def _csv_open_save_mru(self, str_opensave_mru):
"""Extracts OpenSaveMRU containing information about opened and saved windows"""
# TODO : Win XP
self.logger.info("Extracting open save MRU")
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_opensave_mru)
to_csv_list = []
for item in hive_list:
if item[self.VALUE_NAME] != "MRUListEx":
l_printable = extract_filename_from_pidlmru(item[self.VALUE_DATA])
# FIXME: (dirty) if the list is empty it's probably because the string is off by 1...
if len(l_printable) == 0:
# So we take away the first char to have a correct offset (modulo 2)
l_printable = extract_filename_from_pidlmru(item[self.VALUE_DATA][1:])
if len(l_printable) != 0:
str_printable = l_printable[-1]
if item[self.KEY_VALUE_STR] == "VALUE":
to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
registry_obj.get_str_type(item[self.VALUE_TYPE]), str_printable))
else: # if the length is still 0 then don't know
if item[self.KEY_VALUE_STR] == "VALUE":
to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA]))
with open(self.output_dir + "\\" + self.computer_name + "_opensaveMRU.csv", "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_shell_bags(self):
"""Extracts shellbags: size, view, icon and position for Explorer folders"""
# TODO Check Vista and under
self.logger.info("Extracting shell bags")
paths = [r"Software\Microsoft\Windows\Shell\Bags",
r"Software\Microsoft\Windows\Shell\BagMRU",
r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags",
r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU"]
hive_list = []
for path in paths:
hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path)
to_csv_list = []
for item in hive_list:
try:
datas = decode_shellbag_itempos_data(item[self.VALUE_NAME], item[self.VALUE_DATA])
except IndexError:
self.logger.error("Error in shellbag data format for " + item[self.VALUE_NAME])
datas = None
if datas:
for data in datas:
if item[self.KEY_VALUE_STR] == "VALUE":
to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
registry_obj.get_str_type(item[self.VALUE_TYPE])) + tuple(data))
else:
if item[self.KEY_VALUE_STR] == "VALUE":
to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA]))
with open(self.output_dir + "\\" + self.computer_name + "_shellbags.csv", "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_shell_bags(self):
"""
Extracts shellbags: size, view, icon and position of graphical windows
In particular, executed graphical programs will leave a key here
"""
self.logger.info("Extracting shell bags")
paths = [
r"Software\Microsoft\Windows\Shell\Bags",
r"Software\Microsoft\Windows\Shell\BagMRU"
]
paths_usrclass = [
r"Local Settings\Software\Microsoft\Windows\Shell\Bags",
r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU"
]
hive_list = []
for path in paths:
hive_list += self._get_list_from_registry_key(
registry_obj.HKEY_USERS, path)
for path in paths_usrclass:
hive_list += self._get_list_from_registry_key(
registry_obj.HKEY_USERS, path, is_usrclass=True)
to_csv_list = [
("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
"ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
]
for item in hive_list:
if "ItemPos" in item[VALUE_NAME]:
try:
data = decode_shellbag_itempos_data(item[VALUE_DATA])
except IndexError:
self.logger.error("Error in shellbag data format for " +
item[VALUE_NAME])
data = None
if data:
if item[KEY_VALUE_STR] == "VALUE":
for data in data:
for d in data:
to_csv_list.append(
(self.computer_name, "shellbags",
item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[VALUE_PATH], item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(
item[VALUE_TYPE]), d))
else:
if item[KEY_VALUE_STR] == "VALUE":
to_csv_list.append(
(self.computer_name, "shellbags",
item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[VALUE_PATH], item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
item[VALUE_DATA]))
with open(
self.output_dir + "\\" + self.computer_name + "_shellbags" +
self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _csv_user_assist(self, count_offset, is_win7_or_further):
"""
Extracts information from UserAssist registry key which contains information about executed programs
The count offset is for Windows versions before 7, where it would start at 6
"""
self.logger.info("Extracting user assist")
path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist"
count = "\Count"
# logged on users
users = registry_obj.RegistryKey(registry_obj.HKEY_USERS)
hive_list = []
for i in xrange(users.get_number_of_sub_keys()):
user = users.get_sub_key(i)
user_assist_key = user.get_sub_key_by_path(path)
if user_assist_key:
for j in xrange(user_assist_key.get_number_of_sub_keys()):
# getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count
path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:])
hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count)
if is_win7_or_further:
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")]
else:
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")]
for item in hive_list:
if item[KEY_VALUE_STR] == "VALUE":
str_value_name = codecs.decode(item[VALUE_NAME], "rot_13")
str_value_datatmp = item[VALUE_DATA]
