def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the UserAssist information from a NTUSER.DAT Registry file.'
))
argument_parser.add_argument(
'--codepage',
dest='codepage',
action='store',
metavar='CODEPAGE',
default='cp1252',
help='the codepage of the extended ASCII strings.')
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a NTUSER.DAT Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = userassist.UserAssistCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(scanner.registry)
if not result:
print('No UserAssist key found.')
else:
guid = None
for user_assist_entry in collector_object.user_assist_entries:
if user_assist_entry.guid != guid:
print('GUID\t\t: {0:s}'.format(user_assist_entry.guid))
guid = user_assist_entry.guid
print('Name\t\t: {0:s}'.format(user_assist_entry.name))
print('Original name\t: {0:s}'.format(
user_assist_entry.value_name))
print('')
output_writer.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the services information from a SYSTEM Registry file.'))
argument_parser.add_argument(
'--all',
dest='all_control_sets',
action='store_true',
default=False,
help=(
'Process all control sets instead of only the current control set.'
))
argument_parser.add_argument(
'--diff',
dest='diff_control_sets',
action='store_true',
default=False,
help='Only list differences between control sets.')
argument_parser.add_argument('--tsv',
dest='use_tsv',
action='store_true',
default=False,
help='Use tab separated value (TSV) output.')
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SYSTEM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
collector_object = services.WindowsServicesCollector(debug=options.debug)
output_writer_object = StdoutWriter(use_tsv=options.use_tsv)
if not output_writer_object.Open():
print('Unable to open output writer.')
print('')
return False
try:
if options.diff_control_sets:
has_results = collector_object.Compare(scanner.registry,
output_writer_object)
else:
has_results = False
for windows_service in collector_object.Collect(
scanner.registry,
all_control_sets=options.all_control_sets):
output_writer_object.WriteWindowsService(windows_service)
has_results = True
finally:
output_writer_object.Close()
if not has_results:
print('No Services key found.')
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts Windows Event Log providers from the Windows Registry.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SOFTWARE or SYSTEM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
collector_object = eventlog_providers.EventLogProvidersCollector(
debug=options.debug)
output_writer_object = StdoutWriter()
if not output_writer_object.Open():
print('Unable to open output writer.')
print('')
return False
try:
has_results = False
for eventlog_provider in collector_object.Collect(scanner.registry):
output_writer_object.WriteEventLogProvider(eventlog_provider)
has_results = True
finally:
output_writer_object.Close()
if not has_results:
print('No Windows Event Log providers found.')
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts time zone information for the Windows Registry.'))
argument_parser.add_argument(
'-d', '--debug', dest='debug', action='store_true', default=False,
help='enable debug output.')
argument_parser.add_argument(
'--csv', dest='csv_file', action='store', metavar='time_zones.csv',
default=None, help='path of the CSV file to write to.')
argument_parser.add_argument(
'source', nargs='?', action='store', metavar='PATH', default=None,
help=(
'path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SOFTWARE Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(
level=logging.INFO, format='[%(levelname)s] %(message)s')
if options.csv_file:
output_writer_object = CSVFileWriter(options.csv_file)
else:
output_writer_object = StdoutWriter()
if not output_writer_object.Open():
print('Unable to open output writer.')
print('')
return False
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(
options.source, options=volume_scanner_options):
print(('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = time_zones.TimeZonesCollector(debug=options.debug)
result = collector_object.Collect(scanner.registry, output_writer_object)
if not result:
print('No "Time Zones" key found.')
output_writer_object.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts Application Compatibility Cache information from '
'a SYSTEM Registry file.'))
argument_parser.add_argument(
'--all',
dest='all_control_sets',
action='store_true',
default=False,
help=(
'Process all control sets instead of only the current control set.'
))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SYSTEM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
try:
collector_object = appcompatcache.AppCompatCacheCollector(
debug=options.debug, output_writer=output_writer)
# TODO: change collector to generate AppCompatCacheCachedEntry
has_results = collector_object.Collect(
scanner.registry, all_control_sets=options.all_control_sets)
if has_results:
for cached_entry in collector_object.cached_entries:
output_writer.WriteFiletimeValue(
'Last modification time',
cached_entry.last_modification_time)
output_writer.WriteValue('Path', cached_entry.path)
output_writer.WriteText('\n')
finally:
output_writer.Close()
if not has_results:
print('No application compatibility cache entries found.')
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the cached credentials from a SECURITY Registry file.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help=('enable debug output.'))
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SECURITY and SYSTEM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
if scanner.IsSingleFileRegistry():
print('Both SECURITY and SYSYEM Registry files are required.')
