  def testProcess(self):
    """Exercises Process() against the SAM test fixture.

    Parses HKLM\\SAM\\SAM\\Domains\\Account\\Users out of the test SAM hive and
    expects 7 events and no errors. The first two events are then pinned in
    detail: both describe RID 500 (the built-in Administrator account, per the
    'comments' text in the fixture); event 0 carries the key's last-written
    time, event 1 the account's last-login time. Only account metadata is
    asserted here; nothing in this test checks what the plugin does (or does
    not) emit from the credential-bearing parts of the SAM user record.
    """
    sam_key_path = 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users'
    sam_file_entry = self._GetTestFileEntry(['SAM'])

    hive = self._GetWinRegistryFromFileEntry(sam_file_entry)
    users_key = hive.GetKeyByPath(sam_key_path)

    storage_writer = self._ParseKeyWithPlugin(
        users_key, sam_users.SAMUsersWindowsRegistryPlugin(),
        file_entry=sam_file_entry)

    self.assertEqual(storage_writer.number_of_errors, 0)
    self.assertEqual(storage_writer.number_of_events, 7)

    # Indexing below assumes the writer hands events back in a stable order
    # for this fixture; the count assertion above guards the indices.
    events = list(storage_writer.GetEvents())

    # Event 0 is checked through the generic registry-value helpers and is
    # keyed on the key's written time.
    written_event = events[0]

    self.CheckTimestamp(written_event.timestamp, '2014-09-24 03:36:06.358837')
    self.assertEqual(
        written_event.timestamp_desc, definitions.TIME_DESCRIPTION_WRITTEN)

    for value_name, value in (
        ('account_rid', 500),
        ('login_count', 6),
        ('username', 'Administrator')):
      self._TestRegvalue(written_event, value_name, value)

    expected_message = ' '.join([
        '[{0:s}]'.format(sam_key_path),
        'account_rid: 500',
        'comments: Built-in account for administering the computer/domain',
        'login_count: 6',
        'username: Administrator'])
    # Short messages are the first 77 characters followed by an ellipsis.
    expected_short_message = expected_message[:77] + '...'

    self._TestGetMessageStrings(
        written_event, expected_message, expected_short_message)

    # Event 1 is the SAMUsersWindowsRegistryEvent, keyed on last login.
    last_login_event = events[1]

    self.CheckTimestamp(
        last_login_event.timestamp, '2010-11-20 21:48:12.569244')
    self.assertEqual(
        last_login_event.timestamp_desc,
        definitions.TIME_DESCRIPTION_LAST_LOGIN)

    self.assertEqual(last_login_event.account_rid, 500)
    self.assertEqual(last_login_event.login_count, 6)
    self.assertEqual(last_login_event.username, 'Administrator')

    expected_message = ' '.join([
        '[{0:s}]'.format(sam_key_path),
        'Username: Administrator',
        'Comments: Built-in account for administering the computer/domain',
        'RID: 500',
        'Login count: 6'])
    expected_short_message = 'Administrator RID: 500 Login count: 6'

    self._TestGetMessageStrings(
        last_login_event, expected_message, expected_short_message)
    def testFilters(self):
        """Checks the plugin's FILTERS match the SAM Users key and nothing else.

        The plugin must trigger on HKLM\\SAM\\SAM\\Domains\\Account\\Users and
        must not trigger on an unrelated key path under HKLM.
        """
        sam_key_path = 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users'
        unrelated_key_path = 'HKEY_LOCAL_MACHINE\\Bogus'

        plugin = sam_users.SAMUsersWindowsRegistryPlugin()

        self._AssertFiltersOnKeyPath(plugin, sam_key_path)
        self._AssertNotFiltersOnKeyPath(plugin, unrelated_key_path)
    def testProcess(self):
        """Exercises Process() against the SAM test fixture.

        Parses HKLM\\SAM\\SAM\\Domains\\Account\\Users from the test SAM hive,
        expects exactly 7 events and no extraction or recovery warnings, and
        then pins the attribute values of the first two events: both describe
        RID 500 with 6 logins, one on the key's written time and one on the
        last-login time.

