# -*- coding: utf-8 -*-
"""This file contains an Outlook Registry parser."""
from __future__ import unicode_literals
from plaso.containers import time_events
from plaso.containers import windows_events
from plaso.lib import definitions
from plaso.parsers import winreg
from plaso.parsers.winreg_plugins import interface
[docs]class OutlookSearchMRUPlugin(interface.WindowsRegistryPlugin):
"""Windows Registry plugin parsing Outlook Search MRU keys."""
NAME = 'microsoft_outlook_mru'
DESCRIPTION = 'Parser for Microsoft Outlook search MRU Registry data.'
FILTERS = frozenset([
interface.WindowsRegistryKeyPathFilter(
'HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\14.0\\Outlook\\'
'Search'),
interface.WindowsRegistryKeyPathFilter(
'HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\'
'Search')])
# TODO: The catalog for Office 2013 (15.0) contains binary values not
# dword values. Check if Office 2007 and 2010 have the same. Re-enable the
# plug-ins once confirmed and OutlookSearchMRUPlugin has been extended to
# handle the binary data or create a OutlookSearchCatalogMRUPlugin.
# Registry keys for:
# MS Outlook 2007 Search Catalog:
# 'HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\12.0\\Outlook\\'
# 'Catalog'
# MS Outlook 2010 Search Catalog:
# 'HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\14.0\\Outlook\\'
# 'Search\\Catalog'
# MS Outlook 2013 Search Catalog:
# 'HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\'
# 'Search\\Catalog'
_SOURCE_APPEND = ': PST Paths'
# pylint 1.9.3 wants a docstring for kwargs, but this is not useful to add.
# pylint: disable=missing-param-doc
parser_mediator.ProduceEventWithEventData(event, event_data)
winreg.WinRegistryParser.RegisterPlugin(OutlookSearchMRUPlugin)