def testGetRootKey(self): """Tests the GetRootKey function.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) registry_key = registry_file.GetRootKey() self.assertIsNotNone(registry_key) self.assertEqual(registry_key.path, '\\') registry_file.Close() path = self._GetTestFilePath(['NTUSER.DAT.LOG']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) root_key = registry_file.GetRootKey() self.assertIsNone(root_key) registry_file.Close()
def testRecurseKeys(self): """Tests the RecurseKeys function.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) registry_keys = list(registry_file.RecurseKeys()) registry_file.Close() self.assertEqual(len(registry_keys), 1597) path = self._GetTestFilePath(['NTUSER.DAT.LOG']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) registry_keys = list(registry_file.RecurseKeys()) registry_file.Close() self.assertEqual(len(registry_keys), 0)
def testCollect(self): """Tests the Collect function.""" test_path = self._GetTestFilePath(['SOFTWARE']) self._SkipIfPathNotExists(test_path) registry = dfwinreg_registry.WinRegistry() with open(test_path, 'rb') as file_object: registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage='cp1252') registry_file.Open(file_object) key_path_prefix = registry.GetRegistryFileMapping(registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) registry.MapFile(key_path_prefix, registry_file) collector_object = msie_zone_info.MSIEZoneInformationCollector() test_results = list(collector_object.Collect(registry)) self.assertEqual(len(test_results), 1724) zone_information = test_results[0] self.assertEqual(zone_information.zone, '0') self.assertEqual(zone_information.zone_name, 'Computer') self.assertEqual(zone_information.control, '1809') self.assertEqual(zone_information.control_value, 3)
def Open(self, path, ascii_codepage=u'cp1252'): """Opens the Windows Registry file specificed by the path. Args: path: string containing the path of the Windows Registry file. The path is a Windows path relative to the root of the file system that contains the specfic Windows Registry file. E.g. C:\\Windows\\System32\\config\\SYSTEM ascii_codepage: optional ASCII string codepage. Returns: The Windows Registry file (instance of WinRegistryFile) or None. """ file_object = self._volume_scanner.OpenFile(path) if file_object is None: return registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage=ascii_codepage) try: registry_file.Open(file_object) except IOError: file_object.close() return return registry_file
def testGetSubkeyByName(self): """Tests the GetSubkeyByName function.""" test_path = self._GetTestFilePath(['NTUSER.DAT']) self._SkipIfPathNotExists(test_path) registry_file = regf.REGFWinRegistryFile( key_path_prefix='HKEY_CURRENT_USER') with open(test_path, 'rb') as file_object: registry_file.Open(file_object) registry_key = registry_file.GetRootKey() key_name = 'Software' sub_registry_key = registry_key.GetSubkeyByName(key_name) self.assertIsNotNone(sub_registry_key) self.assertEqual(sub_registry_key.name, key_name) expected_key_path = 'HKEY_CURRENT_USER\\Software' self.assertEqual(sub_registry_key.path, expected_key_path) key_name = 'Bogus' sub_registry_key = registry_key.GetSubkeyByName(key_name) self.assertIsNone(sub_registry_key) registry_file.Close()
def testPropertiesWindowsXP(self): """Tests the properties functions on a Windows XP NTUSER.DAT file.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) registry_key = registry_file.GetKeyByPath('\\Console') value_name = 'ColorTable14' registry_value = registry_key.GetValueByName(value_name) expected_data = b'\xff\xff\x00\x00' self.assertIsNotNone(registry_value) self.assertEqual(registry_value.data_type, 4) self.assertEqual(registry_value.data_type_string, 'REG_DWORD_LE') self.assertEqual(registry_value.GetDataAsObject(), 65535) self.assertEqual(registry_value.name, value_name) self.assertEqual(registry_value.offset, 29516) self.assertEqual(registry_value.data, expected_data) registry_key = registry_file.GetKeyByPath( '\\AppEvents\\EventLabels\\CriticalBatteryAlarm') value_name = 'DispFileName' registry_value = registry_key.GetValueByName(value_name) expected_data = ( b'@\x00m\x00m\x00s\x00y\x00s\x00.