How can I read a reg_qword in winreg in python 3.4?

Question

I inserted a registry key, HKEY_LOCAL_MACHINE\SOFTWARE\test\test_qword of type REG_QWORD and value 20150509091344 (0x1253a7efba10).

I then tried to load it using winreg with the following code in Python 3.4:

import winreg
key_dir = r"SOFTWARE\test"
reg = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_dir, 0,
                     winreg.KEY_WOW64_64KEY+winreg.KEY_ALL_ACCESS)
test_dir = list(winreg.QueryValueEx(reg, r'test_qword'))[0]
print(test_dir)
ans = "".join(map(lambda b: format(b, "02x"), test_dir))
print(ans)
print(int(ans, 16))

and got the following console output:

b'\x10\xba\xef\xa7S\x12\x00\x00'
10baefa753120000
1205539352207294464

Which is not my original value. How can I retrieve my original value with winreg?

Answer 1

The code you wrote interprets the value as a big-endian-stored integer. However, REG_QWORD is stored as a little-endian number.

There's a much easier way to convert the bytes value of a 64-bit integer: using struct.unpack(). The format '<q' will read a signed 64-bit little-endian integer:

>>> struct.unpack('<q', b'\x10\xba\xef\xa7S\x12\x00\x00')
(20150509091344,)

And if you wanted to read it as big-endian:

>>> struct.unpack('>q', b'\x10\xba\xef\xa7S\x12\x00\x00')
(1205539352207294464,)

you can see it gives you the same incorrect value you were getting in your code.

More information on the format codes for struct.unpack() and its inverse, struct.pack(), are in the docs for the struct module.