Ejemplo n.º 1
    def testFilters(self):
        """Checks which Registry key paths the plugin's FILTERS accept.

        The Zones and Lockdown_Zones keys under both HKEY_CURRENT_USER and
        HKEY_LOCAL_MACHINE are expected to match; an unrelated key is expected
        not to match.
        """
        zone_plugin = msie_zones.MsieZoneSettingsPlugin()

        # Per-user and machine-wide locations, checked in this order.
        matching_key_paths = (
            ('HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
             'Internet Settings\\Lockdown_Zones'),
            ('HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
             'Internet Settings\\Zones'),
            ('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
             'Internet Settings\\Lockdown_Zones'),
            ('HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
             'Internet Settings\\Zones'),
        )
        for matching_key_path in matching_key_paths:
            self._AssertFiltersOnKeyPath(zone_plugin, matching_key_path)

        # Negative case: a key outside the Internet Settings tree.
        self._AssertNotFiltersOnKeyPath(
            zone_plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
Ejemplo n.º 2
    def testProcessNtuserZones(self):
        """Runs the plugin on the per-user Zones key of the NTUSER test hive.

        Six events are expected. Only the second one (index 1) is inspected;
        its expected message describes the "0 (My Computer)" zone subkey.
        """
        zones_key_path = (
            u'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            u'Internet Settings\\Zones')
        hive_file_entry = self._GetTestFileEntry([u'NTUSER-WIN7.DAT'])

        registry = self._GetWinRegistryFromFileEntry(hive_file_entry)
        zones_key = registry.GetKeyByPath(zones_key_path)

        zone_plugin = msie_zones.MsieZoneSettingsPlugin()
        writer = self._ParseKeyWithPlugin(
            zones_key, zone_plugin, file_entry=hive_file_entry)

        self.assertEqual(writer.number_of_events, 6)

        second_event = list(writer.GetEvents())[1]

        # The plugin is called directly rather than via the parser, so the
        # parser attribute carries the bare plugin name.
        self.assertEqual(second_event.parser, zone_plugin.plugin_name)

        wanted_timestamp = timelib.Timestamp.CopyFromString(
            u'2011-09-16 21:12:40.145514')
        self.assertEqual(second_event.timestamp, wanted_timestamp)

        # Spot-check one zone setting: URL action 1200 is "0 (Allow)" in this
        # fixture.
        self._TestRegvalue(
            second_event,
            u'[1200] Run ActiveX controls and plug-ins',
            u'0 (Allow)')

        message_template = (
            u'[{0:s}\\0 (My Computer)] '
            u'[1200] Run ActiveX controls and plug-ins: 0 (Allow) '
            u'[1400] Active scripting: 0 (Allow) '
            u'[2001] .NET: Run components signed with Authenticode: 3 (Not '
            u'Allowed) '
            u'[2004] .NET: Run components not signed with Authenticode: 3 (Not '
            u'Allowed) '
            u'[2007] UNKNOWN: 3 '
            u'[CurrentLevel]: 0 '
            u'[Description]: Your computer '
            u'[DisplayName]: Computer '
            u'[Flags]: 33 [Icon]: shell32.dll#0016 '
            u'[LowIcon]: inetcpl.cpl#005422 '
            u'[PMDisplayName]: Computer '
            u'[Protected Mode]')
        full_message = message_template.format(zones_key_path)

        # The short form is the first 77 characters followed by an ellipsis.
        short_message = u'{0:s}...'.format(full_message[:77])

        self._TestGetMessageStrings(second_event, full_message, short_message)
Ejemplo n.º 3
    def testProcessNtuserLockdownZones(self):
        """Runs the plugin on the per-user Lockdown_Zones key of the test hive.

        No warnings and six events are expected. Only the second event
        (index 1) is inspected; its expected message describes the
        "0 (My Computer)" zone subkey.
        """
        lockdown_key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Internet Settings\\Lockdown_Zones')
        hive_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])

        registry = self._GetWinRegistryFromFileEntry(hive_file_entry)
        lockdown_key = registry.GetKeyByPath(lockdown_key_path)

        zone_plugin = msie_zones.MsieZoneSettingsPlugin()
        writer = self._ParseKeyWithPlugin(
            lockdown_key, zone_plugin, file_entry=hive_file_entry)

        self.assertEqual(writer.number_of_warnings, 0)
        self.assertEqual(writer.number_of_events, 6)

        second_event = list(writer.GetEvents())[1]

        # The plugin is called directly rather than via the parser, so the
        # parser attribute carries the bare plugin name.
        self.assertEqual(second_event.parser, zone_plugin.plugin_name)

        self.CheckTimestamp(
            second_event.timestamp, '2011-09-16 21:12:40.145514')

