Esempio n. 1
    def testGetAttributeNames(self):
        """Tests the GetAttributeNames function."""
        event_data = windows_events.WindowsRegistryServiceEventData()

        # The attribute names are sorted before comparing so the check does
        # not depend on the order in which GetAttributeNames yields them.
        expected = [
            'data_type', 'key_path', 'offset', 'query', 'regvalue',
            'source_append', 'urls']
        self.assertEqual(sorted(event_data.GetAttributeNames()), expected)
Esempio n. 2
    def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
        """Extracts events from a Windows Registry services key.

        A key is only treated as a service definition when it carries both a
        ``Type`` and a ``Start`` value; any other key is skipped and produces
        no event.

        Args:
          parser_mediator (ParserMediator): mediates interactions between parsers
              and other components, such as storage and dfvfs.
          registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
        """
        type_value = registry_key.GetValueByName(u'Type')
        start_value = registry_key.GetValueByName(u'Start')
        if not (type_value and start_value):
            return

        regvalues = {}

        # ServiceDll is resolved through a dedicated helper (presumably because
        # it is stored under a subkey rather than on this key -- confirm in
        # GetServiceDll) and recorded first so the generic loop below does not
        # overwrite it.
        service_dll = self.GetServiceDll(registry_key)
        if service_dll:
            regvalues[u'ServiceDll'] = service_dll

        # Copy every remaining named string or integer value as-is; multi-string
        # values are flattened into a single comma-separated string.
        for registry_value in registry_key.GetValues():
            name = registry_value.name
            if not name or name in regvalues:
                continue
            if registry_value.DataIsString() or registry_value.DataIsInteger():
                regvalues[name] = registry_value.GetDataAsObject()
            elif registry_value.DataIsMultiString():
                regvalues[name] = u', '.join(registry_value.GetDataAsObject())

        # A service-specific event data type lets the output layer recognize
        # and expand well-known service values when rendering the event.
        event_data = windows_events.WindowsRegistryServiceEventData()
        event_data.key_path = registry_key.path
        event_data.offset = registry_key.offset
        event_data.regvalue = regvalues
        event_data.urls = self.URLS

        # The event is timestamped with the key's last-written time.
        event = time_events.DateTimeValuesEvent(
            registry_key.last_written_time, definitions.TIME_DESCRIPTION_WRITTEN)
        parser_mediator.ProduceEventWithEventData(event, event_data)