def testGetRootKey(self):
"""Tests the GetRootKey function."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
registry_key = registry_file.GetRootKey()
self.assertIsNotNone(registry_key)
self.assertEqual(registry_key.path, '\\')
registry_file.Close()
path = self._GetTestFilePath(['NTUSER.DAT.LOG'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
root_key = registry_file.GetRootKey()
self.assertIsNone(root_key)
registry_file.Close()
def testRecurseKeys(self):
"""Tests the RecurseKeys function."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
registry_keys = list(registry_file.RecurseKeys())
registry_file.Close()
self.assertEqual(len(registry_keys), 1597)
path = self._GetTestFilePath(['NTUSER.DAT.LOG'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
registry_keys = list(registry_file.RecurseKeys())
registry_file.Close()
self.assertEqual(len(registry_keys), 0)
def testCollect(self):
"""Tests the Collect function."""
test_path = self._GetTestFilePath(['SOFTWARE'])
self._SkipIfPathNotExists(test_path)
registry = dfwinreg_registry.WinRegistry()
with open(test_path, 'rb') as file_object:
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage='cp1252')
registry_file.Open(file_object)
key_path_prefix = registry.GetRegistryFileMapping(registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
registry.MapFile(key_path_prefix, registry_file)
collector_object = msie_zone_info.MSIEZoneInformationCollector()
test_results = list(collector_object.Collect(registry))
self.assertEqual(len(test_results), 1724)
zone_information = test_results[0]
self.assertEqual(zone_information.zone, '0')
self.assertEqual(zone_information.zone_name, 'Computer')
self.assertEqual(zone_information.control, '1809')
self.assertEqual(zone_information.control_value, 3)
def Open(self, path, ascii_codepage=u'cp1252'):
"""Opens the Windows Registry file specificed by the path.
Args:
path: string containing the path of the Windows Registry file. The path
is a Windows path relative to the root of the file system that
contains the specfic Windows Registry file. E.g.
C:\\Windows\\System32\\config\\SYSTEM
ascii_codepage: optional ASCII string codepage.
Returns:
The Windows Registry file (instance of WinRegistryFile) or None.
"""
file_object = self._volume_scanner.OpenFile(path)
if file_object is None:
return
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage=ascii_codepage)
try:
registry_file.Open(file_object)
except IOError:
file_object.close()
return
return registry_file
def testGetSubkeyByName(self):
"""Tests the GetSubkeyByName function."""
test_path = self._GetTestFilePath(['NTUSER.DAT'])
self._SkipIfPathNotExists(test_path)
registry_file = regf.REGFWinRegistryFile(
key_path_prefix='HKEY_CURRENT_USER')
with open(test_path, 'rb') as file_object:
registry_file.Open(file_object)
registry_key = registry_file.GetRootKey()
key_name = 'Software'
sub_registry_key = registry_key.GetSubkeyByName(key_name)
self.assertIsNotNone(sub_registry_key)
self.assertEqual(sub_registry_key.name, key_name)
expected_key_path = 'HKEY_CURRENT_USER\\Software'
self.assertEqual(sub_registry_key.path, expected_key_path)
key_name = 'Bogus'
sub_registry_key = registry_key.GetSubkeyByName(key_name)
self.assertIsNone(sub_registry_key)
registry_file.Close()
def testPropertiesWindowsXP(self):
"""Tests the properties functions on a Windows XP NTUSER.DAT file."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
registry_key = registry_file.GetKeyByPath('\\Console')
value_name = 'ColorTable14'
registry_value = registry_key.GetValueByName(value_name)
expected_data = b'\xff\xff\x00\x00'
self.assertIsNotNone(registry_value)
self.assertEqual(registry_value.data_type, 4)
self.assertEqual(registry_value.data_type_string, 'REG_DWORD_LE')
