20 stable releases (4 major)
| 4.2.3 | Jul 17, 2024 |
|---|---|
| 4.2.1 | Apr 17, 2024 |
| 4.0.2 | Mar 9, 2024 |
| 4.0.1 | Aug 23, 2023 |
| 0.1.1 | Apr 20, 2022 |
#124 in Windows APIs
Used in 3 crates
85KB
2K
SLoC
nt_hive2
Warning The tools of this repository have been moved to https://github.com/dfir-dd/dfir-toolkit
You can install the tools by running
cargo install dfir-toolkitThe lib itself will stay available here
This crates aims to be a replacement of https://github.com/ColinFinck/nt-hive, with the following differences:
- use of BinRead to parse hive files
- support of displaying last written timestamps
- recovery of deleted cells
Usage example for developers
use std::fs::File;
use nt_hive2::*;
#
let hive_file = File::open("tests/data/testhive")?;
let mut hive = Hive::new(hive_file)?;
let root_key = hive.root_key_node()?;
for sk in root_key.subkeys(&mut hive)?.iter() {
println!("\n[{}]; last written: {}", sk.borrow().name(), sk.borrow().timestamp());
for value in sk.borrow().values() {
println!("\"{}\" = {}", value.name(), value.value());
}
}
License: GPL-3.0
lib.rs:
This crates aims to be a replacement of https://github.com/ColinFinck/nt-hive, with the following differences:
- use of BinRead to parse hive files
- support of displaying last written timestamps
- possibly recovery of deleted cells (might be added in the future)
Usage example
use std::fs::File;
use nt_hive2::*;
#
let hive_file = File::open("tests/data/testhive")?;
let mut hive = Hive::new(hive_file, HiveParseMode::NormalWithBaseBlock)?;
let root_key = hive.root_key_node()?;
for sk in root_key.subkeys(&mut hive)?.iter() {
println!("\n[{}]; last written: {}", sk.borrow().name(), sk.borrow().timestamp());
for value in sk.borrow().values() {
println!("\"{}\" = {}", value.name(), value.value());
}
}
Dependencies
~7MB
~185K SLoC