def run(self):
lst = []
"use the SOFTWARE hive to get the result"
ProfileList_user_settings_path = u"Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
hive = get_hive(self.prim_hive, self.log_files)
ProfileList_user_settings_key = hive.find_key(
ProfileList_user_settings_path)
# print('Found a key: {}'.format(ProfileList_user_settings_key.path()))
if ProfileList_user_settings_key:
for sid_key in ProfileList_user_settings_key.subkeys():
sid_name = sid_key.name()
Profile_path = sid_key.value(name=u"ProfileImagePath")
Profile_data = strip_control_characters(Profile_path.data())
timestamp = sid_key.last_written_timestamp().isoformat()
user = strip_control_characters(
os.path.basename(os.path.normpath(Profile_data)))
record = OrderedDict([("Path", Profile_data), ("User", user),
("sid", sid_name),
("Key_Timestamp", timestamp),
("@timestamp", timestamp)])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format(
'ProfileList', ProfileList_user_settings_path))
return lst
def run(self):
hive = get_hive(self.prim_hive, self.log_files)
select_key = hive.find_key(u'Select')
current_path = ''
if select_key:
current_value = select_key.value(name=u"Current")
current_path = u"ControlSet{:03d}".format(current_value.data())
else:
current_path = 'ControlSet001'
lst = []
TimeZoneInformation_user_settings_path = u"\\".join(
[current_path, u"Control\\TimeZoneInformation"])
TimeZoneInformation_user_settings_key = hive.find_key(
TimeZoneInformation_user_settings_path)
if TimeZoneInformation_user_settings_key:
TimeZoneKeyName = TimeZoneInformation_user_settings_key.value(
name=u"TimeZoneKeyName")
TimeZoneKeyName_data = TimeZoneKeyName.data()
timestamp = TimeZoneInformation_user_settings_key.last_written_timestamp(
).isoformat()
record = OrderedDict([
("Time Zone", strip_control_characters(TimeZoneKeyName_data)),
("Key_Timestamp", timestamp), ("@timestamp", timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format(
'TimeZoneInformation', TimeZoneInformation_user_settings_path))
return lst
def run(self):
lst = []
WordWheelQuery_user_settings_path = u"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"
hive = get_hive(self.prim_hive,self.log_files)
WordWheelQuery_user_settings_key = hive.find_key(WordWheelQuery_user_settings_path)
if WordWheelQuery_user_settings_key:
#for sid_key in WordWheelQuery_user_settings_key.subkeys():
sid_key_values = iter(WordWheelQuery_user_settings_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(u"Error getting next value: {}".format(error))
continue
value_name = value.name()
url_data =value.data().decode("utf-16")
timestamp = WordWheelQuery_user_settings_key.last_written_timestamp().isoformat()
record = OrderedDict([
("Key_Timestamp",timestamp),
("Url_Name", value_name),
("Url", strip_control_characters(url_data)),
("@timestamp",timestamp),
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('WordWheelQuery', WordWheelQuery_user_settings_path))
return lst
def run(self):
lst = []
"use the NTUSER.dat hive to get the result"
RunMRU_user_settings_path = u'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'
hive = get_hive(self.prim_hive,self.log_files)
RunMRU_user_settings_key = hive.find_key(RunMRU_user_settings_path)
if RunMRU_user_settings_key:
sid_key_values = iter(RunMRU_user_settings_key.values())
timestamp = RunMRU_user_settings_key.last_written_timestamp().isoformat()
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(u"Error getting next value: {}".format(error))
continue
sid_name = value.name()
file_name = strip_control_characters(value.data())
record = OrderedDict([
("Sequence", sid_name),
("Command", file_name),
("Key_Timestamp",timestamp),
