plaso.parsers.winreg_plugins package

Submodules

plaso.parsers.winreg_plugins.appcompatcache module

Windows Registry plugin to parse the Application Compatibility Cache key.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheCachedEntry[source]

Bases: object

Class that contains the Application Compatibility Cache cached entry.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData[source]

Bases: plaso.containers.events.EventData

Class that defines AppCompatCache event data.

entry_index

int – cache entry index number for the record.

key_path

str – Windows Registry key path.

path

str – full path to the executable.

DATA_TYPE = u'windows:registry:appcompatcache'
class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheHeader[source]

Bases: object

Class that contains the Application Compatibility Cache header.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class that parses the Application Compatibility Cache Registry data.

DESCRIPTION = u'Parser for Application Compatibility Cache Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises:

ParseError – if the value data could not be parsed.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'appcompatcache'
URLS = [u'https://github.com/libyal/winreg-kb/blob/master/documentation/Application%20Compatibility%20Cache%20key.asciidoc']

plaso.parsers.winreg_plugins.bagmru module

This file contains BagMRU Windows Registry plugins (shellbags).

class plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class that defines a BagMRU Windows Registry plugin.

DESCRIPTION = u'Parser for BagMRU Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage=u'cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'bagmru'
URLS = [u'https://github.com/libyal/winreg-kb/blob/master/documentation/MRU%20keys.asciidoc#bagmru-key']

plaso.parsers.winreg_plugins.ccleaner module

Parser for the CCleaner Registry key.

class plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Gathers the CCleaner Keys for NTUSER hive.

DESCRIPTION = u'Parser for CCleaner Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'ccleaner'
URLS = [u'http://cheeky4n6monkey.blogspot.com/2012/02/writing-ccleaner-regripper-plugin-part_05.html']
class plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData[source]

Bases: plaso.containers.events.EventData

CCleaner update event data.

key_path

str – Windows Registry key path.

DATA_TYPE = u'ccleaner:update'

plaso.parsers.winreg_plugins.default module

The default Windows Registry plugin.

class plaso.parsers.winreg_plugins.default.DefaultPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Default plugin that extracts minimum information from every registry key.

The default plugin will parse every registry key that is passed to it and extract minimum information, such as a list of available values and if possible content of those values. The timestamp used is the timestamp when the registry key was last modified.

DESCRIPTION = u'Parser for Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
NAME = u'winreg_default'

plaso.parsers.winreg_plugins.dtfabric_plugin module

Shared functionality for dtFabric-based data format Registry plugins.

class plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Shared functionality for dtFabric-based data format Registry plugins.

A dtFabric-based data format Windows Registry parser plugin defines its data format structures in dtFabric definition file, for example “dtfabric.yaml”:

name: int32 type: integer description: 32-bit signed integer type .. attribute:: format

signed
size

4

units

bytes

— name: point3d aliases: [POINT] type: structure description: Point in 3 dimensional space. .. attribute:: byte_order

little-endian

members: - name: x

aliases: [XCOORD] data_type: int32
  • name: y data_type: int32
  • name: z data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition files contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represent the data type definition mapped to a byte stream, for example if we have the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to: * define a definition file and override _DEFINITION_FILE; * implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

plaso.parsers.winreg_plugins.interface module

The Windows Registry plugin interface.

class plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter[source]

Bases: object

Class that defines the Windows Registry key filter interface.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the keys match.
Return type:bool
key_paths

List of key paths defined by the filter.

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter(key_path)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the keys match.
Return type:bool
key_paths

List of key paths defined by the filter.

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathPrefixFilter(key_path_prefix)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path prefix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the keys match.
Return type:bool
class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathSuffixFilter(key_path_suffix)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path suffix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the keys match.
Return type:bool
class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter(value_names)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the keys match.
Return type:bool
class plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

The Windows Registry plugin interface.

DESCRIPTION = u'Parser for Windows Registry value data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([])
NAME = u'winreg_plugin'
Process(parser_mediator, registry_key, **kwargs)[source]

Processes a Windows Registry key or value.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises:

ValueError – If the Windows Registry key is not set.
URLS = []
UpdateChainAndProcess(parser_mediator, registry_key, **kwargs)[source]

Updates the parser chain and processes a Windows Registry key or value.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Raises:

ValueError – If the Windows Registry key is not set.

plaso.parsers.winreg_plugins.lfu module

Plug-in to collect the Less Frequently Used Keys.

class plaso.parsers.winreg_plugins.lfu.BootExecutePlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the BootExecute Value from the Session Manager key.

DESCRIPTION = u'Parser for Boot Execution Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'windows_boot_execute'
URLS = [u'http://technet.microsoft.com/en-us/library/cc963230.aspx']
class plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the Boot Verification Key.

DESCRIPTION = u'Parser for Boot Verification Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'windows_boot_verify'
URLS = [u'http://technet.microsoft.com/en-us/library/cc782537(v=ws.10).aspx']

plaso.parsers.winreg_plugins.mountpoints module

This file contains the MountPoints2 plugin.

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MountPoints2 key.

