def _CreateTestRegistry(self):
  """Creates an in-memory Windows Registry for testing.

  Two fake hive files are mapped: a Security hive that carries the LSA
  policy secret values (PolSecretEncryptionKey and the NL$KM CurrVal) taken
  from the class-level test data, and a System hive that carries the Select
  key plus the Lsa subkeys Data, GBG, JD and Skew1 with fixed class names.
  NOTE(review): the Lsa class names are presumably what the parser under test
  consumes; confirm against the test body that uses this fixture.

  Returns:
    dfwinreg.WinRegistry: Windows Registry for testing.
  """
  registry = dfwinreg_registry.WinRegistry()

  # Security hive.
  security_prefix = 'HKEY_LOCAL_MACHINE\\Security'
  security_file = dfwinreg_fake.FakeWinRegistryFile(
      key_path_prefix=security_prefix)

  cache_key = dfwinreg_fake.FakeWinRegistryKey('Cache')
  security_file.AddKeyByPath('\\', cache_key)

  # Each secret is stored as the single REG_BINARY default value ('') of
  # its key; the payloads come from the class test data constants.
  secret_keys = (
      ('\\Policy', 'PolSecretEncryptionKey', self._POLICY_ENCRYPTION_DATA),
      ('\\Policy\\Secrets\\NL$KM', 'CurrVal', self._NL_KEY_MATERIAL_DATA))
  for parent_path, key_name, secret_data in secret_keys:
    secret_key = dfwinreg_fake.FakeWinRegistryKey(key_name)
    security_file.AddKeyByPath(parent_path, secret_key)
    secret_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
        '', data=secret_data, data_type=dfwinreg_definitions.REG_BINARY))

  security_file.Open(None)
  registry.MapFile(security_prefix, security_file)

  # System hive.
  system_prefix = 'HKEY_LOCAL_MACHINE\\System'
  system_file = dfwinreg_fake.FakeWinRegistryFile(
      key_path_prefix=system_prefix)

  # Select\Current = 1 points at ControlSet001.
  select_key = dfwinreg_fake.FakeWinRegistryKey('Select')
  system_file.AddKeyByPath('\\', select_key)
  select_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
      'Current', data=b'\x01\x00\x00\x00',
      data_type=dfwinreg_definitions.REG_DWORD))

  lsa_path = '\\ControlSet001\\Control\\Lsa'
  lsa_subkeys = (
      ('Data', '902a3f2c'),
      ('GBG', 'c0d054a4'),
      ('JD', '1ae33251'),
      ('Skew1', 'be6a589c'))
  for key_name, class_name in lsa_subkeys:
    lsa_subkey = dfwinreg_fake.FakeWinRegistryKey(
        key_name, class_name=class_name)
    system_file.AddKeyByPath(lsa_path, lsa_subkey)

  system_file.Open(None)
  registry.MapFile(system_prefix, system_file)

  return registry
def _CreateTestKey(self, key_path, time_string):
  """Creates a Network Registry key with two mapped drives for testing.

  The H and Z drive subkeys carry the same set of values; only the
  RemotePath UNC path differs between them.

  Args:
    key_path (str): Windows Registry key path.
    time_string (str): key last written date and time.

  Returns:
    dfwinreg.WinRegistryKey: Windows Registry key.
  """
  filetime = dfdatetime_filetime.Filetime()
  filetime.CopyFromDateTimeString(time_string)

  network_key = dfwinreg_fake.FakeWinRegistryKey(
      'Network', key_path=key_path, last_written_time=filetime.timestamp,
      offset=153)

  big_endian_dword = dfwinreg_definitions.REG_DWORD_BIG_ENDIAN
  string_type = dfwinreg_definitions.REG_SZ

  mapped_drives = (
      ('H', '\\\\acme.local\\Shares\\User_Data\\John.Doe'),
      ('Z', '\\\\secret_computer\\Media'))

  for drive_letter, remote_path in mapped_drives:
    drive_key = dfwinreg_fake.FakeWinRegistryKey(
        drive_letter, last_written_time=filetime.timestamp)
    network_key.AddSubkey(drive_key)