("@timestmap",timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('RunMRU', RunMRU_user_settings_path))
return lst
def run(self):
lst = []
"use the SOFTWARE hive to get the result"
InstalledApp_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\App Paths"
hive = get_hive(self.prim_hive, self.log_files)
InstalledApp_user_settings_key = hive.find_key(
InstalledApp_user_settings_path)
# print('Found a key: {}'.format(InstalledApp_user_settings_key.path()))
if InstalledApp_user_settings_key:
for sid_key in InstalledApp_user_settings_key.subkeys():
sid_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
Path = sid_key.value(name=u"Path")
if Path:
Path_data = strip_control_characters(Path.data())
else:
Path_data = ""
record = OrderedDict([
("Application_Name", sid_name),
("InstalledApp_date", timestamp),
("Path", Path_data),
("@timestamp", timestamp),
])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('Bam',
bam_user_settings_path))
return lst
def run(self):
lst =[]
"use the SOFTWARE hive to get the result"
ShellExtensions_user_settings_path = u'Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved'
hive = get_hive(self.prim_hive,self.log_files)
ShellExtensions_user_settings_key = hive.find_key(ShellExtensions_user_settings_path)
if ShellExtensions_user_settings_key:
sid_key_values = iter(ShellExtensions_user_settings_key.values())
timestamp = ShellExtensions_user_settings_key.last_written_timestamp().isoformat()
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(u"Error getting next value: {}".format(error))
continue
sid_name= value.name()
data = value.data()
if isinstance(data, bytes):
pos = data.find(b'\x00\x00') +1
file_name = strip_control_characters(data[:pos].decode('utf-16'))
else:
file_name = strip_control_characters(data)
record = OrderedDict([
("sid", sid_name),
("File Name", file_name),
("key_last_written_timestamp",timestamp),
("@timestamp",timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('ShellExtensions', ShellExtensions_user_settings_path))
return lst
def get_service_parameters_subkey(self, service_parameters_key):
parameters_dict = {}
for v in service_parameters_key.values():
value_name = v.name().replace(".", "_")
if type(v.data()) == str:
parameters_dict[value_name] = strip_control_characters(
v.data())
elif type(v.data()) == bytes:
parameters_dict[value_name] = v.data().hex()
elif type(v.data()) == list:
parameters_dict[value_name] = "|".join(
[value.rstrip('\x00') for value in v.data()])
else:
parameters_dict[value_name] = v.data()
return parameters_dict
def run(self):
lst = []
ComputerName_user_settings_path = u"ControlSet001\\Control\\ComputerName\\ComputerName"
hive = get_hive(self.prim_hive,self.log_files)
ComputerName_user_settings_key = hive.find_key(ComputerName_user_settings_path)
if ComputerName_user_settings_key:
ComputerName = ComputerName_user_settings_key.value(name=u"ComputerName")
ComputerName_data = ComputerName.data()
timestamp = ComputerName_user_settings_key.last_written_timestamp().isoformat()
record = OrderedDict([
("ComputerName", strip_control_characters(ComputerName_data)),
("Key_Timestamp", timestamp),
("@timestamp",timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('ComputerName', ComputerName_user_settings_path))
return lst
def run(self):
lst = []
TypedUrls_user_settings_path = u"Software\\Microsoft\\Internet Explorer\\TypedURLs"
hive = get_hive(self.prim_hive, self.log_files)
TypedUrls_user_settings_key = hive.find_key(
TypedUrls_user_settings_path)
if TypedUrls_user_settings_key:
#for sid_key in TypedUrls_user_settings_key.subkeys():
sid_key_values = iter(TypedUrls_user_settings_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
url_data = value.data()
timestamp = TypedUrls_user_settings_key.last_written_timestamp(
).isoformat()
record = OrderedDict([("Key_Timestamp", timestamp),
("Url Name", value_name),
("Url",
strip_control_characters(url_data)),
("@timestamp", timestamp)])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format(
'TypedUrls', TypedUrls_user_settings_path))
return lst
def run(self):
lst = []
TerminalServerClient_user_settings_paths = [
'Software\\Microsoft\\Terminal Server Client\\Servers',
'Software\\Microsoft\\Terminal Server Client\\Default'
]
for TerminalServerClient_user_settings_path in TerminalServerClient_user_settings_paths:
hive = get_hive(self.prim_hive, self.log_files)
TerminalServerClient_user_settings_key = hive.find_key(
TerminalServerClient_user_settings_path)
# print('Found a key: {}'.format(TerminalServerClient_user_settings_key.path()))
if TerminalServerClient_user_settings_key:
if "Servers" in TerminalServerClient_user_settings_path:
for sid_key in TerminalServerClient_user_settings_key.subkeys(
):
timestamp = TerminalServerClient_user_settings_key.last_written_timestamp(
).isoformat()
key_name = sid_key.name()
sid_key_values = iter(sid_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(
error))
continue
value_name = value.name()
if "UsernameHint" == value_name:
value_data = value.data()
record = OrderedDict([
("key_timestamp", timestamp),
("IP_Address", key_name),
("User_Name",
strip_control_characters(value_data)),
("@timestamp", timestamp)
])
#
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
else:
sid_key_values = iter(
TerminalServerClient_user_settings_key.values())
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
value_data = value.data()
record = OrderedDict([
("key_timestamp", timestamp),
("@timestamp", timestamp),
("IP_Address",
strip_control_characters(value_data)),
("Value_Name", value_name)
])
#
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format(
'TerminalServerClient',
TerminalServerClient_user_settings_path))
return lst
def run(self):
lst= []
"use the SOFTWARE hive to get the result"
InstalledComponents_user_settings_path = [u'Microsoft\\Active Setup\\Installed Components',u'Wow6432Node\\Microsoft\\Active Setup\\Installed Components']
hive = get_hive(self.prim_hive,self.log_files)
for path in InstalledComponents_user_settings_path:
InstalledComponents_user_settings_key = hive.find_key(path)
if InstalledComponents_user_settings_key:
for sid_key in InstalledComponents_user_settings_key.subkeys():
sid_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
IsInstalled = sid_key.value(name=u"IsInstalled")
if IsInstalled:
IsInstalled_data = IsInstalled.data()
else:
IsInstalled_data ="None"
DontAsk = sid_key.value(name=u"DontAsk")
if DontAsk:
DontAsk_data = DontAsk.data()
else:
DontAsk_data ="None"
Enabled = sid_key.value(name=u"Enabled")
if Enabled:
Enabled_data = Enabled.data()
else:
Enabled_data ="None"
Locale = sid_key.value(name=u"Locale")
if Locale:
Locale_data = strip_control_characters(Locale.data())
else:
Locale_data ="None"
LocalizedName = sid_key.value(name=u"LocalizedName")
if LocalizedName:
LocalizedName_data = strip_control_characters(LocalizedName.data())
else:
LocalizedName_data ="None"
StubPath = sid_key.value(name=u"StubPath")
if StubPath:
StubPath_data = strip_control_characters(StubPath.data())
else:
StubPath_data ="None"
Version = sid_key.value(name=u"Version")
if Version:
Version_data = strip_control_characters(Version.data())
else:
Version_data ="None"
ComponentID = sid_key.value(name=u"ComponentID")
if ComponentID:
ComponentID_data = strip_control_characters(ComponentID.data())
