def csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset): """ The Count registry key contains values representing the programs Each value is separated as : first 4 bytes are session following 4 bytes are number of times the program has been run next 8 bytes are the timestamp of last execution each of those values are in big endian which have to be converted in little endian :return: An array containing these information """ # 16 bytes data str_value_data_session = str_value_datatmp[0:4] str_value_data_session = unicode(struct.unpack("<I", str_value_data_session)[0]) str_value_data_count = str_value_datatmp[4:8] str_value_data_count = unicode(struct.unpack("<I", str_value_data_count)[0] + count_offset + 1) str_value_data_timestamp = str_value_datatmp[8:16] try: timestamp = struct.unpack("<I", str_value_data_timestamp)[0] date_last_exec = convert_windate(timestamp) except ValueError: date_last_exec = None arr_data = [str_value_data_session, str_value_data_count] if date_last_exec: arr_data.append(date_last_exec) else: arr_data.append("") return arr_data
def csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset): """The value in user assist has changed since Win7. It is taken into account here.""" # 16 bytes data str_value_data_session = str_value_datatmp[0:4] str_value_data_session = unicode( struct.unpack("<I", str_value_data_session)[0]) str_value_data_count = str_value_datatmp[4:8] str_value_data_count = unicode( struct.unpack("<I", str_value_data_count)[0] + count_offset + 1) str_value_data_focus = str_value_datatmp[12:16] str_value_data_focus = unicode( struct.unpack("<I", str_value_data_focus)[0]) str_value_data_timestamp = str_value_datatmp[60:68] try: timestamp = struct.unpack("<Q", str_value_data_timestamp)[0] date_last_exec = convert_windate(timestamp) except ValueError: date_last_exec = None arr_data = [ str_value_data_session, str_value_data_count, str_value_data_focus ] if date_last_exec: arr_data.append(date_last_exec) else: arr_data.append("") return arr_data
def csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset): """The value in user assist has changed since Win7. It is taken into account here.""" # 16 bytes data str_value_data_session = str_value_datatmp[0:4] str_value_data_session = unicode(struct.unpack("<I", str_value_data_session)[0]) str_value_data_count = str_value_datatmp[4:8] str_value_data_count = unicode(struct.unpack("<I", str_value_data_count)[0] + count_offset + 1) str_value_data_focus = str_value_datatmp[12:16] str_value_data_focus = unicode(struct.unpack("<I", str_value_data_focus)[0]) str_value_data_timestamp = str_value_datatmp[60:68] try: timestamp = struct.unpack("<Q", str_value_data_timestamp)[0] date_last_exec = convert_windate(timestamp) except ValueError: date_last_exec = None arr_data = [str_value_data_session, str_value_data_count, str_value_data_focus] if date_last_exec: arr_data.append(date_last_exec) else: arr_data.append("") return arr_data