKeyCollector):
    method __init__ (line 141) | def __init__(self, debug=False, output_writer=None):
    method _GetIdValue (line 153) | def _GetIdValue(self, registry_key):
    method Collect (line 171) | def Collect(self, registry):  # pylint: disable=arguments-differ

FILE: winregrc/time_zones.py
  class TimeZone (line 8) | class TimeZone:
    method __init__ (line 17) | def __init__(self, name):
  class TimeZoneInformationDataParser (line 29) | class TimeZoneInformationDataParser(data_format.BinaryDataFormat):
    method _FormatSystemTime (line 51) | def _FormatSystemTime(self, systemtime):
    method ParseTZIValue (line 74) | def ParseTZIValue(self, value_data, time_zone):
  class TimeZonesCollector (line 102) | class TimeZonesCollector(interface.WindowsRegistryKeyCollector):
    method Collect (line 109) | def Collect(self, registry, output_writer):

FILE: winregrc/type_libraries.py
  class TypeLibrary (line 6) | class TypeLibrary:
    method __init__ (line 16) | def __init__(self, identifier, version, description, typelib_filename):
  class TypeLibrariesCollector (line 32) | class TypeLibrariesCollector(interface.WindowsRegistryKeyCollector):
    method __init__ (line 42) | def __init__(self, debug=False, output_writer=None):
    method Collect (line 53) | def Collect(self, registry):  # pylint: disable=arguments-differ

FILE: winregrc/usbstor.py
  class USBStorageDeviceProperty (line 10) | class USBStorageDeviceProperty:
    method __init__ (line 20) | def __init__(self, property_set, identifier):
  class USBStorageDevice (line 34) | class USBStorageDevice:
    method __init__ (line 47) | def __init__(self):
  class USBStorageDeviceCollector (line 59) | class USBStorageDeviceCollector(data_format.BinaryDataFormat):
    method _CollectUSBStorageDevices (line 67) | def _CollectUSBStorageDevices(self, usbstor_key):
    method _GetPropertyValueData (line 79) | def _GetPropertyValueData(self, property_value_key, value_type):
    method _GetPropertyValueType (line 116) | def _GetPropertyValueType(self, property_value_key):
    method _GetStringValueFromKey (line 140) | def _GetStringValueFromKey(
    method _GetValueDataFromKey (line 164) | def _GetValueDataFromKey(self, registry_key, value_name):
    method _ParseDeviceKey (line 183) | def _ParseDeviceKey(self, device_key):
    method _ParseFiletime (line 238) | def _ParseFiletime(self, filetime):
    method Collect (line 255) | def Collect(self, registry):

FILE: winregrc/userassist.py
  class UserAssistEntry (line 11) | class UserAssistEntry:
    method __init__ (line 20) | def __init__(self, guid=None, name=None, value_name=None):
  class UserAssistDataParser (line 34) | class UserAssistDataParser(data_format.BinaryDataFormat):
    method _DebugPrintEntry (line 40) | def _DebugPrintEntry(self, format_version, user_assist_entry):
    method ParseEntry (line 83) | def ParseEntry(self, format_version, entry_data):
  class UserAssistCollector (line 125) | class UserAssistCollector(interface.WindowsRegistryKeyCollector):
    method __init__ (line 136) | def __init__(self, debug=False, output_writer=None):
    method _CollectUserAssistFromKey (line 149) | def _CollectUserAssistFromKey(self, guid_subkey):
    method Collect (line 203) | def Collect(self, registry):  # pylint: disable=arguments-differ

FILE: winregrc/versions.py
  class WindowsVersions (line 4) | class WindowsVersions:
    method KeyFunction (line 41) | def KeyFunction(cls, windows_version):

FILE: winregrc/volume_scanner.py
  class VolumeScannerOptions (line 15) | class VolumeScannerOptions(dfvfs_volume_scanner.VolumeScannerOptions):
    method __init__ (line 30) | def __init__(self):
  class SingleFileWindowsRegistryFileReader (line 36) | class SingleFileWindowsRegistryFileReader(
    method __init__ (line 40) | def __init__(self, path):
    method Open (line 49) | def Open(self, path, ascii_codepage='cp1252'):
  class WindowsRegistryVolumeScanner (line 86) | class WindowsRegistryVolumeScanner(dfvfs_volume_scanner.WindowsVolumeSca...
    method __init__ (line 93) | def __init__(self, mediator=None):
    method _GetUsername (line 106) | def _GetUsername(self, options):
    method IsSingleFileRegistry (line 163) | def IsSingleFileRegistry(self):
    method ScanForWindowsVolume (line 171) | def ScanForWindowsVolume(self, source_path, options=None):
  class WindowsRegistryVolumeScannerMediator (line 214) | class WindowsRegistryVolumeScannerMediator(
    method GetUsername (line 222) | def GetUsername(self, usernames):
    method _PrintUsernames (line 260) | def _PrintUsernames(self, usernames):
Condensed preview — 200 files, each showing path, character count, and a content snippet (the full structured content is 884K chars).
