plaso.parsers.winreg_plugins package¶

Submodules¶

plaso.parsers.winreg_plugins.appcompatcache module¶

Windows Registry plugin to parse the Application Compatibility Cache key.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheCachedEntry[source]¶

Bases: object

Class that contains the Application Compatibility Cache cached entry.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData[source]¶

Bases: plaso.containers.events.EventData

Class that defines AppCompatCache event data.

entry_index¶: int – cache entry index number for the record.

key_path¶: str – Windows Registry key path.

path¶: str – full path to the executable.

DATA_TYPE = 'windows:registry:appcompatcache'¶

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheHeader[source]¶

Bases: object

Class that contains the Application Compatibility Cache header.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class that parses the Application Compatibility Cache Registry data.

DESCRIPTION = 'Parser for Application Compatibility Cache Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises:	`ParseError` – if the value data could not be parsed.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'appcompatcache'¶

URLS = ['https://github.com/libyal/winreg-kb/blob/master/documentation/Application%20Compatibility%20Cache%20key.asciidoc']¶

plaso.parsers.winreg_plugins.bagmru module¶

This file contains BagMRU Windows Registry plugins (shellbags).

class plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class that defines a BagMRU Windows Registry plugin.

DESCRIPTION = 'Parser for BagMRU Registry data.'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key. codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'bagmru'¶

URLS = ['https://github.com/libyal/winreg-kb/blob/master/documentation/MRU%20keys.asciidoc#bagmru-key']¶

plaso.parsers.winreg_plugins.ccleaner module¶

Parser for the CCleaner Registry key.

class plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Gathers the CCleaner Keys for NTUSER hive.

DESCRIPTION = 'Parser for CCleaner Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'ccleaner'¶

URLS = ['http://cheeky4n6monkey.blogspot.com/2012/02/writing-ccleaner-regripper-plugin-part_05.html']¶

class plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData[source]¶

Bases: plaso.containers.events.EventData

CCleaner update event data.

key_path¶: str – Windows Registry key path.

DATA_TYPE = 'ccleaner:update'¶

plaso.parsers.winreg_plugins.default module¶

The default Windows Registry plugin.

class plaso.parsers.winreg_plugins.default.DefaultPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Default plugin that extracts minimum information from every registry key.

The default plugin will parse every registry key that is passed to it and extract minimum information, such as a list of available values and if possible content of those values. The timestamp used is the timestamp when the registry key was last modified.

DESCRIPTION = 'Parser for Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

NAME = 'winreg_default'¶

plaso.parsers.winreg_plugins.dtfabric_plugin module¶

Shared functionality for dtFabric-based data format Registry plugins.

class plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Shared functionality for dtFabric-based data format Registry plugins.

A dtFabric-based data format Windows Registry parser plugin defines its data format structures in dtFabric definition file, for example “dtfabric.yaml”:

name: int32 type: integer description: 32-bit signed integer type .. attribute:: format

signed

size¶: 4

units¶: bytes

— name: point3d aliases: [POINT] type: structure description: Point in 3 dimensional space. .. attribute:: byte_order

little-endian

members: - name: x

aliases: [XCOORD] data_type: int32

name: y data_type: int32
name: z data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition files contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represent the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to: * define a definition file and override _DEFINITION_FILE; * implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

plaso.parsers.winreg_plugins.interface module¶

The Windows Registry plugin interface.

class plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter[source]¶

Bases: object

Class that defines the Windows Registry key filter interface.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters:	registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:	True if the keys match.
Return type:	bool

key_paths¶: List of key paths defined by the filter.

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter(key_path)[source]¶

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters:	registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:	True if the keys match.
Return type:	bool

key_paths¶: List of key paths defined by the filter.

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathPrefixFilter(key_path_prefix)[source]¶

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path prefix filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters:	registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:	True if the keys match.
Return type:	bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathSuffixFilter(key_path_suffix)[source]¶

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path suffix filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters:	registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:	True if the keys match.
Return type:	bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter(value_names)[source]¶

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key with values filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters:	registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:	True if the keys match.
Return type:	bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin[source]¶

Bases: plaso.parsers.plugins.BasePlugin

The Windows Registry plugin interface.

