 def setUp(self):
     """Builds the preprocess object, registry cache and plugin under test."""
     # The cache is seeded with the control set the test keys live under,
     # presumably so the plugin can resolve CurrentControlSet paths — confirm
     # against the plugin implementation.
     control_set = 'ControlSet001'
     cached_registry = cache.WinRegistryCache()
     cached_registry.attributes['current_control_set'] = control_set
     self._plugin = lfu.BootExecutePlugin(
         pre_obj=event.PreprocessObject(), reg_cache=cached_registry)
    def testProcess(self):
        """Tests the Process function against a synthetic Session Manager key."""
        key_path = (
            'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\Session Manager'
        )
        time_string = '2012-08-31 20:45:29'
        registry_key = self._CreateTestKey(key_path, time_string)

        plugin = lfu.BootExecutePlugin()
        storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

        # A clean parse of the synthetic key yields one boot_execute event plus
        # one key_value event for the remaining values, and no warnings.
        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 2)

        events = list(storage_writer.GetEvents())
        expected_timestamp = '2012-08-31 20:45:29.000000'

        # First event: the BootExecute value itself.
        first_event = events[0]
        self.CheckTimestamp(first_event.timestamp, expected_timestamp)
        first_event_data = self._GetEventDataOfEvent(storage_writer, first_event)

        # Invoked directly rather than through the Windows Registry parser, so
        # the parser attribute carries the plugin name.
        self.assertEqual(first_event_data.parser, plugin.plugin_name)
        self.assertEqual(
            first_event_data.data_type, 'windows:registry:boot_execute')

        # NOTE(review): only the stock-looking 'autocheck autochk *' value is
        # exercised; a non-default BootExecute value is the case an analyst
        # would care about (boot-time persistence) and is not covered here.
        boot_execute_message = (
            '[{0:s}] BootExecute: autocheck autochk *').format(key_path)
        self._TestGetMessageStrings(
            first_event_data, boot_execute_message,
            '{0:s}...'.format(boot_execute_message[:77]))

        # Second event: every other value of the key, folded into one message.
        second_event = events[1]
        self.CheckTimestamp(second_event.timestamp, expected_timestamp)
        second_event_data = self._GetEventDataOfEvent(
            storage_writer, second_event)
        self.assertEqual(
            second_event_data.data_type, 'windows:registry:key_value')

        remaining_values = ' '.join([
            'CriticalSectionTimeout: [REG_SZ] 2592000',
            'ExcludeFromKnownDlls: [REG_MULTI_SZ] []',
            'GlobalFlag: [REG_SZ] 0',
            'HeapDeCommitFreeBlockThreshold: [REG_SZ] 0',
            'HeapDeCommitTotalFreeThreshold: [REG_SZ] 0',
            'HeapSegmentCommit: [REG_SZ] 0',
            'HeapSegmentReserve: [REG_SZ] 0',
            'NumberOfInitialSessions: [REG_SZ] 2'])
        key_value_message = '[{0:s}] {1:s}'.format(key_path, remaining_values)
        self._TestGetMessageStrings(
            second_event_data, key_value_message,
            '{0:s}...'.format(key_value_message[:77]))
  def testFilters(self):
    """Tests that FILTERS matches the Session Manager key and rejects others."""
    plugin = lfu.BootExecutePlugin()

    # Positive case: the key the plugin is meant to handle. Only ControlSet001
    # is exercised; other control sets are not covered by this test.
    session_manager_key_path = (
        'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\Session Manager')
    self._AssertFiltersOnKeyPath(plugin, session_manager_key_path)

    # Negative case: an unrelated key must not be claimed by the plugin.
    unrelated_key_path = 'HKEY_LOCAL_MACHINE\\Bogus'
    self._AssertNotFiltersOnKeyPath(plugin, unrelated_key_path)
  def testProcess(self):
    """Tests the Process function against a synthetic Session Manager key."""
    key_path = (
        'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\Session Manager')
    registry_key = self._CreateTestKey(key_path, '2012-08-31 20:45:29')

    plugin = lfu.BootExecutePlugin()
    storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

