def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect Values under Office 2010 MRUs and return events for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
# TODO: Test other Office versions to make sure this plugin is applicable.
mru_values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore any value not in the form: 'Item [0-9]+'.
if not registry_value.name or not self._RE_VALUE_NAME.search(
registry_value.name):
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
value_string = registry_value.GetDataAsObject()
values = self._RE_VALUE_DATA.findall(value_string)
# Values will contain a list containing a tuple containing 2 values.
if len(values) != 1 or len(values[0]) != 2:
continue
try:
filetime = int(values[0][0], 16)
except ValueError:
parser_mediator.ProduceParseError(
(u'unable to convert filetime string to an integer for '
u'value: {0:s}.').format(registry_value.name))
continue
mru_values_dict[registry_value.name] = value_string
# TODO: change into a separate event object.
values_dict = {registry_value.name: value_string}
event_object = windows_events.WindowsRegistryEvent(
filetime,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
mru_values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Gather the BootExecute Value, compare to default, return event.
The rest of the values in the Session Manager key are in a separate event.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
for registry_value in registry_key.GetValues():
value_name = registry_value.name or u'(default)'
if value_name == u'BootExecute':
# MSDN: claims that the data type of this value is REG_BINARY
# although REG_MULTI_SZ is known to be used as well.
if registry_value.DataIsString():
value_string = registry_value.GetDataAsObject()
elif registry_value.DataIsMultiString():
value_string = u''.join(registry_value.GetDataAsObject())
elif registry_value.DataIsBinaryData():
value_string = registry_value.GetDataAsObject()
else:
value_string = u''
error_string = (
u'Key: {0:s}, value: {1:s}: unsupported value data type: '
u'{2:s}.').format(registry_key.path, value_name,
registry_value.data_type_string)
parser_mediator.ProduceExtractionError(error_string)
# TODO: why does this have a separate event object? Remove this.
value_dict = {u'BootExecute': value_string}
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
value_dict,
offset=registry_key.offset,
urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
else:
values_dict[value_name] = registry_value.GetDataAsObject()
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset,
urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
def CreateTestEventObjects():
"""Creates the event objects for testing.
Returns:
A list of event objects (instances of EventObject).
"""
event_objects = []
filetime = dfwinreg_filetime.Filetime()
filetime.CopyFromString(u'2012-04-20 22:38:46.929596')
values_dict = {u'Value': u'c:/Temp/evil.exe'}
event_object = windows_events.WindowsRegistryEvent(filetime.timestamp,
u'MY AutoRun key',
values_dict)
event_object.parser = 'UNKNOWN'
event_objects.append(event_object)
filetime.CopyFromString(u'2012-05-02 13:43:26.929596')
values_dict = {u'Value': u'send all the exes to the other world'}
event_object = windows_events.WindowsRegistryEvent(
filetime.timestamp, u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
values_dict)
event_object.parser = 'UNKNOWN'
event_objects.append(event_object)
filetime.CopyFromString(u'2012-04-20 16:44:46')
values_dict = {u'Value': u'run all the benign stuff'}
event_object = windows_events.WindowsRegistryEvent(
filetime.timestamp, u'\\HKCU\\Windows\\Normal', values_dict)
event_object.parser = 'UNKNOWN'
event_objects.append(event_object)
timemstamp = timelib.Timestamp.CopyFromString(u'2009-04-05 12:27:39')
text_dict = {
u'hostname':
u'nomachine',
u'text':
(u'This is a line by someone not reading the log line properly. And '
u'since this log line exceeds the accepted 80 chars it will be '
u'shortened.'),
u'username':
u'johndoe'
}
event_object = text_events.TextEvent(timemstamp, 12, text_dict)
event_object.parser = 'UNKNOWN'
event_objects.append(event_object)
return event_objects
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect ShutdownTime value under Windows and produce an event object.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
shutdown_value = registry_key.GetValueByName(u'ShutdownTime')
if not shutdown_value:
return
value_integer = shutdown_value.GetDataAsObject()
try:
filetime = self._UINT64_STRUCT.parse(value_integer)
except construct.FieldError as exception:
parser_mediator.ProduceParseError(
(u'Unable to extract shutdown timestamp: {0:d} with error: '
u'{1:s}').format(value_integer, exception))
return
values_dict = {u'Description': shutdown_value.name}
event_object = windows_events.WindowsRegistryEvent(
filetime,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND,
usage=eventdata.EventTimestamp.LAST_SHUTDOWN)
parser_mediator.ProduceEvent(event_object)
def _ParseMRUListExKey(self, parser_mediator, key, codepage=u'cp1252'):
"""Extract event objects from a MRUListEx Registry key.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
key: the Registry key (instance of dfwinreg.WinRegistryKey).
codepage: Optional extended ASCII string codepage.
"""
values_dict = {}
for entry_index, entry_number in self._ParseMRUListExValue(key):
# TODO: detect if list ends prematurely.
# MRU lists are terminated with 0xffffffff (-1).
if entry_number == 0xffffffff:
break
value_string = self._ParseMRUListExEntryValue(parser_mediator,
key,
entry_index,
entry_number,
codepage=codepage)
value_text = u'Index: {0:d} [MRU Value {1:d}]'.format(
entry_index + 1, entry_number)
values_dict[value_text] = value_string
event_object = windows_events.WindowsRegistryEvent(
key.last_written_time,
key.path,
values_dict,
offset=key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Extracts event objects from a WinRAR ArcHistory key.