DESCRIPTION = 'Parser for Windows Registry value data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset()¶

NAME = 'winreg_plugin'¶

Process(parser_mediator, registry_key, **kwargs)[source]¶

Processes a Windows Registry key or value.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises:	`ValueError` – If the Windows Registry key is not set.

URLS = []¶

UpdateChainAndProcess(parser_mediator, registry_key, **kwargs)[source]¶

Updates the parser chain and processes a Windows Registry key or value.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises:	`ValueError` – If the Windows Registry key is not set.

plaso.parsers.winreg_plugins.lfu module¶

Plug-in to collect the Less Frequently Used Keys.

class plaso.parsers.winreg_plugins.lfu.BootExecutePlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the BootExecute Value from the Session Manager key.

DESCRIPTION = 'Parser for Boot Execution Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_boot_execute'¶

URLS = ['http://technet.microsoft.com/en-us/library/cc963230.aspx']¶

class plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the Boot Verification Key.

DESCRIPTION = 'Parser for Boot Verification Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_boot_verify'¶

URLS = ['http://technet.microsoft.com/en-us/library/cc782537(v=ws.10).aspx']¶

plaso.parsers.winreg_plugins.mountpoints module¶

This file contains the MountPoints2 plugin.

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MountPoints2 key.

DESCRIPTION = 'Parser for mount points Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'explorer_mountpoints2'¶

URLS = ['http://support.microsoft.com/kb/932463']¶

plaso.parsers.winreg_plugins.mrulist module¶

This file contains a MRUList Registry plugin.

class plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class for common MRUList Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUList.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key. codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mrulist_shell_item_list'¶

URLS = ['https://github.com/libyal/winreg-kb/wiki/MRU-keys']¶

class plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters:	registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:	True if the Windows Registry key matches the filter.
Return type:	bool

class plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUList.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key. codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter object>})¶

NAME = 'mrulist_string'¶

URLS = ['http://forensicartifacts.com/tag/mru/']¶

plaso.parsers.winreg_plugins.mrulistex module¶

This file contains MRUListEx Windows Registry plugins.

class plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class for common MRUListEx Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUListEx.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key. codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mrulistex_shell_item_list'¶

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item list MRUListEx.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key. codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mrulistex_string_and_shell_item_list'¶

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item MRUListEx.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key. codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mrulistex_string_and_shell_item'¶

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters:	registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:	True if the Windows Registry key matches the filter.
Return type:	bool

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUListEx.

DESCRIPTION = 'Parser for Most Recently Used (MRU) Registry data.'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key. codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter object>})¶

NAME = 'mrulistex_string'¶

URLS = ['http://forensicartifacts.com/2011/02/recentdocs/', 'https://github.com/libyal/winreg-kb/wiki/MRU-keys']¶

plaso.parsers.winreg_plugins.msie_zones module¶

This file contains the MSIE zone settings plugin.

class plaso.parsers.winreg_plugins.msie_zones.MsieZoneSettingsPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MSIE Zones settings.

The MSIE Feature controls are stored in the Zone specific subkeys in:: Internet SettingsZones key Internet SettingsLockdown_Zones key

DESCRIPTION = 'Parser for Internet Explorer zone settings Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'msie_zone'¶

URLS = ['http://support.microsoft.com/kb/182569']¶

plaso.parsers.winreg_plugins.network_drives module¶

This file contains the Network registry plugin.

class plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Network key.

DESCRIPTION = 'Parser for Network Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'network_drives'¶

plaso.parsers.winreg_plugins.networks module¶

This file contains the NetworkList registry plugin.

class plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for parsing the NetworkList key.

DESCRIPTION = 'Parser for NetworkList data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'networks'¶

class plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkEventData[source]¶

Bases: plaso.containers.events.EventData

Windows network event data.

connection_type¶: str – type of connection.

default_gateway_mac¶: str – MAC address for the default gateway.

description¶: str – description of the wireless connection.

dns_suffix¶: str – DNS suffix.

ssid¶: str – SSID of the connection.