[
  {
    "path": ".github/workflows/test_docker.yml",
    "chars": 3736,
    "preview": "# Run tests on Fedora and Ubuntu Docker images using GIFT COPR and GIFT PPA on commit\nname: test_docker\non: [push]\npermi"
  },
  {
    "path": ".github/workflows/test_docs.yml",
    "chars": 1907,
    "preview": "# Run docs tox tests on Ubuntu Docker images using the deadsnakes and GIFT PPAs\nname: test_docs\non:\n  pull_request:\n    "
  },
  {
    "path": ".github/workflows/test_macos.yml",
    "chars": 569,
    "preview": "# Run tests on Mac OS.\nname: test_macos\non: [push, pull_request]\npermissions: read-all\njobs:\n  test_macos:\n    runs-on: "
  },
  {
    "path": ".github/workflows/test_tox.yml",
    "chars": 5778,
    "preview": "# Run tox tests on Ubuntu Docker images using the deadsnakes and GIFT PPAs\nname: test_tox\non:\n  pull_request:\n    branch"
  },
  {
    "path": ".gitignore",
    "chars": 212,
    "preview": "# Files to ignore by git\n\n# Back-up files\n*~\n*.swp\n\n# Generic auto-generated build files\n*.pyc\n*.pyo\n\n# Specific auto-ge"
  },
  {
    "path": ".pylintrc",
    "chars": 23747,
    "preview": "# Pylint 3.2.x configuration file\n#\n# This file is generated by l2tdevtools update-dependencies.py, any dependency\n# rel"
  },
  {
    "path": ".readthedocs.yaml",
    "chars": 322,
    "preview": "# Read the Docs configuration file for Sphinx projects\n# See https://docs.readthedocs.io/en/stable/config-file/v2.html f"
  },
  {
    "path": ".yamllint.yaml",
    "chars": 149,
    "preview": "extends: default\n\nrules:\n  line-length: disable\n  indentation:\n    spaces: consistent\n    indent-sequences: false\n    ch"
  },
  {
    "path": "ACKNOWLEDGEMENTS",
    "chars": 390,
    "preview": "Acknowledgements: winreg-kb\n\nCopyright (c) 2013-2022, Joachim Metz <joachim.metz@gmail.com>\n\nCopied with permission from"
  },
  {
    "path": "AUTHORS",
    "chars": 265,
    "preview": "# Names should be added to this file with this pattern:\n#\n# For individuals:\n#   Name (email address)\n#\n# For organizati"
  },
  {
    "path": "LICENSE",
    "chars": 11358,
    "preview": "\n                                 Apache License\n                           Version 2.0, January 2004\n                  "
  },
  {
    "path": "MANIFEST.in",
    "chars": 501,
    "preview": "include ACKNOWLEDGEMENTS AUTHORS LICENSE README.md\ninclude dependencies.ini run_tests.py utils/dependencies.py\ninclude u"
  },
  {
    "path": "MANIFEST.test_data.in",
    "chars": 422,
    "preview": "include ACKNOWLEDGEMENTS AUTHORS LICENSE README.md\ninclude dependencies.ini run_tests.py utils/dependencies.py\ninclude u"
  },
  {
    "path": "README.md",
    "chars": 256,
    "preview": "winreg-kb is a project to build a Windows Registry Knowledge Base.\n\nwinregrc is a Python module part of winreg-kb to all"
  },
  {
    "path": "appveyor.yml",
    "chars": 1513,
    "preview": "environment:\n  matrix:\n  - DESCRIPTION: \"Run tests on Windows with 32-bit Python 3.14\"\n    MACHINE_TYPE: \"x86\"\n    APPVE"
  },
  {
    "path": "config/appveyor/install.ps1",
    "chars": 1145,
    "preview": "# Script to set up tests on AppVeyor Windows.\n\n$Dependencies = \"PyYAML acstore artifacts dfdatetime dfimagetools dfvfs d"
  },
  {
    "path": "config/dpkg/changelog",
    "chars": 141,
    "preview": "winreg-kb (20260413-1) unstable; urgency=low\n\n  * Auto-generated\n\n -- Joachim Metz <joachim.metz@gmail.com>  Mon, 13 Apr"
  },
  {
    "path": "config/dpkg/clean",
    "chars": 21,
    "preview": "winregrc/*.pyc\n*.pyc\n"
  },
  {
    "path": "config/dpkg/compat",
    "chars": 2,
    "preview": "9\n"
  },
  {
    "path": "config/dpkg/control",
    "chars": 2049,
    "preview": "Source: winreg-kb\nSection: python\nPriority: extra\nMaintainer: Joachim Metz <joachim.metz@gmail.com>\nBuild-Depends: debhe"
  },
  {
    "path": "config/dpkg/copyright",
    "chars": 884,
    "preview": "Format: http://dep.debian.net/deps/dep5\nUpstream-Name: dtfabric\nSource: https://github.com/libyal/dtfabric\n\nFiles: *\nCop"
  },
  {
    "path": "config/dpkg/python3-winregrc.install",
    "chars": 145,
    "preview": "usr/lib/python3*/dist-packages/winregrc/*.py\nusr/lib/python3*/dist-packages/winregrc/*.yaml\nusr/lib/python3*/dist-packag"
  },
  {
    "path": "config/dpkg/rules",
    "chars": 122,
    "preview": "#!/usr/bin/make -f\n\n%:\n\tdh $@ --buildsystem=pybuild --with=python3\n\n.PHONY: override_dh_auto_test\noverride_dh_auto_test:"
  },
  {
    "path": "config/dpkg/source/format",
    "chars": 12,
    "preview": "3.0 (quilt)\n"
  },
  {
    "path": "config/pylint/spelling-private-dict",
    "chars": 714,
    "preview": "appcompatcachecachedentry\nargparse\nargs\nbackports\nbool\ncachedtask\ncodecs\ncodepage\nconfig\ncsd\ncurrentversion\ndatatypefabr"
  },
  {
    "path": "dependencies.ini",
    "chars": 6586,
    "preview": "[acstore]\ndpkg_name: python3-acstore\nminimum_version: 20230101\nrpm_name: python3-acstore\nversion_property: __version__\n\n"
  },
  {
    "path": "docs/conf.py",
    "chars": 5145,
    "preview": "\"\"\"Sphinx build configuration file.\"\"\"\n\nimport os\nimport sys\n\nfrom sphinx.ext import apidoc\n\nfrom docutils import nodes\n"
  },
  {
    "path": "docs/index.rst",
    "chars": 971,
    "preview": "Welcome to the winreg-kb documentation\n========================================\n\nwinreg-kb is a project to build a Windo"
  },
  {
    "path": "docs/requirements.txt",
    "chars": 118,
    "preview": "certifi >= 2023.11.17\ndocutils\nMarkdown\nrecommonmark\nsphinx >= 4.1.0\nsphinx-markdown-tables\nsphinx-rtd-theme >= 0.5.1\n"
  },
  {
    "path": "docs/sources/EventLog-keys.md",
    "chars": 8369,
    "preview": "# EventLog keys\n\n## EventLog providers\n\nInformation about EventLog providers is stored across multiple keys:\n\n* the Serv"
  },
  {
    "path": "docs/sources/api/modules.rst",
    "chars": 61,
    "preview": "winregrc\n========\n\n.. toctree::\n   :maxdepth: 4\n\n   winregrc\n"
