def testProcessSoftwareRunOnce(self):
"""Tests the Process function on a RunOnce key."""
test_file_entry = self._GetTestFileEntry([u'SOFTWARE-RunTests'])
key_path = (
u'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
u'RunOnce')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin_object = run.AutoRunsPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin_object,
file_entry=test_file_entry)
self.assertEqual(len(storage_writer.events), 1)
event_object = storage_writer.events[0]
self.assertEqual(event_object.pathspec, test_file_entry.path_spec)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, plugin_object.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-04-06 14:07:27.750000')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_message = (
u'[{0:s}] *WerKernelReporting: %SYSTEMROOT%\\SYSTEM32\\WerFault.exe '
u'-k -rq').format(key_path)
expected_short_message = u'{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event_object, expected_message,
expected_short_message)
def testProcessNtuserRunOnce(self):
"""Tests the Process function on a Run key."""
test_file_entry = self._GetTestFileEntry([u'NTUSER-RunTests.DAT'])
key_path = (
u'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
u'RunOnce')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin_object = run.AutoRunsPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin_object,
file_entry=test_file_entry)
self.assertEqual(len(storage_writer.events), 1)
event_object = storage_writer.events[0]
self.assertEqual(event_object.pathspec, test_file_entry.path_spec)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, plugin_object.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-04-05 17:03:53.992061')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_message = (
u'[{0:s}] mctadmin: C:\\Windows\\System32\\mctadmin.exe'
).format(key_path)
expected_short_message = u'{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event_object, expected_message,
expected_short_message)
def testProcessNtuserRun(self):
"""Tests the Process function on a Run key."""
test_file_entry = self._GetTestFileEntry([u'NTUSER-RunTests.DAT'])
key_path = (
u'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
u'Run')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = run.AutoRunsPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key, plugin, file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.assertEqual(event.pathspec, test_file_entry.path_spec)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event.parser, plugin.plugin_name)
# Timestamp is: 2012-04-05T17:03:53.992061+00:00
self.assertEqual(event.timestamp, 1333645433992061)
expected_message = (
u'[{0:s}] Sidebar: %ProgramFiles%\\Windows Sidebar\\Sidebar.exe '
u'/autoRun').format(key_path)
expected_short_message = u'{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcessNtuserRunOnce(self):
"""Tests the Process function on a Run key."""
test_file_entry = self._GetTestFileEntry(['NTUSER-RunTests.DAT'])
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'RunOnce')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = run.AutoRunsPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_events, 1)
self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
self.assertEqual(storage_writer.number_of_recovery_warnings, 0)
events = list(storage_writer.GetEvents())
expected_event_values = {
'date_time': '2012-04-05 17:03:53.9920616',
'data_type': 'windows:registry:run',
'entries': ['mctadmin: C:\\Windows\\System32\\mctadmin.exe'],
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
'parser': plugin.NAME
}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessNtuserRunOnce(self):
"""Tests the Process function on a Run key."""
test_file_entry = self._GetTestFileEntry(['NTUSER-RunTests.DAT'])
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'RunOnce')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = run.AutoRunsPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key, plugin, file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_errors, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.assertEqual(event.pathspec, test_file_entry.path_spec)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event.parser, plugin.plugin_name)
self.CheckTimestamp(event.timestamp, '2012-04-05 17:03:53.992062')
expected_message = (
'[{0:s}] mctadmin: C:\\Windows\\System32\\mctadmin.exe').format(
key_path)
expected_short_message = '{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcessSoftwareRunOnce(self):
"""Tests the Process function on a RunOnce key."""
test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests'])
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'RunOnce')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = run.AutoRunsPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key, plugin, file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
expected_event_values = {
'data_type': 'windows:registry:run',
'entries': [
'*WerKernelReporting: %SYSTEMROOT%\\SYSTEM32\\WerFault.exe -k -rq'],
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
'parser': plugin.plugin_name,
'timestamp': '2012-04-06 14:07:27.750000'}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessSoftwareRun(self):
"""Tests the Process function on a Run key."""
test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests'])
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Run')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = run.AutoRunsPlugin()
storage_writer = self._ParseKeyWithPlugin(
registry_key, plugin, file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
expected_event_values = {
'data_type': 'windows:registry:run',
'entries': [
('McAfee Host Intrusion Prevention Tray: "C:\\Program Files\\'
'McAfee\\Host Intrusion Prevention\\FireTray.exe"'),
('VMware Tools: "C:\\Program Files\\VMware\\VMware Tools\\'
'VMwareTray.exe"'),
('VMware User Process: "C:\\Program Files\\VMware\\VMware Tools\\'
'VMwareUser.exe"')],
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
'parser': plugin.plugin_name,
'timestamp': '2011-09-16 20:57:09.067576'}
self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessSoftwareRun(self):
"""Tests the Process function on a Run key."""
test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests'])
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Run')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = run.AutoRunsPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2011-09-16 20:57:09.067576')
event_data = self._GetEventDataOfEvent(storage_writer, event)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_data.parser, plugin.plugin_name)
self.assertEqual(event_data.data_type, 'windows:registry:run')
self.assertEqual(event_data.pathspec, test_file_entry.path_spec)
expected_entries = (
'McAfee Host Intrusion Prevention Tray: "C:\\Program Files\\McAfee\\'
'Host Intrusion Prevention\\FireTray.exe" VMware Tools: "C:\\Program '
'Files\\VMware\\VMware Tools\\VMwareTray.exe" VMware User Process: '
'"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe"')
self.assertEqual(event_data.entries, expected_entries)
expected_message = (
'[{0:s}] '
'McAfee Host Intrusion Prevention Tray: "C:\\Program Files\\McAfee\\'
'Host Intrusion Prevention\\FireTray.exe" '
'VMware Tools: "C:\\Program Files\\VMware\\VMware Tools\\'
'VMwareTray.exe" '
'VMware User Process: "C:\\Program Files\\VMware\\VMware Tools\\'
'VMwareUser.exe"').format(key_path)
expected_short_message = '{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event_data, expected_message,
expected_short_message)
def testProcessSoftwareRunOnce(self):
"""Tests the Process function on a RunOnce key."""
test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests'])
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'RunOnce')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = run.AutoRunsPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2012-04-06 14:07:27.750000')
event_data = self._GetEventDataOfEvent(storage_writer, event)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_data.parser, plugin.plugin_name)
self.assertEqual(event_data.data_type, 'windows:registry:run')
self.assertEqual(event_data.pathspec, test_file_entry.path_spec)
expected_entries = (
'*WerKernelReporting: %SYSTEMROOT%\\SYSTEM32\\WerFault.exe -k -rq')
self.assertEqual(event_data.entries, expected_entries)
expected_message = (
'[{0:s}] *WerKernelReporting: %SYSTEMROOT%\\SYSTEM32\\WerFault.exe '
'-k -rq').format(key_path)
expected_short_message = '{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event_data, expected_message,
expected_short_message)
def testProcessNtuserRun(self):
"""Tests the Process function on a Run key."""
test_file_entry = self._GetTestFileEntry(['NTUSER-RunTests.DAT'])
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Run')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = run.AutoRunsPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin,
file_entry=test_file_entry)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
self.CheckTimestamp(event.timestamp, '2012-04-05 17:03:53.992062')
event_data = self._GetEventDataOfEvent(storage_writer, event)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_data.parser, plugin.plugin_name)
self.assertEqual(event_data.data_type, 'windows:registry:run')
expected_entries = (
'Sidebar: %ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun')
self.assertEqual(event_data.entries, expected_entries)
expected_message = (
'[{0:s}] Sidebar: %ProgramFiles%\\Windows Sidebar\\Sidebar.exe '
'/autoRun').format(key_path)
expected_short_message = '{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event_data, expected_message,
expected_short_message)
def testProcessSoftwareRun(self):
"""Tests the Process function on a Run key."""
test_file_entry = self._GetTestFileEntry([u'SOFTWARE-RunTests'])
key_path = (
u'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
u'Run')
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin_object = run.AutoRunsPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key,
plugin_object,
file_entry=test_file_entry)
self.assertEqual(len(storage_writer.events), 1)
event_object = storage_writer.events[0]
self.assertEqual(event_object.pathspec, test_file_entry.path_spec)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, plugin_object.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2011-09-16 20:57:09.067575')
self.assertEqual(event_object.timestamp, expected_timestamp)
expected_message = (
u'[{0:s}] '
u'McAfee Host Intrusion Prevention Tray: "C:\\Program Files\\McAfee\\'
u'Host Intrusion Prevention\\FireTray.exe" '
u'VMware Tools: "C:\\Program Files\\VMware\\VMware Tools\\'
u'VMwareTray.exe" '
u'VMware User Process: "C:\\Program Files\\VMware\\VMware Tools\\'
u'VMwareUser.exe"').format(key_path)
expected_short_message = u'{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event_object, expected_message,
expected_short_message)
def testFilters(self):
"""Tests the FILTERS class attribute."""
plugin = run.AutoRunsPlugin()
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Run')
self._AssertFiltersOnKeyPath(plugin, key_path)
key_path = (
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'RunOnce')
self._AssertFiltersOnKeyPath(plugin, key_path)
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'Run')
self._AssertFiltersOnKeyPath(plugin, key_path)
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'RunOnce')
self._AssertFiltersOnKeyPath(plugin, key_path)
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'RunOnce\\Setup')
self._AssertFiltersOnKeyPath(plugin, key_path)
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'RunServices')
self._AssertFiltersOnKeyPath(plugin, key_path)
key_path = (
'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
'RunServicesOnce')
self._AssertFiltersOnKeyPath(plugin, key_path)
self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._plugin = run.AutoRunsPlugin()
def setUp(self):
"""Makes preparations before running an individual test."""
self._plugin = run.AutoRunsPlugin()
