volatility3.plugins.windows.registry package

Windows registry plugins.

NOTE: This file is important for core plugins to run (which certain components such as the windows registry layers) are dependent upon, please DO NOT alter or remove this file unless you know the consequences of doing so.

The framework is configured this way to allow plugin developers/users to override any plugin functionality whether existing or new.

When overriding the plugins directory, you must include a file like this in any subdirectories that may be necessary.

Submodules

• volatility3.plugins.windows.registry.amcache module
  • Amcache
    • Amcache.build_configuration()
    • Amcache.config
    • Amcache.config_path
    • Amcache.context
    • Amcache.generate_timeline()
    • Amcache.get_amcache_hive()
    • Amcache.get_requirements()
    • Amcache.make_subconfig()
    • Amcache.open
    • Amcache.parse_driver_binary_key()
    • Amcache.parse_file_key()
    • Amcache.parse_inventory_app_file_key()
    • Amcache.parse_inventory_app_key()
    • Amcache.parse_programs_key()
    • Amcache.run()
    • Amcache.set_open_method()
    • Amcache.unsatisfied()
    • Amcache.version
  • AmcacheEntryType
    • AmcacheEntryType.Driver
    • AmcacheEntryType.File
    • AmcacheEntryType.Program
    • AmcacheEntryType.as_integer_ratio()
    • AmcacheEntryType.bit_count()
    • AmcacheEntryType.bit_length()
    • AmcacheEntryType.conjugate()
    • AmcacheEntryType.denominator
    • AmcacheEntryType.from_bytes()
    • AmcacheEntryType.imag
    • AmcacheEntryType.numerator
    • AmcacheEntryType.real
    • AmcacheEntryType.to_bytes()
  • Win10DriverBinaryValName
    • Win10DriverBinaryValName.DriverCompany
    • Win10DriverBinaryValName.DriverId
    • Win10DriverBinaryValName.DriverName
    • Win10DriverBinaryValName.DriverTimeStamp
    • Win10DriverBinaryValName.Product
    • Win10DriverBinaryValName.Service
  • Win10InvAppFileValName
    • Win10InvAppFileValName.FileId
    • Win10InvAppFileValName.LinkDate
    • Win10InvAppFileValName.LowerCaseLongPath
    • Win10InvAppFileValName.ProductName
    • Win10InvAppFileValName.ProductVersion
    • Win10InvAppFileValName.ProgramID
    • Win10InvAppFileValName.Publisher
  • Win10InvAppValName
    • Win10InvAppValName.InstallDate
    • Win10InvAppValName.Name
    • Win10InvAppValName.Publisher
    • Win10InvAppValName.RootDirPath
    • Win10InvAppValName.Version
  • Win8FileValName
    • Win8FileValName.Company
    • Win8FileValName.CompileTime
    • Win8FileValName.CreateTime
    • Win8FileValName.LastModTime
    • Win8FileValName.LastModTime2
    • Win8FileValName.PEHeaderChecksum
    • Win8FileValName.Path
    • Win8FileValName.Product
    • Win8FileValName.ProgramID
    • Win8FileValName.SHA1Hash
    • Win8FileValName.Size
    • Win8FileValName.SizeOfImage
    • Win8FileValName.Version
  • Win8ProgramValName
    • Win8ProgramValName.InstallTime
    • Win8ProgramValName.MSIPackageCode
    • Win8ProgramValName.MSIProductCode
    • Win8ProgramValName.PackageCode
    • Win8ProgramValName.Product
    • Win8ProgramValName.ProductCode
    • Win8ProgramValName.Publisher
    • Win8ProgramValName.Version
• volatility3.plugins.windows.registry.cachedump module
  • Cachedump
    • Cachedump.build_configuration()
    • Cachedump.config
    • Cachedump.config_path
    • Cachedump.context
    • Cachedump.decrypt_hash()
    • Cachedump.get_nlkm()
    • Cachedump.get_requirements()
    • Cachedump.make_subconfig()
    • Cachedump.open
    • Cachedump.parse_cache_entry()
    • Cachedump.parse_decrypted_cache()
    • Cachedump.run()
    • Cachedump.set_open_method()
    • Cachedump.unsatisfied()
    • Cachedump.version
• volatility3.plugins.windows.registry.getcellroutine module
  • GetCellRoutine
    • GetCellRoutine.build_configuration()
    • GetCellRoutine.config
    • GetCellRoutine.config_path
    • GetCellRoutine.context
    • GetCellRoutine.get_requirements()
    • GetCellRoutine.make_subconfig()
    • GetCellRoutine.open
    • GetCellRoutine.run()
    • GetCellRoutine.set_open_method()
    • GetCellRoutine.unsatisfied()
    • GetCellRoutine.version
• volatility3.plugins.windows.registry.hashdump module
  • Hashdump
    • Hashdump.almpassword
