Source code for plaso.parsers.winreg_plugins.run

"""This file contains the Run/RunOnce key plugins for Plaso."""

from plaso.containers import events
from plaso.parsers import winreg_parser
from plaso.parsers.winreg_plugins import interface




class RunKeyEventData(events.EventData):
    """Run/RunOnce key event data attribute container.

    Attributes:
      entries (list[str]): Run/RunOnce entries.
      key_path (str): Windows Registry key path.
      last_written_time (dfdatetime.DateTimeValues): entry last written date and
          time.
    """

    DATA_TYPE = "windows:registry:run"



    def __init__(self):
        """Initializes event data."""
        super().__init__(data_type=self.DATA_TYPE)
        self.entries = None
        self.key_path = None
        self.last_written_time = None






class AutoRunsPlugin(interface.WindowsRegistryPlugin):
    """Windows Registry plugin for parsing user specific auto runs."""

    NAME = "windows_run"
    DATA_FORMAT = "Run and run once Registry data"

    FILTERS = frozenset(
        [
            interface.WindowsRegistryKeyPathFilter(
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\"
                "Run"
            ),
            interface.WindowsRegistryKeyPathFilter(
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\"
                "RunOnce"
            ),
            interface.WindowsRegistryKeyPathFilter(
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\"
                "Run"
            ),
            interface.WindowsRegistryKeyPathFilter(
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\"
                "RunOnce"
            ),
            interface.WindowsRegistryKeyPathFilter(
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\"
                "RunOnce\\Setup"
            ),
            interface.WindowsRegistryKeyPathFilter(
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\"
                "RunServices"
            ),
            interface.WindowsRegistryKeyPathFilter(
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\"
                "RunServicesOnce"
            ),
        ]
    )



    def ExtractEvents(self, parser_mediator, registry_key, **kwargs):
        """Extracts events from a Windows Registry key.

        Args:
          parser_mediator (ParserMediator): mediates interactions between parsers
              and other components, such as storage and dfVFS.
          registry_key (dfwinreg.WinRegistryKey): Windows Registry key.
        """
        entries = []
        for registry_value in registry_key.GetValues():
            # Ignore the default value.
            if not registry_value.name:
                continue

            # Ignore any value that is empty or that does not contain a string.
            if not registry_value.data or not registry_value.DataIsString():
                continue

            value_data = registry_value.GetDataAsObject()

            entries.append(f"{registry_value.name:s}: {value_data:s}")

        event_data = RunKeyEventData()
        event_data.entries = sorted(entries)
        event_data.key_path = registry_key.path
        event_data.last_written_time = registry_key.last_written_time

        parser_mediator.ProduceEventData(event_data)




winreg_parser.WinRegistryParser.RegisterPlugin(AutoRunsPlugin)