  },
  {
    "path": "docs/sources/api/winregrc.rst",
    "chars": 5412,
    "preview": "winregrc package\n================\n\nSubpackages\n-----------\n\n.. toctree::\n   :maxdepth: 4\n\n   winregrc.scripts\n\nSubmodule"
  },
  {
    "path": "docs/sources/api/winregrc.scripts.rst",
    "chars": 4621,
    "preview": "winregrc.scripts package\n========================\n\nSubmodules\n----------\n\nwinregrc.scripts.appcompatcache module\n-------"
  },
  {
    "path": "docs/sources/application-keys/7-Zip.md",
    "chars": 980,
    "preview": "# 7-Zip\n\n**TODO this page currently contains rough notes, fine tune these**\n\nThe 7-Zip application uses the following Wi"
  },
  {
    "path": "docs/sources/application-keys/CCleaner.md",
    "chars": 5267,
    "preview": "# CCleaner\n\n**TODO this page currently contains rough notes, fine tune these**\n\nThe CCleaner application uses the follow"
  },
  {
    "path": "docs/sources/application-keys/MSDN-web-browser.md",
    "chars": 286,
    "preview": "# MSDN web browser\n\n**TODO this page currently contains rough notes, fine tune these**\n\n```\nHKEY_CURRENT_USER\\Software\\M"
  },
  {
    "path": "docs/sources/application-keys/Microsoft-Office.md",
    "chars": 5327,
    "preview": "# Microsoft Office\n\n**TODO this page currently contains rough notes, fine tune these**\n\n## Microsoft Outlook keys\n\n```\nH"
  },
  {
    "path": "docs/sources/application-keys/Terminal-server-client.md",
    "chars": 681,
    "preview": "# Terminal server client\n\nThe most recently used (MRU) connections of the Terminal server client can\nbe found in the key:"
  },
  {
    "path": "docs/sources/application-keys/WinRAR.md",
    "chars": 483,
    "preview": "# WinRAR\n\n**TODO this page currently contains rough notes, fine tune these**\n\nThe WinRAR application uses the following "
  },
  {
    "path": "docs/sources/application-keys/index.rst",
    "chars": 231,
    "preview": "################\nApplication keys\n################\n\n.. toctree::\n   :maxdepth: 1\n\n   7-Zip <7-Zip>\n   CCleaner <CCleaner"
  },
  {
    "path": "docs/sources/explorer-keys/Bit-bucket.md",
    "chars": 699,
    "preview": "# Bit bucket\n\nThe Windows Explorer bit bucket key contains Recycler configuration\nproperties and information about the R"
  },
  {
    "path": "docs/sources/explorer-keys/Control-panel-item-identifiers.md",
    "chars": 400,
    "preview": "# Control panel item identifiers\n\nA control panel item identifier is a GUID that identifies a specific control\npanel ite"
  },
  {
    "path": "docs/sources/explorer-keys/Delegate-folders.md",
    "chars": 521,
    "preview": "# Delegate folders keys\n\nWindows explorer uses delegate folders to provide alternative graphical\nrepresentations.\n\n```\nH"
  },
  {
    "path": "docs/sources/explorer-keys/Known-folder-identifiers.md",
    "chars": 1277,
    "preview": "# Known folder identifier keys\n\nA known folder identifier is a GUID that identifies a system folder. It was\nintroduced i"
  },
  {
    "path": "docs/sources/explorer-keys/MUI-cache.md",
    "chars": 281,
    "preview": "# Multilingual User Interface (MUI) cache\n\nSeen on Windows XP and 2003\n\n```\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows"
  },
  {
    "path": "docs/sources/explorer-keys/Most-recently-used.md",
    "chars": 12526,
    "preview": "# Most recently used (MRU)\n\nThe Windows Registry contains various keys with information about Most Recently\nfiles Used ("
  },
  {
    "path": "docs/sources/explorer-keys/Mount-points.md",
    "chars": 1614,
    "preview": "# Mount points\n\n## MountPoints\n\n```\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints\n```"
  },
  {
    "path": "docs/sources/explorer-keys/Program-cache.md",
    "chars": 10093,
    "preview": "# Program cache\n\nThe Windows explorer ProgramsCache Registry values can be stored in\nthe following Windows Registry keys"
  },
  {
    "path": "docs/sources/explorer-keys/Shell-folders.md",
    "chars": 1402,
    "preview": "# Shell folders\n\nShell Folder identifiers are class identifiers with Shell Folder sub key. In\nthe Windows Registry Some "
  },
  {
    "path": "docs/sources/explorer-keys/Typed-paths.md",
    "chars": 219,
    "preview": "# Typed paths\n\n```\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\n```\n\nValue| Data type"
  },
  {
    "path": "docs/sources/explorer-keys/User-assist.md",
    "chars": 6780,
    "preview": "# User Assist key\n\nThe User Assist key contains settings and data of programs that were launched\nvia Windows Explorer (e"
  },
  {
    "path": "docs/sources/explorer-keys/index.rst",
    "chars": 544,
    "preview": "#####################\nWindows explorer keys\n#####################\n\n.. toctree::\n   :maxdepth: 1\n\n   Bit bucket <Bit-buck"
  },
  {
    "path": "docs/sources/internet-explorer-keys/Browser-helper-objects.md",
    "chars": 134,
    "preview": "# Browser helper objects (BHO)\n\n```\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper"
  },
  {
    "path": "docs/sources/internet-explorer-keys/Policies.md",
    "chars": 4611,
    "preview": "# Policies\n\nThe Internet Explorer policies are stored in multiple keys.\n\nOrder of application:\n\n1. HKEY_LOCAL_MACHINE pol"
  },
  {
    "path": "docs/sources/internet-explorer-keys/Types-URLs.md",
    "chars": 215,
    "preview": "# Typed URLs\n\n....\nHKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\TypedURLs\n....\n\nValues:\n\nName | Data type | De"
  },
  {
    "path": "docs/sources/internet-explorer-keys/index.rst",
    "chars": 201,
    "preview": "######################\nInternet explorer keys\n######################\n\n.. toctree::\n   :maxdepth: 1\n\n   Browser helper ob"
  },
  {
    "path": "docs/sources/security-accounts-manager-keys/Domains.md",
    "chars": 13030,
    "preview": "# Domains\n\nThe Security Accounts Manager (SAM) domains are stored in the key:\n\n```\nHKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\n``"