else:
ComponentID_data ="None"
record = OrderedDict([
("sid", sid_name),
("last_written_timestamp",timestamp),
("ComponentID", ComponentID_data),
("Version", Version_data),
("StubPath", StubPath_data),
("LocalizedName", LocalizedName_data),
("Locale", Locale_data),
("Enabled", Enabled_data),
("DontAsk", DontAsk_data),
("IsInstalled", IsInstalled_data),
("@timestamp",timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('InstalledComponents', InstalledComponents_user_settings_path))
return lst
def run(self):
lst = []
"use the SOFTWARE hive to get the result"
Uninstall_user_settings_path = u"Microsoft\\Windows\\CurrentVersion\\Uninstall"
hive = get_hive(self.prim_hive,self.log_files)
Uninstall_user_settings_key = hive.find_key(Uninstall_user_settings_path)
# print('Found a key: {}'.format(Uninstall_user_settings_key.path()))
if Uninstall_user_settings_key:
for sid_key in Uninstall_user_settings_key.subkeys():
sid_name = sid_key.name()
timestamp = sid_key.last_written_timestamp().isoformat()
#try:
DisplayName = sid_key.value(name=u"DisplayName")
if DisplayName:
DisplayName_data = strip_control_characters(DisplayName.data())
else:
DisplayName_data =""
DisplayVersion = sid_key.value(name=u"DisplayVersion")
if DisplayVersion:
DisplayVersion_data = strip_control_characters(DisplayVersion.data())
else:
DisplayVersion_data =""
InstallDate = sid_key.value(name=u"InstallDate")
if InstallDate:
InstallDate_data = strip_control_characters(InstallDate.data())
else:
InstallDate_data =""
InstallLocation = sid_key.value(name=u"InstallLocation")
if InstallLocation:
InstallLocation_data = strip_control_characters(InstallLocation.data())
else:
InstallLocation_data =""
InstallSource= sid_key.value(name=u"InstallSource")
if InstallSource:
InstallSource_data = strip_control_characters(InstallSource.data())
else:
InstallSource_data =""
ModifyPath = sid_key.value(name=u"ModifyPath")
if ModifyPath:
ModifyPath_data = strip_control_characters(ModifyPath.data())
else:
ModifyPath_data =""
Publisher = sid_key.value(name=u"Publisher")
if Publisher:
Publisher_data = strip_control_characters(Publisher.data())
else:
Publisher_data=""
Size = sid_key.value(name=u"Size")
if Size:
Size_data = str(Size.data())
else:
Size_data =""
URLInfoAbout = sid_key.value(name=u"URLInfoAbout")
if URLInfoAbout:
URLInfoAbout_data = strip_control_characters(URLInfoAbout.data())
else:
URLInfoAbout_data =""
record = OrderedDict([
("name", sid_name),
("Uninstall_date",timestamp),
("Application_Name", DisplayName_data),
("Version",DisplayVersion_data),
("Install_Date",InstallDate_data),
("Install_Location", InstallLocation_data),
("Install_Source", InstallSource_data),
("Modify_Path", ModifyPath_data),
("Publisher", Publisher_data),
("Size", Size_data),
("URLInfoAbout",URLInfoAbout_data),
("@timestamp",timestamp)
])
lst.append(u"{}".format(json.dumps(record, cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('Bam', bam_user_settings_path))
return lst
def run(self):
lst = []
hive = get_hive(self.prim_hive, self.log_files)
Amcache_user_settings_path = u"root\\InventoryApplicationFile"
Amcache_win7_user_settings_path = u"root\\File"
Amcache_user_settings_key = hive.find_key(Amcache_user_settings_path)
Amcache7_user_settings_key = hive.find_key(
Amcache_win7_user_settings_path)
if Amcache_user_settings_key:
for sid_key in Amcache_user_settings_key.subkeys():
sid_key_values = iter(sid_key.values())
key_time = sid_key.last_written_timestamp().isoformat()
win10_amache_mapping = {
"ProgramId": "ProgramId",
"LongPathHash": "LongPathHash",
"IsOsComponent": "IsOsComponent",
"Usn": "Usn",
"LowerCaseLongPath": "Path",
"FileId": "Sha1",