        # Spot-check one zone setting: under Lockdown_Zones this fixture has
        # URL action 1200 at "3 (Not Allowed)".
        self._TestRegvalue(
            second_event,
            '[1200] Run ActiveX controls and plug-ins',
            '3 (Not Allowed)')

        message_template = (
            '[{0:s}\\0 (My Computer)] '
            '[1200] Run ActiveX controls and plug-ins: 3 (Not Allowed) '
            '[1400] Active scripting: 1 (Prompt User) '
            '[CurrentLevel]: 0 '
            '[Description]: Your computer '
            '[DisplayName]: Computer '
            '[Flags]: 33 '
            '[Icon]: shell32.dll#0016 '
            '[LowIcon]: inetcpl.cpl#005422 '
            '[PMDisplayName]: Computer '
            '[Protected Mode]')
        full_message = message_template.format(lockdown_key_path)

        # The short form is the first 77 characters followed by an ellipsis.
        short_message = '{0:s}...'.format(full_message[:77])

        self._TestGetMessageStrings(second_event, full_message, short_message)
Ejemplo n.º 4
    def testProcessSoftwareZones(self):
        """Tests the Process function on the machine-wide Zones key.

        The key is read from the SOFTWARE test hive under HKEY_LOCAL_MACHINE.
        Six events are expected; only the second one (index 1) is inspected,
        and its expected message describes the "0 (My Computer)" zone subkey.
        """
        test_file_entry = self._GetTestFileEntry(['SOFTWARE'])
        key_path = (
            'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Internet Settings\\Zones')

        win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
        registry_key = win_registry.GetKeyByPath(key_path)

        plugin = msie_zones.MsieZoneSettingsPlugin()
        storage_writer = self._ParseKeyWithPlugin(registry_key,
                                                  plugin,
                                                  file_entry=test_file_entry)

        self.assertEqual(storage_writer.number_of_events, 6)

        events = list(storage_writer.GetEvents())

        event = events[1]

        # This should just be the plugin name, as we're invoking it directly,
        # and not through the parser.
        self.assertEqual(event.parser, plugin.plugin_name)

        self.CheckTimestamp(event.timestamp, '2011-08-28 21:32:44.937675')

        # Spot-check a single zone setting before comparing the full message.
        regvalue_identifier = '[1200] Run ActiveX controls and plug-ins'
        expected_value = '0 (Allow)'
        self._TestRegvalue(event, regvalue_identifier, expected_value)