  },
  {
    "path": "docs/sources/security-accounts-manager-keys/Security-accounts-manager.md",
    "chars": 1091,
    "preview": "# Security Accounts Manager (SAM)\n\nThe Security Accounts Manager (SAM) is stored in the key:\n\n```\nHKEY_LOCAL_MACHINE\\SAM"
  },
  {
    "path": "docs/sources/security-accounts-manager-keys/index.rst",
    "chars": 202,
    "preview": "##############################\nSecurity accounts manager keys\n##############################\n\n.. toctree::\n   :maxdepth:"
  },
  {
    "path": "docs/sources/system-keys/Application-compatibility-cache.md",
    "chars": 20874,
    "preview": "# Application compatibility cache\n\nThe Application compatibility cache can be found in the following Windows\nRegistry ke"
  },
  {
    "path": "docs/sources/system-keys/Background-activity-moderator.md",
    "chars": 1290,
    "preview": "# Background activity moderator (BAM)\n\nThe Background Activity Moderator (BAM) key seems to have been introduced in\nWind"
  },
  {
    "path": "docs/sources/system-keys/Boot-verification.md",
    "chars": 1992,
    "preview": "# Boot Verification key\n\n```\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BootVerification\n```\n\nThe BootVerifica"
  },
  {
    "path": "docs/sources/system-keys/COM-class-identifiers.md",
    "chars": 3624,
    "preview": "# Component object model (COM) class identifiers (CLSIDs)\n\nThe component object model (COM) class Identifier (CLSID) key"
  },
  {
    "path": "docs/sources/system-keys/Cached-credentials.md",
    "chars": 9378,
    "preview": "# Cached credentials\n\n```\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n```\n\nValues:\n\nName | "
  },
  {
    "path": "docs/sources/system-keys/Certificates.md",
    "chars": 265,
    "preview": "# Certificates\n\n```\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\n```\n\n## External Link"
  },
  {
    "path": "docs/sources/system-keys/Codepage.md",
    "chars": 947,
    "preview": "# Codepage\n\nThe codepage settings are stored in the key:\n\n```\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Co"
  },
  {
    "path": "docs/sources/system-keys/Current-control-set.md",
    "chars": 1482,
    "preview": "# Current control set\n\nThe Windows Registry contains the Current control set key:\n\n```\nHKEY_LOCAL_MACHINE\\System\\Current"
  },
  {
    "path": "docs/sources/system-keys/Environment-variables.md",
    "chars": 2937,
    "preview": "# Environment variables\n\nThe environment variables are stored in multiple keys.\n\n## Session Manager\\\\Environment key\n\n``"
  },
  {
    "path": "docs/sources/system-keys/File-system.md",
    "chars": 3165,
    "preview": "# File system\n\nWindows file system settings are stored in the File system key.\n\n```\nHKEY_LOCAL_MACHINE\\System\\CurrentCon"
  },
  {
    "path": "docs/sources/system-keys/Language.md",
    "chars": 661,
    "preview": "# Language\n\nThe language settings are stored in the key:\n\n```\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\La"
  },
  {
    "path": "docs/sources/system-keys/Local-security-authority.md",
    "chars": 4075,
    "preview": "# Local Security Authority (LSA)\n\nWindows 2000 and later.\n\n```\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\n`"
  },
  {
    "path": "docs/sources/system-keys/Mounted-devices.md",
    "chars": 3020,
    "preview": "# Mounted devices\n\nThe mounted devices settings are stored in the key:\n\n```\nHKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices\n```"
  },
  {
    "path": "docs/sources/system-keys/Prefetch.md",
    "chars": 708,
    "preview": "# Prefetch\n\n## Prefetch Parameters key\n\n```\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory M"
  },
  {
    "path": "docs/sources/system-keys/Run-and-RunOnce.md",
    "chars": 2490,
    "preview": "# Run and RunOnce\n\nRun and RunOnce keys cause programs to run each time a user logs on. There are\nsystem and per-user Ru"
  },
  {
    "path": "docs/sources/system-keys/Services-and-drivers.md",
    "chars": 3664,
    "preview": "# Services and drivers\n\n**TODO this page currently contains rough notes, fine tune these**\n\nSettings to load/run drivers"
  },
  {
    "path": "docs/sources/system-keys/Session-manager.md",
    "chars": 462,
    "preview": "# Session manager\n\nThe session manager settings are stored in the key:\n\n```\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\"
  },
  {
    "path": "docs/sources/system-keys/Shell-folder-identifiers.md",
    "chars": 2221,
    "preview": "# Shell folder identifiers\n\nShell folder identifiers are class identifiers (CLSID) with ShellFolder sub\nkey of some [COM"
  },
  {
    "path": "docs/sources/system-keys/System-restore.md",
    "chars": 90,
    "preview": "# System restore\n\n```\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\SystemRestore\n```\n\n"
  },
  {
    "path": "docs/sources/system-keys/Task-scheduler.md",
    "chars": 4337,
    "preview": "# Task scheduler\n\n## SchedulingAgent key\n\nIn Windows XP:\n\n```\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\SchedulingAgent\n```\n"
  },
  {
    "path": "docs/sources/system-keys/Time-zones.md",
    "chars": 7419,
    "preview": "# Time zones\n\n## Time zone information key\n\nThe time zone information is stored in the following key:\n\n```\nHKEY_LOCAL_MA"
  },
  {
    "path": "docs/sources/system-keys/USB-storage.md",
    "chars": 3104,
    "preview": "# USB storage\n\nThe USBSTOR driver tracks various information about attached USB storage\ndevices in the key.\n\n```\nHKEY_LO"
  },
  {
    "path": "docs/sources/system-keys/Volume-shadow-copies.md",
    "chars": 552,
    "preview": "# Volume shadow copies\n\n## FilesNotToSnapshot key\n\n```\nHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\BackupRestore"
  },
  {
    "path": "docs/sources/system-keys/Windows-error-reporting.md",
    "chars": 4399,
