def testProcess(self):
    """Tests Process on the LastVisitedPidlMRU key of a Windows 7 hive.

    The key is read from the NTUSER-WIN7.DAT test file and handed straight
    to the plugin. The run must produce no warnings and 31 events, and the
    event at index 30 must carry the expected MRUListEx values.
    """
    mru_key_path = (
        'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
        'Explorer\\ComDlg32\\LastVisitedPidlMRU')

    ntuser_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
    registry = self._GetWinRegistryFromFileEntry(ntuser_entry)
    mru_key = registry.GetKeyByPath(mru_key_path)

    mru_plugin = (
        mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin())
    writer = self._ParseKeyWithPlugin(
        mru_key, mru_plugin, file_entry=ntuser_entry)

    self.assertEqual(writer.number_of_warnings, 0)
    self.assertEqual(writer.number_of_events, 31)

    extracted_events = list(writer.GetEvents())

    # A MRUListEx event. Each "Index: N [MRU Value M]" group below pairs a
    # path string (an executable name or a GUID) with the shell item path
    # stored next to it; the groups are separated by a single space.
    entries_text = (
        'Index: 1 [MRU Value 1]: Path: chrome.exe, '
        'Shell item path: <Users Libraries> <UNKNOWN: 0x00> '
        '<UNKNOWN: 0x00> <UNKNOWN: 0x00> '
        'Index: 2 [MRU Value 7]: '
        'Path: {48E1ED6B-CF49-4609-B1C1-C082BFC3D0B4}, '
        'Shell item path: <Shared Documents Folder (Users Files)> '
        '<UNKNOWN: 0x00>\\Alloy Research '
        'Index: 3 [MRU Value 6]: '
        'Path: {427865A0-03AF-4F25-82EE-10B6CB1DED3E}, '
        'Shell item path: <Users Libraries> <UNKNOWN: 0x00> '
        '<UNKNOWN: 0x00> '
        'Index: 4 [MRU Value 5]: '
        'Path: {24B5C9BB-48B5-47FF-8343-40481DBA1E2B}, '
        'Shell item path: <My Computer> C:\\Users\\nfury\\Documents '
        'Index: 5 [MRU Value 4]: '
        'Path: {0B8CFE96-DB69-4D33-8E3C-36EAB4F709E0}, '
        'Shell item path: <My Computer> C:\\Users\\nfury\\Documents\\'
        'Alloy Research '
        'Index: 6 [MRU Value 3]: '
        'Path: {D4F85F66-003D-4127-BCE9-CAD7A57B2857}, '
        'Shell item path: <Users Libraries> <UNKNOWN: 0x00> '
        '<UNKNOWN: 0x00> '
        'Index: 7 [MRU Value 0]: Path: iexplore.exe, '
        'Shell item path: <My Computer> P:\\Application Tools\\'
        'Firefox 6.0 '
        'Index: 8 [MRU Value 2]: Path: Skype.exe, '
        'Shell item path: <Users Libraries> <UNKNOWN: 0x00>')

    expected_values = {
        'data_type': 'windows:registry:mrulistex',
        'entries': entries_text,
        'key_path': mru_key_path,
        # The plugin is invoked directly rather than through the parser,
        # so the parser value is expected to be the plugin name alone.
        'parser': mru_plugin.plugin_name,
        'timestamp': '2012-04-01 13:52:38.966290',
    }

    # Index 30 is the last of the 31 events asserted above.
    checked_event = extracted_events[30]
    self.CheckEventValues(writer, checked_event, expected_values)
def testFilters(self):
    """Tests which key paths the plugin's FILTERS class attribute matches.

    The LastVisitedPidlMRU key path must pass the filters, while an
    unrelated HKEY_LOCAL_MACHINE path must not.
    """
    matching_key_path = (
        'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
        'Explorer\\ComDlg32\\LastVisitedPidlMRU')
    unrelated_key_path = 'HKEY_LOCAL_MACHINE\\Bogus'

    mru_plugin = (
        mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin())

    # Positive case first, then the negative case, so that a filter which
    # accepts every path is caught as well as one that accepts none.
    self._AssertFiltersOnKeyPath(mru_plugin, matching_key_path)
    self._AssertNotFiltersOnKeyPath(mru_plugin, unrelated_key_path)