        NOTE(review): the expected username here is '******', whereas the
        other testProcess variants on this page assert 'Administrator' for
        the same fixture and RID. This may be a redaction introduced by the
        corpus rather than the upstream expectation; confirm against the
        plugin before trusting the masked value.
        """
        sam_key_path = 'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users'
        sam_file_entry = self._GetTestFileEntry(['SAM'])

        hive = self._GetWinRegistryFromFileEntry(sam_file_entry)
        users_key = hive.GetKeyByPath(sam_key_path)

        storage_writer = self._ParseKeyWithPlugin(
            users_key, sam_users.SAMUsersWindowsRegistryPlugin(),
            file_entry=sam_file_entry)

        # Event count first, then both warning containers must be empty.
        for container_type, expected_count in (
                ('event', 7),
                ('extraction_warning', 0),
                ('recovery_warning', 0)):
            self.assertEqual(
                storage_writer.GetNumberOfAttributeContainers(container_type),
                expected_count)

        events = list(storage_writer.GetEvents())

        # Attributes shared by both checked events; only the time source
        # differs between them.
        shared_values = {
            'account_rid': 500,
            'comments':
            'Built-in account for administering the computer/domain',
            'data_type': 'windows:registry:sam_users',
            'login_count': 6,
            'username': '******'
        }

        # (date_time, timestamp_desc) for events[0] and events[1] in order;
        # events[1] is the SAMUsersWindowsRegistryEvent.
        time_values = (
            ('2014-09-24 03:36:06.3588374',
             definitions.TIME_DESCRIPTION_WRITTEN),
            ('2010-11-20 21:48:12.5692440',
             definitions.TIME_DESCRIPTION_LAST_LOGIN))

        for event, (date_time, timestamp_desc) in zip(events, time_values):
            expected_event_values = dict(
                shared_values, date_time=date_time,
                timestamp_desc=timestamp_desc)
            self.CheckEventValues(
                storage_writer, event, expected_event_values)
    def testProcess(self):
        """Exercises Process() against the SAM test fixture.

        Parses HKLM\\SAM\\SAM\\Domains\\Account\\Users from the test SAM hive,
        expects 7 events, and pins the first two: both describe RID 500
        (Administrator, 6 logins); event 0 carries the key's written time and
        event 1, a SAMUsersWindowsRegistryEvent, the last-login time. Only
        account metadata is asserted; nothing here checks what the plugin
        emits from the credential-bearing parts of the SAM user record.
        """
        sam_key_path = u'HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users'
        sam_file_entry = self._GetTestFileEntry([u'SAM'])

        hive = self._GetWinRegistryFromFileEntry(sam_file_entry)
        users_key = hive.GetKeyByPath(sam_key_path)

        storage_writer = self._ParseKeyWithPlugin(
            users_key, sam_users.SAMUsersWindowsRegistryPlugin(),
            file_entry=sam_file_entry)

        self.assertEqual(len(storage_writer.events), 7)

        # Event 0 is checked through the generic registry-value helpers.
        written_event = storage_writer.events[0]

        for value_name, value in (
                (u'account_rid', 500),
                (u'login_count', 6),
                (u'username', u'Administrator')):
            self._TestRegvalue(written_event, value_name, value)

        self.assertEqual(
            written_event.timestamp,
            timelib.Timestamp.CopyFromString(u'2014-09-24 03:36:06.358837'))
        self.assertEqual(
            written_event.timestamp_desc,
            eventdata.EventTimestamp.WRITTEN_TIME)

        expected_message = u' '.join([
            u'[{0:s}]'.format(sam_key_path),
            u'account_rid: 500',
            u'comments: Built-in account for administering the computer/domain',
            u'login_count: 6',
            u'username: Administrator'])
        # Short messages are the first 77 characters followed by an ellipsis.
        expected_short_message = expected_message[:77] + u'...'

        self._TestGetMessageStrings(
            written_event, expected_message, expected_short_message)

        # Event 1 is the SAMUsersWindowsRegistryEvent.
        last_login_event = storage_writer.events[1]

        self.assertEqual(last_login_event.account_rid, 500)
        self.assertEqual(last_login_event.login_count, 6)
        self.assertEqual(last_login_event.username, u'Administrator')

        self.assertEqual(
            last_login_event.timestamp,
            timelib.Timestamp.CopyFromString(u'2010-11-20 21:48:12.569244'))
        self.assertEqual(
            last_login_event.timestamp_desc,
            eventdata.EventTimestamp.LAST_LOGIN_TIME)

        expected_message = u' '.join([
            u'[{0:s}]'.format(sam_key_path),
            u'Username: Administrator',
            u'Comments: Built-in account for administering the computer/domain',
            u'RID: 500',
            u'Login count: 6'])
        expected_short_message = u'Administrator RID: 500 Login count: 6'

        self._TestGetMessageStrings(
            last_login_event, expected_message, expected_short_message)
 def setUp(self):
     """Builds a fresh SAM users plugin before each individual test.

     Runs before every test method, so each test starts with its own
     SAMUsersWindowsRegistryPlugin instance in self._plugin.
     """
     plugin_class = sam_users.SAMUsersWindowsRegistryPlugin
     self._plugin = plugin_class()