Dear vol-users,
I'm trying to get data from a volatile registry key using the regapi /
rawreg classes in volatility.
The key I'm looking for is under HKCU\Software\Classes\, and is called CLSID
vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns' -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K "Software\\Classes\\CLSID"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
The requested key could not be found in the hive(s) searched
So I go up one level:
vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns' -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K "Software\\Classes"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \??\C:\Users\admin\ntuser.dat
Key name: Classes (V)
Last updated: 2015-04-11 18:04:18 UTC+0000
Subkeys:
Values:
REG_LINK SymbolicLinkValue : (V) \Registry\User\S-1-5-21-978483858-511166411-2750856381-1000_Classes
----------------------------
Registry: \SystemRoot\System32\Config\DEFAULT
Key name: Classes (S)
Last updated: 2009-07-14 04:48:57 UTC+0000
Subkeys:
(S) Local Settings
Values:
How can I query this key and keep on drilling into its subkeys?
Also, my plugin is making extensive use of rawreg because I try to get each
individual NTUSER.dat hive, and I don't know which hive_name to pass on to
regapi. Should I use the full hive name, as in self.hive_name(obj.Object("_CMHIVE", vm = addr_space, offset = hive_offset)), or is there a better way of doing it?
Any help is greatly appreciated. Have a great day!
--
Thomas Chopitea
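An added example (not part of the original post, and not Volatility's own code) that works through both questions offline in plain Python, without importing Volatility. It models what the printkey output shows: the Classes key in ntuser.dat is a volatile REG_LINK whose SymbolicLinkValue names another hive root (\Registry\User\<SID>_Classes, i.e. the user's UsrClass.dat), so the lookup has to be re-issued against that hive with the remainder of the path (here just "CLSID"). The hive records are constructed to look like hivelist output: the offsets, the second user "bob" and the assumption that a regapi hive_name is matched as a case-insensitive substring of the hive's file path are mine, not taken from the post or from Volatility; the admin SID is the one printed above.

```python
"""Follow the REG_LINK at HKCU\\Software\\Classes to the hive that holds CLSID.

Added example, not code from the original post and not Volatility's API.
Hive records below are constructed to mirror hivelist output; the offsets,
the second user and the substring-style hive_name match are assumptions.
"""
from collections import namedtuple

# One loaded hive as hivelist describes it: _CMHIVE virtual offset, the
# in-kernel root path (\Registry\...) and the backing file.
Hive = namedtuple("Hive", "offset root_path file_path")

SID_ADMIN = "S-1-5-21-978483858-511166411-2750856381-1000"   # from the post
SID_BOB = "S-1-5-21-978483858-511166411-2750856381-1001"     # constructed

# Constructed hive list; offsets are invented, paths follow the Windows 7 layout.
SAMPLE_HIVES = [
    Hive(0xfffff8a000024010, r"\REGISTRY\MACHINE\SYSTEM",
         r"\SystemRoot\System32\Config\SYSTEM"),
    Hive(0xfffff8a0000c7010, r"\REGISTRY\USER\.DEFAULT",
         r"\SystemRoot\System32\Config\DEFAULT"),
    Hive(0xfffff8a001b2a010, r"\REGISTRY\USER\%s" % SID_ADMIN,
         r"\??\C:\Users\admin\ntuser.dat"),
    Hive(0xfffff8a001c3e010, r"\REGISTRY\USER\%s_Classes" % SID_ADMIN,
         r"\??\C:\Users\admin\AppData\Local\Microsoft\Windows\UsrClass.dat"),
    Hive(0xfffff8a002410010, r"\REGISTRY\USER\%s" % SID_BOB,
         r"\??\C:\Users\bob\ntuser.dat"),
]


def _parts(path):
    """Split a registry path into lower-cased components, ignoring edge slashes."""
    return [p.lower() for p in path.strip("\\").split("\\") if p]


def key_below_link(requested_key, link_key):
    """Return the part of requested_key beneath link_key ('' if they are the
    same key), or None when requested_key does not pass through the link."""
    req, lnk = _parts(requested_key), _parts(link_key)
    if req[:len(lnk)] != lnk:
        return None
    original = [p for p in requested_key.strip("\\").split("\\") if p]
    return "\\".join(original[len(lnk):])


def find_hive_by_root(hives, root_path):
    """Match a SymbolicLinkValue against the hives' root paths, case-insensitive."""
    for hive in hives:
        if _parts(hive.root_path) == _parts(root_path):
            return hive
    return None


def resolve_link(requested_key, link_key, link_target, hives):
    """Turn 'requested_key in the ntuser hive, which crosses a REG_LINK at
    link_key pointing at link_target' into (hive_to_open, key_in_that_hive).
    Returns None when the target hive is not among the loaded hives (for
    example because that user's UsrClass.dat was never loaded)."""
    remainder = key_below_link(requested_key, link_key)
    if remainder is None:
        raise ValueError("%s is not under link key %s" % (requested_key, link_key))
    hive = find_hive_by_root(hives, link_target)
    if hive is None:
        return None
    return hive, remainder


def hives_matching(hives, hive_name):
    """Hives whose file path contains hive_name, case-insensitive (assumed to
    mirror how a regapi hive_name selects hives). With several logged-on users
    a bare 'ntuser.dat' is ambiguous; a path fragment or the offset is not."""
    needle = hive_name.lower()
    return [h for h in hives if needle in h.file_path.lower()]


def printkey_args(hive, key):
    """printkey arguments that address the key unambiguously by hive offset."""
    return ["-o", "0x%x" % hive.offset, "-K", key]


if __name__ == "__main__":
    # The link exactly as printkey showed it for admin's ntuser.dat.
    target = r"\Registry\User\%s_Classes" % SID_ADMIN
    hive, key = resolve_link(r"Software\Classes\CLSID", r"Software\Classes",
                             target, SAMPLE_HIVES)
    print("open hive %s" % hive.file_path)
    print("printkey %s" % " ".join(printkey_args(hive, key)))
    print("hives matching 'ntuser.dat': %d" % len(hives_matching(SAMPLE_HIVES, "ntuser.dat")))
```

Inside a Volatility 2.4 plugin the constructed list would instead come from the _CMHIVE objects that hivelist.HiveList.calculate() yields (their HiveRootPath and FileFullPath strings), and the returned hive would be opened with a HiveAddressSpace at hive.obj_offset followed by rawreg.open_key(rawreg.get_root(hive_space), key.split("\\")). The same offset is what printkey -o takes, which sidesteps the hive_name ambiguity entirely when more than one NTUSER.DAT is loaded.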