def testFilters(self):
    """Tests the FILTERS class attribute.

    Pins both sides of the filter: the plugin has to match the TaskCache
    key path (the registry location of scheduled task entries) and has to
    reject an unrelated key path. Scheduled tasks are routinely reviewed
    as a persistence location during Windows investigations, so a filter
    regression here is worth catching early.
    """
    task_cache_key_path = (
        'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\'
        'CurrentVersion\\Schedule\\TaskCache')
    unrelated_key_path = 'HKEY_LOCAL_MACHINE\\Bogus'

    plugin = task_scheduler.TaskCacheWindowsRegistryPlugin()

    # Positive case: the TaskCache key must be selected by the plugin.
    self._AssertFiltersOnKeyPath(plugin, task_cache_key_path)
    # Negative case: an unrelated key must not be selected.
    self._AssertNotFiltersOnKeyPath(plugin, unrelated_key_path)
def testProcess(self):
    """Tests the Process function.

    Parses the TaskCache key of the SOFTWARE-RunTests test hive with the
    plugin invoked directly, then checks the totals (no warnings, 174
    events) and the first two events. Both events are expected to describe
    the SynchronizeTime task with the same identifier and to differ only
    in their timestamp.
    """
    task_cache_path = (
        'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\'
        'CurrentVersion\\Schedule\\TaskCache')
    entry_data_type = 'task_scheduler:task_cache:entry'

    # The two events checked below render to the same message strings, so
    # the expected values are built once.
    long_message = (
        '[{0:s}] Task: SynchronizeTime '
        '[Identifier: {{044A6734-E90E-4F8F-B357-B2DC8AB3B5EC}}]'
    ).format(task_cache_path)
    short_message = 'Task: SynchronizeTime'

    hive_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests'])
    registry = self._GetWinRegistryFromFileEntry(hive_file_entry)
    task_cache_key = registry.GetKeyByPath(task_cache_path)

    plugin = task_scheduler.TaskCacheWindowsRegistryPlugin()
    storage_writer = self._ParseKeyWithPlugin(
        task_cache_key, plugin, file_entry=hive_file_entry)

    # A non-zero warning count would mean part of the key was not parsed
    # cleanly; the event count guards against silently dropped entries.
    self.assertEqual(storage_writer.number_of_warnings, 0)
    self.assertEqual(storage_writer.number_of_events, 174)

    events = list(storage_writer.GetEvents())

    first_event = events[0]

    # The plugin is invoked directly rather than through the parser, so
    # the parser attribute should be just the plugin name.
    self.assertEqual(first_event.parser, plugin.plugin_name)
    self.assertEqual(first_event.data_type, entry_data_type)
    self.CheckTimestamp(first_event.timestamp, '2009-07-14 04:53:25.811618')
    self.assertEqual(first_event.task_name, 'SynchronizeTime')
    self.assertEqual(
        first_event.task_identifier,
        '{044A6734-E90E-4F8F-B357-B2DC8AB3B5EC}')
    self._TestGetMessageStrings(first_event, long_message, short_message)

    second_event = events[1]

    self.assertEqual(second_event.data_type, entry_data_type)
    self.CheckTimestamp(second_event.timestamp, '2009-07-14 05:08:50.811627')
    self._TestGetMessageStrings(second_event, long_message, short_message)
def testProcess(self):
    """Tests the Process function.

    Parses the TaskCache key of the SOFTWARE-RunTests test hive with the
    plugin invoked directly. The test then checks the attribute container
    counts (174 events, no extraction or recovery warnings) and the values
    of the first two events, which share every expected value except
    date_time.
    """
    task_cache_path = (
        'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\'
        'CurrentVersion\\Schedule\\TaskCache')

    hive_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests'])
    registry = self._GetWinRegistryFromFileEntry(hive_file_entry)
    task_cache_key = registry.GetKeyByPath(task_cache_path)

    plugin = task_scheduler.TaskCacheWindowsRegistryPlugin()
    storage_writer = self._ParseKeyWithPlugin(
        task_cache_key, plugin, file_entry=hive_file_entry)

    # Warnings are counted per container type; any non-zero count would
    # mean part of the key was not parsed cleanly.
    expected_container_counts = (
        ('event', 174),
        ('extraction_warning', 0),
        ('recovery_warning', 0))
    for container_type, expected_count in expected_container_counts:
        actual_count = storage_writer.GetNumberOfAttributeContainers(
            container_type)
        self.assertEqual(actual_count, expected_count)

    events = list(storage_writer.GetEvents())

    # date_time strings carry seven fractional digits here.
    # NOTE(review): presumably the 100ns resolution of the stored
    # timestamp - confirm against the plugin.
    expected_date_times = (
        '2009-07-14 04:53:25.8116181',
        '2009-07-14 05:08:50.8116269')

    for event_index, expected_date_time in enumerate(expected_date_times):
        expected_event_values = {
            'date_time': expected_date_time,
            'data_type': 'task_scheduler:task_cache:entry',
            'key_path': task_cache_path,
            # The plugin is invoked directly rather than through the
            # parser, so this should be just the plugin name.
            'parser': plugin.NAME,
            'task_name': 'SynchronizeTime',
            'task_identifier': '{044A6734-E90E-4F8F-B357-B2DC8AB3B5EC}'}

        self.CheckEventValues(
            storage_writer, events[event_index], expected_event_values)