    # Values are added in alphabetical order, matching the on-disk layout.
    drive_values = (
        ('ConnectionType', b'\x00\x00\x00\x01', big_endian_dword),
        ('DeferFlags', b'\x00\x00\x00\x04', big_endian_dword),
        ('ProviderFlags', b'\x00\x00\x00\x01', big_endian_dword),
        ('ProviderName', 'Microsoft Windows Network'.encode('utf_16_le'),
         string_type),
        ('ProviderType', b'\x00\x02\x00\x00', big_endian_dword),
        ('RemotePath', remote_path.encode('utf_16_le'), string_type),
        ('UserName', b'\x00\x00\x00\x00', big_endian_dword))
    for value_name, value_data, data_type in drive_values:
      drive_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
          value_name, data=value_data, data_type=data_type))

  return network_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a Winlogon Registry key for testing.

  The key carries the regular Winlogon configuration values and a Notify
  subkey with two registered event handler subkeys: NavLogon and
  SecretMalware. The latter registers a handler DLL for every Winlogon
  event, which is the kind of entry a parser of this key should surface.

  Args:
    key_path (str): Windows Registry key path.
    time_string (str): key last written date and time.

  Returns:
    dfwinreg.WinRegistryKey: a Windows Registry key.
  """
  filetime = dfdatetime_filetime.Filetime()
  filetime.CopyFromDateTimeString(time_string)

  big_endian_dword = dfwinreg_definitions.REG_DWORD_BIG_ENDIAN
  string_type = dfwinreg_definitions.REG_SZ

  def utf16(text):
    """Encodes text the way REG_SZ data is stored."""
    return text.encode('utf_16_le')

  def add_values(target_key, entries):
    """Adds (name, data, data_type) entries to target_key in order."""
    for value_name, value_data, data_type in entries:
      target_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
          value_name, data=value_data, data_type=data_type))

  winlogon_key = dfwinreg_fake.FakeWinRegistryKey(
      'Winlogon', key_path=key_path, last_written_time=filetime.timestamp,
      offset=153)

  # Winlogon configuration values.
  add_values(winlogon_key, (
      ('AutoAdminLogon', utf16('1'), string_type),
      ('AutoRestartShell', b'\x00\x00\x00\x01', big_endian_dword),
      ('Background', utf16('0 0 0'), string_type),
      ('CachedLogonsCount', utf16('10'), string_type),
      ('DebugServerCommand', utf16('no'), string_type),
      ('DefaultDomainName', utf16(''), string_type),
      ('DefaultUserName', utf16('user'), string_type),
      ('DisableCAD', b'\x00\x00\x00\x01', big_endian_dword),
      ('ForceUnlockLogon', b'\x00\x00\x00\x00', big_endian_dword),
      ('LegalNoticeCaption', utf16(''), string_type),
      ('LegalNoticeText', utf16(''), string_type),
      ('PasswordExpiryWarning', b'\x00\x00\x00\x05', big_endian_dword),
      ('PowerdownAfterShutdown', utf16('0'), string_type),
      ('PreCreateKnownFolders',
       utf16('{A520A1A4-1780-4FF6-BD18-167343C5AF16}'), string_type),
      ('ReportBootOk', utf16('1'), string_type),
      ('Shell', utf16('explorer.exe'), string_type),
      ('ShutdownFlags', b'\x00\x00\x00\x2b', big_endian_dword),
      ('ShutdownWithoutLogon', utf16('0'), string_type),
      ('Userinit', utf16('C:\\Windows\\system32\\userinit.exe'), string_type),
      ('VMApplet', utf16('SystemPropertiesPerformance.exe/pagefile'),
       string_type),
      ('WinStationsDisabled', utf16('0'), string_type)))