\x00c\x00p\x00l\x00,\x00-\x005\x008' b'\x002\x007\x00\x00\x00') self.assertIsNotNone(registry_value) self.assertEqual(registry_value.data_type, 1) self.assertEqual(registry_value.data_type_string, 'REG_SZ') self.assertEqual(registry_value.GetDataAsObject(), '@mmsys.cpl,-5827') self.assertEqual(registry_value.name, value_name) self.assertEqual(registry_value.offset, 6012) self.assertEqual(registry_value.data, expected_data) registry_key = registry_file.GetKeyByPath( '\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU') value_name = '0' registry_value = registry_key.GetValueByName(value_name) expected_data = ( b'\x14\x00\x1fP\xe0O\xd0 \xea:i\x10\xa2\xd8\x08\x00+00\x9d\x00\x00' ) self.assertIsNotNone(registry_value) self.assertEqual(registry_value.data_type, 3) self.assertEqual(registry_value.data_type_string, 'REG_BINARY') self.assertEqual(registry_value.GetDataAsObject(), expected_data) self.assertEqual(registry_value.name, value_name) self.assertEqual(registry_value.offset, 404596) self.assertEqual(registry_value.data, expected_data) registry_value._pyregf_value = FakePyREGFValue() with self.assertRaises(errors.WinRegistryValueError): _ = registry_value.data registry_file.Close()
def testBuildFindSpecsWithRegistry(self): """Tests the BuildFindSpecs function on Windows Registry sources.""" knowledge_base = knowledge_base_engine.KnowledgeBase() artifact_filter_names = ['TestRegistry', 'TestRegistryValue'] test_filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper( knowledge_base) test_filters_helper.BuildFindSpecs(artifact_filter_names) # There should be 3 Windows Registry find specifications. self.assertEqual( len(test_filters_helper.included_file_system_find_specs), 0) self.assertEqual(len(test_filters_helper.registry_find_specs), 3) file_entry = self._GetTestFileEntry(['SYSTEM']) file_object = file_entry.GetFileObject() registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage='cp1252', emulate_virtual_keys=False) registry_file.Open(file_object) win_registry = dfwinreg_registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) win_registry.MapFile(key_path_prefix, registry_file) searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry) key_paths = list(searcher.Find( find_specs=test_filters_helper.registry_find_specs)) self.assertIsNotNone(key_paths) self.assertEqual(len(key_paths), 8)
def testProcessWindows101(self): """Tests the Process function on a Windows 10 1807 AMCache.hve file.""" test_file_entry = self._GetTestFileEntry(['win10-Amcache.hve']) file_object = test_file_entry.GetFileObject() registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage='cp1252', emulate_virtual_keys=False) registry_file.Open(file_object) registry_key = registry_file.GetKeyByPath('\\Root') plugin = amcache.AMCachePlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_events, 236) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetSortedEvents()) expected_event_values = { 'data_type': 'windows:registry:amcache', 'date_time': '1997-01-10 22:26:24', 'full_path': 'c:\\windows\\system32\\svchost.exe', 'timestamp_desc': definitions.TIME_DESCRIPTION_LINK_TIME } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def _OpenPathSpec(self, path_spec, ascii_codepage=u'cp1252'): """Opens the Windows Registry file specificed by the path specification. Args: path_spec: a path specfication (instance of dfvfs.PathSpec). ascii_codepage: optional ASCII string codepage. The default is cp1252 (or windows-1252). Returns: The Windows Registry file (instance of WinRegistryFile) or None. """ if not path_spec: return file_entry = self._searcher.GetFileEntryByPathSpec(path_spec) if file_entry is None: return file_object = file_entry.GetFileObject() if file_object is None: return registry_file = regf.REGFWinRegistryFile(ascii_codepage=ascii_codepage) try: registry_file.Open(file_object) except IOError as exception: logging.warning( u'Unable to open Windows Registry file with error: {0:s}'.format( exception)) file_object.close() return return registry_file
def testGetSubkeyByIndex(self): """Tests the GetSubkeyByIndex function.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile( key_path_prefix='HKEY_CURRENT_USER') with open(path, 'rb') as file_object: registry_file.Open(file_object) registry_key = registry_file.GetRootKey() key_name = 'AppEvents' sub_registry_key = registry_key.GetSubkeyByIndex(0) self.assertIsNotNone(sub_registry_key) self.assertEqual(sub_registry_key.name, key_name) expected_key_path = 'HKEY_CURRENT_USER\\AppEvents' self.assertEqual(sub_registry_key.path, expected_key_path) with self.assertRaises(IndexError): registry_key.GetSubkeyByIndex(-1) registry_key._pyregf_key = FakePyREGFKey() sub_registry_key = registry_key.GetSubkeyByIndex(0) self.assertIsNone(sub_registry_key) registry_file.Close()
