def _csv_open_save_mru(self, str_opensave_mru): """Extracts OpenSaveMRU containing information about opened and saved windows""" # TODO : Win XP self.logger.info("Extracting open save MRU") hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_opensave_mru) to_csv_list = [] for item in hive_list: if item[self.VALUE_NAME] != "MRUListEx": l_printable = extract_filename_from_pidlmru(item[self.VALUE_DATA]) # FIXME: (dirty) if the list is empty it's probably because the string is off by 1... if len(l_printable) == 0: # So we take away the first char to have a correct offset (modulo 2) l_printable = extract_filename_from_pidlmru(item[self.VALUE_DATA][1:]) if len(l_printable) != 0: str_printable = l_printable[-1] if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), str_printable)) else: # if the length is still 0 then don't know if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA])) with open(self.output_dir + "\\" + self.computer_name + "_opensaveMRU.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_shell_bags(self): """Extracts shellbags: size, view, icon and position for Explorer folders""" # TODO Check Vista and under self.logger.info("Extracting shell bags") paths = [r"Software\Microsoft\Windows\Shell\Bags", r"Software\Microsoft\Windows\Shell\BagMRU", r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags", r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU"] hive_list = [] for path in paths: hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path) to_csv_list = [] for item in hive_list: try: datas = decode_shellbag_itempos_data(item[self.VALUE_NAME], item[self.VALUE_DATA]) except IndexError: self.logger.error("Error in shellbag data format for " + item[self.VALUE_NAME]) datas = None if datas: for data in datas: if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE])) + tuple(data)) else: if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA])) with open(self.output_dir + "\\" + self.computer_name + "_shellbags.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_shell_bags(self): """ Extracts shellbags: size, view, icon and position of graphical windows In particular, executed graphical programs will leave a key here """ self.logger.info("Extracting shell bags") paths = [ r"Software\Microsoft\Windows\Shell\Bags", r"Software\Microsoft\Windows\Shell\BagMRU" ] paths_usrclass = [ r"Local Settings\Software\Microsoft\Windows\Shell\Bags", r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU" ] hive_list = [] for path in paths: hive_list += self._get_list_from_registry_key( registry_obj.HKEY_USERS, path) for path in paths_usrclass: hive_list += self._get_list_from_registry_key( registry_obj.HKEY_USERS, path, is_usrclass=True) to_csv_list = [ ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA") ] for item in hive_list: if "ItemPos" in item[VALUE_NAME]: try: data = decode_shellbag_itempos_data(item[VALUE_DATA]) except IndexError: self.logger.error("Error in shellbag data format for " + item[VALUE_NAME]) data = None if data: if item[KEY_VALUE_STR] == "VALUE": for data in data: for d in data: to_csv_list.append( (self.computer_name, "shellbags", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type( item[VALUE_TYPE]), d)) else: if item[KEY_VALUE_STR] == "VALUE": to_csv_list.append( (self.computer_name, "shellbags", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), item[VALUE_DATA])) with open( self.output_dir + "\\" + self.computer_name + "_shellbags" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_user_assist(self, count_offset, is_win7_or_further): """ Extracts information from UserAssist registry key which contains information about executed programs The count offset is for Windows versions before 7, where it would start at 6 """ self.logger.info("Extracting user assist") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist" count = "\Count" # logged on users users = registry_obj.RegistryKey(registry_obj.HKEY_USERS) hive_list = [] for i in xrange(users.get_number_of_sub_keys()): user = users.get_sub_key(i) user_assist_key = user.get_sub_key_by_path(path) if user_assist_key: for j in xrange(user_assist_key.get_number_of_sub_keys()): # getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:]) hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count) if is_win7_or_further: to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")] else: to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")] for item in hive_list: if item[KEY_VALUE_STR] == "VALUE": str_value_name = codecs.decode(item[VALUE_NAME], "rot_13") str_value_datatmp = item[VALUE_DATA] # some data are less than 16 bytes for some reason... if len(str_value_datatmp) < 16: to_csv_list.append((self.computer_name, "userassist", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), str_value_name)) else: if is_win7_or_further: data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset) else: data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset) to_csv_list.append((self.computer_name, "user_assist", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), str_value_name) + tuple(data)) with open(self.output_dir + "\\" + self.computer_name + "_user_assist.