Args:
parser_mediator: a parser mediator object (instance of ParserMediator).
registry_key: a Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore any value not in the form: '[0-9]+'.
if (not registry_value.name or
not self._RE_VALUE_NAME.search(registry_value.name)):
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
values_dict[registry_value.name] = registry_value.GetDataAsObject()
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time, registry_key.path, values_dict,
offset=registry_key.offset, source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect the values under Outlook and return event for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore the default value.
if not registry_value.name:
continue
# Ignore any value that is empty or that does not contain an integer.
if not registry_value.data or not registry_value.DataIsInteger():
continue
# TODO: change this 32-bit integer into something meaningful, for now
# the value name is the most interesting part.
value_integer = registry_value.GetDataAsObject()
values_dict[registry_value.name] = u'0x{0:08x}'.format(
value_integer)
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect MRU Values and return event for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
for value in registry_key.GetValues():
# Ignore the default value.
if not value.name:
continue
# Ignore any value that is empty or that does not contain a string.
if not value.data or not value.DataIsString():
continue
values_dict[value.name] = value.GetDataAsObject()
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def _ParseRegisteredDLLs(self, parser_mediator, registry_key):
"""Parses the registered DLLs that receive event notifications.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
notify_key = registry_key.GetSubkeyByName(u'Notify')
if not notify_key:
return
for subkey in notify_key.GetSubkeys():
for trigger in self._TRIGGERS:
handler_value = subkey.GetValueByName(trigger)
if handler_value:
values_dict = {
u'Application': subkey.name,
u'Handler': handler_value.GetDataAsObject(),
u'Trigger': trigger
}
command_value = subkey.GetValueByName(u'DllName')
if command_value:
values_dict[
u'Command'] = command_value.GetDataAsObject()
event_object = windows_events.WindowsRegistryEvent(
subkey.last_written_time,
subkey.path,
values_dict,
offset=subkey.offset,
source_append=u': Winlogon')
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Gather minimal information about system install and return an event.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
installation_value = None
string_values = {}
for registry_value in registry_key.GetValues():
# Ignore the default value.
if not registry_value.name:
continue
if (registry_value.name == u'InstallDate'
and registry_value.DataIsInteger()):
installation_value = registry_value
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
string_value_name = self._STRING_VALUE_NAME_STRINGS.get(
registry_value.name, None)
if not string_value_name:
continue
string_values[string_value_name] = registry_value.GetDataAsObject()
owner = string_values.get(u'owner', u'')
product_name = string_values.get(u'product_name', u'')
service_pack = string_values.get(u'service_pack', u'')
version = string_values.get(u'version', u'')
values_dict = {}
values_dict[u'Owner'] = owner
values_dict[u'Product name'] = product_name
values_dict[u'Service pack'] = service_pack
values_dict[u'Windows Version Information'] = version
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset)
parser_mediator.ProduceEvent(event_object)
# TODO: if not present indicate anomaly of missing installation
# date and time.
if installation_value:
posix_time = installation_value.GetDataAsObject()
event_object = windows_events.WindowsRegistryInstallationEvent(
posix_time, registry_key.path, owner, product_name,
service_pack, version)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Returns an event object based on a Registry key name and values.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
if registry_key.number_of_values == 0:
values_dict[u'Value'] = u'No values stored in key.'
else:
for registry_value in registry_key.GetValues():
value_name = registry_value.name or u'(default)'
if registry_value.data is None:
value_string = u'[{0:s}] Empty'.format(
registry_value.data_type_string)
elif registry_value.DataIsString():
value_string = registry_value.GetDataAsObject()
value_string = u'[{0:s}] {1:s}'.format(
registry_value.data_type_string, value_string)
elif registry_value.DataIsInteger():
value_integer = registry_value.GetDataAsObject()
value_string = u'[{0:s}] {1:d}'.format(
registry_value.data_type_string, value_integer)
elif registry_value.DataIsMultiString():
multi_string = registry_value.GetDataAsObject()
if not isinstance(multi_string, (list, tuple)):
value_string = u'[{0:s}]'.format(
registry_value.data_type_string)
# TODO: Add a flag or some sort of an anomaly alert.
else:
value_string = u'[{0:s}] {1:s}'.format(
registry_value.data_type_string,
u''.join(multi_string))
else:
value_string = u'[{0:s}]'.format(
registry_value.data_type_string)
values_dict[value_name] = value_string
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset)
parser_mediator.ProduceEvent(event_object)
def _ParseSubKey(
self, parser_mediator, key, parent_path_segments, codepage=u'cp1252'):
"""Extract event objects from a MRUListEx Registry key.
Args:
parser_mediator: a parser mediator object (instance of ParserMediator).
key: the Registry key (instance of dfwinreg.WinRegistryKey).
parent_path_segments: list containing the parent shell item path segments.
codepage: optional extended ASCII string codepage.