  # Registered event handlers live under the Notify subkey.
  notify_key = dfwinreg_fake.FakeWinRegistryKey('Notify')
  winlogon_key.AddSubkey('Notify', notify_key)

  navlogon_key = dfwinreg_fake.FakeWinRegistryKey(
      'NavLogon', last_written_time=filetime.timestamp)
  notify_key.AddSubkey('NavLogon', navlogon_key)
  add_values(navlogon_key, (
      ('DllName', utf16('NavLogon.dll'), string_type),
      ('Logoff', utf16('NavLogoffEvent'), string_type),
      ('StartShell', utf16('NavStartShellEvent'), string_type)))

  secret_malware_key = dfwinreg_fake.FakeWinRegistryKey(
      'SecretMalware', last_written_time=filetime.timestamp)
  notify_key.AddSubkey('SecretMalware', secret_malware_key)
  add_values(secret_malware_key, (
      ('Asynchronous', b'\x00\x00\x00\x00', big_endian_dword),
      ('DllName', utf16('secret_malware.dll'), string_type),
      ('Impersonate', b'\x00\x00\x00\x00', big_endian_dword),
      ('Lock', utf16('secretEventLock'), string_type),
      ('Logoff', utf16('secretEventLogoff'), string_type),
      ('Logon', utf16('secretEventLogon'), string_type),
      ('Shutdown', utf16('secretEventShutdown'), string_type),
      ('SmartCardLogonNotify', utf16('secretEventSmartCardLogonNotify'),
       string_type),
      ('StartShell', utf16('secretEventStartShell'), string_type),
      ('Startup', utf16('secretEventStartup'), string_type),
      ('StopScreenSaver', utf16('secretEventStopScreenSaver'), string_type),
      ('Unlock', utf16('secretEventUnlock'), string_type)))

  return winlogon_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a Session Manager Registry key for testing.

  Every value carries an explicit offset so that tests can check the
  offset reported for an event alongside the decoded data.

  Args:
    key_path (str): Windows Registry key path.
    time_string (str): key last written date and time.

  Returns:
    dfwinreg.WinRegistryKey: a Windows Registry key.
  """
  filetime = dfdatetime_filetime.Filetime()
  filetime.CopyFromString(time_string)

  session_manager_key = dfwinreg_fake.FakeWinRegistryKey(
      u'Session Manager', key_path=key_path,
      last_written_time=filetime.timestamp, offset=153)

  multi_string_type = dfwinreg_definitions.REG_MULTI_SZ
  string_type = dfwinreg_definitions.REG_SZ

  # (value name, text, data type, offset); text is stored as UTF-16 LE.
  value_entries = (
      (u'BootExecute', u'autocheck autochk *\x00', multi_string_type, 123),
      (u'CriticalSectionTimeout', u'2592000', string_type, 153),
      (u'ExcludeFromKnownDlls', u'\x00', multi_string_type, 163),
      (u'GlobalFlag', u'0', string_type, 173),
      (u'HeapDeCommitFreeBlockThreshold', u'0', string_type, 183),
      (u'HeapDeCommitTotalFreeThreshold', u'0', string_type, 203),
      (u'HeapSegmentCommit', u'0', string_type, 213),
      (u'HeapSegmentReserve', u'0', string_type, 223),
      (u'NumberOfInitialSessions', u'2', string_type, 243))

  for value_name, text, data_type, value_offset in value_entries:
    session_manager_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=text.encode(u'utf_16_le'), data_type=data_type,
        offset=value_offset))

  return session_manager_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a TimeZoneInformation Registry key for testing.

  Besides the time zone values, the key carries an unrelated value named
  '1' holding a file path, so that tests can check how a parser treats
  values it does not recognize.

  Args:
    key_path (str): Windows Registry key path.
    time_string (str): key last written date and time.

  Returns:
    dfwinreg.WinRegistryKey: a Windows Registry key.
  """
  filetime = dfdatetime_filetime.Filetime()
  filetime.CopyFromDateTimeString(time_string)

  time_zone_key = dfwinreg_fake.FakeWinRegistryKey(
      'TimeZoneInformation', key_path=key_path,
      last_written_time=filetime.timestamp, offset=153)

  # The only value with an explicit offset.
  time_zone_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
      '1', data='C:\\Downloads\\plaso-static.rar'.encode('utf_16_le'),
      data_type=dfwinreg_definitions.REG_SZ, offset=612))

  big_endian_dword = dfwinreg_definitions.REG_DWORD_BIG_ENDIAN
  binary_type = dfwinreg_definitions.REG_BINARY
  string_type = dfwinreg_definitions.REG_SZ

