def testProcess(self): """Tests the Process function.""" key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion' ) time_string = '2012-08-31 20:09:55.123521' registry_key = self._CreateTestKey(key_path, time_string) plugin = windows_version.WindowsVersionPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 2) events = list(storage_writer.GetEvents()) event = events[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event.parser, plugin.plugin_name) self.assertEqual(event.data_type, 'windows:registry:key_value') self.CheckTimestamp(event.timestamp, '2012-08-31 20:09:55.123521') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_WRITTEN) expected_message = ( '[{0:s}] ' 'CSDVersion: Service Pack 1 ' 'CurrentVersion: 5.1 ' 'ProductName: MyTestOS ' 'RegisteredOwner: A Concerned Citizen').format(key_path) expected_short_message = '{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event, expected_message, expected_short_message) event = events[1] self.assertEqual(event.data_type, 'windows:registry:installation') self.CheckTimestamp(event.timestamp, '2012-08-31 20:09:55.000000') self.assertEqual(event.timestamp_desc, definitions.TIME_DESCRIPTION_INSTALLATION) self.assertEqual(event.key_path, key_path) self.assertEqual(event.owner, 'A Concerned Citizen') self.assertEqual(event.product_name, 'MyTestOS') self.assertEqual(event.service_pack, 'Service Pack 1') self.assertEqual(event.version, '5.1') expected_message = ('MyTestOS 5.1 Service Pack 1 ' 'Owner: A Concerned Citizen ' 'Origin: {0:s}').format(key_path) expected_short_message = ( 'MyTestOS 5.1 Service Pack 1 ' 'Origin: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Win...') self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcessFile(self): """Tests the Process function on a Windows Registry file.""" test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests']) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion' ) win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = windows_version.WindowsVersionPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 2) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2012-03-15 07:09:20.671875') event_data = self._GetEventDataOfEvent(storage_writer, event) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_data.parser, plugin.plugin_name) self.assertEqual(event_data.data_type, 'windows:registry:key_value') expected_message = ( '[{0:s}] ' 'BuildGUID: [REG_SZ] f4bf21b9-55fe-4ee8-a84b-0e91cbd5fe5d ' 'BuildLab: [REG_SZ] 7601.win7sp1_gdr.111118-2330 ' 'BuildLabEx: [REG_SZ] 7601.17727.amd64fre.win7sp1_gdr.111118-2330 ' 'CSDBuildNumber: [REG_SZ] 1130 ' 'CSDVersion: [REG_SZ] Service Pack 1 ' 'CurrentBuild: [REG_SZ] 7601 ' 'CurrentBuildNumber: [REG_SZ] 7601 ' 'CurrentType: [REG_SZ] Multiprocessor Free ' 'CurrentVersion: [REG_SZ] 6.1 ' 'DigitalProductId: [REG_BINARY] (164 bytes) ' 'DigitalProductId4: [REG_BINARY] (1272 bytes) ' 'EditionID: [REG_SZ] Ultimate ' 'InstallationType: [REG_SZ] Client ' 'PathName: [REG_SZ] C:\\Windows ' 'ProductId: [REG_SZ] 00426-065-0381817-86216 ' 'ProductName: [REG_SZ] Windows 7 Ultimate ' 'RegisteredOrganization: [REG_SZ] ' 'RegisteredOwner: [REG_SZ] Windows User ' 'SoftwareType: [REG_SZ] System ' 'SystemRoot: [REG_SZ] C:\\Windows').format(key_path) expected_short_message = '{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event_data, expected_message, expected_short_message)
def testFilters(self): """Tests the FILTERS class attribute.""" plugin = windows_version.WindowsVersionPlugin() key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion') self._AssertFiltersOnKeyPath(plugin, key_path) self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
def testProcess(self): """Tests the Process function.""" key_path = ( u'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion') time_string = u'2012-08-31 20:09:55.123521' registry_key = self._CreateTestKey(key_path, time_string) plugin_object = windows_version.WindowsVersionPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin_object) self.assertEqual(len(storage_writer.events), 2) event_object = storage_writer.events[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, plugin_object.plugin_name) expected_timestamp = timelib.Timestamp.CopyFromString(time_string) self.assertEqual(event_object.timestamp, expected_timestamp) expected_data_type = u'windows:registry:key_value' self.assertEqual(event_object.data_type, expected_data_type) expected_message = ( u'[{0:s}] ' u'Owner: A Concerned Citizen ' u'Product name: MyTestOS ' u'Service pack: Service Pack 1 ' u'Windows Version Information: 5.1').format(key_path) expected_short_message = u'{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings( event_object, expected_message, expected_short_message) event_object = storage_writer.events[1] self.assertEqual( event_object.timestamp_desc, eventdata.EventTimestamp.INSTALLATION_TIME) expected_timestamp = timelib.Timestamp.CopyFromString( u'2012-08-31 20:09:55') self.assertEqual(event_object.timestamp, expected_timestamp) self.assertEqual(event_object.data_type, 'windows:registry:installation') expected_data_type = u'windows:registry:installation' self.assertEqual(event_object.data_type, expected_data_type) expected_message = ( u'MyTestOS 5.1 Service Pack 1 ' u'Owner: owner ' u'Origin: {0:s}').format(key_path) expected_short_message = ( u'MyTestOS 5.1 Service Pack 1 ' u'Origin: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Win...') self._TestGetMessageStrings( event_object, expected_message, expected_short_message)
def testProcess(self): """Tests the Process function.""" key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion' ) registry_key = self._CreateTestKey(key_path, '2012-08-31 20:09:55.123521') plugin = windows_version.WindowsVersionPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 2) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetEvents()) expected_values = ('CSDVersion: [REG_SZ] Service Pack 1 ' 'CurrentVersion: [REG_SZ] 5.1 ' 'ProductName: [REG_SZ] MyTestOS ' 'RegisteredOwner: [REG_SZ] A Concerned Citizen') expected_event_values = { 'date_time': '2012-08-31 20:09:55.1235210', 'data_type': 'windows:registry:key_value', 'key_path': key_path, # This should just be the plugin name, as we're invoking it directly, # and not through the parser. 'parser': plugin.NAME, 'timestamp_desc': definitions.TIME_DESCRIPTION_WRITTEN, 'values': expected_values } self.CheckEventValues(storage_writer, events[1], expected_event_values) expected_event_values = { 'date_time': '2012-08-31 20:09:55', 'data_type': 'windows:registry:installation', 'key_path': key_path, 'owner': 'A Concerned Citizen', 'product_name': 'MyTestOS', 'service_pack': 'Service Pack 1', 'timestamp_desc': definitions.TIME_DESCRIPTION_INSTALLATION, 'version': '5.1' } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessFile(self): """Tests the Process function on a Windows Registry file.""" test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests']) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = windows_version.WindowsVersionPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_events, 2) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_values = ( 'BuildGUID: [REG_SZ] f4bf21b9-55fe-4ee8-a84b-0e91cbd5fe5d ' 'BuildLab: [REG_SZ] 7601.win7sp1_gdr.111118-2330 ' 'BuildLabEx: [REG_SZ] 7601.17727.amd64fre.win7sp1_gdr.111118-2330 ' 'CSDBuildNumber: [REG_SZ] 1130 ' 'CSDVersion: [REG_SZ] Service Pack 1 ' 'CurrentBuild: [REG_SZ] 7601 ' 'CurrentBuildNumber: [REG_SZ] 7601 ' 'CurrentType: [REG_SZ] Multiprocessor Free ' 'CurrentVersion: [REG_SZ] 6.1 ' 'DigitalProductId: [REG_BINARY] (164 bytes) ' 'DigitalProductId4: [REG_BINARY] (1272 bytes) ' 'EditionID: [REG_SZ] Ultimate ' 'InstallationType: [REG_SZ] Client ' 'PathName: [REG_SZ] C:\\Windows ' 'ProductId: [REG_SZ] 00426-065-0381817-86216 ' 'ProductName: [REG_SZ] Windows 7 Ultimate ' 'RegisteredOrganization: [REG_SZ] ' 'RegisteredOwner: [REG_SZ] Windows User ' 'SoftwareType: [REG_SZ] System ' 'SystemRoot: [REG_SZ] C:\\Windows') expected_event_values = { 'date_time': '2012-03-15 07:09:20.6718750', 'data_type': 'windows:registry:key_value', 'key_path': key_path, # This should just be the plugin name, as we're invoking it directly, # and not through the parser. 'parser': plugin.NAME, 'values': expected_values} self.CheckEventValues(storage_writer, events[1], expected_event_values)
def testProcessFile(self): """Tests the Process function on a Windows Registry file.""" test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests']) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion' ) win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = windows_version.WindowsVersionPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 2) events = list(storage_writer.GetEvents()) event = events[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event.parser, plugin.plugin_name) self.CheckTimestamp(event.timestamp, '2012-03-15 07:09:20.671875') self.assertEqual(event.data_type, 'windows:registry:key_value') expected_message = ( '[{0:s}] ' 'Owner: Windows User ' 'Product name: Windows 7 Ultimate ' 'Service pack: Service Pack 1 ' 'Windows Version Information: 6.1').format(key_path) expected_short_message = '{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event, expected_message, expected_short_message)