Example #1
0
    def testProcess(self):
        """Tests the Process function."""
        key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRU'
        values = []

        values.append(
            dfwinreg_test_lib.TestRegValue(u'MRUList',
                                           u'acb'.encode(u'utf_16_le'),
                                           dfwinreg_definitions.REG_SZ,
                                           offset=123))
        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'a',
                u'Some random text here'.encode(u'utf_16_le'),
                dfwinreg_definitions.REG_SZ,
                offset=1892))
        values.append(
            dfwinreg_test_lib.TestRegValue(u'b',
                                           u'c:/evil.exe'.encode(u'utf_16_le'),
                                           dfwinreg_definitions.REG_BINARY,
                                           offset=612))
        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'c',
                u'C:/looks_legit.exe'.encode(u'utf_16_le'),
                dfwinreg_definitions.REG_SZ,
                offset=1001))

        timestamp = timelib.Timestamp.CopyFromString(
            u'2012-08-28 09:23:49.002031')
        winreg_key = dfwinreg_test_lib.TestRegKey(key_path, timestamp, values,
                                                  1456)

        event_queue_consumer = self._ParseKeyWithPlugin(
            self._plugin, winreg_key)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        self.assertEqual(len(event_objects), 1)

        event_object = event_objects[0]

        # This should just be the plugin name, as we're invoking it directly,
        # and not through the parser.
        self.assertEqual(event_object.parser, self._plugin.plugin_name)

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2012-08-28 09:23:49.002031')
        self.assertEqual(event_object.timestamp, expected_timestamp)

        expected_msg = (
            u'[{0:s}] '
            u'Index: 1 [MRU Value a]: Some random text here '
            u'Index: 2 [MRU Value c]: C:/looks_legit.exe '
            u'Index: 3 [MRU Value b]: c:/evil.exe').format(key_path)

        expected_msg_short = (
            u'[{0:s}] Index: 1 [MRU Value a]: Some ran...').format(key_path)

        self._TestGetMessageStrings(event_object, expected_msg,
                                    expected_msg_short)
Example #2
0
    def testProcess(self):
        """Tests the Process function."""
        key_path = u'\\Software\\WinRAR\\ArcHistory'

        values = []

        value_data = u'C:\\Downloads\\The Sleeping Dragon CD1.iso'.encode(
            u'utf_16_le')
        values.append(
            dfwinreg_test_lib.TestRegValue(u'0',
                                           value_data,
                                           dfwinreg_definitions.REG_SZ,
                                           offset=1892))

        value_data = u'C:\\Downloads\\plaso-static.rar'.encode(u'utf_16_le')
        values.append(
            dfwinreg_test_lib.TestRegValue(u'1',
                                           value_data,
                                           dfwinreg_definitions.REG_SZ,
                                           offset=612))

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2012-08-28 09:23:49.002031')

        winreg_key = dfwinreg_test_lib.TestRegKey(key_path,
                                                  expected_timestamp,
                                                  values,
                                                  offset=1456)

        event_queue_consumer = self._ParseKeyWithPlugin(
            self._plugin, winreg_key)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        self.assertEqual(len(event_objects), 2)

        event_object = event_objects[0]

        # This should just be the plugin name, as we're invoking it directly,
        # and not through the parser.
        self.assertEqual(event_object.parser, self._plugin.plugin_name)

        self.assertEqual(event_object.timestamp, expected_timestamp)

        expected_string = (
            u'[{0:s}] 0: C:\\Downloads\\The Sleeping Dragon CD1.iso'
        ).format(key_path)
        self._TestGetMessageStrings(event_object, expected_string,
                                    expected_string)

        event_object = event_objects[1]

        self.assertEqual(event_object.timestamp, 0)

        expected_string = u'[{0:s}] 1: C:\\Downloads\\plaso-static.rar'.format(
            key_path)
        self._TestGetMessageStrings(event_object, expected_string,
                                    expected_string)
Example #3
0
    def testProcess(self):
        """Tests the Process function."""
        key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Default'
        values = []