  # -60 as a big-endian signed DWORD, used for all three bias values.
  minus_sixty = b'\xff\xff\xff\xc4'

  value_entries = (
      ('ActiveTimeBias', minus_sixty, big_endian_dword),
      ('Bias', minus_sixty, big_endian_dword),
      ('DaylightBias', minus_sixty, big_endian_dword),
      ('DaylightName', '@tzres.dll,-321'.encode('utf_16_le'), string_type),
      ('DaylightStart',
       b'\x00\x00\x03\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00',
       binary_type),
      ('DynamicDaylightTimeDisabled', b'\x00\x00\x00\x00', big_endian_dword),
      ('StandardBias', b'\x00\x00\x00\x00', big_endian_dword),
      ('StandardName', '@tzres.dll,-322'.encode('utf_16_le'), string_type),
      ('StandardStart',
       b'\x00\x00\x0A\x00\x05\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00',
       binary_type),
      ('TimeZoneKeyName', 'W. Europe Standard Time'.encode('utf_16_le'),
       string_type))

  for value_name, value_data, data_type in value_entries:
    time_zone_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=value_data, data_type=data_type))

  return time_zone_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a service (driver) Registry key for testing.

  Every value carries an explicit offset so that tests can check the
  offset reported for an event alongside the decoded data.

  Args:
    key_path (str): Windows Registry key path.
    time_string (str): key last written date and time.

  Returns:
    dfwinreg.WinRegistryKey: a Windows Registry key.
  """
  filetime = dfdatetime_filetime.Filetime()
  filetime.CopyFromDateTimeString(time_string)

  driver_key = dfwinreg_fake.FakeWinRegistryKey(
      'TestDriver', key_path=key_path, last_written_time=filetime.timestamp,
      offset=1456)

  dword_type = dfwinreg_definitions.REG_DWORD
  string_type = dfwinreg_definitions.REG_SZ

  # (value name, data, data type, offset).
  value_entries = (
      ('Type', b'\x02\x00\x00\x00', dword_type, 123),
      ('Start', b'\x02\x00\x00\x00', dword_type, 127),
      ('ErrorControl', b'\x01\x00\x00\x00', dword_type, 131),
      ('Group', 'Pnp Filter'.encode('utf_16_le'), string_type, 140),
      ('DisplayName', 'Test Driver'.encode('utf_16_le'), string_type, 160),
      ('DriverPackageId',
       'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode('utf_16_le'),
       string_type, 180),
      ('ImagePath', 'C:\\Dell\\testdriver.sys'.encode('utf_16_le'),
       string_type, 200))

  for value_name, value_data, data_type, value_offset in value_entries:
    driver_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=value_data, data_type=data_type,
        offset=value_offset))

  return driver_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a NetworkList Registry key for testing.

  The key holds two network profiles under Profiles and one unmanaged
  network signature under Signatures\\Unmanaged that refers back to the
  second profile through its ProfileGuid value.

  Args:
    key_path (str): Windows Registry key path.
    time_string (str): key last written date and time.

  Returns:
    dfwinreg.WinRegistryKey: a Windows Registry key.
  """
  filetime = dfdatetime_filetime.Filetime()
  filetime.CopyFromDateTimeString(time_string)

  big_endian_dword = dfwinreg_definitions.REG_DWORD_BIG_ENDIAN
  binary_type = dfwinreg_definitions.REG_BINARY
  string_type = dfwinreg_definitions.REG_SZ

  def utf16(text):
    """Encodes text the way REG_SZ data is stored."""
    return text.encode('utf_16_le')

  def add_values(target_key, entries):
    """Adds (name, data, data_type) entries to target_key in order."""
    for value_name, value_data, data_type in entries:
      target_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
          value_name, data=value_data, data_type=data_type))

  network_list_key = dfwinreg_fake.FakeWinRegistryKey(
      'NetworkList', key_path=key_path, last_written_time=filetime.timestamp,
      offset=153)

