Beispiel #1
0
def Main():
    """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
    argument_parser = argparse.ArgumentParser(description=(
        'Extracts the UserAssist information from a NTUSER.DAT Registry file.'
    ))

    argument_parser.add_argument(
        '--codepage',
        dest='codepage',
        action='store',
        metavar='CODEPAGE',
        default='cp1252',
        help='the codepage of the extended ASCII strings.')

    argument_parser.add_argument('-d',
                                 '--debug',
                                 dest='debug',
                                 action='store_true',
                                 default=False,
                                 help='enable debug output.')

    argument_parser.add_argument(
        'source',
        nargs='?',
        action='store',
        metavar='PATH',
        default=None,
        help=('path of the volume containing C:\\Windows, the filename of '
              'a storage media image containing the C:\\Windows directory, '
              'or the path of a NTUSER.DAT Registry file.'))

    options = argument_parser.parse_args()

    if not options.source:
        print('Source value is missing.')
        print('')
        argument_parser.print_help()
        print('')
        return False

    logging.basicConfig(level=logging.INFO,
                        format='[%(levelname)s] %(message)s')

    output_writer = output_writers.StdoutOutputWriter()

    if not output_writer.Open():
        print('Unable to open output writer.')
        print('')
        return False

    mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
    scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

    volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
    volume_scanner_options.partitions = ['all']
    volume_scanner_options.snapshots = ['none']
    volume_scanner_options.volumes = ['none']

    if not scanner.ScanForWindowsVolume(options.source,
                                        options=volume_scanner_options):
        print(
            ('Unable to retrieve the volume with the Windows directory from: '
             '{0:s}.').format(options.source))
        print('')
        return False

    # TODO: map collector to available Registry keys.
    collector_object = userassist.UserAssistCollector(
        debug=options.debug, output_writer=output_writer)

    result = collector_object.Collect(scanner.registry)
    if not result:
        print('No UserAssist key found.')
    else:
        guid = None
        for user_assist_entry in collector_object.user_assist_entries:
            if user_assist_entry.guid != guid:
                print('GUID\t\t: {0:s}'.format(user_assist_entry.guid))
                guid = user_assist_entry.guid

            print('Name\t\t: {0:s}'.format(user_assist_entry.name))
            print('Original name\t: {0:s}'.format(
                user_assist_entry.value_name))

    print('')
    output_writer.Close()

    return True
Beispiel #2
0
def Main():
    """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
    argument_parser = argparse.ArgumentParser(description=(
        'Extracts the services information from a SYSTEM Registry file.'))

    argument_parser.add_argument(
        '--all',
        dest='all_control_sets',
        action='store_true',
        default=False,
        help=(
            'Process all control sets instead of only the current control set.'
        ))

    argument_parser.add_argument(
        '--diff',
        dest='diff_control_sets',
        action='store_true',
        default=False,
        help='Only list differences between control sets.')

    argument_parser.add_argument('--tsv',
                                 dest='use_tsv',
                                 action='store_true',
                                 default=False,
                                 help='Use tab separated value (TSV) output.')

    argument_parser.add_argument('-d',
                                 '--debug',
                                 dest='debug',
                                 action='store_true',
                                 default=False,
                                 help='enable debug output.')

    argument_parser.add_argument(
        'source',
        nargs='?',
        action='store',
        metavar='PATH',
        default=None,
        help=('path of the volume containing C:\\Windows, the filename of '
              'a storage media image containing the C:\\Windows directory, '
              'or the path of a SYSTEM Registry file.'))

    options = argument_parser.parse_args()

    if not options.source:
        print('Source value is missing.')
        print('')
        argument_parser.print_help()
        print('')
        return False

    logging.basicConfig(level=logging.INFO,
                        format='[%(levelname)s] %(message)s')

    mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
    scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

    volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
    volume_scanner_options.partitions = ['all']
    volume_scanner_options.snapshots = ['none']
    volume_scanner_options.volumes = ['none']

    if not scanner.ScanForWindowsVolume(options.source,
                                        options=volume_scanner_options):
        print(
            ('Unable to retrieve the volume with the Windows directory from: '
             '{0:s}.').format(options.source))
        print('')
        return False

    collector_object = services.WindowsServicesCollector(debug=options.debug)

    output_writer_object = StdoutWriter(use_tsv=options.use_tsv)

    if not output_writer_object.Open():
        print('Unable to open output writer.')
        print('')
        return False

    try:
        if options.diff_control_sets:
            has_results = collector_object.Compare(scanner.registry,
                                                   output_writer_object)

        else:
            has_results = False
            for windows_service in collector_object.Collect(
                    scanner.registry,
                    all_control_sets=options.all_control_sets):
                output_writer_object.WriteWindowsService(windows_service)
                has_results = True

    finally:
        output_writer_object.Close()

    if not has_results:
        print('No Services key found.')

