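def Main():
  """The main program function.

  Parses the command line, locates the Windows Registry in the given source
  (volume, storage media image or NTUSER.DAT file) and runs the programs
  cache collector against it, writing results to stdout.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts the program cache from a NTUSER.DAT Registry file.'))

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=(
          'path of the volume containing C:\\Windows, the filename of '
          'a storage media image containing the C:\\Windows directory, '
          'or the path of a NTUSER.DAT Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer = output_writers.StdoutOutputWriter()
  if not output_writer.Open():
    print('Unable to open output writer.')
    print('')
    return False

  # The writer is open from here on: close it on every exit path, including
  # a failed Registry scan.
  try:
    # TODO: add support to select user.
    volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
    registry_collector = collector.WindowsRegistryCollector(
        mediator=volume_scanner_mediator)
    if not registry_collector.ScanForWindowsVolume(options.source):
      print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
          options.source))
      print('')
      return False

    # TODO: map collector to available Registry keys.
    collector_object = programscache.ProgramsCacheCollector(
        debug=options.debug, output_writer=output_writer)

    if not collector_object.Collect(registry_collector.registry):
      print('No Explorer StartPage or StartPage2 keys found.')

  finally:
    output_writer.Close()

  return True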
def testCollect(self):
  """Tests the Collect function against the NTUSER.DAT test file."""
  registry_collector = collector.WindowsRegistryCollector()
  registry_collector.ScanForWindowsVolume(
      self._GetTestFilePath(['NTUSER.DAT']))
  self.assertIsNotNone(registry_collector.registry)

  test_output_writer = test_lib.TestOutputWriter()
  collector_object = programscache.ProgramsCacheCollector(
      output_writer=test_output_writer)

  # Collect reports whether any programs cache keys were found.
  self.assertTrue(collector_object.Collect(registry_collector.registry))

  test_output_writer.Close()
def testCollect(self):
  """Tests the Collect function against the SOFTWARE test file."""
  registry_collector = collector.WindowsRegistryCollector()
  registry_collector.ScanForWindowsVolume(
      self._GetTestFilePath(['SOFTWARE']))
  self.assertIsNotNone(registry_collector.registry)

  test_output_writer = TestOutputWriter()
  collector_object = msie_zone_info.MSIEZoneInfoCollector()
  collector_object.Collect(registry_collector.registry, test_output_writer)
  test_output_writer.Close()

  # TODO: fix test.
  self.assertEqual(test_output_writer.text, [])
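def Main():
  """The main program function.

  Parses the command line, locates the Windows Registry in the given source
  (volume, storage media image or SOFTWARE file), runs the system
  information collector and prints the collected values.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts the system information from a SOFTWARE Registry file.'))

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=(
          'path of the volume containing C:\\Windows, the filename of '
          'a storage media image containing the C:\\Windows directory, '
          'or the path of a SOFTWARE Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer = output_writers.StdoutOutputWriter()
  if not output_writer.Open():
    print('Unable to open output writer.')
    print('')
    return False

  # The writer is open from here on: close it on every exit path, including
  # a failed Registry scan.
  try:
    volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
    registry_collector = collector.WindowsRegistryCollector(
        mediator=volume_scanner_mediator)
    if not registry_collector.ScanForWindowsVolume(options.source):
      print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
          options.source))
      print('')
      return False

    # TODO: map collector to available Registry keys.
    collector_object = sysinfo.SystemInfoCollector(
        debug=options.debug, output_writer=output_writer)

    if not collector_object.Collect(registry_collector.registry):
      print('No Current Version key found.')
    else:
      system_information = collector_object.system_information

      output_writer.WriteValue('Product name', system_information.product_name)
      output_writer.WriteValue(
          'Product identifier', system_information.product_identifier)
      output_writer.WriteValue(
          'Current version', system_information.current_version)
      output_writer.WriteValue('Current type', system_information.current_type)
      output_writer.WriteValue(
          'Current build number', system_information.current_build_number)
      output_writer.WriteValue('CSD version', system_information.csd_version)
      output_writer.WriteValue(
          'Registered organization',
          system_information.registered_organization)
      output_writer.WriteValue(
          'Registered owner', system_information.registered_owner)

      # NOTE(review): assumes installation_date is always set by the
      # collector; CopyToDateTimeString() on None would raise - confirm.
      date_time_value = system_information.installation_date
      output_writer.WriteValue(
          'Installation date', date_time_value.CopyToDateTimeString())

      output_writer.WriteValue('Path name', system_information.path_name)
      output_writer.WriteValue('%SystemRoot%', system_information.system_root)
      output_writer.WriteText('\n')

  finally:
    output_writer.Close()

  return True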
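def Main():
  """The main program function.

  Parses the command line, locates the Windows Registry in the given source
  (volume, storage media image or NTUSER.DAT file), runs the UserAssist
  collector and prints the collected entries grouped by GUID.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts the UserAssist information from a NTUSER.DAT Registry file.'))

  argument_parser.add_argument(
      '--codepage', dest='codepage', action='store', metavar='CODEPAGE',
      default='cp1252', help='the codepage of the extended ASCII strings.')

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  # Help text previously read "directory,or" (missing space after the comma).
  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=(
          'path of the volume containing C:\\Windows, the filename of '
          'a storage media image containing the C:\\Windows directory, '
          'or the path of a NTUSER.DAT Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer = output_writers.StdoutOutputWriter()
  if not output_writer.Open():
    print('Unable to open output writer.')
    print('')
    return False

  # The writer is open from here on: close it on every exit path, including
  # a failed Registry scan.
  try:
    volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
    registry_collector = collector.WindowsRegistryCollector(
        mediator=volume_scanner_mediator)
    if not registry_collector.ScanForWindowsVolume(options.source):
      print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
          options.source))
      print('')
      return False

    # TODO: map collector to available Registry keys.
    # TODO(review): options.codepage is parsed but never passed on - confirm
    # whether UserAssistCollector accepts a codepage and wire it through.
    collector_object = userassist.UserAssistCollector(debug=options.debug)

    if not collector_object.Collect(registry_collector.registry):
      print('No UserAssist key found.')
    else:
      # Entries are printed directly; the GUID header is repeated only when
      # the GUID changes between consecutive entries.
      previous_guid = None
      for user_assist_entry in collector_object.user_assist_entries:
        if user_assist_entry.guid != previous_guid:
          print('GUID\t\t: {0:s}'.format(user_assist_entry.guid))
          previous_guid = user_assist_entry.guid

        print('Original name\t: {0:s}'.format(user_assist_entry.value_name))
        print('Converted name\t: {0:s}'.format(user_assist_entry.name))
        print('')

  finally:
    output_writer.Close()

  return True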
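def Main():
  """The main program function.

  Parses the command line, locates the Windows Registry in the given source
  (volume, storage media image or SOFTWARE file) and runs the shell folders
  collector, writing either to stdout or to a sqlite3 database.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts the shell folder class identifiers from a SOFTWARE Registry '
      'file.'))

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  argument_parser.add_argument(
      '--db', dest='database', action='store', metavar='shellitems.db',
      default=None, help='path of the sqlite3 database to write to.')

  argument_parser.add_argument(
      '--winver', dest='windows_version', action='store', metavar='xp',
      default=None, help=(
          'string that identifies the Windows version in the database.'))

  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=(
          'path of the volume containing C:\\Windows, the filename of '
          'a storage media image containing the C:\\Windows directory, '
          'or the path of a SOFTWARE Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  # The Windows version tags the rows in the database, so it is only
  # required when writing to a database.
  if options.database and not options.windows_version:
    print('Windows version missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  if options.database:
    output_writer_object = Sqlite3Writer(
        options.database, options.windows_version)
  else:
    output_writer_object = StdoutWriter()

  if not output_writer_object.Open():
    print('Unable to open output writer.')
    print('')
    return False

  # The writer (possibly a database file) is open from here on: close it on
  # every exit path, including a failed Registry scan.
  try:
    volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
    registry_collector = collector.WindowsRegistryCollector(
        mediator=volume_scanner_mediator)
    if not registry_collector.ScanForWindowsVolume(options.source):
      print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
          options.source))
      print('')
      return False

    # TODO: map collector to available Registry keys.
    collector_object = shellfolders.ShellFoldersCollector(
        debug=options.debug)

    result = collector_object.Collect(
        registry_collector.registry, output_writer_object)
    if not result:
      print('No shell folder identifier keys found.')

  finally:
    output_writer_object.Close()

  return True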
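def Main():
  """The main program function.

  Parses the command line, locates the Windows Registry in the given source
  (volume, storage media image or SYSTEM file) and either lists the services
  of the selected control set(s) or the differences between control sets.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts the services information from a SYSTEM Registry file.'))

  argument_parser.add_argument(
      '--all', dest='all_control_sets', action='store_true', default=False,
      help=(
          'Process all control sets instead of only the current control set.'))

  argument_parser.add_argument(
      '--diff', dest='diff_control_sets', action='store_true', default=False,
      help='Only list differences between control sets.')

  argument_parser.add_argument(
      '--tsv', dest='use_tsv', action='store_true', default=False,
      help='Use tab separated value (TSV) output.')

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  # Help text previously read "directory,or" (missing space after the comma).
  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=(
          'path of the volume containing C:\\Windows, the filename of '
          'a storage media image containing the C:\\Windows directory, '
          'or the path of a SYSTEM Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer_object = StdoutWriter(use_tsv=options.use_tsv)
  if not output_writer_object.Open():
    print('Unable to open output writer.')
    print('')
    return False

  # The writer is open from here on: close it on every exit path, including
  # a failed Registry scan.
  try:
    volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
    registry_collector = collector.WindowsRegistryCollector(
        mediator=volume_scanner_mediator)
    if not registry_collector.ScanForWindowsVolume(options.source):
      print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
          options.source))
      print('')
      return False

    # TODO: map collector to available Registry keys.
    collector_object = services.WindowsServicesCollector(debug=options.debug)

    # --diff takes precedence; --all is only meaningful for a plain listing.
    if options.diff_control_sets:
      result = collector_object.Compare(
          registry_collector.registry, output_writer_object)
    else:
      result = collector_object.Collect(
          registry_collector.registry, output_writer_object,
          all_control_sets=options.all_control_sets)

    if not result:
      print('No Services key found.')

  finally:
    output_writer_object.Close()

  return True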
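def Main():
  """The main program function.

  Parses the command line, locates the Windows Registry in the given source
  (volume, storage media image or NTUSER.DAT file), runs the Most Recently
  Used collector and writes each entry, decoding embedded shell items.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts Most Recently Used information from a NTUSER.DAT Registry '
      'file.'))

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  # Help text previously read "directory,or" (missing space after the comma).
  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=(
          'path of the volume containing C:\\Windows, the filename of '
          'a storage media image containing the C:\\Windows directory, '
          'or the path of a NTUSER.DAT Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer = StdoutWriter()
  if not output_writer.Open():
    print('Unable to open output writer.')
    print('')
    return False

  # The writer is open from here on: close it on every exit path, including
  # a failed Registry scan.
  try:
    volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
    registry_collector = collector.WindowsRegistryCollector(
        mediator=volume_scanner_mediator)
    if not registry_collector.ScanForWindowsVolume(options.source):
      print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
          options.source))
      print('')
      return False

    # TODO: map collector to available Registry keys.
    collector_object = mru.MostRecentlyUsedCollector(
        debug=options.debug, output_writer=output_writer)

    if not collector_object.Collect(registry_collector.registry):
      print('No Most Recently Used key found.')
    else:
      for mru_entry in collector_object.mru_entries:
        output_writer.WriteValue('Key path', mru_entry.key_path)
        output_writer.WriteValue('Value name', mru_entry.value_name)
        if mru_entry.string:
          output_writer.WriteValue('String', mru_entry.string)

        # An entry carries either a single shell item or a shell item list;
        # the byte streams come straight from the Registry value data.
        if mru_entry.shell_item_data:
          shell_item = pyfwsi.item()
          shell_item.copy_from_byte_stream(mru_entry.shell_item_data)
          output_writer.WriteShellItem(shell_item)

        elif mru_entry.shell_item_list_data:
          shell_item_list = pyfwsi.item_list()
          shell_item_list.copy_from_byte_stream(
              mru_entry.shell_item_list_data)
          for shell_item in shell_item_list.items:
            output_writer.WriteShellItem(shell_item)

        output_writer.WriteText('')

  finally:
    output_writer.Close()

  return True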
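def Main():
  """The main program function.

  Parses the command line, locates the Windows Registry in the given source
  (volume, storage media image or SYSTEM file), runs the Application
  Compatibility Cache collector and writes the cached entries.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts Application Compatibility Cache information from '
      'a SYSTEM Registry file.'))

  argument_parser.add_argument(
      '--all', dest='all_control_sets', action='store_true', default=False,
      help=(
          'Process all control sets instead of only the current control set.'))

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  # Help text previously read "directory,or" (missing space after the comma).
  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=(
          'path of the volume containing C:\\Windows, the filename of '
          'a storage media image containing the C:\\Windows directory, '
          'or the path of a SYSTEM Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer = output_writers.StdoutOutputWriter()
  if not output_writer.Open():
    print('Unable to open output writer.')
    print('')
    return False

  # The writer is open from here on: close it on every exit path, including
  # a failed Registry scan.
  try:
    volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
    registry_collector = collector.WindowsRegistryCollector(
        mediator=volume_scanner_mediator)
    if not registry_collector.ScanForWindowsVolume(options.source):
      print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
          options.source))
      print('')
      return False

    # TODO: map collector to available Registry keys.
    collector_object = appcompatcache.AppCompatCacheCollector(
        debug=options.debug, output_writer=output_writer)

    result = collector_object.Collect(
        registry_collector.registry,
        all_control_sets=options.all_control_sets)
    if not result:
      output_writer.WriteText('No Application Compatibility Cache key found.')
      output_writer.WriteText('')
    else:
      for cached_entry in collector_object.cached_entries:
        output_writer.WriteFiletimeValue(
            'Last modification time', cached_entry.last_modification_time)
        output_writer.WriteText('\n')
        output_writer.WriteValue('Path', cached_entry.path)
        output_writer.WriteText('\n')
        output_writer.WriteText('')
        output_writer.WriteText('\n')

  finally:
    output_writer.Close()

  return True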
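def Main():
  """The main program function.

  Parses the command line, locates the Windows Registry in the given source
  (volume, storage media image or SAM file), runs the Security Account
  Manager collector and writes one record per user account.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts Security Account Manager information from a SAM Registry '
      'file.'))

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=(
          'path of the volume containing C:\\Windows, the filename of '
          'a storage media image containing the C:\\Windows directory, '
          'or the path of a SAM Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer = output_writers.StdoutOutputWriter()
  if not output_writer.Open():
    print('Unable to open output writer.')
    print('')
    return False

  # The writer is open from here on: close it on every exit path, including
  # a failed Registry scan.
  try:
    volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
    registry_collector = collector.WindowsRegistryCollector(
        mediator=volume_scanner_mediator)
    if not registry_collector.ScanForWindowsVolume(options.source):
      print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
          options.source))
      print('')
      return False

    # TODO: map collector to available Registry keys.
    collector_object = sam.SecurityAccountManagerCollector(
        debug=options.debug, output_writer=output_writer)

    if not collector_object.Collect(registry_collector.registry):
      output_writer.WriteText('No Security Account Manager key found.')
      output_writer.WriteText('')
    else:
      for user_account in collector_object.user_accounts:
        output_writer.WriteValue('Username', user_account.username)
        output_writer.WriteValue('Relative identifier (RID)', user_account.rid)
        output_writer.WriteValue(
            'Primary group identifier', user_account.primary_gid)

        # Optional descriptive fields are only written when present.
        if user_account.full_name:
          output_writer.WriteValue('Full name', user_account.full_name)
        if user_account.comment:
          output_writer.WriteValue('Comment', user_account.comment)
        if user_account.user_comment:
          output_writer.WriteValue('User comment', user_account.user_comment)

        output_writer.WriteFiletimeValue(
            'Last log-in time', user_account.last_login_time)
        output_writer.WriteFiletimeValue(
            'Last password set time', user_account.last_password_set_time)
        output_writer.WriteFiletimeValue(
            'Account expiration time', user_account.account_expiration_time)
        output_writer.WriteFiletimeValue(
            'Last password failure time',
            user_account.last_password_failure_time)

        output_writer.WriteValue(
            'Number of log-ons', user_account.number_of_logons)
        output_writer.WriteValue(
            'Number of password failures',
            user_account.number_of_password_failures)

        if user_account.codepage:
          output_writer.WriteValue('Codepage', user_account.codepage)

        output_writer.WriteText('')

  finally:
    output_writer.Close()

  return True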