  # Profiles: (GUID, DateCreated, DateLastConnected, name, NameType).
  # The date blobs are SYSTEMTIME structures stored as REG_BINARY.
  profiles_key = dfwinreg_fake.FakeWinRegistryKey('Profiles')
  network_list_key.AddSubkey(profiles_key)

  profile_entries = (
      ('{B358E985-4464-4ABD-AF99-7D4A0AF66BB7}',
       b'\xde\x07\x0c\x00\x02\x00\x10\x00\x08\x00\x04\x00\x27\x00\x6a\x00',
       b'\xdf\x07\x01\x00\x02\x00\x1b\x00\x0f\x00\x0f\x00\x1b\x00\xc5\x03',
       'My Awesome Wifi Hotspot', b'\x00\x00\x00\x47'),
      ('{C1C57B58-BFE2-428B-818C-9D69A873AD3D}',
       b'\xde\x07\x05\x00\x02\x00\x06\x00\x11\x00\x02\x00\x13\x00\x1b\x03',
       b'\xde\x07\x05\x00\x02\x00\x06\x00\x11\x00\x07\x00\x36\x00\x0a\x00',
       'Network', b'\x00\x00\x00\x06'))

  for guid, date_created, date_last_connected, name, name_type in (
      profile_entries):
    profile_key = dfwinreg_fake.FakeWinRegistryKey(guid)
    profiles_key.AddSubkey(profile_key)
    add_values(profile_key, (
        ('Category', b'\x00\x00\x00\x00', big_endian_dword),
        ('DateCreated', date_created, binary_type),
        ('DateLastConnected', date_last_connected, binary_type),
        ('Description', utf16(name), string_type),
        ('Managed', b'\x00\x00\x00\x00', big_endian_dword),
        ('NameType', name_type, big_endian_dword),
        ('ProfileName', utf16(name), string_type)))

  # Signatures: one unmanaged network, keyed by its signature hash.
  signatures_key = dfwinreg_fake.FakeWinRegistryKey('Signatures')
  network_list_key.AddSubkey(signatures_key)

  managed_key = dfwinreg_fake.FakeWinRegistryKey('Managed')
  signatures_key.AddSubkey(managed_key)

  unmanaged_key = dfwinreg_fake.FakeWinRegistryKey('Unmanaged')
  signatures_key.AddSubkey(unmanaged_key)

  signature_name = (
      '010103000F0000F0080000000F0000F0E8982FB31F37E52AF30A6575A4898CE667'
      '6E8C2F99C4C5131D84F64BD823E0')
  signature_key = dfwinreg_fake.FakeWinRegistryKey(signature_name)
  unmanaged_key.AddSubkey(signature_key)
  add_values(signature_key, (
      ('DefaultGatewayMac', b'\x00\x50\x56\xea\x6c\xec', binary_type),
      ('Description', utf16('Network'), string_type),
      ('DnsSuffix', utf16('localdomain'), string_type),
      ('FirstNetwork', utf16('Network'), string_type),
      ('ProfileGuid', utf16('{C1C57B58-BFE2-428B-818C-9D69A873AD3D}'),
       string_type),
      ('Source', b'\x00\x00\x00\x08', big_endian_dword)))

  return network_list_key
def _CreateTestRegistry(self):
  """Creates an in-memory Windows Registry for testing.

  A single Software hive is mapped, holding the
  Microsoft\\Windows NT\\CurrentVersion key. The string values are taken
  from the class-level test constants; InstallDate is a fixed REG_DWORD.

  Returns:
    dfwinreg.WinRegistry: Windows Registry for testing.
  """
  key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
  software_file = dfwinreg_fake.FakeWinRegistryFile(
      key_path_prefix=key_path_prefix)

  current_version_key = dfwinreg_fake.FakeWinRegistryKey('CurrentVersion')
  software_file.AddKeyByPath('\\Microsoft\\Windows NT', current_version_key)

  string_type = dfwinreg_definitions.REG_SZ

  # String values sourced from the class test constants, in on-disk order.
  string_values = (
      ('CSDVersion', self._CSD_VERSION),
      ('CurrentBuildNumber', self._CURRENT_BUILD_NUMBER),
      ('CurrentType', self._CURRENT_TYPE),
      ('CurrentVersion', self._CURRENT_VERSION))
  for value_name, text in string_values:
    current_version_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=text.encode('utf-16-le'), data_type=string_type))

  current_version_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
      'InstallDate', data=b'\x47\xc8\xda\x4c',
      data_type=dfwinreg_definitions.REG_DWORD))

  for value_name, text in (
      ('ProductId', self._PRODUCT_IDENTIFIER),
      ('ProductName', self._PRODUCT_NAME)):
    current_version_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=text.encode('utf-16-le'), data_type=string_type))

