18 stable releases (4 major)

4.2.1	Apr 17, 2024
4.0.2	Mar 9, 2024
4.0.1	Aug 23, 2023
4.0.0	Jul 25, 2023
0.1.1	Apr 20, 2022

#33 in Windows APIs

546 downloads per month
Used in 3 crates

GPL-3.0 license

85KB
2K SLoC

nt_hive2

Warning The tools of this repository have been moved to https://github.com/dfir-dd/dfir-toolkit

You can install the tools by running cargo install dfir-toolkit

The lib itself will stay available here

This crates aims to be a replacement of https://github.com/ColinFinck/nt-hive, with the following differences:

use of BinRead to parse hive files
support of displaying last written timestamps
recovery of deleted cells

Usage example for developers

use std::fs::File;
use nt_hive2::*;

#
let hive_file = File::open("tests/data/testhive")?;
let mut hive = Hive::new(hive_file)?;
let root_key = hive.root_key_node()?;

for sk in root_key.subkeys(&mut hive)?.iter() {
    println!("\n[{}]; last written: {}", sk.borrow().name(), sk.borrow().timestamp());
    for value in sk.borrow().values() {
        println!("\"{}\" = {}", value.name(), value.value());
    }
}

License: GPL-3.0

`lib.rs`:

This crates aims to be a replacement of https://github.com/ColinFinck/nt-hive, with the following differences:

use of BinRead to parse hive files
support of displaying last written timestamps
possibly recovery of deleted cells (might be added in the future)

Usage example

use std::fs::File;
use nt_hive2::*;

#
let hive_file = File::open("tests/data/testhive")?;
let mut hive = Hive::new(hive_file, HiveParseMode::NormalWithBaseBlock)?;
let root_key = hive.root_key_node()?;

for sk in root_key.subkeys(&mut hive)?.iter() {
    println!("\n[{}]; last written: {}", sk.borrow().name(), sk.borrow().timestamp());
    for value in sk.borrow().values() {
        println!("\"{}\" = {}", value.name(), value.value());
    }
}

Dependencies

~7MB
~197K SLoC