Notifications

Clear all

How to Fix "No module named _winreg" in Volatility

General (Technical, Procedural, Software, Hardware etc.)

Last Post by jaclaz 6 years ago

3 Posts

2 Users

0 Reactions

6,245 Views

RSS

NeriMatrixx

(@nerimatrixx)

Eminent Member

Joined: 6 years ago

Posts: 26

Topic starter 25/07/2019 6:51 pm

Hello Experts,

I am a newbie at Memory Forensics, I have only played around with memory dumps 1 or 2 times. I have been watching some of 13Cubed videos on YT, in the Detecting Persistence in Memory video https://youtu.be/shF8hAprD4g he talks about the newer AutoRuns plugin WINESAP.

From Kali, I downloaded a copy of Winesap and copied all the .py files to path /usr/lib/python2.7/dist-packages/volatility/plugins. As suggested in 13Cubed video, i renamed the class "Autorun2". When I run volatility -h the newer autorun2 is listed as a plugin immediately after the original autorun plugin.

However, for all the other .py files that I copied over I get…

Volatility Foundation Volatility Framework 2.6
Failed to import volatility.plugins.installed_components (ImportError No module named _winreg)
Failed to import volatility.plugins.startup (ImportError No module named _winreg)
Failed to import volatility.plugins.image_file_exec_options (ImportError No module named _winreg)
Failed to import volatility.plugins.appinit_dlls (ImportError No module named _winreg)
Failed to import volatility.plugins.winlogon (ImportError No module named _winreg)
Failed to import volatility.plugins.service (ImportError No module named _winreg)
Failed to import volatility.plugins.winutils (ImportError No module named _winreg)
Failed to import volatility.plugins.scheduled_task (ImportError No module named _winreg)
Failed to import volatility.plugins.shortcuts (ImportError No module named _winreg)
Failed to import volatility.plugins.active_setup (ImportError No module named _winreg)
*** Failed to import volatility.plugins.run_keys (ImportError No module named _winreg)

The winutils.py file import winreg, then all the other files import winutils.

The volatility folder does NOT contain a winreg.py file, from my research it has to do with accessing Windows Registry but I can not find winreg.py anywhere online.

Quote

NeriMatrixx

(@nerimatrixx)

Eminent Member

Joined: 6 years ago

Posts: 26

Topic starter 26/07/2019 10:25 am

Where are the Volatility Gurus?

I thought this place was full of Experts…

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

27/07/2019 11:52 am

Where are the Volatility Gurus?

I thought this place was full of Experts…

They are probably on vacation.

Have you actually installed the Windows libraries?
https://gitlab.unizar.es/rrodrigu/winesap

###Dependencies

pip install pywin32 in order to work with Windows registers.

winreg should be however in the "default" install of python.
It changed name between 2 and 3 , so ther may be issues with the environment
https://docs.python.org/2/library/_winreg.html

BUT AFAIK it is on Windows only
https://ubuntuforums.org/showthread.php?t=1323946

jaclaz

ReplyQuote

8 Forums
15.7 K Topics
92.3 K Posts
260 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed