plaso.parsers.winreg_plugins package¶

Submodules¶

plaso.parsers.winreg_plugins.amcache module¶

Windows Registry plugin to parse the AMCache.hve Root key.

class plaso.parsers.winreg_plugins.amcache.AMCacheFileEventData[source]¶

Bases: plaso.containers.events.EventData

AMCache file event data.

company_name¶

company name that created product file belongs to.

Type: str

file_description¶

description of file.

Type: str

file_reference¶

file system file reference, for example 9-1 (MFT entry - sequence number).

Type: str

file_size¶

size of file in bytes.

Type: int

file_version¶

version of file.

Type: str

full_path¶

full path of file.

Type: str

language_code¶

language code of file.

Type: int

product_name¶

product name file belongs to.

Type: str

program_identifier¶

GUID of entry under Root/Program key file belongs to.

Type: str

sha1¶

SHA-1 of file.

Type: str

DATA_TYPE = 'windows:registry:amcache'¶

class plaso.parsers.winreg_plugins.amcache.AMCachePlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

AMCache.hve Windows Registry plugin.

DATA_FORMAT = 'AMCache (AMCache.hve)'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'amcache'¶

class plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData[source]¶

Bases: plaso.containers.events.EventData

AMCache programs event data.

entry_type¶

type of entry (usually AddRemoveProgram).

Type: str

file_paths¶

file paths of installed program.

Type: str

files¶

list of files belonging to program.

Type: str

language_code¶

language_code of program.

Type: int

msi_package_code¶

MSI package code of program.

Type: str

msi_product_code¶

MSI product code of program.

Type: str

name¶

name of installed program.

Type: str

package_code¶

package code of program.

Type: str

product_code¶

product code of program.

Type: str

publisher¶

publisher of program.

Type: str

uninstall_key¶

unicode string of uninstall registry key for program.

Type: str

version¶

version of program.

Type: str

DATA_TYPE = 'windows:registry:amcache:programs'¶

plaso.parsers.winreg_plugins.appcompatcache module¶

Windows Registry plugin to parse the Application Compatibility Cache key.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheCachedEntry[source]¶

Bases: object

Application Compatibility Cache cached entry.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData[source]¶

Bases: plaso.containers.events.EventData

Application Compatibility Cache event data.

entry_index¶

cache entry index number for the record.

Type: int

key_path¶

Windows Registry key path.

Type: str

offset¶

offset of the Application Compatibility Cache entry relative to the start of the Windows Registry value data, from which the event data was extracted.

Type: int

path¶

full path to the executable.

Type: str

DATA_TYPE = 'windows:registry:appcompatcache'¶

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheHeader[source]¶

Bases: object

Application Compatibility Cache header.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Application Compatibility Cache data Windows Registry plugin.

DATA_FORMAT = 'Application Compatibility Cache Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ParseError – if the value data could not be parsed.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'appcompatcache'¶

plaso.parsers.winreg_plugins.bagmru module¶

This file contains BagMRU Windows Registry plugins (shellbags).

class plaso.parsers.winreg_plugins.bagmru.BagMRUEventData[source]¶

Bases: plaso.containers.events.EventData

BagMRU event data attribute container.

entries¶

most recently used (MRU) entries.

Type: str

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:bagmru'¶

class plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Class that defines a BagMRU Windows Registry plugin.

DATA_FORMAT = 'BagMRU (or ShellBags) Registry data'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'bagmru'¶

plaso.parsers.winreg_plugins.bam module¶

Windows Registry plugin to parse the Background Activity Moderator keys.

class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventData[source]¶

Bases: plaso.containers.events.EventData

Background Activity Moderator event data.

binary_path¶

binary executed.

Type: str

user_sid¶

user SID associated with entry.

Type: str

DATA_TYPE = 'windows:registry:bam'¶

class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Background Activity Moderator data Windows Registry plugin.

DATA_FORMAT = 'Background Activity Moderator (BAM) Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ParseError – if the value data could not be parsed.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'bam'¶

plaso.parsers.winreg_plugins.ccleaner module¶

Parser for the CCleaner Registry key.

class plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventData[source]¶

Bases: plaso.containers.events.EventData

CCleaner configuration event data.

configuration¶

CCleaner configuration.

Type: str

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'ccleaner:configuration'¶

class plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Gathers the CCleaner Keys for NTUSER hive.

Known Windows Registry values within the CCleaner key: * (App)Cookies [REG_SZ], contains “True” if the cookies should be cleaned; * (App)Delete Index.dat files [REG_SZ] * (App)History [REG_SZ] * (App)Last Download Location [REG_SZ] * (App)Other Explorer MRUs [REG_SZ] * (App)Recent Documents [REG_SZ] * (App)Recently Typed URLs [REG_SZ] * (App)Run (in Start Menu) [REG_SZ] * (App)Temporary Internet Files [REG_SZ] * (App)Thumbnail Cache [REG_SZ] * CookiesToSave [REG_SZ] * UpdateKey [REG_SZ], contains a date and time formatted as:

“MM/DD/YYYY hh:mm:ss [A|P]M”, for example “07/13/2013 10:03:14 AM”;

WINDOW_HEIGHT [REG_SZ], contains the windows height in number of pixels;
WINDOW_LEFT [REG_SZ]
WINDOW_MAX [REG_SZ]
WINDOW_TOP [REG_SZ]
WINDOW_WIDTH [REG_SZ], contains the windows width in number of pixels;

Also see: http://cheeky4n6monkey.blogspot.com/2012/02/writing-ccleaner-regripper-plugin-part_05.html

DATA_FORMAT = 'CCleaner Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'ccleaner'¶

class plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData[source]¶

Bases: plaso.containers.events.EventData

CCleaner update event data.

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'ccleaner:update'¶

plaso.parsers.winreg_plugins.default module¶

The default Windows Registry plugin.

class plaso.parsers.winreg_plugins.default.DefaultPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Default plugin that extracts minimum information from every Registry key.

The default plugin will parse every Registry key that is passed to it and extract minimum information, such as a list of available values and if possible content of those values. The timestamp used is the timestamp when the Registry key was last modified.

DATA_FORMAT = 'Windows Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

NAME = 'winreg_default'¶

plaso.parsers.winreg_plugins.interface module¶

The Windows Registry plugin interface.

class plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter[source]¶

Bases: object

The Windows Registry key filter interface.

abstract Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

property key_paths¶

key paths defined by the filter.

Type: list[str]

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter(key_path)[source]¶

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

property key_paths¶: List of key paths defined by the filter.

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathPrefixFilter(key_path_prefix)[source]¶

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path prefix filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathSuffixFilter(key_path_suffix)[source]¶

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path suffix filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter(value_names)[source]¶

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key with values filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin[source]¶

Bases: plaso.parsers.plugins.BasePlugin

The Windows Registry plugin interface.

DATA_FORMAT = 'Windows Registry data'¶

abstract ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({})¶

NAME = 'winreg_plugin'¶

Process(parser_mediator, registry_key, **kwargs)[source]¶

Processes a Windows Registry key or value.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ValueError – If the Windows Registry key is not set.

UpdateChainAndProcess(parser_mediator, registry_key, **kwargs)[source]¶

Updates the parser chain and processes a Windows Registry key or value.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ValueError – If the Windows Registry key is not set.

plaso.parsers.winreg_plugins.lfu module¶

Plug-in to collect the Less Frequently Used Keys.

class plaso.parsers.winreg_plugins.lfu.BootExecutePlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the BootExecute Value from the Session Manager key.

Also see:: http://technet.microsoft.com/en-us/library/cc963230.aspx

DATA_FORMAT = 'Boot Execution Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_boot_execute'¶

class plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the Boot Verification Key.

Also see:: http://technet.microsoft.com/en-us/library/cc782537(v=ws.10).aspx

DATA_FORMAT = 'Windows boot verification Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_boot_verify'¶

class plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Boot Execute event data attribute container.

key_path¶

Windows Registry key path.

Type: str

value¶

boot execute value, contains the value obtained from the BootExecute Registry value.

Type: str

DATA_TYPE = 'windows:registry:boot_execute'¶

class plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Boot Verification event data attribute container.

image_path¶

location of the boot verification executable, contains the value obtained from the ImagePath Registry value.

Type: str

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:boot_verification'¶

plaso.parsers.winreg_plugins.mountpoints module¶

MountPoints2 Windows Registry parser plugin.

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData[source]¶

Bases: plaso.containers.events.EventData

Windows MountPoints2 event data attribute container.

key_path¶

Windows Registry key path.

Type: str

label¶

mount point label.

Type: str

name¶

name of the mount point source.

