RegRip.py standard classes

Before executing a plugin, the following objects are inserted into the global namespace. Please refer to Creating a plugin to learn how to develop a plugin yourself.

When using these objects from inside your plugin, do not specify the regrip. module, as these objects are directly injected, bypassing any import.

class regrippy.BasePlugin(reg, logger, hive_name, hive_path)[source]

Base class for all plugins. Provides several methods that can be used by plugins to perform common actions, like opening registry keys.

Variables

  • __REGHIVE__ (str_or_list) – The registry hive (or list thereof) you plugin works on

  • reg (Registry.Registry) – a handle to a Registry hive

  • logger (logging.Logger) – a preconfigured Logger. Use the info(), warning() and error() methods instead.

  • hive_name (str) – the name of the hive. It will always be one of the values in __REGHIVE__ (see Creating a plugin)

  • hive_path (str) – the full path to the hive file. Can be “-” if the hive was loaded from stdin.

display_human(result)[source]

Displays a result to a human. By default, it display the path and value of the result.

Parameters

result (regrip.PluginResult) – the result to display

display_machine(result)[source]

Displays a result for further processing by a machine (piping into mactime for example).

Parameters

result (regrip.PluginResult) – the result to display

error(msg)[source]

Logs a message at ERROR level

get_currentcontrolset_path()[source]

Fetches the path to CurrentControlSet

Returns

the path to the CurrentControlSet key, or None if an error happened

Return type

str

guess_username(default='')[source]

Tries to guess the user the current NTUSER.DAT hive corresponds to

Parameters

default (any type) – what to return in case we couldn’t determine the user name

Returns

the user name, or default if it wasn’t found

Return type

str

info(msg)[source]

Logs a message at INFO level

open_key(path)[source]

Opens and returns a registry key

Parameters

path (str) – the full path to a registry key

Returns

the key if it was found, otherwise None

Return type

Registry.RegistryKey

run()[source]

Main entry point of the plugin

warning(msg)[source]

Logs a message at WARNING level

class regrippy.PluginResult(*, key=None, value=None)[source]

A class which holds a single result of a plugin execution

Variables

  • custom (dict) – a dict you can use to store custom data for your result

  • mtime (int) – the “last-modified” time. Automatically set if you pass the key parameter.

  • atime (int) – the “last-accessed” time.

  • ctime (int) – the “last-changed” time.

  • btime" (int) – the “created” time.

  • path (str) – complete path to the key. Automatically set if you pass the key parameter.

  • key_name (str) – last part of the key path. Automatically set if you pass the key parameter

  • value_type (str) – the value type

  • value_name (str) – the name of the Value

  • value_data – the actual value data. The variable type depends on the type of the value.

regrippy.mactime(md5='0', name='', inode=0, mode_as_string='', uid=0, gid=0, size=0, atime=- 1, mtime=- 1, ctime=- 1, btime=- 1)[source]

Formats and returns a Bodyfile-format line. All parameters are optional