def testCollectEmpty(self):
  """Tests that Collect reports nothing for a Registry without any keys."""
  empty_registry = dfwinreg_registry.WinRegistry()
  writer = test_lib.TestOutputWriter()

  collector = userassist.UserAssistCollector(output_writer=writer)
  collected = collector.Collect(empty_registry)
  writer.Close()

  # An empty Registry has no UserAssist key, so nothing is collected.
  self.assertFalse(collected)
  self.assertEqual(len(collector.user_assist_entries), 0)
def testCollect(self):
  """Tests that Collect finds the single entry in the test Registry."""
  test_registry = self._CreateTestRegistry()
  writer = test_lib.TestOutputWriter()

  collector = userassist.UserAssistCollector(output_writer=writer)
  collected = collector.Collect(test_registry)
  writer.Close()

  # The test Registry built by _CreateTestRegistry carries exactly one
  # UserAssist entry.
  self.assertTrue(collected)
  self.assertEqual(len(collector.user_assist_entries), 1)
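def _PrintUserAssistEntries(user_assist_entries):
  """Prints collected UserAssist entries to stdout, grouped by GUID.

  Args:
    user_assist_entries (list): entries as collected by the
        UserAssistCollector; each is expected to expose the guid, name and
        value_name attributes used below.
  """
  current_guid = None
  for user_assist_entry in user_assist_entries:
    # The GUID header is only printed when it changes, so consecutive
    # entries of the same UserAssist sub key are visually grouped.
    if user_assist_entry.guid != current_guid:
      print('GUID\t\t: {0:s}'.format(user_assist_entry.guid))
      current_guid = user_assist_entry.guid

    print('Name\t\t: {0:s}'.format(user_assist_entry.name))
    print('Original name\t: {0:s}'.format(user_assist_entry.value_name))
    print('')


def Main():
  """The main program function.

  Parses the command line, scans the source for a Windows volume and prints
  the UserAssist entries found in its Registry.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts the UserAssist information from a NTUSER.DAT Registry file.'))

  argument_parser.add_argument(
      '--codepage', dest='codepage', action='store', metavar='CODEPAGE',
      default='cp1252', help='the codepage of the extended ASCII strings.')

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=('path of the volume containing C:\\Windows, the filename of '
            'a storage media image containing the C:\\Windows directory, '
            'or the path of a NTUSER.DAT Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer = output_writers.StdoutOutputWriter()

  if not output_writer.Open():
    print('Unable to open output writer.')
    print('')
    return False

  # NOTE(review): options.codepage is parsed but never used below — confirm
  # whether UserAssistCollector is meant to receive it.

  try:
    mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
    scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

    volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
    volume_scanner_options.partitions = ['all']
    volume_scanner_options.snapshots = ['none']
    volume_scanner_options.volumes = ['none']

    if not scanner.ScanForWindowsVolume(
        options.source, options=volume_scanner_options):
      print((
          'Unable to retrieve the volume with the Windows directory from: '
          '{0:s}.').format(options.source))
      print('')
      return False

    # TODO: map collector to available Registry keys.
    collector_object = userassist.UserAssistCollector(
        debug=options.debug, output_writer=output_writer)

    result = collector_object.Collect(scanner.registry)
    if not result:
      print('No UserAssist key found.')
    else:
      _PrintUserAssistEntries(collector_object.user_assist_entries)

  finally:
    # Close the writer on every exit path once it has been opened, including
    # the volume-scan failure return above.
    output_writer.Close()

  return True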