def testProcessOnWin7(self):
"""Tests the Process function on a Windows 7 Registry file."""
test_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = userassist.UserAssistPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key, plugin, file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 61)
events = list(storage_writer.GetEvents())
expected_event_values = {
'application_focus_count': 21,
'application_focus_duration': 420000,
'key_path': '{0:s}\\Count'.format(key_path),
'number_of_executions': 14,
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
'parser': plugin.plugin_name,
'timestamp': '2010-11-10 07:49:37.078068',
'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_RUN,
'value_name': 'Microsoft.Windows.GettingStarted'}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessOnWinXP(self):
"""Tests the Process function on a Windows XP Registry file."""
test_file_entry = self._GetTestFileEntry(['NTUSER.DAT'])
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\UserAssist\\{75048700-EF1F-11D0-9888-006097DEACF9}')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = userassist.UserAssistPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key, plugin, file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 14)
events = list(storage_writer.GetEvents())
expected_event_values = {
'key_path': '{0:s}\\Count'.format(key_path),
'number_of_executions': 14,
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
'parser': plugin.plugin_name,
'timestamp': '2009-08-04 15:11:22.811068',
'timestamp_desc': definitions.TIME_DESCRIPTION_LAST_RUN,
'value_name': 'UEME_RUNPIDL:%csidl2%\\MSN.lnk'}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testFilters(self):
"""Tests the FILTERS class attribute."""
plugin = userassist.UserAssistPlugin()
for guid in self._TEST_GUIDS:
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\UserAssist\\{0:s}').format(guid)
self._AssertFiltersOnKeyPath(plugin, key_path)
self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
def testProcessOnWin7(self):
"""Tests the Process function on a Windows 7 Registry file."""
test_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = userassist.UserAssistPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 61)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2010-11-10 07:49:37.078068')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_LAST_RUN)
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.pathspec, test_file_entry.path_spec)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_data.parser, plugin.plugin_name)
expected_value_name = 'Microsoft.Windows.GettingStarted'
self.assertEqual(event_data.value_name, expected_value_name)
self.assertEqual(event_data.number_of_executions, 14)
self.assertEqual(event_data.application_focus_count, 21)
self.assertEqual(event_data.application_focus_duration, 420000)
expected_message = ('[{0:s}\\Count] '
'UserAssist entry: 1 '
'Value name: {1:s} '
'Count: 14 '
'Application focus count: 21 '
'Application focus duration: 420000').format(
key_path, expected_value_name)
expected_short_message = '{0:s} Count: 14'.format(expected_value_name)
self._TestGetMessageStrings(event_data, expected_message,
expected_short_message)
def testProcessOnWinXP(self):
"""Tests the Process function on a Windows XP Registry file."""
test_file_entry = self._GetTestFileEntry(['NTUSER.DAT'])
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Explorer\\UserAssist\\{75048700-EF1F-11D0-9888-006097DEACF9}')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = userassist.UserAssistPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 14)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2009-08-04 15:11:22.811068')
self.assertEqual(event.timestamp_desc,
definitions.TIME_DESCRIPTION_LAST_RUN)
event_data = self._GetEventDataOfEvent(storage_writer, event)
self.assertEqual(event_data.pathspec, test_file_entry.path_spec)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_data.parser, plugin.plugin_name)
expected_value_name = 'UEME_RUNPIDL:%csidl2%\\MSN.lnk'
self.assertEqual(event_data.value_name, expected_value_name)
self.assertEqual(event_data.number_of_executions, 14)
expected_message = ('[{0:s}\\Count] '
'Value name: {1:s} '
'Count: 14').format(key_path, expected_value_name)
expected_short_message = '{0:s} Count: 14'.format(expected_value_name)
self._TestGetMessageStrings(event_data, expected_message,
expected_short_message)
def setUp(self):
"""Makes preparations before running an individual test."""
self._plugin = userassist.UserAssistPlugin()
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._plugin = userassist.UserAssistPlugin()
