A library for fast import of Windows NT Registry(REGF) into Elasticsearch.

Related tags

Search reg2es
Overview

reg2es

MIT License PyPI version Python Versions

reg2es logo

A library for fast import of Windows NT Registry(REGF) into Elasticsearch.
reg2es uses C library libregf.

Usage

When using from the commandline interface:

$ reg2es /path/to/your/file.DAT

When using from the python-script:

from reg2es import reg2es

if __name__ == '__main__':
  filepath = '/path/to/your/file.DAT'
  reg2es(filepath)

Arguments

reg2es supports importing from multiple files.

$ reg2es NTUSER.DAT SYSTEM SAM

Also, possible to import recursively from a specific directory.

Note: In this case, the filename will not be checked, please check for unnecessary files before execute.

$ tree .
regfiles/
  ├── NTUSER.DAT
  ├── NTUSER.MAN
  ├── SAM
  └── subdirectory/
    ├── SOFTWARE
    └── subsubdirectory/
      ├── SYSTEM
      └── UsrClass.dat

$ reg2es /regfiles/ # The Path is recursively expanded to file1~6.reg.

Options

--version, -v

--help, -h

--quiet, -q
  Flag to suppress standard output
  (default: False)

--host:
  ElasticSearch host address
  (default: localhost)

--port:
  ElasticSearch port number
  (default: 9200)

--index:
  Index name of Import destination
  (default: reg2es)

--scheme:
  Scheme to use (http, or https)
  (default: http)

--pipeline
  Elasticsearch Ingest Pipeline to use
  (default: )

--login:
  The login to use if Elastic Security is enable
  (default: )

--pwd:
  The password linked to the login provided
  (default: )

--fields-limit
  index.mapping.total_fields.limit settings
  (default: 10000)

Examples

When using from the commandline interface:

$ reg2es /path/to/your/file.dat --host=localhost --port=9200 --index=foobar

When using from the python-script:

if __name__ == '__main__':
    reg2es('/path/to/your/file.dat', host=localhost, port=9200, index='foobar')

With the Amazon Elasticsearch Serivce (ES):

$ reg2es /path/to/your/file.dat --host=example.us-east-1.es.amazonaws.com --port=443 --scheme=https --index=foobar

With credentials for Elastic Security:

$ reg2es /path/to/your/file.dat --host=localhost --port=9200 --index=foobar --login=elastic --pwd=******

Note: The current version does not verify the certificate.

Appendix

Reg2json

Extra feature. 🍣 🍣 🍣

Convert from Windows NT Registry(REGF) to json file.

$ reg2json /path/to/your/file.DAT /path/to/output/target.json

Convert from Windows NT Registry(REGF) to Python dict object.

from reg2es import reg2json

if __name__ == '__main__':
  filepath = '/path/to/your/file.DAT'
  result: dict = reg2json(filepath)

Output Format

The structures is not well optimized for searchable with Elasticsearch. I'm waiting for your PR!!

{
  "ROOT": {
    "AppEvents": {
      "meta": {
        "last_written_time": "2015-10-30T07:24:57.814133"
      },
      "EventLabels": {
        "meta": {
          "last_written_time": "2015-10-30T07:25:51.735838"
        },
        "Default": {
          "meta": {
            "last_written_time": "2015-10-30T07:24:57.861009"
          },
          "_": {
            "type": 1,
            "identifier": "REG_SZ",
            "size": 26,
            "data": "Default Beep"
          },
          "DispFileName": {
            "type": 1,
            "identifier": "REG_SZ",
            "size": 34,
            "data": "@mmres.dll,-5824"
          }
        },
        "ActivatingDocument": {
          "meta": {
            "last_written_time": "2015-10-30T07:24:57.861009"
          },
          "_": {
            "type": 1,
            "identifier": "REG_SZ",
            "size": 40,
            "data": "Complete Navigation"
          },
          "DispFileName": {
            "type": 1,
            "identifier": "REG_SZ",
            "size": 40,
            "data": "@ieframe.dll,-10321"
          }
        }
        ...
      }
    }
  }
}

Installation

via PyPI

$ pip install reg2es

Known Issues

elasticsearch.exceptions.RequestError: RequestError(400, 'illegal_argument_exception', 'Limit of total fields [1000] in index [reg2es] has been exceeded')

Windows NT Registry has a large number of elements per document and is caught in the initial value of the limit. Therefore, please use the --fields-limit(default: 10000) option to remove the limit.

