def test_ntuser_apply_transaction_logs(transaction_ntuser, transaction_log):
output_path = os.path.join(mkdtemp(), 'recovered_hive.dat')
restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(
transaction_ntuser, transaction_log, restored_hive_path=output_path)
assert recovered_dirty_pages_count == 132
found_differences = compare_hives(transaction_ntuser, restored_hive_path)
assert len(found_differences) == 588
assert len([x for x in found_differences if x[0] == 'new_subkey']) == 527
assert len([x for x in found_differences if x[0] == 'new_value']) == 60
def test_system_apply_transaction_logs(transaction_system, transaction_log_1, transaction_log_2):
output_path = os.path.join(mkdtemp(), 'recovered_hive.dat')
restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(transaction_system,
primary_log_path=transaction_log_1,
secondary_log_path=transaction_log_2,
restored_hive_path=output_path)
assert recovered_dirty_pages_count == 315
found_differences = compare_hives(transaction_system, restored_hive_path)
assert len(found_differences) == 2486
assert len([x for x in found_differences if x[0] == 'new_subkey']) == 2472
assert len([x for x in found_differences if x[0] == 'new_value']) == 13
def test_system_apply_transaction_logs_2(transaction_usrclass, usrclass_tr_log_1, usrclass_tr_log_2):
output_path = os.path.join(mkdtemp(), 'recovered_hive.dat')
restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(transaction_usrclass,
primary_log_path=usrclass_tr_log_1,
secondary_log_path=usrclass_tr_log_2,
restored_hive_path=output_path)
assert recovered_dirty_pages_count == 158
found_differences = compare_hives(transaction_usrclass, restored_hive_path)
assert len(found_differences) == 73
assert len([x for x in found_differences if x[0] == 'new_subkey']) == 33
assert len([x for x in found_differences if x[0] == 'new_value']) == 40
def test_ntuser_apply_transaction_logs(transaction_ntuser, transaction_log):
output_path = os.path.join(mkdtemp(), 'recovered_hive.dat')
restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(
transaction_ntuser, transaction_log, restored_hive_path=output_path)
assert recovered_dirty_pages_count == 132
found_differences = compare_hives(transaction_ntuser, restored_hive_path)
assert len(found_differences) == 587
assert len([x for x in found_differences if x[0] == 'new_subkey']) == 527
assert len([x for x in found_differences if x[0] == 'new_value']) == 59
# TODO:
# Have a REG file of a couple of registry hives, and compare with output of regipy
def parse_transaction_log(hive_path, primary_log_path, secondary_log_path, output_path, verbose):
with logbook.NestedSetup(_get_log_handlers(verbose=verbose)).applicationbound():
logger.info(f'Processing hive {hive_path} with transaction log {primary_log_path}')
if secondary_log_path:
logger.info(f'Processing hive {hive_path} with secondary transaction log {primary_log_path}')
restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(hive_path, primary_log_path,
secondary_log_path=secondary_log_path,
restored_hive_path=output_path,
verbose=verbose)
if recovered_dirty_pages_count:
click.secho(
f'Recovered {recovered_dirty_pages_count} dirty pages. Restored hive is at {restored_hive_path}',
fg='green')
def parse_transaction_log(hive_path, primary_log_path, secondary_log_path,
output_path, verbose):
_setup_logging(verbose=verbose)
logger.info(
f'Processing hive {hive_path} with transaction log {primary_log_path}')
if secondary_log_path:
logger.info(
f'Processing hive {hive_path} with secondary transaction log {primary_log_path}'
)
restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(
hive_path,
primary_log_path,
secondary_log_path=secondary_log_path,
restored_hive_path=output_path,
verbose=verbose)
if recovered_dirty_pages_count:
click.secho(
f'Recovered {recovered_dirty_pages_count} dirty pages. Restored hive is at {restored_hive_path}',
fg='green')
