Is there a pure Python library for parsing a Windows Registry file?

Question

Is there a pure Python (ie. fully cross-platform) library for parsing Windows Registry files (NTUSER.DAT)? Read-only access is acceptable.

If there is not, what resources exist that document the reverse-engineered structure of the Registry files?

Thanks!

Update Since it seemed that a pure Python solution did not exist at the time this question was asked, I went ahead and wrote one. python-registry exposes a Pythonic, read-only interface to Windows Registry files.

Answer 1

winreg is obviously Windows only, and does not read registry hive files (NTUSER.DAT, etc.), but rather accesses the registry directly.

What you're looking for is a library for parsing hive files, and it seems like this one might work:

http://rwmj.wordpress.com/2010/11/28/use-hivex-from-python-to-read-and-write-windows-registry-hive-files/

The example code seems promising:

# Use hivex to pull out a registry key.
h = hivex.Hivex ("/tmp/ntuser.dat")

key = h.root ()
key = h.node_get_child (key, "Software")
key = h.node_get_child (key, "Microsoft")
key = h.node_get_child (key, "Internet Explorer")
key = h.node_get_child (key, "Main")

val = h.node_get_value (key, "Start Page")
start_page = h.value_value (val)
#print start_page

# The registry key is encoded as UTF-16LE, so reencode it.
start_page = start_page[1].decode ('utf-16le').encode ('utf-8')

print "User %s's IE home page is %s" % (username, start_page)

The downside is that it's still not pure python, but rather a python wrapper for another cross-platform library.

Edit:

If you must have pure python code with no binary dependencies, you can take a look at this project: http://code.google.com/p/creddump/

It seems to be pure python, and able to read registry hives in a cross platform manner, but a special-purpose tool and not a library - the code there will probably need some adaptation.