self.assertEqual(registry_value.GetDataAsObject(), 65535)
self.assertEqual(registry_value.name, value_name)
self.assertEqual(registry_value.offset, 29516)
self.assertEqual(registry_value.data, expected_data)
registry_key = registry_file.GetKeyByPath(
'\\AppEvents\\EventLabels\\CriticalBatteryAlarm')
value_name = 'DispFileName'
registry_value = registry_key.GetValueByName(value_name)
expected_data = (
b'@\x00m\x00m\x00s\x00y\x00s\x00.\x00c\x00p\x00l\x00,\x00-\x005\x008'
b'\x002\x007\x00\x00\x00')
self.assertIsNotNone(registry_value)
self.assertEqual(registry_value.data_type, 1)
self.assertEqual(registry_value.data_type_string, 'REG_SZ')
self.assertEqual(registry_value.GetDataAsObject(),
'@mmsys.cpl,-5827')
self.assertEqual(registry_value.name, value_name)
self.assertEqual(registry_value.offset, 6012)
self.assertEqual(registry_value.data, expected_data)
registry_key = registry_file.GetKeyByPath(
'\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU')
value_name = '0'
registry_value = registry_key.GetValueByName(value_name)
expected_data = (
b'\x14\x00\x1fP\xe0O\xd0 \xea:i\x10\xa2\xd8\x08\x00+00\x9d\x00\x00'
)
self.assertIsNotNone(registry_value)
self.assertEqual(registry_value.data_type, 3)
self.assertEqual(registry_value.data_type_string, 'REG_BINARY')
self.assertEqual(registry_value.GetDataAsObject(), expected_data)
self.assertEqual(registry_value.name, value_name)
self.assertEqual(registry_value.offset, 404596)
self.assertEqual(registry_value.data, expected_data)
registry_value._pyregf_value = FakePyREGFValue()
with self.assertRaises(errors.WinRegistryValueError):
_ = registry_value.data
registry_file.Close()
def testBuildFindSpecsWithRegistry(self):
"""Tests the BuildFindSpecs function on Windows Registry sources."""
knowledge_base = knowledge_base_engine.KnowledgeBase()
artifact_filter_names = ['TestRegistry', 'TestRegistryValue']
test_filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper(
knowledge_base)
test_filters_helper.BuildFindSpecs(artifact_filter_names)
# There should be 3 Windows Registry find specifications.
self.assertEqual(
len(test_filters_helper.included_file_system_find_specs), 0)
self.assertEqual(len(test_filters_helper.registry_find_specs), 3)
file_entry = self._GetTestFileEntry(['SYSTEM'])
file_object = file_entry.GetFileObject()
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage='cp1252', emulate_virtual_keys=False)
registry_file.Open(file_object)
win_registry = dfwinreg_registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
win_registry.MapFile(key_path_prefix, registry_file)
searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
key_paths = list(searcher.Find(
find_specs=test_filters_helper.registry_find_specs))
self.assertIsNotNone(key_paths)
self.assertEqual(len(key_paths), 8)
def testProcessWindows101(self):
"""Tests the Process function on a Windows 10 1807 AMCache.hve file."""
test_file_entry = self._GetTestFileEntry(['win10-Amcache.hve'])
file_object = test_file_entry.GetFileObject()
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage='cp1252', emulate_virtual_keys=False)
registry_file.Open(file_object)
registry_key = registry_file.GetKeyByPath('\\Root')
plugin = amcache.AMCachePlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_events, 236)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetSortedEvents())
expected_event_values = {
'data_type': 'windows:registry:amcache',
'date_time': '1997-01-10 22:26:24',
'full_path': 'c:\\windows\\system32\\svchost.exe',
'timestamp_desc': definitions.TIME_DESCRIPTION_LINK_TIME
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def _OpenPathSpec(self, path_spec, ascii_codepage=u'cp1252'):
"""Opens the Windows Registry file specificed by the path specification.
