Esempio n. 1
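 def _csv_open_save_mru(self, str_opensave_mru):
     """Extract the OpenSaveMRU entries and write them to a CSV file.

     Reads every entry under ``str_opensave_mru`` in HKEY_USERS, skips the
     ``MRUListEx`` value, decodes each remaining value as a serialized item
     ID list (PIDL) and resolves it to a path. One row per value is written
     to a file named ``<computer_name>_opensaveMRU<rand_ext>`` inside
     ``self.output_dir``.

     The value data is read from the registry of the host being examined,
     so it must be treated as untrusted: a malformed or truncated blob makes
     ``shell.StringAsPIDL`` raise. Such a value is logged and kept in the
     output with an empty ``ATTR_DATA`` column, so that a single bad entry
     does not abort the collection and the key path and last-write time of
     that entry are still recorded.

     Args:
         str_opensave_mru: registry key path, passed unchanged to
             ``self._get_list_from_registry_key``.
     """
     # TODO : Win XP
     self.logger.info("Extracting open save MRU")
     hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS,
                                                  str_opensave_mru)
     to_csv_list = [
         ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH",
          "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")
     ]
     for item in hive_list:
         # Only registry values are of interest; MRUListEx is not decoded.
         if item[KEY_VALUE_STR] != 'VALUE' or item[VALUE_NAME] == "MRUListEx":
             continue
         try:
             pidl = shell.StringAsPIDL(item[VALUE_DATA])
             path = shell.SHGetPathFromIDList(pidl)
         except Exception as exc:
             # Best effort per value. The exception type raised by the shell
             # calls is not importable from the names visible in this block,
             # hence the broad catch; the failure is always logged.
             # %r keeps control characters from the registry out of the log.
             self.logger.info(
                 "Could not decode opensaveMRU value %r under %r: %r"
                 % (item[VALUE_NAME], item[VALUE_PATH], exc))
             path = ""
         to_csv_list.append(
             (self.computer_name, "opensaveMRU",
              item[VALUE_LAST_WRITE_TIME], "HKEY_USERS",
              item[VALUE_PATH], item[VALUE_NAME],
              item[KEY_VALUE_STR],
              registry_obj.get_str_type(item[VALUE_TYPE]), path))
     with open(
             self.output_dir + "\\" + self.computer_name + "_opensaveMRU" +
             self.rand_ext, "wb") as output:
         csv_writer = get_csv_writer(output)
         write_list_to_csv(to_csv_list, csv_writer)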
Esempio n. 2
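 def __get_powerpoint_mru(self, str_powerpoint_mru):
     """Extract the PowerPoint MRU entries of every user hive.

     Reads every entry under ``str_powerpoint_mru`` in HKEY_USERS, skips the
     ``MRUListEx`` value, decodes each remaining value as a serialized item
     ID list (PIDL) and resolves it to a path.

     The value data is read from the registry of the host being examined,
     so it must be treated as untrusted: data that is not a well-formed PIDL
     makes ``shell.StringAsPIDL`` raise. Such a value is logged and kept in
     the result with an empty ``ATTR_DATA`` column, so that one bad entry
     does not discard the rows collected for all the others.

     Args:
         str_powerpoint_mru: registry key path, passed unchanged to
             ``self._get_list_from_registry_key``.

     Returns:
         A list of 9-tuples; the first one is the CSV header row.
     """
     # TODO : Win XP
     # NOTE(review): Office MRU values are commonly plain strings rather than
     # serialized item ID lists -- confirm that PIDL decoding fits this key.
     self.logger.info("Extracting PowerPoint MRU")
     hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_powerpoint_mru)
     to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE",
                     "ATTR_TYPE", "ATTR_DATA")]
     for item in hive_list:
         # Only registry values are of interest; MRUListEx is not decoded.
         if item[KEY_VALUE_STR] != 'VALUE' or item[VALUE_NAME] == "MRUListEx":
             continue
         try:
             pidl = shell.StringAsPIDL(item[VALUE_DATA])
             path = shell.SHGetPathFromIDList(pidl)
         except Exception as exc:
             # Best effort per value. The exception type raised by the shell
             # calls is not importable from the names visible in this block,
             # hence the broad catch; the failure is always logged.
             # %r keeps control characters from the registry out of the log.
             self.logger.info(
                 "Could not decode PowerPointMRU value %r under %r: %r"
                 % (item[VALUE_NAME], item[VALUE_PATH], exc))
             path = ""
         to_csv_list.append((self.computer_name,
                             "PowerPointMRU",
                             item[VALUE_LAST_WRITE_TIME],
                             "HKEY_USERS",
                             item[VALUE_PATH],
                             item[VALUE_NAME],
                             item[KEY_VALUE_STR],
                             registry_obj.get_str_type(item[VALUE_TYPE]), path))
     return to_csv_list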
Esempio n. 3
 def _rtPIDL(self, pidl):
     """Check that *pidl* survives a serialize/parse round trip.

     The PIDL is serialized with ``shell.PIDLAsString``, parsed back with
     ``shell.StringAsPIDL`` and compared with the input; the parsed result is
     then serialized again and compared with the first serialization.
     """
     serialized = shell.PIDLAsString(pidl)
     restored = shell.StringAsPIDL(serialized)
     # Parsing must give back exactly the structure that was serialized.
     self.assertEqual(restored, pidl)
     # Serializing the parsed structure must reproduce the same bytes.
     self.assertEqual(shell.PIDLAsString(restored), serialized)
Esempio n. 4
 def _rtPIDL(self, pidl):
     """Check that *pidl* survives a serialize/parse round trip.

     The PIDL is serialized with ``shell.PIDLAsString``, parsed back with
     ``shell.StringAsPIDL`` and compared with the input; the parsed result is
     then serialized again and compared with the first serialization.
     """
     serialized = shell.PIDLAsString(pidl)
     restored = shell.StringAsPIDL(serialized)
     # Parsing must give back exactly the structure that was serialized.
     assert restored == pidl
     # Serializing the parsed structure must reproduce the same bytes.
     assert shell.PIDLAsString(restored) == serialized
Esempio n. 5
 def testBadShortPIDL(self):
     """A serialized PIDL with a too-short child element must be rejected.

     The input is three bytes: 0x01 0x00 followed by a single 0x01. The
     parser is expected to raise ``ValueError`` rather than accept it.
     """
     # Layout of the malformed input:   cb    pidl   cb
     truncated = str2bytes("\01\00"  "\1")
     with pytest.raises(ValueError):
         shell.StringAsPIDL(truncated)