    • Hashdump.antpassword
    • Hashdump.anum
    • Hashdump.aqwerty
    • Hashdump.bootkey_perm_table
    • Hashdump.build_configuration()
    • Hashdump.config
    • Hashdump.config_path
    • Hashdump.context
    • Hashdump.decrypt_single_hash()
    • Hashdump.decrypt_single_salted_hash()
    • Hashdump.empty_lm
    • Hashdump.empty_nt
    • Hashdump.get_bootkey()
    • Hashdump.get_hbootkey()
    • Hashdump.get_hive_key()
    • Hashdump.get_requirements()
    • Hashdump.get_user_hashes()
    • Hashdump.get_user_keys()
    • Hashdump.get_user_name()
    • Hashdump.lmkey
    • Hashdump.make_subconfig()
    • Hashdump.odd_parity
    • Hashdump.open
    • Hashdump.run()
    • Hashdump.set_open_method()
    • Hashdump.sid_to_key()
    • Hashdump.sidbytes_to_key()
    • Hashdump.unsatisfied()
    • Hashdump.version
• volatility3.plugins.windows.registry.hivelist module
  • HiveGenerator
    • HiveGenerator.invalid
  • HiveList
    • HiveList.build_configuration()
    • HiveList.config
    • HiveList.config_path
    • HiveList.context
    • HiveList.get_requirements()
    • HiveList.list_hive_objects()
    • HiveList.list_hives()
    • HiveList.make_subconfig()
    • HiveList.open
    • HiveList.run()
    • HiveList.set_open_method()
    • HiveList.unsatisfied()
    • HiveList.version
• volatility3.plugins.windows.registry.hivescan module
  • HiveScan
    • HiveScan.build_configuration()
    • HiveScan.config
    • HiveScan.config_path
    • HiveScan.context
    • HiveScan.get_requirements()
    • HiveScan.make_subconfig()
    • HiveScan.open
    • HiveScan.run()
    • HiveScan.scan_hives()
    • HiveScan.set_open_method()
    • HiveScan.unsatisfied()
    • HiveScan.version
• volatility3.plugins.windows.registry.lsadump module
  • Lsadump
    • Lsadump.build_configuration()
    • Lsadump.config
    • Lsadump.config_path
    • Lsadump.context
    • Lsadump.decrypt_aes()
    • Lsadump.decrypt_secret()
    • Lsadump.get_lsa_key()
    • Lsadump.get_requirements()
    • Lsadump.get_secret_by_name()
    • Lsadump.make_subconfig()
    • Lsadump.open
    • Lsadump.run()
    • Lsadump.set_open_method()
    • Lsadump.unsatisfied()
    • Lsadump.version
• volatility3.plugins.windows.registry.printkey module
  • PrintKey
    • PrintKey.build_configuration()
    • PrintKey.config
    • PrintKey.config_path
    • PrintKey.context
    • PrintKey.get_requirements()
    • PrintKey.key_iterator()
    • PrintKey.make_subconfig()
    • PrintKey.open
    • PrintKey.run()
    • PrintKey.set_open_method()
    • PrintKey.unsatisfied()
    • PrintKey.version
• volatility3.plugins.windows.registry.scheduled_tasks module
  • ActionSet
    • ActionSet.actions
    • ActionSet.context
    • ActionSet.decode()
  • ActionType
    • ActionType.ComHandler
    • ActionType.Email
    • ActionType.Exe
    • ActionType.MessageBox
  • DynamicInfo
    • DynamicInfo.creation_time
    • DynamicInfo.decode()
    • DynamicInfo.last_error_code
    • DynamicInfo.last_run_time
    • DynamicInfo.last_successful_run_time
  • JobBucket
    • JobBucket.crc32
    • JobBucket.display_name
    • JobBucket.flags
    • JobBucket.optional_settings
    • JobBucket.principal_id
    • JobBucket.user_info
  • Months
    • Months.April
    • Months.August
    • Months.December
    • Months.February
    • Months.January
    • Months.July
    • Months.June
    • Months.March
    • Months.May
    • Months.November
    • Months.October
    • Months.September
  • OptionalSettings
    • OptionalSettings.Deadline
    • OptionalSettings.DeleteExpiredTaskAfter
    • OptionalSettings.Exclusive
    • OptionalSettings.ExecutionTimeLimitSeconds
    • OptionalSettings.IdleDurationSeconds
    • OptionalSettings.NetworkId
    • OptionalSettings.Periodicity
    • OptionalSettings.Priority
    • OptionalSettings.Privileges
    • OptionalSettings.RestartOnFailureDelay
    • OptionalSettings.RestartOnFailureRetries
    • OptionalSettings.idleWaitTimeoutSeconds
  • Privileges
    • Privileges.SeAssignPrimaryTokenPrivilege
    • Privileges.SeAuditPrivilege
    • Privileges.SeBackupPrivilege
    • Privileges.SeChangeNotifyPrivilege
    • Privileges.SeCreateGlobalPrivilege
    • Privileges.SeCreatePagefilePrivilege
    • Privileges.SeCreatePermanentPrivilege