$ reg2es --fields-limit 10000 NTUSER.DAT

Contributing

CONTRIBUTING

The source code for reg2es is hosted at GitHub, and you may download, fork, and review it from this repository(https://github.com/sumeshi/reg2es). Please report issues and feature requests. 🍣 🍣 🍣

License

reg2es is released under the MIT License.

Powered by libregf.

You might also like...
Aggrokatz is an aggressor plugin extension for Cobalt Strike which enables pypykatz to interface with the beacons remotely and allows it to parse LSASS dump files and registry hive files to extract credentials and other secrets stored without downloading the file and without uploading any suspicious code to the beacon. In this repository, I have developed an end to end Automatic speech recognition project. I have developed the neural network model for automatic speech recognition with PyTorch and used MLflow to manage the ML lifecycle, including experimentation, reproducibility, deployment, and a central model registry.
Give you a better view of your Docker registry disk usage.

registry-du Give you a better view of your Docker registry disk usage. This small tool will analysis your Docker registry(vanilla or Harbor both work)

Watch your Docker registry project size, then monitor it with Grafana.
Watch your Docker registry project size, then monitor it with Grafana.

Watch your Docker registry project size, then monitor it with Grafana.

Push Container Image To Docker Registry In Python

push-container-image-to-docker-registry 概要 push-container-image-to-docker-registry は、エッジコンピューティング環境において、特定のエッジ端末上の Private Docker Registry に特定のコンテナイメー

Modify version of impacket wmiexec.py, get output(data,response) from registry, don't need SMB connection, also bypassing antivirus-software in lateral movement like WMIHACKER.
Modify version of impacket wmiexec.py, get output(data,response) from registry, don't need SMB connection, also bypassing antivirus-software in lateral movement like WMIHACKER.

wmiexec-RegOut Modify version of impacket wmiexec.py,wmipersist.py. Got output(data,response) from registry, don't need SMB connection, but I'm in the

A SageMaker Projects template to deploy a model from Model Registry, choosing your preferred method of deployment among async (Asynchronous Inference), batch (Batch Transform), realtime (Real-time Inference Endpoint). More to be added soon! A terminal application for managing images and artifacts in Azure Container Registry.
A terminal application for managing images and artifacts in Azure Container Registry.

acr-browser acr-browser is a terminal-based user interface for managing container images and artifacts in Azure Container Registry. 🚀 This project ow

Autopsy Module to analyze Registry Hives based on bookmarks provided by EricZimmerman for his tool RegistryExplorer
Autopsy Module to analyze Registry Hives based on bookmarks provided by EricZimmerman for his tool RegistryExplorer

Autopsy Module to analyze Registry Hives based on bookmarks provided by EricZimmerman for his tool RegistryExplorer

A test repository to build a python package and publish the package to Artifact Registry using GCB

A test repository to build a python package and publish the package to Artifact Registry using GCB. Then have the package be a dependency in a GCF function.

Backup dc registry - A simple POC that abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY
Backup dc registry - A simple POC that abuses Backup Operator privileges to remote dump SAM, SYSTEM, and SECURITY

Backup Operator Registry Backup to Domain Compromise A simple POC that abuses Ba

 YBlade - Import QBlade blades into Fusion 360
YBlade - Import QBlade blades into Fusion 360

YBlade - Import QBlade blades into Fusion 360 Simple script for Fusion 360 that takes QBlade blade description and constructs the blade: Usage First,

This is django-import-export module that exports data into many formats
This is django-import-export module that exports data into many formats

django-import-export This is django-import-export module which exports data into many formats, you can implement this in your admin panel. - Dehydrat

Uses the Duke Energy Gateway to import near real time energy usage into Home Assistant
Uses the Duke Energy Gateway to import near real time energy usage into Home Assistant

Duke Energy Gateway This is a custom integration for Home Assistant. It pulls near-real-time energy usage from Duke Energy via the Duke Energy Gateway

💰 Import your ING Germany bank statements via FinTS into YNAB.
💰 Import your ING Germany bank statements via FinTS into YNAB.

