def PrecacheSids(self):
    """Populate the shared SID cache with every name we are able to resolve.

    Three sources are merged into ``self.context["sid_cache"]``, in this
    order, so a later source silently overwrites an earlier entry with the
    same key:

    1. The static ``getsids.well_known_sids`` table.
    2. One entry per subkey of ``ProfileList`` in each hive listed in
       ``self.hive_offsets``: the subkey name is the key and the last path
       component of its ``ProfileImagePath`` value is the display name.
    3. Service SIDs from the ``getservicesids`` plugin, labelled
       ``"(Service: <name>)"``.

    Returns:
        None.  The cache dictionary is mutated in place.
    """
    cache = self.context["sid_cache"]
    cache.update(getsids.well_known_sids)

    profile_list_path = 'Microsoft\\Windows NT\\CurrentVersion\\ProfileList'
    for offset in self.hive_offsets:
        # NOTE(review): find_count_keys passes session=self.session to
        # HiveAddressSpace and this call does not -- confirm which form the
        # constructor expects.
        hive_space = registry.HiveAddressSpace(
            base=self.kernel_address_space,
            hive_addr=offset,
            profile=self.profile)
        hive = registry.Registry(profile=self.profile,
                                 address_space=hive_space)

        # The user name is taken from the profile directory name rather
        # than from the SAM, so it reflects how the profile was created,
        # not necessarily the account's current name.  Treat these labels
        # as a hint when attributing activity; the SAM is authoritative.
        for entry in hive.open_key(profile_list_path).subkeys():
            image_path = entry.open_value("ProfileImagePath").DecodedData
            if not image_path:
                continue
            cache[utils.SmartUnicode(entry.Name)] = utils.SmartUnicode(
                ntpath.basename(image_path))

    service_plugin = self.get_plugin("getservicesids")
    for sid, service_name in service_plugin.get_service_sids():
        cache[sid] = "(Service: %s)" % service_name
def find_count_keys(self):
    """Yield the UserAssist ``Count`` keys found in every hive.

    Each hive in ``self.hive_offsets`` is opened through a
    ``registry.HiveAddressSpace`` and its
    ``software\\microsoft\\windows\\currentversion\\explorer\\userassist\\``
    key is walked; for every subkey of that key, its ``Count`` child is
    yielded together with the ``Registry`` object it was read from, so the
    caller can keep resolving values against the same hive.

    Yields:
        tuple: ``(registry.Registry, count_key)`` where ``count_key`` is the
        result of ``open_subkey("Count")`` on one UserAssist subkey.
    """
    userassist_path = ("software\\microsoft\\windows\\currentversion\\"
                       "explorer\\userassist\\")
    for offset in self.hive_offsets:
        hive_space = registry.HiveAddressSpace(
            base=self.kernel_address_space,
            session=self.session,
            hive_addr=offset,
            profile=self.profile)
        hive = registry.Registry(profile=self.profile,
                                 address_space=hive_space)

        userassist = hive.open_key(userassist_path)
        for child in userassist.subkeys():
            yield hive, child.open_subkey("Count")