  # TODO: add more values.

  software_file.Open(None)

  registry = dfwinreg_registry.WinRegistry()
  registry.MapFile(key_path_prefix, software_file)
  return registry
def testGetDataAsObject(self):
  """Tests the GetDataAsObject function."""
  # A value created without data decodes to None.
  registry_value = fake.FakeWinRegistryValue(
      'MRUListEx', data_type=definitions.REG_BINARY)
  self.assertIsNone(registry_value.GetDataAsObject())

  # REG_BINARY data is returned as-is.
  registry_value = fake.FakeWinRegistryValue(
      'MRUListEx', data=b'DATA', data_type=definitions.REG_BINARY)
  self.assertEqual(registry_value.GetDataAsObject(), b'DATA')

  # REG_SZ data is decoded from UTF-16 little-endian.
  registry_value = fake.FakeWinRegistryValue(
      'MRU', data='ValueData'.encode('utf-16-le'),
      data_type=definitions.REG_SZ)
  self.assertEqual(registry_value.GetDataAsObject(), 'ValueData')

  # A str payload (not bytes) for REG_SZ is expected to be rejected.
  registry_value = fake.FakeWinRegistryValue(
      'MRU', data='\xed\x44', data_type=definitions.REG_SZ)
  with self.assertRaises(errors.WinRegistryValueError):
    registry_value.GetDataAsObject()

  # Integer types are decoded with their declared byte order.
  integer_cases = (
      (b'\x11\x22\x33\x44', definitions.REG_DWORD, 0x44332211),
      (b'\x11\x22\x33\x44', definitions.REG_DWORD_BIG_ENDIAN, 0x11223344),
      (b'\x88\x77\x66\x55\x44\x33\x22\x11', definitions.REG_QWORD,
       0x1122334455667788))
  for raw_data, data_type, expected_integer in integer_cases:
    registry_value = fake.FakeWinRegistryValue(
        'Count', data=raw_data, data_type=data_type)
    self.assertEqual(registry_value.GetDataAsObject(), expected_integer)

  # REG_MULTI_SZ without the additional (terminating) empty string.
  registry_value = fake.FakeWinRegistryValue(
      'MRU', data='en-US\x00'.encode('utf-16-le'),
      data_type=definitions.REG_MULTI_SZ)
  self.assertEqual(registry_value.GetDataAsObject(), ['en-US'])

  # REG_MULTI_SZ with the additional empty string: each element is
  # NUL-terminated and the list ends with an extra NUL.
  expected_strings = [
      '.bmp', '.contact', '.jnt', '.library-ms', '.lnk', '.rtf', '.txt',
      '.zip', 'Folder']
  multi_sz_data = ('\x00'.join(expected_strings) + '\x00\x00').encode(
      'utf-16-le')
  registry_value = fake.FakeWinRegistryValue(
      'MRU', data=multi_sz_data, data_type=definitions.REG_MULTI_SZ)
  self.assertEqual(registry_value.GetDataAsObject(), expected_strings)

  # Malformed payloads for the string types raise WinRegistryValueError.
  malformed_cases = (
      ('\xed\x44', definitions.REG_MULTI_SZ),
      (('bogus', 0), definitions.REG_SZ),
      (('bogus', 0), definitions.REG_MULTI_SZ))
  for bad_data, data_type in malformed_cases:
    registry_value = fake.FakeWinRegistryValue(
        'MRU', data=bad_data, data_type=data_type)
    with self.assertRaises(errors.WinRegistryValueError):
      registry_value.GetDataAsObject()
def _CreateTestRegistry(self):
  """Creates Registry keys and values for testing.

  Builds a fake HKEY_LOCAL_MACHINE\\Software hive holding three scheduled
  task registrations under Schedule\\TaskCache: each task has a GUID-named
  key under ...\\Tasks and a name-keyed entry under ...\\Tree whose Id value
  points back at a task GUID.  The three Tasks keys deliberately differ in
  what they carry (DynamicInfo and Path, DynamicInfo only, no values at all)
  so the parser under test is exercised on incomplete registrations too.

