def testProcess(self):
"""Tests the Process function."""
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion'
)
time_string = '2012-08-31 20:09:55.123521'
registry_key = self._CreateTestKey(key_path, time_string)
plugin = windows_version.WindowsVersionPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 2)
events = list(storage_writer.GetEvents())
event = events[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event.parser, plugin.plugin_name)
self.assertEqual(event.data_type, 'windows:registry:key_value')
self.CheckTimestamp(event.timestamp, '2012-08-31 20:09:55.123521')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_WRITTEN)
expected_message = (
'[{0:s}] '
'CSDVersion: Service Pack 1 '
'CurrentVersion: 5.1 '
'ProductName: MyTestOS '
'RegisteredOwner: A Concerned Citizen').format(key_path)
expected_short_message = '{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
event = events[1]
self.assertEqual(event.data_type, 'windows:registry:installation')
self.CheckTimestamp(event.timestamp, '2012-08-31 20:09:55.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_INSTALLATION)
self.assertEqual(event.key_path, key_path)
self.assertEqual(event.owner, 'A Concerned Citizen')
self.assertEqual(event.product_name, 'MyTestOS')
self.assertEqual(event.service_pack, 'Service Pack 1')
self.assertEqual(event.version, '5.1')
expected_message = ('MyTestOS 5.1 Service Pack 1 '
'Owner: A Concerned Citizen '
'Origin: {0:s}').format(key_path)
expected_short_message = (
'MyTestOS 5.1 Service Pack 1 '
'Origin: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Win...')
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def testProcessFile(self):
"""Tests the Process function on a Windows Registry file."""
test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests'])
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion'
)
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = windows_version.WindowsVersionPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 2)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2012-03-15 07:09:20.671875')
event_data = self._GetEventDataOfEvent(storage_writer, event)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_data.parser, plugin.plugin_name)
self.assertEqual(event_data.data_type, 'windows:registry:key_value')
expected_message = (
'[{0:s}] '
'BuildGUID: [REG_SZ] f4bf21b9-55fe-4ee8-a84b-0e91cbd5fe5d '
'BuildLab: [REG_SZ] 7601.win7sp1_gdr.111118-2330 '
'BuildLabEx: [REG_SZ] 7601.17727.amd64fre.win7sp1_gdr.111118-2330 '
'CSDBuildNumber: [REG_SZ] 1130 '
'CSDVersion: [REG_SZ] Service Pack 1 '
'CurrentBuild: [REG_SZ] 7601 '
'CurrentBuildNumber: [REG_SZ] 7601 '
'CurrentType: [REG_SZ] Multiprocessor Free '
'CurrentVersion: [REG_SZ] 6.1 '
'DigitalProductId: [REG_BINARY] (164 bytes) '
'DigitalProductId4: [REG_BINARY] (1272 bytes) '
'EditionID: [REG_SZ] Ultimate '
'InstallationType: [REG_SZ] Client '
'PathName: [REG_SZ] C:\\Windows '
'ProductId: [REG_SZ] 00426-065-0381817-86216 '
'ProductName: [REG_SZ] Windows 7 Ultimate '
'RegisteredOrganization: [REG_SZ] '
'RegisteredOwner: [REG_SZ] Windows User '
'SoftwareType: [REG_SZ] System '
'SystemRoot: [REG_SZ] C:\\Windows').format(key_path)
expected_short_message = '{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event_data, expected_message,
expected_short_message)
def testFilters(self):
"""Tests the FILTERS class attribute."""
plugin = windows_version.WindowsVersionPlugin()
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion')
self._AssertFiltersOnKeyPath(plugin, key_path)
self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
def testProcess(self):
"""Tests the Process function."""
key_path = (
u'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion')
time_string = u'2012-08-31 20:09:55.123521'
registry_key = self._CreateTestKey(key_path, time_string)
plugin_object = windows_version.WindowsVersionPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key, plugin_object)
self.assertEqual(len(storage_writer.events), 2)
event_object = storage_writer.events[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, plugin_object.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(time_string)
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_data_type = u'windows:registry:key_value'
self.assertEqual(event_object.data_type, expected_data_type)
expected_message = (
u'[{0:s}] '
u'Owner: A Concerned Citizen '
u'Product name: MyTestOS '
u'Service pack: Service Pack 1 '
u'Windows Version Information: 5.1').format(key_path)
expected_short_message = u'{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(
event_object, expected_message, expected_short_message)
event_object = storage_writer.events[1]
self.assertEqual(
event_object.timestamp_desc, eventdata.EventTimestamp.INSTALLATION_TIME)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-31 20:09:55')
self.assertEqual(event_object.timestamp, expected_timestamp)
self.assertEqual(event_object.data_type, 'windows:registry:installation')
expected_data_type = u'windows:registry:installation'
self.assertEqual(event_object.data_type, expected_data_type)
expected_message = (
u'MyTestOS 5.1 Service Pack 1 '
u'Owner: owner '
u'Origin: {0:s}').format(key_path)
expected_short_message = (
u'MyTestOS 5.1 Service Pack 1 '
u'Origin: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Win...')
self._TestGetMessageStrings(
event_object, expected_message, expected_short_message)
def testProcess(self):
"""Tests the Process function."""
