def testProcessWindows10Creator(self): """Tests the Process function for Windows 10 Creator AppCompatCache data.""" test_file_entry = TestFileEntry('SYSTEM-Windows10-Creator') registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061', self._TEST_DATA_10_CREATOR) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.NAME) self.assertEqual(storage_writer.number_of_events, 1) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'date_time': '2017-03-16 22:56:01.2487145', 'data_type': 'windows:registry:appcompatcache', 'entry_index': 1, 'key_path': self._TEST_KEY_PATH, 'path': ('C:\\Program Files (x86)\\NVIDIA Corporation\\3D Vision\\' 'nvstreg.exe') } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindows7(self): """Tests the Process function for Windows 7 AppCompatCache data.""" test_file_entry = self._GetTestFileEntry(['SYSTEM']) key_path = ('HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\' 'Session Manager\\AppCompatCache') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.NAME) self.assertEqual(storage_writer.number_of_events, 330) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'date_time': '2012-04-04 01:46:37.9329644', 'data_type': 'windows:registry:appcompatcache', 'entry_index': 10, # This should just be the plugin name, as we're invoking it directly, # and not through the parser. 'parser': plugin.NAME, 'path': '\\??\\C:\\Windows\\PSEXESVC.EXE' } self.CheckEventValues(storage_writer, events[9], expected_event_values)
def testProcessWindows10(self): """Tests the Process function for Windows 10 AppCompatCache data.""" test_file_entry = TestFileEntry('SYSTEM-Windows10') registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061', self._TEST_DATA_10) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.NAME) self.assertEqual(storage_writer.number_of_events, 1) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'date_time': '2014-09-22 06:42:39.0000000', 'data_type': 'windows:registry:appcompatcache', 'entry_index': 1, 'key_path': self._TEST_KEY_PATH, 'path': 'C:\\Windows\\system32\\MpSigStub.exe' } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindows2003(self): """Tests the Process function for Windows 2003 AppCompatCache data.""" test_file_entry = TestFileEntry('SYSTEM-Windows2003') registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061', self._TEST_DATA_2003) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.NAME) self.assertEqual(storage_writer.number_of_events, 1) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'date_time': '2003-03-24 20:32:18.0000000', 'data_type': 'windows:registry:appcompatcache', 'entry_index': 1, 'key_path': self._TEST_KEY_PATH, 'path': ('\\??\\C:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\ngen.exe' ) } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindowsVista(self): """Tests the Process function for Windows Vista AppCompatCache data.""" test_file_entry = TestFileEntry('SYSTEM-Vista') registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061', self._TEST_DATA_VISTA) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.NAME) self.assertEqual(storage_writer.number_of_events, 1) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'date_time': '2006-11-02 12:35:24.7041218', 'data_type': 'windows:registry:appcompatcache', 'entry_index': 1, 'key_path': self._TEST_KEY_PATH, 'path': '\\??\\C:\\Windows\\SYSTEM32\\WISPTIS.EXE' } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindows10(self): """Tests the Process function for Windows 10 AppCompatCache data.""" test_file_entry = TestFileEntry('SYSTEM-Windows10') registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061', self._TEST_DATA_10) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.plugin_name) self.assertEqual(storage_writer.number_of_errors, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event_index = 0 event = events[event_index] expected_path = 'C:\\Windows\\system32\\MpSigStub.exe' expected_message = '[{0:s}] Cached entry: {1:d} Path: {2:s}'.format( event.key_path, event_index + 1, expected_path) expected_short_message = 'Path: {0:s}'.format(expected_path) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcessWindowsXP(self): """Tests the Process function for Windows XP AppCompatCache data.""" test_file_entry = TestFileEntry('SYSTEM-XP') registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061', self._TEST_DATA_XP) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.NAME) self.assertEqual(storage_writer.number_of_events, 2) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'date_time': '2004-08-04 14:00:00.0000000', 'data_type': 'windows:registry:appcompatcache', 'entry_index': 1, 'key_path': self._TEST_KEY_PATH, 'path': '\\??