def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Servers'
values = []
values.append(
dfwinreg_test_lib.TestRegValue(
u'UsernameHint',
u'DOMAIN\\username'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ,
offset=1892))
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-28 09:23:49.002031')
server_key_path = (
u'\\Software\\Microsoft\\Terminal Server Client\\Servers\\myserver.com'
)
server_key = dfwinreg_test_lib.TestRegKey(server_key_path,
expected_timestamp,
values,
offset=1456)
winreg_key = dfwinreg_test_lib.TestRegKey(key_path,
expected_timestamp,
None,
offset=865,
subkeys=[server_key])
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = u'[{0:s}] UsernameHint: DOMAIN\\username'.format(
key_path)
expected_msg_short = (
u'[{0:s}] UsernameHint: DOMAIN\\use...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRU'
values = []
values.append(
dfwinreg_test_lib.TestRegValue(u'MRUList',
u'acb'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ,
offset=123))
values.append(
dfwinreg_test_lib.TestRegValue(
u'a',
u'Some random text here'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ,
offset=1892))
values.append(
dfwinreg_test_lib.TestRegValue(u'b',
u'c:/evil.exe'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_BINARY,
offset=612))
values.append(
dfwinreg_test_lib.TestRegValue(
u'c',
u'C:/looks_legit.exe'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ,
offset=1001))
timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-28 09:23:49.002031')
winreg_key = dfwinreg_test_lib.TestRegKey(key_path, timestamp, values,
1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-28 09:23:49.002031')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}] '
u'Index: 1 [MRU Value a]: Some random text here '
u'Index: 2 [MRU Value c]: C:/looks_legit.exe '
u'Index: 3 [MRU Value b]: c:/evil.exe').format(key_path)
expected_msg_short = (
u'[{0:s}] Index: 1 [MRU Value a]: Some ran...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\WinRAR\\ArcHistory'
values = []
value_data = u'C:\\Downloads\\The Sleeping Dragon CD1.iso'.encode(
u'utf_16_le')
values.append(
dfwinreg_test_lib.TestRegValue(u'0',
value_data,
dfwinreg_definitions.REG_SZ,
offset=1892))
value_data = u'C:\\Downloads\\plaso-static.rar'.encode(u'utf_16_le')
values.append(
dfwinreg_test_lib.TestRegValue(u'1',
value_data,
dfwinreg_definitions.REG_SZ,
offset=612))
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-28 09:23:49.002031')
winreg_key = dfwinreg_test_lib.TestRegKey(key_path,
expected_timestamp,
values,
offset=1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 2)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_string = (
u'[{0:s}] 0: C:\\Downloads\\The Sleeping Dragon CD1.iso'
).format(key_path)
self._TestGetMessageStrings(event_object, expected_string,
expected_string)
event_object = event_objects[1]
self.assertEqual(event_object.timestamp, 0)
expected_string = u'[{0:s}] 1: C:\\Downloads\\plaso-static.rar'.format(
key_path)
self._TestGetMessageStrings(event_object, expected_string,
expected_string)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Default'
values = []
values.append(
dfwinreg_test_lib.TestRegValue(
u'MRU0',
u'192.168.16.60'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ,
offset=1892))
values.append(
dfwinreg_test_lib.TestRegValue(
u'MRU1', u'computer.domain.com'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ, 612))
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-28 09:23:49.002031')
winreg_key = dfwinreg_test_lib.TestRegKey(key_path, expected_timestamp,
values, 1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 2)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path)
expected_msg_short = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
event_object = event_objects[1]
self.assertEqual(event_object.timestamp, 0)
expected_msg = u'[{0:s}] MRU1: computer.domain.com'.format(key_path)
expected_msg_short = u'[{0:s}] MRU1: computer.domain.com'.format(
key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def _CreateTestAppCompatCache(self, time_string, binary_data):
"""Creates a AppCompatCache Registry key and value for testing.
Args:
time_string: string containing the key last written date and time.
binary_data: the binary data of the AppCompatCache Registry value.
Returns:
A Windows Registry key object (instance of TestRegKey).