        # Full expected message for the zone subkey. Each entry reads
        # "[identifier] description: value", some with a meaning in
        # parentheses such as "(Allow)", "(Prompt User)" or "(Not Allowed)".
        # Identifiers shown as UNKNOWN presumably have no description in the
        # plugin -- confirm against msie_zones. This is the per-zone policy an
        # examiner reads from the plugin output, e.g. "[1004] Download
        # unsigned ActiveX controls: 0 (Allow)" in this fixture.
        expected_message = (
            '[{0:s}\\0 (My Computer)] '
            '[1001] Download signed ActiveX controls: 0 (Allow) '
            '[1004] Download unsigned ActiveX controls: 0 (Allow) '
            '[1200] Run ActiveX controls and plug-ins: 0 (Allow) '
            '[1201] Initialize and script ActiveX controls not marked as safe: 1 '
            '(Prompt User) '
            '[1206] Allow scripting of IE Web browser control: 0 '
            '[1207] Reserved: 0 '
            '[1208] Allow previously unused ActiveX controls to run without '
            'prompt: 0 '
            '[1209] Allow Scriptlets: 0 '
            '[120A] Override Per-Site (domain-based) ActiveX restrictions: 0 '
            '[120B] Override Per-Site (domain-based) ActiveX restrictions: 0 '
            '[1400] Active scripting: 0 (Allow) '
            '[1402] Scripting of Java applets: 0 (Allow) '
            '[1405] Script ActiveX controls marked as safe for scripting: 0 '
            '(Allow) '
            '[1406] Access data sources across domains: 0 (Allow) '
            '[1407] Allow Programmatic clipboard access: 0 (Allow) '
            '[1408] Reserved: 0 '
            '[1409] UNKNOWN: 3 '
            '[1601] Submit non-encrypted form data: 0 (Allow) '
            '[1604] Font download: 0 (Allow) '
            '[1605] Run Java: 0 '
            '[1606] Userdata persistence: 0 (Allow) '
            '[1607] Navigate sub-frames across different domains: 0 (Allow) '
            '[1608] Allow META REFRESH: 0 (Allow) '
            '[1609] Display mixed content: 1 (Prompt User) '
            '[160A] Include local directory path when uploading files to a '
            'server: 0 '
            '[1802] Drag and drop or copy and paste files: 0 (Allow) '
            '[1803] File Download: 0 (Allow) '
            '[1804] Launching programs and files in an IFRAME: 0 (Allow) '
            '[1805] Launching programs and files in webview: 0 '
            '[1806] Launching applications and unsafe files: 0 '
            '[1807] Reserved: 0 '
            '[1808] Reserved: 0 '
            '[1809] Use Pop-up Blocker: 3 (Not Allowed) '
            '[180A] Reserved: 0 '
            '[180C] Reserved: 0 '
            '[180D] Reserved: 0 '
            '[180E] UNKNOWN: 0 '
            '[180F] UNKNOWN: 0 '
            '[1A00] User Authentication: Logon: 0x00000000 (Automatic logon with '
            'current user name and password) '
            '[1A02] Allow persistent cookies that are stored on your computer: 0 '
            '[1A03] Allow per-session cookies (not stored): 0 '
            '[1A04] Don\'t prompt for client cert selection when no certs exists: '
            '0 (Allow) '
            '[1A05] Allow 3rd party persistent cookies: 0 '
            '[1A06] Allow 3rd party session cookies: 0 '
            '[1A10] Privacy Settings: 0 '
            '[1C00] Java permissions: 0x00020000 (Medium safety) '
            '[2000] Binary and script behaviors: 0 (Allow) '
            '[2001] .NET: Run components signed with Authenticode: '
            '3 (Not Allowed) '
            '[2004] .NET: Run components not signed with Authenticode: '
            '3 (Not Allowed) '
            '[2005] UNKNOWN: 0 '
            '[2007] UNKNOWN: 3 '
            '[2100] Open files based on content, not file extension: 0 (Allow) '
            '[2101] Web sites in less privileged zone can navigate into this '
            'zone: 3 (Not Allowed) '
            '[2102] Allow script initiated windows without size/position '
            'constraints: 0 (Allow) '
            '[2103] Allow status bar updates via script: 0 '
            '[2104] Allow websites to open windows without address or status '
            'bars: 0 '
            '[2105] Allow websites to prompt for information using scripted '
            'windows: 0 '
            '[2106] UNKNOWN: 0 '
            '[2107] UNKNOWN: 0 '
            '[2200] Automatic prompting for file downloads: 0 (Allow) '
            '[2201] Automatic prompting for ActiveX controls: 0 (Allow) '
            '[2300] Allow web pages to use restricted protocols for active '
            'content: 1 (Prompt User) '
            '[2301] Use Phishing Filter: 3 '
            '[2400] .NET: XAML browser applications: 0 '
            '[2401] .NET: XPS documents: 0 '
            '[2402] .NET: Loose XAML: 0 '
            '[2500] Turn on Protected Mode: 3 '
            '[2600] Enable .NET Framework setup: 0 '
            '[2700] UNKNOWN: 3 '
            '[2701] UNKNOWN: 0 '
            '[2702] UNKNOWN: 3 '
            '[2703] UNKNOWN: 3 '
            '[2708] UNKNOWN: 0 '
            '[2709] UNKNOWN: 0 '
            '[CurrentLevel]: 0 '
            '[Description]: Your computer '
            '[DisplayName]: Computer '
            '[Flags]: 33 '
            '[Icon]: shell32.dll#0016 '
            '[LowIcon]: inetcpl.cpl#005422 '
            '[PMDisplayName]: Computer '
            '[Protected Mode]').format(key_path)
        # The short message is the first 77 characters of the full message
        # followed by an ellipsis.
        expected_short_message = '{0:s}...'.format(expected_message[:77])

        self._TestGetMessageStrings(event, expected_message,
                                    expected_short_message)
Ejemplo n.º 5
 def setUp(self):
     """Creates the MSIE zone settings plugin instance used by the tests."""
     zone_plugin = msie_zones.MsieZoneSettingsPlugin()
     self._plugin = zone_plugin
Ejemplo n.º 6
 def setUp(self):
     """Creates the plugin and resolves the NTUSER test hive.

     Stores the plugin instance, the test file path and the matching file
     entry on the test case for use by the individual tests.
     """
     hive_segments = [u'NTUSER-WIN7.DAT']
     self._plugin = msie_zones.MsieZoneSettingsPlugin()
     # The same path segments are used for both the path and the file entry.
     self._test_file = self._GetTestFilePath(hive_segments)
     self._file_entry = self._GetTestFileEntryFromPath(hive_segments)
Ejemplo n.º 7
 def setUp(self):
     """Creates the plugin and resolves the path of the NTUSER test hive."""
     self._plugin = msie_zones.MsieZoneSettingsPlugin()
     hive_segments = ['NTUSER-WIN7.DAT']
     self._test_file = self._GetTestFilePath(hive_segments)
Ejemplo n.º 8
 def setUp(self):
   """Instantiates the plugin under test before an individual test runs."""
   zone_plugin = msie_zones.MsieZoneSettingsPlugin()
   self._plugin = zone_plugin