예제 #1
    def testProcess(self):
        """Tests the Process function.

        Parses a synthetic DesktopStreamMRU key with the MRUList shell item
        list plugin and pins the MRUList event and one shell item event it
        produces: timestamps, data types, parser attribution and the long and
        short message strings.
        """
        key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer\\DesktopStreamMRU')
        last_written_time = '2012-08-28 09:23:49.002031'
        registry_key = self._CreateTestKey(key_path, last_written_time)

        plugin = mrulist.MRUListShellItemListWindowsRegistryPlugin()
        storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

        # The key is expected to parse without warnings and yield five events.
        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 5)

        events = list(storage_writer.GetEvents())

        # The MRUList event is the last of the five; its timestamp is the one
        # the test key was created with.
        mrulist_event = events[4]
        self.CheckTimestamp(mrulist_event.timestamp, last_written_time)

        mrulist_event_data = self._GetEventDataOfEvent(
            storage_writer, mrulist_event)

        # The plugin is invoked directly rather than through the parser, so
        # the parser attribution is expected to be the bare plugin name.
        self.assertEqual(mrulist_event_data.parser, plugin.plugin_name)
        self.assertEqual(
            mrulist_event_data.data_type, 'windows:registry:mrulist')

        expected_message = (
            '[{0:s}] '
            'Index: 1 [MRU Value a]: Shell item path: '
            '<My Computer> C:\\Winnt\\Profiles\\Administrator\\Desktop'
        ).format(key_path)
        # The short form is the first 77 characters of the long message
        # followed by an ellipsis.
        expected_short_message = '{0:s}...'.format(expected_message[:77])

        self._TestGetMessageStrings(
            mrulist_event, expected_message, expected_short_message)

        # The first event is a shell item event for the "Winnt" entry, with
        # its own (earlier) timestamp.
        shell_item_event = events[0]
        self.CheckTimestamp(
            shell_item_event.timestamp, '2011-01-14 12:03:52.000000')

        shell_item_event_data = self._GetEventDataOfEvent(
            storage_writer, shell_item_event)
        self.assertEqual(
            shell_item_event_data.data_type, 'windows:shell_item:file_entry')

        expected_message = (
            'Name: Winnt '
            'Shell item path: <My Computer> C:\\Winnt '
            'Origin: {0:s}').format(key_path)
        expected_short_message = (
            'Name: Winnt '
            'Origin: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\'
            'CurrentVersi...')

        self._TestGetMessageStrings(
            shell_item_event, expected_message, expected_short_message)
예제 #2
    def testFilters(self):
        """Tests the FILTERS class attribute.

        The plugin must match the DesktopStreamMRU key under HKEY_CURRENT_USER
        and must not match an unrelated key path.
        """
        plugin = mrulist.MRUListShellItemListWindowsRegistryPlugin()

        matching_key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer\\DesktopStreamMRU')
        self._AssertFiltersOnKeyPath(plugin, matching_key_path)

        # Negative case: a key path outside the plugin's filter set.
        unrelated_key_path = 'HKEY_LOCAL_MACHINE\\Bogus'
        self._AssertNotFiltersOnKeyPath(plugin, unrelated_key_path)
예제 #3
    def testProcess(self):
        """Tests the Process function.

        Parses a synthetic DesktopStreamMRU key, checks the event count and
        the absence of extraction and recovery warnings, then checks the
        attribute values of the MRUList event and of one shell item event.
        """
        key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer\\DesktopStreamMRU')
        last_written_time = '2012-08-28 09:23:49.002031'
        registry_key = self._CreateTestKey(key_path, last_written_time)

        plugin = mrulist.MRUListShellItemListWindowsRegistryPlugin()
        storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

        # Five events are expected from the key; both warning containers
        # (extraction and recovery) must stay empty.
        expected_container_counts = (
            ('event', 5),
            ('extraction_warning', 0),
            ('recovery_warning', 0))
        for container_type, expected_count in expected_container_counts:
            actual_count = storage_writer.GetNumberOfAttributeContainers(
                container_type)
            self.assertEqual(actual_count, expected_count)

        events = list(storage_writer.GetEvents())

        # The MRUList event is the last of the five. Note the date_time here
        # carries seven fractional digits, unlike the shell item event below.
        mrulist_event_values = {
            'date_time': '2012-08-28 09:23:49.0020310',
            'data_type': 'windows:registry:mrulist',
            'entries': (
                'Index: 1 [MRU Value a]: Shell item path: <My Computer> '
                'C:\\Winnt\\Profiles\\Administrator\\Desktop'),
            # The plugin is invoked directly rather than through the parser,
            # so the parser attribution is expected to be the bare plugin name.
            'parser': plugin.NAME}
        self.CheckEventValues(storage_writer, events[4], mrulist_event_values)

        # The first event is a shell item event for the "Winnt" entry.
        shell_item_event_values = {
            'date_time': '2011-01-14 12:03:52',
            'data_type': 'windows:shell_item:file_entry',
            'name': 'Winnt',
            'origin': key_path,
            'shell_item_path': '<My Computer> C:\\Winnt'}
        self.CheckEventValues(
            storage_writer, events[0], shell_item_event_values)