"Name": "Name",
"Publisher": "CompanyName",
"Version": "Version",
"BinFileVersion": "BinFileVersion",
"BinaryType": "BinaryType",
"ProductName": "ProductName",
"ProductVersion": "ProductVersion",
"LinkDate": "LinkDate",
"BinProductVersion": "BinProductVersion",
"Size": "FileSize",
"Language": "Language",
"IsPeFile": "IsPeFile"
}
record = OrderedDict([])
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
names = win10_amache_mapping[value_name]
data = value.data()
record[names] = strip_control_characters(str(data))
record["@timestamp"] = key_time
if record["Sha1"].startswith("0000"):
sha1 = record["Sha1"]
record["Sha1"] = sha1[4:]
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
return lst
elif Amcache7_user_settings_key:
win8_amcache_mapping = {
'0': 'ProductName',
'1': 'CompanyName',
'2': 'FileVersionNum',
'3': 'Language',
'4': 'SwitchBackContext',
'5': 'FileVersion',
'6': 'FileSize',
'7': 'pe_header_hash',
'8': 'unknown1',
'9': 'pe_header_checksum',
'a': 'unknown2',
'b': 'unknown3',
'c': 'file_description',
'd': 'unknown4',
'f': 'linker_compile_time',
'10': 'unknown5',
'11': 'last_modified_timestamp',
'12': 'created_timestamp',
'15': 'Path',
'16': 'unknown6',
'17': 'last_modified_timestamp_2',
'100': 'ProgramId',
'101': 'Sha1'
}
for sid_key in Amcache7_user_settings_key.subkeys():
for sidd_key in sid_key.subkeys():
sid_key_values = iter(sidd_key.values())
key_time = sidd_key.last_written_timestamp().isoformat()
record = OrderedDict([])
while True:
try:
value = next(sid_key_values)
except StopIteration:
break
except Exception as error:
logging.error(
u"Error getting next value: {}".format(error))
continue
value_name = value.name()
names = win8_amcache_mapping[value_name]
data = value.data()
if "time" in names:
if "linker_compile_time" in names:
data = datetime.datetime.fromtimestamp(data)
else:
data = convert_datetime(data)
record[names] = strip_control_characters(str(data))
if len(record) == 0:
continue
record["@timestamp"] = key_time
if record["Sha1"].startswith("0000"):
sha1 = record["Sha1"]
record["Sha1"] = sha1[4:]
lst.append(u"{}".format(
json.dumps(record, cls=ComplexEncoder)))
return lst
else:
logging.info(u"[{}] {} not found.".format(
'Amcache', Amcache_user_settings_key))
def run(self):
lst = []
DHCP_user_settings_path = u"ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces"
hive = get_hive(self.prim_hive, self.log_files)
DHCP_user_settings_key = hive.find_key(DHCP_user_settings_path)
if DHCP_user_settings_key:
for sid_key in DHCP_user_settings_key.subkeys():
timestamp = sid_key.last_written_timestamp().isoformat()
sid_name = sid_key.name()
def get_date(value_name):
value = sid_key.value(name=value_name)
if value:
value = value.data()
else:
value = "None"
return value
dict_values_data = {
'DhcpIPAddress':
strip_control_characters(get_date('DhcpIPAddress')),
'DhcpServer':
strip_control_characters(get_date('DhcpServer')),
'DhcpSubnetMask':
strip_control_characters(get_date('DhcpSubnetMask')),
'Domain':
strip_control_characters(get_date('Domain')),
'NameServer':
strip_control_characters(get_date('NameServer')),
'EnableDHCP':
get_date('EnableDHCP'),
'DhcpConnForceBroadcastFlag':
get_date('DhcpConnForceBroadcastFlag'),
'IsServerNapAware':
get_date('IsServerNapAware'),
'RegisterAdapterName':
get_date('RegisterAdapterName'),
'RegistrationEnabled':
get_date('RegistrationEnabled')
}
record = OrderedDict([
("Dhcp IP Address", dict_values_data['DhcpIPAddress']),
("Dhcp Server", dict_values_data['DhcpServer']),
("DhcpSubnetMask", dict_values_data['DhcpSubnetMask']),
("Domain", dict_values_data['Domain']),
("Name Server", dict_values_data['NameServer']),