def _OpenPathSpec(self, path_specification, ascii_codepage=u'cp1252'): """Opens the Windows Registry file specified by the path specification. Args: path_specification (dfvfs.PathSpec): path specfication. ascii_codepage (Optional[str]): ASCII string codepage. Returns: WinRegistryFile: Windows Registry file or None. """ if not path_specification: return file_entry = self._file_system.GetFileEntryByPathSpec( path_specification) if file_entry is None: return file_object = file_entry.GetFileObject() if file_object is None: return registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage=ascii_codepage) try: registry_file.Open(file_object) except IOError as exception: logging.warning( u'Unable to open Windows Registry file with error: {0:s}'. format(exception)) file_object.close() return return registry_file
def testGetKeyByPath(self): """Tests the GetKeyByPath function.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) key_path = '\\' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNotNone(registry_key) self.assertEqual(registry_key.path, key_path) key_path = '\\Software' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNotNone(registry_key) self.assertEqual(registry_key.path, key_path) key_path = '\\Bogus' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNone(registry_key) key_path = 'Bogus' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNone(registry_key) registry_file.Close()
def testGetSubkeyByPath(self): """Tests the GetSubkeyByPath function.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile( key_path_prefix='HKEY_CURRENT_USER') with open(path, 'rb') as file_object: registry_file.Open(file_object) registry_key = registry_file.GetRootKey() key_path = 'Software\\Microsoft' sub_registry_key = registry_key.GetSubkeyByPath(key_path) self.assertIsNotNone(sub_registry_key) self.assertEqual(sub_registry_key.name, 'Microsoft') expected_key_path = 'HKEY_CURRENT_USER\\Software\\Microsoft' self.assertEqual(sub_registry_key.path, expected_key_path) key_path = 'Software\\Bogus' sub_registry_key = registry_key.GetSubkeyByPath(key_path) self.assertIsNone(sub_registry_key) registry_file.Close()
def Open(self, path, ascii_codepage='cp1252'): """Opens the Windows Registry file specified by the path. Args: path (str): path of the Windows Registry file. The path is a Windows path relative to the root of the file system that contains the specific Windows Registry file, such as: C:\\Windows\\System32\\config\\SYSTEM ascii_codepage (Optional[str]): ASCII string codepage. Returns: WinRegistryFile: Windows Registry file or None the file does not exist or cannot be opened. """ file_object = self._volume_scanner.OpenFile(path) if file_object is None: return None registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage=ascii_codepage) try: registry_file.Open(file_object) except IOError: file_object.close() return None return registry_file
def testGetValueByName(self): """Tests the GetValueByName function.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) registry_key = registry_file.GetKeyByPath('\\Console') value_name = 'ColorTable14' registry_value = registry_key.GetValueByName(value_name) self.assertIsNotNone(registry_value) self.assertEqual(registry_value.name, value_name) value_name = 'Bogus' registry_value = registry_key.GetValueByName(value_name) self.assertIsNone(registry_value) # Test retrieving the default (or nameless) value. registry_key = registry_file.GetKeyByPath( '\\AppEvents\\EventLabels\\.Default') registry_value = registry_key.GetValueByName('') self.assertIsNotNone(registry_value) self.assertIsNone(registry_value.name) registry_file.Close()
def Collect(self, path, output_writer): """Collects the catalog descriptors from a Windows Registry file. Args: path (str): path to Windows Registry file. output_writer (OutputWriter): output writer. Returns: bool: True if a root key was found, False if not. """ with open(options.source, 'rb') as file_object: try: registry_file = dfwinreg_regf.REGFWinRegistryFile() registry_file.Open(file_object) except IOError: registry_file = None if not registry_file: try: registry_file = dfwinreg_creg.CREGWinRegistryFile() registry_file.Open(file_object) except IOError: registry_file = None if not registry_file: return False root_key = registry_file.GetRootKey() if not root_key: return False return True
