def run(self): lst = [] "use the SOFTWARE hive to get the result" ProfileList_user_settings_path = u"Microsoft\\Windows NT\\CurrentVersion\\ProfileList" hive = get_hive(self.prim_hive, self.log_files) ProfileList_user_settings_key = hive.find_key( ProfileList_user_settings_path) # print('Found a key: {}'.format(ProfileList_user_settings_key.path())) if ProfileList_user_settings_key: for sid_key in ProfileList_user_settings_key.subkeys(): sid_name = sid_key.name() Profile_path = sid_key.value(name=u"ProfileImagePath") Profile_data = strip_control_characters(Profile_path.data()) timestamp = sid_key.last_written_timestamp().isoformat() user = strip_control_characters( os.path.basename(os.path.normpath(Profile_data))) record = OrderedDict([("Path", Profile_data), ("User", user), ("sid", sid_name), ("Key_Timestamp", timestamp), ("@timestamp", timestamp)]) lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format( 'ProfileList', ProfileList_user_settings_path)) return lst
def run(self): hive = get_hive(self.prim_hive, self.log_files) select_key = hive.find_key(u'Select') current_path = '' if select_key: current_value = select_key.value(name=u"Current") current_path = u"ControlSet{:03d}".format(current_value.data()) else: current_path = 'ControlSet001' lst = [] TimeZoneInformation_user_settings_path = u"\\".join( [current_path, u"Control\\TimeZoneInformation"]) TimeZoneInformation_user_settings_key = hive.find_key( TimeZoneInformation_user_settings_path) if TimeZoneInformation_user_settings_key: TimeZoneKeyName = TimeZoneInformation_user_settings_key.value( name=u"TimeZoneKeyName") TimeZoneKeyName_data = TimeZoneKeyName.data() timestamp = TimeZoneInformation_user_settings_key.last_written_timestamp( ).isoformat() record = OrderedDict([ ("Time Zone", strip_control_characters(TimeZoneKeyName_data)), ("Key_Timestamp", timestamp), ("@timestamp", timestamp) ]) lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format( 'TimeZoneInformation', TimeZoneInformation_user_settings_path)) return lst
def run(self): lst = [] WordWheelQuery_user_settings_path = u"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery" hive = get_hive(self.prim_hive,self.log_files) WordWheelQuery_user_settings_key = hive.find_key(WordWheelQuery_user_settings_path) if WordWheelQuery_user_settings_key: #for sid_key in WordWheelQuery_user_settings_key.subkeys(): sid_key_values = iter(WordWheelQuery_user_settings_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: logging.error(u"Error getting next value: {}".format(error)) continue value_name = value.name() url_data =value.data().decode("utf-16") timestamp = WordWheelQuery_user_settings_key.last_written_timestamp().isoformat() record = OrderedDict([ ("Key_Timestamp",timestamp), ("Url_Name", value_name), ("Url", strip_control_characters(url_data)), ("@timestamp",timestamp), ]) lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format('WordWheelQuery', WordWheelQuery_user_settings_path)) return lst
def run(self): lst = [] "use the NTUSER.dat hive to get the result" RunMRU_user_settings_path = u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU' hive = get_hive(self.prim_hive,self.log_files) RunMRU_user_settings_key = hive.find_key(RunMRU_user_settings_path) if RunMRU_user_settings_key: sid_key_values = iter(RunMRU_user_settings_key.values()) timestamp = RunMRU_user_settings_key.last_written_timestamp().isoformat() while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: logging.error(u"Error getting next value: {}".format(error)) continue sid_name = value.name() file_name = strip_control_characters(value.data()) record = OrderedDict([ ("Sequence", sid_name), ("Command", file_name), ("Key_Timestamp",timestamp), ("@timestmap",timestamp) ]) lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format('RunMRU', RunMRU_user_settings_path)) return lst