        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'MRU0',
                u'192.168.16.60'.encode(u'utf_16_le'),
                dfwinreg_definitions.REG_SZ,
                offset=1892))
        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'MRU1', u'computer.domain.com'.encode(u'utf_16_le'),
                dfwinreg_definitions.REG_SZ, 612))

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2012-08-28 09:23:49.002031')
        winreg_key = dfwinreg_test_lib.TestRegKey(key_path, expected_timestamp,
                                                  values, 1456)

        event_queue_consumer = self._ParseKeyWithPlugin(
            self._plugin, winreg_key)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        self.assertEqual(len(event_objects), 2)

        event_object = event_objects[0]

        # This should just be the plugin name, as we're invoking it directly,
        # and not through the parser.
        self.assertEqual(event_object.parser, self._plugin.plugin_name)

        self.assertEqual(event_object.timestamp, expected_timestamp)

        expected_msg = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path)
        expected_msg_short = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path)

        self._TestGetMessageStrings(event_object, expected_msg,
                                    expected_msg_short)

        event_object = event_objects[1]

        self.assertEqual(event_object.timestamp, 0)

        expected_msg = u'[{0:s}] MRU1: computer.domain.com'.format(key_path)
        expected_msg_short = u'[{0:s}] MRU1: computer.domain.com'.format(
            key_path)

        self._TestGetMessageStrings(event_object, expected_msg,
                                    expected_msg_short)
Example #4
0
    def testProcess(self):
        """Tests the Process function."""
        key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Servers'
        values = []

        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'UsernameHint',
                u'DOMAIN\\username'.encode(u'utf_16_le'),
                dfwinreg_definitions.REG_SZ,
                offset=1892))

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2012-08-28 09:23:49.002031')

        server_key_path = (
            u'\\Software\\Microsoft\\Terminal Server Client\\Servers\\myserver.com'
        )
        server_key = dfwinreg_test_lib.TestRegKey(server_key_path,
                                                  expected_timestamp,
                                                  values,
                                                  offset=1456)

        winreg_key = dfwinreg_test_lib.TestRegKey(key_path,
                                                  expected_timestamp,
                                                  None,
                                                  offset=865,
                                                  subkeys=[server_key])

        event_queue_consumer = self._ParseKeyWithPlugin(
            self._plugin, winreg_key)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        self.assertEqual(len(event_objects), 1)

        event_object = event_objects[0]

        # This should just be the plugin name, as we're invoking it directly,
        # and not through the parser.
        self.assertEqual(event_object.parser, self._plugin.plugin_name)

        self.assertEqual(event_object.timestamp, expected_timestamp)

        expected_msg = u'[{0:s}] UsernameHint: DOMAIN\\username'.format(
            key_path)
        expected_msg_short = (
            u'[{0:s}] UsernameHint: DOMAIN\\use...').format(key_path)

        self._TestGetMessageStrings(event_object, expected_msg,
                                    expected_msg_short)
Example #5
0
    def _CreateTestAppCompatCache(self, time_string, binary_data):
        """Creates a AppCompatCache Registry key and value for testing.

    Args:
      time_string: string containing the key last written date and time.
      binary_data: the binary data of the AppCompatCache Registry value.

    Returns:
      A Windows Registry key object (instance of TestRegKey).
    """
        key_path = u'\\ControlSet001\\Control\\Session Manager\\AppCompatCache'
        timestamp = timelib.Timestamp.CopyFromString(time_string)
        values = [
            dfwinreg_test_lib.TestRegValue(u'AppCompatCache', binary_data,
                                           dfwinreg_definitions.REG_BINARY)
        ]

        return dfwinreg_test_lib.TestRegKey(key_path,
                                            timestamp,
                                            values,
                                            offset=1456)
Example #6
0
    def testProcess(self):
        """Tests the Process function."""
        key_path = u'\\Software\\Microsoft\\Office\\15.0\\Outlook\\Search'
        values = []

