plaso.helpers.windows package

Submodules

plaso.helpers.windows.eventlog_providers module

Windows EventLog providers helper.

class plaso.helpers.windows.eventlog_providers.WindowsEventLogProvidersHelper[source]

Bases: object

Windows EventLog providers helper.

Merge(first_event_log_provider, second_event_log_provider)[source]

Merges the information of the second Event Log provider into the first.

Parameters:
  • first_event_log_provider (EventLogProvider) – first Event Log provider.

  • second_event_log_provider (EventLogProvider) – second Event Log provider.

NormalizeMessageFiles(event_log_provider)[source]

Normalizes the message files.

Parameters:

event_log_provider (EventLogProvider) – Event Log provider.

plaso.helpers.windows.known_folders module

Windows known folders helper.

class plaso.helpers.windows.known_folders.WindowsKnownFoldersHelper[source]

Bases: object

Windows known folders helper.

classmethod GetPath(known_folder_identifier)[source]

Retrieves the path for a specific known folder identifier.

Parameters:

known_folder_identifier (str) – known folder identifier in the format “{GUID}”.

Returns:

path represented by the known folder identifier or None if not available.

Return type:

str

plaso.helpers.windows.languages module

Windows languages helper.

class plaso.helpers.windows.languages.WindowsLanguageHelper[source]

Bases: object

Windows languages helper.

classmethod GetLCIDForLanguageTag(language_tag)[source]

Retrieves the LCID for a specific language tag.

Parameters:

language_tag (str) – language tag.

Returns:

Windows NT language identifier (LCID) or None if not available.

Return type:

int

classmethod GetLanguageTagForLCID(lcid)[source]

Retrieves the language tag for a specific LCID.

Parameters:

lcid (int) – Windows NT language identifier (LCID).

Returns:

language tag or None if not available.

Return type:

str

plaso.helpers.windows.resource_files module

Windows PE/COFF resource file helper.

class plaso.helpers.windows.resource_files.WindowsResourceFileHelper[source]

Bases: object

Windows PE/COFF resource file helper.

classmethod FormatMessageStringInPEP3101(message_string)[source]

Formats a message string in Python format() (PEP 3101) style.

Parameters:

message_string (str) – message string.

Returns:

message string in Python format() (PEP 3101) style.

Return type:

str
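The helper above is documented only by its one-line docstring. To make concrete what "Python format() (PEP 3101) style" means for a Windows message-table string, here is an added, stand-alone illustration; it is not plaso's own code and does not reproduce the project's implementation. It assumes the conversion maps the 1-based insertion parameter %N to the 0-based positional field {N-1:s} and follows the Windows FormatMessage escape conventions (%% for a literal percent, %n/%r/%t for newline/carriage return/tab, %0 as end-of-message marker, %N!spec! for a parameter with a printf-style specifier). Literal braces in the source text are doubled so that text taken from an untrusted message file cannot turn into a replacement field when str.format() is applied:

```python
import re

# Windows message-table escapes (FormatMessage conventions):
#   %N, %NN       insertion parameter, 1-based
#   %N!spec!      insertion parameter with a printf-style specifier
#   %%            literal percent sign
#   %n %r %t      newline, carriage return, tab
#   %0            end-of-message marker (suppresses the trailing newline)
#   %. %! %b      literal ".", "!", space
_PLACEHOLDER_RE = re.compile(
    r'%(?:(?P<index>[1-9][0-9]?)(?:!(?P<spec>[^!]*)!)?'
    r'|(?P<escape>[%nrt0.!b]))')

_ESCAPES = {
    '%': '%', 'n': '\n', 'r': '\r', 't': '\t', '0': '',
    '.': '.', '!': '!', 'b': ' '}


def _EscapeBraces(text):
  """Doubles braces so str.format() treats them as literal text."""
  return text.replace('{', '{{').replace('}', '}}')


def ConvertMessageString(message_string):
  """Converts a Windows message-table string into PEP 3101 style.

  This is an illustrative conversion (an assumption about the helper's
  behaviour, not plaso's code): %N becomes {N-1:s}, escapes are resolved
  and everything else is kept as literal text.
  """
  output = []
  position = 0
  for match in _PLACEHOLDER_RE.finditer(message_string):
    # Text between placeholders is literal: protect any braces in it.
    output.append(_EscapeBraces(message_string[position:match.start()]))
    index = match.group('index')
    if index is not None:
      # %N is 1-based, Python positional fields are 0-based. The printf-style
      # specifier (if any) is dropped because insertion strings are already
      # text in an event record.
      output.append('{{{0:d}:s}}'.format(int(index) - 1))
    else:
      output.append(_ESCAPES[match.group('escape')])
    position = match.end()
  output.append(_EscapeBraces(message_string[position:]))
  return ''.join(output)


def FormatWindowsMessage(message_string, insertion_strings):
  """Formats a message-table string with the insertion strings of a record.

  Missing insertion strings are padded with '' so a truncated record still
  yields a message instead of an IndexError.
  """
  format_string = ConvertMessageString(message_string)
  highest_index = max(
      (int(match.group('index'))
       for match in _PLACEHOLDER_RE.finditer(message_string)
       if match.group('index')),
      default=0)
  arguments = [str(value) for value in insertion_strings]
  arguments.extend([''] * (highest_index - len(arguments)))
  return format_string.format(*arguments)


if __name__ == '__main__':
  # Constructed sample message-table string and insertion strings.
  template = 'The %1 service entered the %2 state.%n'
  print(repr(ConvertMessageString(template)))
  print(FormatWindowsMessage(template, ['Spooler', 'running']))
```

The brace escaping is the part worth keeping in mind: a message file is attacker-controllable input on a compromised host, and a literal "{0.__class__}" in it would otherwise be interpreted as a replacement field with attribute access once the string reaches str.format().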

plaso.helpers.windows.shell_folders module

Windows shell folders helper.

class plaso.helpers.windows.shell_folders.WindowsShellFoldersHelper[source]

Bases: object

Windows shell folders helper.

classmethod GetDescription(shell_folder_identifier)[source]

Retrieves the description for a specific shell folder identifier.

Parameters:

shell_folder_identifier (str) – shell folder identifier in the format “GUID”.

Returns:

description represented by the shell folder identifier or None if not available.

Return type:

str

plaso.helpers.windows.time_zones module

This file contains the Windows NT time zone definitions.

The Windows time zone names can be obtained from the following Windows Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones

The list below is based on time zone definitions from:
  • Windows 2000
  • Windows 2003
  • Windows 2008
  • Windows 2012
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows XP

and from utils/generate_windows_time_zones.py

Module contents