Skip to content

Create keyboard inputlocales artifact #1165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Guzzy711 wants to merge 3 commits into from
Closed

Create keyboard inputlocales artifact #1165

Guzzy711 wants to merge 3 commits into from

Conversation

@Guzzy711
Copy link

@Guzzy711 Guzzy711 commented Jan 3, 2026

No description provided.

@CLAassistant
Copy link

CLAassistant commented Jan 3, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@Guzzy711
Enhance KeyboardInputLocales artifact description
8d34f8b 
Updated description to include USERS registry hive and corrected a reference link.
@Guzzy711
Modify author field in KeyboardInputLocales.yaml
d161b9a 
Updated author information in KeyboardInputLocales.yaml
@mgreen27
Copy link
Collaborator

mgreen27 commented Jan 5, 2026

I think you definitely want to have a MTime output for each row on this one.
I cant comment too much on workflow at scale yet for this one, I have found also outputting some of the other fields in the system keys are helpful context.

@scudette
Copy link
Collaborator

scudette commented Jan 5, 2026

  • This is probably better written with read_reg_key()
  • I think this needs to go in the registry hunter rather than its own separate artifact. Probably we dont want to have thousands of separate artifacts for registry artifacts.

@Guzzy711
Copy link
Author

Guzzy711 commented Jan 5, 2026

Sure, I will look at making it use the registry hunter. But from reading the docs, is it required to import the registry hunter, or is it part of newer versions of Velociraptor?

@scudette
Copy link
Collaborator

scudette commented Jan 5, 2026
edited
Loading

I added the rules to the registry hunter here https://github.com/Velocidex/registry_hunter/blob/a7e0abc27274d84bde40f4dbbbb5eb4faa71faf2/Rules/Velociraptor-Rules.yaml#L912

i also realized that there is no document that helps people when they want to add new rules - so I made it here
https://registry-hunter.velocidex.com/docs/registry_hunter/develop/

It is better to use the registry hunter for this artifact because it takes care of the user hives by itself - this artifact does not handle the case where a user is not currently logged in and the raw registry hive needs to be parsed.

@Guzzy711
Copy link
Author

Guzzy711 commented Jan 7, 2026

I finally had the time to look at the registry hunter. I like the idea about the whole idea about rules and making it easier to write artifacts without reinventing the wheel. Will def use that for the future. In terms of this PR, what would be the approach, since I guess it doesn't really make sense to merge this artifact into the exchange, hence we got it in the registry hunter library?

@scudette
Copy link
Collaborator

scudette commented Jan 7, 2026

We have a to-do to remove pure registry artifacts from the exchange in favor of the registry hunter - I think we should drop this PR.

@Guzzy711
Copy link
Author

Guzzy711 commented Jan 7, 2026

Aight, let's go with that. 😄

@Guzzy711 Guzzy711 closed this Jan 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Guzzy711 @CLAassistant @mgreen27 @scudette