Python For 4N6
Let’s learn how to use Python to access information from the Registry.
Windows Registry
The Registry is a core component of the Windows operating system (OS) and holds abundant information of potential evidentiary value. It is a hierarchical database present in every Windows OS since Windows 95, and it stores information about the system configuration, its users, attached devices, and installed applications.
In this tutorial we will learn how to list all the users present on a machine using the Registry alone.
from winreg import *
To interact with the Registry we need to use the “winreg” library from the Python standard library.
Let’s open the Registry Editor to see how many SIDs are present on the system.
How to Open Registry Editor:
In the search box on the taskbar, type regedit, then select Registry Editor (Desktop app) from the results.
Now navigate to the following path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Here we can see the SID of every user profile on the machine.
reg_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"  # raw string so the backslashes are kept literally
k = OpenKey(HKEY_LOCAL_MACHINE, reg_path)
To access a subkey located within a hive we use the OpenKey function, which returns a handle to that key.
n = QueryInfoKey(k)[0]  # QueryInfoKey returns (subkeys, values, last_modified); index 0 is the subkey count
QueryInfoKey takes the key handle from the previous step and returns a tuple of (number of subkeys, number of values, last modified time). Since ProfileList stores one subkey per profile, we take the first element to know how many subkeys to iterate over.
As we saw in the previous screenshot, ProfileList contains several subkeys. Now let’s iterate through each subkey to get its values.
for i in range(n):
    sub_key = EnumKey(k, i)  # name of the i-th subkey, i.e. one SID
The EnumKey function enumerates the subkeys of an open registry key, returning the name of the subkey at the given index.
Now we open each subkey in turn to read its values.
    new_reg_path = reg_path + '\\' + sub_key
    k1 = OpenKey(HKEY_LOCAL_MACHINE, new_reg_path)
    n1 = QueryInfoKey(k1)[1]  # index 1 is the number of values stored in this subkey
Now let’s use the EnumValue function to retrieve the values.
    for i1 in range(n1):
        v = EnumValue(k1, i1)  # (value_name, data, type) of the i1-th value, e.g. ProfileImagePath
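A complete version of the procedure above, added here as an example rather than the post’s own script: it walks ProfileList with winreg on a live Windows host, reads each subkey’s ProfileImagePath to get the username, and labels each SID by its well-known form or RID. The classify_sid and profile_user helpers and the SAMPLE entries are assumptions for this example; on a non-Windows machine the script falls back to the constructed SAMPLE data so it can still run.

```python
import ntpath, sys

PROFILE_LIST = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
WELL_KNOWN = {"S-1-5-18": "LocalSystem", "S-1-5-19": "LocalService",
              "S-1-5-20": "NetworkService"}   # service accounts that own profiles

def classify_sid(sid):
    """Describe the account behind a profile SID from its well-known form or RID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[-1])            # last sub-authority is the relative ID
        if rid == 500:
            return "built-in Administrator"
        if rid == 501:
            return "built-in Guest"
        return "regular user" if rid >= 1000 else "other built-in account"
    return "unknown"

def profile_user(image_path):
    """The username is the last component of ProfileImagePath (REG_EXPAND_SZ)."""
    return ntpath.basename(image_path.rstrip("\\"))

def read_profile_list():
    """Walk ProfileList on a live Windows host; yields (sid, ProfileImagePath)."""
    import winreg                       # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PROFILE_LIST) as k:
        for i in range(winreg.QueryInfoKey(k)[0]):   # index 0 = subkey count
            sid = winreg.EnumKey(k, i)
            with winreg.OpenKey(k, sid) as sub:
                path, _ = winreg.QueryValueEx(sub, "ProfileImagePath")
                yield sid, path

def list_profiles(entries):
    """Turn (sid, ProfileImagePath) pairs into report rows."""
    return [{"sid": s, "user": profile_user(p), "kind": classify_sid(s)}
            for s, p in entries]

# Constructed ProfileList contents (not from a real host) so the script runs offline.
SAMPLE = [
    ("S-1-5-18", r"%systemroot%\system32\config\systemprofile"),
    ("S-1-5-21-1111111111-2222222222-3333333333-500", r"C:\Users\Administrator"),
    ("S-1-5-21-1111111111-2222222222-3333333333-1001", r"C:\Users\alice"),
]

if __name__ == "__main__":
    rows = list_profiles(read_profile_list() if sys.platform == "win32" else SAMPLE)
    for r in rows:
        print(f"{r['sid']:<48} {r['user']:<16} {r['kind']}")
```

Reading ProfileImagePath directly is more reliable than guessing from the SID alone, since a profile folder can be renamed or relocated while the SID stays the same.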
So now let’s see the final script, which retrieves every SID and username from the Registry.
Output:
The code can be accessed via the following link:
Reference: