def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the program cache from a NTUSER.DAT Registry file.'))
argument_parser.add_argument(
'-d', '--debug', dest='debug', action='store_true', default=False,
help='enable debug output.')
argument_parser.add_argument(
'source', nargs='?', action='store', metavar='PATH', default=None,
help=(
'path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a NTUSER.DAT Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(
level=logging.INFO, format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
# TODO: add support to select user.
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = programscache.ProgramsCacheCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(registry_collector.registry)
if not result:
print('No Explorer StartPage or StartPage2 keys found.')
output_writer.Close()
return True
def testCollect(self):
"""Tests the Collect function."""
registry_collector = collector.WindowsRegistryCollector()
test_path = self._GetTestFilePath(['NTUSER.DAT'])
registry_collector.ScanForWindowsVolume(test_path)
self.assertIsNotNone(registry_collector.registry)
test_output_writer = test_lib.TestOutputWriter()
collector_object = programscache.ProgramsCacheCollector(
output_writer=test_output_writer)
result = collector_object.Collect(registry_collector.registry)
self.assertTrue(result)
test_output_writer.Close()
def testCollect(self):
"""Tests the Collect function."""
registry_collector = collector.WindowsRegistryCollector()
test_path = self._GetTestFilePath(['SOFTWARE'])
registry_collector.ScanForWindowsVolume(test_path)
self.assertIsNotNone(registry_collector.registry)
collector_object = msie_zone_info.MSIEZoneInfoCollector()
test_output_writer = TestOutputWriter()
collector_object.Collect(registry_collector.registry, test_output_writer)
test_output_writer.Close()
# TODO: fix test.
self.assertEqual(test_output_writer.text, [])
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the system information from a SOFTWARE Registry file.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help=('enable debug output.'))
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SOFTWARE Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = sysinfo.SystemInfoCollector(debug=options.debug,
output_writer=output_writer)
result = collector_object.Collect(registry_collector.registry)
if not result:
print('No Current Version key found.')
else:
output_writer.WriteValue(
'Product name', collector_object.system_information.product_name)
output_writer.WriteValue(
'Product identifier',
collector_object.system_information.product_identifier)
output_writer.WriteValue(
'Current version',
collector_object.system_information.current_version)
output_writer.WriteValue(
'Current type', collector_object.system_information.current_type)
output_writer.WriteValue(
'Current build number',
collector_object.system_information.current_build_number)
output_writer.WriteValue(
'CSD version', collector_object.system_information.csd_version)
output_writer.WriteValue(
'Registered organization',
collector_object.system_information.registered_organization)
output_writer.WriteValue(
'Registered owner',
collector_object.system_information.registered_owner)
date_time_value = collector_object.system_information.installation_date
date_time_string = date_time_value.CopyToDateTimeString()
output_writer.WriteValue('Installation date', date_time_string)
output_writer.WriteValue('Path name',
collector_object.system_information.path_name)
output_writer.WriteValue(
'%SystemRoot%', collector_object.system_information.system_root)
output_writer.WriteText('\n')
output_writer.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the UserAssist information from a NTUSER.DAT Registry file.'
))
argument_parser.add_argument(
'--codepage',
dest='codepage',
action='store',
metavar='CODEPAGE',
default='cp1252',
help='the codepage of the extended ASCII strings.')
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory,'
'or the path of a NTUSER.DAT Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = userassist.UserAssistCollector(debug=options.debug)
result = collector_object.Collect(registry_collector.registry)
if not result:
print('No UserAssist key found.')
else:
guid = None
for user_assist_entry in collector_object.user_assist_entries:
if user_assist_entry.guid != guid:
print('GUID\t\t: {0:s}'.format(user_assist_entry.guid))
guid = user_assist_entry.guid
print('Original name\t: {0:s}'.format(
user_assist_entry.value_name))
print('Converted name\t: {0:s}'.format(user_assist_entry.name))
print('')
output_writer.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the shell folder class identifiers from a SOFTWARE Registry '
'file.'))
argument_parser.add_argument(
'-d', '--debug', dest='debug', action='store_true', default=False,
help='enable debug output.')
argument_parser.add_argument(
'--db', dest='database', action='store', metavar='shellitems.db',
default=None, help='path of the sqlite3 database to write to.')
argument_parser.add_argument(
'--winver', dest='windows_version', action='store', metavar='xp',
default=None, help=(
'string that identifies the Windows version in the database.'))
argument_parser.add_argument(
'source', nargs='?', action='store', metavar='PATH', default=None,
help=(
'path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SOFTWARE Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
if options.database and not options.windows_version:
print('Windows version missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(
level=logging.INFO, format='[%(levelname)s] %(message)s')
if not options.database:
output_writer_object = StdoutWriter()
else:
output_writer_object = Sqlite3Writer(
options.database, options.windows_version)
if not output_writer_object.Open():
print('Unable to open output writer.')
print('')
return False
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = shellfolders.ShellFoldersCollector(
debug=options.debug)
result = collector_object.Collect(
registry_collector.registry, output_writer_object)
if not result:
print('No shell folder identifier keys found.')
output_writer_object.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the services information from a SYSTEM Registry file.'))
argument_parser.add_argument(
'--all',
dest='all_control_sets',
action='store_true',
default=False,
help=(
'Process all control sets instead of only the current control set.'