"""
key_path = u'\\ControlSet001\\Control\\Session Manager\\AppCompatCache'
timestamp = timelib.Timestamp.CopyFromString(time_string)
values = [
dfwinreg_test_lib.TestRegValue(u'AppCompatCache', binary_data,
dfwinreg_definitions.REG_BINARY)
]
return dfwinreg_test_lib.TestRegKey(key_path,
timestamp,
values,
offset=1456)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\Software\\Microsoft\\Office\\15.0\\Outlook\\Search'
values = []
values.append(
dfwinreg_test_lib.TestRegValue(
(u'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\'
u'*****@*****.**'),
b'\xcf\x2b\x37\x00',
dfwinreg_definitions.REG_DWORD,
offset=1892))
winreg_key = dfwinreg_test_lib.TestRegKey(key_path, 1346145829002031,
values, 1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
expected_msg = (
u'[{0:s}] '
u'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\'
u'[email protected]: 0x00372bcf').format(key_path)
expected_msg_short = u'[{0:s}] C:\\Users\\username\\AppData\\Lo...'.format(
key_path)
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
self.assertEqual(event_object.timestamp, 1346145829002031)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\ControlSet001\\Control\\BootVerificationProgram'
values = []
value_data = u'C:\\WINDOWS\\system32\\googleupdater.exe'.encode(
u'utf_16_le')
values.append(dfwinreg_test_lib.TestRegValue(
u'ImagePath', value_data, dfwinreg_definitions.REG_SZ, offset=123))
timestamp = timelib.Timestamp.CopyFromString(u'2012-08-31 20:45:29')
winreg_key = dfwinreg_test_lib.TestRegKey(key_path, timestamp, values, 153)
knowledge_base_values = {u'current_control_set': u'ControlSet001'}
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key, knowledge_base_values=knowledge_base_values)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-31 20:45:29')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}] '
u'ImagePath: C:\\WINDOWS\\system32\\googleupdater.exe').format(
key_path)
expected_msg_short = (
u'[{0:s}] ImagePath: C:\\WINDOWS\\system...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = u'\\ControlSet001\\Control\\Session Manager'
values = []
value_data = u'autocheck autochk *\x00'.encode(u'utf_16_le')
values.append(dfwinreg_test_lib.TestRegValue(
u'BootExecute', value_data, dfwinreg_definitions.REG_MULTI_SZ,
offset=123))
value_data = u'2592000'.encode(u'utf_16_le')
values.append(dfwinreg_test_lib.TestRegValue(
u'CriticalSectionTimeout', value_data, dfwinreg_definitions.REG_SZ,
offset=153))
value_data = u'\x00'.encode(u'utf_16_le')
values.append(dfwinreg_test_lib.TestRegValue(
u'ExcludeFromKnownDlls', value_data, dfwinreg_definitions.REG_MULTI_SZ,
offset=163))
value_data = u'0'.encode(u'utf_16_le')
values.append(dfwinreg_test_lib.TestRegValue(
u'GlobalFlag', value_data, dfwinreg_definitions.REG_SZ, offset=173))
value_data = u'0'.encode(u'utf_16_le')
values.append(dfwinreg_test_lib.TestRegValue(
u'HeapDeCommitFreeBlockThreshold', value_data,
dfwinreg_definitions.REG_SZ, offset=183))
value_data = u'0'.encode(u'utf_16_le')
values.append(dfwinreg_test_lib.TestRegValue(
u'HeapDeCommitTotalFreeThreshold', value_data,
dfwinreg_definitions.REG_SZ, offset=203))
value_data = u'0'.encode(u'utf_16_le')
values.append(dfwinreg_test_lib.TestRegValue(
u'HeapSegmentCommit', value_data, dfwinreg_definitions.REG_SZ,
offset=213))
value_data = u'0'.encode(u'utf_16_le')
values.append(dfwinreg_test_lib.TestRegValue(
u'HeapSegmentReserve', value_data, dfwinreg_definitions.REG_SZ,
offset=223))
value_data = u'2'.encode(u'utf_16_le')
values.append(dfwinreg_test_lib.TestRegValue(
u'NumberOfInitialSessions', value_data, dfwinreg_definitions.REG_SZ,
offset=243))
timestamp = timelib.Timestamp.CopyFromString(u'2012-08-31 20:45:29')
winreg_key = dfwinreg_test_lib.TestRegKey(key_path, timestamp, values, 153)
knowledge_base_values = {u'current_control_set': u'ControlSet001'}
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key, knowledge_base_values=knowledge_base_values)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 2)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-31 20:45:29')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_string = (
u'[{0:s}] BootExecute: autocheck autochk *').format(key_path)
self._TestGetMessageStrings(event_object, expected_string, expected_string)
event_object = event_objects[1]
expected_msg = (
u'[{0:s}] '
u'CriticalSectionTimeout: 2592000 '
u'ExcludeFromKnownDlls: [] '
u'GlobalFlag: 0 '
u'HeapDeCommitFreeBlockThreshold: 0 '
u'HeapDeCommitTotalFreeThreshold: 0 '
u'HeapSegmentCommit: 0 '
u'HeapSegmentReserve: 0 '
u'NumberOfInitialSessions: 2').format(key_path)
expected_msg_short = (
u'[{0:s}] CriticalSectionTimeout: 2592000 Excl...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self):
"""Tests the Process function on a virtual key."""
key_path = u'\\ControlSet001\\services\\TestDriver'
values = []
values.append(dfwinreg_test_lib.TestRegValue(
u'Type', b'\x02\x00\x00\x00', dfwinreg_definitions.REG_DWORD,
offset=123))
values.append(dfwinreg_test_lib.TestRegValue(
u'Start', b'\x02\x00\x00\x00', dfwinreg_definitions.REG_DWORD,
offset=127))
values.append(dfwinreg_test_lib.TestRegValue(
u'ErrorControl', b'\x01\x00\x00\x00', dfwinreg_definitions.REG_DWORD,
offset=131))
values.append(dfwinreg_test_lib.TestRegValue(
u'Group', u'Pnp Filter'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ, offset=140))
values.append(dfwinreg_test_lib.TestRegValue(
u'DisplayName', u'Test Driver'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ, offset=160))
values.append(dfwinreg_test_lib.TestRegValue(
u'DriverPackageId',
u'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ, offset=180))
values.append(dfwinreg_test_lib.TestRegValue(
u'ImagePath', u'C:\\Dell\\testdriver.sys'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ, offset=200))
timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-28 09:23:49.002031')
winreg_key = dfwinreg_test_lib.TestRegKey(
key_path, timestamp, values, 1456)
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 1)
event_object = event_objects[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-28 09:23:49.002031')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}] '
u'DisplayName: Test Driver '
u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 '
u'ErrorControl: Normal (1) '
u'Group: Pnp Filter '
u'ImagePath: C:\\Dell\\testdriver.sys '
u'Start: Auto Start (2) '
u'Type: File System Driver (0x2)').format(key_path)
expected_msg_short = (
u'[{0:s}] '
u'DisplayName: Test Driver '
u'DriverPackageId...').format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcessMock(self):
"""Tests the Process function on created key."""
knowledge_base_values = {u'current_control_set': u'ControlSet001'}
key_path = u'\\ControlSet001\\Control\\TimeZoneInformation'
values = []
values.append(
dfwinreg_test_lib.TestRegValue(
u'ActiveTimeBias', b'\xff\xff\xff\xc4',
dfwinreg_definitions.REG_DWORD_BIG_ENDIAN))
values.append(
dfwinreg_test_lib.TestRegValue(
u'Bias', b'\xff\xff\xff\xc4',
dfwinreg_definitions.REG_DWORD_BIG_ENDIAN))
values.append(
dfwinreg_test_lib.TestRegValue(
u'DaylightBias', b'\xff\xff\xff\xc4',
dfwinreg_definitions.REG_DWORD_BIG_ENDIAN))
values.append(
dfwinreg_test_lib.TestRegValue(
u'DaylightName', u'@tzres.dll,-321'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ))
value_data = (
b'\x00\x00\x03\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00'
)
values.append(
dfwinreg_test_lib.TestRegValue(u'DaylightStart', value_data,
dfwinreg_definitions.REG_BINARY))
values.append(
dfwinreg_test_lib.TestRegValue(
u'DynamicDaylightTimeDisabled', b'\x00\x00\x00\x00',
dfwinreg_definitions.REG_DWORD_BIG_ENDIAN))
values.append(
dfwinreg_test_lib.TestRegValue(
u'StandardBias', b'\x00\x00\x00\x00',
dfwinreg_definitions.REG_DWORD_BIG_ENDIAN))
values.append(
dfwinreg_test_lib.TestRegValue(
u'StandardName', u'@tzres.dll,-322'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ))
value_data = (
b'\x00\x00\x0A\x00\x05\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00'
)
values.append(
dfwinreg_test_lib.TestRegValue(u'StandardStart', value_data,
dfwinreg_definitions.REG_BINARY))
values.append(
dfwinreg_test_lib.TestRegValue(
u'TimeZoneKeyName',
u'W. Europe Standard Time'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ))
