
Hi guys, can I know how to extract a timestamp for the registry? Because I am building a program to track the changes in the registry.

So far I managed to read the registry, but there is only name, type and data in my registry editor. Can I know how else I can get the modified date?

import winreg

# key is a handle returned by winreg.OpenKey()
values = {}  # a plain dict; do not shadow the built-in name dict
size = winreg.QueryInfoKey(key)[1]  # number of values under the key
for i in range(size):
    data = winreg.EnumValue(key, i)  # (name, data, type)
    values[data[0]] = data[1]

For the above code the output I got is

{'CVListTTL': 0, 'UnattendLoaded': 1, 'IECompatVersionHigh': 268435456, ...

Another question: can I just scan the whole system instead of a specific subkey like

result = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Internet Explorer\CodeIntegrity")  # raw string: single backslashes
dropoutzxc

2 Answers


According to the online documentation, the third value in the tuple winreg.QueryInfoKey() returns is:

An integer giving when the key was last modified (if available) as 100’s of nanoseconds since Jan 1, 1601.

Since it seems likely you may want to convert that value to a POSIX timestamp to make it more compatible with the rest of the date and time modules in Python, here's an example showing how that might be done:

import datetime
import time
import winreg


# https://stackoverflow.com/questions/6161776/convert-windows-filetime-to-second-in-unix-linux
def windows_ticks_to_unix_seconds(windows_ticks):
    return windows_ticks/10000000 - 11644473600

key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                     r"SOFTWARE\Microsoft\Internet Explorer\Image Caching")

reg_win_ts = winreg.QueryInfoKey(key)[2]  # 100’s of nanoseconds since 1601/01/01.
print(f'reg_win_ts: {reg_win_ts}')

reg_key_ts = windows_ticks_to_unix_seconds(reg_win_ts)
print(f'reg_key_ts: {reg_key_ts}')

dt = datetime.datetime.fromtimestamp(reg_key_ts)  # Convert to datetime.
print(f'dt: {dt}')
print(f'dt.strftime("%Y-%b-%d"): {dt.strftime("%Y-%b-%d")}')
print(f'dt.isoformat(): {dt.isoformat()}')

I don't know the answer to part 2 of your question regarding the scanning of the whole system instead of a specific subkey.

martineau
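An added example, not from either answer or the asker's program, that builds on the conversion above and on the asker's second question about covering more than one subkey: it walks a registry subtree with the standard winreg module, records each key's last-write time from QueryInfoKey, and diffs two snapshots to report added, removed and modified keys. The conversion uses integer arithmetic and UTC so the 100 ns resolution is kept; the watch root and depth limit are assumptions, and the walk itself only runs on Windows.

```python
import datetime
import sys
from typing import Dict, Iterator, List, Tuple

# FILETIME epoch, 1601-01-01 UTC; winreg.QueryInfoKey()[2] counts 100 ns ticks from here.
EPOCH_1601 = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime.datetime:
    # Integer arithmetic keeps the full resolution; float division rounds the low digits away.
    return EPOCH_1601 + datetime.timedelta(microseconds=ticks // 10)


def walk_key_times(hive: int, path: str, max_depth: int = 3) -> Iterator[Tuple[str, int]]:
    # Yield (key path, last-write FILETIME) for every key under hive\path, at most
    # max_depth levels down. winreg is imported here because it exists only on Windows.
    import winreg
    stack = [(path, 0)]
    while stack:
        subpath, depth = stack.pop()
        try:
            with winreg.OpenKey(hive, subpath) as key:
                n_subkeys, _n_values, last_write = winreg.QueryInfoKey(key)
                yield subpath, last_write
                if depth < max_depth:
                    for i in range(n_subkeys):
                        stack.append((subpath + "\\" + winreg.EnumKey(key, i), depth + 1))
        except OSError:
            continue  # access denied, or the key vanished between EnumKey and OpenKey


def diff_snapshots(old: Dict[str, int], new: Dict[str, int]) -> Dict[str, List[str]]:
    # Windows stores one last-write time per key (not per value), so an edited
    # value surfaces as its parent key being "modified".
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "modified": sorted(k for k in new if k in old and new[k] != old[k]),
    }


if __name__ == "__main__" and sys.platform == "win32":
    import winreg
    root = (winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Internet Explorer")  # assumed watch root
    before = dict(walk_key_times(*root))
    input("Change something under that key, then press Enter... ")
    after = dict(walk_key_times(*root))
    for kind, keys in diff_snapshots(before, after).items():
        for k in keys:
            print(f"{kind:8} {filetime_to_datetime(after.get(k, before.get(k, 0))).isoformat()}  {k}")
```

Pointing the walker at a whole hive works but is slow and skips keys the process cannot open, so for an audit keep the snapshots on disk and compare them rather than re-walking on every check.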

I've built a PyPI package that provides an abstraction layer for winreg, and adds support for getting the last modification timestamp of a value.

Install with pip install windows_tools.registry

Usage to get a single value:

from windows_tools.registry import *

get_value(hive=HKEY_LOCAL_MACHINE,
          key=r'SOFTWARE\Microsoft\Windows NT\CurrentVersion',
          value='ProductName',
          arch=KEY_WOW64_32KEY | KEY_WOW64_64KEY,
          last_modified=True)

Notice the last_modified=True argument that fetches the date the key was modified.

Usage to get multiple values based on filters:

uninstall = get_values(hive=HKEY_LOCAL_MACHINE,
                       key=r'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                       names=['DisplayName', 'Version'],
                       arch=KEY_WOW64_32KEY | KEY_WOW64_64KEY,
                       last_modified=True)

Usage to fetch whole registry trees:

uninstall_recursive = get_keys(hive=HKEY_LOCAL_MACHINE,
                               key=r'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                               recursion_level=2,
                               filter_on_names=['DisplayName', 'Version'],
                               arch=KEY_WOW64_32KEY | KEY_WOW64_64KEY,
                               last_modified=True)
Orsiris de Jong