def run(self): lst = [] "use the SOFTWARE hive to get the result" InstalledApp_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\App Paths" hive = get_hive(self.prim_hive, self.log_files) InstalledApp_user_settings_key = hive.find_key( InstalledApp_user_settings_path) # print('Found a key: {}'.format(InstalledApp_user_settings_key.path())) if InstalledApp_user_settings_key: for sid_key in InstalledApp_user_settings_key.subkeys(): sid_name = sid_key.name() timestamp = sid_key.last_written_timestamp().isoformat() Path = sid_key.value(name=u"Path") if Path: Path_data = strip_control_characters(Path.data()) else: Path_data = "" record = OrderedDict([ ("Application_Name", sid_name), ("InstalledApp_date", timestamp), ("Path", Path_data), ("@timestamp", timestamp), ]) lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format('Bam', bam_user_settings_path)) return lst
def run(self): lst =[] "use the SOFTWARE hive to get the result" ShellExtensions_user_settings_path = u'Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved' hive = get_hive(self.prim_hive,self.log_files) ShellExtensions_user_settings_key = hive.find_key(ShellExtensions_user_settings_path) if ShellExtensions_user_settings_key: sid_key_values = iter(ShellExtensions_user_settings_key.values()) timestamp = ShellExtensions_user_settings_key.last_written_timestamp().isoformat() while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: logging.error(u"Error getting next value: {}".format(error)) continue sid_name= value.name() data = value.data() if isinstance(data, bytes): pos = data.find(b'\x00\x00') +1 file_name = strip_control_characters(data[:pos].decode('utf-16')) else: file_name = strip_control_characters(data) record = OrderedDict([ ("sid", sid_name), ("File Name", file_name), ("key_last_written_timestamp",timestamp), ("@timestamp",timestamp) ]) lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format('ShellExtensions', ShellExtensions_user_settings_path)) return lst
def get_service_parameters_subkey(self, service_parameters_key): parameters_dict = {} for v in service_parameters_key.values(): value_name = v.name().replace(".", "_") if type(v.data()) == str: parameters_dict[value_name] = strip_control_characters( v.data()) elif type(v.data()) == bytes: parameters_dict[value_name] = v.data().hex() elif type(v.data()) == list: parameters_dict[value_name] = "|".join( [value.rstrip('\x00') for value in v.data()]) else: parameters_dict[value_name] = v.data() return parameters_dict
def run(self): lst = [] ComputerName_user_settings_path = u"ControlSet001\\Control\\ComputerName\\ComputerName" hive = get_hive(self.prim_hive,self.log_files) ComputerName_user_settings_key = hive.find_key(ComputerName_user_settings_path) if ComputerName_user_settings_key: ComputerName = ComputerName_user_settings_key.value(name=u"ComputerName") ComputerName_data = ComputerName.data() timestamp = ComputerName_user_settings_key.last_written_timestamp().isoformat() record = OrderedDict([ ("ComputerName", strip_control_characters(ComputerName_data)), ("Key_Timestamp", timestamp), ("@timestamp",timestamp) ]) lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format('ComputerName', ComputerName_user_settings_path)) return lst