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion'
)
registry_key = self._CreateTestKey(key_path,
'2012-08-31 20:09:55.123521')
plugin = windows_version.WindowsVersionPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)
number_of_events = storage_writer.GetNumberOfAttributeContainers(
'event')
self.assertEqual(number_of_events, 2)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'extraction_warning')
self.assertEqual(number_of_warnings, 0)
number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
'recovery_warning')
self.assertEqual(number_of_warnings, 0)
events = list(storage_writer.GetEvents())
expected_values = ('CSDVersion: [REG_SZ] Service Pack 1 '
'CurrentVersion: [REG_SZ] 5.1 '
'ProductName: [REG_SZ] MyTestOS '
'RegisteredOwner: [REG_SZ] A Concerned Citizen')
expected_event_values = {
'date_time': '2012-08-31 20:09:55.1235210',
'data_type': 'windows:registry:key_value',
'key_path': key_path,
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
'parser': plugin.NAME,
'timestamp_desc': definitions.TIME_DESCRIPTION_WRITTEN,
'values': expected_values
}
self.CheckEventValues(storage_writer, events[1], expected_event_values)
expected_event_values = {
'date_time': '2012-08-31 20:09:55',
'data_type': 'windows:registry:installation',
'key_path': key_path,
'owner': 'A Concerned Citizen',
'product_name': 'MyTestOS',
'service_pack': 'Service Pack 1',
'timestamp_desc': definitions.TIME_DESCRIPTION_INSTALLATION,
'version': '5.1'
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessFile(self):
"""Tests the Process function on a Windows Registry file."""
test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests'])
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = windows_version.WindowsVersionPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key, plugin, file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_events, 2)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_values = (
'BuildGUID: [REG_SZ] f4bf21b9-55fe-4ee8-a84b-0e91cbd5fe5d '
'BuildLab: [REG_SZ] 7601.win7sp1_gdr.111118-2330 '
'BuildLabEx: [REG_SZ] 7601.17727.amd64fre.win7sp1_gdr.111118-2330 '
'CSDBuildNumber: [REG_SZ] 1130 '
'CSDVersion: [REG_SZ] Service Pack 1 '
'CurrentBuild: [REG_SZ] 7601 '
'CurrentBuildNumber: [REG_SZ] 7601 '
'CurrentType: [REG_SZ] Multiprocessor Free '
'CurrentVersion: [REG_SZ] 6.1 '
'DigitalProductId: [REG_BINARY] (164 bytes) '
'DigitalProductId4: [REG_BINARY] (1272 bytes) '
'EditionID: [REG_SZ] Ultimate '
'InstallationType: [REG_SZ] Client '
'PathName: [REG_SZ] C:\\Windows '
'ProductId: [REG_SZ] 00426-065-0381817-86216 '
'ProductName: [REG_SZ] Windows 7 Ultimate '
'RegisteredOrganization: [REG_SZ] '
'RegisteredOwner: [REG_SZ] Windows User '
'SoftwareType: [REG_SZ] System '
'SystemRoot: [REG_SZ] C:\\Windows')
expected_event_values = {
'date_time': '2012-03-15 07:09:20.6718750',
'data_type': 'windows:registry:key_value',
'key_path': key_path,
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
'parser': plugin.NAME,
'values': expected_values}
self.CheckEventValues(storage_writer, events[1], expected_event_values)
def testProcessFile(self):
"""Tests the Process function on a Windows Registry file."""
test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests'])
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion'
)
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = windows_version.WindowsVersionPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 2)
events = list(storage_writer.GetEvents())
event = events[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event.parser, plugin.plugin_name)
self.CheckTimestamp(event.timestamp, '2012-03-15 07:09:20.671875')
self.assertEqual(event.data_type, 'windows:registry:key_value')
expected_message = (
'[{0:s}] '
'Owner: Windows User '
'Product name: Windows 7 Ultimate '
'Service pack: Service Pack 1 '
'Windows Version Information: 6.1').format(key_path)
expected_short_message = '{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
