Notatin

Notatin is a Rust library for parsing offline Windows Registry files. It includes Python bindings for the library (pynotatin) and binaries for working directly with registry files.

Features

Implemented using 100% safe Rust, and works on all platforms supported by Rust (that have stdlib). Tested in Windows and Ubuntu.
Supports applying transaction logs, and recovering deleted and modified keys and values.
Supports exporting to JSONL, XLSX, TSV, and Eric Zimmerman's common registry format (https://github.com/EricZimmerman/Registry).
Python bindings are included in the project (pynotatin).

notatin (crate)

notatin is a library that parses offline Windows Registry files.

reg_dump (utility)

reg_dump is a binary utility. It parses registry files, or a tree of registry files using the --recurse argument, and exports to JSONL, XLSX, TSV, or common format. An optional key path filter may also be supplied. Optional recovery of deleted and prior versions of keys and values is also supported.

JSONL dumps all the data. The --full-field-info argument will include file offset information for each field.

XLSX and TSV dump some of the data; the data in both outputs is the same but XLSX has context-specific formatting which is especially helpful when reviewing recovered data. And, if you are focusing on recovered items, the --recovered-only argument will return only items that are modified, deleted, or that contain a modified or deleted value.

Common dumps what common wants.

``` Usage: reg_dump [OPTIONS] --input --output -t

Options: -i, --input Base registry file, or root folder if recursing -o, --output Output file. or folder if recursing -t output type [default: jsonl] [possible values: jsonl, xlsx, tsv, common] -r, --recurse Recurse through input looking for registry files --recover Recover deleted and versioned keys and values --recovered-only Only export recovered items (applicable to tsv and xlsx output) --full-field-info Get the offset and length for each key/value field (applicable to jsonl output) -s, --skip-logs Skip transaction log files -f, --filter [] Key path for filter (ex: 'ControlSet001\Services') -h, --help Print help -V, --version Print version ```

reg_compare (utility)

reg_compare is a binary utility. It will compare two registry files, or trees of files using --recurse argument (the structure of the trees must match). The default output is a report of the differences in a format similar to that of Regshot. The --diff argument will format the results in a unified diff format.

``` Usage: reg_compare [OPTIONS] --base --compare --output

Options: -b, --base Base registry file or root folder to search -c, --compare Registry file or root folder to search for comparison -o, --output Output file or folder -r, --recurse Recurse through base and comparison folders looking for registry files; file trees must match -f, --filter [] Key path for filter (ex: 'ControlSet001\Services') -d, --diff Export unified diff format output -s, --skip-logs Skip transaction log files -h, --help Print help -V, --version Print version ```

Library usage

```rust,norun use notatin::{ err::Error, parserbuilder::{ParserBuilder, ParserBuilderTrait}, };

fn main() -> Result<(), Error> { let mut parser = ParserBuilder::frompath("system") .recoverdeleted(false) .withtransactionlog("system.log1") .withtransactionlog("system.log2") .build()?;

for key in parser.iter() {
    println!("{}", key.path);
    for value in key.value_iter() {
        println!("\t{} {:?}", value.value_name, value.get_content());
    }
}
Ok(())

} Opening files and iterating the results is intended to be straightforward. By default, iteration is prefix order (displayed in the code sample above). Postorder traversal (children before parents) is available as well:rust,norun for key in parser.iterpostorder() { //... } Result filters are optional, but they can speed up processing as Notatin will skip parsing what doesn't match. Filters may include regular expressions and/or literal paths and are applied at iteration time.rust,norun let filter = FilterBuilder::new() .addliteralsegment("control Panel") .addregexsegment("access.*") .addregexsegment("keyboard.+") .returnchild_keys(false) .build(); ```

pynotatin (Python bindings)

Please see the pynotatin README.md for details on using pynotatin.

## What is Notatin? Notatin is another name for the enzyme glucose oxidase. Glucose oxidase catalyzes the oxidation of glucose to hydrogen peroxide. It is present in honey because honeybees synthesize the enzyme and deposit it into the honey, where it acts as a natural preservative. So, Notatin helps preserve things in hives. * https://en.wikipedia.org/wiki/Glucoseoxidase * https://en.wikipedia.org/wiki/WindowsRegistry#Hives