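 def csv_windows_values(self):
     ''' Exports the values of the "Windows NT\\CurrentVersion\\Windows" key
     (the original comment called them winlogon's values) to
     <computer_name>_windows_values.csv in output_dir.

     The key is dumped once from HKEY_LOCAL_MACHINE and once per SID found
     under HKEY_USERS (those rows also carry the resolved user name). Each
     hive is handled on its own: a WindowsError on the machine key no longer
     skips the per-user keys, and every registry handle is released in a
     finally block instead of being overwritten while still open. Missing
     or unreadable keys are skipped on purpose (best-effort collection).
     '''
     self.logger.info('Getting windows values from registry')
     # Doubled backslashes: the original relied on '\M', '\W' and '\C' not
     # being escape sequences, which recent Pythons warn about.
     path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\'
     output_path = (self.output_dir + '\\' + self.computer_name +
                    '_windows_values.csv')
     with open(output_path, 'wb') as output:
         csv_writer = get_csv_writer(output)

         # Machine-wide values.
         aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
         try:
             self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE',
                                               path,
                                               aReg,
                                               csv_writer,
                                               is_recursive=False)
         except WindowsError:
             # The key may be missing or unreadable; keep going.
             pass
         finally:
             CloseKey(aReg)

         # Per-user values: HKEY_USERS subkeys are the SIDs of loaded hives.
         aReg = ConnectRegistry(None, HKEY_USERS)
         try:
             for index_sid in range(QueryInfoKey(aReg)[0]):
                 str_sid = EnumKey(aReg, index_sid)
                 username = str_sid2username(str_sid)
                 full_path = str_sid + '\\' + path
                 try:
                     self._dump_csv_registry_to_output('HKEY_USERS',
                                                       full_path,
                                                       aReg,
                                                       csv_writer,
                                                       username,
                                                       is_recursive=False)
                 except WindowsError:
                     # Not every loaded hive has this key; skip that SID.
                     pass
         except WindowsError:
             # Enumerating HKEY_USERS failed; keep what was written so far.
             pass
         finally:
             CloseKey(aReg)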
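	def csv_recent_docs(self):
		''' Exports the RecentDocs MRU lists of every loaded user hive to
		<computer_name>_recent_docs.csv in output_dir.

		For each SID under HKEY_USERS the values of the RecentDocs key and of
		each of its direct subkeys are passed through __decode_recent_docs_MRU
		and written as [username, sid] + decoded fields. The MRUListEx value
		(the ordering index) is skipped. A SID whose hive has no RecentDocs
		key raises WindowsError and is skipped; every opened key is released
		even when decoding fails, and each value is read only once instead of
		twice per index.
		'''
		self.logger.info('Getting recent_docs from registry')
		# Doubled backslashes: the original relied on '\S', '\M', ... not being
		# escape sequences, which recent Pythons warn about.
		path = '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\'
		output_path = self.output_dir + '\\' + self.computer_name + '_recent_docs.csv'

		def write_values(reg_key, prefix, csv_writer):
			# Writes every value of reg_key except the MRUListEx index.
			for index_value in range(QueryInfoKey(reg_key)[1]):
				value = EnumValue(reg_key, index_value)
				if value[0] != "MRUListEx":
					value_decoded = self.__decode_recent_docs_MRU(value[1])
					write_to_csv(prefix + value_decoded, csv_writer)

		aReg = ConnectRegistry(None, HKEY_USERS)
		try:
			with open(output_path, 'wb') as output:
				csv_writer = get_csv_writer(output)
				# HKEY_USERS subkeys are the SIDs of the loaded hives.
				for index_sid in range(QueryInfoKey(aReg)[0]):
					str_sid = EnumKey(aReg, index_sid)
					full_path = str_sid + path
					try:
						username = str_sid2username(str_sid)
						result = [username, str_sid]
						reg_recent_docs = OpenKey(aReg, full_path)
					except WindowsError:
						# This hive has no RecentDocs key: skip the SID.
						continue
					try:
						# Values of RecentDocs itself.
						write_values(reg_recent_docs, result, csv_writer)
						# Values of each direct RecentDocs subkey.
						for index_subkey in range(QueryInfoKey(reg_recent_docs)[0]):
							subkey_name = EnumKey(reg_recent_docs, index_subkey)
							reg_subkey = OpenKey(aReg, full_path + subkey_name)
							try:
								write_values(reg_subkey, result, csv_writer)
							finally:
								CloseKey(reg_subkey)
					except WindowsError:
						# Rows already written for this SID are kept; move on.
						pass
					finally:
						CloseKey(reg_recent_docs)
		finally:
			CloseKey(aReg)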
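 def csv_shell_bags(self):
     ''' Exports the shell bags from Windows registry in a csv
     (<computer_name>_shellbags.csv in output_dir).

     For each SID under HKEY_USERS the Bags and BagMRU keys, both in the
     classic location and under "Classes\\Local Settings", are dumped with
     _dump_csv_registry_to_output, passing __decode_shellbag_itempos_data to
     it. Keys that do not exist for a hive raise WindowsError and are
     skipped. The HKEY_USERS handle is released even if a dump raises, and
     the path list is built once rather than once per SID.
     '''
     # TODO Check Vista and under
     self.logger.info("Getting shell bags from registry")
     # Relative to a SID; identical for every user, so build it once.
     paths = [
         '\\Software\\Microsoft\\Windows\\Shell\\Bags\\',
         '\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\',
         '\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bags\\',
         '\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\'
     ]
     output_path = (self.output_dir + '\\' + self.computer_name +
                    '_shellbags.csv')
     aReg = ConnectRegistry(None, HKEY_USERS)
     try:
         with open(output_path, 'wb') as output:
             csv_writer = get_csv_writer(output)
             # HKEY_USERS subkeys are the SIDs of the loaded hives.
             for index_sid in range(QueryInfoKey(aReg)[0]):
                 str_sid = EnumKey(aReg, index_sid)
                 username = str_sid2username(str_sid)
                 for path in paths:
                     try:
                         self._dump_csv_registry_to_output(
                             'HKEY_USERS', str_sid + path, aReg, csv_writer,
                             username, self.__decode_shellbag_itempos_data)
                     except WindowsError:
                         # Not every hive has every shellbag key; skip it.
                         pass
     finally:
         CloseKey(aReg)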
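    def _csv_user_assist(self, count_offset, is_win7_or_further):
        ''' Extracts information from the UserAssist registry key, which
        contains information about executed programs, into
        <computer_name>_userassist.csv in output_dir.

        For every SID under HKEY_USERS each CLSID subkey of UserAssist (the
        set of IDs varies between Windows versions) is visited and every
        value of its "Count" subkey produces one row:
        [username, sid, clsid, value name (ROT13-decoded), last-write date
        of the Count key] followed by the decoded counters when the raw
        value is at least 16 bytes long (shorter values are written bare).

        Args:
            count_offset: offset handed to the value decoder; for Windows
                versions before 7 the count starts at 6.
            is_win7_or_further: selects
                __csv_user_assist_value_decode_win7_and_after instead of
                __csv_user_assist_value_decode_before_win7.

        A hive without a UserAssist key raises WindowsError and is skipped.
        Every opened key is released in a finally block, and each value is
        read once instead of twice per index.
        '''
        self.logger.info('Getting user_assist from registry')
        str_user_assist = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\'
        output_path = (self.output_dir + '\\' + self.computer_name +
                       '_userassist.csv')

        def write_count_values(reg_count, result, csv_writer):
            # Writes one row per value of a UserAssist\<CLSID>\Count key.
            date_last_mod = convert_windate(QueryInfoKey(reg_count)[2])
            for index_value in range(QueryInfoKey(reg_count)[1]):
                value = EnumValue(reg_count, index_value)
                # the name of the value is encoded with ROT13
                str_value_name = codecs.decode(value[0], 'rot_13')
                str_value_data = value[1]
                row = result + [str_value_name, date_last_mod]
                # some data are less than 16 bytes for some reason...
                if len(str_value_data) >= 16:
                    if is_win7_or_further:
                        row = row + self.__csv_user_assist_value_decode_win7_and_after(
                            str_value_data, count_offset)
                    else:
                        row = row + self.__csv_user_assist_value_decode_before_win7(
                            str_value_data, count_offset)
                write_to_csv(row, csv_writer)

        aReg = ConnectRegistry(None, HKEY_USERS)
        try:
            with open(output_path, 'wb') as output:
                csv_writer = get_csv_writer(output)
                # HKEY_USERS subkeys are the SIDs of the loaded hives.
                for index_sid in range(QueryInfoKey(aReg)[0]):
                    str_sid = EnumKey(aReg, index_sid)
                    path = str_sid + '\\' + str_user_assist
                    try:
                        username = str_sid2username(str_sid)
                        reg_user_assist = OpenKey(aReg, path)
                    except WindowsError:
                        # This hive has no UserAssist key: skip the SID.
                        continue
                    try:
                        for index_clsid in range(QueryInfoKey(reg_user_assist)[0]):
                            str_clsid = EnumKey(reg_user_assist, index_clsid)
                            reg_count = OpenKey(aReg, path + str_clsid + '\\Count')
                            try:
                                write_count_values(reg_count,
                                                   [username, str_sid, str_clsid],
                                                   csv_writer)
                            finally:
                                CloseKey(reg_count)
                    except WindowsError:
                        # Rows already written for this SID are kept; move on.
                        pass
                    finally:
                        CloseKey(reg_user_assist)
        finally:
            CloseKey(aReg)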
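	def csv_startup_programs(self):
		''' Exports the programs running at startup to <computer_name>_startup.csv
		in output_dir.

		Keys listed by the author as dumped:
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit]
			[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

			[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
			[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
			[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
			[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
			[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
			[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

		Each key is read under both "Software" and "Software\\Wow6432Node",
		first for every SID under HKEY_USERS (rows carry the user name) and
		then for HKEY_LOCAL_MACHINE. NOTE(review): the code's per-user list
		contains Winlogon\\Userinit and its machine list Windows
		NT\\CurrentVersion\\Windows, the reverse of the list above - confirm
		which is intended. Missing keys raise WindowsError and are skipped.
		The HKLM dumps now receive the full "\\Software..." path (they used
		to pass the bare relative path, so the Wow6432Node call was a
		duplicate and both usually failed to open), and the RunOnceEx entry
		no longer carries a second "\\Software" prefix.
		'''
		self.logger.info("Getting startup programs from registry")
		# Doubled backslashes: the original relied on '\S', '\W', '\M', ... not
		# being escape sequences, which recent Pythons warn about.
		software = '\\Software'
		wow = '\\Wow6432Node'
		# Relative to <hive>\Software. Every entry ends with a separator like the
		# other dump calls in this class (RunOnceEx and Policies\Explorer\Run
		# lacked it).
		user_paths = [
			'\\Microsoft\\Windows\\CurrentVersion\\Run\\',
			'\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\',
			'\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\',
			'\\Microsoft\\Windows\\CurrentVersion\\RunServices\\',
			'\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\\',
			# NOTE(review): Userinit is documented as a value of Winlogon rather
			# than a subkey, so this entry may never open - confirm.
			'\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\\',
		]
		machine_paths = [
			'\\Microsoft\\Windows\\CurrentVersion\\Run\\',
			'\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\',
			'\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\',
			'\\Microsoft\\Windows\\CurrentVersion\\RunServices\\',
			'\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\\',
			'\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\',
			'\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\',
		]

		def dump_both(hive_name, aReg, prefix, paths, csv_writer, *extra):
			# Dumps each path under <prefix>\Software and <prefix>\Software\Wow6432Node,
			# independently so a missing native key does not hide the WOW64 one.
			for path in paths:
				for base in (prefix + software, prefix + software + wow):
					try:
						self._dump_csv_registry_to_output(hive_name, base + path, aReg, csv_writer, *extra)
					except WindowsError:
						# Missing autostart keys are normal; skip them.
						pass

		output_path = self.output_dir + '\\' + self.computer_name + '_startup.csv'
		# One writer for the whole file (the original reopened it in append mode
		# for the machine part, so anything get_csv_writer emits up front appeared twice).
		with open(output_path, 'wb') as output:
			csv_writer = get_csv_writer(output)
			# Per-user keys: HKEY_USERS subkeys are the SIDs of the loaded hives.
			aReg = ConnectRegistry(None, HKEY_USERS)
			try:
				for index_sid in range(QueryInfoKey(aReg)[0]):
					str_sid = EnumKey(aReg, index_sid)
					username = str_sid2username(str_sid)
					dump_both('HKEY_USERS', aReg, str_sid, user_paths, csv_writer, username)
			finally:
				CloseKey(aReg)
			# Machine-wide keys.
			aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
			try:
				dump_both('HKEY_LOCAL_MACHINE', aReg, '', machine_paths, csv_writer)
			finally:
				CloseKey(aReg)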
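    def _csv_open_save_MRU(self, str_opensaveMRU):
        ''' Extracts information from the OpenSaveMRU registry key, which
        contains information about files opened and saved through the
        Open/Save dialogs, into <computer_name>_opensaveMRU.csv in output_dir.

        For every SID under HKEY_USERS each subkey of the MRU key (one per
        file type) is visited and every value except MRUListEx produces one
        row: [username, sid, filetype, last-write date of the subkey] plus
        the last printable string __extract_filename_from_PIDLMRU recovers
        from the binary value, when it recovers any.

        Args:
            str_opensaveMRU: path of the MRU key relative to a user hive,
                without a leading backslash (it is appended to "<SID>\\").

        A hive without the key raises WindowsError and is skipped. Every
        opened key is released in a finally block.
        '''
        # TODO : Win XP
        self.logger.info('Getting open_save_MRU from registry')
        output_path = (self.output_dir + '\\' + self.computer_name +
                       '_opensaveMRU.csv')

        def extract_printable(raw_value):
            # Returns the printable strings of a binary PIDL MRU value. An
            # empty result is usually an offset problem (the original comment
            # says "off by 1 ... modulo 2"), so retry with the first byte
            # dropped before giving up.
            l_printable = self.__extract_filename_from_PIDLMRU(raw_value)
            if len(l_printable) == 0:
                l_printable = self.__extract_filename_from_PIDLMRU(raw_value[1:])
            return l_printable

        aReg = ConnectRegistry(None, HKEY_USERS)
        try:
            with open(output_path, 'wb') as output:
                csv_writer = get_csv_writer(output)
                # HKEY_USERS subkeys are the SIDs of the loaded hives.
                for index_sid in range(QueryInfoKey(aReg)[0]):
                    str_sid = EnumKey(aReg, index_sid)
                    path = str_sid + '\\' + str_opensaveMRU
                    try:
                        username = str_sid2username(str_sid)
                        reg_opensaveMRU = OpenKey(aReg, path)
                    except WindowsError:
                        # This hive has no OpenSaveMRU key: skip the SID.
                        continue
                    try:
                        for index_filetype in range(QueryInfoKey(reg_opensaveMRU)[0]):
                            str_filetype = EnumKey(reg_opensaveMRU, index_filetype)
                            reg_filetype = OpenKey(aReg, path + '\\' + str_filetype)
                            try:
                                date_last_mod = convert_windate(
                                    QueryInfoKey(reg_filetype)[2])
                                for index_value in range(QueryInfoKey(reg_filetype)[1]):
                                    value_filetype = EnumValue(reg_filetype, index_value)
                                    # MRUListEx is the ordering index, not an entry.
                                    if value_filetype[0] == 'MRUListEx':
                                        continue
                                    row = [username, str_sid, str_filetype, date_last_mod]
                                    l_printable = extract_printable(value_filetype[1])
                                    if len(l_printable) != 0:
                                        # Only the last extracted string is kept.
                                        row.append(l_printable[-1])
                                    write_to_csv(row, csv_writer)
                            finally:
                                CloseKey(reg_filetype)
                    except WindowsError:
                        # Rows already written for this SID are kept; move on.
                        pass
                    finally:
                        CloseKey(reg_opensaveMRU)
        finally:
            CloseKey(aReg)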
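	def _csv_user_assist(self, count_offset, is_win7_or_further):
		''' Extracts information from the UserAssist registry key, which
		contains information about executed programs, into
		<computer_name>_userassist.csv in output_dir.

		For every SID under HKEY_USERS each CLSID subkey of UserAssist (the
		set of IDs varies between Windows versions) is visited and every
		value of its "Count" subkey produces one row:
		[username, sid, clsid, value name (ROT13-decoded), last-write date
		of the Count key] followed by the decoded counters when the raw
		value is at least 16 bytes long (shorter values are written bare).

		Args:
			count_offset: offset handed to the value decoder; for Windows
				versions before 7 the count starts at 6.
			is_win7_or_further: selects
				__csv_user_assist_value_decode_win7_and_after instead of
				__csv_user_assist_value_decode_before_win7.

		A hive without a UserAssist key raises WindowsError and is skipped.
		Every opened key is released in a finally block, and each value is
		read once instead of twice per index.
		'''
		self.logger.info('Getting user_assist from registry')
		str_user_assist = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\'
		output_path = self.output_dir + '\\' + self.computer_name + '_userassist.csv'

		def write_count_values(reg_count, result, csv_writer):
			# Writes one row per value of a UserAssist\<CLSID>\Count key.
			date_last_mod = convert_windate(QueryInfoKey(reg_count)[2])
			for index_value in range(QueryInfoKey(reg_count)[1]):
				value = EnumValue(reg_count, index_value)
				# the name of the value is encoded with ROT13
				str_value_name = codecs.decode(value[0], 'rot_13')
				str_value_data = value[1]
				row = result + [str_value_name, date_last_mod]
				# some data are less than 16 bytes for some reason...
				if len(str_value_data) >= 16:
					if is_win7_or_further:
						row = row + self.__csv_user_assist_value_decode_win7_and_after(str_value_data, count_offset)
					else:
						row = row + self.__csv_user_assist_value_decode_before_win7(str_value_data, count_offset)
				write_to_csv(row, csv_writer)

		aReg = ConnectRegistry(None, HKEY_USERS)
		try:
			with open(output_path, 'wb') as output:
				csv_writer = get_csv_writer(output)
				# HKEY_USERS subkeys are the SIDs of the loaded hives.
				for index_sid in range(QueryInfoKey(aReg)[0]):
					str_sid = EnumKey(aReg, index_sid)
					path = str_sid + '\\' + str_user_assist
					try:
						username = str_sid2username(str_sid)
						reg_user_assist = OpenKey(aReg, path)
					except WindowsError:
						# This hive has no UserAssist key: skip the SID.
						continue
					try:
						for index_clsid in range(QueryInfoKey(reg_user_assist)[0]):
							str_clsid = EnumKey(reg_user_assist, index_clsid)
							reg_count = OpenKey(aReg, path + str_clsid + '\\Count')
							try:
								write_count_values(reg_count, [username, str_sid, str_clsid], csv_writer)
							finally:
								CloseKey(reg_count)
					except WindowsError:
						# Rows already written for this SID are kept; move on.
						pass
					finally:
						CloseKey(reg_user_assist)
		finally:
			CloseKey(aReg)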
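	def csv_shell_bags(self):
		''' Exports the shell bags from Windows registry in a csv
		(<computer_name>_shellbags.csv in output_dir).

		For each SID under HKEY_USERS the Bags and BagMRU keys, both in the
		classic location and under "Classes\\Local Settings", are dumped with
		_dump_csv_registry_to_output, passing __decode_shellbag_itempos_data to
		it. Keys that do not exist for a hive raise WindowsError and are
		skipped. The HKEY_USERS handle is released even if a dump raises, and
		the path list is built once rather than once per SID.
		'''
		# TODO Check Vista and under
		self.logger.info("Getting shell bags from registry")
		# Relative to a SID; identical for every user, so build it once.
		paths = [
			'\\Software\\Microsoft\\Windows\\Shell\\Bags\\',
			'\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\',
			'\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bags\\',
			'\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\',
		]
		output_path = self.output_dir + '\\' + self.computer_name + '_shellbags.csv'
		aReg = ConnectRegistry(None, HKEY_USERS)
		try:
			with open(output_path, 'wb') as output:
				csv_writer = get_csv_writer(output)
				# HKEY_USERS subkeys are the SIDs of the loaded hives.
				for index_sid in range(QueryInfoKey(aReg)[0]):
					str_sid = EnumKey(aReg, index_sid)
					username = str_sid2username(str_sid)
					for path in paths:
						try:
							self._dump_csv_registry_to_output('HKEY_USERS', str_sid + path, aReg, csv_writer, username, self.__decode_shellbag_itempos_data)
						except WindowsError:
							# Not every hive has every shellbag key; skip it.
							pass
		finally:
			CloseKey(aReg)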
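	def _csv_open_save_MRU(self, str_opensaveMRU):
		''' Extracts information from the OpenSaveMRU registry key, which
		contains information about files opened and saved through the
		Open/Save dialogs, into <computer_name>_opensaveMRU.csv in output_dir.

		For every SID under HKEY_USERS each subkey of the MRU key (one per
		file type) is visited and every value except MRUListEx produces one
		row: [username, sid, filetype, last-write date of the subkey] plus
		the last printable string __extract_filename_from_PIDLMRU recovers
		from the binary value, when it recovers any.

		Args:
			str_opensaveMRU: path of the MRU key relative to a user hive,
				without a leading backslash (it is appended to "<SID>\\").

		A hive without the key raises WindowsError and is skipped. Every
		opened key is released in a finally block.
		'''
		# TODO : Win XP
		self.logger.info('Getting open_save_MRU from registry')
		output_path = self.output_dir + '\\' + self.computer_name + '_opensaveMRU.csv'

		def extract_printable(raw_value):
			# Returns the printable strings of a binary PIDL MRU value. An
			# empty result is usually an offset problem (the original comment
			# says "off by 1 ... modulo 2"), so retry with the first byte
			# dropped before giving up.
			l_printable = self.__extract_filename_from_PIDLMRU(raw_value)
			if len(l_printable) == 0:
				l_printable = self.__extract_filename_from_PIDLMRU(raw_value[1:])
			return l_printable

		aReg = ConnectRegistry(None, HKEY_USERS)
		try:
			with open(output_path, 'wb') as output:
				csv_writer = get_csv_writer(output)
				# HKEY_USERS subkeys are the SIDs of the loaded hives.
				for index_sid in range(QueryInfoKey(aReg)[0]):
					str_sid = EnumKey(aReg, index_sid)
					path = str_sid + '\\' + str_opensaveMRU
					try:
						username = str_sid2username(str_sid)
						reg_opensaveMRU = OpenKey(aReg, path)
					except WindowsError:
						# This hive has no OpenSaveMRU key: skip the SID.
						continue
					try:
						for index_filetype in range(QueryInfoKey(reg_opensaveMRU)[0]):
							str_filetype = EnumKey(reg_opensaveMRU, index_filetype)
							reg_filetype = OpenKey(aReg, path + '\\' + str_filetype)
							try:
								date_last_mod = convert_windate(QueryInfoKey(reg_filetype)[2])
								for index_value in range(QueryInfoKey(reg_filetype)[1]):
									value_filetype = EnumValue(reg_filetype, index_value)
									# MRUListEx is the ordering index, not an entry.
									if value_filetype[0] == 'MRUListEx':
										continue
									row = [username, str_sid, str_filetype, date_last_mod]
									l_printable = extract_printable(value_filetype[1])
									if len(l_printable) != 0:
										# Only the last extracted string is kept.
										row.append(l_printable[-1])
									write_to_csv(row, csv_writer)
							finally:
								CloseKey(reg_filetype)
					except WindowsError:
						# Rows already written for this SID are kept; move on.
						pass
					finally:
						CloseKey(reg_opensaveMRU)
		finally:
			CloseKey(aReg)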
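	def csv_windows_values(self):
		''' Exports the values of the "Windows NT\\CurrentVersion\\Windows" key
		(the original comment called them winlogon's values) to
		<computer_name>_windows_values.csv in output_dir.

		The key is dumped once from HKEY_LOCAL_MACHINE and once per SID found
		under HKEY_USERS (those rows also carry the resolved user name). Each
		hive is handled on its own: a WindowsError on the machine key no longer
		skips the per-user keys, and every registry handle is released in a
		finally block instead of being overwritten while still open. Missing
		or unreadable keys are skipped on purpose (best-effort collection).
		'''
		self.logger.info('Getting windows values from registry')
		# Doubled backslashes: the original relied on '\M', '\W' and '\C' not
		# being escape sequences, which recent Pythons warn about.
		path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\'
		output_path = self.output_dir + '\\' + self.computer_name + '_windows_values.csv'
		with open(output_path, 'wb') as output:
			csv_writer = get_csv_writer(output)

			# Machine-wide values.
			aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
			try:
				self._dump_csv_registry_to_output('HKEY_LOCAL_MACHINE', path, aReg, csv_writer, is_recursive=False)
			except WindowsError:
				# The key may be missing or unreadable; keep going.
				pass
			finally:
				CloseKey(aReg)

			# Per-user values: HKEY_USERS subkeys are the SIDs of loaded hives.
			aReg = ConnectRegistry(None, HKEY_USERS)
			try:
				for index_sid in range(QueryInfoKey(aReg)[0]):
					str_sid = EnumKey(aReg, index_sid)
					username = str_sid2username(str_sid)
					full_path = str_sid + '\\' + path
					try:
						self._dump_csv_registry_to_output('HKEY_USERS', full_path, aReg, csv_writer, username, is_recursive=False)
					except WindowsError:
						# Not every loaded hive has this key; skip that SID.
						pass
			except WindowsError:
				# Enumerating HKEY_USERS failed; keep what was written so far.
				pass
			finally:
				CloseKey(aReg)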