DESCRIPTION = u'Parser for mount points Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'explorer_mountpoints2'
URLS = [u'http://support.microsoft.com/kb/932463']

plaso.parsers.winreg_plugins.mrulist module

This file contains a MRUList Registry plugin.

class plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class for common MRUList Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUList.

DESCRIPTION = u'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage=u'cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'mrulist_shell_item_list'
URLS = [u'https://github.com/libyal/winreg-kb/wiki/MRU-keys']
class plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the Windows Registry key matches the filter.
Return type:bool
class plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUList.

DESCRIPTION = u'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage=u'cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter object>])
NAME = u'mrulist_string'
URLS = [u'http://forensicartifacts.com/tag/mru/']

plaso.parsers.winreg_plugins.mrulistex module

This file contains MRUListEx Windows Registry plugins.

class plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class for common MRUListEx Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUListEx.

DESCRIPTION = u'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage=u'cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'mrulistex_shell_item_list'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item list MRUListEx.

DESCRIPTION = u'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage=u'cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'mrulistex_string_and_shell_item_list'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item MRUListEx.

DESCRIPTION = u'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage=u'cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'mrulistex_string_and_shell_item'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters:registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns:True if the Windows Registry key matches the filter.
Return type:bool
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUListEx.

DESCRIPTION = u'Parser for Most Recently Used (MRU) Registry data.'
ExtractEvents(parser_mediator, registry_key, codepage=u'cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
  • codepage (Optional[str]) – extended ASCII string codepage.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter object>])
NAME = u'mrulistex_string'
URLS = [u'http://forensicartifacts.com/2011/02/recentdocs/', u'https://github.com/libyal/winreg-kb/wiki/MRU-keys']

plaso.parsers.winreg_plugins.msie_zones module

This file contains the MSIE zone settings plugin.

class plaso.parsers.winreg_plugins.msie_zones.MsieZoneSettingsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MSIE Zones settings.

The MSIE Feature controls are stored in the Zone specific subkeys in:
Internet SettingsZones key Internet SettingsLockdown_Zones key
DESCRIPTION = u'Parser for Internet Explorer zone settings Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'msie_zone'
URLS = [u'http://support.microsoft.com/kb/182569']

plaso.parsers.winreg_plugins.network_drives module

This file contains the Network registry plugin.

class plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Network key.

DESCRIPTION = u'Parser for Network Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'network_drives'

plaso.parsers.winreg_plugins.networks module

This file contains the NetworkList registry plugin.

class plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for parsing the NetworkList key.

DESCRIPTION = u'Parser for NetworkList data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'networks'
class plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkEventData[source]

Bases: plaso.containers.events.EventData

Windows network event data.

connection_type

str – type of connection.

default_gateway_mac

str – MAC address for the default gateway.

description

str – description of the wireless connection.

dns_suffix

str – DNS suffix.

ssid

str – SSID of the connection.

DATA_TYPE = u'windows:registry:network'

plaso.parsers.winreg_plugins.officemru module

“Windows Registry plugin for the Microsoft Office MRU.

class plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plugin that parses Microsoft Office MRU keys.

DESCRIPTION = u'Parser for Microsoft Office MRU Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'microsoft_office_mru'
class plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Microsoft Office MRU Windows Registry event data.

key_path

str – Windows Registry key path.

value_string

str – MRU value.

DATA_TYPE = u'windows:registry:office_mru'

plaso.parsers.winreg_plugins.outlook module

This file contains an Outlook Registry parser.

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin parsing Outlook Search MRU keys.

DESCRIPTION = u'Parser for Microsoft Outlook search MRU Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'microsoft_outlook_mru'

plaso.parsers.winreg_plugins.programscache module

Windows Registry plugin to parse the Explorer ProgramsCache key.

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class that parses the Explorer ProgramsCache Registry data.

DESCRIPTION = u'Parser for Explorer ProgramsCache Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'explorer_programscache'
URLS = [u'https://github.com/libyal/winreg-kb/blob/master/documentation/Programs%20Cache%20values.asciidoc']

plaso.parsers.winreg_plugins.run module

This file contains the Run/RunOnce Key plugins for Plaso.

class plaso.parsers.winreg_plugins.run.AutoRunsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing user specific auto runs.

DESCRIPTION = u'Parser for run and run once Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'windows_run'
URLS = [u'http://msdn.microsoft.com/en-us/library/aa376977(v=vs.85).aspx']

plaso.parsers.winreg_plugins.sam_users module

“Windows Registry plugin for SAM Users Account information.

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Class that defines SAM users Windows Registry event data.

account_rid

int – account relative identifier (RID).

comments

str – comments.

fullname

str – full name.

key_path

str – Windows Registry key path.

login_count

int – login count.

username

str – a string containing the username.

DATA_TYPE = u'windows:registry:sam_users'
class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for SAM Users Account information.

DESCRIPTION = u'Parser for SAM Users and Names Registry keys.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'windows_sam_users'

plaso.parsers.winreg_plugins.services module

Plug-in to format the Services and Drivers key with Start and Type values.

class plaso.parsers.winreg_plugins.services.ServicesPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to format the Services and Drivers keys having Type and Start.