"""
entry_numbers = {}
values_dict = {}
value_strings = {}
found_terminator = False
for index, entry_number in self._ParseMRUListExValue(parser_mediator, key):
if entry_number == 0xffffffff:
found_terminator = True
continue
if found_terminator:
parser_mediator.ProduceExtractionError((
u'Found additional MRUListEx entries after terminator '
u'in key: {0:s}.').format(key.path))
# Only create one parser error per terminator.
found_terminator = False
path_segment = self._ParseMRUListExEntryValue(
parser_mediator, key, index, entry_number, values_dict,
value_strings, parent_path_segments, codepage=codepage)
entry_numbers[entry_number] = path_segment
event_object = windows_events.WindowsRegistryEvent(
key.last_written_time, key.path, values_dict,
offset=key.offset, source_append=self._SOURCE_APPEND, urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
for entry_number, path_segment in iter(entry_numbers.items()):
sub_key = key.GetSubkeyByName(u'{0:d}'.format(entry_number))
if not sub_key:
parser_mediator.ProduceExtractionError(
u'Missing BagMRU sub key: {0:d} in key: {1:s}.'.format(
entry_number, key.path))
continue
parent_path_segments.append(path_segment)
self._ParseSubKey(
parser_mediator, sub_key, parent_path_segments, codepage=codepage)
parent_path_segments.pop()
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect Values in Servers and return event for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
mru_values_dict = {}
for subkey in registry_key.GetSubkeys():
username_value = subkey.GetValueByName(u'UsernameHint')
if (username_value and username_value.data
and username_value.DataIsString()):
username = username_value.GetDataAsObject()
else:
username = u'N/A'
mru_values_dict[subkey.name] = username
values_dict = {u'Username hint': username}
event_object = windows_events.WindowsRegistryEvent(
subkey.last_written_time,
subkey.path,
values_dict,
offset=subkey.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
mru_values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Gather the BootVerification key values and return one event for all.
This key is rare, so its presence is suspect.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
for registry_value in registry_key.GetValues():
value_name = registry_value.name or u'(default)'
values_dict[value_name] = registry_value.GetDataAsObject()
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time, registry_key.path, values_dict,
offset=registry_key.offset, urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Extracts event objects from a CCleaner Registry key.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
update_key_value = None
values_dict = {}
for registry_value in registry_key.GetValues():
if not registry_value.name or not registry_value.data:
continue
if (registry_value.name == u'UpdateKey' and
registry_value.DataIsString()):
update_key_value = registry_value
else:
values_dict[registry_value.name] = registry_value.GetDataAsObject()
if update_key_value:
date_time_string = update_key_value.GetDataAsObject()
try:
# Date and time string in the form: MM/DD/YYYY hh:mm:ss [A|P]M
# e.g. 07/13/2013 10:03:14 AM
# TODO: does this hold for other locales?
timestamp = timelib.Timestamp.FromTimeString(
date_time_string, timezone=parser_mediator.timezone)
except errors.TimestampError:
timestamp = None
parser_mediator.ProduceParseError(
u'unable to parse time string: {0:s}'.format(date_time_string))
if timestamp is not None:
event_object = CCleanerUpdateEvent(timestamp, registry_key.path)
parser_mediator.ProduceEvent(event_object)
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time, registry_key.path, values_dict,
offset=registry_key.offset, source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Retrieves information from the MountPoints2 registry key.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
for subkey in registry_key.GetSubkeys():
name = subkey.name
if not name:
continue
values_dict = {}
values_dict[u'Volume'] = name
label_value = subkey.GetValueByName(u'_LabelFromReg')
if label_value:
values_dict[u'Label'] = label_value.GetDataAsObject()
if name.startswith(u'{'):
values_dict[u'Type'] = u'Volume'
elif name.startswith(u'#'):
# The format is: ##Server_Name#Share_Name.
values_dict[u'Type'] = u'Remote Drive'
server_name, _, share_name = name[2:].partition(u'#')
values_dict[u'Remote_Server'] = server_name
values_dict[u'Share_Name'] = u'\\{0:s}'.format(
share_name.replace(u'#', u'\\'))
else:
values_dict[u'Type'] = u'Drive'
event_object = windows_events.WindowsRegistryEvent(
subkey.last_written_time,
registry_key.path,
values_dict,
offset=subkey.offset,
urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Extracts event objects from a Explorer ProgramsCache Registry key.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
registry_value = registry_key.GetValueByName(u'ProgramsCache')
if registry_value:
self._ParseValueData(parser_mediator, registry_key, registry_value)
registry_value = registry_key.GetValueByName(u'ProgramsCacheSMP')
if registry_value:
self._ParseValueData(parser_mediator, registry_key, registry_value)
registry_value = registry_key.GetValueByName(u'ProgramsCacheTBP')
if registry_value:
self._ParseValueData(parser_mediator, registry_key, registry_value)
values_dict = {}
for registry_value in registry_key.GetValues():
# Ignore the default value.
if not registry_value.name or registry_value.name in [
u'ProgramsCache', u'ProgramsCacheSMP', u'ProgramsCacheTBP']:
