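def testProcess(self):
    """Tests the Process function on a synthetic Winlogon key.

    The key is built by ``_CreateTestKey`` (defined on the test case, not
    shown here) with a single fixed last-written time, so every emitted
    event must carry that timestamp.  The plugin is expected to produce
    14 events and no extraction or recovery warnings.

    Events are sorted on timestamp and description only, which leaves the
    relative order of events sharing the same timestamp non-deterministic.
    The two events checked in detail are therefore located by their
    ``application``/``trigger`` attributes rather than by list index.

    NOTE(review): Winlogon values and ``Notify`` handler subkeys are
    well-known persistence locations, which is why a forensic timeline
    wants each of them as a distinct event; the fixture contents that
    make up the 14 events live in ``_CreateTestKey``.
    """
    key_path = (
        'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion')
    time_string = '2013-01-30 10:47:57'
    registry_key = self._CreateTestKey(key_path, time_string)

    plugin = winlogon.WinlogonPlugin()
    storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

    self.assertEqual(storage_writer.number_of_events, 14)
    self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
    self.assertEqual(storage_writer.number_of_recovery_warnings, 0)

    events = list(storage_writer.GetSortedEvents())

    # Every event must share the key's last-written time and data type;
    # pick out the two events inspected in detail while iterating.
    test_event1 = None
    test_event2 = None
    for event in events:
        self.CheckTimestamp(event.timestamp, '2013-01-30 10:47:57.000000')

        event_data = self._GetEventDataOfEvent(storage_writer, event)
        self.assertEqual(event_data.data_type, 'windows:registry:winlogon')

        if event_data.application == 'VmApplet':
            test_event1 = event
        elif (event_data.application == 'NavLogon' and
              event_data.trigger == 'Logoff'):
            test_event2 = event

    # Fail with an explicit message if either event was not emitted, rather
    # than letting CheckEventValues trip over a None event further down.
    self.assertIsNotNone(test_event1, 'VmApplet Logon event not found')
    self.assertIsNotNone(test_event2, 'NavLogon Logoff event not found')

    expected_event_values = {
        'application': 'VmApplet',
        'command': 'SystemPropertiesPerformance.exe/pagefile',
        'date_time': '2013-01-30 10:47:57.0000000',
        'data_type': 'windows:registry:winlogon',
        'key_path': key_path,
        'trigger': 'Logon'}

    self.CheckEventValues(storage_writer, test_event1, expected_event_values)

    expected_event_values = {
        'application': 'NavLogon',
        'command': 'NavLogon.dll',
        'date_time': '2013-01-30 10:47:57.0000000',
        'data_type': 'windows:registry:winlogon',
        'key_path': '{0:s}\\Notify\\NavLogon'.format(key_path),
        'trigger': 'Logoff'}

    self.CheckEventValues(storage_writer, test_event2, expected_event_values)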
def testFilters(self):
    """Tests the FILTERS class attribute.

    The plugin must match the Winlogon key under
    ``HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion``
    and must not match an unrelated key.
    """
    base_key_path = (
        'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion')
    winlogon_key_path = '{0:s}\\Winlogon'.format(base_key_path)
    bogus_key_path = 'HKEY_LOCAL_MACHINE\\Bogus'

    plugin_object = winlogon.WinlogonPlugin()

    # Positive match: the real Winlogon key.
    self._AssertFiltersOnKeyPath(plugin_object, winlogon_key_path)
    # Negative match: an arbitrary key under the same hive.
    self._AssertNotFiltersOnKeyPath(plugin_object, bogus_key_path)
def testProcess(self):
    """Tests the Process function on a synthetic Winlogon key.

    The key comes from ``_CreateTestKey`` (defined on the test case, not
    shown here) with a fixed last-written time.  The plugin is expected to
    produce 14 events and no warnings.  Two events, the first and the last
    after sorting, are checked against their full and short message
    strings.

    NOTE(review): the two events are selected by position in the sorted
    list; if sorting does not fully order events that share a timestamp,
    the indices may be fragile.  Kept as-is here.
    """
    key_path = (
        'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion')
    time_string = '2013-01-30 10:47:57'
    expected_timestamp_string = '2013-01-30 10:47:57.000000'
    registry_key = self._CreateTestKey(key_path, time_string)

    plugin_object = winlogon.WinlogonPlugin()
    storage_writer = self._ParseKeyWithPlugin(registry_key, plugin_object)

    self.assertEqual(storage_writer.number_of_warnings, 0)
    self.assertEqual(storage_writer.number_of_events, 14)

    sorted_events = list(storage_writer.GetSortedEvents())

    # (index into sorted_events, expected full message) pairs.
    checks = [
        (0, ('[{0:s}\\Notify\\NavLogon] '
             'Application: NavLogon '
             'Command: NavLogon.dll '
             'Handler: NavLogoffEvent '
             'Trigger: Logoff').format(key_path)),
        (13, ('[{0:s}] '
              'Application: VmApplet '
              'Command: SystemPropertiesPerformance.exe/pagefile '
              'Trigger: Logon').format(key_path)),
    ]

    for index, expected_message in checks:
        event_object = sorted_events[index]
        self.CheckTimestamp(event_object.timestamp, expected_timestamp_string)

        event_data = self._GetEventDataOfEvent(storage_writer, event_object)
        self.assertEqual(event_data.data_type, 'windows:registry:winlogon')

        # The short message is the first 77 characters plus an ellipsis.
        expected_short_message = '{0:s}...'.format(expected_message[:77])
        self._TestGetMessageStrings(
            event_object, expected_message, expected_short_message)
def testProcess(self):
    """Tests the Process function on a synthetic Winlogon key.

    The key is built by ``_CreateTestKey`` (defined on the test case, not
    shown here) with a fixed last-written time.  The plugin is expected to
    emit 14 events.  Because subkey parsing order is not guaranteed, the
    events are sorted by their equality string before the first and last
    are checked against their message strings.
    """
    key_path = (
        u'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion')
    time_string = u'2013-01-30 10:47:57'
    registry_key = self._CreateTestKey(key_path, time_string)

    plugin_instance = winlogon.WinlogonPlugin()
    storage_writer = self._ParseKeyWithPlugin(registry_key, plugin_instance)

    self.assertEqual(len(storage_writer.events), 14)

    # Subkey parse order is not guaranteed, so impose a deterministic order.
    # TODO: look into this.
    ordered_events = sorted(
        storage_writer.events, key=lambda evt: evt.EqualityString())

    expected_timestamp = timelib.Timestamp.CopyFromString(time_string)

    def _check_event(event_object, expected_message):
        """Asserts the timestamp and message strings of one event."""
        self.assertEqual(event_object.timestamp, expected_timestamp)
        # The short message is the first 77 characters plus an ellipsis.
        expected_short_message = u'{0:s}...'.format(expected_message[0:77])
        self._TestGetMessageStrings(
            event_object, expected_message, expected_short_message)

    _check_event(ordered_events[0], (
        u'[{0:s}\\Notify\\NavLogon] '
        u'Application: NavLogon '
        u'Command: NavLogon.dll '
        u'Handler: NavLogoffEvent '
        u'Trigger: Logoff').format(key_path))

    _check_event(ordered_events[13], (
        u'[{0:s}] '
        u'Application: VmApplet '
        u'Command: SystemPropertiesPerformance.exe/pagefile '
        u'Trigger: Logon').format(key_path))
def testProcess(self):
    """Tests the Process function on a synthetic Winlogon key.

    The key comes from ``_CreateTestKey`` (defined on the test case, not
    shown here) with a fixed last-written time.  The plugin is expected to
    emit 14 events; the events at sorted positions 3 and 2 are checked
    against their full and short message strings.

    NOTE(review): positional selection depends on the sort being stable for
    events that share a timestamp; kept as-is here.
    """
    key_path = (
        u'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion')
    time_string = u'2013-01-30 10:47:57'
    registry_key = self._CreateTestKey(key_path, time_string)

    plugin_instance = winlogon.WinlogonPlugin()
    storage_writer = self._ParseKeyWithPlugin(registry_key, plugin_instance)

    self.assertEqual(storage_writer.number_of_events, 14)

    ordered_events = list(storage_writer.GetSortedEvents())
    expected_timestamp = timelib.Timestamp.CopyFromString(time_string)

    # (index into ordered_events, expected full message) in check order.
    checks = [
        (3, (u'[{0:s}\\Notify\\NavLogon] '
             u'Application: NavLogon '
             u'Command: NavLogon.dll '
             u'Handler: NavLogoffEvent '
             u'Trigger: Logoff').format(key_path)),
        (2, (u'[{0:s}] '
             u'Application: VmApplet '
             u'Command: SystemPropertiesPerformance.exe/pagefile '
             u'Trigger: Logon').format(key_path)),
    ]

    for index, expected_message in checks:
        event_object = ordered_events[index]
        self.assertEqual(event_object.timestamp, expected_timestamp)

        # The short message is the first 77 characters plus an ellipsis.
        expected_short_message = u'{0:s}...'.format(expected_message[:77])
        self._TestGetMessageStrings(
            event_object, expected_message, expected_short_message)