    "preview": "# Windows Error Reporting (WER) keys\n\n## Windows Error Reporting (WER) system key\n\n```\nHKEY_LOCAL_MACHINE\\Software\\Micro"
  },
  {
    "path": "docs/sources/system-keys/Windows-product-information.md",
    "chars": 998,
    "preview": "# Windows product information\n\nWindows product information can be found in the key:\n\n```\nHKEY_LOCAL_MACHINE\\Software\\Mic"
  },
  {
    "path": "docs/sources/system-keys/Windows-system-locations.md",
    "chars": 1037,
    "preview": "# Windows system locations\n\nWindows system locations can be found in the key:\n\n```\nHKEY_LOCAL_MACHINE\\Software\\Microsoft"
  },
  {
    "path": "docs/sources/system-keys/index.rst",
    "chars": 1191,
    "preview": "###################\nWindows system keys\n###################\n\n.. toctree::\n   :maxdepth: 1\n\n   Application compatibility "
  },
  {
    "path": "docs/sources/windows-registry/Files.md",
    "chars": 6285,
    "preview": "# Windows Registry files\n\n## Windows Registry files - Windows 3.1\n\nOn Windows 3.1 the SHCC file format is used to store "
  },
  {
    "path": "docs/sources/windows-registry/Hives.md",
    "chars": 867,
    "preview": "# Windows Registry hives\n\nName | Short name | Description\n--- | --- | ---\nHKEY_CLASSES_ROOT | HKCR | Used by Windows 3.1"
  },
  {
    "path": "docs/sources/windows-registry/MUI-form.md",
    "chars": 1603,
    "preview": "# Multilingual User Interface (MUI) form\n\nThe Multilingual User Interface (MUI) form is used to store strings in multipl"
  },
  {
    "path": "docs/sources/windows-registry/index.rst",
    "chars": 169,
    "preview": "################\nWindows Registry\n################\n\n.. toctree::\n   :maxdepth: 1\n\n   Hives <Hives>\n   Files <Files>\n   M"
  },
  {
    "path": "pyproject.toml",
    "chars": 3505,
    "preview": "[build-system]\nrequires = [\"setuptools\", \"wheel\"]\nbuild-backend = \"setuptools.build_meta\"\n\n[project]\nname = \"winregrc\"\nv"
  },
  {
    "path": "run_tests.py",
    "chars": 902,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to run the tests.\"\"\"\n\nimport sys\nimport unittest\n\n# Change PYTHONPATH to include winreg"
  },
  {
    "path": "test_dependencies.ini",
    "chars": 0,
    "preview": ""
  },
  {
    "path": "tests/__init__.py",
    "chars": 0,
    "preview": ""
  },
  {
    "path": "tests/appcompatcache.py",
    "chars": 20031,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Application Compatibility Cache collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg im"
  },
  {
    "path": "tests/application_identifiers.py",
    "chars": 2282,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Windows application identifiers (AppID) collector.\"\"\"\n\nimport unittest\n\nfrom dfw"
  },
  {
    "path": "tests/cached_credentials.py",
    "chars": 6747,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the domain cached credentials collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import d"
  },
  {
    "path": "tests/data_format.py",
    "chars": 5627,
    "preview": "\"\"\"Tests for binary data format and file.\"\"\"\n\nimport io\nimport unittest\n\nfrom dtfabric import errors as dtfabric_errors\n"
  },
  {
    "path": "tests/environment_variables.py",
    "chars": 2205,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the environment variables collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import defin"
  },
  {
    "path": "tests/eventlog_providers.py",
    "chars": 2620,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Windows Event Log providers collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import"
  },
  {
    "path": "tests/filters.py",
    "chars": 1637,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Windows Registry key and value filters.\"\"\"\n\nimport unittest\n\nfrom winregrc impor"
  },
  {
    "path": "tests/hexdump.py",
    "chars": 888,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the hexadecimal representation functions.\"\"\"\n\nimport unittest\n\nfrom winregrc import "
  },
  {
    "path": "tests/interface.py",
    "chars": 3811,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Windows Registry key and value collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg imp"
  },
  {
    "path": "tests/knownfolders.py",
    "chars": 2767,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Windows known folders collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import defin"
  },
  {
    "path": "tests/mounted_devices.py",
    "chars": 2211,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Windows mounted devices collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import def"
  },
  {
    "path": "tests/mru.py",
    "chars": 2575,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Most Recently Used (MRU) collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import de"
  },
  {
    "path": "tests/msie_zone_info.py",
    "chars": 1789,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Microsoft Internet Explorer (MSIE) zone collector.\"\"\"\n\nimport unittest\n\nfrom dfw"
  },
  {
    "path": "tests/output_writer.py",
    "chars": 2956,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the output writer.\"\"\"\n\nimport unittest\n\nfrom winregrc import output_writers\n\nfrom te"
  },
  {
    "path": "tests/profiles.py",
    "chars": 2322,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the user profiles collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import definitions a"
  },
  {
    "path": "tests/programscache.py",
    "chars": 2459,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Programs Cache information collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import "
  },
  {
    "path": "tests/sam.py",
    "chars": 8564,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Security Account Manager (SAM) collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg imp"
  },
  {
    "path": "tests/services.py",
