How to get the actual registry key name?
Is there a way to get the actual name of registry keys using MemProcFS? The names can contain certain characters which MemProcFS replaces with '_' so that the name becomes a valid file name. Is there a way to retrieve the original name? I could not find the original name in the MemProcFS file structure or via the API.
Example using the Python API:

```python
import memprocfs

# Open the memory image with the MemProcFS Python API
vmm = memprocfs.Vmm(['-device', 'C:\\memory_images\\win10.raw'])

# UserAssist 'Count' key for the user hive 'User1'
regkey_userassist = vmm.reg_key('HKU\\User1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count')

# Enumerate the values under the key and print their names
for regvalue in regkey_userassist.values():
    print(regvalue.name)
```
This example does not print out the actual names, it outputs the names with the ':' and '\' characters replaced by '_'.
This is quite an oversight on my part. It's currently not possible to retrieve the correct non-mangled name of a reg value.
I should add it as name_nomangle or name_original or something on both keys and values.
To resolve this it most probably requires breaking API changes to the C/C++ API, and I'd rather not do it mid-version (and I just released 5.13). I'll give it some thought and maybe it would be possible for me to add support for it anyway, otherwise it will have to wait until 5.14 which is due next year. I'll keep you updated in this thread.
As for querying keys with names with illegal file system chars in the path directly by vmm.reg_key or vmm.reg_value I'm afraid that won't be possible. Backslash \ is the path separator and I really have to treat it that way. I don't know if it's possible to query values/keys with : though, and I guess that should be possible to support. But never backslash unfortunately. To get values containing a backslash you'd have to do an enumeration like you do in your example...
I'll keep you updated on this.
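The following is an added example, not code from the thread or from the MemProcFS project, showing the enumeration workaround described in the reply: because a name containing a backslash cannot be passed to `vmm.reg_value()`, a value is located by enumerating the parent key and comparing against the mangled form of the name you are looking for. It assumes only what the thread states (':' and '\' become '_'; the real character set may be wider) and that UserAssist value names are the ROT13 of the executed program's path. The `RegValue` class and `SAMPLE_VALUES` are constructed stand-ins for what `regkey.values()` yields, so the script runs offline without a memory image.

```python
import codecs
from dataclasses import dataclass

# Characters the thread confirms MemProcFS rewrites to '_' so the name is a valid file name.
# Assumption: the real set may be wider; only ':' and '\' are confirmed on the page.
MANGLED_CHARS = frozenset(':\\')


def mangle_name(name: str) -> str:
    """Reproduce the file-name mangling described in the thread (':' and '\\' -> '_')."""
    return ''.join('_' if ch in MANGLED_CHARS else ch for ch in name)


def userassist_value_name(path: str) -> str:
    """UserAssist stores the ROT13 of the program path as the value name."""
    return codecs.encode(path, 'rot_13')


@dataclass
class RegValue:
    """Constructed stand-in for the objects yielded by regkey.values() in the Python API."""
    name: str      # the mangled name, as MemProcFS returns it
    value: bytes


def find_values_for_original(values, original_name):
    """Enumerate the key's values and keep those whose (mangled) name equals the
    mangled form of the original name we are looking for.
    Mangling is lossy ('a:b' and 'a\\b' both become 'a_b'), so the result is a list of
    candidates, not a single certain match."""
    wanted = mangle_name(original_name)
    return [v for v in values if v.name == wanted]


def hits_for_path(values, path):
    """Candidate UserAssist entries for an executed program path (e.g. one seen in another artifact)."""
    return find_values_for_original(values, userassist_value_name(path))


def possibly_mangled(name):
    """True if the returned name contains '_' and so may have had ':' or '\\' rewritten.
    An underscore is not proof of mangling: some original names contain '_' themselves."""
    return '_' in name


# Constructed sample of what regkey_userassist.values() might yield: two executed programs
# plus the session counter whose ROT13 name ('HRZR_PGYFRFFVBA') legitimately contains '_'.
SAMPLE_VALUES = [
    RegValue(mangle_name(userassist_value_name('C:\\Windows\\System32\\cmd.exe')), b'\x00' * 72),
    RegValue(mangle_name(userassist_value_name('C:\\Users\\User1\\Downloads\\tool.exe')), b'\x00' * 72),
    RegValue('HRZR_PGYFRFFVBA', b'\x00' * 8),
]

if __name__ == '__main__':
    for v in SAMPLE_VALUES:
        print(v.name, '(possibly mangled)' if possibly_mangled(v.name) else '')
    for hit in hits_for_path(SAMPLE_VALUES, 'C:\\Windows\\System32\\cmd.exe'):
        print('candidate:', hit.name)
```

With a real image, replace `SAMPLE_VALUES` with `regkey_userassist.values()` from the example above; the comparison works because both sides are passed through the same mangling. Treat every hit as a candidate and confirm it against the value data, since distinct original names can collapse to the same mangled name.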