vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns' -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K "Software\\Classes\\CLSID"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
The requested key could not be found in the hive(s) searched
vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns' -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K "Software\\Classes"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \??\C:\Users\admin\ntuser.dat
Key name: Classes (V)
Last updated: 2015-04-11 18:04:18 UTC+0000
Subkeys:
Values:
REG_LINK SymbolicLinkValue : (V) \Registry\User\S-1-5-21-978483858-511166411-2750856381-1000_Classes
----------------------------
Registry: \SystemRoot\System32\Config\DEFAULT
Key name: Classes (S)
Last updated: 2009-07-14 04:48:57 UTC+0000
Subkeys:
(S) Local Settings
Values:
How can I query this key and keep on drilling its subkeys ?
Also, my plugin is making extensive use of rawreg because I try to get each individual NTUSER.dat hive, and I don't know which hive_name to pass on to regapi. Should I use the full hive name, as in self.hive_name(obj.Object("_CMHIVE", vm = addr_space, offset = hive_offset)), or is there a better way of doing it?
Any help is greatly appreciated. Have a great day!