winreg-artifacts 0.1.0

Forensic artifact decoders for Windows Registry
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

//! WSL distro registration parser — HKCU\Software\Microsoft\Windows\CurrentVersion\Lxss

use std::io::Cursor;
use std::path::PathBuf;

use winreg_core::hive::Hive;

// ── Types ─────────────────────────────────────────────────────────────────────

#[derive(Debug, Clone, PartialEq, Eq, serde::Serialize)]
pub enum DistroVersion {
    Wsl1,
    Wsl2,
    Unknown,
}

#[derive(Debug, Clone, PartialEq, Eq, serde::Serialize)]
pub enum DistroState {
    Installed,
    Running,
    Unknown,
}

#[derive(Debug, Clone, serde::Serialize)]
pub struct LxssDistro {
    pub guid: String,
    pub distribution_name: String,
    pub package_family_name: Option<String>,
    pub base_path: String,
    pub state: DistroState,
    pub version: DistroVersion,
    pub default_uid: Option<u32>,
    pub is_default: bool,
}

impl LxssDistro {
    /// Returns the path to `ext4.vhdx` for WSL2 distros; `None` for WSL1.
    ///
    /// WSL2 stores the Linux filesystem at `<BasePath>\ext4.vhdx`.
    /// WSL1 uses a directory tree under `%LOCALAPPDATA%\lxss\` instead.
    pub fn vhdx_path(&self) -> Option<PathBuf> {
        if self.version != DistroVersion::Wsl2 {
            return None;
        }
        let mut path = PathBuf::from(&self.base_path);
        path.push("ext4.vhdx");
        Some(path)
    }
}

// ── Key paths ─────────────────────────────────────────────────────────────────

const LXSS_PATH: &str = "Software\\Microsoft\\Windows\\CurrentVersion\\Lxss";

// ── Helpers ───────────────────────────────────────────────────────────────────

/// Returns true for GUID-format names like `{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}`.
fn is_guid(name: &str) -> bool {
    let s = name.trim();
    if s.len() != 38 {
        return false;
    }
    let b = s.as_bytes();
    b[0] == b'{'
        && b[37] == b'}'
        && b[9] == b'-'
        && b[14] == b'-'
        && b[19] == b'-'
        && b[24] == b'-'
        && b[1..9].iter().all(|c| c.is_ascii_hexdigit())
        && b[10..14].iter().all(|c| c.is_ascii_hexdigit())
        && b[15..19].iter().all(|c| c.is_ascii_hexdigit())
        && b[20..24].iter().all(|c| c.is_ascii_hexdigit())
        && b[25..37].iter().all(|c| c.is_ascii_hexdigit())
}

fn str_val(key: &winreg_core::key::Key<'_>, name: &str) -> Option<String> {
    key.value(name)
        .ok()
        .flatten()
        .and_then(|v| v.as_string().ok())
}

fn u32_val(key: &winreg_core::key::Key<'_>, name: &str) -> Option<u32> {
    key.value(name).ok().flatten().and_then(|v| v.as_u32().ok())
}

// ── Parser ────────────────────────────────────────────────────────────────────

/// Parse WSL distro registrations from an NTUSER.DAT hive.
pub fn parse(hive: &Hive<Cursor<Vec<u8>>>) -> Vec<LxssDistro> {
    let lxss_key = match hive.open_key(LXSS_PATH) {
        Ok(Some(k)) => k,
        _ => return Vec::new(),
    };

    let default_guid = str_val(&lxss_key, "DefaultDistribution").unwrap_or_default();

    let subkeys = match lxss_key.subkeys() {
        Ok(s) => s,
        Err(_) => return Vec::new(),
    };

    let mut distros = Vec::new();

    for subkey in subkeys {
        let guid = subkey.name();
        if !is_guid(&guid) {
            continue;
        }

        let distribution_name = match str_val(&subkey, "DistributionName") {
            Some(n) => n,
            None => continue,
        };

        let base_path = match str_val(&subkey, "BasePath") {
            Some(p) => p,
            None => continue,
        };

        let package_family_name = str_val(&subkey, "PackageFamilyName");

        let state = match u32_val(&subkey, "State") {
            Some(1) => DistroState::Installed,
            Some(4) => DistroState::Running,
            _ => DistroState::Unknown,
        };

        let version = match u32_val(&subkey, "Version") {
            Some(1) => DistroVersion::Wsl1,
            Some(2) => DistroVersion::Wsl2,
            _ => DistroVersion::Unknown,
        };

        let default_uid = u32_val(&subkey, "DefaultUid");
        let is_default = !default_guid.is_empty() && guid == default_guid;

        distros.push(LxssDistro {
            guid,
            distribution_name,
            package_family_name,
            base_path,
            state,
            version,
            default_uid,
            is_default,
        });
    }

    distros
}