DATA_TYPE = 'windows:registry:network'¶

plaso.parsers.winreg_plugins.officemru module¶

“Windows Registry plugin for the Microsoft Office MRU.

class plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plugin that parses Microsoft Office MRU keys.

DESCRIPTION = 'Parser for Microsoft Office MRU Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'microsoft_office_mru'¶

class plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData[source]¶

Bases: plaso.containers.events.EventData

Microsoft Office MRU Windows Registry event data.

key_path¶: str – Windows Registry key path.

value_string¶: str – MRU value.

DATA_TYPE = 'windows:registry:office_mru'¶

plaso.parsers.winreg_plugins.outlook module¶

This file contains an Outlook Registry parser.

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin parsing Outlook Search MRU keys.

DESCRIPTION = 'Parser for Microsoft Outlook search MRU Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'microsoft_outlook_mru'¶

plaso.parsers.winreg_plugins.programscache module¶

Windows Registry plugin to parse the Explorer ProgramsCache key.

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class that parses the Explorer ProgramsCache Registry data.

DESCRIPTION = 'Parser for Explorer ProgramsCache Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'explorer_programscache'¶

URLS = ['https://github.com/libyal/winreg-kb/blob/master/documentation/Programs%20Cache%20values.asciidoc']¶

plaso.parsers.winreg_plugins.run module¶

This file contains the Run/RunOnce Key plugins for Plaso.

class plaso.parsers.winreg_plugins.run.AutoRunsPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing user specific auto runs.

DESCRIPTION = 'Parser for run and run once Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_run'¶

URLS = ['http://msdn.microsoft.com/en-us/library/aa376977(v=vs.85).aspx']¶

plaso.parsers.winreg_plugins.sam_users module¶

“Windows Registry plugin for SAM Users Account information.

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData[source]¶

Bases: plaso.containers.events.EventData

Class that defines SAM users Windows Registry event data.

account_rid¶: int – account relative identifier (RID).

comments¶: str – comments.

fullname¶: str – full name.

key_path¶: str – Windows Registry key path.

login_count¶: int – login count.

username¶: str – a string containing the username.

DATA_TYPE = 'windows:registry:sam_users'¶

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for SAM Users Account information.

DESCRIPTION = 'Parser for SAM Users and Names Registry keys.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_sam_users'¶

plaso.parsers.winreg_plugins.services module¶

Plug-in to format the Services and Drivers key with Start and Type values.

class plaso.parsers.winreg_plugins.services.ServicesPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to format the Services and Drivers keys having Type and Start.

DESCRIPTION = 'Parser for services and drivers Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter object>})¶

GetServiceDll(key)[source]¶

Get the Service DLL for a service, if it exists.

Checks for a ServiceDLL for in the Parameters subkey of a service key in the Registry.

Parameters:	key (dfwinreg.WinRegistryKey) – a Windows Registry key.
Returns:	path of the service DLL or None.
Return type:	str

NAME = 'windows_services'¶

URLS = ['http://support.microsoft.com/kb/103000']¶

plaso.parsers.winreg_plugins.shutdown module¶

Windows Registry plugin for parsing the last shutdown time of a system.

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData[source]¶

Bases: plaso.containers.events.EventData

Shutdown Windows Registry event data.

key_path¶: str – Windows Registry key path.

value_name¶: str – name of the Windows Registry value.

DATA_TYPE = 'windows:registry:shutdown'¶

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for parsing the last shutdown time of a system.

DESCRIPTION = 'Parser for ShutdownTime Registry value.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a ShutdownTime Windows Registry value.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_shutdown'¶

plaso.parsers.winreg_plugins.task_scheduler module¶

This file contains the Task Scheduler Registry keys plugins.

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData[source]¶

Bases: plaso.containers.events.EventData

Task Cache event data.

task_name¶: str – name of the task.

task_identifier¶: str – identifier of the task.