continue
# Ignore any value that is empty or that does not contain a string.
if not registry_value.data or not registry_value.DataIsString():
continue
values_dict[registry_value.name] = registry_value.GetDataAsObject()
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time, registry_key.path, values_dict,
offset=registry_key.offset)
parser_mediator.ProduceEvent(event_object)
def _ParseLogonApplications(self, parser_mediator, registry_key):
"""Parses the registered logon applications.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
for application in self._LOGON_APPLICATIONS:
command_value = registry_key.GetValueByName(application)
if command_value:
values_dict = {
u'Application': application,
u'Command': command_value.GetDataAsObject(),
u'Trigger': u'Logon'
}
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=u': Winlogon')
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect SubKeys under USB and produce an event object for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
for subkey in registry_key.GetSubkeys():
values_dict = {}
values_dict[u'subkey_name'] = subkey.name
vendor_identification = None
product_identification = None
try:
subkey_name_parts = subkey.name.split(u'&')
if len(subkey_name_parts) >= 2:
vendor_identification = subkey_name_parts[0]
product_identification = subkey_name_parts[1]
except ValueError as exception:
logging.warning(
u'Unable to split string: {0:s} with error: {1:s}'.format(
subkey.name, exception))
if vendor_identification and product_identification:
values_dict[u'vendor'] = vendor_identification
values_dict[u'product'] = product_identification
for devicekey in subkey.GetSubkeys():
values_dict[u'serial'] = devicekey.name
# Last USB connection per USB device recorded in the Registry.
event_object = windows_events.WindowsRegistryEvent(
devicekey.last_written_time, registry_key.path, values_dict,
offset=registry_key.offset, source_append=self._SOURCE_APPEND,
usage=eventdata.EventTimestamp.LAST_CONNECTED)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Retrieves information from the Network registry key.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
for subkey in registry_key.GetSubkeys():
drive_letter = subkey.name
if not drive_letter:
continue
values_dict = {
u'DriveLetter': drive_letter,
u'Type': u'Mapped Drive'
}
# Get the remote path if it exists.
remote_path_value = subkey.GetValueByName(u'RemotePath')
if remote_path_value:
remote_path = remote_path_value.GetDataAsObject()
if remote_path.startswith(u'\\\\'):
server_name, _, share_name = remote_path[2:].partition(
u'\\')
values_dict[u'RemoteServer'] = server_name
values_dict[u'ShareName'] = u'\\{0:s}'.format(
share_name.replace(u'#', u'\\'))
event_object = windows_events.WindowsRegistryEvent(
subkey.last_written_time,
registry_key.path,
values_dict,
offset=subkey.offset,
source_append=u': Network Drive')
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect values and return an event.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
if registry_key is None:
return
values_dict = {}
for value_name in self._VALUE_NAMES:
value_data = self._GetValueData(registry_key, value_name)
if value_data is None:
continue
values_dict[value_name] = value_data
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset)
parser_mediator.ProduceEvent(event_object)
def CreateTestEvents():
"""Creates events for testing.
Returns:
list[EventObject]: events.
"""
test_events = []
hostname = u'MYHOSTNAME'
data_type = u'test:event'
event_object = events.EventObject()
event_object.username = u'joesmith'
event_object.filename = u'c:/Users/joesmith/NTUSER.DAT'
event_object.hostname = hostname
event_object.timestamp = 0
event_object.data_type = data_type
event_object.text = u''
test_events.append(event_object)
filetime = dfdatetime_filetime.Filetime()
# TODO: move this to a WindowsRegistryEvent unit test.
filetime.CopyFromString(u'2012-04-20 22:38:46.929596')
values_dict = {u'Run': u'c:/Temp/evil.exe'}
event_object = windows_events.WindowsRegistryEvent(filetime,
u'MY AutoRun key',
values_dict)
event_object.hostname = hostname
test_events.append(event_object)
filetime.CopyFromString(u'2012-04-20 23:56:46.929596')
values_dict = {u'Value': u'send all the exes to the other world'}
event_object = windows_events.WindowsRegistryEvent(
filetime, u'HKCU\\Secret\\EvilEmpire\\Malicious_key', values_dict)
event_object.hostname = hostname
test_events.append(event_object)
filetime.CopyFromString(u'2012-04-20 16:44:46.000000')
values_dict = {u'Value': u'run all the benign stuff'}
event_object = windows_events.WindowsRegistryEvent(
filetime, u'HKCU\\Windows\\Normal', values_dict)
event_object.hostname = hostname
test_events.append(event_object)
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 10:29:47.929596')
filename = u'c:/Temp/evil.exe'
attributes = {u'text': u'This log line reads ohh so much.'}
event_object = TestEvent(timestamp, attributes)
event_object.filename = filename
event_object.hostname = hostname
test_events.append(event_object)
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 10:29:47.929596')
attributes = {u'text': u'Nothing of interest here, move on.'}
event_object = TestEvent(timestamp, attributes)
event_object.filename = filename
event_object.hostname = hostname
test_events.append(event_object)
timestamp = timelib.Timestamp.CopyFromString(u'2012-04-30 13:06:47.939596')
attributes = {
u'text': u'Mr. Evil just logged into the machine and got root.'
