williballenthin / python-registry

Pure Python parser for Windows Registry hives.
Apache License 2.0

Can't read "Current Version\\Run". #69

Closed MariasStory closed 8 years ago

MariasStory commented 8 years ago

Hi, I am somewhat confused. I downloaded the NTUSER.DAT file and put it in hives sub-directory. Now I am trying to do:

f = open("hives/NTUSER.DAT", "rb")
reg = Registry.Registry(f)
key = reg.open("SOFTWARE\Microsoft\Windows\Current Version\Run")

This gives me:

Traceback (most recent call last):
  File "C:\Users\c5211757\Documents\Programming\pythonRegistry\getRegValue1.py", line 10, in <module>
    key = reg.open("SOFTWARE\Microsoft\Windows\Current Version\Run")
  File "C:\Users\c5211757\Documents\Programming\pythonRegistry\Registry\Registry.py", line 290, in open
    return RegistryKey(self._regf.first_key()).find_key(path)
  File "C:\Users\c5211757\Documents\Programming\pythonRegistry\Registry\Registry.py", line 254, in find_key
    return self.subkey(immediate).find_key(future)
  File "C:\Users\c5211757\Documents\Programming\pythonRegistry\Registry\Registry.py", line 217, in subkey
    for k in self._nkrecord.subkey_list().keys():
  File "C:\Users\c5211757\Documents\Programming\pythonRegistry\Registry\RegistryParse.py", line 900, in keys
    yield NKRecord(self._buf, d.data_offset(), self)
  File "C:\Users\c5211757\Documents\Programming\pythonRegistry\Registry\RegistryParse.py", line 999, in __init__
    raise ParseException("Invalid NK Record ID")
Registry.RegistryParse.ParseException: Registry Parse Exception(Invalid NK Record ID)

What am I doing wrong?

williballenthin commented 8 years ago

> I downloaded the NTUSER.DAT

from where did you download this hive file?

the exception seems to suggest that the hive is corrupt. if the hive is public, then i can try to reproduce the issue.

MariasStory commented 8 years ago

Hi @williballenthin. I got it working. The problem was in a broken NTUSER.DAT as you suggested. Thanks.

Although I have to admit that the path to the key is different in my script to work: "Software\Microsoft\Windows\CurrentVersion\Run"

What about spaces?

williballenthin commented 8 years ago

this library doesn't do any special processing of spaces. it uses the \ character to split the registry path components, but that's about it. so if there's a subkey with an embedded space, you should be able to include it in your path without any issue.

feel free to open another issue if you're having any more trouble, and i'll be happy to help.
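
An added example, not part of the thread or of python-registry: a standard-library pre-flight check for the corrupt-hive case discussed above, validating the `regf` base block and the root `nk` cell before the file is handed to a parser. The function names are hypothetical, the offsets follow the publicly documented regf layout, and the sample hive is constructed.

```python
import struct

BASE_BLOCK = 0x1000  # hive bins start right after the 4096-byte base block

def regf_checksum(header):
    """XOR-32 over the first 508 bytes of the base block."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:0x1FC]):
        csum ^= dword
    if csum == 0xFFFFFFFF:      # 0xFFFFFFFF and 0 are never stored
        return 0xFFFFFFFE
    return csum or 1

def check_hive(buf):
    """Return a list of problems; an empty list means the basics look sane."""
    if len(buf) < BASE_BLOCK + 4 or buf[:4] != b"regf":
        return ["not a registry hive (no 'regf' signature or truncated)"]
    problems = []
    seq1, seq2 = struct.unpack_from("<II", buf, 0x04)
    if seq1 != seq2:
        problems.append("sequence numbers differ (dirty hive)")
    if struct.unpack_from("<I", buf, 0x1FC)[0] != regf_checksum(buf):
        problems.append("base block checksum mismatch")
    if buf[BASE_BLOCK:BASE_BLOCK + 4] != b"hbin":
        problems.append("first hive bin lacks 'hbin' signature")
    cell = BASE_BLOCK + struct.unpack_from("<I", buf, 0x24)[0]  # root cell
    if cell + 6 > len(buf):
        problems.append("root cell offset points past end of file")
    else:
        if struct.unpack_from("<i", buf, cell)[0] >= 0:  # negative = allocated
            problems.append("root cell is marked unallocated")
        if buf[cell + 4:cell + 6] != b"nk":
            problems.append("root cell is not an 'nk' record")
    return problems

def make_sample_hive():
    """Constructed minimal hive: base block, one bin, a root 'nk' cell."""
    buf = bytearray(BASE_BLOCK * 2)
    buf[0:4] = b"regf"
    struct.pack_into("<II", buf, 0x04, 7, 7)               # sequence numbers
    struct.pack_into("<I", buf, 0x24, 0x20)                # root cell offset
    buf[BASE_BLOCK:BASE_BLOCK + 4] = b"hbin"
    struct.pack_into("<i", buf, BASE_BLOCK + 0x20, -0x60)  # allocated cell
    buf[BASE_BLOCK + 0x24:BASE_BLOCK + 0x26] = b"nk"
    struct.pack_into("<I", buf, 0x1FC, regf_checksum(buf))
    return bytes(buf)

if __name__ == "__main__":
    print(check_hive(make_sample_hive()), check_hive(b"regf" + bytes(8188)))
```

A clean result covers only the header and the root key; a damaged subkey cell deeper in the tree, as in the traceback above, can still raise `ParseException` during traversal.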