def testProcessWindows10Creator(self):
"""Tests the Process function for Windows 10 Creator AppCompatCache data."""
test_file_entry = TestFileEntry('SYSTEM-Windows10-Creator')
registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061',
self._TEST_DATA_10_CREATOR)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry,
parser_chain=plugin.NAME)
self.assertEqual(storage_writer.number_of_events, 1)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'date_time':
'2017-03-16 22:56:01.2487145',
'data_type':
'windows:registry:appcompatcache',
'entry_index':
1,
'key_path':
self._TEST_KEY_PATH,
'path': ('C:\\Program Files (x86)\\NVIDIA Corporation\\3D Vision\\'
'nvstreg.exe')
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindows7(self):
"""Tests the Process function for Windows 7 AppCompatCache data."""
test_file_entry = self._GetTestFileEntry(['SYSTEM'])
key_path = ('HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\'
'Session Manager\\AppCompatCache')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry,
parser_chain=plugin.NAME)
self.assertEqual(storage_writer.number_of_events, 330)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'date_time': '2012-04-04 01:46:37.9329644',
'data_type': 'windows:registry:appcompatcache',
'entry_index': 10,
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
'parser': plugin.NAME,
'path': '\\??\\C:\\Windows\\PSEXESVC.EXE'
}
self.CheckEventValues(storage_writer, events[9], expected_event_values)
def testProcessWindows10(self):
"""Tests the Process function for Windows 10 AppCompatCache data."""
test_file_entry = TestFileEntry('SYSTEM-Windows10')
registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061',
self._TEST_DATA_10)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry,
parser_chain=plugin.NAME)
self.assertEqual(storage_writer.number_of_events, 1)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'date_time': '2014-09-22 06:42:39.0000000',
'data_type': 'windows:registry:appcompatcache',
'entry_index': 1,
'key_path': self._TEST_KEY_PATH,
'path': 'C:\\Windows\\system32\\MpSigStub.exe'
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindows2003(self):
"""Tests the Process function for Windows 2003 AppCompatCache data."""
test_file_entry = TestFileEntry('SYSTEM-Windows2003')
registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061',
self._TEST_DATA_2003)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry,
parser_chain=plugin.NAME)
self.assertEqual(storage_writer.number_of_events, 1)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'date_time':
'2003-03-24 20:32:18.0000000',
'data_type':
'windows:registry:appcompatcache',
'entry_index':
1,
'key_path':
self._TEST_KEY_PATH,
'path':
('\\??\\C:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\ngen.exe'
)
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindowsVista(self):
"""Tests the Process function for Windows Vista AppCompatCache data."""
test_file_entry = TestFileEntry('SYSTEM-Vista')
registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061',
self._TEST_DATA_VISTA)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry,
parser_chain=plugin.NAME)
self.assertEqual(storage_writer.number_of_events, 1)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'date_time': '2006-11-02 12:35:24.7041218',
'data_type': 'windows:registry:appcompatcache',
'entry_index': 1,
'key_path': self._TEST_KEY_PATH,
'path': '\\??\\C:\\Windows\\SYSTEM32\\WISPTIS.EXE'
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindows10(self):
"""Tests the Process function for Windows 10 AppCompatCache data."""
test_file_entry = TestFileEntry('SYSTEM-Windows10')
registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061',
self._TEST_DATA_10)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key,
plugin,
file_entry=test_file_entry,
parser_chain=plugin.plugin_name)
self.assertEqual(storage_writer.number_of_errors, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event_index = 0
event = events[event_index]
expected_path = 'C:\\Windows\\system32\\MpSigStub.exe'
expected_message = '[{0:s}] Cached entry: {1:d} Path: {2:s}'.format(
event.key_path, event_index + 1, expected_path)
expected_short_message = 'Path: {0:s}'.format(expected_path)
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testProcessWindowsXP(self):
"""Tests the Process function for Windows XP AppCompatCache data."""
test_file_entry = TestFileEntry('SYSTEM-XP')
registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061',
self._TEST_DATA_XP)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry,
parser_chain=plugin.NAME)
self.assertEqual(storage_writer.number_of_events, 2)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'date_time': '2004-08-04 14:00:00.0000000',
'data_type': 'windows:registry:appcompatcache',
'entry_index': 1,
'key_path': self._TEST_KEY_PATH,
'path': '\\??\\C:\\WINDOWS\\system32\\hticons.dll'
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindows10Creator(self):
"""Tests the Process function for Windows 10 Creator AppCompatCache data."""