}
event_object = TestEvent(timestamp, attributes)
event_object.filename = filename
event_object.hostname = hostname
test_events.append(event_object)
text_dict = {
u'body':
(u'This is a line by someone not reading the log line properly. And '
u'since this log line exceeds the accepted 80 chars it will be '
u'shortened.'),
u'hostname':
u'nomachine',
u'username':
u'johndoe'
}
# TODO: move this to a TextEvent unit test.
timestamp = timelib.Timestamp.CopyFromString(u'2012-06-05 22:14:19.000000')
event_object = text_events.TextEvent(timestamp, 12, text_dict)
event_object.text = event_object.body
event_object.hostname = hostname
event_object.filename = filename
test_events.append(event_object)
return test_events
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect data from Users and Names and produce event objects.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
name_key = registry_key.GetSubkeyByName(u'Names')
if not name_key:
parser_mediator.ProduceParseError(u'Unable to locate Names key.')
return
values = [(v.name, v.last_written_time) for v in name_key.GetSubkeys()]
name_dict = dict(values)
for subkey in registry_key.GetSubkeys():
if subkey.name == u'Names':
continue
parsed_v_value = self._ParseVValue(subkey)
if not parsed_v_value:
parser_mediator.ProduceParseError(
u'Unable to parse SAM key: {0:s} V value.'.format(subkey))
return
username = parsed_v_value[0]
full_name = parsed_v_value[1]
comments = parsed_v_value[2]
values_dict = {u'user_guid': subkey.name}
if username:
values_dict[u'username'] = username
if full_name:
values_dict[u'full_name'] = full_name
if comments:
values_dict[u'comments'] = comments
if name_dict:
account_create_time = name_dict.get(username, 0)
else:
account_create_time = 0
f_data = self._ParseFValue(subkey)
values_dict[u'account_rid'] = f_data.rid
values_dict[u'login_count'] = f_data.login_count
if account_create_time > 0:
event_object = windows_events.WindowsRegistryEvent(
account_create_time, registry_key.path, values_dict,
usage=eventdata.EventTimestamp.ACCOUNT_CREATED,
offset=registry_key.offset, source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
if f_data.last_login > 0:
event_object = windows_events.WindowsRegistryEvent(
f_data.last_login, registry_key.path, values_dict,
usage=eventdata.EventTimestamp.LAST_LOGIN_TIME,
offset=registry_key.offset, source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
if f_data.password_reset > 0:
event_object = windows_events.WindowsRegistryEvent(
f_data.password_reset, registry_key.path, values_dict,
usage=eventdata.EventTimestamp.LAST_PASSWORD_RESET,
offset=registry_key.offset, source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Parses a Task Cache Registry key.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
dynamic_info_size_error_reported = False
tasks_key = registry_key.GetSubkeyByName(u'Tasks')
tree_key = registry_key.GetSubkeyByName(u'Tree')
if not tasks_key or not tree_key:
parser_mediator.ProduceParseError(
u'Task Cache is missing a Tasks or Tree sub key.')
return
task_guids = {}
for sub_key in tree_key.GetSubkeys():
for value_key, id_value in self._GetIdValue(sub_key):
# TODO: improve this check to a regex.
# The GUID is in the form {%GUID%} and stored an UTF-16 little-endian
# string and should be 78 bytes in size.
id_value_data_size = len(id_value.data)
if id_value_data_size != 78:
parser_mediator.ProduceParseError(
u'unsupported Id value data size: {0:d}.'.format(
id_value_data_size))
continue
guid_string = id_value.GetDataAsObject()
task_guids[guid_string] = value_key.name
for sub_key in tasks_key.GetSubkeys():
dynamic_info_value = sub_key.GetValueByName(u'DynamicInfo')
if not dynamic_info_value:
continue
dynamic_info_value_data_size = len(dynamic_info_value.data)
if dynamic_info_value_data_size == self._DYNAMIC_INFO_STRUCT_SIZE:
dynamic_info_struct = self._DYNAMIC_INFO_STRUCT.parse(
dynamic_info_value.data)
elif dynamic_info_value_data_size == self._DYNAMIC_INFO2_STRUCT_SIZE:
dynamic_info_struct = self._DYNAMIC_INFO_STRUCT.parse(
dynamic_info_value.data)
else:
if not dynamic_info_size_error_reported:
parser_mediator.ProduceParseError(
u'unsupported DynamicInfo value data size: {0:d}.'.