    return True
def Main():
    """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
    argument_parser = argparse.ArgumentParser(description=(
        'Extracts Windows Event Log providers from the Windows Registry.'))

    argument_parser.add_argument('-d',
                                 '--debug',
                                 dest='debug',
                                 action='store_true',
                                 default=False,
                                 help='enable debug output.')

    argument_parser.add_argument(
        'source',
        nargs='?',
        action='store',
        metavar='PATH',
        default=None,
        help=('path of the volume containing C:\\Windows, the filename of '
              'a storage media image containing the C:\\Windows directory, '
              'or the path of a SOFTWARE or SYSTEM Registry file.'))

    options = argument_parser.parse_args()

    if not options.source:
        print('Source value is missing.')
        print('')
        argument_parser.print_help()
        print('')
        return False

    logging.basicConfig(level=logging.INFO,
                        format='[%(levelname)s] %(message)s')

    mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
    scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

    volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
    volume_scanner_options.partitions = ['all']
    volume_scanner_options.snapshots = ['none']
    volume_scanner_options.volumes = ['none']

    if not scanner.ScanForWindowsVolume(options.source,
                                        options=volume_scanner_options):
        print(
            ('Unable to retrieve the volume with the Windows directory from: '
             '{0:s}.').format(options.source))
        print('')
        return False

    collector_object = eventlog_providers.EventLogProvidersCollector(
        debug=options.debug)

    output_writer_object = StdoutWriter()
    if not output_writer_object.Open():
        print('Unable to open output writer.')
        print('')
        return False

    try:
        has_results = False
        for eventlog_provider in collector_object.Collect(scanner.registry):
            output_writer_object.WriteEventLogProvider(eventlog_provider)
            has_results = True

    finally:
        output_writer_object.Close()

    if not has_results:
        print('No Windows Event Log providers found.')

    return True
Beispiel #4
0
def Main():
  """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts time zone information for the Windows Registry.'))

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  argument_parser.add_argument(
      '--csv', dest='csv_file', action='store', metavar='time_zones.csv',
      default=None, help='path of the CSV file to write to.')

  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=(
          'path of the volume containing C:\\Windows, the filename of '
          'a storage media image containing the C:\\Windows directory, '
          'or the path of a SOFTWARE Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  if options.csv_file:
    output_writer_object = CSVFileWriter(options.csv_file)
  else:
    output_writer_object = StdoutWriter()

  if not output_writer_object.Open():
    print('Unable to open output writer.')
    print('')
    return False

  mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
  scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

  volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
  volume_scanner_options.partitions = ['all']
  volume_scanner_options.snapshots = ['none']
  volume_scanner_options.volumes = ['none']

  if not scanner.ScanForWindowsVolume(
      options.source, options=volume_scanner_options):
    print(('Unable to retrieve the volume with the Windows directory from: '
           '{0:s}.').format(options.source))
    print('')
    return False

  # TODO: map collector to available Registry keys.
  collector_object = time_zones.TimeZonesCollector(debug=options.debug)

  result = collector_object.Collect(scanner.registry, output_writer_object)
  if not result:
    print('No "Time Zones" key found.')

  output_writer_object.Close()

  return True
def Main():
    """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
    argument_parser = argparse.ArgumentParser(description=(
        'Extracts Application Compatibility Cache information from '
        'a SYSTEM Registry file.'))

    argument_parser.add_argument(
        '--all',
        dest='all_control_sets',
        action='store_true',
        default=False,
        help=(
            'Process all control sets instead of only the current control set.'
        ))

    argument_parser.add_argument('-d',
                                 '--debug',
                                 dest='debug',
                                 action='store_true',
                                 default=False,
                                 help='enable debug output.')