def run(self): lst = [] TypedUrls_user_settings_path = u"Software\\Microsoft\\Internet Explorer\\TypedURLs" hive = get_hive(self.prim_hive, self.log_files) TypedUrls_user_settings_key = hive.find_key( TypedUrls_user_settings_path) if TypedUrls_user_settings_key: #for sid_key in TypedUrls_user_settings_key.subkeys(): sid_key_values = iter(TypedUrls_user_settings_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: logging.error( u"Error getting next value: {}".format(error)) continue value_name = value.name() url_data = value.data() timestamp = TypedUrls_user_settings_key.last_written_timestamp( ).isoformat() record = OrderedDict([("Key_Timestamp", timestamp), ("Url Name", value_name), ("Url", strip_control_characters(url_data)), ("@timestamp", timestamp)]) lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format( 'TypedUrls', TypedUrls_user_settings_path)) return lst
def run(self): lst = [] TerminalServerClient_user_settings_paths = [ 'Software\\Microsoft\\Terminal Server Client\\Servers', 'Software\\Microsoft\\Terminal Server Client\\Default' ] for TerminalServerClient_user_settings_path in TerminalServerClient_user_settings_paths: hive = get_hive(self.prim_hive, self.log_files) TerminalServerClient_user_settings_key = hive.find_key( TerminalServerClient_user_settings_path) # print('Found a key: {}'.format(TerminalServerClient_user_settings_key.path())) if TerminalServerClient_user_settings_key: if "Servers" in TerminalServerClient_user_settings_path: for sid_key in TerminalServerClient_user_settings_key.subkeys( ): timestamp = TerminalServerClient_user_settings_key.last_written_timestamp( ).isoformat() key_name = sid_key.name() sid_key_values = iter(sid_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: logging.error( u"Error getting next value: {}".format( error)) continue value_name = value.name() if "UsernameHint" == value_name: value_data = value.data() record = OrderedDict([ ("key_timestamp", timestamp), ("IP_Address", key_name), ("User_Name", strip_control_characters(value_data)), ("@timestamp", timestamp) ]) # lst.append(u"{}".format( json.dumps(record, cls=ComplexEncoder))) else: sid_key_values = iter( TerminalServerClient_user_settings_key.values()) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: logging.error( u"Error getting next value: {}".format(error)) continue value_name = value.name() value_data = value.data() record = OrderedDict([ ("key_timestamp", timestamp), ("@timestamp", timestamp), ("IP_Address", strip_control_characters(value_data)), ("Value_Name", value_name) ]) # lst.append(u"{}".format( json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format( 'TerminalServerClient', TerminalServerClient_user_settings_path)) return lst
def run(self): lst= [] "use the SOFTWARE hive to get the result" InstalledComponents_user_settings_path = [u'Microsoft\\Active Setup\\Installed Components',u'Wow6432Node\\Microsoft\\Active Setup\\Installed Components'] hive = get_hive(self.prim_hive,self.log_files) for path in InstalledComponents_user_settings_path: InstalledComponents_user_settings_key = hive.find_key(path) if InstalledComponents_user_settings_key: for sid_key in InstalledComponents_user_settings_key.subkeys(): sid_name = sid_key.name() timestamp = sid_key.last_written_timestamp().isoformat() IsInstalled = sid_key.value(name=u"IsInstalled") if IsInstalled: IsInstalled_data = IsInstalled.data() else: IsInstalled_data ="None" DontAsk = sid_key.value(name=u"DontAsk") if DontAsk: DontAsk_data = DontAsk.data() else: DontAsk_data ="None" Enabled = sid_key.value(name=u"Enabled") if Enabled: Enabled_data = Enabled.data() else: Enabled_data ="None" Locale = sid_key.value(name=u"Locale") if Locale: Locale_data = strip_control_characters(Locale.data()) else: Locale_data ="None" LocalizedName = sid_key.value(name=u"LocalizedName") if LocalizedName: LocalizedName_data = strip_control_characters(LocalizedName.data()) else: LocalizedName_data ="None" StubPath = sid_key.value(name=u"StubPath") if StubPath: StubPath_data = strip_control_characters(StubPath.data()) else: StubPath_data ="None" Version = sid_key.value(name=u"Version") if