def test_userassist_winxp(mock_reg_xp):
    """Check UserAssist parsing against the Windows XP registry fixture.

    Runs the plugin over ``mock_reg_xp`` as an ``NTUSER.DAT`` hive and
    expects exactly one result whose ``custom["userassist"]`` object
    carries a decoded program path ending in ``\\notepad.exe`` and an
    execution count of 3.

    UserAssist is per-user evidence of program execution, so a wrong
    decode or count here would misstate what a user ran.
    """
    userassist_plugin = plugin(mock_reg_xp, LoggerMock(), "NTUSER.DAT", "-")
    records = list(userassist_plugin.run())
    assert len(records) == 1, "There should be a single result"

    record = records[0]
    assert (
        "userassist" in record.custom.keys()
    ), "A 'userassist' object should have been created"

    entry = record.custom["userassist"]
    # The value name is stored obfuscated in the hive (commonly ROT13 for
    # UserAssist); the test only sees the plugin's decoded form.
    assert entry.name.endswith("\\notepad.exe"), "Decoded name should be notepad"
    # NOTE(review): XP-era UserAssist counters are commonly described as
    # starting from an offset rather than zero -- confirm whether the
    # expected 3 is the raw or the adjusted value for this fixture.
    assert entry.number_of_execs == 3, "Notepad was executed 3 times"
def test_userassist_win7(mock_reg_seven):
    """Check UserAssist parsing against the Windows 7 registry fixture.

    Runs the plugin over ``mock_reg_seven`` as an ``NTUSER.DAT`` hive and
    expects exactly one result whose ``custom["userassist"]`` object
    carries a decoded program path ending in ``\\notepad.exe``, an
    execution count of 6, a focus count of 5 and a focus time of 0xEA60.
    """
    userassist_plugin = plugin(mock_reg_seven, LoggerMock(), "NTUSER.DAT", "-")
    records = list(userassist_plugin.run())
    assert len(records) == 1, "There should be a single result"

    record = records[0]
    assert (
        "userassist" in record.custom.keys()
    ), "A 'userassist' object should have been created"

    entry = record.custom["userassist"]
    # The value name is stored obfuscated in the hive (commonly ROT13 for
    # UserAssist); the test only sees the plugin's decoded form.
    assert entry.name.endswith("\\notepad.exe"), "Decoded name should be notepad"
    assert entry.number_of_execs == 6, "Notepad was executed 6 times"
    assert entry.focus_count == 5, "Notepad was focused 5 times"
    # NOTE(review): 0xEA60 == 60000. Windows 7 UserAssist focus time is
    # generally documented as milliseconds, which would make this 60 s
    # rather than 60,000 s -- confirm the unit behind focus_time_secs,
    # since a wrong unit would skew any activity timeline by 1000x.
    assert (
        entry.focus_time_secs == 0xEA60
    ), "Notepad was focused for 60,000 seconds (!!)"