\\C:\\WINDOWS\\system32\\hticons.dll' } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindows10Creator(self): """Tests the Process function for Windows 10 Creator AppCompatCache data.""" test_file_entry = TestFileEntry('SYSTEM-Windows10-Creator') registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061', self._TEST_DATA_10_CREATOR) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.plugin_name) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event_index = 0 event = events[event_index] expected_path = ( 'C:\\Program Files (x86)\\NVIDIA Corporation\\3D Vision\\nvstreg.exe' ) expected_message = '[{0:s}] Cached entry: {1:d} Path: {2:s}'.format( event.key_path, event_index + 1, expected_path) expected_short_message = 'Path: {0:s}'.format(expected_path) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcessWindows2003(self): """Tests the Process function for Windows 2003 AppCompatCache data.""" test_file_entry = TestFileEntry('SYSTEM-Windows2003') registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061', self._TEST_DATA_2003) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.plugin_name) self.assertEqual(storage_writer.number_of_errors, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event_index = 0 event = events[event_index] expected_path = ( '\\??\\C:\\WINDOWS\\Microsoft.NET\\Framework\\v1.1.4322\\ngen.exe') expected_message = '[{0:s}] Cached entry: {1:d} Path: {2:s}'.format( event.key_path, event_index + 1, expected_path) expected_short_message = 'Path: {0:s}'.format(expected_path) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcessWindowsVista(self): """Tests the Process function for Windows Vista AppCompatCache data.""" test_file_entry = TestFileEntry('SYSTEM-Vista') registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061', self._TEST_DATA_VISTA) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.plugin_name) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event_index = 0 event = events[event_index] event_data = self._GetEventDataOfEvent(storage_writer, event) expected_path = '\\??\\C:\\Windows\\SYSTEM32\\WISPTIS.EXE' expected_message = '[{0:s}] Cached entry: {1:d} Path: {2:s}'.format( event_data.key_path, event_index + 1, expected_path) expected_short_message = 'Path: {0:s}'.format(expected_path) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcessWindows7(self): """Tests the Process function for Windows 7 AppCompatCache data.""" test_file_entry = self._GetTestFileEntry(['SYSTEM']) key_path = ( 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\' 'Session Manager\\AppCompatCache') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.plugin_name) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 330) events = list(storage_writer.GetEvents()) event_index = 9 event = events[event_index] self.CheckTimestamp(event.timestamp, '2012-04-04 01:46:37.932964') self.assertEqual(event.pathspec, test_file_entry.path_spec) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event.parser, plugin.plugin_name) expected_path = '\\??\\C:\\Windows\\PSEXESVC.EXE' expected_message = '[{0:s}] Cached entry: {1:d} Path: {2:s}'.format( event.key_path, event_index + 1, expected_path) expected_short_message = 'Path: {0:s}'.format(expected_path) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcessWindows8_1(self): """Tests the Process function for Windows 8.1 AppCompatCache data.""" test_file_entry = TestFileEntry('SYSTEM-Windows8.1') registry_key = self._CreateTestKey( '2015-06-15 11:53:37.043061', self._TEST_DATA_8_1) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.NAME) number_of_events = storage_writer.GetNumberOfAttributeContainers('event') self.assertEqual(number_of_events, 1) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'date_time': '2013-08-22 12:35:25.3750709', 'data_type': 'windows:registry:appcompatcache', 'entry_index': 1, 'key_path': self._TEST_KEY_PATH, 'path': 'SYSVOL\\Windows\\System32\\dllhost.exe'} self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessWindows8_0(self): """Tests the Process function for Windows 8.0 AppCompatCache data.""" test_file_entry = TestFileEntry('SYSTEM-Windows8.0') registry_key = self._CreateTestKey('2015-06-15 11:53:37.043061', self._TEST_DATA_8_0) plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry, parser_chain=plugin.plugin_name) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) expected_event_values = { 'data_type': 'windows:registry:appcompatcache', 'entry_index': 1, 'key_path': self._TEST_KEY_PATH, 'path': 'SYSVOL\\Windows\\System32\\wbem\\WmiPrvSE.exe', 'timestamp': '2012-02-18 05:18:23.935000' } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testFilters(self): """Tests the FILTERS class attribute.""" plugin = appcompatcache.AppCompatCacheWindowsRegistryPlugin() key_path = ('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\' 'Session Manager\\AppCompatibility') self._AssertFiltersOnKeyPath(plugin, key_path) key_path = ('HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\' 'Session Manager\\AppCompatCache') self._AssertFiltersOnKeyPath(plugin, key_path) self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')