# some data are less than 16 bytes for some reason...
if len(str_value_datatmp) < 16:
to_csv_list.append((self.computer_name,
"userassist",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
str_value_name))
else:
if is_win7_or_further:
data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset)
else:
data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset)
to_csv_list.append((self.computer_name,
"user_assist",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
str_value_name) + tuple(data))
with open(self.output_dir + "\\" + self.computer_name + "_user_assist.csv", "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _csv_user_assist(self, count_offset, is_win7_or_further):
"""
Extracts information from UserAssist registry key which contains information about executed programs
The count offset is for Windows versions before 7, where it would start at 6
"""
self.logger.info("Extracting user assist")
path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist"
count = "\Count"
# logged on users
users = registry_obj.RegistryKey(registry_obj.HKEY_USERS)
hive_list = []
for i in xrange(users.get_number_of_sub_keys()):
user = users.get_sub_key(i)
user_assist_key = user.get_sub_key_by_path(path)
if user_assist_key:
for j in xrange(user_assist_key.get_number_of_sub_keys()):
# getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count
path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:])
hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count)
if is_win7_or_further:
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")]
else:
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")]
for item in hive_list:
if item[KEY_VALUE_STR] == "VALUE":
str_value_name = codecs.decode(item[VALUE_NAME], "rot_13")
str_value_datatmp = item[VALUE_DATA]
# some data are less than 16 bytes for some reason...
if len(str_value_datatmp) < 16:
to_csv_list.append((self.computer_name,
"userassist",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
str_value_name))
else:
if is_win7_or_further:
data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset)
else:
data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset)
to_csv_list.append((self.computer_name,
"user_assist",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
str_value_name) + tuple(data))
with open(self.output_dir + "\\" + self.computer_name + "_user_assist" + self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_shell_bags(self):
"""
Extracts shellbags: size, view, icon and position of graphical windows
In particular, executed graphical programs will leave a key here
"""
self.logger.info("Extracting shell bags")
paths = [r"Software\Microsoft\Windows\Shell\Bags",
r"Software\Microsoft\Windows\Shell\BagMRU"]
paths_usrclass = [r"Local Settings\Software\Microsoft\Windows\Shell\Bags",
r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU"]
hive_list = []
for path in paths:
hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path)
for path in paths_usrclass:
hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path, is_usrclass=True)
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
for item in hive_list:
if "ItemPos" in item[VALUE_NAME]:
try:
data = decode_shellbag_itempos_data(item[VALUE_DATA])
except IndexError:
self.logger.error("Error in shellbag data format for " + item[VALUE_NAME])
data = None
if data:
if item[KEY_VALUE_STR] == "VALUE":
for data in data:
for d in data:
to_csv_list.append((self.computer_name,
"shellbags",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
d))
else:
if item[KEY_VALUE_STR] == "VALUE":
to_csv_list.append((self.computer_name,
"shellbags",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
item[VALUE_DATA]))
with open(self.output_dir + "\\" + self.computer_name + "_shellbags" + self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _generate_hku_csv_list(self, to_csv_list, path, is_recursive=True):
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path, is_recursive=is_recursive)
for item in hive_list:
if item[self.KEY_VALUE_STR] == "VALUE":
to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA]))
def _csv_open_save_mru(self, str_opensave_mru):
"""Extracts OpenSaveMRU containing information about files selected in the Open and Save view"""
# TODO : Win XP
self.logger.info("Extracting open save MRU")
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS,
str_opensave_mru)
to_csv_list = [
("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
"ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
]
for item in hive_list:
if item[KEY_VALUE_STR] == 'VALUE':
if item[VALUE_NAME] != "MRUListEx":
pidl = shell.StringAsPIDL(item[VALUE_DATA])
path = shell.SHGetPathFromIDList(pidl)
to_csv_list.append(
(self.computer_name, "opensaveMRU",
item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[VALUE_PATH], item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]), path))
with open(
self.output_dir + "\\" + self.computer_name + "_opensaveMRU" +
self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_recent_docs(self):
"""Extracts information about recently opened files saved location and opened date"""
self.logger.info("Extracting recent docs")
path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS,
path)
to_csv_list = [
("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
"ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
]
for item in hive_list:
if item[KEY_VALUE_STR] == "VALUE":
if item[VALUE_NAME] != "MRUListEx":
values_decoded = decode_recent_docs_mru(item[VALUE_DATA])
for value_decoded in values_decoded:
to_csv_list.append(
(self.computer_name, "recent_docs",
item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[VALUE_PATH], item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
value_decoded))
with open(
self.output_dir + "\\" + self.computer_name + "_recent_docs" +
self.rand_ext, "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _generate_hku_csv_list(self, to_csv_list, csv_type, path, is_recursive=True):
"""
Generates a generic list suitable for CSV output.