        values.append(
            dfwinreg_test_lib.TestRegValue(
                (u'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\'
                 u'*****@*****.**'),
                b'\xcf\x2b\x37\x00',
                dfwinreg_definitions.REG_DWORD,
                offset=1892))

        winreg_key = dfwinreg_test_lib.TestRegKey(key_path, 1346145829002031,
                                                  values, 1456)

        event_queue_consumer = self._ParseKeyWithPlugin(
            self._plugin, winreg_key)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        expected_msg = (
            u'[{0:s}] '
            u'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\'
            u'[email protected]: 0x00372bcf').format(key_path)

        expected_msg_short = u'[{0:s}] C:\\Users\\username\\AppData\\Lo...'.format(
            key_path)

        self.assertEqual(len(event_objects), 1)

        event_object = event_objects[0]

        # This should just be the plugin name, as we're invoking it directly,
        # and not through the parser.
        self.assertEqual(event_object.parser, self._plugin.plugin_name)

        self.assertEqual(event_object.timestamp, 1346145829002031)

        self._TestGetMessageStrings(event_object, expected_msg,
                                    expected_msg_short)
Example #7
0
  def testProcess(self):
    """Tests the Process function."""
    key_path = u'\\ControlSet001\\Control\\BootVerificationProgram'
    values = []

    value_data = u'C:\\WINDOWS\\system32\\googleupdater.exe'.encode(
        u'utf_16_le')
    values.append(dfwinreg_test_lib.TestRegValue(
        u'ImagePath', value_data, dfwinreg_definitions.REG_SZ, offset=123))

    timestamp = timelib.Timestamp.CopyFromString(u'2012-08-31 20:45:29')
    winreg_key = dfwinreg_test_lib.TestRegKey(key_path, timestamp, values, 153)

    knowledge_base_values = {u'current_control_set': u'ControlSet001'}
    event_queue_consumer = self._ParseKeyWithPlugin(
        self._plugin, winreg_key, knowledge_base_values=knowledge_base_values)
    event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

    self.assertEqual(len(event_objects), 1)

    event_object = event_objects[0]

    # This should just be the plugin name, as we're invoking it directly,
    # and not through the parser.
    self.assertEqual(event_object.parser, self._plugin.plugin_name)

    expected_timestamp = timelib.Timestamp.CopyFromString(
        u'2012-08-31 20:45:29')
    self.assertEqual(event_object.timestamp, expected_timestamp)

    expected_msg = (
        u'[{0:s}] '
        u'ImagePath: C:\\WINDOWS\\system32\\googleupdater.exe').format(
            key_path)

    expected_msg_short = (
        u'[{0:s}] ImagePath: C:\\WINDOWS\\system...').format(key_path)

    self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
Example #8
0
  def testProcess(self):
    """Tests the Process function."""
    key_path = u'\\ControlSet001\\Control\\Session Manager'
    values = []

    value_data = u'autocheck autochk *\x00'.encode(u'utf_16_le')
    values.append(dfwinreg_test_lib.TestRegValue(
        u'BootExecute', value_data, dfwinreg_definitions.REG_MULTI_SZ,
        offset=123))

    value_data = u'2592000'.encode(u'utf_16_le')
    values.append(dfwinreg_test_lib.TestRegValue(
        u'CriticalSectionTimeout', value_data, dfwinreg_definitions.REG_SZ,
        offset=153))

    value_data = u'\x00'.encode(u'utf_16_le')
    values.append(dfwinreg_test_lib.TestRegValue(
        u'ExcludeFromKnownDlls', value_data, dfwinreg_definitions.REG_MULTI_SZ,
        offset=163))

    value_data = u'0'.encode(u'utf_16_le')
    values.append(dfwinreg_test_lib.TestRegValue(
        u'GlobalFlag', value_data, dfwinreg_definitions.REG_SZ, offset=173))

    value_data = u'0'.encode(u'utf_16_le')
    values.append(dfwinreg_test_lib.TestRegValue(
        u'HeapDeCommitFreeBlockThreshold', value_data,
        dfwinreg_definitions.REG_SZ, offset=183))

