I’m attempting to read through an offline SYSTEM registry file to parse specific data. I could use the NirSoft tool RegFileExport to output the relevant keys to a .txt file and then parse the data from this but that relies on additional software so I really want to do it all using Python.
I’ve found Regipy which appears to be the only library around that will parse offline registry files, but I’m having problems getting it to work.
Rather than try to insert Regipy into my code from the off, I used some of the example code supplied with Regipy to get things working initially. I’ve got an offline SYSTEM registry file (file header ‘regf’) that I read in and then print each subkey name as follows:
from regipy.registry import RegistryHive
offline_SYSTEM_registry = '<location of my offline SYSTEM registry file>'
SYSTEM_data = RegistryHive(offline_SYSTEM_registry)
# Walk every subkey from the hive root and print its name
for entry in SYSTEM_data.recurse_subkeys(fetch_values=True, as_json=True):
    print(entry.subkey_name)
When I run the above it will output some of the subkeys but it also outputs errors as follows:
...
Protected
CI
Could not parse data as string, formating to hex: 'utf-8' codec can't decode byte 0x80 in position 132: invalid start byte
0006
{6a3433f4-5626-40e8-a9b9-dbd9ecd2884b}
Properties
{05f5cfe2-4733-4950-a6bb-07aad01a3a84}
Properties
{1264760F-A5C8-4BFE-B314-D56A7B44A362}
Could not parse data as string, formating to hex: 'utf-8' codec can't decode byte 0x80 in position 132: invalid start byte
0006
{6a3433f4-5626-40e8-a9b9-dbd9ecd2884b}
Properties
{13e42dfa-85d9-424d-8646-28a70f864f9c}
0000
Could not parse data as string, formating to hex: 'utf-8' codec can't decode byte 0x80 in position 132: invalid start byte
0006
{6a3433f4-5626-40e8-a9b9-dbd9ecd2884b}
Properties
...
I have two issues/questions.
- I don’t want to parse the entire registry. I’m interested in the SourceOS entries so rather than start from the root, I want to start from the ROOT\Setup key. I can’t figure out a way to do that.
- How do I suppress the ‘Could not parse data as string…’ messages?
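
One way to approach both questions, as an added example that is not part of the original post: open the key directly with regipy's `get_key` instead of recursing from the root, and raise the log threshold of the `regipy` logger tree while reading. Assumptions: the installed regipy logs through Python's standard `logging` module, the key sits at `\Setup` in the hive, and the helper names `quiet_regipy`, `is_source_os` and `source_os_entries` are hypothetical.

```python
import logging
from contextlib import contextmanager


@contextmanager
def quiet_regipy(level=logging.CRITICAL):
    """Temporarily raise the threshold of the 'regipy' logger tree.

    Assumption: regipy uses the standard logging module with loggers named
    after its modules (regipy.registry, regipy.utils, ...), so they inherit
    the level set on the 'regipy' parent.
    """
    parent = logging.getLogger("regipy")
    previous = parent.level
    parent.setLevel(level)
    try:
        yield
    finally:
        parent.setLevel(previous)  # restore so later errors are not hidden


def is_source_os(key_name):
    """Match 'SourceOS' and 'Source OS (Updated on ...)' style key names."""
    return key_name.replace(" ", "").lower().startswith("sourceos")


def source_os_entries(hive_path, setup_path=r"\Setup"):
    """Return [(subkey name, {value name: value})] for Source OS keys."""
    # Imported here so the helpers above work without regipy installed.
    from regipy.exceptions import RegistryKeyNotFoundException
    from regipy.registry import RegistryHive

    hive = RegistryHive(hive_path)
    found = []
    with quiet_regipy():
        try:
            setup = hive.get_key(setup_path)  # start here, not at the root
        except RegistryKeyNotFoundException:
            return found  # this hive has no Setup key
        for subkey in setup.iter_subkeys():
            if is_source_os(subkey.name):
                values = {v.name: v.value
                          for v in subkey.iter_values(as_json=True)}
                found.append((subkey.name, values))
    return found


if __name__ == "__main__":
    import sys
    for name, values in source_os_entries(sys.argv[1]):
        print(name, values)
```

The suppressed message only reports that a value was rendered as hex instead of text, so the value itself is still returned.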