test_file_entry = TestFileEntry('SYSTEM-Windows10-Creator')
registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061',
self._TEST_DATA_10_CREATOR)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key,
plugin,
file_entry=test_file_entry,
parser_chain=plugin.plugin_name)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event_index = 0
event = events[event_index]
expected_path = (
'C:\\Program Files (x86)\\NVIDIA Corporation\\3D Vision\\nvstreg.exe'
)
expected_message = '[{0:s}] Cached entry: {1:d} Path: {2:s}'.format(
event.key_path, event_index + 1, expected_path)
expected_short_message = 'Path: {0:s}'.format(expected_path)
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testProcessWindows2003(self):
"""Tests the Process function for Windows 2003 AppCompatCache data."""
test_file_entry = TestFileEntry('SYSTEM-Windows2003')
registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061',
self._TEST_DATA_2003)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key,
plugin,
file_entry=test_file_entry,
parser_chain=plugin.plugin_name)
self.assertEqual(storage_writer.number_of_errors, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event_index = 0
event = events[event_index]
expected_path = (
'\\??\\C:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\ngen.exe')
expected_message = '[{0:s}] Cached entry: {1:d} Path: {2:s}'.format(
event.key_path, event_index + 1, expected_path)
expected_short_message = 'Path: {0:s}'.format(expected_path)
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testProcessWindowsVista(self):
"""Tests the Process function for Windows Vista AppCompatCache data."""
test_file_entry = TestFileEntry('SYSTEM-Vista')
registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061',
self._TEST_DATA_VISTA)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key,
plugin,
file_entry=test_file_entry,
parser_chain=plugin.plugin_name)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event_index = 0
event = events[event_index]
event_data = self._GetEventDataOfEvent(storage_writer, event)
expected_path = '\\??\\C:\\Windows\\SYSTEM32\\WISPTIS.EXE'
expected_message = '[{0:s}] Cached entry: {1:d} Path: {2:s}'.format(
event_data.key_path, event_index + 1, expected_path)
expected_short_message = 'Path: {0:s}'.format(expected_path)
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testProcessWindows7(self):
"""Tests the Process function for Windows 7 AppCompatCache data."""
test_file_entry = self._GetTestFileEntry(['SYSTEM'])
key_path = (
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\'
'Session Manager\\AppCompatCache')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key, plugin, file_entry=test_file_entry,
parser_chain=plugin.plugin_name)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 330)
events = list(storage_writer.GetEvents())
event_index = 9
event = events[event_index]
self.CheckTimestamp(event.timestamp, '2012-04-04 01:46:37.932964')
self.assertEqual(event.pathspec, test_file_entry.path_spec)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event.parser, plugin.plugin_name)
expected_path = '\\??\\C:\\Windows\\PSEXESVC.EXE'
expected_message = '[{0:s}] Cached entry: {1:d} Path: {2:s}'.format(
event.key_path, event_index + 1, expected_path)
expected_short_message = 'Path: {0:s}'.format(expected_path)
self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcessWindows8_1(self):
"""Tests the Process function for Windows 8.1 AppCompatCache data."""
test_file_entry = TestFileEntry('SYSTEM-Windows8.1')
registry_key = self._CreateTestKey(
'2015-06-15 11:53:37.043061', self._TEST_DATA_8_1)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key, plugin, file_entry=test_file_entry,
parser_chain=plugin.NAME)
number_of_events = storage_writer.GetNumberOfAttributeContainers('event')
self.assertEqual(number_of_events, 1)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'date_time': '2013-08-22 12:35:25.3750709',
'data_type': 'windows:registry:appcompatcache',
'entry_index': 1,
'key_path': self._TEST_KEY_PATH,
'path': 'SYSVOL\\Windows\\System32\\dllhost.exe'}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindows8_0(self):
"""Tests the Process function for Windows 8.0 AppCompatCache data."""
test_file_entry = TestFileEntry('SYSTEM-Windows8.0')
registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061',
self._TEST_DATA_8_0)
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key,
plugin,
file_entry=test_file_entry,
parser_chain=plugin.plugin_name)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
expected_event_values = {
'data_type': 'windows:registry:appcompatcache',
'entry_index': 1,
'key_path': self._TEST_KEY_PATH,
'path': 'SYSVOL\\Windows\\System32\\wbem\\WmiPrvSE.exe',
'timestamp': '2012-02-18 05:18:23.935000'
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testFilters(self):
"""Tests the FILTERS class attribute."""
plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin()
key_path = ('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\'
'Session Manager\\AppCompatibility')
self._AssertFiltersOnKeyPath(plugin, key_path)
key_path = ('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\'
'Session Manager\\AppCompatCache')
self._AssertFiltersOnKeyPath(plugin, key_path)
self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