Extracts information from HKEY_USERS hives.
"""
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path, is_recursive=is_recursive)
for item in hive_list:
if item[KEY_VALUE_STR] == "VALUE":
try:
value_data = item[VALUE_DATA].decode('UTF-16')
if '\x00' not in value_data:
value_data = item[VALUE_DATA]
except:
value_data = item[VALUE_DATA]
to_csv_list.append((self.computer_name,
csv_type,
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
value_data))
def csv_shell_bags(self):
"""Extracts shellbags: size, view, icon and position for Explorer folders"""
# TODO Check Vista and under
self.logger.info("Extracting shell bags")
paths = [
r"Software\Microsoft\Windows\Shell\Bags",
r"Software\Microsoft\Windows\Shell\BagMRU",
r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags",
r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU"
]
hive_list = []
for path in paths:
hive_list += self._get_list_from_registry_key(
registry_obj.HKEY_USERS, path)
to_csv_list = []
for item in hive_list:
try:
datas = decode_shellbag_itempos_data(item[self.VALUE_NAME],
item[self.VALUE_DATA])
except IndexError:
self.logger.error("Error in shellbag data format for " +
item[self.VALUE_NAME])
datas = None
if datas:
for data in datas:
if item[self.KEY_VALUE_STR] == "VALUE":
to_csv_list.append((
self.computer_name,
item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[self.VALUE_PATH], item[self.VALUE_NAME],
item[self.KEY_VALUE_STR],
registry_obj.get_str_type(item[self.VALUE_TYPE])) +
tuple(data))
else:
if item[self.KEY_VALUE_STR] == "VALUE":
to_csv_list.append(
(self.computer_name, item[self.VALUE_LAST_WRITE_TIME],
"HKEY_USERS", item[self.VALUE_PATH],
item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
registry_obj.get_str_type(item[self.VALUE_TYPE]),
item[self.VALUE_DATA]))
with open(
self.output_dir + "\\" + self.computer_name + "_shellbags.csv",
"wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _generate_hklm_csv_list(self, to_csv_list, path, is_recursive=True):
hive_list = self._get_list_from_registry_key(
registry_obj.HKEY_LOCAL_MACHINE, path, is_recursive=is_recursive)
for item in hive_list:
if item[self.KEY_VALUE_STR] == "VALUE":
to_csv_list.append(
(self.computer_name, item[self.VALUE_LAST_WRITE_TIME],
"HKEY_LOCAL_MACHINE", item[self.VALUE_PATH],
item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
registry_obj.get_str_type(item[self.VALUE_TYPE]),
item[self.VALUE_DATA]))
def _csv_open_save_mru(self, str_opensave_mru):
"""Extracts OpenSaveMRU containing information about opened and saved windows"""
# TODO : Win XP
self.logger.info("Extracting open save MRU")
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS,
str_opensave_mru)
to_csv_list = []
for item in hive_list:
if item[self.VALUE_NAME] != "MRUListEx":
l_printable = extract_filename_from_pidlmru(
item[self.VALUE_DATA])
