    def testProcess(self):
        """Tests the Process function.

        Parses the OpenSavePidlMRU key of the NTUSER-WIN7.DAT test hive with
        the plugin invoked directly (not via the parser) and pins the event
        count, the parser attribution and the formatted message strings of
        one MRUListEx event and one shell item event.
        """
        test_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
        key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer\\ComDlg32\\OpenSavePidlMRU')

        win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
        registry_key = win_registry.GetKeyByPath(key_path)

        plugin = mrulistex.MRUListExShellItemListWindowsRegistryPlugin()
        storage_writer = self._ParseKeyWithPlugin(
            registry_key, plugin, file_entry=test_file_entry)

        # A clean parse of the test key: no extraction warnings and a fixed
        # number of events, so a regression in the shell item parsing shows
        # up here before the per-event checks below.
        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 65)

        events = list(storage_writer.GetEvents())

        # The MRUListEx event: carries the ordered MRU entries of the key.
        mrulistex_event = events[40]

        self.assertEqual(mrulistex_event.pathspec, test_file_entry.path_spec)
        # The plugin is invoked directly rather than through the parser, so
        # the parser attribution is just the plugin name.
        self.assertEqual(mrulistex_event.parser, plugin.plugin_name)

        self.CheckTimestamp(
            mrulistex_event.timestamp, '2011-08-28 22:48:28.159309')

        mrulistex_entries = (
            'Index: 1 [MRU Value 1]: Shell item path: <My Computer> '
            'P:\\Application Tools\\Firefox 6.0\\Firefox Setup 6.0.exe '
            'Index: 2 [MRU Value 0]: Shell item path: <Computers and Devices> '
            '<UNKNOWN: 0x00>\\\\controller\\WebDavShare\\Firefox Setup 3.6.12.exe')
        expected_message = '[{0:s}\\exe] {1:s}'.format(
            key_path, mrulistex_entries)
        # The short message is the long one truncated to 77 characters plus
        # an ellipsis.
        expected_short_message = expected_message[:77] + '...'

        self._TestGetMessageStrings(
            mrulistex_event, expected_message, expected_short_message)

        # A shell item event: one file entry referenced from the MRU list.
        shell_item_event = events[0]

        self.CheckTimestamp(
            shell_item_event.timestamp, '2012-03-08 22:16:02.000000')

        shell_item_origin = key_path + '\\*'
        expected_message = (
            'Name: ALLOYR~1 '
            'Long name: Alloy Research '
            'NTFS file reference: 44518-33 '
            'Shell item path: <Shared Documents Folder (Users Files)> '
            '<UNKNOWN: 0x00>\\Alloy Research '
            'Origin: ' + shell_item_origin)
        expected_short_message = (
            'Name: Alloy Research '
            'NTFS file reference: 44518-33 '
            'Origin: HKEY_CURRENT_USER\\...')

        self._TestGetMessageStrings(
            shell_item_event, expected_message, expected_short_message)
    def testProcess(self):
        """Tests the Process function.

        Parses the OpenSavePidlMRU key of the NTUSER-WIN7.DAT test hive with
        the plugin invoked directly (not via the parser) and pins the event
        count plus the attribute values of one MRUListEx event and one shell
        item event.
        """
        test_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
        key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer\\ComDlg32\\OpenSavePidlMRU')

        win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
        registry_key = win_registry.GetKeyByPath(key_path)

        plugin = mrulistex.MRUListExShellItemListWindowsRegistryPlugin()
        storage_writer = self._ParseKeyWithPlugin(
            registry_key, plugin, file_entry=test_file_entry)

        # A clean parse of the test key: no extraction warnings and a fixed
        # number of events, so a regression in the shell item parsing shows
        # up here before the per-event checks below.
        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 65)

        events = list(storage_writer.GetEvents())

        # The MRUListEx event: carries the ordered MRU entries of the key.
        mrulistex_entries = (
            'Index: 1 [MRU Value 1]: Shell item path: <My Computer> '
            'P:\\Application Tools\\Firefox 6.0\\Firefox Setup 6.0.exe '
            'Index: 2 [MRU Value 0]: Shell item path: <Computers and '
            'Devices> <UNKNOWN: 0x00>\\\\controller\\WebDavShare\\Firefox '
            'Setup 3.6.12.exe')

        mrulistex_event_values = dict(
            data_type='windows:registry:mrulistex',
            entries=mrulistex_entries,
            key_path=key_path + '\\exe',
            # The plugin is invoked directly rather than through the parser,
            # so the parser attribution is just the plugin name.
            parser=plugin.plugin_name,
            timestamp='2011-08-28 22:48:28.159309')

        self.CheckEventValues(
            storage_writer, events[40], mrulistex_event_values)

        # A shell item event: one file entry referenced from the MRU list.
        shell_item_path = (
            '<Shared Documents Folder (Users Files)> '
            '<UNKNOWN: 0x00>\\Alloy Research')
        shell_item_event_values = dict(
            data_type='windows:shell_item:file_entry',
            name='ALLOYR~1',
            long_name='Alloy Research',
            file_reference='44518-33',
            origin=key_path + '\\*',
            shell_item_path=shell_item_path,
            timestamp='2012-03-08 22:16:02.000000')

        self.CheckEventValues(
            storage_writer, events[0], shell_item_event_values)
    def testFilters(self):
        """Tests the FILTERS class attribute.

        The plugin must claim both Explorer MRU key paths it is responsible
        for and must not claim an unrelated key under HKEY_LOCAL_MACHINE.
        """
        plugin = mrulistex.MRUListExShellItemListWindowsRegistryPlugin()

        explorer_key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer')
        # Both subkeys live under the same Explorer key; check them in the
        # same order as before.
        for subkey_path in ('ComDlg32\\OpenSavePidlMRU', 'StreamMRU'):
            self._AssertFiltersOnKeyPath(
                plugin, '{0:s}\\{1:s}'.format(explorer_key_path, subkey_path))

        self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')