def testProcessStartPage2(self):
"""Tests the Process function on a StartPage2 key."""
test_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\StartPage2')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = programscache.ExplorerProgramsCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 118)
events = list(storage_writer.GetEvents())
event = events[0]
expected_parser = 'explorer_programscache/shell_items'
self.assertEqual(event.parser, expected_parser)
self.CheckTimestamp(event.timestamp, '2010-11-10 07:50:38.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_CREATION)
expected_data_type = 'windows:shell_item:file_entry'
self.assertEqual(event.data_type, expected_data_type)
def testProcessStartPage2(self):
"""Tests the Process function on a StartPage2 key."""
test_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\StartPage2')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = programscache.ExplorerProgramsCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_events, 118)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'date_time': '2010-11-10 07:50:38',
'data_type': 'windows:shell_item:file_entry',
'origin': '{0:s} ProgramsCache'.format(key_path),
'parser': 'explorer_programscache/shell_items',
'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testFilters(self):
"""Tests the FILTERS class attribute."""
plugin = programscache.ExplorerProgramsCacheWindowsRegistryPlugin()
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\StartPage')
self._AssertFiltersOnKeyPath(plugin, key_path)
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\StartPage2')
self._AssertFiltersOnKeyPath(plugin, key_path)
self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
def testProcessStartPage(self):
"""Tests the Process function on a StartPage key."""
test_file_entry = self._GetTestFileEntry(['NTUSER.DAT'])
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\StartPage')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = programscache.ExplorerProgramsCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 77)
events = list(storage_writer.GetEvents())
# The ProgramsCache entry shell item event.
event = events[0]
expected_parser = 'explorer_programscache/shell_items'
self.assertEqual(event.parser, expected_parser)
self.CheckTimestamp(event.timestamp, '2009-08-04 15:12:24.000000')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_CREATION)
expected_data_type = 'windows:shell_item:file_entry'
self.assertEqual(event.data_type, expected_data_type)
expected_message = ('Name: Programs '
'Long name: Programs '
'Localized name: @shell32.dll,-21782 '
'Shell item path: Programs '
'Origin: {0:s} ProgramsCache').format(key_path)
expected_short_message = (
'Name: Programs '
'Origin: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\'
'CurrentVe...')
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
# The ProgramsCache list event.
event = events[75]
expected_parser = 'explorer_programscache'
self.assertEqual(event.parser, expected_parser)
self.CheckTimestamp(event.timestamp, '2009-08-04 15:22:18.419625')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_WRITTEN)
expected_data_type = 'windows:registry:list'
self.assertEqual(event.data_type, expected_data_type)
expected_message = (
'Key: {0:s} '
'Value: ProgramsCache '
'List: ProgramsCache ['
'0: Programs '
'1: Internet Explorer.lnk '
'2: Outlook Express.lnk '
'3: Remote Assistance.lnk '
'4: Windows Media Player.lnk '
'5: Programs Accessories '
'6: Address Book.lnk '
'7: Command Prompt.lnk '
'8: Notepad.lnk '
'9: Program Compatibility Wizard.lnk '
'10: Synchronize.lnk '
'11: Tour Windows XP.lnk '
'12: Windows Explorer.lnk '
'13: Programs Accessories\\Accessibility '
'14: Magnifier.lnk '
'15: Narrator.lnk '
'16: On-Screen Keyboard.lnk '
'17: Utility Manager.lnk '
'18: Programs Accessories\\System Tools '
'19: Internet Explorer (No Add-ons).lnk]').format(key_path)
expected_short_message = '{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
# The Windows Registry key event.
event = events[76]
expected_parser = 'explorer_programscache'
self.assertEqual(event.parser, expected_parser)
self.CheckTimestamp(event.timestamp, '2009-08-04 15:22:18.419625')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_WRITTEN)
expected_data_type = 'windows:registry:key_value'
self.assertEqual(event.data_type, expected_data_type)
def testProcessStartPage(self):
"""Tests the Process function on a StartPage key."""
test_file_entry = self._GetTestFileEntry(['NTUSER.DAT'])
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\StartPage')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = programscache.ExplorerProgramsCacheWindowsRegistryPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_events, 77)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
# The ProgramsCache entry shell item event.
expected_event_values = {
'date_time': '2009-08-04 15:12:24',
'data_type': 'windows:shell_item:file_entry',
'localized_name': '@shell32.dll,-21782',
'long_name': 'Programs',
'name': 'Programs',
'origin': '{0:s} ProgramsCache'.format(key_path),
'parser': 'explorer_programscache/shell_items',
'shell_item_path': 'Programs',
'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
# The ProgramsCache list event.
expected_entries = ('0: Programs '
'1: Internet Explorer.lnk '
'2: Outlook Express.lnk '
'3: Remote Assistance.lnk '
'4: Windows Media Player.lnk '
'5: Programs Accessories '
'6: Address Book.lnk '
'7: Command Prompt.lnk '
'8: Notepad.lnk '
'9: Program Compatibility Wizard.lnk '
'10: Synchronize.lnk '
'11: Tour Windows XP.lnk '
'12: Windows Explorer.lnk '
'13: Programs Accessories\\Accessibility '
'14: Magnifier.lnk '
'15: Narrator.lnk '
'16: On-Screen Keyboard.lnk '
'17: Utility Manager.lnk '
'18: Programs Accessories\\System Tools '
'19: Internet Explorer (No Add-ons).lnk')
expected_event_values = {
'date_time': '2009-08-04 15:22:18.4196250',
'data_type': 'windows:registry:explorer:programcache',
'entries': expected_entries,
'key_path': key_path,
'parser': 'explorer_programscache',
'timestamp_desc': definitions.TIME_DESCRIPTION_WRITTEN
}
self.CheckEventValues(storage_writer, events[75],
expected_event_values)
# The Windows Registry key event.
expected_values = ('Favorites: [REG_BINARY] (55 bytes) '
'FavoritesChanges: [REG_DWORD_LE] 1 '
'FavoritesResolve: [REG_BINARY] (8 bytes) '
'StartMenu_Balloon_Time: [REG_BINARY] (8 bytes) '
'StartMenu_Start_Time: [REG_BINARY] (8 bytes)')
expected_event_values = {
'date_time': '2009-08-04 15:22:18.4196250',
'data_type': 'windows:registry:key_value',
'key_path': key_path,
'parser': 'explorer_programscache',
'timestamp_desc': definitions.TIME_DESCRIPTION_WRITTEN,
'values': expected_values
}
self.CheckEventValues(storage_writer, events[76],
expected_event_values)
