winreg-artifacts 0.1.0

Forensic artifact decoders for Windows Registry
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196

//! Generic registry key/value walker — foundation module for forensic artifact extraction.
//!
//! Produces `RegistryKeyInfo` and `RegistryValueInfo` structs for every key and value
//! in a hive, suitable for downstream artifact decoders.

use std::io::Cursor;

use winreg_core::hive::Hive;

/// Metadata for a single registry key.
#[derive(Debug, Clone, serde::Serialize)]
pub struct RegistryKeyInfo {
    /// Full path from root, e.g. `"SOFTWARE\\Microsoft\\Windows"`.
    pub path: String,
    /// Just the key name (last component).
    pub name: String,
    /// ISO 8601 timestamp, or `None` if not set / zero FILETIME.
    pub last_written: Option<String>,
    /// Number of direct subkeys.
    pub subkey_count: usize,
    /// Number of values attached to this key.
    pub value_count: usize,
}

/// Metadata for a single registry value.
#[derive(Debug, Clone, serde::Serialize)]
pub struct RegistryValueInfo {
    /// Full path of the parent key.
    pub key_path: String,
    /// Value name; empty string for the default (unnamed) value.
    pub name: String,
    /// Human-readable type string, e.g. `"REG_SZ"`, `"REG_DWORD"`.
    pub data_type: String,
    /// Human-readable preview of the data, truncated at 256 chars.
    pub data_preview: String,
    /// Raw data size in bytes.
    pub raw_size: usize,
}

/// Walk all keys in the hive (BFS order), returning metadata for each.
pub fn walk_keys(hive: &Hive<Cursor<Vec<u8>>>) -> Vec<RegistryKeyInfo> {
    let iter = match hive.iter_bfs() {
        Ok(it) => it,
        Err(_) => return Vec::new(),
    };

    let mut result = Vec::new();
    for item in iter {
        let key = match item {
            Ok(k) => k,
            Err(_) => continue,
        };

        let path = if key.is_root() {
            // Root key: path is empty string (no path from root to root)
            String::new()
        } else {
            key.path().unwrap_or_default()
        };

        let last_written = key
            .last_written()
            .map(|dt| dt.format("%Y-%m-%dT%H:%M:%S").to_string());

        result.push(RegistryKeyInfo {
            name: key.name(),
            path,
            last_written,
            subkey_count: key.subkey_count() as usize,
            value_count: key.value_count() as usize,
        });
    }
    result
}

/// Walk all values under a specific key path.
///
/// Returns an empty `Vec` if the path is not found or the key has no values.
pub fn walk_values(hive: &Hive<Cursor<Vec<u8>>>, key_path: &str) -> Vec<RegistryValueInfo> {
    let key = match hive.open_key(key_path) {
        Ok(Some(k)) => k,
        _ => return Vec::new(),
    };

    let values = match key.values() {
        Ok(v) => v,
        Err(_) => return Vec::new(),
    };

    values
        .into_iter()
        .map(|v| value_to_info(v, key_path))
        .collect()
}

/// Walk all keys AND their values recursively (BFS), returning a `RegistryValueInfo`
/// for every value in the hive.
pub fn walk_all_values(hive: &Hive<Cursor<Vec<u8>>>) -> Vec<RegistryValueInfo> {
    let iter = match hive.iter_bfs() {
        Ok(it) => it,
        Err(_) => return Vec::new(),
    };

    let mut result = Vec::new();
    for item in iter {
        let key = match item {
            Ok(k) => k,
            Err(_) => continue,
        };

        let key_path = if key.is_root() {
            String::new()
        } else {
            key.path().unwrap_or_default()
        };

        let values = match key.values() {
            Ok(v) => v,
            Err(_) => continue,
        };

        for v in values {
            result.push(value_to_info(v, &key_path));
        }
    }
    result
}

// ── Internal helpers ────────────────────────────────────────────────────────

/// Convert a `winreg_core::value::Value` into a `RegistryValueInfo`.
fn value_to_info(v: winreg_core::value::Value<'_>, key_path: &str) -> RegistryValueInfo {
    let data_type = v.data_type().to_string();
    let raw_size = v.data_size() as usize;
    let data_preview = build_preview(&v);

    RegistryValueInfo {
        key_path: key_path.to_string(),
        name: v.name(),
        data_type,
        data_preview,
        raw_size,
    }
}

/// Build a human-readable preview of the value data, truncated at 256 chars.
fn build_preview(v: &winreg_core::value::Value<'_>) -> String {
    use winreg_format::flags::ValueType;

    match v.data_type() {
        ValueType::Sz | ValueType::ExpandSz | ValueType::Link => {
            let s = v.as_string().unwrap_or_default();
            truncate_string(s, 256)
        }
        ValueType::Dword => {
            let n = v.as_u32().unwrap_or(0);
            format!("0x{n:08X} ({n})")
        }
        ValueType::DwordBigEndian => {
            let n = v.as_u32_be().unwrap_or(0);
            format!("0x{n:08X} ({n})")
        }
        ValueType::Qword => {
            let n = v.as_u64().unwrap_or(0);
            format!("0x{n:016X} ({n})")
        }
        ValueType::MultiSz => {
            let parts = v.as_multi_string().unwrap_or_default();
            let joined = parts.join(" | ");
            truncate_string(joined, 256)
        }
        _ => {
            // Binary / Unknown: hex preview up to 32 bytes
            let data = v.raw_data().unwrap_or_default();
            let preview_len = data.len().min(32);
            let hex: Vec<String> = data[..preview_len]
                .iter()
                .map(|b| format!("{b:02X}"))
                .collect();
            let s = hex.join(" ");
            if data.len() > 32 {
                format!("{s}...")
            } else {
                s
            }
        }
    }
}

/// Truncate a `String` to at most `max_chars` characters.
fn truncate_string(mut s: String, max_chars: usize) -> String {
    if s.chars().count() > max_chars {
        s = s.chars().take(max_chars).collect();
    }
    s
}