    argument_parser.add_argument(
        'source',
        nargs='?',
        action='store',
        metavar='PATH',
        default=None,
        help=('path of the volume containing C:\\Windows, the filename of '
              'a storage media image containing the C:\\Windows directory, '
              'or the path of a SYSTEM Registry file.'))

    options = argument_parser.parse_args()

    if not options.source:
        print('Source value is missing.')
        print('')
        argument_parser.print_help()
        print('')
        return False

    logging.basicConfig(level=logging.INFO,
                        format='[%(levelname)s] %(message)s')

    mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
    scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

    volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
    volume_scanner_options.partitions = ['all']
    volume_scanner_options.snapshots = ['none']
    volume_scanner_options.volumes = ['none']

    if not scanner.ScanForWindowsVolume(options.source,
                                        options=volume_scanner_options):
        print(
            ('Unable to retrieve the volume with the Windows directory from: '
             '{0:s}.').format(options.source))
        print('')
        return False

    output_writer = output_writers.StdoutOutputWriter()

    if not output_writer.Open():
        print('Unable to open output writer.')
        print('')
        return False

    try:
        collector_object = appcompatcache.AppCompatCacheCollector(
            debug=options.debug, output_writer=output_writer)

        # TODO: change collector to generate AppCompatCacheCachedEntry
        has_results = collector_object.Collect(
            scanner.registry, all_control_sets=options.all_control_sets)
        if has_results:
            for cached_entry in collector_object.cached_entries:
                output_writer.WriteFiletimeValue(
                    'Last modification time',
                    cached_entry.last_modification_time)
                output_writer.WriteValue('Path', cached_entry.path)
                output_writer.WriteText('\n')

    finally:
        output_writer.Close()

    if not has_results:
        print('No application compatibility cache entries found.')

    return True
Beispiel #6
0
def Main():
    """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
    argument_parser = argparse.ArgumentParser(description=(
        'Extracts the cached credentials from a SECURITY Registry file.'))

    argument_parser.add_argument('-d',
                                 '--debug',
                                 dest='debug',
                                 action='store_true',
                                 default=False,
                                 help=('enable debug output.'))

    argument_parser.add_argument(
        'source',
        nargs='?',
        action='store',
        metavar='PATH',
        default=None,
        help=('path of the volume containing C:\\Windows, the filename of '
              'a storage media image containing the C:\\Windows directory, '
              'or the path of a SECURITY and SYSTEM Registry file.'))

    options = argument_parser.parse_args()

    if not options.source:
        print('Source value is missing.')
        print('')
        argument_parser.print_help()
        print('')
        return False

    logging.basicConfig(level=logging.INFO,
                        format='[%(levelname)s] %(message)s')

    output_writer = output_writers.StdoutOutputWriter()

    if not output_writer.Open():
        print('Unable to open output writer.')
        print('')
        return False

    mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
    scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

    volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
    volume_scanner_options.partitions = ['all']
    volume_scanner_options.snapshots = ['none']
    volume_scanner_options.volumes = ['none']

    if not scanner.ScanForWindowsVolume(options.source,
                                        options=volume_scanner_options):
        print(
            ('Unable to retrieve the volume with the Windows directory from: '
             '{0:s}.').format(options.source))
        print('')
        return False

    if scanner.IsSingleFileRegistry():
        print('Both SECURITY and SYSYEM Registry files are required.')
        print('')
        return False

    # TODO: map collector to available Registry keys.
    collector_object = cached_credentials.CachedCredentialsKeyCollector(
        debug=options.debug, output_writer=output_writer)

    result = collector_object.Collect(scanner.registry)
    if not result:
        print('No Cache key found.')
    else:
        output_writer.WriteText('\n')

    output_writer.Close()

    return True
Beispiel #7
0
def Main():
  """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts the shell folder class identifiers from the Windows Registry.'))

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  argument_parser.add_argument(
      '--db', dest='database', action='store', metavar='shellitems.db',
      default=None, help='path of the sqlite3 database to write to.')

  argument_parser.add_argument(
      '-w', '--windows_version', '--windows-version',
      dest='windows_version', action='store', metavar='Windows XP',
      default=None, help='string that identifies the Windows version.')

