scapy.layers.windows.registry

Windows Registry RPCs

This file provides high-level wrapping over Windows Registry related RPCs. (scapy.layers.msrpce.raw.ms_rrp)

class scapy.layers.windows.registry.RRP_Client(auth_level=RPC_C_AUTHN_LEVEL.PKT_INTEGRITY, verb=True, **kwargs)[source]

Bases: DCERPC_Client

High level [MS-RRP] (Windows Registry) Client

bind()[source]: This calls DCERPC_Client’s bind

close_key(key_handle: NDRContextHandle, timeout: int = 5) → None[source]

Close a given registry key handle.

Parameters:

client – The DCERPC client.
hKey – The handle to the registry key (root key or subkey).
timeout – The timeout for the request.

connect(host, **kwargs)[source]: This calls DCERPC_Client’s connect

create_subkey(root_key_handle: NDRContextHandle, subkey_path: str, desired_access_rights: int = 33554432, options: RegOptions = <RegOptions.REG_OPTION_NON_VOLATILE: 0>, security_attributes: PRPC_SECURITY_ATTRIBUTES = None, timeout: int = 5) → NDRContextHandle[source]

Create a given subkey under a registry key.

Parameters:

client – The DCERPC client.
root_key_handle – The handle to the root key.
subkey_path – The name of the subkey to create.
desired_access_rights – The desired access rights for the subkey.
options – The options for the subkey.
security_attributes – Security attributes for the created key.
timeout – The timeout for the request.

Returns:

The handle to the created subkey.

delete_subkey(root_key_handle: NDRContextHandle, subkey_path: str, timeout: int = 5) → None[source]

Delete a given subkey from a registry key.

Parameters:

client – The DCERPC client.
hKey – The handle to the root key.
subkey_path – The name of the subkey to remove.
timeout – The timeout for the request.

delete_value(key_handle: NDRContextHandle, value_name: str, timeout: int = 5) → None[source]

Delete a given value from a registry key.

Parameters:

client – The DCERPC client.
hKey – The handle to the subkey to remove.
value_name – The name of the value to delete.
timeout – The timeout for the request.

enum_subkeys(key_handle: NDRContextHandle, timeout: int = 5) → List[str][source]

Enumerate subkeys of a given registry key.

Parameters:

hKey – The handle to the registry key (root key or subkey).
timeout – The timeout for the request.

Returns:

A generator yielding the responses for each enumerated subkey.

enum_values(key_handle: NDRContextHandle, timeout: int = 5) → List[RegEntry][source]

Enumerate values of a given registry key.

Parameters:

hKey – The handle to the registry key (root key or subkey).
timeout – The timeout for the request.

Returns:

A generator yielding the responses for each enumerated value.

get_key_info(key_handle: NDRContextHandle, timeout: int = 5) → BaseRegQueryInfoKey_Response[source]

Get information about a given registry key.

Parameters:

hKey – The handle to the registry key (root key or subkey).
timeout – The timeout for the request.

Returns:

The response packet containing the key information.

get_key_security(key_handle: NDRContextHandle, security_information: int = None, timeout: int = 5) → SECURITY_DESCRIPTOR[source]

Get the security descriptor of a given registry key.

Parameters:

hKey – The handle to the registry key (root key or subkey).
security_information – The security information to retrieve.
timeout – The timeout for the request.

Returns:

The response packet containing the security descriptor.

get_root_key_handle(root_key_name: RootKeys, sam_desired: int = 33554432, timeout: int = 5) → NDRContextHandle | None[source]

Get a handle to a root key.

Parameters:

root_key_name – The name of the root key to open. Must be one of the RootKeys enum values.
sam_desired – The desired access rights for the key.
ServerName – The server name. The ServerName SHOULD be sent as NULL, and MUST be ignored when it is received because binding to the server is already complete at this stage

Returns:

The handle to the opened root key.

get_subkey_handle(root_key_handle: NDRContextHandle, subkey_path: str, desired_access_rights: int = 33554432, options: RegOptions = <RegOptions.REG_OPTION_NON_VOLATILE: 0>, timeout: int = 5) → NDRContextHandle[source]

Get a handle to a subkey.