    "chars": 3903,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the services collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import definitions as dfw"
  },
  {
    "path": "tests/shellfolders.py",
    "chars": 3324,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Windows shell folders collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import defin"
  },
  {
    "path": "tests/sysinfo.py",
    "chars": 5658,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the system information collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import definiti"
  },
  {
    "path": "tests/task_cache.py",
    "chars": 7491,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Task Cache information collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import defi"
  },
  {
    "path": "tests/test_lib.py",
    "chars": 1676,
    "preview": "\"\"\"Shared test case.\"\"\"\n\nimport os\nimport unittest\n\nfrom winregrc import output_writers\n\n\nclass BaseTestCase(unittest.Te"
  },
  {
    "path": "tests/type_libraries.py",
    "chars": 4798,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the type libraries collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import definitions "
  },
  {
    "path": "tests/userassist.py",
    "chars": 4083,
    "preview": "#!/usr/bin/env python3\n\"\"\"Tests for the Windows User Assist collector.\"\"\"\n\nimport unittest\n\nfrom dfwinreg import definit"
  },
  {
    "path": "tox.ini",
    "chars": 1022,
    "preview": "[tox]\nenvlist = py3{10,11,12,13,14},coverage,docs,lint,wheel\n\n[testenv]\nallowlist_externals = ./run_tests.py\npip_pre = T"
  },
  {
    "path": "utils/__init__.py",
    "chars": 46,
    "preview": "\"\"\"Data formats.\"\"\"\n\n__version__ = '20170423'\n"
  },
  {
    "path": "utils/check_dependencies.py",
    "chars": 399,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to check for the availability and version of dependencies.\"\"\"\n\nimport sys\n\n# Change PYT"
  },
  {
    "path": "utils/dependencies.py",
    "chars": 11469,
    "preview": "\"\"\"Helper to check for availability and version of dependencies.\"\"\"\n\nimport configparser\nimport os\nimport re\n\n\nclass Dep"
  },
  {
    "path": "utils/update_release.sh",
    "chars": 874,
    "preview": "#!/bin/bash\n#\n# Script that makes changes in preparation of a new release, such as updating\n# the version and documentat"
  },
  {
    "path": "winreg-kb.ini",
    "chars": 429,
    "preview": "[project]\nname: winreg-kb\nstatus: experimental\nname_description: Windows Registry knowledge base (winreg-kb)\nmaintainer:"
  },
  {
    "path": "winregrc/__init__.py",
    "chars": 71,
    "preview": "\"\"\"Windows Registry resources (winregrc).\"\"\"\n\n__version__ = '20260413'\n"
  },
  {
    "path": "winregrc/appcompatcache.py",
    "chars": 27129,
    "preview": "\"\"\"Application Compatibility Cache collector.\"\"\"\n\nimport logging\n\nfrom dtfabric.runtime import data_maps as dtfabric_dat"
  },
  {
    "path": "winregrc/appcompatcache.yaml",
    "chars": 8287,
    "preview": "# dtFabric format specification.\n---\nname: appcompatcache\ntype: format\ndescription: Application Compatibility Cache form"
  },
  {
    "path": "winregrc/application_identifiers.py",
    "chars": 1847,
    "preview": "\"\"\"Windows application identifiers (AppID) collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass ApplicationIdentifier:\n"
  },
  {
    "path": "winregrc/cached_credentials.py",
    "chars": 8564,
    "preview": "\"\"\"Domain cached credentials collector.\"\"\"\n\nimport codecs\nimport struct\n\nimport pyfcrypto\nimport pyhmac\n\nfrom winregrc i"
  },
  {
    "path": "winregrc/catalog.py",
    "chars": 2756,
    "preview": "\"\"\"Catalog collector.\"\"\"\n\nimport re\n\n\nclass CatalogKeyDescriptor:\n  \"\"\"Catalog key descriptor.\n\n  Attributes:\n    groupe"
  },
  {
    "path": "winregrc/controlpanel_items.py",
    "chars": 1885,
    "preview": "\"\"\"Windows control panel items collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass ControlPanelItem:\n  \"\"\"Control pane"
  },
  {
    "path": "winregrc/data/observed_shellfolders.yaml",
    "chars": 30313,
    "preview": "# winreg-kb shellfolder definitions observed.\n---\nidentifier: \"{00020d75-0000-0000-c000-000000000046}\"\nname: \"Inbox\"\nwin"
  },
  {
    "path": "winregrc/data_format.py",
    "chars": 10722,
    "preview": "\"\"\"Binary data format.\"\"\"\n\nimport os\n\nfrom dfdatetime import filetime as dfdatetime_filetime\n\nfrom dtfabric import error"
  },
  {
    "path": "winregrc/delegatefolders.py",
    "chars": 1824,
    "preview": "\"\"\"Windows delegate folders collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass DelegateFolder:\n  \"\"\"Delegate folder.\n"
  },
  {
    "path": "winregrc/environment_variables.py",
    "chars": 3680,
    "preview": "\"\"\"Environment variables collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass EnvironmentVariable:\n  \"\"\"Environment var"
  },
  {
    "path": "winregrc/errors.py",
    "chars": 170,
    "preview": "\"\"\"The error objects.\"\"\"\n\n\nclass Error(Exception):\n  \"\"\"The error interface.\"\"\"\n\n\nclass ParseError(Error):\n  \"\"\"Error th"
  },
  {
    "path": "winregrc/eventlog_providers.py",
    "chars": 10046,
    "preview": "\"\"\"Windows Event Log providers collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass EventLogProvider:\n  \"\"\"Windows Even"
  },
  {
    "path": "winregrc/filters.py",
    "chars": 5806,
    "preview": "\"\"\"The Windows Registry key and value filters.\"\"\"\n\nimport abc\n\n\nclass BaseWindowsRegistryKeyFilter:\n  \"\"\"Windows Registr"
  },
  {
    "path": "winregrc/hexdump.py",
    "chars": 1891,
    "preview": "\"\"\"Function to provide hexadecimal representation of data.\"\"\"\n\n\n_HEXDUMP_CHARACTER_MAP = [\n    '.' if byte < 0x20 or byt"
  },
  {
    "path": "winregrc/interface.py",
    "chars": 2137,
    "preview": "\"\"\"Windows Registry key and value collector.\"\"\"\n\n\nclass WindowsRegistryKeyCollector:\n  \"\"\"Windows Registry key and value"
  },
  {
    "path": "winregrc/knownfolders.py",
    "chars": 2014,
    "preview": "\"\"\"Windows known folders collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass KnownFolder:\n  \"\"\"Known folder.\n\n  Attrib"
  },
  {
    "path": "winregrc/mounted_devices.py",
    "chars": 3221,
    "preview": "\"\"\"Windows mounted devices collector.\"\"\"\n\nfrom winregrc import data_format\nfrom winregrc import errors\n\n\nclass MountedDe"
  },
  {
    "path": "winregrc/mounted_devices.yaml",
    "chars": 934,
    "preview": "# dtFabric format specification.\n---\nname: mounted_devices\ntype: format\ndescription: Windows Registry mounted devices fo"
  },
  {
    "path": "winregrc/mru.py",
    "chars": 16079,
    "preview": "\"\"\"Most Recently Used (MRU) collector.\"\"\"\n\nfrom dtfabric.runtime import data_maps as dtfabric_data_maps\n\nfrom winregrc i"
  },
  {
    "path": "winregrc/mru.yaml",
    "chars": 805,
    "preview": "# dtFabric format specification.\n---\nname: mru\ntype: format\ndescription: Most recently used (MRU) formats\n---\nname: byte"
  },
  {
    "path": "winregrc/msie_zone_info.py",
    "chars": 6276,
    "preview": "\"\"\"Microsoft Internet Explorer (MSIE) zone information collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass MSIEZoneInf"
  },
  {
    "path": "winregrc/output_writers.py",
    "chars": 7008,
    "preview": "\"\"\"Output writer.\"\"\"\n\nimport abc\n\nfrom dfdatetime import fat_date_time as dfdatetime_fat_date_time\nfrom dfdatetime impor"
  },
  {
    "path": "winregrc/profiles.py",
    "chars": 1595,
    "preview": "\"\"\"Windows user profiles collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass UserProfile:\n  \"\"\"User profile.\n\n  Attrib"
  },
  {
    "path": "winregrc/programscache.py",
    "chars": 9593,
    "preview": "\"\"\"Windows Programs Cache information collector.\"\"\"\n\nimport logging\nimport uuid\n\nfrom dtfabric.runtime import data_maps "
  },
  {
    "path": "winregrc/programscache.yaml",
    "chars": 915,
    "preview": "# dtFabric format specification.\n---\nname: programcache\ntype: format\ndescription: Programs Cache format\n---\nname: uint8\n"
  },
  {
    "path": "winregrc/sam.py",
    "chars": 14632,
    "preview": "\"\"\"Security Accounts Manager (SAM) collector.\"\"\"\n\nimport pyfwnt\n\nfrom dfdatetime import filetime as dfdatetime_filetime\n"
  },
  {
    "path": "winregrc/sam.yaml",
    "chars": 2292,
    "preview": "# dtFabric format specification.\n---\nname: sam\ntype: format\ndescription: Security Accounts Manager (SAM) format\n---\nname"
  },
  {
    "path": "winregrc/scripts/__init__.py",
    "chars": 0,
    "preview": ""
  },
  {
    "path": "winregrc/scripts/appcompatcache.py",
    "chars": 3086,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract Application Compatibility Cache information.\"\"\"\n\nimport argparse\nimport logg"
  },
  {
    "path": "winregrc/scripts/application_identifiers.py",
    "chars": 2990,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract Windows application identifiers (AppID).\"\"\"\n\nimport argparse\nimport logging\n"
  },
  {
    "path": "winregrc/scripts/cached_credentials.py",
    "chars": 2597,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract cached credentials.\"\"\"\n\nimport argparse\nimport logging\nimport sys\n\nfrom dfvf"
  },
  {
    "path": "winregrc/scripts/catalog.py",
    "chars": 3713,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract a catalog of Windows Registry keys and values.\"\"\"\n\nimport argparse\nimport lo"
  },
  {
    "path": "winregrc/scripts/controlpanel_items.py",
    "chars": 5877,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract Windows control panel items from the Windows Registry.\"\"\"\n\nimport argparse\ni"
  },
  {
    "path": "winregrc/scripts/delegatefolders.py",
    "chars": 2985,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract Windows delegate folders from the Windows Registry.\"\"\"\n\nimport argparse\nimpo"
  },
  {
    "path": "winregrc/scripts/environment_variables.py",
    "chars": 2976,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract environment variables.\"\"\"\n\nimport argparse\nimport logging\nimport sys\n\nfrom d"
  },
  {
    "path": "winregrc/scripts/eventlog_providers.py",
    "chars": 4462,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract Windows Event Log providers from the Windows Registry.\"\"\"\n\nimport argparse\ni"
  },
  {
    "path": "winregrc/scripts/knownfolders.py",
    "chars": 5888,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract Windows known folders from the Windows Registry.\"\"\"\n\nimport argparse\nimport "
  },
  {
    "path": "winregrc/scripts/mounted_devices.py",
    "chars": 3411,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract Windows mounted devices.\"\"\"\n\nimport argparse\nimport logging\nimport sys\n\nfrom"
  },
  {
    "path": "winregrc/scripts/mru.py",
    "chars": 13066,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract Most Recently Used (MRU) information.\"\"\"\n\nimport argparse\nimport logging\nimp"
  },
  {
    "path": "winregrc/scripts/msie_zone_info.py",
    "chars": 9309,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract MSIE zone information.\"\"\"\n\nimport argparse\nimport logging\nimport sys\n\nfrom d"
  },
  {
    "path": "winregrc/scripts/profiles.py",
    "chars": 2912,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract user profiles.\"\"\"\n\nimport argparse\nimport logging\nimport sys\n\nfrom dfvfs.hel"
  },
  {
    "path": "winregrc/scripts/programscache.py",
    "chars": 2485,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract the program cache.\"\"\"\n\nimport argparse\nimport logging\nimport sys\n\nfrom dfvfs"
  },
  {
    "path": "winregrc/scripts/sam.py",
    "chars": 3917,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract Security Account Manager (SAM) information.\"\"\"\n\nimport argparse\nimport loggi"