))
argument_parser.add_argument(
'--diff',
dest='diff_control_sets',
action='store_true',
default=False,
help='Only list differences between control sets.')
argument_parser.add_argument('--tsv',
dest='use_tsv',
action='store_true',
default=False,
help='Use tab separated value (TSV) output.')
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory,'
'or the path of a SYSTEM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer_object = StdoutWriter(use_tsv=options.use_tsv)
if not output_writer_object.Open():
print('Unable to open output writer.')
print('')
return False
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = services.WindowsServicesCollector(debug=options.debug)
if options.diff_control_sets:
result = collector_object.Compare(registry_collector.registry,
output_writer_object)
else:
result = collector_object.Collect(
registry_collector.registry,
output_writer_object,
all_control_sets=options.all_control_sets)
if not result:
print('No Services key found.')
output_writer_object.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts Most Recently Used information from a NTUSER.DAT Registry '
'file.'))
argument_parser.add_argument(
'-d', '--debug', dest='debug', action='store_true', default=False,
help='enable debug output.')
argument_parser.add_argument(
'source', nargs='?', action='store', metavar='PATH', default=None,
help=(
'path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory,'
'or the path of a NTUSER.DAT Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(
level=logging.INFO, format='[%(levelname)s] %(message)s')
output_writer = StdoutWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = mru.MostRecentlyUsedCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(registry_collector.registry)
if not result:
print('No Most Recently Used key found.')
else:
for mru_entry in collector_object.mru_entries:
output_writer.WriteValue('Key path', mru_entry.key_path)
output_writer.WriteValue('Value name', mru_entry.value_name)
if mru_entry.string:
output_writer.WriteValue('String', mru_entry.string)
if mru_entry.shell_item_data:
shell_item = pyfwsi.item()
shell_item.copy_from_byte_stream(mru_entry.shell_item_data)
output_writer.WriteShellItem(shell_item)
elif mru_entry.shell_item_list_data:
shell_item_list = pyfwsi.item_list()
shell_item_list.copy_from_byte_stream(mru_entry.shell_item_list_data)
for shell_item in iter(shell_item_list.items):
output_writer.WriteShellItem(shell_item)
output_writer.WriteText('')
output_writer.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts Application Compatibility Cache information from '
'a SYSTEM Registry file.'))
argument_parser.add_argument(
'--all',
dest='all_control_sets',
action='store_true',
default=False,
help=(
'Process all control sets instead of only the current control set.'
))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory,'
'or the path of a SYSTEM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = appcompatcache.AppCompatCacheCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(
registry_collector.registry, all_control_sets=options.all_control_sets)
if not result:
output_writer.WriteText(
'No Application Compatibility Cache key found.')
output_writer.WriteText('')
else:
for cached_entry in collector_object.cached_entries:
output_writer.WriteFiletimeValue(
'Last modification time', cached_entry.last_modification_time)
output_writer.WriteText('\n')
output_writer.WriteValue('Path', cached_entry.path)
output_writer.WriteText('\n')
output_writer.WriteText('')
output_writer.WriteText('\n')
output_writer.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts Security Account Manager information from a SAM Registry '
'file.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SAM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = sam.SecurityAccountManagerCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(registry_collector.registry)
if not result:
output_writer.WriteText('No Security Account Manager key found.')
output_writer.WriteText('')
else:
for user_account in collector_object.user_accounts:
output_writer.WriteValue('Username', user_account.username)
output_writer.WriteValue('Relative identifier (RID)',
user_account.rid)
output_writer.WriteValue('Primary group identifier',
user_account.primary_gid)
if user_account.full_name:
output_writer.WriteValue('Full name', user_account.full_name)
if user_account.comment:
output_writer.WriteValue('Comment', user_account.comment)
if user_account.user_comment:
output_writer.WriteValue('User comment',
user_account.user_comment)
output_writer.WriteFiletimeValue('Last log-in time',
user_account.last_login_time)
output_writer.WriteFiletimeValue(
'Last password set time', user_account.last_password_set_time)
output_writer.WriteFiletimeValue(
'Account expiration time',
user_account.account_expiration_time)
output_writer.WriteFiletimeValue(
'Last password failure time',
user_account.last_password_failure_time)
output_writer.WriteValue('Number of log-ons',
user_account.number_of_logons)
output_writer.WriteValue('Number of password failures',
user_account.number_of_password_failures)
if user_account.codepage:
output_writer.WriteValue('Codepage', user_account.codepage)
output_writer.WriteText('')
output_writer.Close()
return True