  Returns:
    dfwinreg.WinRegistry: Windows Registry for testing.
  """
  tasks_path = (
      '\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks')
  tree_path = (
      '\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\'
      'Microsoft\\Windows')

  key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software'
  registry_file = dfwinreg_fake.FakeWinRegistryFile(
      key_path_prefix=key_path_prefix)

  def _AddKey(parent_path, name):
    """Adds a key named name under parent_path and returns it."""
    key = dfwinreg_fake.FakeWinRegistryKey(name)
    registry_file.AddKeyByPath(parent_path, key)
    return key

  def _AddBinaryValue(key, name, data):
    """Adds a REG_BINARY value with the given raw bytes to key."""
    key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
        name, data=data, data_type=dfwinreg_definitions.REG_BINARY))

  def _AddStringValue(key, name, text):
    """Adds a REG_SZ value holding text encoded as UTF-16-LE to key."""
    key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
        name, data=text.encode('utf-16-le'),
        data_type=dfwinreg_definitions.REG_SZ))

  # Task 1: registered with both DynamicInfo and Path.
  task_key = _AddKey(tasks_path, self._GUID1)
  _AddBinaryValue(task_key, 'DynamicInfo', _DYNAMIC_INFO_DATA)
  _AddStringValue(task_key, 'Path', self._PATH)

  # The Id values carry an explicit trailing NUL, as stored in a real hive.
  tree_key = _AddKey(
      tree_path + '\\Active Directory Rights Management Services Client',
      self._NAME1)
  _AddStringValue(
      tree_key, 'Id', '{8905ECD8-016F-4DC2-90E6-A5F1FA6A841A}\x00')

  # Task 2: DynamicInfo only, no Path value.
  task_key = _AddKey(tasks_path, self._GUID2)
  _AddBinaryValue(task_key, 'DynamicInfo', _DYNAMIC_INFO2_DATA)

  tree_key = _AddKey(tree_path + '\\Location', self._NAME2)
  _AddStringValue(
      tree_key, 'Id', '{F93C7104-998A-4A38-B935-775A3138B3C3}\x00')

  # Task 3: a Tasks key with no values at all.
  _AddKey(tasks_path, self._GUID3)

  tree_key = _AddKey(tree_path + '\\SideShow', self._NAME3)
  _AddStringValue(
      tree_key, 'Id', '{FE7B674F-2430-40A1-9162-AFC3727E3DC3}\x00')

  registry_file.Open(None)

  registry = dfwinreg_registry.WinRegistry()
  registry.MapFile(key_path_prefix, registry_file)
  return registry
def testGetDataAsObject(self):
  """Tests the GetDataAsObject function.

  Runs a table of cases in order; each row names the value, the keyword
  arguments handed to FakeWinRegistryValue and the expected outcome.  An
  expected outcome that is an exception class means GetDataAsObject must
  raise it: malformed value data (a str or tuple instead of bytes) has to
  surface as errors.WinRegistryValueError so that callers parsing hive data
  of unknown provenance can handle every decode failure the same way.
  """
  cases = [
      # REG_BINARY: no data decodes to None, otherwise raw bytes come back.
      ('MRUListEx', {'data_type': definitions.REG_BINARY}, None),
      ('MRUListEx',
       {'data': b'DATA', 'data_type': definitions.REG_BINARY}, b'DATA'),
      # REG_SZ: UTF-16-LE bytes decode to str; a str as data is rejected.
      ('MRU',
       {'data': 'ValueData'.encode('utf-16-le'),
        'data_type': definitions.REG_SZ}, 'ValueData'),
      ('MRU',
       {'data': '\xed\x44', 'data_type': definitions.REG_SZ},
       errors.WinRegistryValueError),
      # Integer types: same 4 bytes little- and big-endian, then 64-bit.
      ('Count',
       {'data': b'\x11\x22\x33\x44', 'data_type': definitions.REG_DWORD},
       0x44332211),
      ('Count',
       {'data': b'\x11\x22\x33\x44',
        'data_type': definitions.REG_DWORD_BIG_ENDIAN}, 0x11223344),
      ('Count',
       {'data': b'\x88\x77\x66\x55\x44\x33\x22\x11',
        'data_type': definitions.REG_QWORD}, 0x1122334455667788),
      # REG_MULTI_SZ: NUL-separated UTF-16-LE strings decode to a list.
      ('MRU',
       {'data': 'Multi\x00String\x00ValueData\x00'.encode('utf-16-le'),
        'data_type': definitions.REG_MULTI_SZ},
       ['Multi', 'String', 'ValueData']),
      ('MRU',
       {'data': '\xed\x44', 'data_type': definitions.REG_MULTI_SZ},
       errors.WinRegistryValueError),
      # A tuple as value data is rejected for both string types.
      ('MRU',
       {'data': ('bogus', 0), 'data_type': definitions.REG_SZ},
       errors.WinRegistryValueError),
      ('MRU',
       {'data': ('bogus', 0), 'data_type': definitions.REG_MULTI_SZ},
       errors.WinRegistryValueError)]