Import your ING Germany bank statements via FinTS into YNAB. Setup Before setting this up, please register your FinTS product – it's free and takes on

Import entity definition document into SQLie3. Manage the entity. Also, create a "Create Table SQL file".

EntityDocumentMaker Version 1.00 After importing the entity definition (Excel file), store the data in sqlite3. エンティティ定義(Excelファイル)をインポートした後、データをsqlit

Import, connect and transform data into Excel

xlwings_query Import, connect and transform data into Excel. Description The concept is to apply data transformations to a main query object. When the

Roamtologseq - A script loads a json export of a Roam graph and cleans it up for import into Logseq

Roam to Logseq The script loads a json export of a Roam graph and cleans it up f

It converts ING BANK account historic into a csv file you can import in HomeBank application.

ing2homebank It converts your ING Bank account historic csv file into another csv file you can import in HomeBank application

Owner
S.Nakano
DFIR Researcher / Software Developer
S.Nakano
Eland is a Python Elasticsearch client for exploring and analyzing data in Elasticsearch with a familiar Pandas-compatible API.

Python Client and Toolkit for DataFrames, Big Data, Machine Learning and ETL in Elasticsearch

elastic 463 Dec 30, 2022
High level Python client for Elasticsearch

Elasticsearch DSL Elasticsearch DSL is a high-level library whose aim is to help with writing and running queries against Elasticsearch. It is built o

elastic 3.6k Dec 30, 2022
esguard provides a Python decorator that waits for processing while monitoring the load of Elasticsearch.

esguard esguard provides a Python decorator that waits for processing while monitoring the load of Elasticsearch. Quick Start You need to launch elast

po3rin 5 Dec 8, 2021
A real-time tech course finder, created using Elasticsearch, Python, React+Redux, Docker, and Kubernetes.

A real-time tech course finder, created using Elasticsearch, Python, React+Redux, Docker, and Kubernetes.

Dinesh Sonachalam 130 Dec 20, 2022
Es-schema - Common Data Schemas for Elasticsearch

Common Data Schemas for Elasticsearch The Common Data Schema for Elasticsearch i

Tim Schnell 2 Jan 25, 2022
A fast, efficiency python package for searching and getting search results with many different search engines

search A fast, efficiency python package for searching and getting search results with many different search engines. Installation To install the pack

Neurs 0 Oct 6, 2022
A Python web searcher library with different search engines

Robert A simple Python web searcher library with different search engines. Install pip install roberthelper Usage from robert import GoogleSearcher

null 1 Dec 23, 2021
A library for fast parse & import of Windows Prefetch into Elasticsearch.

prefetch2es Fast import of Windows Prefetch(.pf) into Elasticsearch. prefetch2es uses C library libscca. Usage When using from the commandline interfa

S.Nakano 5 Nov 24, 2022
Eland is a Python Elasticsearch client for exploring and analyzing data in Elasticsearch with a familiar Pandas-compatible API.

Python Client and Toolkit for DataFrames, Big Data, Machine Learning and ETL in Elasticsearch

elastic 463 Dec 30, 2022
Python library for serializing any arbitrary object graph into JSON. It can take almost any Python object and turn the object into JSON. Additionally, it can reconstitute the object back into Python.

jsonpickle jsonpickle is a library for the two-way conversion of complex Python objects and JSON. jsonpickle builds upon the existing JSON encoders, s

null 1.1k Jan 2, 2023