def testProperties(self): """Tests the properties functions.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) key_path = '\\Software' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNotNone(registry_key) self.assertIsNone(registry_key.class_name) self.assertEqual(registry_key.name, 'Software') self.assertEqual(registry_key.number_of_subkeys, 7) self.assertEqual(registry_key.number_of_values, 0) self.assertEqual(registry_key.offset, 4372) self.assertEqual(registry_key.path, key_path) self.assertIsNotNone(registry_key.last_written_time) timestamp = registry_key.last_written_time.timestamp self.assertEqual(timestamp, 131205170396534120) registry_key._pyregf_key = FakePyREGFKey() self.assertIsNotNone(registry_key.last_written_time) date_time_string = registry_key.last_written_time.CopyToDateTimeString( ) self.assertEqual(date_time_string, 'Not set') registry_file.Close()
def testCollect(self): """Tests the Collect function.""" test_path = self._GetTestFilePath(['NTUSER.DAT']) self._SkipIfPathNotExists(test_path) registry = dfwinreg_registry.WinRegistry() with open(test_path, 'rb') as file_object: registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage='cp1252') registry_file.Open(file_object) key_path_prefix = registry.GetRegistryFileMapping(registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) registry.MapFile(key_path_prefix, registry_file) test_output_writer = test_lib.TestOutputWriter() collector_object = programscache.ProgramsCacheCollector( output_writer=test_output_writer) result = collector_object.Collect(registry) self.assertTrue(result) test_output_writer.Close()
def testGetDataAsObject(self): """Tests the GetDataAsObject function.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) registry_key = registry_file.GetKeyByPath('\\Console') value_name = 'ColorTable14' registry_value = registry_key.GetValueByName(value_name) registry_value._pyregf_value = FakePyREGFValue(value_type='REG_SZ') with self.assertRaises(errors.WinRegistryValueError): registry_value.GetDataAsObject() registry_value._pyregf_value = FakePyREGFValue( value_type='REG_DWORD_LE') with self.assertRaises(errors.WinRegistryValueError): registry_value.GetDataAsObject() registry_value._pyregf_value = FakePyREGFValue( value_type='REG_MULTI_SZ') with self.assertRaises(errors.WinRegistryValueError): registry_value.GetDataAsObject()
def ParseFileObject(self, parser_mediator, file_object): """Parses a Windows Registry file-like object. Args: parser_mediator (ParserMediator): parser mediator. file_object (dfvfs.FileIO): a file-like object. """ registry_find_specs = getattr( parser_mediator.collection_filters_helper, 'registry_find_specs', None) registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage=parser_mediator.codepage, emulate_virtual_keys=False) try: registry_file.Open(file_object) except IOError as exception: parser_mediator.ProduceExtractionWarning( 'unable to open Windows Registry file with error: {0!s}'. format(exception)) return try: win_registry = dfwinreg_registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping( registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) root_key = registry_file.GetRootKey() if root_key: # For now treat AMCache.hve seperately. if root_key.name.lower() in self._AMCACHE_ROOT_KEY_NAMES: self._ParseRecurseKeys(parser_mediator, root_key) elif not registry_find_specs: self._ParseRecurseKeys(parser_mediator, root_key) elif not self._ARTIFACTS_FILTER_HELPER.CheckKeyCompatibility( key_path_prefix): logger.warning(( 'Artifacts filters are not supported for Windows Registry ' 'file with key path prefix: "{0:s}".' ).format(key_path_prefix)) else: win_registry.MapFile(key_path_prefix, registry_file) # Note that win_registry will close the mapped registry_file. registry_file = None self._ParseKeysFromFindSpecs(parser_mediator, win_registry, registry_find_specs) except IOError as exception: parser_mediator.ProduceExtractionWarning('{0!s}'.format(exception)) finally: if registry_file: registry_file.Close()
