# -*- coding: utf-8 -*-
"""Windows Registry plugin for parsing the last shutdown time of a system."""
from __future__ import unicode_literals
from dfdatetime import filetime as dfdatetime_filetime
from dfdatetime import semantic_time as dfdatetime_semantic_time
from plaso.containers import events
from plaso.containers import time_events
from plaso.lib import definitions
from plaso.lib import errors
from plaso.parsers import winreg
from plaso.parsers.winreg_plugins import dtfabric_plugin
from plaso.parsers.winreg_plugins import interface
class ShutdownWindowsRegistryEventData(events.EventData):
  """Event data for the last shutdown time recorded in the Windows Registry.

  Attributes:
    key_path (str): Windows Registry key path.
    value_name (str): name of the Windows Registry value.
  """

  DATA_TYPE = 'windows:registry:shutdown'

  def __init__(self):
    """Initializes event data."""
    super(ShutdownWindowsRegistryEventData, self).__init__(
        data_type=self.DATA_TYPE)
    # Both attributes start unset; the producing plugin is expected to fill
    # them in before the event is emitted.
    self.key_path = self.value_name = None
class ShutdownWindowsRegistryPlugin(
    dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin):
  """Windows Registry plugin for parsing the last shutdown time of a system."""

  NAME = 'windows_shutdown'
  DESCRIPTION = 'Parser for ShutdownTime Registry value.'

  # Only keys matching this path are handed to the plugin; the Control\Windows
  # key of the SYSTEM hive is where the ShutdownTime value is expected to live.
  FILTERS = frozenset([
      interface.WindowsRegistryKeyPathFilter(
          'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Windows')])

  # dtFabric definition file; presumably supplies the 'filetime' data type map
  # that _ParseFiletime requests — confirm against filetime.yaml.
  _DEFINITION_FILE = 'filetime.yaml'
def _ParseFiletime(self, byte_stream):
  """Reads a FILETIME date and time value from a byte stream.

  The byte stream is presumably the data of a Windows Registry value and is
  treated as untrusted: structural problems and out-of-range timestamps are
  both surfaced as ParseError instead of leaking a ValueError to the caller.

  Args:
    byte_stream (bytes): byte stream.

  Returns:
    dfdatetime.Filetime: FILETIME date and time value or None if no
        value is set (the raw value is 0).

  Raises:
    ParseError: if the FILETIME could not be parsed.
  """
  data_type_map = self._GetDataTypeMap('filetime')

  try:
    timestamp = self._ReadStructureFromByteStream(
        byte_stream, 0, data_type_map)
  except (ValueError, errors.ParseError) as exception:
    raise errors.ParseError(
        'Unable to parse FILETIME value with error: {0!s}'.format(
            exception))

  # A raw value of 0 means no shutdown time was ever recorded.
  if timestamp == 0:
    return None

  try:
    date_time = dfdatetime_filetime.Filetime(timestamp=timestamp)
  except ValueError:
    # dfdatetime rejects timestamps outside the representable range.
    raise errors.ParseError(
        'Invalid FILETIME value: 0x{0:08x}'.format(timestamp))

  return date_time
# pylint 1.9.3 wants a docstring for kwargs, but this is not useful to add.
# pylint: disable=missing-param-doc
parser_mediator.ProduceEventWithEventData(event, event_data)
# Registration happens at import time, so the plugin becomes available to the
# Windows Registry parser as soon as this module is loaded.
winreg.WinRegistryParser.RegisterPlugin(ShutdownWindowsRegistryPlugin)