Args:
path_spec: a path specfication (instance of dfvfs.PathSpec).
ascii_codepage: optional ASCII string codepage. The default is cp1252
(or windows-1252).
Returns:
The Windows Registry file (instance of WinRegistryFile) or None.
"""
if not path_spec:
return
file_entry = self._searcher.GetFileEntryByPathSpec(path_spec)
if file_entry is None:
return
file_object = file_entry.GetFileObject()
if file_object is None:
return
registry_file = regf.REGFWinRegistryFile(ascii_codepage=ascii_codepage)
try:
registry_file.Open(file_object)
except IOError as exception:
logging.warning(
u'Unable to open Windows Registry file with error: {0:s}'.format(
exception))
file_object.close()
return
return registry_file
def testGetSubkeyByIndex(self):
"""Tests the GetSubkeyByIndex function."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile(
key_path_prefix='HKEY_CURRENT_USER')
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
registry_key = registry_file.GetRootKey()
key_name = 'AppEvents'
sub_registry_key = registry_key.GetSubkeyByIndex(0)
self.assertIsNotNone(sub_registry_key)
self.assertEqual(sub_registry_key.name, key_name)
expected_key_path = 'HKEY_CURRENT_USER\\AppEvents'
self.assertEqual(sub_registry_key.path, expected_key_path)
with self.assertRaises(IndexError):
registry_key.GetSubkeyByIndex(-1)
registry_key._pyregf_key = FakePyREGFKey()
sub_registry_key = registry_key.GetSubkeyByIndex(0)
self.assertIsNone(sub_registry_key)
registry_file.Close()
def _OpenPathSpec(self, path_specification, ascii_codepage=u'cp1252'):
"""Opens the Windows Registry file specified by the path specification.
Args:
path_specification (dfvfs.PathSpec): path specfication.
ascii_codepage (Optional[str]): ASCII string codepage.
Returns:
WinRegistryFile: Windows Registry file or None.
"""
if not path_specification:
return
file_entry = self._file_system.GetFileEntryByPathSpec(
path_specification)
if file_entry is None:
return
file_object = file_entry.GetFileObject()
if file_object is None:
return
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage=ascii_codepage)
try:
registry_file.Open(file_object)
except IOError as exception:
logging.warning(
u'Unable to open Windows Registry file with error: {0:s}'.
format(exception))
file_object.close()
return
return registry_file
def testGetKeyByPath(self):
"""Tests the GetKeyByPath function."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
key_path = '\\'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNotNone(registry_key)
self.assertEqual(registry_key.path, key_path)
key_path = '\\Software'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNotNone(registry_key)
self.assertEqual(registry_key.path, key_path)
key_path = '\\Bogus'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNone(registry_key)
key_path = 'Bogus'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNone(registry_key)
registry_file.Close()
def testGetSubkeyByPath(self):
"""Tests the GetSubkeyByPath function."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile(
key_path_prefix='HKEY_CURRENT_USER')
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
registry_key = registry_file.GetRootKey()
key_path = 'Software\\Microsoft'
sub_registry_key = registry_key.GetSubkeyByPath(key_path)
self.assertIsNotNone(sub_registry_key)
self.assertEqual(sub_registry_key.name, 'Microsoft')
expected_key_path = 'HKEY_CURRENT_USER\\Software\\Microsoft'
self.assertEqual(sub_registry_key.path, expected_key_path)
key_path = 'Software\\Bogus'
sub_registry_key = registry_key.GetSubkeyByPath(key_path)
self.assertIsNone(sub_registry_key)
registry_file.Close()
def Open(self, path, ascii_codepage='cp1252'):
"""Opens the Windows Registry file specified by the path.
Args:
path (str): path of the Windows Registry file. The path is a Windows
path relative to the root of the file system that contains the
specific Windows Registry file, such as:
C:\\Windows\\System32\\config\\SYSTEM
ascii_codepage (Optional[str]): ASCII string codepage.
Returns:
WinRegistryFile: Windows Registry file or None the file does not exist or
cannot be opened.