format(dynamic_info_value_data_size))
dynamic_info_size_error_reported = True
continue
name = task_guids.get(sub_key.name, sub_key.name)
values_dict = {}
values_dict[u'Task: {0:s}'.format(name)] = u'[ID: {0:s}]'.format(
sub_key.name)
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset)
parser_mediator.ProduceEvent(event_object)
last_registered_time = dynamic_info_struct.get(
u'last_registered_time')
if last_registered_time:
# Note this is likely either the last registered time or
# the update time.
event_object = TaskCacheEvent(last_registered_time,
u'Last registered time', name,
sub_key.name)
parser_mediator.ProduceEvent(event_object)
launch_time = dynamic_info_struct.get(u'launch_time')
if launch_time:
# Note this is likely the launch time.
event_object = TaskCacheEvent(launch_time, u'Launch time',
name, sub_key.name)
parser_mediator.ProduceEvent(event_object)
unknown_time = dynamic_info_struct.get(u'unknown_time')
if unknown_time:
event_object = TaskCacheEvent(unknown_time, u'Unknown time',
name, sub_key.name)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Parses a UserAssist Registry key.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
version_value = registry_key.GetValueByName(u'Version')
count_subkey = registry_key.GetSubkeyByName(u'Count')
if not version_value:
parser_mediator.ProduceParseError(u'Missing version value')
return
if not version_value.DataIsInteger():
parser_mediator.ProduceParseError(
u'Unsupported version value data type')
return
format_version = version_value.GetDataAsObject()
if format_version not in (3, 5):
parser_mediator.ProduceParseError(
u'Unsupported format version: {0:d}'.format(format_version))
return
if not count_subkey:
parser_mediator.ProduceParseError(u'Missing count subkey')
return
userassist_entry_index = 0
for registry_value in count_subkey.GetValues():
try:
value_name = registry_value.name.decode(u'rot-13')
except UnicodeEncodeError as exception:
logging.debug((
u'Unable to decode UserAssist string: {0:s} with error: {1:s}.\n'
u'Attempting piecewise decoding.').format(
registry_value.name, exception))
characters = []
for char in registry_value.name:
if ord(char) < 128:
try:
characters.append(char.decode(u'rot-13'))
except UnicodeEncodeError:
characters.append(char)
else:
characters.append(char)
value_name = u''.join(characters)
if format_version == 5:
path_segments = value_name.split(u'\\')
for segment_index in range(0, len(path_segments)):
# Remove the { } from the path segment to get the GUID.
guid = path_segments[segment_index][1:-1]
path_segments[segment_index] = known_folder_ids.PATHS.get(
guid, path_segments[segment_index])
value_name = u'\\'.join(path_segments)
# Check if we might need to substitute values.
if u'%' in value_name:
# TODO: deprecate direct use of pre_obj.
value_name = environ_expand.ExpandWindowsEnvironmentVariables(
value_name, parser_mediator.knowledge_base.pre_obj)
value_data_size = len(registry_value.data)
if not registry_value.DataIsBinaryData():
parser_mediator.ProduceParseError(
u'Unsupported value data type: {0:s}'.format(
registry_value.data_type_string))
elif value_name == u'UEME_CTLSESSION':
pass
elif format_version == 3:
if value_data_size != self._USERASSIST_V3_STRUCT.sizeof():
parser_mediator.ProduceParseError(
u'Unsupported value data size: {0:d}'.format(
value_data_size))
else:
parsed_data = self._USERASSIST_V3_STRUCT.parse(
registry_value.data)
filetime = parsed_data.get(u'timestamp', 0)
count = parsed_data.get(u'count', 0)
if count > 5:
count -= 5
values_dict = {}
values_dict[value_name] = u'[Count: {0:d}]'.format(count)
event_object = windows_events.WindowsRegistryEvent(
filetime,
count_subkey.path,
values_dict,
offset=registry_value.offset)
parser_mediator.ProduceEvent(event_object)
elif format_version == 5:
if value_data_size != self._USERASSIST_V5_STRUCT.sizeof():
parser_mediator.ProduceParseError(
u'Unsupported value data size: {0:d}'.format(
value_data_size))
parsed_data = self._USERASSIST_V5_STRUCT.parse(
registry_value.data)
userassist_entry_index += 1
count = parsed_data.get(u'count', None)
app_focus_count = parsed_data.get(u'app_focus_count', None)
focus_duration = parsed_data.get(u'focus_duration', None)
filetime = parsed_data.get(u'timestamp', 0)
values_dict = {}
values_dict[value_name] = (
u'[UserAssist entry: {0:d}, Count: {1:d}, '
u'Application focus count: {2:d}, Focus duration: {3:d}]'
).format(userassist_entry_index, count, app_focus_count,
focus_duration)
event_object = windows_events.WindowsRegistryEvent(
filetime,
count_subkey.path,
values_dict,
offset=count_subkey.offset)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect Values under USBStor and return an event object for each one.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
for subkey in registry_key.GetSubkeys():
values_dict = {}
values_dict[u'subkey_name'] = subkey.name
# Time last USB device of this class was first inserted.
event_object = windows_events.WindowsRegistryEvent(
subkey.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND,
usage=eventdata.EventTimestamp.FIRST_CONNECTED)
parser_mediator.ProduceEvent(event_object)
name_values = subkey.name.split(u'&')
number_of_name_values = len(name_values)