def testCollect(self): """Tests the Collect function.""" software_test_path = self._GetTestFilePath(['SOFTWARE']) self._SkipIfPathNotExists(software_test_path) system_test_path = self._GetTestFilePath(['SYSTEM']) self._SkipIfPathNotExists(system_test_path) registry = dfwinreg_registry.WinRegistry() with open(software_test_path, 'rb') as software_file_object: with open(system_test_path, 'rb') as system_file_object: registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage='cp1252') registry_file.Open(software_file_object) key_path_prefix = registry.GetRegistryFileMapping( registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) registry.MapFile(key_path_prefix, registry_file) registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage='cp1252') registry_file.Open(system_file_object) key_path_prefix = registry.GetRegistryFileMapping( registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) registry.MapFile(key_path_prefix, registry_file) collector_object = eventlog_providers.EventLogProvidersCollector( ) test_results = list(collector_object.Collect(registry)) self.assertEqual(len(test_results), 974) eventlog_provider = test_results[0] self.assertIsNone(eventlog_provider.identifier) self.assertIsNone(eventlog_provider.name) self.assertEqual(eventlog_provider.log_sources, ['.NET Runtime']) self.assertEqual(eventlog_provider.log_types, ['Application']) self.assertEqual(eventlog_provider.category_message_files, set()) self.assertEqual(eventlog_provider.event_message_files, set(['C:\\Windows\\System32\\mscoree.dll'])) self.assertEqual(eventlog_provider.parameter_message_files, set())
def testProperties(self): """Tests the properties functions on a NTUSER.DAT file.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) registry_key = registry_file.GetKeyByPath('\\Console') value_name = 'ColorTable14' registry_value = registry_key.GetValueByName(value_name) expected_data = b'\xff\xff\x00\x00' self.assertIsNotNone(registry_value) self.assertEqual(registry_value.data_type, 4) self.assertEqual(registry_value.data_type_string, 'REG_DWORD_LE') self.assertEqual(registry_value.GetDataAsObject(), 65535) self.assertEqual(registry_value.name, value_name) self.assertEqual(registry_value.offset, 105212) self.assertEqual(registry_value.data, expected_data) registry_key = registry_file.GetKeyByPath( '\\AppEvents\\EventLabels\\CriticalBatteryAlarm') value_name = 'DispFileName' registry_value = registry_key.GetValueByName(value_name) expected_data = ( b'@\x00m\x00m\x00r\x00e\x00s\x00.\x00d\x00l\x00l\x00,\x00-\x005\x008' b'\x002\x007\x00\x00\x00') self.assertIsNotNone(registry_value) self.assertEqual(registry_value.data_type, 1) self.assertEqual(registry_value.data_type_string, 'REG_SZ') self.assertEqual(registry_value.GetDataAsObject(), '@mmres.dll,-5827') self.assertEqual(registry_value.name, value_name) self.assertEqual(registry_value.offset, 62028) self.assertEqual(registry_value.data, expected_data) registry_key = registry_file.GetKeyByPath( '\\Control Panel\\Appearance') value_name = 'SchemeLangID' registry_value = registry_key.GetValueByName(value_name) expected_data = b'\x00\x00' self.assertIsNotNone(registry_value) self.assertEqual(registry_value.data_type, 3) self.assertEqual(registry_value.data_type_string, 'REG_BINARY') self.assertEqual(registry_value.GetDataAsObject(), expected_data) self.assertEqual(registry_value.name, value_name) self.assertEqual(registry_value.offset, 46468) self.assertEqual(registry_value.data, expected_data) registry_value._pyregf_value = FakePyREGFValue() with self.assertRaises(errors.WinRegistryValueError): _ = registry_value.data registry_file.Close()
def ParseFileObject(self, parser_mediator, file_object): """Parses a Windows Registry file-like object. Args: parser_mediator (ParserMediator): parser mediator. file_object (dfvfs.FileIO): a file-like object. """ # TODO: set codepage from mediator. registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage='cp1252', emulate_virtual_keys=False) try: registry_file.Open(file_object) except IOError as exception: parser_mediator.ProduceExtractionWarning( 'unable to open Windows Registry file with error: {0!s}'. format(exception)) return try: win_registry = dfwinreg_registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping( registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) root_key = registry_file.GetRootKey() if root_key: registry_find_specs = getattr( parser_mediator.collection_filters_helper, 'registry_find_specs', None) if not registry_find_specs: self._ParseRecurseKeys(parser_mediator, root_key) else: artifacts_filters_helper = ( artifact_filters.ArtifactDefinitionsFiltersHelper) if not artifacts_filters_helper.CheckKeyCompatibility( key_path_prefix): logger.warning(( 'Artifacts filters are not supported for Windows Registry file ' 'with key path prefix: "{0:s}".' ).format(key_path_prefix)) else: win_registry.MapFile(key_path_prefix, registry_file) # Note that win_registry will close the mapped registry_file. registry_file = None self._ParseKeysFromFindSpecs(parser_mediator, win_registry, registry_find_specs) except IOError as exception: parser_mediator.ProduceExtractionWarning('{0!s}'.format(exception)) finally: if registry_file: registry_file.Close()