"""
file_object = self._volume_scanner.OpenFile(path)
if file_object is None:
return None
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage=ascii_codepage)
try:
registry_file.Open(file_object)
except IOError:
file_object.close()
return None
return registry_file
def testGetValueByName(self):
"""Tests the GetValueByName function."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
registry_key = registry_file.GetKeyByPath('\\Console')
value_name = 'ColorTable14'
registry_value = registry_key.GetValueByName(value_name)
self.assertIsNotNone(registry_value)
self.assertEqual(registry_value.name, value_name)
value_name = 'Bogus'
registry_value = registry_key.GetValueByName(value_name)
self.assertIsNone(registry_value)
# Test retrieving the default (or nameless) value.
registry_key = registry_file.GetKeyByPath(
'\\AppEvents\\EventLabels\\.Default')
registry_value = registry_key.GetValueByName('')
self.assertIsNotNone(registry_value)
self.assertIsNone(registry_value.name)
registry_file.Close()
def Collect(self, path, output_writer):
"""Collects the catalog descriptors from a Windows Registry file.
Args:
path (str): path to Windows Registry file.
output_writer (OutputWriter): output writer.
Returns:
bool: True if a root key was found, False if not.
"""
with open(options.source, 'rb') as file_object:
try:
registry_file = dfwinreg_regf.REGFWinRegistryFile()
registry_file.Open(file_object)
except IOError:
registry_file = None
if not registry_file:
try:
registry_file = dfwinreg_creg.CREGWinRegistryFile()
registry_file.Open(file_object)
except IOError:
registry_file = None
if not registry_file:
return False
root_key = registry_file.GetRootKey()
if not root_key:
return False
return True
def testProperties(self):
"""Tests the properties functions."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
key_path = '\\Software'
registry_key = registry_file.GetKeyByPath(key_path)
self.assertIsNotNone(registry_key)
self.assertIsNone(registry_key.class_name)
self.assertEqual(registry_key.name, 'Software')
self.assertEqual(registry_key.number_of_subkeys, 7)
self.assertEqual(registry_key.number_of_values, 0)
self.assertEqual(registry_key.offset, 4372)
self.assertEqual(registry_key.path, key_path)
self.assertIsNotNone(registry_key.last_written_time)
timestamp = registry_key.last_written_time.timestamp
self.assertEqual(timestamp, 131205170396534120)
registry_key._pyregf_key = FakePyREGFKey()
self.assertIsNotNone(registry_key.last_written_time)
date_time_string = registry_key.last_written_time.CopyToDateTimeString(
)
self.assertEqual(date_time_string, 'Not set')
registry_file.Close()
def testCollect(self):
"""Tests the Collect function."""
test_path = self._GetTestFilePath(['NTUSER.DAT'])
self._SkipIfPathNotExists(test_path)
registry = dfwinreg_registry.WinRegistry()
with open(test_path, 'rb') as file_object:
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage='cp1252')
registry_file.Open(file_object)
key_path_prefix = registry.GetRegistryFileMapping(registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
registry.MapFile(key_path_prefix, registry_file)
test_output_writer = test_lib.TestOutputWriter()
collector_object = programscache.ProgramsCacheCollector(
output_writer=test_output_writer)
result = collector_object.Collect(registry)
self.assertTrue(result)
test_output_writer.Close()
def testGetDataAsObject(self):
"""Tests the GetDataAsObject function."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
registry_key = registry_file.GetKeyByPath('\\Console')
value_name = 'ColorTable14'
registry_value = registry_key.GetValueByName(value_name)
registry_value._pyregf_value = FakePyREGFValue(value_type='REG_SZ')
with self.assertRaises(errors.WinRegistryValueError):
registry_value.GetDataAsObject()
registry_value._pyregf_value = FakePyREGFValue(
value_type='REG_DWORD_LE')
with self.assertRaises(errors.WinRegistryValueError):
registry_value.GetDataAsObject()
registry_value._pyregf_value = FakePyREGFValue(
value_type='REG_MULTI_SZ')
with self.assertRaises(errors.WinRegistryValueError):
registry_value.GetDataAsObject()
def ParseFileObject(self, parser_mediator, file_object):
"""Parses a Windows Registry file-like object.
