Manipulate Microsoft registry hive files from Python

I’ve written a small utility in Python that has the capability to manipulate the binary data files that hold the Microsoft Windows registry. These files are called hives.

The utility can read and dump all the keys found in a hive file. This is useful for examining the exact contents of the registry: rootkits sometimes hide themselves by altering the behaviour of the Windows Registry API functions, and by reading the hive files directly one can detect those discrepancies. The utility can also fix small errors in the hive files that cause problems such as the common boot error message “Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM”. It does this by deleting erroneous entries from the registry. Deleting those entries commonly enables the system to boot and operate correctly, although this is not guaranteed.
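As an added example (not the author's utility, whose source the post does not show), here is a minimal regf reader in Python that does the two things described above: it verifies the base-block checksum before trusting anything, then follows the root cell through lf/lh/li/ri subkey lists and returns every key path. The hive it parses is constructed in memory with made-up key names; the layout constants (4 KiB base block, hbin at 0x1000, nk and subkey-list field offsets) follow the standard regf format.

```python
import struct
from functools import reduce
HBIN_BASE = 0x1000  # cell offsets are relative to the first hbin, which follows the 4 KiB base block

def header_checksum(hive):  # XOR of the first 127 dwords of the base block; the stored value sits at offset 508
    return reduce(lambda a, b: a ^ b, (dw for (dw,) in struct.iter_unpack("<I", hive[:508])), 0)
def check_base_block(hive):  # True when the regf signature and the header checksum are intact
    return hive[:4] == b"regf" and struct.unpack_from("<I", hive, 508)[0] == header_checksum(hive)
def cell(hive, off):  # payload of the cell at hbin-relative offset off; allocated cells have a negative size
    size = struct.unpack_from("<i", hive, HBIN_BASE + off)[0]
    if size >= 0:
        raise ValueError(f"cell at 0x{off:x} is not allocated")
    return hive[HBIN_BASE + off + 4:HBIN_BASE + off - size]
def subkey_offsets(hive, off):  # expand an lf/lh (offset+hash), li (offset) or ri (list of lists) record
    data = cell(hive, off)
    sig, count = struct.unpack_from("<2sH", data)
    if sig not in (b"lf", b"lh", b"li", b"ri"):
        raise ValueError(f"unknown subkey list {sig!r} at 0x{off:x}")
    step = 8 if sig in (b"lf", b"lh") else 4
    offs = [struct.unpack_from("<I", data, 4 + step * i)[0] for i in range(count)]
    return sum((subkey_offsets(hive, o) for o in offs), []) if sig == b"ri" else offs
def walk_keys(hive, off=None, path=""):  # every key path reachable from the root nk record
    if off is None:
        if not check_base_block(hive):
            raise ValueError("damaged base block: bad regf signature or checksum")
        off = struct.unpack_from("<I", hive, 36)[0]  # root cell offset lives at header offset 36
    nk = cell(hive, off)
    if nk[:2] != b"nk":
        raise ValueError(f"expected nk record at 0x{off:x}, found {nk[:2]!r}")
    flags, nsub, sub_off, name_len = struct.unpack_from("<H16xI4xI40xH", nk, 2)  # fields @2, @20, @28, @72
    name = nk[76:76 + name_len].decode("latin-1" if flags & 0x20 else "utf-16-le")  # 0x20 = KEY_COMP_NAME
    full = f"{path}\\{name}" if path else name
    subs = subkey_offsets(hive, sub_off) if nsub else []
    return [full] + [k for s in subs for k in walk_keys(hive, s, full)]

def build_sample_hive():  # constructed in-memory hive, not a real Windows file: ROOT -> {Alpha, Beta}
    cells = bytearray()
    def add(payload):  # append an allocated, 8-byte-aligned cell and return its hbin-relative offset
        off, size = 0x20 + len(cells), (len(payload) + 4 + 7) & ~7
        cells.extend(struct.pack("<i", -size) + payload.ljust(size - 4, b"\0"))
        return off
    def nk(name, nsub=0, sub_off=0xFFFFFFFF):  # ASCII-named key with no values, class or security record
        return struct.pack("<2sH16xIIII36xHH", b"nk", 0x20, nsub, 0, sub_off, 0xFFFFFFFF, len(name), 0) + name
    a, b = add(nk(b"Alpha")), add(nk(b"Beta"))
    root = add(nk(b"ROOT", 2, add(b"lf" + struct.pack("<HI4sI4s", 2, a, b"Alph", b, b"Beta"))))
    hdr = bytearray(b"regf".ljust(4096, b"\0"))  # seq 1/1, timestamp, v1.3, type, format, root, bins size, cluster
    struct.pack_into("<IIQIIIIIII", hdr, 4, 1, 1, 0, 1, 3, 0, 1, root, 4096, 1)
    struct.pack_into("<I", hdr, 508, header_checksum(hdr))
    free = 4096 - 32 - len(cells)  # the rest of the single hbin is one free (positive-size) cell
    return bytes(hdr) + struct.pack("<4sII20x", b"hbin", 0, 4096) + bytes(cells) + struct.pack("<i", free) + bytes(free - 4)
```

Running `walk_keys` on a real hive (`open(path, "rb").read()`) lists the keys as stored on disk, independent of the Registry API; a checksum mismatch or a pointer into a free cell is the kind of damage the post's utility is meant to surface.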

You can download the utility from here. The information on the hive file format was gathered from various sources available on the Internet:
