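def UserAssist_F4E():
    """Parse the UserAssist ``{F4E57C4B-...}\\Count`` key of the NTUSER hive.

    Value names are ROT13-encoded and may start with a known-folder GUID,
    which ``decode.GUID_to_display_name`` maps to a display name.  The value
    data is read at the offsets of the record layout used since Windows 7:
    run count at bytes 4..8 and the last-run FILETIME at bytes 60..68.

    Returns:
        A list of ``[program_name, run_count, last_executed_time]`` rows.
        ``last_executed_time`` is ``None`` for the ``UEME_CTLSESSION``
        session counter, for an all-zero timestamp, or for a record too
        short to hold one (older, shorter record layouts).  ``None`` is
        returned if the hive or key could not be parsed.
    """
    path = (
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\"
        "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count"
    )
    try:
        registry = Registry.Registry(NTUSER)
        key = registry.open(path)
        result = []
        for v in key.values():
            program_name = decode.GUID_to_display_name(decode.ROT13(v.name()))
            data = v.value()
            run_count = int.from_bytes(data[4:8], byteorder="little", signed=False)
            stamp = data[60:68]
            # A truncated record would otherwise hand a short slice to
            # convert_time and abort the whole parse; report it as "no time".
            if (
                len(stamp) < 8
                or stamp == b"\x00\x00\x00\x00\x00\x00\x00\x00"
                or program_name == "UEME_CTLSESSION"
            ):
                last_executed_time = None
            else:
                last_executed_time = decode.convert_time(stamp)
            result.append([program_name, run_count, last_executed_time])
        return result
    except Exception as exc:
        # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
        # still propagate; the cause is printed instead of being swallowed.
        print(
            "Error while parsing UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}:",
            exc,
        )
        return None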
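def others():
    """Collect host-level identifiers from the SYSTEM and SOFTWARE hives.

    Reads, in this order:
      * ``ControlSet00n\\Control\\ComputerName\\ComputerName`` -> ``ComputerName``
      * ``Microsoft\\Windows NT\\CurrentVersion\\Winlogon`` ->
        ``DefaultUserName`` and ``LastUsedUsername``
      * ``ControlSet00n\\Control\\Windows`` -> ``ShutdownTime`` (FILETIME,
        converted with ``decode.convert_time``)

    A value that is absent stays ``None``.  Unlike the sibling parsers this
    function does not swallow errors: a missing key raises whatever
    ``Registry.open`` raises.

    Returns:
        ``[computer_name, default_user_name, last_used_user_name, shutdown_time]``
    """
    computer_name = None
    default_user_name = None
    last_used_user_name = None
    shutdown_time = None

    # Two keys come from the SYSTEM hive; parse the file once and reuse the
    # object instead of re-reading the hive for the second key.
    system = Registry.Registry(SYSTEM)

    key = system.open(ControlSet00n + "\\Control\\ComputerName\\ComputerName")
    for v in key.values():
        if v.name() == "ComputerName":
            computer_name = v.value()

    software = Registry.Registry(SOFTWARE)
    key = software.open("Microsoft\\Windows NT\\CurrentVersion\\Winlogon")
    for v in key.values():
        if v.name() == "DefaultUserName":
            default_user_name = v.value()
        elif v.name() == "LastUsedUsername":
            last_used_user_name = v.value()

    key = system.open(ControlSet00n + "\\Control\\Windows")
    for v in key.values():
        if v.name() == "ShutdownTime":
            shutdown_time = decode.convert_time(v.value())

    return [computer_name, default_user_name, last_used_user_name, shutdown_time]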
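def BAM():
    """Parse Background Activity Moderator (BAM) execution records.

    Walks ``ControlSet00n\\Services\\bam\\State\\UserSettings\\<SID>`` in the
    hive opened from ``sys_reg``.  Under each SID subkey every value other
    than ``Version`` and ``SequenceNumber`` is named after an executable path
    and begins with the FILETIME of its last execution.

    Returns:
        A list of ``[sid, program_path, last_executed]`` rows.  A value too
        short to hold an 8-byte FILETIME yields ``None`` as ``last_executed``
        rather than passing a truncated slice to ``decode.convert_time``.

    Raises:
        Whatever ``Registry.open`` raises when neither BAM key exists.
    """
    # NOTE(review): this parser opens ``sys_reg`` while the sibling parsers
    # use ``SYSTEM``; confirm both names refer to the same hive file.
    registry = Registry.Registry(sys_reg)
    path = ControlSet00n + "\\Services\\bam\\State\\UserSettings"
    try:
        key = registry.open(path)
    except Exception:
        # Builds that predate the ``State`` subkey keep the same layout
        # directly under ``bam\\UserSettings``; try it so older images are not
        # reported as having no BAM data.  Caught broadly on purpose: only the
        # fallback is attempted, and if that is absent too the second open
        # raises on its own.
        key = registry.open(ControlSet00n + "\\Services\\bam\\UserSettings")

    result = []
    # Use the subkey objects directly instead of re-opening each SID by a
    # string path built from its name.
    for sid_key in key.subkeys():
        sid = sid_key.name()
        for v in sid_key.values():
            if v.name() in ("Version", "SequenceNumber"):
                continue
            data = v.value()
            last_executed = decode.convert_time(data[0:8]) if len(data) >= 8 else None
            result.append([sid, v.name(), last_executed])
    return result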
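def UserAssist_CEB():
    """Parse the UserAssist ``{CEBFF5CD-...}\\Count`` key of the NTUSER hive.

    Same record handling as ``UserAssist_F4E``: value names are ROT13-encoded
    and GUID prefixes are mapped via ``decode.GUID_to_display_name``; the run
    count is read from bytes 4..8 and the last-run FILETIME from bytes 60..68
    of the value data (the layout used since Windows 7).

    Error handling now matches ``UserAssist_F4E`` and ``user_account``: a
    parse failure is reported on stdout and ``None`` is returned instead of
    an exception escaping to the caller.

    Returns:
        A list of ``[program_name, run_count, last_executed_time]`` rows, with
        ``last_executed_time`` ``None`` for the ``UEME_CTLSESSION`` counter,
        an all-zero timestamp, or a record too short to hold one; ``None``
        if the hive or key could not be parsed.
    """
    path = (
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\"
        "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count"
    )
    try:
        registry = Registry.Registry(NTUSER)
        key = registry.open(path)
        result = []
        for v in key.values():
            program_name = decode.GUID_to_display_name(decode.ROT13(v.name()))
            data = v.value()
            run_count = int.from_bytes(data[4:8], byteorder="little", signed=False)
            stamp = data[60:68]
            # A truncated record would otherwise hand a short slice to
            # convert_time and abort the whole parse; report it as "no time".
            if (
                len(stamp) < 8
                or stamp == b"\x00\x00\x00\x00\x00\x00\x00\x00"
                or program_name == "UEME_CTLSESSION"
            ):
                last_executed_time = None
            else:
                last_executed_time = decode.convert_time(stamp)
            result.append([program_name, run_count, last_executed_time])
        return result
    except Exception as exc:
        print(
            "Error while parsing UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}:",
            exc,
        )
        return None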
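def _sam_v_string(V, offset_pos):
    """Return the UTF-16LE string that the ``V`` header at ``offset_pos`` points to.

    Each string field of a SAM ``V`` value is described by a 4-byte offset
    followed by a 4-byte length; the offset is relative to the end of the
    0xCC-byte header.
    """
    offset = int.from_bytes(V[offset_pos:offset_pos + 4], byteorder="little") + 0xCC
    length = int.from_bytes(V[offset_pos + 4:offset_pos + 8], byteorder="little")
    # The strings carry no BOM, so the byte order must be stated explicitly:
    # plain "utf-16" guesses the order and would also strip a leading U+FEFF.
    # Malformed bytes are replaced rather than aborting the whole hive.
    return V[offset:offset + length].decode("utf-16-le", errors="replace")


def user_account():
    """Parse local accounts from the SAM hive.

    For every RID subkey under ``SAM\\Domains\\Account\\Users`` (``Names`` is
    skipped) the fixed-layout ``F`` value supplies timestamps, the RID and
    the logon counters, and the variable-layout ``V`` value supplies the
    UTF-16LE strings addressed by (offset, length) pairs in its header.  The
    account creation time is taken from the last-write timestamp of the
    matching ``Names\\<account_name>`` subkey.

    Timestamps from ``F`` are passed to ``decode.convert_time`` unchanged;
    whether an all-zero FILETIME (never logged in / never expires) comes
    back as an epoch value or ``None`` depends on that helper.

    Returns:
        A list of rows
        ``[rid_key_name, rid, last_login, last_password_change, expires_on,
        last_incorrect_password, logon_failure_count, logon_success_count,
        account_name, complete_account_name, comment, homedir, created]``.
        ``created`` is ``None`` when no ``Names`` entry matches the account
        name, so every row has the same length.  ``None`` is returned if the
        hive could not be parsed.
    """
    try:
        registry = Registry.Registry(SAM)
        users_path = "SAM\\Domains\\Account\\Users"
        users_key = registry.open(users_path)

        accounts = []
        for rid_key in users_key.subkeys():
            r = rid_key.name()
            if r == "Names":
                continue
            rid = None
            last_login_t = None
            last_password_change_t = None
            expires_on_t = None
            last_incorrect_password_t = None
            logon_failure_count = None
            logon_success_count = None
            account_name = None
            complete_account_name = None
            comment = None
            homedir = None
            for v in rid_key.values():
                if v.name() == "F":
                    F = v.value()
                    last_login_t = decode.convert_time(F[8:16])
                    last_password_change_t = decode.convert_time(F[24:32])
                    expires_on_t = decode.convert_time(F[32:40])
                    last_incorrect_password_t = decode.convert_time(F[40:48])
                    rid = int.from_bytes(F[48:52], byteorder="little")
                    logon_failure_count = int.from_bytes(
                        F[64:66], byteorder="little", signed=False
                    )
                    logon_success_count = int.from_bytes(
                        F[66:68], byteorder="little", signed=False
                    )
                elif v.name() == "V":
                    V = v.value()
                    account_name = _sam_v_string(V, 12)
                    complete_account_name = _sam_v_string(V, 24)
                    comment = _sam_v_string(V, 36)
                    homedir = _sam_v_string(V, 72)
            accounts.append([
                r,
                rid,
                last_login_t,
                last_password_change_t,
                expires_on_t,
                last_incorrect_password_t,
                logon_failure_count,
                logon_success_count,
                account_name,
                complete_account_name,
                comment,
                homedir,
            ])

        # Account creation time: last-write timestamp of Names\<account_name>.
        names_key = registry.open(users_path + "\\Names")
        created = {
            n.name(): n.timestamp().strftime("%Y-%m-%d %H:%M:%S")
            for n in names_key.subkeys()
        }
        for a in accounts:
            # Always append so rows are uniform; None when no Names entry matches.
            a.append(created.get(a[8]))
        return accounts
    except Exception as exc:
        # Narrowed from a bare ``except:`` and the cause is reported instead
        # of being swallowed.
        print("Error while parsing user accounts:", exc)
        return None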