Version: Version_data = strip_control_characters(Version.data()) else: Version_data ="None" ComponentID = sid_key.value(name=u"ComponentID") if ComponentID: ComponentID_data = strip_control_characters(ComponentID.data()) else: ComponentID_data ="None" record = OrderedDict([ ("sid", sid_name), ("last_written_timestamp",timestamp), ("ComponentID", ComponentID_data), ("Version", Version_data), ("StubPath", StubPath_data), ("LocalizedName", LocalizedName_data), ("Locale", Locale_data), ("Enabled", Enabled_data), ("DontAsk", DontAsk_data), ("IsInstalled", IsInstalled_data), ("@timestamp",timestamp) ]) lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format('InstalledComponents', InstalledComponents_user_settings_path)) return lst
def run(self): lst = [] "use the SOFTWARE hive to get the result" Uninstall_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\Uninstall" hive = get_hive(self.prim_hive,self.log_files) Uninstall_user_settings_key = hive.find_key(Uninstall_user_settings_path) # print('Found a key: {}'.format(Uninstall_user_settings_key.path())) if Uninstall_user_settings_key: for sid_key in Uninstall_user_settings_key.subkeys(): sid_name = sid_key.name() timestamp = sid_key.last_written_timestamp().isoformat() #try: DisplayName = sid_key.value(name=u"DisplayName") if DisplayName: DisplayName_data = strip_control_characters(DisplayName.data()) else: DisplayName_data ="" DisplayVersion = sid_key.value(name=u"DisplayVersion") if DisplayVersion: DisplayVersion_data = strip_control_characters(DisplayVersion.data()) else: DisplayVersion_data ="" InstallDate = sid_key.value(name=u"InstallDate") if InstallDate: InstallDate_data = strip_control_characters(InstallDate.data()) else: InstallDate_data ="" InstallLocation = sid_key.value(name=u"InstallLocation") if InstallLocation: InstallLocation_data = strip_control_characters(InstallLocation.data()) else: InstallLocation_data ="" InstallSource= sid_key.value(name=u"InstallSource") if InstallSource: InstallSource_data = strip_control_characters(InstallSource.data()) else: InstallSource_data ="" ModifyPath = sid_key.value(name=u"ModifyPath") if ModifyPath: ModifyPath_data = strip_control_characters(ModifyPath.data()) else: ModifyPath_data ="" Publisher = sid_key.value(name=u"Publisher") if Publisher: Publisher_data = strip_control_characters(Publisher.data()) else: Publisher_data="" Size = sid_key.value(name=u"Size") if Size: Size_data = str(Size.data()) else: Size_data ="" URLInfoAbout = sid_key.value(name=u"URLInfoAbout") if URLInfoAbout: URLInfoAbout_data = strip_control_characters(URLInfoAbout.data()) else: URLInfoAbout_data ="" record = OrderedDict([ ("name", sid_name), ("Uninstall_date",timestamp), ("Application_Name", DisplayName_data), ("Version",DisplayVersion_data), ("Install_Date",InstallDate_data), ("Install_Location", InstallLocation_data), ("Install_Source", InstallSource_data), ("Modify_Path", ModifyPath_data), ("Publisher", Publisher_data), ("Size", Size_data), ("URLInfoAbout",URLInfoAbout_data), ("@timestamp",timestamp) ]) lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format('Bam', bam_user_settings_path)) return lst
def run(self): lst = [] hive = get_hive(self.prim_hive, self.log_files) Amcache_user_settings_path = u"root\\InventoryApplicationFile" Amcache_win7_user_settings_path = u"root\\File" Amcache_user_settings_key = hive.find_key(Amcache_user_settings_path) Amcache7_user_settings_key = hive.find_key( Amcache_win7_user_settings_path) if Amcache_user_settings_key: for sid_key in Amcache_user_settings_key.subkeys(): sid_key_values = iter(sid_key.values()) key_time = sid_key.last_written_timestamp().isoformat() win10_amache_mapping = { "ProgramId": "ProgramId", "LongPathHash": "LongPathHash", "IsOsComponent": "IsOsComponent", "Usn": "Usn", "LowerCaseLongPath": "Path", "FileId": "Sha1", "Name": "Name", "Publisher": "CompanyName", "Version": "Version", "BinFileVersion": "BinFileVersion", "BinaryType": "BinaryType", "ProductName": "ProductName", "ProductVersion": "ProductVersion", "LinkDate": "LinkDate", "BinProductVersion": "BinProductVersion", "Size": "FileSize", "Language": "Language", "IsPeFile": "IsPeFile" } record = OrderedDict([]) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: logging.error( u"Error getting next value: {}".format(error)) continue value_name = value.name() names = win10_amache_mapping[value_name] data = value.data() record[names] = strip_control_characters(str(data)) record["@timestamp"] = key_time if record["Sha1"].startswith("0000"): sha1 = record["Sha1"] record["Sha1"] = sha1[4:] lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) return lst elif Amcache7_user_settings_key: win8_amcache_mapping = { '0': 'ProductName', '1': 'CompanyName', '2': 'FileVersionNum', '3': 'Language', '4': 'SwitchBackContext', '5': 'FileVersion', '6': 'FileSize', '7': 'pe_header_hash', '8': 'unknown1', '9': 'pe_header_checksum', 'a': 'unknown2', 'b': 'unknown3', 'c': 'file_description', 'd': 'unknown4', 'f': 'linker_compile_time', '10': 'unknown5', '11': 'last_modified_timestamp', '12': 'created_timestamp', '15': 'Path', '16': 'unknown6', '17': 'last_modified_timestamp_2', '100': 'ProgramId', '101': 'Sha1' } for sid_key in Amcache7_user_settings_key.subkeys(): for sidd_key in sid_key.subkeys(): sid_key_values = iter(sidd_key.values()) key_time = sidd_key.last_written_timestamp().isoformat() record = OrderedDict([]) while True: try: value = next(sid_key_values) except StopIteration: break except Exception as error: logging.error( u"Error getting next value: {}".format(error)) continue value_name = value.name() names = win8_amcache_mapping[value_name] data = value.data() if "time" in names: if "linker_compile_time" in names: data = datetime.datetime.fromtimestamp(data) else: data = convert_datetime(data) record[names] = strip_control_characters(str(data)) if len(record) == 0: continue record["@timestamp"] = key_time if record["Sha1"].startswith("0000"): sha1 = record["Sha1"] record["Sha1"] = sha1[4:] lst.append(u"{}".format( json.dumps(record, cls=ComplexEncoder))) return lst else: logging.info(u"[{}] {} not found.".format( 'Amcache', Amcache_user_settings_key))
def run(self): lst = [] DHCP_user_settings_path = u"ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces" hive = get_hive(self.prim_hive, self.log_files) DHCP_user_settings_key = hive.find_key(DHCP_user_settings_path) if DHCP_user_settings_key: for sid_key in DHCP_user_settings_key.subkeys(): timestamp = sid_key.last_written_timestamp().isoformat() sid_name = sid_key.name() def get_date(value_name): value = sid_key.value(name=value_name) if value: value = value.data() else: value = "None" return value dict_values_data = { 'DhcpIPAddress': strip_control_characters(get_date('DhcpIPAddress')), 'DhcpServer': strip_control_characters(get_date('DhcpServer')), 'DhcpSubnetMask': strip_control_characters(get_date('DhcpSubnetMask')), 'Domain': strip_control_characters(get_date('Domain')), 'NameServer': strip_control_characters(get_date('NameServer')), 'EnableDHCP': get_date('EnableDHCP'), 'DhcpConnForceBroadcastFlag': get_date('DhcpConnForceBroadcastFlag'), 'IsServerNapAware': get_date('IsServerNapAware'), 'RegisterAdapterName': get_date('RegisterAdapterName'), 'RegistrationEnabled': get_date('RegistrationEnabled') } record = OrderedDict([ ("Dhcp IP Address", dict_values_data['DhcpIPAddress']), ("Dhcp Server", dict_values_data['DhcpServer']), ("DhcpSubnetMask", dict_values_data['DhcpSubnetMask']), ("Domain", dict_values_data['Domain']), ("Name