("Enable DHCP", dict_values_data['EnableDHCP']),
("DhcpConnForceBroadcastFlag",
dict_values_data['DhcpConnForceBroadcastFlag']),
("Is Server NapAware",
dict_values_data['IsServerNapAware']),
("Register Adapter Name",
dict_values_data['RegisterAdapterName']),
("Registration Enabled",
dict_values_data['RegistrationEnabled']),
('@timestamp', timestamp)
])
lst.append(u"{}".format(json.dumps(record,
cls=ComplexEncoder)))
else:
logging.info(u"[{}] {} not found.".format('DHCP',
DHCP_user_settings_path))
return lst
def run(self):
lst = []
# list of service data mapping
Service_Start = [
'Boot', 'System', 'Automatic', 'Manual', 'Disabled', "DelayedStart"
]
Service_ErrorControl = ['Ignore', 'Normal', 'Severe', 'Critical']
Service_ServiceSidType = ['NONE', 'UNRESTRICTED', 0, 'RESTRICTED']
hive = get_hive(self.prim_hive, self.log_files)
ControlSet_Services_Paths = [
] # this contains the list of paths for ControlSets
main_key = hive.find_key("\\")
for main_key_subkey in main_key.subkeys():
if main_key_subkey.name().startswith("ControlSet"):
ControlSet_Services_Paths.append(main_key_subkey.path() +
"\\services")
for ControlSet_Services_Path in ControlSet_Services_Paths:
ControlSet_Services_Key = hive.find_key(ControlSet_Services_Path)
if ControlSet_Services_Key:
#print('Found a key: {}'.format(ControlSet_Services_Key.path()))
timestamp = ControlSet_Services_Key.last_written_timestamp(
).isoformat()
#print("timestamp: " + timestamp)
for subkey in ControlSet_Services_Key.subkeys():
service = {}
service['Name'] = subkey.name()
service['Path'] = subkey.path()
service["@timestamp"] = subkey.last_written_timestamp(
).isoformat()
values = list(subkey.values())
for v in values:
value_name = v.name().replace(".", "_")
#print(value_name + " ---> " + str(type(v.data())))
# get the start type if the value name is Start
if value_name == 'Start':
service[value_name] = Service_Start[v.data()]
# get the ErrorControl if the value name is ErrorControl
elif value_name == 'ErrorControl':
service[value_name] = Service_ErrorControl[
v.data()]
# get the ServiceSidType if the value name is ServiceSidType
elif value_name == 'ServiceSidType':
service[value_name] = Service_ServiceSidType[
v.data()]
# parse the FailureActions field
elif value_name == 'FailureActions':
failure_actions = self.parse_SERVICE_FAILURE_ACTIONS(
v.data())
service[value_name] = failure_actions['SC_ACTIONS']
service[
"FailureCountResetPeriod"] = failure_actions[
'SC_ACTIONS']
# get the service type if the value name is Type
elif value_name == 'Type':
service[value_name] = self.get_service_type(
v.data())
# if the data is a list, then combine the list
elif type(v.data()) == list:
service[value_name] = "|".join([
strip_control_characters(element)
for element in v.data() if element != "\x00"
])
# if the data is str, ensure to strip null bytes
elif type(v.data()) == str:
service[value_name] = strip_control_characters(
v.data())
elif type(v.data()) == bytes:
service[value_name] = v.data().hex()
else:
service[value_name] = v.data()
# check and retrive parameters subkey from the key
for service_subkey in subkey.subkeys():
if service_subkey.name() == 'Parameters':
service[
'Parameters'] = self.get_service_parameters_subkey(
service_subkey)
elif service_subkey.name() == 'TriggerInfo':
triggers = {}
for trigger in service_subkey.subkeys():
triggers[str(
len(triggers)
)] = self.get_TriggerInfo_subkey(trigger)
service["TriggerInfo"] = triggers
#print(service)
print(json.dumps(service, indent=4, sort_keys=True))
lst.append(service)
else:
pass
else:
logging.info(u"[{}] {} not found.".format(
'Services', ControlSet_Services_Paths))
print(len(lst))
return lst
