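import ctypes
from ctypes import wintypes

ntdll = ctypes.WinDLL('ntdll')

# Only the registry constants this script needs (values as in winnt.h / ntddk.h).
REG_SZ = 1
RTL_REGISTRY_CONTROL = 2  # Path is relative to HKLM\SYSTEM\CurrentControlSet\Control
STATUS_SUCCESS = 0

NTSTATUS = wintypes.LONG

# Callback type RtlQueryRegistryValues invokes for each matching value.  Per its
# documentation, a REG_MULTI_SZ value is delivered one string at a time, each
# typed REG_SZ, unless the entry sets RTL_QUERY_REGISTRY_NOEXPAND in Flags.
PRTL_QUERY_REGISTRY_ROUTINE = ctypes.WINFUNCTYPE(
    NTSTATUS,
    wintypes.LPWSTR,   # ValueName
    wintypes.ULONG,    # ValueType
    wintypes.LPVOID,   # ValueData
    wintypes.ULONG,    # ValueLength (bytes)
    wintypes.LPVOID,   # Context
    wintypes.LPVOID)   # EntryContext


class RTL_QUERY_REGISTRY_TABLE(ctypes.Structure):
    """One entry of the query table handed to RtlQueryRegistryValues.

    The table is terminated by an entry whose QueryRoutine and Name are both
    NULL; callers therefore allocate one extra zero-initialised element.
    """
    _fields_ = (('QueryRoutine', PRTL_QUERY_REGISTRY_ROUTINE),
                ('Flags', wintypes.ULONG),
                ('Name', wintypes.LPWSTR),
                ('EntryContext', wintypes.LPVOID),
                ('DefaultType', wintypes.ULONG),
                ('DefaultData', wintypes.LPVOID),
                ('DefaultLength', wintypes.ULONG))


PRTL_QUERY_REGISTRY_TABLE = ctypes.POINTER(RTL_QUERY_REGISTRY_TABLE)

ntdll.RtlQueryRegistryValues.restype = NTSTATUS
ntdll.RtlQueryRegistryValues.argtypes = (
    wintypes.ULONG,             # _In_ RelativeTo
    wintypes.LPCWSTR,           # _In_ Path
    PRTL_QUERY_REGISTRY_TABLE,  # _Inout_ QueryTable
    wintypes.LPVOID,            # _In_opt_ Context
    wintypes.LPVOID)            # _In_opt_ Environment


@PRTL_QUERY_REGISTRY_ROUTINE
def query_routine(value_name, value_type, value_data, value_length,
                  context, entry_context):
    """Print one registry value as ``name, type, data`` and return STATUS_SUCCESS.

    A non-zero return would abort the enumeration and become the result of
    RtlQueryRegistryValues.  Note that a Python exception raised inside a
    ctypes callback cannot propagate to the native caller; ctypes reports it
    on stderr and returns 0, so the decoding below is kept deliberately simple.

    Only REG_SZ data is decoded.  Other types are reported by size rather than
    by the raw ValueData pointer, which is meaningless once printed.
    """
    if value_type == REG_SZ:
        type_name = 'REG_SZ'
        # Bound the read by ValueLength (bytes -> UTF-16 code units) instead
        # of scanning for a terminator; the length includes the trailing NUL,
        # which is stripped here.
        if value_data and value_length:
            text = ctypes.wstring_at(value_data, value_length // 2).rstrip('\0')
        else:
            text = ''
    else:
        type_name = value_type
        text = f'<{value_length} bytes>'
    print(value_name, type_name, text, sep=', ')
    return STATUS_SUCCESS


def main():
    """Enumerate the PendingFileRenameOperations value (read-only).

    The value lists file moves/deletes Windows applies at the next boot, which
    is why it is commonly inspected for pending-reboot and integrity checks.

    Raises:
        OSError: if RtlQueryRegistryValues returns a failure NTSTATUS.
    """
    relative_to = RTL_REGISTRY_CONTROL
    path = 'Session Manager'  # -> HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
    value_name = 'PendingFileRenameOperations'

    # Two elements: the query entry followed by the all-zero terminator entry.
    query_table = (RTL_QUERY_REGISTRY_TABLE * 2)(
        (query_routine, 0, value_name))
    status = ntdll.RtlQueryRegistryValues(relative_to, path, query_table,
                                          None, None)
    if status != STATUS_SUCCESS:
        # An explicit check rather than assert, which `python -O` strips.
        raise OSError(f'RtlQueryRegistryValues failed with NTSTATUS '
                      f'0x{status & 0xFFFFFFFF:08X}')


if __name__ == '__main__':
    main()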