Beispiel #1
    def testProcess(self):
        """Tests the Process function against the LastVisitedPidlMRU key.

        The plugin is run directly on the ComDlg32 LastVisitedPidlMRU key of
        the NTUSER-WIN7.DAT test hive. As the expected entries below show,
        every MRU value pairs a string (an executable name or a GUID) with a
        shell item path, which is what makes this key useful as a record of
        per-user program and folder activity.
        """
        key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer\\ComDlg32\\LastVisitedPidlMRU')

        # The expected rendering lists entries in MRU order (Index), not in
        # registry value order (MRU Value). Several shell items render as
        # <UNKNOWN: 0x00> while the warning count asserted below is 0, so this
        # string pins the current output and does not imply that every shell
        # item in the key was resolved.
        expected_entries = (
            'Index: 1 [MRU Value 1]: Path: chrome.exe, '
            'Shell item path: <Users Libraries> <UNKNOWN: 0x00> <UNKNOWN: 0x00> '
            '<UNKNOWN: 0x00> '
            'Index: 2 [MRU Value 7]: '
            'Path: {48E1ED6B-CF49-4609-B1C1-C082BFC3D0B4}, '
            'Shell item path: <Shared Documents Folder (Users Files)> '
            '<UNKNOWN: 0x00>\\Alloy Research '
            'Index: 3 [MRU Value 6]: '
            'Path: {427865A0-03AF-4F25-82EE-10B6CB1DED3E}, '
            'Shell item path: <Users Libraries> <UNKNOWN: 0x00> <UNKNOWN: 0x00> '
            'Index: 4 [MRU Value 5]: '
            'Path: {24B5C9BB-48B5-47FF-8343-40481DBA1E2B}, '
            'Shell item path: <My Computer> C:\\Users\\nfury\\Documents '
            'Index: 5 [MRU Value 4]: '
            'Path: {0B8CFE96-DB69-4D33-8E3C-36EAB4F709E0}, '
            'Shell item path: <My Computer> C:\\Users\\nfury\\Documents\\'
            'Alloy Research '
            'Index: 6 [MRU Value 3]: '
            'Path: {D4F85F66-003D-4127-BCE9-CAD7A57B2857}, '
            'Shell item path: <Users Libraries> <UNKNOWN: 0x00> <UNKNOWN: 0x00> '
            'Index: 7 [MRU Value 0]: Path: iexplore.exe, '
            'Shell item path: <My Computer> P:\\Application Tools\\Firefox 6.0 '
            'Index: 8 [MRU Value 2]: Path: Skype.exe, '
            'Shell item path: <Users Libraries> <UNKNOWN: 0x00>')

        # Open the test hive and look up the key the plugin is run against.
        hive_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
        registry = self._GetWinRegistryFromFileEntry(hive_file_entry)
        mru_key = registry.GetKeyByPath(key_path)

        plugin_class = (
            mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin)
        plugin = plugin_class()
        storage_writer = self._ParseKeyWithPlugin(
            mru_key, plugin, file_entry=hive_file_entry)

        # Parsing must be clean and produce the full set of events.
        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 31)

        events = list(storage_writer.GetEvents())

        expected_event_values = {
            'data_type': 'windows:registry:mrulistex',
            'entries': expected_entries,
            'key_path': key_path,
            # The plugin is invoked directly rather than through the parser,
            # so the parser value is just the plugin name.
            'parser': plugin.plugin_name,
            # NOTE(review): presumably the key's last written time; confirm.
            'timestamp': '2012-04-01 13:52:38.966290'
        }

        # The last of the 31 events is the MRUListEx event checked here.
        self.CheckEventValues(
            storage_writer, events[30], expected_event_values)
Beispiel #2
  def testFilters(self):
    """Tests the FILTERS class attribute.

    The plugin must match the ComDlg32 LastVisitedPidlMRU key and must not
    match an unrelated key path.
    """
    matching_key_path = (
        'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
        'Explorer\\ComDlg32\\LastVisitedPidlMRU')
    unrelated_key_path = 'HKEY_LOCAL_MACHINE\\Bogus'

    plugin_class = (
        mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin)
    plugin = plugin_class()

    # Positive case first, then the negative case, as two separate checks.
    self._AssertFiltersOnKeyPath(plugin, matching_key_path)

    self._AssertNotFiltersOnKeyPath(plugin, unrelated_key_path)