Parameters:

root_key_handle – The handle to the root key.
subkey_path – The name of the subkey to open.
desired_access_rights – The desired access rights for the subkey.
timeout – The timeout for the request.

Returns:

The handle to the opened subkey.

get_value(key_handle: NDRContextHandle, value_name: str, timeout: int = 5) → RegEntry[source]

Get the value of a given registry key.

Parameters:

hKey – The handle to the registry key (root key or subkey).
value_name – The name of the value to retrieve.
timeout – The timeout for the request.

Returns:

The response packet containing the value data.

get_version(key_handle: NDRContextHandle, timeout: int = 5) → Packet[source]

Get the version of the registry server.

Parameters:

client – The DCERPC client.
timeout – The timeout for the request.

Returns:

The response packet containing the version information.

save_subkey(key_handle: NDRContextHandle, file_path: str, security_attributes: PRPC_SECURITY_ATTRIBUTES = None, timeout: int = 5) → None[source]

Save a given registry key to a file.

Parameters:

hKey – The handle to the registry key (root key or subkey).
file_path – The path to the file where the key will be saved. Default path is %WINDIR%System32, which is readable by all users.
security_attributes – Security attributes for the saved key.
timeout – The timeout for the request.

set_value(key_handle: NDRContextHandle, entry: RegEntry, timeout: int = 5) → None[source]

Set a given value for a registry key.

Parameters:

hKey – The handle to the registry key (root key or subkey).
entry – The ‘RegEntry’ entry to set, containing the name, type and data of the value.
timeout – The timeout for the request.

class scapy.layers.windows.registry.RegEntry(reg_name: str, reg_type: int, reg_data: list | str | bytes | int)[source]

Bases: object

RegEntry represents a Registry Value, inside a Registry Key.

Parameters:

reg_name – the name of the registry value
reg_type – the type of the registry value
reg_data – the data of the registry value

encode() → bytes[source]: Encode data based on the type.

static frombytes(reg_name: str, reg_type: RegType, data: bytes)[source]: Create a RegEntry from bytes read on the network.

static fromstr(reg_name: str, reg_type: RegType, data: str)[source]: Create a RegEntry from user input.

class scapy.layers.windows.registry.RegOptions(*values)[source]

Bases: IntFlag

Registry options for registry keys

REG_OPTION_BACKUP_RESTORE = 4

REG_OPTION_CREATE_LINK = 2

REG_OPTION_DONT_VIRTUALIZE = 16

REG_OPTION_NON_VOLATILE = 0

REG_OPTION_OPEN_LINK = 8

REG_OPTION_VOLATILE = 1

class scapy.layers.windows.registry.RegType(*values)[source]

Bases: IntEnum

Registry value types

REG_BINARY = 3

REG_DWORD = 4

REG_DWORD_BIG_ENDIAN = 5

REG_EXPAND_SZ = 2

REG_LINK = 6

REG_MULTI_SZ = 7

REG_NONE = 0

REG_QWORD = 11

REG_SZ = 1

UNK = 99999

classmethod fromstr(value: str | int) → RegType[source]

Convert a string to a RegType enum member.

Parameters:: value – The string representation of the registry type.
Returns:: The corresponding RegType enum member.

class scapy.layers.windows.registry.RootKeys(*values)[source]

Bases: StrEnum

Standard root keys for the Windows registry

HKEY_CLASSES_ROOT = 'HKCR'

HKEY_CURRENT_CONFIG = 'HKCC'

HKEY_CURRENT_USER = 'HKCU'

HKEY_LOCAL_MACHINE = 'HKLM'

HKEY_PERFORMANCE_DATA = 'HKPD'

HKEY_PERFORMANCE_NLSTEXT = 'HKPN'

HKEY_PERFORMANCE_TEXT = 'HKPT'

HKEY_USERS = 'HKU'