williballenthin / python-registry

Pure Python parser for Windows Registry hives.
Apache License 2.0

Support Wine registry #106

Closed KOLANICH closed 1 year ago

KOLANICH commented 1 year ago

It turns out the Wine registry format differs somehow from the Windows one.

williballenthin commented 1 year ago

interesting, can you provide an example?

KOLANICH commented 1 year ago

For now no sample files (I guess I should generate them, not just dump the files from my system), but https://source.winehq.org/source/dlls/kernelbase/registry.c and https://source.winehq.org/source/include/winreg.h should be useful.

williballenthin commented 1 year ago

I think the loading of the registry files is done here: https://source.winehq.org/source/server/registry.c#1717

notably, it appears the format is a simple textual one, almost like what is used by *.reg files and not like a typical registry hive. i can see that there might be some interest in being able to programmatically query this data, and the interface to do so might be like python-registry, but i'm not sure if this is the right place.

given that this is a textual format and not much like a transactional database, i don't think there's likely to be any slack space or other interesting metadata to inspect. i think it might already be human readable, but i'm only guessing based on the source code.

williballenthin commented 1 year ago

here's an example of a wine registry file: https://www.virustotal.com/gui/file/6693cae85214a0f40b7f6f850e916cefc49978a073f814d43576c01aab9860c9

(found using signature "WINE REGISTRY Version 2")

WINE REGISTRY Version 2
;; All keys relative to \\User\\S-1-5-21-0-0-0-1000

#arch=win32

[AppEvents\\Schemes\\Apps\\Explorer\\Navigating\\.Current] 1292887532
@=""

[Control Panel\\Accessibility\\Blind Access] 1409858653
"On"="0"

[Control Panel\\Accessibility\\Keyboard Preference] 1409858653
"On"="1"

[Control Panel\\Accessibility\\ShowSounds] 1409858653
"On"="0"

[Control Panel\\Colors] 1292887535
"background"="0 0 0"

[Control Panel\\Desktop] 1409858653
"ActiveWndTrackTimeout"=dword:00000000
"BlockSendInputResets"="0"
"CaretWidth"=dword:00000001
"ClickLockTime"=dword:000004b0
"DoubleClickHeight"="4"
"DoubleClickWidth"="4"
"DragFullWindows"="0"
"DragHeight"="4"
"DragWidth"="4"
"FocusBorderHeight"=dword:00000001
"FocusBorderWidth"=dword:00000001
"FontSmoothing"="1"
"FontSmoothingGamma"=dword:00000000
"FontSmoothingOrientation"=dword:00000001
"FontSmoothingType"=dword:00000001
...

williballenthin commented 1 year ago

the number next to the key path is the modification timestamp:

 path                                                      timestamp
[AppEvents\\Schemes\\Apps\\Explorer\\Navigating\\.Current] 1292887532

https://source.winehq.org/source/server/registry.c#1468
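A minimal parser for the textual layout quoted above, added here as an illustration (it is not code from python-registry or from Wine). It treats the doubled backslash in key paths as the escaped separator, decodes quoted strings and dword values, and assumes the number after each key path is Unix epoch seconds for the modification time; the sample text is constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout quoted above (not a real Wine hive); the raw string keeps the '\\' escapes
SAMPLE = r"""WINE REGISTRY Version 2
;; All keys relative to \\User\\S-1-5-21-0-0-0-1000
#arch=win32

[AppEvents\\Schemes\\Apps\\Explorer\\Navigating\\.Current] 1292887532
@=""

[Control Panel\\Desktop] 1409858653
"ClickLockTime"=dword:000004b0
"DragWidth"="4"
"Path"="C:\\users\\x"
"""

KEY_RE = re.compile(r'^\[(?P<path>.*)\] (?P<ts>\d+)$')                      # [path] modification time
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')  # "name"=data or @=data

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)   # undo .reg-style escapes: \\ -> \ and \" -> "

def decode_data(data):
    if data.startswith("dword:"):
        return int(data[6:], 16)                     # dword:000004b0 -> 1200
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return unescape(data[1:-1])                  # quoted string
    return data                                      # hex:, str(2): etc. left undecoded

def parse_wine_registry(text):
    """Return a list of {'path': tuple, 'modified': datetime, 'values': dict} in file order."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("WINE REGISTRY Version "):
        raise ValueError("missing 'WINE REGISTRY Version' header")
    keys, current = [], None
    for lineno, line in enumerate(lines[1:], start=2):
        if not line.strip() or line[0] in ";#":      # blank, ';;' comment, '#arch=' option
            continue
        if m := KEY_RE.match(line):
            # assumption: the trailing number is Unix epoch seconds (key modification time), read as UTC
            when = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
            current = {"path": tuple(m["path"].split("\\\\")), "modified": when, "values": {}}
            keys.append(current)                     # escaped '\\' is the path separator
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = "" if m["name"] is None else unescape(m["name"])  # '@' is the default value
            current["values"][name] = decode_data(m["data"])
        else:
            raise ValueError(f"line {lineno}: unexpected syntax: {line!r}")
    return keys
```

Value types other than quoted strings and dword (for example hex: blobs) are returned as their raw text so nothing is silently dropped.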

KOLANICH commented 1 year ago

Thanks for your research. I was surprised to know that the format is a textual one and vastly different from the one used on Windows for the files with the same names. I also think that since that format is not a variant of the Windows format (I had been assuming it given the exceptions I got from this and another lib for parsing hives) it may be out of scope of this project to parse that text format.

So it makes more sense to embed it into some .reg parser libs. Unfortunately I have found no Python package for that, but it seems there is some related code: