Quarantine registry-value findings (HKLM, HKCU, ...)

[OpenSource-For-Freedom]

Summary

Follow-up to #27 (directory-shaped quarantine). scanner/browser_scanner.py emits a fair number of findings whose path is a registry value — browser-hijack run-keys, native-messaging hosts, side-loaded extension registrations. The vault couldn't contain them: File.Exists is false for HKLM\…, so the value stayed in the live registry and the scan report ended with Quarantine skipped (path not on disk).

What changed

QuarantineService.cs

• IsRegistryPath(string?) matches HKLM, HKCU, HKCR, HKU (and the long-form HKEY_* variants) on the first segment.
• QuarantineFile checks IsRegistryPath before NormalizeFullPath — otherwise Path.GetFullPath would mangle the string into a CWD-relative file path.
• QuarantineRegistryEntry parses the path, opens the parent key writable, and looks for a value with the matching last-segment name. If found, GetValueKind + GetValue(DoNotExpandEnvironmentNames) capture the value verbatim — important for REG_EXPAND_SZ entries that legitimately use %SystemRoot% etc. (without DoNotExpandEnvironmentNames, the restore would write a fully-expanded path that breaks on a different machine state).
• The export — hive, subkey, value name, kind, payload — is written as <leaf>.reg.json into the vault. DeleteValue runs only after the export is durable, so a crash mid-quarantine leaves the live registry intact.
• Restore for an IsRegistry record reads the JSON, opens (or creates) the subkey, and writes the captured kind + payload back via SetValue. The export file is deleted on success.
• DeleteFromVault is unchanged — the export is just another file in the vault directory.
• QuarantineRecord gains an IsRegistry flag, mutually exclusive with IsDirectory. Old records on disk default both to false and continue to behave as files.

AutomatedResponseService.cs — the existence gate now accepts registry paths alongside files and directories:

if (!File.Exists(containmentPath)
    && !Directory.Exists(containmentPath)
    && !QuarantineService.IsRegistryPath(containmentPath))
{
    report.Messages.Add($"Quarantine skipped (path not on disk): {containmentPath}");
    continue;
}

Scope choice

Value-level containment covers every shape browser_scanner.py actually emits today. Whole-key (subtree) quarantine would need recursive export + ACL preservation — a separate feature. If a path resolves to a subkey rather than a value, QuarantineRegistryEntry throws NotSupportedException with "Registry KEY quarantine is not yet implemented" instead of silently failing, so the operator sees an actionable error.

Test plan

• Plant a synthetic run-key value (HKCU\Software\Microsoft\Windows\CurrentVersion\Run, e.g. WraithTest → C:\does-not-exist.exe) and rescan. Expect the value to disappear from regedit and a WraithTest.reg.json entry to appear in the vault.
• Restore the entry from the Quarantine window. Expect the value to reappear in regedit with the original kind (REG_SZ) and data.
• Repeat with a REG_EXPAND_SZ value using %SystemRoot%\notepad.exe. Restore must preserve %SystemRoot% literally rather than expanding to the absolute path.
• Try a path that resolves to a subkey (no matching value name). Expect the scan log to surface NotSupportedException: Registry KEY quarantine is not yet implemented instead of a silent skip.
• Try an HKLM path under an unelevated build (manually disable the manifest). Expect a clear UnauthorizedAccessException rather than a corrupted half-quarantine.

https://claude.ai/code/session_01LJscMnf6U5HycjwB89m1zU

---

Generated by Claude Code

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.