    • Privileges.SeCreateSymbolicLinkPrivilege
    • Privileges.SeCreateTokenPrivilege
    • Privileges.SeDebugPrivilege
    • Privileges.SeDelegateSessionUserImpersonatePrivilege
    • Privileges.SeEnableDelegationPrivilege
    • Privileges.SeImpersonatePrivilege
    • Privileges.SeIncreaseBasePriorityPrivilege
    • Privileges.SeIncreaseQuotaPrivilege
    • Privileges.SeIncreaseWorkingSetPrivilege
    • Privileges.SeLoadDriverPrivilege
    • Privileges.SeLockMemoryPrivilege
    • Privileges.SeMachineAccountPrivilege
    • Privileges.SeManageVolumePrivilege
    • Privileges.SeProfileSingleProcessPrivilege
    • Privileges.SeRelabelPrivilege
    • Privileges.SeRemoteShutdownPrivilege
    • Privileges.SeRestorePrivilege
    • Privileges.SeSecurityPrivilege
    • Privileges.SeShutdownPrivilege
    • Privileges.SeSyncAgentPrivilege
    • Privileges.SeSystemEnvironmentPrivilege
    • Privileges.SeSystemProfilePrivilege
    • Privileges.SeSystemtimePrivilege
    • Privileges.SeTakeOwnershipPrivilege
    • Privileges.SeTcbPrivilege
    • Privileges.SeTimeZonePrivilege
    • Privileges.SeTrustedCredManAccessPrivilege
    • Privileges.SeUndockPrivilege
  • ScheduledTasks
    • ScheduledTasks.build_configuration()
    • ScheduledTasks.config
    • ScheduledTasks.config_path
    • ScheduledTasks.context
    • ScheduledTasks.generate_timeline()
    • ScheduledTasks.get_requirements()
    • ScheduledTasks.get_software_hive()
    • ScheduledTasks.make_subconfig()
    • ScheduledTasks.open
    • ScheduledTasks.parse_actions_value()
    • ScheduledTasks.parse_dynamic_info_value()
    • ScheduledTasks.parse_triggers_value()
    • ScheduledTasks.run()
    • ScheduledTasks.set_open_method()
    • ScheduledTasks.unsatisfied()
    • ScheduledTasks.version
  • SessionState
    • SessionState.ConsoleConnect
    • SessionState.ConsoleDisconnect
    • SessionState.RemoteConnect
    • SessionState.RemoteDisconnect
    • SessionState.SessionLock
    • SessionState.SessionUnlock
    • SessionState.Unknown
  • SidType
    • SidType.Alias
    • SidType.Computer
    • SidType.DeletedAccount
    • SidType.Domain
    • SidType.Group
    • SidType.Invalid
    • SidType.Label
    • SidType.LogonSession
    • SidType.Unknown
    • SidType.User
    • SidType.WellKnownGroup
  • TaskAction
    • TaskAction.action
    • TaskAction.action_args
    • TaskAction.action_type
    • TaskAction.decode_messagebox_action()
    • TaskAction.working_directory
  • TaskSchedulerTimePeriod
    • TaskSchedulerTimePeriod.days
    • TaskSchedulerTimePeriod.hours
    • TaskSchedulerTimePeriod.minutes
    • TaskSchedulerTimePeriod.months
    • TaskSchedulerTimePeriod.seconds
    • TaskSchedulerTimePeriod.weeks
    • TaskSchedulerTimePeriod.years
  • TaskTrigger
    • TaskTrigger.description
    • TaskTrigger.enabled
    • TaskTrigger.end_boundary
    • TaskTrigger.repetition_interval_seconds
    • TaskTrigger.start_boundary
    • TaskTrigger.trigger_type
  • TimeMode
    • TimeMode.Daily
    • TimeMode.DaysInMonths
    • TimeMode.DaysInWeeksInMonths
    • TimeMode.Once
    • TimeMode.Unknown
    • TimeMode.Weekly
  • TriggerSet
    • TriggerSet.decode()
    • TriggerSet.job_bucket
    • TriggerSet.triggers
  • TriggerType
    • TriggerType.Boot
    • TriggerType.Event
    • TriggerType.Idle
    • TriggerType.Logon
    • TriggerType.Registration
    • TriggerType.Session
    • TriggerType.Time
    • TriggerType.WindowsNotificationFacility
  • UserInfo
    • UserInfo.sid
    • UserInfo.sid_type
    • UserInfo.username
  • Weekday
    • Weekday.Friday
    • Weekday.Monday
    • Weekday.Saturday
    • Weekday.Sunday
    • Weekday.Thursday
    • Weekday.Tuesday
    • Weekday.Wednesday
  • decode_sid()
• volatility3.plugins.windows.registry.userassist module
  • UserAssist
    • UserAssist.build_configuration()
    • UserAssist.config
    • UserAssist.config_path
    • UserAssist.context
    • UserAssist.generate_timeline()
    • UserAssist.get_requirements()
    • UserAssist.list_userassist()
    • UserAssist.make_subconfig()
    • UserAssist.open
    • UserAssist.parse_userassist_data()
    • UserAssist.run()
    • UserAssist.set_open_method()
    • UserAssist.unsatisfied()
    • UserAssist.version