def GetWMIAccount(self, result, sid, homedir, known_sids):
    """Build the account description for one WMI user account row.

    Args:
      result: A WMI result row; the "SID", "Name" and "Domain" keys are read.
      sid: The SID used to look up the special folders in the registry.
      homedir: The home directory that goes with this account.
      known_sids: The SIDs that were enumerated on this machine.

    Returns:
      A dict with the keys username, domain, sid, homedir and
      special_folders, or None when the row's SID is not in known_sids.
    """
    # A user in another domain can share the name; such rows are ignored.
    if result["SID"] not in known_sids:
        return None

    account = dict(
        username=result["Name"],
        domain=result["Domain"],
        sid=result["SID"],
        homedir=homedir,
    )

    special = self.GetSpecialFolders(sid)
    if not special:
        # TODO(user): The user's registry file is not mounted. The right
        # way would be to open the ntuser.dat and parse the keys from there
        # but we don't have registry file reading capability yet. For now,
        # we just try to guess the folders.
        # NOTE(review): a guessed path only proves that a directory of that
        # name exists under homedir; it was not read from the user's hive.
        guessed = {}
        for _, subdir, field_name in self.special_folders:
            candidate = os.path.join(homedir, subdir)
            try:
                os.stat(candidate)
            except exceptions.WindowsError:
                # The folder is absent or unreadable, so it is left out.
                continue
            guessed[field_name] = candidate
        special = rdfvalue.FolderInformation(**guessed)

    account["special_folders"] = special
    return account
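def testConvertToKnowledgeBaseUser(self):
    """Check that User.ToKnowledgeBaseUser carries every field across.

    A User is built with a username, a domain, a home directory and one
    special folder; the converted value must expose them as username,
    userdomain, homedir and desktop.
    """
    folders = rdfvalue.FolderInformation(desktop="/usr/local/test/Desktop")
    # The fixture username has to equal the value asserted below; a masked
    # placeholder here can never satisfy the username assertion.
    user = rdfvalue.User(username="test", domain="test.com",
                         homedir="/usr/local/test",
                         special_folders=folders)
    kbuser = user.ToKnowledgeBaseUser()
    self.assertEqual(kbuser.username, "test")
    self.assertEqual(kbuser.userdomain, "test.com")
    self.assertEqual(kbuser.homedir, "/usr/local/test")
    # The folder entry is read back as a plain attribute of the result.
    self.assertEqual(kbuser.desktop, "/usr/local/test/Desktop")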
def FromKnowledgeBaseUser(self, kbuser):
    """Fill this User value from a KnowledgeBaseUser.

    Args:
      kbuser: The knowledge base user whose attributes are copied.

    Returns:
      This object, after its fields and special_folders have been set.
    """
    special = rdfvalue.FolderInformation()
    for legacy_name, kb_name in self.kb_user_mapping.items():
        value = getattr(kbuser, kb_name)
        if not value:
            # Empty or unset attributes are not copied.
            continue
        name_parts = legacy_name.split(".")
        if len(name_parts) > 1:
            # A dotted name is stored on the folder value under its second
            # component rather than on the user itself.
            special.Set(name_parts[1], value)
        else:
            self.Set(legacy_name, value)
    self.Set("special_folders", special)
    return self
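def Run(self, unused_args):
    """Enumerate all users on this machine.

    Every (user, sid, homedir) triple returned by GetUsersAndHomeDirs is
    matched against Win32_UserAccount through WMI. For each account whose
    SID is one of the enumerated SIDs a reply is sent with the username,
    domain, sid, homedir and special folders.

    Args:
      unused_args: Not used.
    """
    self.special_folders = constants.profile_folders
    homedirs = self.GetUsersAndHomeDirs()
    known_sids = [sid for (_, sid, _) in homedirs]

    for (user, sid, homedir) in homedirs:
        # The name is interpolated into a WQL string literal. Backslash is
        # the WQL escape character, so it and the double quote are escaped;
        # otherwise a name holding either one would change the query.
        wql_user = ("%s" % user).replace("\\", "\\\\").replace("\"", "\\\"")

        # This query determines if the sid corresponds to a real user account.
        for acc in RunWMIQuery("SELECT * FROM Win32_UserAccount "
                               "WHERE name=\"%s\"" % wql_user):
            if acc["SID"] not in known_sids:
                # There could be a user in another domain with the same name,
                # we just ignore this.
                continue

            response = {
                "username": acc["Name"],
                "domain": acc["Domain"],
                "sid": acc["SID"],
                "homedir": homedir,
            }

            profile_folders = self.GetSpecialFolders(sid)
            if not profile_folders:
                # TODO(user): The user's registry file is not mounted. The
                # right way would be to open the ntuser.dat and parse the keys
                # from there but we don't have registry file reading
                # capability yet. For now, we just try to guess the folders.
                # NOTE(review): a guessed path only proves that a directory
                # of that name exists under homedir.
                folders_found = {}
                for (_, folder, field) in self.special_folders:
                    path = os.path.join(homedir, folder)
                    try:
                        os.stat(path)
                    except exceptions.WindowsError:
                        # Absent or unreadable folders are left out.
                        continue
                    folders_found[field] = path
                profile_folders = rdfvalue.FolderInformation(**folders_found)

            response["special_folders"] = profile_folders
            self.SendReply(**response)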
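def GetSpecialFolders(self, sid):
    """Retrieves all the special folders from the registry.

    The values are read from the "Shell Folders" key below the given SID
    in HKEY_USERS.

    Args:
      sid: The SID whose key under HKEY_USERS is opened.

    Returns:
      A FolderInformation built from the non-empty values that could be
      read, or None when the key cannot be opened.
    """
    folders_key = (r"%s\Software\Microsoft\Windows"
                   r"\CurrentVersion\Explorer\Shell Folders")
    try:
        key = _winreg.OpenKey(_winreg.HKEY_USERS, folders_key % sid)
    except exceptions.WindowsError:
        # For users that are not logged in this key will not exist. If we
        # return None here, they will be guessed for now.
        return None

    response = {}
    try:
        for (reg_key, _, pb_field) in self.special_folders:
            try:
                (folder, _) = _winreg.QueryValueEx(key, reg_key)
            except exceptions.WindowsError:
                # This value is missing or unreadable for the user; skip it.
                continue
            if folder:
                response[pb_field] = folder
    finally:
        # Release the registry handle explicitly instead of leaving it open
        # until the object is collected; this runs once per enumerated user.
        _winreg.CloseKey(key)

    return rdfvalue.FolderInformation(**response)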