    value_data = u'0'.encode(u'utf_16_le')
    values.append(dfwinreg_test_lib.TestRegValue(
        u'HeapDeCommitTotalFreeThreshold', value_data,
        dfwinreg_definitions.REG_SZ, offset=203))

    value_data = u'0'.encode(u'utf_16_le')
    values.append(dfwinreg_test_lib.TestRegValue(
        u'HeapSegmentCommit', value_data, dfwinreg_definitions.REG_SZ,
        offset=213))

    value_data = u'0'.encode(u'utf_16_le')
    values.append(dfwinreg_test_lib.TestRegValue(
        u'HeapSegmentReserve', value_data, dfwinreg_definitions.REG_SZ,
        offset=223))

    value_data = u'2'.encode(u'utf_16_le')
    values.append(dfwinreg_test_lib.TestRegValue(
        u'NumberOfInitialSessions', value_data, dfwinreg_definitions.REG_SZ,
        offset=243))

    timestamp = timelib.Timestamp.CopyFromString(u'2012-08-31 20:45:29')
    winreg_key = dfwinreg_test_lib.TestRegKey(key_path, timestamp, values, 153)

    knowledge_base_values = {u'current_control_set': u'ControlSet001'}
    event_queue_consumer = self._ParseKeyWithPlugin(
        self._plugin, winreg_key, knowledge_base_values=knowledge_base_values)
    event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

    self.assertEqual(len(event_objects), 2)

    event_object = event_objects[0]

    # This should just be the plugin name, as we're invoking it directly,
    # and not through the parser.
    self.assertEqual(event_object.parser, self._plugin.plugin_name)

    expected_timestamp = timelib.Timestamp.CopyFromString(
        u'2012-08-31 20:45:29')
    self.assertEqual(event_object.timestamp, expected_timestamp)

    expected_string = (
        u'[{0:s}] BootExecute: autocheck autochk *').format(key_path)

    self._TestGetMessageStrings(event_object, expected_string, expected_string)

    event_object = event_objects[1]

    expected_msg = (
        u'[{0:s}] '
        u'CriticalSectionTimeout: 2592000 '
        u'ExcludeFromKnownDlls: [] '
        u'GlobalFlag: 0 '
        u'HeapDeCommitFreeBlockThreshold: 0 '
        u'HeapDeCommitTotalFreeThreshold: 0 '
        u'HeapSegmentCommit: 0 '
        u'HeapSegmentReserve: 0 '
        u'NumberOfInitialSessions: 2').format(key_path)

    expected_msg_short = (
        u'[{0:s}] CriticalSectionTimeout: 2592000 Excl...').format(key_path)

    self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
Example #9
0
  def testProcess(self):
    """Tests the Process function on a virtual key."""
    key_path = u'\\ControlSet001\\services\\TestDriver'

    values = []
    values.append(dfwinreg_test_lib.TestRegValue(
        u'Type', b'\x02\x00\x00\x00', dfwinreg_definitions.REG_DWORD,
        offset=123))
    values.append(dfwinreg_test_lib.TestRegValue(
        u'Start', b'\x02\x00\x00\x00', dfwinreg_definitions.REG_DWORD,
        offset=127))
    values.append(dfwinreg_test_lib.TestRegValue(
        u'ErrorControl', b'\x01\x00\x00\x00', dfwinreg_definitions.REG_DWORD,
        offset=131))
    values.append(dfwinreg_test_lib.TestRegValue(
        u'Group', u'Pnp Filter'.encode(u'utf_16_le'),
        dfwinreg_definitions.REG_SZ, offset=140))
    values.append(dfwinreg_test_lib.TestRegValue(
        u'DisplayName', u'Test Driver'.encode(u'utf_16_le'),
        dfwinreg_definitions.REG_SZ, offset=160))
    values.append(dfwinreg_test_lib.TestRegValue(
        u'DriverPackageId',
        u'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode(u'utf_16_le'),
        dfwinreg_definitions.REG_SZ, offset=180))
    values.append(dfwinreg_test_lib.TestRegValue(
        u'ImagePath', u'C:\\Dell\\testdriver.sys'.encode(u'utf_16_le'),
        dfwinreg_definitions.REG_SZ, offset=200))