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _csv_user_assist(self, count_offset, is_win7_or_further): """ Extracts information from UserAssist registry key which contains information about executed programs The count offset is for Windows versions before 7, where it would start at 6 """ self.logger.info("Extracting user assist") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\\UserAssist" count = "\Count" # logged on users users = registry_obj.RegistryKey(registry_obj.HKEY_USERS) hive_list = [] for i in xrange(users.get_number_of_sub_keys()): user = users.get_sub_key(i) user_assist_key = user.get_sub_key_by_path(path) if user_assist_key: for j in xrange(user_assist_key.get_number_of_sub_keys()): # getting Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count path_no_sid = "\\".join(user_assist_key.get_sub_key(j).get_path().split("\\")[1:]) hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path_no_sid + count) if is_win7_or_further: to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_FOCUS", "DATA_LAST_EXEC")] else: to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA", "DATA_SESSION", "DATA_COUNT", "DATA_LAST_EXEC")] for item in hive_list: if item[KEY_VALUE_STR] == "VALUE": str_value_name = codecs.decode(item[VALUE_NAME], "rot_13") str_value_datatmp = item[VALUE_DATA] # some data are less than 16 bytes for some reason... if len(str_value_datatmp) < 16: to_csv_list.append((self.computer_name, "userassist", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), str_value_name)) else: if is_win7_or_further: data = csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset) else: data = csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset) to_csv_list.append((self.computer_name, "user_assist", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), str_value_name) + tuple(data)) with open(self.output_dir + "\\" + self.computer_name + "_user_assist" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_shell_bags(self): """ Extracts shellbags: size, view, icon and position of graphical windows In particular, executed graphical programs will leave a key here """ self.logger.info("Extracting shell bags") paths = [r"Software\Microsoft\Windows\Shell\Bags", r"Software\Microsoft\Windows\Shell\BagMRU"] paths_usrclass = [r"Local Settings\Software\Microsoft\Windows\Shell\Bags", r"Local Settings\Software\Microsoft\Windows\Shell\BagMRU"] hive_list = [] for path in paths: hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path) for path in paths_usrclass: hive_list += self._get_list_from_registry_key(registry_obj.HKEY_USERS, path, is_usrclass=True) to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] for item in hive_list: if "ItemPos" in item[VALUE_NAME]: try: data = decode_shellbag_itempos_data(item[VALUE_DATA]) except IndexError: self.logger.error("Error in shellbag data format for " + item[VALUE_NAME]) data = None if data: if item[KEY_VALUE_STR] == "VALUE": for data in data: for d in data: to_csv_list.append((self.computer_name, "shellbags", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), d)) else: if item[KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, "shellbags", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), item[VALUE_DATA])) with open(self.output_dir + "\\" + self.computer_name + "_shellbags" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _generate_hku_csv_list(self, to_csv_list, path, is_recursive=True): hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path, is_recursive=is_recursive) for item in hive_list: if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA]))
def _csv_open_save_mru(self, str_opensave_mru): """Extracts OpenSaveMRU containing information about files selected in the Open and Save view""" # TODO : Win XP self.logger.info("Extracting open save MRU") hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_opensave_mru) to_csv_list = [ ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA") ] for item in hive_list: if item[KEY_VALUE_STR] == 'VALUE': if item[VALUE_NAME] != "MRUListEx": pidl = shell.StringAsPIDL(item[VALUE_DATA]) path = shell.SHGetPathFromIDList(pidl) to_csv_list.append( (self.computer_name, "opensaveMRU", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), path)) with open( self.output_dir + "\\" + self.computer_name + "_opensaveMRU" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_recent_docs(self): """Extracts information about recently opened files saved location and opened date""" self.logger.info("Extracting recent docs") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path) to_csv_list = [ ("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA") ] for item in hive_list: if item[KEY_VALUE_STR] == "VALUE": if item[VALUE_NAME] != "MRUListEx": values_decoded = decode_recent_docs_mru(item[VALUE_DATA]) for value_decoded in values_decoded: to_csv_list.append( (self.computer_name, "recent_docs", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), value_decoded)) with open( self.output_dir + "\\" + self.computer_name + "_recent_docs" + self.rand_ext, "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _generate_hku_csv_list(self, to_csv_list, csv_type, path, is_recursive=True): """ Generates a generic list suitable for CSV output. Extracts information from HKEY_USERS hives. """ hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path, is_recursive=is_recursive) for item in hive_list: if item[KEY_VALUE_STR] == "VALUE": try: value_data = item[VALUE_DATA].decode('UTF-16') if '\x00' not in value_data: value_data = item[VALUE_DATA] except: value_data = item[VALUE_DATA] to_csv_list.append((self.computer_name, csv_type, item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), value_data))