# FIXME: (dirty) if the list is empty it's probably because the string is off by 1...
if len(l_printable) == 0:
# So we take away the first char to have a correct offset (modulo 2)
l_printable = extract_filename_from_pidlmru(
item[self.VALUE_DATA][1:])
if len(l_printable) != 0:
str_printable = l_printable[-1]
if item[self.KEY_VALUE_STR] == "VALUE":
to_csv_list.append(
(self.computer_name,
item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[self.VALUE_PATH], item[self.VALUE_NAME],
item[self.KEY_VALUE_STR],
registry_obj.get_str_type(item[self.VALUE_TYPE]),
str_printable))
else: # if the length is still 0 then don't know
if item[self.KEY_VALUE_STR] == "VALUE":
to_csv_list.append(
(self.computer_name,
item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[self.VALUE_PATH], item[self.VALUE_NAME],
item[self.KEY_VALUE_STR],
registry_obj.get_str_type(item[self.VALUE_TYPE]),
item[self.VALUE_DATA]))
with open(
self.output_dir + "\\" + self.computer_name +
"_opensaveMRU.csv", "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def csv_recent_docs(self):
"""Extracts information about recently opened files saved location and opened date"""
self.logger.info("Extracting recent docs")
path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path)
to_csv_list = []
for item in hive_list:
if item[self.KEY_VALUE_STR] == "VALUE":
if item[self.VALUE_NAME] != "MRUListEx":
value_decoded = decode_recent_docs_mru(item[self.VALUE_DATA])
to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS",
item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR],
registry_obj.get_str_type(item[self.VALUE_TYPE])) + tuple(value_decoded))
with open(self.output_dir + "\\" + self.computer_name + "_recent_docs.csv", "wb") as output:
csv_writer = get_csv_writer(output)
write_list_to_csv(to_csv_list, csv_writer)
def _generate_hklm_csv_list(self, to_csv_list, csv_type, path, is_recursive=True):
"""
Generates a generic list suitable for CSV output.
Extracts information from HKEY_LOCAL_MACHINE hives.
"""
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_LOCAL_MACHINE, path, is_recursive=is_recursive)
for item in hive_list:
if item[KEY_VALUE_STR] == "VALUE":
to_csv_list.append((self.computer_name,
csv_type,
item[VALUE_LAST_WRITE_TIME],
"HKEY_LOCAL_MACHINE",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
item[VALUE_DATA]))
def __get_powerpoint_mru(self, str_powerpoint_mru):
"""Extracts PowerPoint user mru"""
# TODO : Win XP
self.logger.info("Extracting PowerPoint MRU")
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_powerpoint_mru)
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
for item in hive_list:
if item[KEY_VALUE_STR] == 'VALUE':
if item[VALUE_NAME] != "MRUListEx":
pidl = shell.StringAsPIDL(item[VALUE_DATA])
path = shell.SHGetPathFromIDList(pidl)
to_csv_list.append((self.computer_name,
"PowerPointMRU",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]), path))
return to_csv_list
def __get_open_save_mru(self, str_opensave_mru):
"""Extracts OpenSaveMRU containing information about files selected in the Open and Save view"""
# TODO : Win XP
self.logger.info("Extracting open save MRU")
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_opensave_mru)
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
for item in hive_list:
if item[KEY_VALUE_STR] == 'VALUE':
if item[VALUE_NAME] != "MRUListEx":
pidl = shell.StringAsPIDL(item[VALUE_DATA])
path = shell.SHGetPathFromIDList(pidl)
to_csv_list.append((self.computer_name,
"opensaveMRU",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]), path))
return to_csv_list
def __get_recents_docs(self):
"""Extracts information about recently opened files saved location and opened date"""
self.logger.info("Extracting recent docs")
path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path)
to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
"ATTR_TYPE", "ATTR_DATA")]
for item in hive_list:
if item[KEY_VALUE_STR] == "VALUE":
if item[VALUE_NAME] != "MRUListEx":
values_decoded = decode_recent_docs_mru(item[VALUE_DATA])
for value_decoded in values_decoded:
to_csv_list.append((self.computer_name,
"recent_docs",
item[VALUE_LAST_WRITE_TIME],
"HKEY_USERS",
item[VALUE_PATH],
item[VALUE_NAME],
item[KEY_VALUE_STR],
registry_obj.get_str_type(item[VALUE_TYPE]),
value_decoded))
return to_csv_list