Args:
parser_mediator (ParserMediator): parser mediator.
file_object (dfvfs.FileIO): a file-like object.
"""
registry_find_specs = getattr(
parser_mediator.collection_filters_helper, 'registry_find_specs',
None)
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage=parser_mediator.codepage,
emulate_virtual_keys=False)
try:
registry_file.Open(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionWarning(
'unable to open Windows Registry file with error: {0!s}'.
format(exception))
return
try:
win_registry = dfwinreg_registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(
registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
root_key = registry_file.GetRootKey()
if root_key:
# For now treat AMCache.hve seperately.
if root_key.name.lower() in self._AMCACHE_ROOT_KEY_NAMES:
self._ParseRecurseKeys(parser_mediator, root_key)
elif not registry_find_specs:
self._ParseRecurseKeys(parser_mediator, root_key)
elif not self._ARTIFACTS_FILTER_HELPER.CheckKeyCompatibility(
key_path_prefix):
logger.warning((
'Artifacts filters are not supported for Windows Registry '
'file with key path prefix: "{0:s}".'
).format(key_path_prefix))
else:
win_registry.MapFile(key_path_prefix, registry_file)
# Note that win_registry will close the mapped registry_file.
registry_file = None
self._ParseKeysFromFindSpecs(parser_mediator, win_registry,
registry_find_specs)
except IOError as exception:
parser_mediator.ProduceExtractionWarning('{0!s}'.format(exception))
finally:
if registry_file:
registry_file.Close()
def testCollect(self):
"""Tests the Collect function."""
software_test_path = self._GetTestFilePath(['SOFTWARE'])
self._SkipIfPathNotExists(software_test_path)
system_test_path = self._GetTestFilePath(['SYSTEM'])
self._SkipIfPathNotExists(system_test_path)
registry = dfwinreg_registry.WinRegistry()
with open(software_test_path, 'rb') as software_file_object:
with open(system_test_path, 'rb') as system_file_object:
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage='cp1252')
registry_file.Open(software_file_object)
key_path_prefix = registry.GetRegistryFileMapping(
registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
registry.MapFile(key_path_prefix, registry_file)
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage='cp1252')
registry_file.Open(system_file_object)
key_path_prefix = registry.GetRegistryFileMapping(
registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
registry.MapFile(key_path_prefix, registry_file)
collector_object = eventlog_providers.EventLogProvidersCollector(
)
test_results = list(collector_object.Collect(registry))
self.assertEqual(len(test_results), 974)
eventlog_provider = test_results[0]
self.assertIsNone(eventlog_provider.identifier)
self.assertIsNone(eventlog_provider.name)
self.assertEqual(eventlog_provider.log_sources, ['.NET Runtime'])
self.assertEqual(eventlog_provider.log_types, ['Application'])
self.assertEqual(eventlog_provider.category_message_files, set())
self.assertEqual(eventlog_provider.event_message_files,
set(['C:\\Windows\\System32\\mscoree.dll']))
self.assertEqual(eventlog_provider.parameter_message_files, set())
def testProperties(self):
"""Tests the properties functions on a NTUSER.DAT file."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