def testOpenClose(self): """Tests the Open and Close functions.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) registry_file.Close()
def Open(self, path, ascii_codepage='cp1252'): LOGGER.info("open registry %s", path) """ Opens a path within the dfVFS volume """ realpath = path.replace('\\', '/') if path in self.not_present: return None # check for variables and if we know them realpath = path for match in re.finditer('%[a-zA-Z0-9_]+%', path): key = match.group(0) val = self.windows_system.get_var(key) if val: realpath = realpath.replace(key, val) else: LOGGER.warning("Could not resolve variable %s", key) return None realpath = realpath.replace('\\', '/') if realpath.lower().startswith('c:/'): # catch absolute paths realpath = '/' + realpath[3:] if not realpath[0] == '/': realpath = '/' + realpath if realpath in self.not_present: return None path_specs = list( self.dfvfs.find_paths([realpath], partitions=[self.partition])) if not path_specs: LOGGER.warning("Could not find requested registry hive %s [%s]", path, realpath) self.not_present.add(path) self.not_present.add(realpath) return None if len(path_specs) > 1: LOGGER.warning( "Found multiple registry hives for query %s, using %s", path, dfvfs_helper.reconstruct_full_path(path_specs[0])) # extract the file locally filename = realpath.replace('/', '_') dfvfs_helper.export_file(path_specs[0], self.tmpfs, filename) try: file_object = self.tmpfs.open(filename, 'rb') except ResourceNotFound: files = self.tmpfs.listdir("/") LOGGER.warning("Could not open registry hive %s [%s] (%s)", path, realpath, files) return None self.open_handles.append((filename, file_object)) reg_file = regfile_impl.REGFWinRegistryFile( ascii_codepage=ascii_codepage) reg_file.Open(file_object) return reg_file
def testRecurseKeys(self): """Tests the RecurseKeys function.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) key_path = '\\Software' registry_key = registry_file.GetKeyByPath(key_path) registry_keys = list(registry_key.RecurseKeys()) registry_file.Close() self.assertEqual(len(registry_keys), 1219)
def testGetValues(self): """Tests the GetValues function.""" path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = regf.REGFWinRegistryFile() with open(path, 'rb') as file_object: registry_file.Open(file_object) key_path = '\\Console' registry_key = registry_file.GetKeyByPath(key_path) values = list(registry_key.GetValues()) self.assertEqual(len(values), 37) registry_file.Close()
def _OpenREGFRegistryFile(self, filename): """Opens a REGF Windows Registry file. Args: filename: the name of the file relative to the test file path. Returns: The Windows Registry file object (instance of REGFWinRegistryFileTest) or None. """ path = self._GetTestFilePath([filename]) file_object = open(path, 'rb') registry_file = regf.REGFWinRegistryFile() registry_file.Open(file_object) return registry_file
def testGetSubkeys(self): """Tests the GetSubkeys function.""" test_path = self._GetTestFilePath(['NTUSER.DAT']) self._SkipIfPathNotExists(test_path) registry_file = regf.REGFWinRegistryFile() with open(test_path, 'rb') as file_object: registry_file.Open(file_object) key_path = '\\Software' registry_key = registry_file.GetKeyByPath(key_path) sub_registry_keys = list(registry_key.GetSubkeys()) self.assertEqual(len(sub_registry_keys), 7) registry_file.Close()
def _OpenREGFRegistryFile(self, filename, key_path_prefix=''): """Opens a REGF Windows Registry file. Args: filename (str): name of the file relative to the test file path. key_path_prefix (Optional[str]): Windows Registry key path prefix. Returns: REGFWinRegistryFileTest: Windows Registry file or None. """ path = self._GetTestFilePath([filename]) file_object = open(path, 'rb') registry_file = regf.REGFWinRegistryFile( key_path_prefix=key_path_prefix) registry_file.Open(file_object) return registry_file