Bottom Page

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
 Windows reg extractor
I have written code to extract the software version and name from the Windows 10 registry.

But i have noticed it extracts all named software folders correctly but fails to extract any software names and versions from any software using a GUID in curly brackets.

Is there a switch I can use to include ALL registry entries which will include curly bracket entries?
what library do you use? Maybe show code...
aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
#The following opens the registry to extract all software version numbers
aKey = OpenKey(aReg, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"\
    , access=KEY_READ)
bKey = OpenKey(aReg, r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"\
    , access=KEY_READ)
savfile = open(r’D:/Test/‘ + pathFin + '/' + result + ‘/Test/Software Versions.txt', 'a')
savfile.write('All software versions extracted from ' + \
    pcname +'\n' + '-----------------------------' + '\n')

for i in range(100):
        asubkey_name = EnumKey(aKey, i)
        asubkey = OpenKey(aKey, asubkey_name)
        sofname = QueryValueEx(asubkey, "DisplayName")
        sofver = QueryValueEx(asubkey, "DisplayVersion")
        #print(sofname + sofver)
        outp = str(sofname + sofver)
        savfile = open(r’D:/Test/‘ + pathFin + '/' + result + ‘/Test/Software Versions.txt', 'a')
        savfile.write(outp + '\n')
    except FileNotFoundError:
    except OSError:
for a in range(100):
        bsubkey_name = EnumKey(bKey, a)
        bsubkey = OpenKey(bKey, bsubkey_name)
        sofFed = QueryValueEx(bsubkey, "DisplayName")
        outFed = str(sofFed)
        savfile = open(r’D:/Test/‘ + opathFin + '/' + result + ‘/Test/Software Versions.txt', 'a')
        savfile.write(outFed + '\n')
    except FileNotFoundError:
    except OSError:

I query 2 locations in the registry to get all the software.

Just looking at that I have just realised I may not be giving the loop enough loops! I may increase that and see what happens. Although the GUID curly bracket entries are at the beginning of the registry entry.
buran wrote May-22-2020, 10:18 AM:
Please, use proper tags when post code, traceback, output, etc. This time I have added tags for you.
See BBcode help for more info.
Can try something like this,just something hacked together from some code found online.
Some time since i looked at this,usually if remember right so is finding a way to loop all registry the tricky part,then extract stuff is pretty stray forward.
import errno, os, winreg

proc_arch = os.environ['PROCESSOR_ARCHITECTURE'].lower()
proc_arch64 = os.environ['PROCESSOR_ARCHITEW6432'].lower()

if proc_arch == 'x86' and not proc_arch64:
    arch_keys = {0}
elif proc_arch == 'x86' or proc_arch == 'amd64':
    arch_keys = {winreg.KEY_WOW64_32KEY, winreg.KEY_WOW64_64KEY}
    raise Exception(f"Unhandled arch: {proc_arch}")

for arch_key in arch_keys:
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", 0, winreg.KEY_READ | arch_key)
    for i in range(0, winreg.QueryInfoKey(key)[0]):
        skey_name = winreg.EnumKey(key, i)
        skey = winreg.OpenKey(key, skey_name)
            print(winreg.QueryValueEx(skey, 'DisplayName')[0])
            print(winreg.QueryValueEx(skey, 'DisplayVersion')[0])
            print(winreg.QueryValueEx(skey, 'InstallSource')[0])
        except OSError as e:
            if e.errno == errno.ENOENT:
                # DisplayName doesn't exist in this skey
buran likes this post
Thank you, I will give that a go.

Top Page

Possibly Related Threads...
Thread Author Replies Views Last Post
  Archive (.7z, .zip, .rar, .tar, etc) Password Extractor btforensics 1 1,290 Jul-08-2018, 08:29 PM
Last Post: Larz60+

Forum Jump:

Users browsing this thread: 1 Guest(s)