regfi
|
The regfi library is a read-only NT registry library which serves as the main engine behind the reglookup tool. It is designed with digital forensic analysis in mind, but it should also be useful in other tools which need to efficiently traverse and query registry data structures.
The library is broken down into four main parts, the Base Layer, which any code dependent on the library will likely need to rely on, as well as three main functional layers:
Most users will find that a combination of the Base Layer and the Iterator Layer will be sufficient for accessing registry hive files. Those who are willing to dive deep into registry data structures, for instance to recover deleted data structures or to research Windows registry behavior in detail, will find the Parse Layer to be quite useful.