def testFilters(self):
  """Tests the FILTERS class attribute.

  Checks that the BagMRU plugin matches every key path it is expected to
  handle (the Shell and ShellNoRoam BagMRU keys under Software, under
  Software/Classes/Local Settings and under Local Settings) and that an
  unrelated key path is not matched.
  """
  plugin = bagmru.BagMRUWindowsRegistryPlugin()

  # Key paths the plugin must be triggered on, in the order they are checked.
  matching_key_paths = [
      'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU',
      ('HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\'
       'BagMRU'),
      ('HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\'
       'Microsoft\\Windows\\Shell\\BagMRU'),
      ('HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\'
       'Microsoft\\Windows\\ShellNoRoam\\BagMRU'),
      ('HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\'
       'Shell\\BagMRU'),
      ('HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\'
       'ShellNoRoam\\BagMRU'),
  ]
  for matching_key_path in matching_key_paths:
    self._AssertFiltersOnKeyPath(plugin, matching_key_path)

  # A key outside the BagMRU locations must not trigger the plugin.
  self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
def testProcess(self):
  """Tests the Process function.

  Parses the ShellNoRoam BagMRU key of the NTUSER.DAT test file with the
  plugin and checks the warning and event counts, the first two events and
  the last (deepest nested) event.

  NOTE(review): a second ``testProcess`` definition appears after this one
  on this page; if both live in the same test class only the later one is
  collected by the test runner.
  """
  plugin = bagmru.BagMRUWindowsRegistryPlugin()
  test_file_entry = self._GetTestFileEntry(['NTUSER.DAT'])
  key_path = (
      'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU')

  win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
  registry_key = win_registry.GetKeyByPath(key_path)
  storage_writer = self._ParseKeyWithPlugin(
      registry_key, plugin, file_entry=test_file_entry)

  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 15)

  events = list(storage_writer.GetEvents())

  # First event: the root BagMRU key itself.
  first_event = events[0]
  self.assertEqual(first_event.data_type, 'windows:registry:bagmru')
  self.assertEqual(first_event.pathspec, test_file_entry.path_spec)
  # The plugin is invoked directly and not through the parser, so the
  # parser attribute is expected to be just the plugin name.
  self.assertEqual(first_event.parser, plugin.plugin_name)
  self.CheckTimestamp(first_event.timestamp, '2009-08-04 15:19:16.997750')

  root_message = (
      '[' + key_path + '] Index: 1 [MRU Value 0]: '
      'Shell item path: <My Computer>')
  root_short_message = root_message[:77] + '...'
  self._TestGetMessageStrings(
      first_event, root_message, root_short_message)

  # Second event: the first subkey (\\0) of the root key.
  second_event = events[1]
  self.CheckTimestamp(second_event.timestamp, '2009-08-04 15:19:10.669625')

  subkey_message = (
      '[' + key_path + '\\0] Index: 1 [MRU Value 0]: '
      'Shell item path: <My Computer> C:\\')
  subkey_short_message = subkey_message[:77] + '...'
  self._TestGetMessageStrings(
      second_event, subkey_message, subkey_short_message)

  # Last event: the deepest nested subkey (\\0\\0\\0\\0\\0).
  last_event = events[14]
  self.CheckTimestamp(last_event.timestamp, '2009-08-04 15:19:16.997750')

  # The winreg_formatter adds a space after the key path even when there is
  # no further text, hence the trailing space and the identical short form.
  deepest_key_path = '\\'.join([key_path] + ['0'] * 5)
  deepest_message = '[' + deepest_key_path + '] '
  self._TestGetMessageStrings(last_event, deepest_message, deepest_message)
def testProcess(self):
  """Tests the Process function.

  Parses the ShellNoRoam BagMRU key of the NTUSER.DAT test file with the
  plugin and checks the event and warning container counts, then the
  attribute values of the first two events and of the last (deepest
  nested) event.
  """
  plugin = bagmru.BagMRUWindowsRegistryPlugin()
  test_file_entry = self._GetTestFileEntry(['NTUSER.DAT'])
  key_path = (
      'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU')

  win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
  registry_key = win_registry.GetKeyByPath(key_path)
  storage_writer = self._ParseKeyWithPlugin(
      registry_key, plugin, file_entry=test_file_entry)

  # Expected number of stored containers per container type, checked in
  # this order: events first, then both warning types.
  expected_container_counts = [
      ('event', 15),
      ('extraction_warning', 0),
      ('recovery_warning', 0),
  ]
  for container_type, expected_count in expected_container_counts:
    actual_count = storage_writer.GetNumberOfAttributeContainers(
        container_type)
    self.assertEqual(actual_count, expected_count)

  events = list(storage_writer.GetEvents())

  # First event: the root BagMRU key itself.
  root_event_values = {
      'data_type': 'windows:registry:bagmru',
      'date_time': '2009-08-04 15:19:16.9977500',
      'entries': 'Index: 1 [MRU Value 0]: Shell item path: <My Computer>',
      # The plugin is invoked directly and not through the parser, so the
      # parser attribute is expected to be just the plugin name.
      'parser': plugin.NAME,
  }
  self.CheckEventValues(storage_writer, events[0], root_event_values)

  # Second event: the first subkey of the root key.
  subkey_event_values = {
      'date_time': '2009-08-04 15:19:10.6696250',
      'entries': (
          'Index: 1 [MRU Value 0]: Shell item path: <My Computer> C:\\'),
  }
  self.CheckEventValues(storage_writer, events[1], subkey_event_values)

  # Last event: the deepest nested subkey (\\0\\0\\0\\0\\0).
  deepest_key_path = '\\'.join([key_path] + ['0'] * 5)
  deepest_event_values = {
      'date_time': '2009-08-04 15:19:16.9977500',
      'key_path': deepest_key_path,
  }
  self.CheckEventValues(storage_writer, events[14], deepest_event_values)