DESCRIPTION = u'Parser for services and drivers Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter object>])
GetServiceDll(key)[source]

Get the Service DLL for a service, if it exists.

Checks for a ServiceDLL for in the Parameters subkey of a service key in the Registry.

Parameters:key (dfwinreg.WinRegistryKey) – a Windows Registry key.
Returns:path of the service DLL or None.
Return type:str
NAME = u'windows_services'
URLS = [u'http://support.microsoft.com/kb/103000']

plaso.parsers.winreg_plugins.shutdown module

Windows Registry plugin for parsing the last shutdown time of a system.

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Shutdown Windows Registry event data.

key_path

str – Windows Registry key path.

value_name

str – name of the Windows Registry value.

DATA_TYPE = u'windows:registry:shutdown'
class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for parsing the last shutdown time of a system.

DESCRIPTION = u'Parser for ShutdownTime Registry value.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a ShutdownTime Windows Registry value.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'windows_shutdown'

plaso.parsers.winreg_plugins.task_scheduler module

This file contains the Task Scheduler Registry keys plugins.

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData[source]

Bases: plaso.containers.events.EventData

Task Cache event data.

task_name

str – name of the task.

task_identifier

str – identifier of the task.

DATA_TYPE = u'task_scheduler:task_cache:entry'
class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Plugin that parses a Task Cache key.

DESCRIPTION = u'Parser for Task Scheduler cache Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'windows_task_cache'
URLS = [u'https://github.com/libyal/winreg-kb/blob/master/documentation/Task%20Scheduler%20Keys.asciidoc']

plaso.parsers.winreg_plugins.terminal_server module

This file contains the Terminal Server Registry plugins.

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection MRUs keys.

DESCRIPTION = u'Parser for Terminal Server Client MRU Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Terminal Server Client MRU Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'mstsc_rdp_mru'
class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection keys.

DESCRIPTION = u'Parser for Terminal Server Client Connection Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Terminal Server Client Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'mstsc_rdp'

plaso.parsers.winreg_plugins.timezone module

Plug-in to collect information about the Windows timezone settings.

class plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows timezone settings.

DESCRIPTION = u'Parser for Windows timezone settings.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'windows_timezone'

plaso.parsers.winreg_plugins.typedurls module

File containing a Windows Registry plugin to parse the typed URLs key.

class plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

A Windows Registry plugin for typed URLs history.

DESCRIPTION = u'Parser for Explorer typed URLs Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'windows_typed_urls'

plaso.parsers.winreg_plugins.usb module

File containing a Windows Registry plugin to parse the USB Device key.

class plaso.parsers.winreg_plugins.usb.USBPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USB Windows Registry plugin for last connection time.

DESCRIPTION = u'Parser for USB device Registry entries.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'windows_usb_devices'
URLS = [u'https://msdn.microsoft.com/en-us/library/windows/hardware/jj649944%28v=vs.85%29.aspx']

plaso.parsers.winreg_plugins.usbstor module

File containing a Windows Registry plugin to parse the USBStor key.

class plaso.parsers.winreg_plugins.usbstor.USBStorPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USBStor key plugin.

DESCRIPTION = u'Parser for USB Plug And Play Manager USBStor Registry Key.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'windows_usbstor_devices'
URLS = [u'http://www.forensicswiki.org/wiki/USB_History_Viewing']

plaso.parsers.winreg_plugins.userassist module

The UserAssist Windows Registry plugin.

class plaso.parsers.winreg_plugins.userassist.UserAssistPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Plugin that parses an UserAssist key.

DESCRIPTION = u'Parser for User Assist Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>])
NAME = u'userassist'
URLS = [u'http://blog.didierstevens.com/programs/userassist/', u'https://code.google.com/p/winreg-kb/wiki/UserAssistKeys', u'http://intotheboxes.files.wordpress.com/2010/04/intotheboxes_2010_q1.pdf']
class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

UserAssist Windows Registry event data.

application_focus_count

int – application focus count.

application_focus_duration

int – application focus duration.

entry_index

int – entry index.

key_path

str – Windows Registry key path.

number_of_executions

int – nubmer of executions.

regvalue

dict[str, str] – UserAssist values.

value_name

str – name of the Windows Registry value.

DATA_TYPE = u'windows:registry:userassist'
class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter(user_assist_guid)[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter

UserAssist Windows Registry key path filter.

plaso.parsers.winreg_plugins.windows_version module

Plug-in to collect information about the Windows version.

class plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows version.

DESCRIPTION = u'Parser for Windows version Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'windows_version'

plaso.parsers.winreg_plugins.winlogon module

This file contains the Winlogon Registry plugin.

class plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Winlogon key.

DESCRIPTION = u'Parser for winlogon Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'winlogon'

plaso.parsers.winreg_plugins.winrar module

This file contains a Windows Registry plugin for WinRAR Registry key.

class plaso.parsers.winreg_plugins.winrar.WinRarHistoryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing WinRAR History keys.

DESCRIPTION = u'Parser for WinRAR History Registry data.'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters:
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
FILTERS = frozenset([<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>])
NAME = u'winrar_mru'

Module contents

Imports for the Windows Registry parser.