Tags: python, windows, hive, registry, windows-10

Open registry hive file with Python


I need to open a registry hive file with Python 3. This is supposed to work live on a Windows system as well as with hive files copied from another system.

Unfortunately, I'm not able to open or even see the files with Python:

#!/usr/bin/env python3

import os.path
import os

hive_dir = os.path.join(os.path.expandvars(r"%SystemRoot%"), "System32", "Config")
HIVES = ["System", "San", "Security", "Software", "Ntuser.dat"]

def main():
    print("Hive directory {} exists: {}".format(hive_dir, os.path.exists(hive_dir)))
    print("Content of {}: {}".format(hive_dir, os.listdir(hive_dir)))
    for hive in HIVES:
        hive_path = os.path.join(hive_dir, hive)
        print("{} exists: {}".format(hive_path, os.path.exists(hive_path)))

if __name__ == '__main__':
    main()

The script first checks the directory where the hive files are supposed to be as well as if the files are actually there. The output is:

Hive directory C:\WINDOWS\System32\Config exists: True
Content of C:\WINDOWS\System32\Config: ['Journal', 'RegBack', 'systemprofile', 'TxR']
C:\WINDOWS\System32\Config\System exists: False
C:\WINDOWS\System32\Config\San exists: False
C:\WINDOWS\System32\Config\Security exists: False
C:\WINDOWS\System32\Config\Software exists: False
C:\WINDOWS\System32\Config\Ntuser.dat exists: False

According to Microsoft's MSDN documentation, the files should be there, and opening the directory in Windows Explorer indeed shows files:

[screenshot: file listing of C:\WINDOWS\System32\Config in Windows Explorer]

Using PowerShell, I'm also able to verify that files are in place:

PS C:\Users\test> dir "$env:SystemRoot\System32\Config"

    Verzeichnis: C:\WINDOWS\System32\Config

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       05.12.2016     13:38                bbimigrate
d-----       16.07.2016     13:47                Journal
d-----       14.03.2017     10:19                RegBack
d-----       05.12.2016     13:19                systemprofile
d-----       16.03.2017     10:14                TxR
-a----       16.03.2017     10:16        1048576 BBI
-a----       05.12.2016     13:15          28672 BCD-Template
-a----       20.03.2017     09:32       91488256 COMPONENTS
-a----       16.03.2017     10:16        1572864 DEFAULT
-a----       16.03.2017     12:16        5259264 DRIVERS
-a----       05.12.2016     14:02          32768 ELAM
-a----       20.03.2017     09:22            120 netlogon.ftl
-a----       05.12.2016     13:12          73728 SAM
-a----       16.03.2017     10:16          73728 SECURITY
-a----       16.03.2017     10:16      103022592 SOFTWARE
-a----       16.03.2017     10:16       19136512 SYSTEM
-a----       05.12.2016     12:39           8192 userdiff
-a----       16.07.2016     13:45           4096 VSMIDK

PS C:\Users\test> Test-Path "$env:SystemRoot\System32\Config\SECURITY"
True

I'm running 64-bit Windows 10 Enterprise and Python 3.5. I verified the behavior on my productive system as well as on a virtual machine. Running Python as admin did not change anything.

What's wrong here?


Solution

You're running 32-bit Python and looking at SysWOW64\config due to WOW64 file-system redirection. A 32-bit process that's running on 64-bit Windows can access the native system directory as "%SystemRoot%\SysNative". This directory is virtual and doesn't exist in a native process, so first check that it exists.

Also, "San" is a typo; it should be "SAM". And there shouldn't be an "NTUSER.DAT" in the system config directory. That file only exists in user-profile directories.
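The resolution rule from the answer, as an added example that is not part of the question or the answer: the hive directory is chosen by checking for the virtual "Sysnative" alias (present only inside a WOW64 process), the hive names are corrected, and the existence checks are injectable so the logic can be exercised on any platform. The `exists` parameters and the `SYSTEM_HIVES` list are assumptions of this example.

```python
#!/usr/bin/env python3
"""Locate %SystemRoot%\\System32\\Config from a Python process that may be a
32-bit process on 64-bit Windows (WOW64).

Under WOW64, System32 is silently redirected to SysWOW64, which holds no
registry hives. The virtual "Sysnative" alias bypasses that redirection and
exists only inside a WOW64 process, so its presence is the signal to use it.
"""
import ntpath  # Windows path rules on every platform, so the logic is testable
import os

# Hive names as they appear in the system config directory ("SAM", not "San").
# NTUSER.DAT is deliberately absent: it lives in each user's profile directory.
SYSTEM_HIVES = ("SYSTEM", "SAM", "SECURITY", "SOFTWARE", "DEFAULT")


def hive_directory(system_root, exists=os.path.isdir):
    """Return the config directory that really holds the hives for this process.

    `exists` is injectable (assumption of this example) so the resolution rule
    can be tested without a Windows box.
    """
    sysnative = ntpath.join(system_root, "Sysnative")
    if exists(sysnative):
        # WOW64 process: System32 would be redirected, Sysnative is not.
        return ntpath.join(sysnative, "Config")
    # Native (64-bit or real 32-bit) process: no redirection is in effect.
    return ntpath.join(system_root, "System32", "Config")


def hive_paths(config_dir, exists=os.path.isfile):
    """Map each expected hive name to whether its file is present."""
    return {hive: exists(ntpath.join(config_dir, hive)) for hive in SYSTEM_HIVES}


def main():
    system_root = os.path.expandvars(r"%SystemRoot%")
    config_dir = hive_directory(system_root)
    print("Hive directory:", config_dir)
    for hive, present in hive_paths(config_dir).items():
        print("{:<10} {}".format(hive, "present" if present else "missing"))


if __name__ == "__main__":
    main()
```

On a live system the hive files are locked by the kernel, so a positive `hive_paths` result means the path is right, not that the file can be read in place.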