# Normally we expect 4 fields here however that is not always the case.
if number_of_name_values != 4:
logging.warning(
u'Expected 4 &-separated values in: {0:s}'.format(
subkey.name))
if number_of_name_values >= 1:
values_dict[u'device_type'] = name_values[0]
if number_of_name_values >= 2:
values_dict[u'vendor'] = name_values[1]
if number_of_name_values >= 3:
values_dict[u'product'] = name_values[2]
if number_of_name_values >= 4:
values_dict[u'revision'] = name_values[3]
for devicekey in subkey.GetSubkeys():
values_dict[u'serial'] = devicekey.name
friendly_name_value = devicekey.GetValueByName(u'FriendlyName')
if friendly_name_value:
values_dict[
u'friendly_name'] = friendly_name_value.GetDataAsObject(
)
else:
values_dict.pop(u'friendly_name', None)
# ParentIdPrefix applies to Windows XP Only.
parent_id_prefix_value = devicekey.GetValueByName(
u'ParentIdPrefix')
if parent_id_prefix_value:
values_dict[u'parent_id_prefix'] = (
parent_id_prefix_value.GetDataAsObject())
else:
values_dict.pop(u'parent_id_prefix', None)
# Win7 - Last Connection.
# Vista/XP - Time of an insert.
event_object = windows_events.WindowsRegistryEvent(
devicekey.last_written_time,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND,
usage=eventdata.EventTimestamp.LAST_CONNECTED)
parser_mediator.ProduceEvent(event_object)
# Build list of first Insertion times.
first_insert = []
device_parameter_key = devicekey.GetSubkeyByName(
u'Device Parameters')
if device_parameter_key:
first_insert.append(device_parameter_key.last_written_time)
log_configuration_key = devicekey.GetSubkeyByName(u'LogConf')
if (log_configuration_key
and log_configuration_key.last_written_time
not in first_insert):
first_insert.append(
log_configuration_key.last_written_time)
properties_key = devicekey.GetSubkeyByName(u'Properties')
if (properties_key and properties_key.last_written_time
not in first_insert):
first_insert.append(properties_key.last_written_time)
# Add first Insertion times.
for timestamp in first_insert:
event_object = windows_events.WindowsRegistryEvent(
timestamp,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND,
usage=eventdata.EventTimestamp.LAST_CONNECTED)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Collect data from Users and Names and produce event objects.
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
names_key = registry_key.GetSubkeyByName(u'Names')
if not names_key:
parser_mediator.ProduceParseError(u'missing subkey: "Names".')
return
values = [(v.name, v.last_written_time)
for v in names_key.GetSubkeys()]
usernames_dict = dict(values)
for subkey in registry_key.GetSubkeys():
if subkey.name == u'Names':
continue
f_value = subkey.GetValueByName(u'F')
if not f_value:
parser_mediator.ProduceParseError(
u'missing Registry value: "F" in subkey: {0:s}.'.format(
subkey.name))
continue
v_value = subkey.GetValueByName(u'V')
if not v_value:
parser_mediator.ProduceParseError(
u'missing Registry value: "V" in subkey: {0:s}.'.format(
subkey.name))
continue
try:
f_data_struct = self._F_VALUE_STRUCT.parse(f_value.data)
except construct.FieldError as exception:
parser_mediator.ProduceParseError(
(u'unable to parse Registry value: "F" in subkey: {0:s} '
u'with error: {1:s}.').format(subkey.name, exception))
continue
try:
v_data_struct = self._V_VALUE_HEADER.parse(v_value.data)
except construct.FieldError as exception:
parser_mediator.ProduceParseError(
(u'unable to parse Registry value: "V" in subkey: {0:s} '
u'with error: {1:s}.').format(subkey.name, exception))
continue
v_header_values = v_data_struct.values()[0]
data_start_offset = v_header_values[
3] + self._V_VALUE_STRINGS_OFFSET
data_end_offset = v_header_values[4] + data_start_offset
utf16_stream = v_value.data[data_start_offset:data_end_offset]
try:
username = utf16_stream.decode(u'utf-16-le')
except (UnicodeDecodeError, UnicodeEncodeError) as exception:
username = utf16_stream.decode(u'utf-16-le', errors=u'replace')
parser_mediator.ProduceParseError((
u'unable to decode username string with error: {0:s}. Characters '
u'that cannot be decoded will be replaced with "?" or '
u'"\\ufffd".').format(exception))
data_start_offset = v_header_values[
6] + self._V_VALUE_STRINGS_OFFSET
data_end_offset = v_header_values[7] + data_start_offset
utf16_stream = v_value.data[data_start_offset:data_end_offset]
try:
fullname = utf16_stream.decode(u'utf-16-le')
except (UnicodeDecodeError, UnicodeEncodeError) as exception:
fullname = utf16_stream.decode(u'utf-16-le', errors=u'replace')
parser_mediator.ProduceParseError((
u'unable to decode fullname string with error: {0:s}. Characters '
u'that cannot be decoded will be replaced with "?" or '
u'"\\ufffd".').format(exception))
data_start_offset = v_header_values[
9] + self._V_VALUE_STRINGS_OFFSET
data_end_offset = v_header_values[10] + data_start_offset
utf16_stream = v_value.data[data_start_offset:data_end_offset]