    timestamp = timelib.Timestamp.CopyFromString(
        u'2012-08-28 09:23:49.002031')
    winreg_key = dfwinreg_test_lib.TestRegKey(
        key_path, timestamp, values, 1456)

    event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
    event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

    self.assertEqual(len(event_objects), 1)

    event_object = event_objects[0]

    # This should just be the plugin name, as we're invoking it directly,
    # and not through the parser.
    self.assertEqual(event_object.parser, self._plugin.plugin_name)

    expected_timestamp = timelib.Timestamp.CopyFromString(
        u'2012-08-28 09:23:49.002031')
    self.assertEqual(event_object.timestamp, expected_timestamp)

    expected_msg = (
        u'[{0:s}] '
        u'DisplayName: Test Driver '
        u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 '
        u'ErrorControl: Normal (1) '
        u'Group: Pnp Filter '
        u'ImagePath: C:\\Dell\\testdriver.sys '
        u'Start: Auto Start (2) '
        u'Type: File System Driver (0x2)').format(key_path)
    expected_msg_short = (
        u'[{0:s}] '
        u'DisplayName: Test Driver '
        u'DriverPackageId...').format(key_path)

    self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
Example #10
0
    def testProcessMock(self):
        """Tests the Process function on created key."""
        knowledge_base_values = {u'current_control_set': u'ControlSet001'}
        key_path = u'\\ControlSet001\\Control\\TimeZoneInformation'
        values = []

        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'ActiveTimeBias', b'\xff\xff\xff\xc4',
                dfwinreg_definitions.REG_DWORD_BIG_ENDIAN))

        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'Bias', b'\xff\xff\xff\xc4',
                dfwinreg_definitions.REG_DWORD_BIG_ENDIAN))

        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'DaylightBias', b'\xff\xff\xff\xc4',
                dfwinreg_definitions.REG_DWORD_BIG_ENDIAN))

        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'DaylightName', u'@tzres.dll,-321'.encode(u'utf_16_le'),
                dfwinreg_definitions.REG_SZ))

        value_data = (
            b'\x00\x00\x03\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00'
        )
        values.append(
            dfwinreg_test_lib.TestRegValue(u'DaylightStart', value_data,
                                           dfwinreg_definitions.REG_BINARY))

        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'DynamicDaylightTimeDisabled', b'\x00\x00\x00\x00',
                dfwinreg_definitions.REG_DWORD_BIG_ENDIAN))

        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'StandardBias', b'\x00\x00\x00\x00',
                dfwinreg_definitions.REG_DWORD_BIG_ENDIAN))

        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'StandardName', u'@tzres.dll,-322'.encode(u'utf_16_le'),
                dfwinreg_definitions.REG_SZ))

        value_data = (
            b'\x00\x00\x0A\x00\x05\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00'
        )
        values.append(
            dfwinreg_test_lib.TestRegValue(u'StandardStart', value_data,
                                           dfwinreg_definitions.REG_BINARY))

        values.append(
            dfwinreg_test_lib.TestRegValue(
                u'TimeZoneKeyName',
                u'W. Europe Standard Time'.encode(u'utf_16_le'),
                dfwinreg_definitions.REG_SZ))

        timestamp = timelib.Timestamp.CopyFromString(u'2013-01-30 10:47:57')
        winreg_key = dfwinreg_test_lib.TestRegKey(key_path, timestamp, values,
                                                  153)

        event_queue_consumer = self._ParseKeyWithPlugin(
            self._plugin,
            winreg_key,
            knowledge_base_values=knowledge_base_values)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        self.assertEqual(len(event_objects), 1)