def csv_shell_bags(self): """Extracts shellbags: size, view, icon and position for Explorer folders""" # TODO Check Vista and under self.logger.info("Extracting shell bags") paths = [ r"Software\Microsoft\Windows\Shell\Bags", r"Software\Microsoft\Windows\Shell\BagMRU", r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags", r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" ] hive_list = [] for path in paths: hive_list += self._get_list_from_registry_key( registry_obj.HKEY_USERS, path) to_csv_list = [] for item in hive_list: try: datas = decode_shellbag_itempos_data(item[self.VALUE_NAME], item[self.VALUE_DATA]) except IndexError: self.logger.error("Error in shellbag data format for " + item[self.VALUE_NAME]) datas = None if datas: for data in datas: if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append(( self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE])) + tuple(data)) else: if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append( (self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA])) with open( self.output_dir + "\\" + self.computer_name + "_shellbags.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _generate_hklm_csv_list(self, to_csv_list, path, is_recursive=True): hive_list = self._get_list_from_registry_key( registry_obj.HKEY_LOCAL_MACHINE, path, is_recursive=is_recursive) for item in hive_list: if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append( (self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_LOCAL_MACHINE", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA]))
def _csv_open_save_mru(self, str_opensave_mru): """Extracts OpenSaveMRU containing information about opened and saved windows""" # TODO : Win XP self.logger.info("Extracting open save MRU") hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_opensave_mru) to_csv_list = [] for item in hive_list: if item[self.VALUE_NAME] != "MRUListEx": l_printable = extract_filename_from_pidlmru( item[self.VALUE_DATA]) # FIXME: (dirty) if the list is empty it's probably because the string is off by 1... if len(l_printable) == 0: # So we take away the first char to have a correct offset (modulo 2) l_printable = extract_filename_from_pidlmru( item[self.VALUE_DATA][1:]) if len(l_printable) != 0: str_printable = l_printable[-1] if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append( (self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), str_printable)) else: # if the length is still 0 then don't know if item[self.KEY_VALUE_STR] == "VALUE": to_csv_list.append( (self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE]), item[self.VALUE_DATA])) with open( self.output_dir + "\\" + self.computer_name + "_opensaveMRU.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def csv_recent_docs(self): """Extracts information about recently opened files saved location and opened date""" self.logger.info("Extracting recent docs") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path) to_csv_list = [] for item in hive_list: if item[self.KEY_VALUE_STR] == "VALUE": if item[self.VALUE_NAME] != "MRUListEx": value_decoded = decode_recent_docs_mru(item[self.VALUE_DATA]) to_csv_list.append((self.computer_name, item[self.VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[self.VALUE_PATH], item[self.VALUE_NAME], item[self.KEY_VALUE_STR], registry_obj.get_str_type(item[self.VALUE_TYPE])) + tuple(value_decoded)) with open(self.output_dir + "\\" + self.computer_name + "_recent_docs.csv", "wb") as output: csv_writer = get_csv_writer(output) write_list_to_csv(to_csv_list, csv_writer)
def _generate_hklm_csv_list(self, to_csv_list, csv_type, path, is_recursive=True): """ Generates a generic list suitable for CSV output. Extracts information from HKEY_LOCAL_MACHINE hives. """ hive_list = self._get_list_from_registry_key(registry_obj.HKEY_LOCAL_MACHINE, path, is_recursive=is_recursive) for item in hive_list: if item[KEY_VALUE_STR] == "VALUE": to_csv_list.append((self.computer_name, csv_type, item[VALUE_LAST_WRITE_TIME], "HKEY_LOCAL_MACHINE", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), item[VALUE_DATA]))
def __get_powerpoint_mru(self, str_powerpoint_mru): """Extracts PowerPoint user mru""" # TODO : Win XP self.logger.info("Extracting PowerPoint MRU") hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_powerpoint_mru) to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] for item in hive_list: if item[KEY_VALUE_STR] == 'VALUE': if item[VALUE_NAME] != "MRUListEx": pidl = shell.StringAsPIDL(item[VALUE_DATA]) path = shell.SHGetPathFromIDList(pidl) to_csv_list.append((self.computer_name, "PowerPointMRU", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), path)) return to_csv_list
def __get_open_save_mru(self, str_opensave_mru): """Extracts OpenSaveMRU containing information about files selected in the Open and Save view""" # TODO : Win XP self.logger.info("Extracting open save MRU") hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, str_opensave_mru) to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] for item in hive_list: if item[KEY_VALUE_STR] == 'VALUE': if item[VALUE_NAME] != "MRUListEx": pidl = shell.StringAsPIDL(item[VALUE_DATA]) path = shell.SHGetPathFromIDList(pidl) to_csv_list.append((self.computer_name, "opensaveMRU", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), path)) return to_csv_list
def __get_recents_docs(self): """Extracts information about recently opened files saved location and opened date""" self.logger.info("Extracting recent docs") path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" hive_list = self._get_list_from_registry_key(registry_obj.HKEY_USERS, path) to_csv_list = [("COMPUTER_NAME", "TYPE", "LAST_WRITE_TIME", "HIVE", "KEY_PATH", "ATTR_NAME", "REG_TYPE", "ATTR_TYPE", "ATTR_DATA")] for item in hive_list: if item[KEY_VALUE_STR] == "VALUE": if item[VALUE_NAME] != "MRUListEx": values_decoded = decode_recent_docs_mru(item[VALUE_DATA]) for value_decoded in values_decoded: to_csv_list.append((self.computer_name, "recent_docs", item[VALUE_LAST_WRITE_TIME], "HKEY_USERS", item[VALUE_PATH], item[VALUE_NAME], item[KEY_VALUE_STR], registry_obj.get_str_type(item[VALUE_TYPE]), value_decoded)) return to_csv_list