try:
comments = utf16_stream.decode(u'utf-16-le')
except (UnicodeDecodeError, UnicodeEncodeError) as exception:
comments = utf16_stream.decode(u'utf-16-le', errors=u'replace')
parser_mediator.ProduceParseError((
u'unable to decode comments string with error: {0:s}. Characters '
u'that cannot be decoded will be replaced with "?" or '
u'"\\ufffd".').format(exception))
filetime = None
if usernames_dict:
filetime = usernames_dict.get(username, None)
# TODO: check if subkey.name == f_data_struct.rid
if filetime:
values_dict = {
u'account_rid': f_data_struct.rid,
u'login_count': f_data_struct.login_count
}
if username:
values_dict[u'username'] = username
if fullname:
values_dict[u'full_name'] = fullname
if comments:
values_dict[u'comments'] = comments
event_object = windows_events.WindowsRegistryEvent(
filetime,
registry_key.path,
values_dict,
offset=registry_key.offset,
source_append=self._SOURCE_APPEND)
parser_mediator.ProduceEvent(event_object)
if f_data_struct.last_login > 0:
event_object = SAMUsersWindowsRegistryEvent(
f_data_struct.last_login,
eventdata.EventTimestamp.LAST_LOGIN_TIME,
registry_key.path, f_value.offset, f_data_struct.rid,
f_data_struct.login_count, username, fullname, comments)
parser_mediator.ProduceEvent(event_object)
if f_data_struct.password_reset > 0:
event_object = SAMUsersWindowsRegistryEvent(
f_data_struct.password_reset,
eventdata.EventTimestamp.LAST_PASSWORD_RESET,
registry_key.path, f_value.offset, f_data_struct.rid,
f_data_struct.login_count, username, fullname, comments)
parser_mediator.ProduceEvent(event_object)
def GetEntries(self, parser_mediator, registry_key, **kwargs):
"""Retrieves information of the Internet Settings Zones values.
The MSIE Feature controls are stored in the Zone specific subkeys in:
Internet Settings\\Zones key
Internet Settings\\Lockdown_Zones key
Args:
parser_mediator: A parser mediator object (instance of ParserMediator).
registry_key: A Windows Registry key (instance of
dfwinreg.WinRegistryKey).
"""
values_dict = {}
if registry_key.number_of_values > 0:
for registry_value in registry_key.GetValues():
value_name = registry_value.name or u'(default)'
if registry_value.DataIsString():
value_string = u'[{0:s}] {1:s}'.format(
registry_value.data_type_string, registry_value.GetDataAsObject())
elif registry_value.DataIsInteger():
value_string = u'[{0:s}] {1:d}'.format(
registry_value.data_type_string, registry_value.GetDataAsObject())
elif registry_value.DataIsMultiString():
value_string = u'[{0:s}] {1:s}'.format(
registry_value.data_type_string, u''.join(
registry_value.GetDataAsObject()))
else:
value_string = u'[{0:s}]'.format(registry_value.data_type_string)
values_dict[value_name] = value_string
# Generate at least one event object for the key.
event_object = windows_events.WindowsRegistryEvent(
registry_key.last_written_time, registry_key.path, values_dict,
offset=registry_key.offset, urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
if registry_key.number_of_subkeys == 0:
error_string = u'Key: {0:s} missing subkeys.'.format(registry_key.path)
parser_mediator.ProduceParseError(error_string)
return
for zone_key in registry_key.GetSubkeys():
# TODO: these values are stored in the Description value of the
# zone key. This solution will break on zone values that are larger
# than 5.
path = u'{0:s}\\{1:s}'.format(
registry_key.path, self._ZONE_NAMES[zone_key.name])
values_dict = {}
# TODO: this plugin currently just dumps the values and does not
# distinguish between what is a feature control or not.
for value in zone_key.GetValues():
# Ignore the default value.
if not value.name:
continue
if value.DataIsString():
value_string = value.GetDataAsObject()
elif value.DataIsInteger():
value_integer = value.GetDataAsObject()
if value.name in self._KNOWN_PERMISSIONS_VALUE_NAMES:
value_string = self._CONTROL_VALUES_PERMISSIONS.get(
value_integer, u'UNKNOWN')
elif value.name == u'1A00':
value_string = self._CONTROL_VALUES_1A00.get(
value_integer, u'UNKNOWN')
elif value.name == u'1C00':
value_string = self._CONTROL_VALUES_1C00.get(
value_integer, u'UNKNOWN')
elif value.name == u'1E05':
value_string = self._CONTROL_VALUES_SAFETY.get(
value_integer, u'UNKNOWN')
else:
value_string = u'{0:d}'.format(value_integer)
else:
value_string = u'[{0:s}]'.format(value.data_type_string)
if len(value.name) == 4 and value.name != u'Icon':
value_description = self._FEATURE_CONTROLS.get(value.name, u'UNKNOWN')
else:
value_description = self._FEATURE_CONTROLS.get(value.name, u'')
if value_description:
feature_control = u'[{0:s}] {1:s}'.format(
value.name, value_description)
else:
feature_control = u'[{0:s}]'.format(value.name)
values_dict[feature_control] = value_string
event_object = windows_events.WindowsRegistryEvent(
zone_key.last_written_time, path, values_dict,
offset=zone_key.offset, urls=self.URLS)
parser_mediator.ProduceEvent(event_object)