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = cached_credentials.CachedCredentialsKeyCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(scanner.registry)
if not result:
print('No Cache key found.')
else:
output_writer.WriteText('\n')
output_writer.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the shell folder class identifiers from the Windows Registry.'))
argument_parser.add_argument(
'-d', '--debug', dest='debug', action='store_true', default=False,
help='enable debug output.')
argument_parser.add_argument(
'--db', dest='database', action='store', metavar='shellitems.db',
default=None, help='path of the sqlite3 database to write to.')
argument_parser.add_argument(
'-w', '--windows_version', '--windows-version',
dest='windows_version', action='store', metavar='Windows XP',
default=None, help='string that identifies the Windows version.')
argument_parser.add_argument(
'source', nargs='?', action='store', metavar='PATH', default=None,
help=(
'path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SOFTWARE Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
if options.database and not options.windows_version:
print('Windows version missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(
level=logging.INFO, format='[%(levelname)s] %(message)s')
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(
options.source, options=volume_scanner_options):
print(('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = shellfolders.ShellFoldersCollector(
debug=options.debug)
if options.database:
output_writer_object = Sqlite3DatabaseFileWriter(
options.database, options.windows_version)
else:
output_writer_object = StdoutWriter()
if not output_writer_object.Open():
print('Unable to open output writer.')
print('')
return False
try:
has_results = False
for shell_folder in collector_object.Collect(scanner.registry):
output_writer_object.WriteShellFolder(shell_folder)
has_results = True
finally:
output_writer_object.Close()
if not has_results:
print('No shell folder identifiers found.')
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts Most Recently Used information from a NTUSER.DAT Registry '
'file.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a NTUSER.DAT Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = StdoutWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
collector_object = mru.MostRecentlyUsedCollector(
debug=options.debug, output_writer=output_writer)
# TODO: change collector to generate MostRecentlyUsedEntry
result = collector_object.Collect(scanner.registry)
if not result:
print('No Most Recently Used key found.')
else:
for mru_entry in collector_object.mru_entries:
output_writer.WriteValue('Key path', mru_entry.key_path)
output_writer.WriteValue('Value name', mru_entry.value_name)
if mru_entry.string:
output_writer.WriteValue('String', mru_entry.string)
if mru_entry.shell_item_data:
shell_item = pyfwsi.item()
shell_item.copy_from_byte_stream(mru_entry.shell_item_data)
output_writer.WriteShellItem(shell_item)
elif mru_entry.shell_item_list_data:
shell_item_list = pyfwsi.item_list()
shell_item_list.copy_from_byte_stream(
mru_entry.shell_item_list_data)
for shell_item in iter(shell_item_list.items):
output_writer.WriteShellItem(shell_item)
output_writer.WriteText('')
output_writer.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the program cache from a NTUSER.DAT Registry file.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a NTUSER.DAT Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
# TODO: add support to select user.
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
try:
collector_object = programscache.ProgramsCacheCollector(
debug=options.debug, output_writer=output_writer)
# TODO: change collector to generate ProgramCacheEntry
has_results = collector_object.Collect(scanner.registry)
finally:
output_writer.Close()
if not has_results:
print('No program cache entries found.')
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts Security Account Manager information from a SAM Registry '
'file.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SAM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = sam.SecurityAccountManagerCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(scanner.registry)
if not result:
output_writer.WriteText('No Security Account Manager key found.')
output_writer.WriteText('')
else:
for user_account in collector_object.user_accounts:
output_writer.WriteValue('Username', user_account.username)
output_writer.WriteValue('Relative identifier (RID)',
user_account.rid)
output_writer.WriteValue('Primary group identifier',
user_account.primary_gid)
if user_account.full_name:
output_writer.WriteValue('Full name', user_account.full_name)
if user_account.comment:
output_writer.WriteValue('Comment', user_account.comment)
if user_account.user_comment:
output_writer.WriteValue('User comment',
user_account.user_comment)
output_writer.WriteFiletimeValue('Last log-in time',
user_account.last_login_time)
output_writer.WriteFiletimeValue(
'Last password set time', user_account.last_password_set_time)
output_writer.WriteFiletimeValue(
'Account expiration time',
user_account.account_expiration_time)
output_writer.WriteFiletimeValue(
'Last password failure time',
user_account.last_password_failure_time)
output_writer.WriteValue('Number of log-ons',
user_account.number_of_logons)
output_writer.WriteValue('Number of password failures',
user_account.number_of_password_failures)
if user_account.codepage:
output_writer.WriteValue('Codepage', user_account.codepage)
output_writer.WriteText('\n')
output_writer.Close()
return True