    # A clean parse of the synthetic key produces exactly two events and no
    # extraction or recovery warnings.
    expected_container_counts = {
        'event': 2,
        'extraction_warning': 0,
        'recovery_warning': 0}
    for container_type, expected_count in expected_container_counts.items():
      self.assertEqual(
          storage_writer.GetNumberOfAttributeContainers(container_type),
          expected_count)

    events = list(storage_writer.GetEvents())
    expected_date_time = '2012-08-31 20:45:29.0000000'

    # The BootExecute value gets its own event type. Invoked directly rather
    # than through the Windows Registry parser, so parser is the plugin name.
    # NOTE(review): only the stock-looking 'autocheck autochk *' value is
    # exercised; a non-default BootExecute value (the boot-time persistence
    # case an analyst looks for) is not covered here.
    self.CheckEventValues(storage_writer, events[0], {
        'date_time': expected_date_time,
        'data_type': 'windows:registry:boot_execute',
        'key_path': key_path,
        'parser': plugin.NAME,
        'value': 'autocheck autochk *'})

    # Every other value of the key is folded into a single key_value event.
    remaining_values = ' '.join([
        'CriticalSectionTimeout: [REG_SZ] 2592000',
        'ExcludeFromKnownDlls: [REG_MULTI_SZ] []',
        'GlobalFlag: [REG_SZ] 0',
        'HeapDeCommitFreeBlockThreshold: [REG_SZ] 0',
        'HeapDeCommitTotalFreeThreshold: [REG_SZ] 0',
        'HeapSegmentCommit: [REG_SZ] 0',
        'HeapSegmentReserve: [REG_SZ] 0',
        'NumberOfInitialSessions: [REG_SZ] 2'])
    self.CheckEventValues(storage_writer, events[1], {
        'date_time': expected_date_time,
        'data_type': 'windows:registry:key_value',
        'key_path': key_path,
        'values': remaining_values})
    def testProcess(self):
        """Tests the Process function against a synthetic Session Manager key."""
        key_path = (
            'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\Session Manager'
        )
        time_string = '2012-08-31 20:45:29'
        registry_key = self._CreateTestKey(key_path, time_string)

        plugin = lfu.BootExecutePlugin()
        storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

        # One boot_execute event plus one key_value event for the other values.
        self.assertEqual(storage_writer.number_of_events, 2)

        events = list(storage_writer.GetEvents())

        # First event: the BootExecute value itself. Invoked directly rather
        # than through the Windows Registry parser, so the parser attribute
        # carries the plugin name.
        boot_execute_event = events[0]
        self.assertEqual(boot_execute_event.parser, plugin.plugin_name)
        self.assertEqual(
            boot_execute_event.timestamp,
            timelib.Timestamp.CopyFromString(time_string))

        # NOTE(review): only the stock-looking 'autocheck autochk *' value is
        # exercised; a non-default BootExecute value is not covered here.
        boot_execute_message = (
            '[{0:s}] BootExecute: autocheck autochk *').format(key_path)
        self._TestGetMessageStrings(
            boot_execute_event, boot_execute_message,
            '{0:s}...'.format(boot_execute_message[:77]))

        # Second event: every other value of the key, joined into one message.
        key_value_event = events[1]
        remaining_values = ' '.join([
            'CriticalSectionTimeout: 2592000',
            'ExcludeFromKnownDlls: []',
            'GlobalFlag: 0',
            'HeapDeCommitFreeBlockThreshold: 0',
            'HeapDeCommitTotalFreeThreshold: 0',
            'HeapSegmentCommit: 0',
            'HeapSegmentReserve: 0',
            'NumberOfInitialSessions: 2'])
        key_value_message = '[{0:s}] {1:s}'.format(key_path, remaining_values)
        self._TestGetMessageStrings(
            key_value_event, key_value_message,
            '{0:s}...'.format(key_value_message[:77]))
 def setUp(self):
     """Creates the BootExecute plugin instance shared by the tests."""
     plugin = lfu.BootExecutePlugin()
     self._plugin = plugin
 def setUp(self):
   """Instantiates the BootExecute plugin used by every test in this case."""
   plugin = lfu.BootExecutePlugin()
   self._plugin = plugin