Server", dict_values_data['NameServer']), ("Enable DHCP", dict_values_data['EnableDHCP']), ("DhcpConnForceBroadcastFlag", dict_values_data['DhcpConnForceBroadcastFlag']), ("Is Server NapAware", dict_values_data['IsServerNapAware']), ("Register Adapter Name", dict_values_data['RegisterAdapterName']), ("Registration Enabled", dict_values_data['RegistrationEnabled']), ('@timestamp', timestamp) ]) lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder))) else: logging.info(u"[{}] {} not found.".format('DHCP', DHCP_user_settings_path)) return lst
def run(self): lst = [] # list of service data mapping Service_Start = [ 'Boot', 'System', 'Automatic', 'Manual', 'Disabled', "DelayedStart" ] Service_ErrorControl = ['Ignore', 'Normal', 'Severe', 'Critical'] Service_ServiceSidType = ['NONE', 'UNRESTRICTED', 0, 'RESTRICTED'] hive = get_hive(self.prim_hive, self.log_files) ControlSet_Services_Paths = [ ] # this contains the list of paths for ControlSets main_key = hive.find_key("\\") for main_key_subkey in main_key.subkeys(): if main_key_subkey.name().startswith("ControlSet"): ControlSet_Services_Paths.append(main_key_subkey.path() + "\\services") for ControlSet_Services_Path in ControlSet_Services_Paths: ControlSet_Services_Key = hive.find_key(ControlSet_Services_Path) if ControlSet_Services_Key: #print('Found a key: {}'.format(ControlSet_Services_Key.path())) timestamp = ControlSet_Services_Key.last_written_timestamp( ).isoformat() #print("timestamp: " + timestamp) for subkey in ControlSet_Services_Key.subkeys(): service = {} service['Name'] = subkey.name() service['Path'] = subkey.path() service["@timestamp"] = subkey.last_written_timestamp( ).isoformat() values = list(subkey.values()) for v in values: value_name = v.name().replace(".", "_") #print(value_name + " ---> " + str(type(v.data()))) # get the start type if the value name is Start if value_name == 'Start': service[value_name] = Service_Start[v.data()] # get the ErrorControl if the value name is ErrorControl elif value_name == 'ErrorControl': service[value_name] = Service_ErrorControl[ v.data()] # get the ServiceSidType if the value name is ServiceSidType elif value_name == 'ServiceSidType': service[value_name] = Service_ServiceSidType[ v.data()] # parse the FailureActions field elif value_name == 'FailureActions': failure_actions = self.parse_SERVICE_FAILURE_ACTIONS( v.data()) service[value_name] = failure_actions['SC_ACTIONS'] service[ "FailureCountResetPeriod"] = failure_actions[ 'SC_ACTIONS'] # get the service type if the value name is Type elif value_name == 'Type': service[value_name] = self.get_service_type( v.data()) # if the data is a list, then combine the list elif type(v.data()) == list: service[value_name] = "|".join([ strip_control_characters(element) for element in v.data() if element != "\x00" ]) # if the data is str, ensure to strip null bytes elif type(v.data()) == str: service[value_name] = strip_control_characters( v.data()) elif type(v.data()) == bytes: service[value_name] = v.data().hex() else: service[value_name] = v.data() # check and retrive parameters subkey from the key for service_subkey in subkey.subkeys(): if service_subkey.name() == 'Parameters': service[ 'Parameters'] = self.get_service_parameters_subkey( service_subkey) elif service_subkey.name() == 'TriggerInfo': triggers = {} for trigger in service_subkey.subkeys(): triggers[str( len(triggers) )] = self.get_TriggerInfo_subkey(trigger) service["TriggerInfo"] = triggers #print(service) print(json.dumps(service, indent=4, sort_keys=True)) lst.append(service) else: pass else: logging.info(u"[{}] {} not found.".format( 'Services', ControlSet_Services_Paths)) print(len(lst)) return lst