timestamp = timelib.Timestamp.CopyFromString(u'2013-01-30 10:47:57')
winreg_key = dfwinreg_test_lib.TestRegKey(key_path, timestamp, values,
153)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin,
winreg_key,
knowledge_base_values=knowledge_base_values)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 1)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2013-01-30 10:47:57')
self.assertEqual(event_objects[0].timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}] '
u'ActiveTimeBias: -60 '
u'Bias: -60 '
u'DaylightBias: -60 '
u'DaylightName: @tzres.dll,-321 '
u'DynamicDaylightTimeDisabled: 0 '
u'StandardBias: 0 '
u'StandardName: @tzres.dll,-322 '
u'TimeZoneKeyName: W. Europe Standard Time').format(key_path)
expected_msg_short = (u'[{0:s}] '
u'ActiveTimeBias: -60 '
u'Bias: -60 '
u'Da...').format(key_path)
self._TestGetMessageStrings(event_objects[0], expected_msg,
expected_msg_short)
def testProcess(self):
"""Tests the Process function."""
key_path = (
u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\'
u'DesktopStreamMRU')
values = []
data = b''.join(
map(chr, [
0x14, 0x00, 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a,
0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d,
0x19, 0x00, 0x23, 0x43, 0x3a, 0x5c, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x11, 0xee, 0x15, 0x00, 0x31, 0x00, 0x00,
0x00, 0x00, 0x00, 0x2e, 0x3e, 0x7a, 0x60, 0x10, 0x80, 0x57,
0x69, 0x6e, 0x6e, 0x74, 0x00, 0x00, 0x18, 0x00, 0x31, 0x00,
0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00,
0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x00, 0x00,
0x25, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e,
0xe4, 0x62, 0x10, 0x00, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x69,
0x73, 0x74, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x41, 0x44,
0x4d, 0x49, 0x4e, 0x49, 0x7e, 0x31, 0x00, 0x17, 0x00, 0x31,
0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10,
0x00, 0x44, 0x65, 0x73, 0x6b, 0x74, 0x6f, 0x70, 0x00, 0x00,
0x00, 0x00
]))
values.append(
dfwinreg_test_lib.TestRegValue(u'MRUList',
u'a'.encode(u'utf_16_le'),
dfwinreg_definitions.REG_SZ,
offset=123))
values.append(
dfwinreg_test_lib.TestRegValue(u'a',
data,
dfwinreg_definitions.REG_BINARY,
offset=612))
timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-28 09:23:49.002031')
winreg_key = dfwinreg_test_lib.TestRegKey(key_path, timestamp, values,
1456)
event_queue_consumer = self._ParseKeyWithPlugin(
self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 5)
# A MRUList event object.
event_object = event_objects[4]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-08-28 09:23:49.002031')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = (
u'[{0:s}] '
u'Index: 1 [MRU Value a]: Shell item path: '
u'<My Computer> C:\\Winnt\\Profiles\\Administrator\\Desktop'
).format(key_path)
expected_msg_short = u'[{0:s}] Index:...'.format(key_path)
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)
# A shell item event object.
event_object = event_objects[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2011-01-14 12:03:52')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_msg = (u'Name: Winnt '
u'Shell item path: <My Computer> C:\\Winnt '
u'Origin: {0:s}').format(key_path)
expected_msg_short = (
u'Name: Winnt '
u'Origin: \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\'
u'Deskt...')
self._TestGetMessageStrings(event_object, expected_msg,
expected_msg_short)