registry_key = registry_file.GetKeyByPath('\\Console')
value_name = 'ColorTable14'
registry_value = registry_key.GetValueByName(value_name)
expected_data = b'\xff\xff\x00\x00'
self.assertIsNotNone(registry_value)
self.assertEqual(registry_value.data_type, 4)
self.assertEqual(registry_value.data_type_string, 'REG_DWORD_LE')
self.assertEqual(registry_value.GetDataAsObject(), 65535)
self.assertEqual(registry_value.name, value_name)
self.assertEqual(registry_value.offset, 105212)
self.assertEqual(registry_value.data, expected_data)
registry_key = registry_file.GetKeyByPath(
'\\AppEvents\\EventLabels\\CriticalBatteryAlarm')
value_name = 'DispFileName'
registry_value = registry_key.GetValueByName(value_name)
expected_data = (
b'@\x00m\x00m\x00r\x00e\x00s\x00.\x00d\x00l\x00l\x00,\x00-\x005\x008'
b'\x002\x007\x00\x00\x00')
self.assertIsNotNone(registry_value)
self.assertEqual(registry_value.data_type, 1)
self.assertEqual(registry_value.data_type_string, 'REG_SZ')
self.assertEqual(registry_value.GetDataAsObject(),
'@mmres.dll,-5827')
self.assertEqual(registry_value.name, value_name)
self.assertEqual(registry_value.offset, 62028)
self.assertEqual(registry_value.data, expected_data)
registry_key = registry_file.GetKeyByPath(
'\\Control Panel\\Appearance')
value_name = 'SchemeLangID'
registry_value = registry_key.GetValueByName(value_name)
expected_data = b'\x00\x00'
self.assertIsNotNone(registry_value)
self.assertEqual(registry_value.data_type, 3)
self.assertEqual(registry_value.data_type_string, 'REG_BINARY')
self.assertEqual(registry_value.GetDataAsObject(), expected_data)
self.assertEqual(registry_value.name, value_name)
self.assertEqual(registry_value.offset, 46468)
self.assertEqual(registry_value.data, expected_data)
registry_value._pyregf_value = FakePyREGFValue()
with self.assertRaises(errors.WinRegistryValueError):
_ = registry_value.data
registry_file.Close()
def ParseFileObject(self, parser_mediator, file_object):
"""Parses a Windows Registry file-like object.
Args:
parser_mediator (ParserMediator): parser mediator.
file_object (dfvfs.FileIO): a file-like object.
"""
# TODO: set codepage from mediator.
registry_file = dfwinreg_regf.REGFWinRegistryFile(
ascii_codepage='cp1252', emulate_virtual_keys=False)
try:
registry_file.Open(file_object)
except IOError as exception:
parser_mediator.ProduceExtractionWarning(
'unable to open Windows Registry file with error: {0!s}'.
format(exception))
return
try:
win_registry = dfwinreg_registry.WinRegistry()
key_path_prefix = win_registry.GetRegistryFileMapping(
registry_file)
registry_file.SetKeyPathPrefix(key_path_prefix)
root_key = registry_file.GetRootKey()
if root_key:
registry_find_specs = getattr(
parser_mediator.collection_filters_helper,
'registry_find_specs', None)
if not registry_find_specs:
self._ParseRecurseKeys(parser_mediator, root_key)
else:
artifacts_filters_helper = (
artifact_filters.ArtifactDefinitionsFiltersHelper)
if not artifacts_filters_helper.CheckKeyCompatibility(
key_path_prefix):
logger.warning((
'Artifacts filters are not supported for Windows Registry file '
'with key path prefix: "{0:s}".'
).format(key_path_prefix))
else:
win_registry.MapFile(key_path_prefix, registry_file)