  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=(
          'path of the volume containing C:\\Windows, the filename of '
          'a storage media image containing the C:\\Windows directory, '
          'or the path of a SOFTWARE Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  if options.database and not options.windows_version:
    print('Windows version missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
  scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

  volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
  volume_scanner_options.partitions = ['all']
  volume_scanner_options.snapshots = ['none']
  volume_scanner_options.volumes = ['none']

  if not scanner.ScanForWindowsVolume(
      options.source, options=volume_scanner_options):
    print(('Unable to retrieve the volume with the Windows directory from: '
           '{0:s}.').format(options.source))
    print('')
    return False

  # TODO: map collector to available Registry keys.
  collector_object = shellfolders.ShellFoldersCollector(
      debug=options.debug)

  if options.database:
    output_writer_object = Sqlite3DatabaseFileWriter(
        options.database, options.windows_version)
  else:
    output_writer_object = StdoutWriter()

  if not output_writer_object.Open():
    print('Unable to open output writer.')
    print('')
    return False

  try:
    has_results = False
    for shell_folder in collector_object.Collect(scanner.registry):
      output_writer_object.WriteShellFolder(shell_folder)
      has_results = True

  finally:
    output_writer_object.Close()

  if not has_results:
    print('No shell folder identifiers found.')

  return True
Beispiel #8
0
def Main():
    """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
    argument_parser = argparse.ArgumentParser(description=(
        'Extracts Most Recently Used information from a NTUSER.DAT Registry '
        'file.'))

    argument_parser.add_argument('-d',
                                 '--debug',
                                 dest='debug',
                                 action='store_true',
                                 default=False,
                                 help='enable debug output.')

    argument_parser.add_argument(
        'source',
        nargs='?',
        action='store',
        metavar='PATH',
        default=None,
        help=('path of the volume containing C:\\Windows, the filename of '
              'a storage media image containing the C:\\Windows directory, '
              'or the path of a NTUSER.DAT Registry file.'))

    options = argument_parser.parse_args()

    if not options.source:
        print('Source value is missing.')
        print('')
        argument_parser.print_help()
        print('')
        return False

    logging.basicConfig(level=logging.INFO,
                        format='[%(levelname)s] %(message)s')

    output_writer = StdoutWriter()

    if not output_writer.Open():
        print('Unable to open output writer.')
        print('')
        return False

    mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
    scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

    volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
    volume_scanner_options.partitions = ['all']
    volume_scanner_options.snapshots = ['none']
    volume_scanner_options.volumes = ['none']

    if not scanner.ScanForWindowsVolume(options.source,
                                        options=volume_scanner_options):
        print(
            ('Unable to retrieve the volume with the Windows directory from: '
             '{0:s}.').format(options.source))
        print('')
        return False

    collector_object = mru.MostRecentlyUsedCollector(
        debug=options.debug, output_writer=output_writer)

    # TODO: change collector to generate MostRecentlyUsedEntry
    result = collector_object.Collect(scanner.registry)
    if not result:
        print('No Most Recently Used key found.')
    else:
        for mru_entry in collector_object.mru_entries:
            output_writer.WriteValue('Key path', mru_entry.key_path)
            output_writer.WriteValue('Value name', mru_entry.value_name)

            if mru_entry.string:
                output_writer.WriteValue('String', mru_entry.string)

            if mru_entry.shell_item_data:
                shell_item = pyfwsi.item()
                shell_item.copy_from_byte_stream(mru_entry.shell_item_data)

                output_writer.WriteShellItem(shell_item)

            elif mru_entry.shell_item_list_data:
                shell_item_list = pyfwsi.item_list()
                shell_item_list.copy_from_byte_stream(
                    mru_entry.shell_item_list_data)

                for shell_item in iter(shell_item_list.items):
                    output_writer.WriteShellItem(shell_item)

            output_writer.WriteText('')

    output_writer.Close()

    return True
def Main():
    """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
    argument_parser = argparse.ArgumentParser(description=(
        'Extracts the program cache from a NTUSER.DAT Registry file.'))

    argument_parser.add_argument('-d',
                                 '--debug',
                                 dest='debug',
                                 action='store_true',
                                 default=False,
                                 help='enable debug output.')

    argument_parser.add_argument(
        'source',
        nargs='?',
        action='store',
        metavar='PATH',
        default=None,
        help=('path of the volume containing C:\\Windows, the filename of '
              'a storage media image containing the C:\\Windows directory, '
              'or the path of a NTUSER.DAT Registry file.'))

