Registry value (metadata) More...
Public Member Functions | |
| def | fetch_data (self) |
| Retrieves the Value's data according to advertised type. More... | |
| def | fetch_raw_data (self) |
| Retrieves raw representation of Value's data. More... | |
 Public Member Functions inherited from pyregfi._StructureWrapper | |
| def | __eq__ (self, other) |
| Test for equality. More... | |
Static Public Attributes | |
| tuple | name_raw = (b"...") |
| The raw Value name as an uninterpreted bytearray. | |
| string | name = "..." |
| The name of the Value as a (unicode) string. | |
| string | name_encoding = "ascii" |
| The string encoding used to store the Value's name ("ascii" or "utf-16-le") | |
| int | offset = 0xCAFEBABE |
| The absolute file offset of the Value record's cell in the Hive file. | |
| int | data_size = 0xCAFEBABE |
| The length of data advertised in the VK record. | |
| type = DATA_TYPES.NONE | |
| An integer which represents the data type for this Value's data Typically this value is one of 12 types defined in DATA_TYPES, but in some cases (the SAM hive) it may be used for other purposes. | |
| int | flags = 0x10110001 |
| The VK record's flags field. | |
Detailed Description
Registry value (metadata)
These represent registry values (REGFI_VK records) and provide access to their associated data.
- Note
- Value instances may provide access to more attributes than are documented here. However, undocumented attributes may change over time and are not officially supported. If you need access to an attribute not shown here, see pyregfi.structures.
Member Function Documentation
◆ fetch_data()
| def pyregfi.Value.fetch_data | ( | self | ) |
Retrieves the Value's data according to advertised type.
Data is loaded from its cell(s) and then interpreted based on the data type recorded in the Value. It is not uncommon for data to be stored with the wrong type or even with invalid types. If you have difficulty obtaining desired data here, use fetch_raw_data().
- Returns
- The interpreted representation of the data as one of several possible Python types, as listed below. None if any failure occurred during extraction or conversion.
- Return values
-
string for SZ, EXPAND_SZ, and LINK int for DWORD, DWORD_BE, and QWORD list(string) for MULTI_SZ bytearray for NONE, BINARY, RESOURCE_LIST, FULL_RESOURCE_DESCRIPTOR, and RESOURCE_REQUIREMENTS_LIST
References pyregfi._StructureWrapper._base, pyregfi._StructureWrapper._hive, pyregfi._GenericList._hive, and pyregfi.HiveIterator._hive.
◆ fetch_raw_data()
| def pyregfi.Value.fetch_raw_data | ( | self | ) |
Retrieves raw representation of Value's data.
- Returns
- A bytearray containing the data
References pyregfi._StructureWrapper._base, pyregfi._StructureWrapper._hive, pyregfi._GenericList._hive, pyregfi.HiveIterator._hive, pyregfi.Key.name_encoding, pyregfi.Value.name_encoding, REGFI_VK.name_raw, REGFI_NK.name_raw, pyregfi.Key.name_raw, and pyregfi.Value.name_raw.
The documentation for this class was generated from the following file:
- __init__.py