# Note that win_registry will close the mapped registry_file.
registry_file = None
self._ParseKeysFromFindSpecs(parser_mediator,
win_registry,
registry_find_specs)
except IOError as exception:
parser_mediator.ProduceExtractionWarning('{0!s}'.format(exception))
finally:
if registry_file:
registry_file.Close()
def testOpenClose(self):
"""Tests the Open and Close functions."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
registry_file.Close()
def Open(self, path, ascii_codepage='cp1252'):
LOGGER.info("open registry %s", path)
""" Opens a path within the dfVFS volume """
realpath = path.replace('\\', '/')
if path in self.not_present:
return None
# check for variables and if we know them
realpath = path
for match in re.finditer('%[a-zA-Z0-9_]+%', path):
key = match.group(0)
val = self.windows_system.get_var(key)
if val:
realpath = realpath.replace(key, val)
else:
LOGGER.warning("Could not resolve variable %s", key)
return None
realpath = realpath.replace('\\', '/')
if realpath.lower().startswith('c:/'): # catch absolute paths
realpath = '/' + realpath[3:]
if not realpath[0] == '/':
realpath = '/' + realpath
if realpath in self.not_present:
return None
path_specs = list(
self.dfvfs.find_paths([realpath], partitions=[self.partition]))
if not path_specs:
LOGGER.warning("Could not find requested registry hive %s [%s]",
path, realpath)
self.not_present.add(path)
self.not_present.add(realpath)
return None
if len(path_specs) > 1:
LOGGER.warning(
"Found multiple registry hives for query %s, using %s", path,
dfvfs_helper.reconstruct_full_path(path_specs[0]))
# extract the file locally
filename = realpath.replace('/', '_')
dfvfs_helper.export_file(path_specs[0], self.tmpfs, filename)
try:
file_object = self.tmpfs.open(filename, 'rb')
except ResourceNotFound:
files = self.tmpfs.listdir("/")
LOGGER.warning("Could not open registry hive %s [%s] (%s)", path,
realpath, files)
return None
self.open_handles.append((filename, file_object))
reg_file = regfile_impl.REGFWinRegistryFile(
ascii_codepage=ascii_codepage)
reg_file.Open(file_object)
return reg_file
def testRecurseKeys(self):
"""Tests the RecurseKeys function."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
key_path = '\\Software'
registry_key = registry_file.GetKeyByPath(key_path)
registry_keys = list(registry_key.RecurseKeys())
registry_file.Close()
self.assertEqual(len(registry_keys), 1219)
def testGetValues(self):
"""Tests the GetValues function."""
path = self._GetTestFilePath(['NTUSER.DAT'])
registry_file = regf.REGFWinRegistryFile()
with open(path, 'rb') as file_object:
registry_file.Open(file_object)
key_path = '\\Console'
registry_key = registry_file.GetKeyByPath(key_path)
values = list(registry_key.GetValues())
self.assertEqual(len(values), 37)
registry_file.Close()
def _OpenREGFRegistryFile(self, filename):
"""Opens a REGF Windows Registry file.
Args:
filename: the name of the file relative to the test file path.
Returns:
The Windows Registry file object (instance of REGFWinRegistryFileTest) or
None.
"""
path = self._GetTestFilePath([filename])
file_object = open(path, 'rb')
registry_file = regf.REGFWinRegistryFile()
registry_file.Open(file_object)
return registry_file
def testGetSubkeys(self):
"""Tests the GetSubkeys function."""
test_path = self._GetTestFilePath(['NTUSER.DAT'])
self._SkipIfPathNotExists(test_path)
registry_file = regf.REGFWinRegistryFile()
with open(test_path, 'rb') as file_object:
registry_file.Open(file_object)
key_path = '\\Software'
registry_key = registry_file.GetKeyByPath(key_path)
sub_registry_keys = list(registry_key.GetSubkeys())
self.assertEqual(len(sub_registry_keys), 7)
registry_file.Close()
def _OpenREGFRegistryFile(self, filename, key_path_prefix=''):
"""Opens a REGF Windows Registry file.
Args:
filename (str): name of the file relative to the test file path.
key_path_prefix (Optional[str]): Windows Registry key path prefix.
Returns:
REGFWinRegistryFileTest: Windows Registry file or None.
"""
path = self._GetTestFilePath([filename])
file_object = open(path, 'rb')
registry_file = regf.REGFWinRegistryFile(
key_path_prefix=key_path_prefix)
registry_file.Open(file_object)
return registry_file