    options = argument_parser.parse_args()

    if not options.source:
        print('Source value is missing.')
        print('')
        argument_parser.print_help()
        print('')
        return False

    logging.basicConfig(level=logging.INFO,
                        format='[%(levelname)s] %(message)s')

    # TODO: add support to select user.
    mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
    scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

    volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
    volume_scanner_options.partitions = ['all']
    volume_scanner_options.snapshots = ['none']
    volume_scanner_options.volumes = ['none']

    if not scanner.ScanForWindowsVolume(options.source,
                                        options=volume_scanner_options):
        print(
            ('Unable to retrieve the volume with the Windows directory from: '
             '{0:s}.').format(options.source))
        print('')
        return False

    output_writer = output_writers.StdoutOutputWriter()

    if not output_writer.Open():
        print('Unable to open output writer.')
        print('')
        return False

    try:
        collector_object = programscache.ProgramsCacheCollector(
            debug=options.debug, output_writer=output_writer)

        # TODO: change collector to generate ProgramCacheEntry
        has_results = collector_object.Collect(scanner.registry)

    finally:
        output_writer.Close()

    if not has_results:
        print('No program cache entries found.')

    return True
Beispiel #10
0
def Main():
    """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
    argument_parser = argparse.ArgumentParser(description=(
        'Extracts Security Account Manager information from a SAM Registry '
        'file.'))

    argument_parser.add_argument('-d',
                                 '--debug',
                                 dest='debug',
                                 action='store_true',
                                 default=False,
                                 help='enable debug output.')

    argument_parser.add_argument(
        'source',
        nargs='?',
        action='store',
        metavar='PATH',
        default=None,
        help=('path of the volume containing C:\\Windows, the filename of '
              'a storage media image containing the C:\\Windows directory, '
              'or the path of a SAM Registry file.'))

    options = argument_parser.parse_args()

    if not options.source:
        print('Source value is missing.')
        print('')
        argument_parser.print_help()
        print('')
        return False

    logging.basicConfig(level=logging.INFO,
                        format='[%(levelname)s] %(message)s')

    output_writer = output_writers.StdoutOutputWriter()

    if not output_writer.Open():
        print('Unable to open output writer.')
        print('')
        return False

    mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
    scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

    volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
    volume_scanner_options.partitions = ['all']
    volume_scanner_options.snapshots = ['none']
    volume_scanner_options.volumes = ['none']

    if not scanner.ScanForWindowsVolume(options.source,
                                        options=volume_scanner_options):
        print(
            ('Unable to retrieve the volume with the Windows directory from: '
             '{0:s}.').format(options.source))
        print('')
        return False

    # TODO: map collector to available Registry keys.
    collector_object = sam.SecurityAccountManagerCollector(
        debug=options.debug, output_writer=output_writer)

    result = collector_object.Collect(scanner.registry)
    if not result:
        output_writer.WriteText('No Security Account Manager key found.')
        output_writer.WriteText('')

    else:
        for user_account in collector_object.user_accounts:
            output_writer.WriteValue('Username', user_account.username)
            output_writer.WriteValue('Relative identifier (RID)',
                                     user_account.rid)
            output_writer.WriteValue('Primary group identifier',
                                     user_account.primary_gid)

            if user_account.full_name:
                output_writer.WriteValue('Full name', user_account.full_name)

            if user_account.comment:
                output_writer.WriteValue('Comment', user_account.comment)

            if user_account.user_comment:
                output_writer.WriteValue('User comment',
                                         user_account.user_comment)

            output_writer.WriteFiletimeValue('Last log-in time',
                                             user_account.last_login_time)

            output_writer.WriteFiletimeValue(
                'Last password set time', user_account.last_password_set_time)

            output_writer.WriteFiletimeValue(
                'Account expiration time',
                user_account.account_expiration_time)

            output_writer.WriteFiletimeValue(
                'Last password failure time',
                user_account.last_password_failure_time)

            output_writer.WriteValue('Number of log-ons',
                                     user_account.number_of_logons)
            output_writer.WriteValue('Number of password failures',
                                     user_account.number_of_password_failures)

            if user_account.codepage:
                output_writer.WriteValue('Codepage', user_account.codepage)

            output_writer.WriteText('\n')

    output_writer.Close()

    return True