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2013-01-30 10:47:57')
        self.assertEqual(event_objects[0].timestamp, expected_timestamp)

        expected_msg = (
            u'[{0:s}] '
            u'ActiveTimeBias: -60 '
            u'Bias: -60 '
            u'DaylightBias: -60 '
            u'DaylightName: @tzres.dll,-321 '
            u'DynamicDaylightTimeDisabled: 0 '
            u'StandardBias: 0 '
            u'StandardName: @tzres.dll,-322 '
            u'TimeZoneKeyName: W. Europe Standard Time').format(key_path)

        expected_msg_short = (u'[{0:s}] '
                              u'ActiveTimeBias: -60 '
                              u'Bias: -60 '
                              u'Da...').format(key_path)

        self._TestGetMessageStrings(event_objects[0], expected_msg,
                                    expected_msg_short)
Example #11
0
    def testProcess(self):
        """Tests the Process function."""
        key_path = (
            u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\'
            u'DesktopStreamMRU')
        values = []

        data = b''.join(
            map(chr, [
                0x14, 0x00, 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a,
                0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d,
                0x19, 0x00, 0x23, 0x43, 0x3a, 0x5c, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x11, 0xee, 0x15, 0x00, 0x31, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x2e, 0x3e, 0x7a, 0x60, 0x10, 0x80, 0x57,
                0x69, 0x6e, 0x6e, 0x74, 0x00, 0x00, 0x18, 0x00, 0x31, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00,
                0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x00, 0x00,
                0x25, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e,
                0xe4, 0x62, 0x10, 0x00, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x69,
                0x73, 0x74, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x41, 0x44,
                0x4d, 0x49, 0x4e, 0x49, 0x7e, 0x31, 0x00, 0x17, 0x00, 0x31,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10,
                0x00, 0x44, 0x65, 0x73, 0x6b, 0x74, 0x6f, 0x70, 0x00, 0x00,
                0x00, 0x00
            ]))

        values.append(
            dfwinreg_test_lib.TestRegValue(u'MRUList',
                                           u'a'.encode(u'utf_16_le'),
                                           dfwinreg_definitions.REG_SZ,
                                           offset=123))
        values.append(
            dfwinreg_test_lib.TestRegValue(u'a',
                                           data,
                                           dfwinreg_definitions.REG_BINARY,
                                           offset=612))

        timestamp = timelib.Timestamp.CopyFromString(
            u'2012-08-28 09:23:49.002031')
        winreg_key = dfwinreg_test_lib.TestRegKey(key_path, timestamp, values,
                                                  1456)

        event_queue_consumer = self._ParseKeyWithPlugin(
            self._plugin, winreg_key)
        event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

        self.assertEqual(len(event_objects), 5)

        # A MRUList event object.
        event_object = event_objects[4]

        # This should just be the plugin name, as we're invoking it directly,
        # and not through the parser.
        self.assertEqual(event_object.parser, self._plugin.plugin_name)

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2012-08-28 09:23:49.002031')
        self.assertEqual(event_object.timestamp, expected_timestamp)

        expected_msg = (
            u'[{0:s}] '
            u'Index: 1 [MRU Value a]: Shell item path: '
            u'<My Computer> C:\\Winnt\\Profiles\\Administrator\\Desktop'
        ).format(key_path)

        expected_msg_short = u'[{0:s}] Index:...'.format(key_path)

        self._TestGetMessageStrings(event_object, expected_msg,
                                    expected_msg_short)

        # A shell item event object.
        event_object = event_objects[0]

        expected_timestamp = timelib.Timestamp.CopyFromString(
            u'2011-01-14 12:03:52')
        self.assertEqual(event_object.timestamp, expected_timestamp)

        expected_msg = (u'Name: Winnt '
                        u'Shell item path: <My Computer> C:\\Winnt '
                        u'Origin: {0:s}').format(key_path)

        expected_msg_short = (
            u'Name: Winnt '
            u'Origin: \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\'
            u'Deskt...')

        self._TestGetMessageStrings(event_object, expected_msg,
                                    expected_msg_short)