  for value_name, constructor_kwargs, expected in cases:
    # The value is built outside the assertRaises context so that only the
    # decode step, not construction, is allowed to raise.
    registry_value = fake.FakeWinRegistryValue(
        value_name, **constructor_kwargs)
    if isinstance(expected, type):
      with self.assertRaises(expected):
        registry_value.GetDataAsObject()
    elif expected is None:
      self.assertIsNone(registry_value.GetDataAsObject())
    else:
      self.assertEqual(registry_value.GetDataAsObject(), expected)
def _CreateTestRegistry(self):
  """Creates Registry keys and values for testing.

  Builds a fake HKEY_LOCAL_MACHINE\\System hive with a Select\\Current value
  of 1 and a single service, WwanSvc, under ControlSet001\\Services.  The
  service carries the string values a service parser reads (Description,
  DisplayName, ImagePath, ObjectName) plus DWORD Start and Type values.
  ImagePath and ObjectName are the binary path and account that matter most
  when a service entry is triaged for persistence, which is presumably why
  the fixture includes them; confirm against the parser under test.

  Returns:
    dfwinreg.WinRegistry: Windows Registry for testing.
  """
  key_path_prefix = 'HKEY_LOCAL_MACHINE\\System'
  registry_file = dfwinreg_fake.FakeWinRegistryFile(
      key_path_prefix=key_path_prefix)

  def _MakeDwordValue(name, data):
    """Builds a REG_DWORD value from its 4 raw little-endian bytes."""
    return dfwinreg_fake.FakeWinRegistryValue(
        name, data=data, data_type=dfwinreg_definitions.REG_DWORD)

  def _MakeStringValue(name, text):
    """Builds a REG_SZ value holding text encoded as UTF-16-LE."""
    return dfwinreg_fake.FakeWinRegistryValue(
        name, data=text.encode('utf-16-le'),
        data_type=dfwinreg_definitions.REG_SZ)

  # Select\Current = 1 matches the ControlSet001 subtree built below,
  # presumably so a CurrentControlSet lookup resolves to it.
  select_key = dfwinreg_fake.FakeWinRegistryKey('Select')
  registry_file.AddKeyByPath('\\', select_key)
  select_key.AddValue(_MakeDwordValue('Current', b'\x01\x00\x00\x00'))

  services_key = dfwinreg_fake.FakeWinRegistryKey('Services')
  registry_file.AddKeyByPath('\\ControlSet001', services_key)

  service_key = dfwinreg_fake.FakeWinRegistryKey('WwanSvc')
  services_key.AddSubkey('WwanSvc', service_key)

  string_values = (
      ('Description', self._DESCRIPTION),
      ('DisplayName', self._DISPLAY_NAME),
      ('ImagePath', self._IMAGE_PATH),
      ('ObjectName', self._OBJECT_NAME))
  for value_name, text in string_values:
    service_key.AddValue(_MakeStringValue(value_name, text))

  # Start = 3 and Type = 0x20; by the Windows service constants these would
  # be SERVICE_DEMAND_START and SERVICE_WIN32_SHARE_PROCESS -- verify
  # against what the parser's expected output asserts.
  service_key.AddValue(_MakeDwordValue('Start', b'\x03\x00\x00\x00'))
  service_key.AddValue(_MakeDwordValue('Type', b'\x20\x00\x00\x00'))

  registry_file.Open(None)

  registry = dfwinreg_registry.WinRegistry()
  registry.MapFile(key_path_prefix, registry_file)
  return registry