  },
  {
    "path": "winregrc/scripts/services.py",
    "chars": 5227,
    "preview": "\n\"\"\"Script to extract services information.\"\"\"\n\nimport argparse\nimport logging\nimport sys\n\nfrom dfvfs.helpers import vol"
  },
  {
    "path": "winregrc/scripts/shellfolders.py",
    "chars": 5766,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract shell folder identifiers.\"\"\"\n\nimport argparse\nimport logging\nimport sys\nimpo"
  },
  {
    "path": "winregrc/scripts/srum_extensions.py",
    "chars": 2952,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract System Resource Usage Monitor (SRUM) extensions.\"\"\"\n\nimport argparse\nimport "
  },
  {
    "path": "winregrc/scripts/sysinfo.py",
    "chars": 3766,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract system information.\"\"\"\n\nimport argparse\nimport logging\nimport sys\n\nfrom dfvf"
  },
  {
    "path": "winregrc/scripts/syskey.py",
    "chars": 2545,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract system key.\"\"\"\n\nimport argparse\nimport codecs\nimport logging\nimport sys\n\nfro"
  },
  {
    "path": "winregrc/scripts/task_cache.py",
    "chars": 2442,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract Task Scheduler Task Cache information.\"\"\"\n\nimport argparse\nimport logging\nim"
  },
  {
    "path": "winregrc/scripts/time_zones.py",
    "chars": 4484,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract time zone information from the Windows Registry.\"\"\"\n\nimport argparse\nimport "
  },
  {
    "path": "winregrc/scripts/type_libraries.py",
    "chars": 2618,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract type libraries.\"\"\"\n\nimport argparse\nimport logging\nimport sys\n\nfrom dfvfs.he"
  },
  {
    "path": "winregrc/scripts/usbstor.py",
    "chars": 5655,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract USB storage devices.\"\"\"\n\nimport argparse\nimport logging\nimport sys\n\nfrom dfv"
  },
  {
    "path": "winregrc/scripts/userassist.py",
    "chars": 2939,
    "preview": "#!/usr/bin/env python3\n\"\"\"Script to extract UserAssist information.\"\"\"\n\nimport argparse\nimport logging\nimport sys\n\nfrom "
  },
  {
    "path": "winregrc/services.py",
    "chars": 7664,
    "preview": "\"\"\"Windows services and drivers collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass WindowsService:\n  \"\"\"Windows servi"
  },
  {
    "path": "winregrc/shell_property_keys.py",
    "chars": 110327,
    "preview": "#!/usr/bin/env python3\n\"\"\"Windows serialized property to shell property key mappings.\n\nThis file was generated by the wi"
  },
  {
    "path": "winregrc/shellfolders.py",
    "chars": 3822,
    "preview": "\"\"\"Windows Shell folder collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass WindowsShellFolder:\n  \"\"\"Windows Shell fol"
  },
  {
    "path": "winregrc/srum_extensions.py",
    "chars": 1491,
    "preview": "\"\"\"System Resource Usage Monitor (SRUM) extension collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass SRUMExtension:\n "
  },
  {
    "path": "winregrc/sysinfo.py",
    "chars": 3708,
    "preview": "\"\"\"System information collector.\"\"\"\n\nfrom dfdatetime import posix_time as dfdatetime_posix_time\nfrom dfdatetime import s"
  },
  {
    "path": "winregrc/syskey.py",
    "chars": 2733,
    "preview": "\"\"\"System key (syskey) collector.\"\"\"\n\nimport codecs\n\nfrom winregrc import interface\n\n\nclass SystemKey:\n  \"\"\"System key.\n"
  },
  {
    "path": "winregrc/task_cache.py",
    "chars": 7233,
    "preview": "\"\"\"Task Cache collector.\"\"\"\n\nimport logging\n\nfrom dfdatetime import filetime as dfdatetime_filetime\nfrom dfdatetime impo"
  },
  {
    "path": "winregrc/task_cache.yaml",
    "chars": 914,
    "preview": "# dtFabric format specification.\n---\nname: task_cache\ntype: format\ndescription: Task Scheduler Cache format\n---\nname: ui"
  },
  {
    "path": "winregrc/time_zone_information.yaml",
    "chars": 1156,
    "preview": "# dtFabric format specification.\n---\nname: time_zone_information\ntype: format\ndescription: Time Zone Information (TZI) f"
  },
  {
    "path": "winregrc/time_zones.py",
    "chars": 5418,
    "preview": "\"\"\"Windows time zones collector.\"\"\"\n\nfrom winregrc import data_format\nfrom winregrc import errors\nfrom winregrc import i"
  },
  {
    "path": "winregrc/type_libraries.py",
    "chars": 2915,
    "preview": "\"\"\"Windows type libraries collector.\"\"\"\n\nfrom winregrc import interface\n\n\nclass TypeLibrary:\n  \"\"\"Type library.\n\n  Attri"
  },
  {
    "path": "winregrc/usbstor.py",
    "chars": 8040,
    "preview": "\"\"\"Windows USB storage device collector.\"\"\"\n\nfrom dfdatetime import filetime as dfdatetime_filetime\nfrom dfdatetime impo"
  },
  {
    "path": "winregrc/usbstor.yaml",
    "chars": 527,
    "preview": "# dtFabric format specification.\n---\nname: usbstor\ntype: format\ndescription: USB storage device formats.\n---\nname: uint3"
  },
  {
    "path": "winregrc/userassist.py",
    "chars": 7371,
    "preview": "\"\"\"Windows UserAssist information collector.\"\"\"\n\nimport codecs\nimport logging\n\nfrom winregrc import data_format\nfrom win"
  },
  {
    "path": "winregrc/userassist.yaml",
    "chars": 1522,
    "preview": "# dtFabric format specification.\n---\nname: userassist\ntype: format\ndescription: UserAssist format\n---\nname: float32\ntype"
  },
  {
    "path": "winregrc/versions.py",
    "chars": 1393,
    "preview": "\"\"\"Windows versions.\"\"\"\n\n\nclass WindowsVersions:\n  \"\"\"Windows versions.\"\"\"\n\n  _SORT_KEY_PER_VERSION = {\n       # TODO: u"
  },
  {
    "path": "winregrc/volume_scanner.py",
    "chars": 8459,
    "preview": "\"\"\"Windows Registry volume scanner.\"\"\"\n\nfrom dfimagetools import windows_registry\n\nfrom dfvfs.helpers import command_lin"
  }
]

// ... and 5 more files (download for full content)