DATA_TYPE = 'task_scheduler:task_cache:entry'¶

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Plugin that parses a Task Cache key.

DESCRIPTION = 'Parser for Task Scheduler cache Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_task_cache'¶

URLS = ['https://github.com/libyal/winreg-kb/blob/master/documentation/Task%20Scheduler%20Keys.asciidoc']¶

plaso.parsers.winreg_plugins.terminal_server module¶

This file contains the Terminal Server Registry plugins.

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection MRUs keys.

DESCRIPTION = 'Parser for Terminal Server Client MRU Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Terminal Server Client MRU Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mstsc_rdp_mru'¶

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection keys.

DESCRIPTION = 'Parser for Terminal Server Client Connection Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Terminal Server Client Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mstsc_rdp'¶

plaso.parsers.winreg_plugins.timezone module¶

Plug-in to collect information about the Windows timezone settings.

class plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows timezone settings.

DESCRIPTION = 'Parser for Windows timezone settings.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_timezone'¶

plaso.parsers.winreg_plugins.typedurls module¶

File containing a Windows Registry plugin to parse the typed URLs key.

class plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

A Windows Registry plugin for typed URLs history.

DESCRIPTION = 'Parser for Explorer typed URLs Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_typed_urls'¶

plaso.parsers.winreg_plugins.usb module¶

File containing a Windows Registry plugin to parse the USB Device key.

class plaso.parsers.winreg_plugins.usb.USBPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USB Windows Registry plugin for last connection time.

DESCRIPTION = 'Parser for USB device Registry entries.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_usb_devices'¶

URLS = ['https://msdn.microsoft.com/en-us/library/windows/hardware/jj649944%28v=vs.85%29.aspx']¶

plaso.parsers.winreg_plugins.usbstor module¶

File containing a Windows Registry plugin to parse the USBStor key.

class plaso.parsers.winreg_plugins.usbstor.USBStorPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USBStor key plugin.

DESCRIPTION = 'Parser for USB Plug And Play Manager USBStor Registry Key.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_usbstor_devices'¶

URLS = ['http://www.forensicswiki.org/wiki/USB_History_Viewing']¶

plaso.parsers.winreg_plugins.userassist module¶

The UserAssist Windows Registry plugin.

class plaso.parsers.winreg_plugins.userassist.UserAssistPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Plugin that parses an UserAssist key.

DESCRIPTION = 'Parser for User Assist Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>})¶

NAME = 'userassist'¶

URLS = ['http://blog.didierstevens.com/programs/userassist/', 'https://code.google.com/p/winreg-kb/wiki/UserAssistKeys', 'http://intotheboxes.files.wordpress.com/2010/04/intotheboxes_2010_q1.pdf']¶

class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData[source]¶

Bases: plaso.containers.events.EventData

UserAssist Windows Registry event data.

application_focus_count¶: int – application focus count.

application_focus_duration¶: int – application focus duration.

entry_index¶: int – entry index.

key_path¶: str – Windows Registry key path.

number_of_executions¶: int – nubmer of executions.

regvalue¶: dict[str, str] – UserAssist values.

value_name¶: str – name of the Windows Registry value.

DATA_TYPE = 'windows:registry:userassist'¶

class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter(user_assist_guid)[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter

UserAssist Windows Registry key path filter.

plaso.parsers.winreg_plugins.windows_version module¶

Plug-in to collect information about the Windows version.

class plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows version.

DESCRIPTION = 'Parser for Windows version Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_version'¶

plaso.parsers.winreg_plugins.winlogon module¶

This file contains the Winlogon Registry plugin.

class plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Winlogon key.

DESCRIPTION = 'Parser for winlogon Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'winlogon'¶

plaso.parsers.winreg_plugins.winrar module¶

This file contains a Windows Registry plugin for WinRAR Registry key.

class plaso.parsers.winreg_plugins.winrar.WinRarHistoryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing WinRAR History keys.

DESCRIPTION = 'Parser for WinRAR History Registry data.'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters:	parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs. registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'winrar_mru'¶

Module contents¶

Imports for the Windows Registry parser.