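    def testProcess(self):
        """Tests the Process function on a synthetic Winlogon key.

        Builds a CurrentVersion key via _CreateTestKey, runs the Winlogon
        plugin over it and checks that 14 events and no warnings are produced.
        Two representative events are then pinned value-by-value: the
        VmApplet entry directly under the key and the NavLogon Logoff entry
        under the Notify subkey.
        """
        key_path = (
            'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion'
        )
        time_string = '2013-01-30 10:47:57'
        registry_key = self._CreateTestKey(key_path, time_string)

        plugin = winlogon.WinlogonPlugin()
        storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

        self.assertEqual(storage_writer.number_of_events, 14)
        self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
        self.assertEqual(storage_writer.number_of_recovery_warnings, 0)

        events = list(storage_writer.GetSortedEvents())

        # The order of the events is non-deterministic since they are sorted on
        # timestamp and description only, so the two events under test are
        # located by their attributes rather than by position in the list.
        test_event1 = None
        test_event2 = None
        for event in events:
            self.CheckTimestamp(event.timestamp, '2013-01-30 10:47:57.000000')

            event_data = self._GetEventDataOfEvent(storage_writer, event)
            self.assertEqual(event_data.data_type, 'windows:registry:winlogon')

            if event_data.application == 'VmApplet':
                test_event1 = event
            elif (event_data.application == 'NavLogon'
                  and event_data.trigger == 'Logoff'):
                # The trigger is checked as well so that only the Logoff entry
                # for NavLogon is selected.
                test_event2 = event

        # Fail here with a clear message if either event was not generated,
        # instead of letting CheckEventValues trip over a None event below.
        self.assertIsNotNone(test_event1, 'VmApplet event was not generated')
        self.assertIsNotNone(
            test_event2, 'NavLogon Logoff event was not generated')

        expected_event_values = {
            'application': 'VmApplet',
            'command': 'SystemPropertiesPerformance.exe/pagefile',
            'date_time': '2013-01-30 10:47:57.0000000',
            'data_type': 'windows:registry:winlogon',
            'key_path': key_path,
            'trigger': 'Logon'
        }

        self.CheckEventValues(storage_writer, test_event1,
                              expected_event_values)

        expected_event_values = {
            'application': 'NavLogon',
            'command': 'NavLogon.dll',
            'date_time': '2013-01-30 10:47:57.0000000',
            'data_type': 'windows:registry:winlogon',
            'key_path': '{0:s}\\Notify\\NavLogon'.format(key_path),
            'trigger': 'Logoff'
        }

        self.CheckEventValues(storage_writer, test_event2,
                              expected_event_values)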
    def testFilters(self):
        """Tests the FILTERS class attribute.

        The plugin must claim the Winlogon key under CurrentVersion and must
        not claim an unrelated key.
        """
        plugin = winlogon.WinlogonPlugin()

        winlogon_key_path = (
            'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\'
            'Winlogon')
        unrelated_key_path = 'HKEY_LOCAL_MACHINE\\Bogus'

        # Positive case: the real Winlogon key path matches the filters.
        self._AssertFiltersOnKeyPath(plugin, winlogon_key_path)
        # Negative case: a key outside the plugin's scope does not match.
        self._AssertNotFiltersOnKeyPath(plugin, unrelated_key_path)
    def testProcess(self):
        """Tests the Process function on created key.

        Parses a synthetic CurrentVersion key with the Winlogon plugin, checks
        the event/warning counts and then verifies the timestamp, data type
        and message strings of the first and last sorted events.
        """
        key_path = (
            'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion'
        )
        time_string = '2013-01-30 10:47:57'
        registry_key = self._CreateTestKey(key_path, time_string)

        plugin = winlogon.WinlogonPlugin()
        storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 14)

        events = list(storage_writer.GetSortedEvents())

        def check_event(index, expected_message):
            """Checks timestamp, data type and message strings of events[index]."""
            event = events[index]

            self.CheckTimestamp(event.timestamp, '2013-01-30 10:47:57.000000')

            event_data = self._GetEventDataOfEvent(storage_writer, event)
            self.assertEqual(event_data.data_type, 'windows:registry:winlogon')

            # The short message is the long one cut to 77 characters plus "...".
            expected_short_message = '{0:s}...'.format(expected_message[:77])
            self._TestGetMessageStrings(
                event, expected_message, expected_short_message)

        # First sorted event: the NavLogon Logoff handler under Notify.
        check_event(0, (
            '[{0:s}\\Notify\\NavLogon] '
            'Application: NavLogon '
            'Command: NavLogon.dll '
            'Handler: NavLogoffEvent '
            'Trigger: Logoff').format(key_path))

        # Last of the 14 sorted events: the VmApplet entry on the key itself.
        check_event(13, (
            '[{0:s}] '
            'Application: VmApplet '
            'Command: SystemPropertiesPerformance.exe/pagefile '
            'Trigger: Logon').format(key_path))
  def testProcess(self):
    """Tests the Process function on created key.

    Parses a synthetic CurrentVersion key with the Winlogon plugin, checks
    that 14 events were written and then verifies the timestamp and message
    strings of two of them after sorting the events deterministically.
    """
    key_path = (
        u'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion')
    time_string = u'2013-01-30 10:47:57'
    registry_key = self._CreateTestKey(key_path, time_string)

    plugin_object = winlogon.WinlogonPlugin()
    storage_writer = self._ParseKeyWithPlugin(registry_key, plugin_object)

    self.assertEqual(len(storage_writer.events), 14)

    # Because the order the subkeys are parsed are not guaranteed we will sort
    # the events.
    # TODO: look into this.
    event_objects = sorted(
        storage_writer.events, key=lambda evt: evt.EqualityString())

    # (index into the sorted events, expected long message) pairs.
    checks = [
        (0, (u'[{0:s}\\Notify\\NavLogon] '
             u'Application: NavLogon '
             u'Command: NavLogon.dll '
             u'Handler: NavLogoffEvent '
             u'Trigger: Logoff').format(key_path)),
        (13, (u'[{0:s}] '
              u'Application: VmApplet '
              u'Command: SystemPropertiesPerformance.exe/pagefile '
              u'Trigger: Logon').format(key_path)),
    ]

    for index, expected_message in checks:
      event_object = event_objects[index]

      # Both events are expected to carry the time the test key was created with.
      expected_timestamp = timelib.Timestamp.CopyFromString(time_string)
      self.assertEqual(event_object.timestamp, expected_timestamp)

      # The short message is the long one cut to 77 characters plus "...".
      expected_short_message = u'{0:s}...'.format(expected_message[0:77])
      self._TestGetMessageStrings(
          event_object, expected_message, expected_short_message)
    def testProcess(self):
        """Tests the Process function on created key.

        Parses a synthetic CurrentVersion key with the Winlogon plugin, checks
        the event count and then verifies the timestamp and message strings
        of two events picked by position from the sorted event list.
        """
        key_path = (
            u'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion'
        )
        time_string = u'2013-01-30 10:47:57'
        registry_key = self._CreateTestKey(key_path, time_string)

        plugin = winlogon.WinlogonPlugin()
        storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

        self.assertEqual(storage_writer.number_of_events, 14)

        events = list(storage_writer.GetSortedEvents())

        def check_event(index, expected_message):
            """Checks the timestamp and message strings of events[index]."""
            event = events[index]

            expected_timestamp = timelib.Timestamp.CopyFromString(time_string)
            self.assertEqual(event.timestamp, expected_timestamp)

            # The short message is the long one cut to 77 characters plus "...".
            expected_short_message = u'{0:s}...'.format(expected_message[:77])
            self._TestGetMessageStrings(
                event, expected_message, expected_short_message)

        # NOTE(review): the indices below depend on the ordering produced by
        # GetSortedEvents(); a change to its sort keys would shift them.
        check_event(3, (u'[{0:s}\\Notify\\NavLogon] '
                        u'Application: NavLogon '
                        u'Command: NavLogon.dll '
                        u'Handler: NavLogoffEvent '
                        u'Trigger: Logoff').format(key_path))

        check_event(2, (u'[{0:s}] '
                        u'Application: VmApplet '
                        u'Command: SystemPropertiesPerformance.exe/pagefile '
                        u'Trigger: Logon').format(key_path))