Type: str

server_name¶

name of the remote drive server or None if not set.

Type: str

share_name¶

name of the remote drive share or None if not set.

Type: str

type¶

type of the mount point source, which can be “Drive”, “Remove Drive” or “Volume”.

Type: str

DATA_TYPE = 'windows:registry:mount_points2'¶

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MountPoints2 key.

DATA_FORMAT = 'Windows Explorer mount points Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'explorer_mountpoints2'¶

plaso.parsers.winreg_plugins.mrulist module¶

This file contains a MRUList Registry plugin.

Also see: https://github.com/libyal/winreg-kb/blob/main/documentation/MRU%20keys.asciidoc

class plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Class for common MRUList Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulist.MRUListEventData[source]¶

Bases: plaso.containers.events.EventData

MRUList event data attribute container.

entries¶

most recently used (MRU) entries.

Type: str

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:mrulist'¶

class plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUList.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mrulist_shell_item_list'¶

class plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the Windows Registry key matches the filter.
Return type: bool

class plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUList.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter object>})¶

NAME = 'mrulist_string'¶

plaso.parsers.winreg_plugins.mrulistex module¶

This file contains MRUListEx Windows Registry plugins.

Also see: https://github.com/libyal/winreg-kb/blob/main/documentation/MRU%20keys.asciidoc

class plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Class for common MRUListEx Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulistex.MRUListExEventData[source]¶

Bases: plaso.containers.events.EventData

MRUListEx event data attribute container.

entries¶

most recently used (MRU) entries.

Type: str

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:mrulistex'¶

class plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mrulistex_shell_item_list'¶

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item list MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mrulistex_string_and_shell_item_list'¶

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mrulistex_string_and_shell_item'¶

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]¶

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the Windows Registry key matches the filter.
Return type: bool

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'¶

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter object>})¶

NAME = 'mrulistex_string'¶

plaso.parsers.winreg_plugins.msie_zones module¶

This file contains the MSIE zone settings plugin.

class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventData[source]¶

Bases: plaso.containers.events.EventData

MSIE zone settings event data attribute container.

key_path¶

Windows Registry key path.

Type: str

settings¶

MSIE zone settings.

Type: str

DATA_TYPE = 'windows:registry:msie_zone_settings'¶

class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MSIE zone settings.

The MSIE Feature controls are stored in the Zone specific subkeys in:: Internet SettingsZones key Internet SettingsLockdown_Zones key
Also see:: http://support.microsoft.com/kb/182569

DATA_FORMAT = 'Microsoft Internet Explorer zone settings Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'msie_zone'¶

plaso.parsers.winreg_plugins.network_drives module¶

This file contains the Network drive Registry plugin.

class plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData[source]¶

Bases: plaso.containers.events.EventData

Network drive event data attribute container.

drive_letter¶

drive letter assigned to network drive.

Type: str

key_path¶

Windows Registry key path.

Type: str

server_name¶

name of the server of the network drive.

Type: str

share_name¶

name of the share of the network drive.

Type: str

DATA_TYPE = 'windows:registry:network_drive'¶

class plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Network key.

DATA_FORMAT = 'Windows network drives Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'network_drives'¶

plaso.parsers.winreg_plugins.networks module¶

This file contains the NetworkList Registry plugin.

class plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Windows Registry plugin for parsing the NetworkList key.

DATA_FORMAT = 'Windows networks (NetworkList) Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'networks'¶

class plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData[source]¶

Bases: plaso.containers.events.EventData

Windows NetworkList event data.

connection_type¶

type of connection.

Type: str

default_gateway_mac¶

MAC address for the default gateway.

Type: str

description¶

description of the wireless connection.

Type: str

dns_suffix¶

DNS suffix.

Type: str

ssid¶

SSID of the connection.

Type: str

DATA_TYPE = 'windows:registry:network'¶

plaso.parsers.winreg_plugins.officemru module¶

“Windows Registry plugin for the Microsoft Office MRU.

class plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventData[source]¶

Bases: plaso.containers.events.EventData

Microsoft Office MRU list Windows Registry event data.

entries¶

most recently used (MRU) entries.

Type: str

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:office_mru_list'¶

class plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plugin that parses Microsoft Office MRU keys.

DATA_FORMAT = 'Microsoft Office MRU Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'microsoft_office_mru'¶

class plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData[source]¶

Bases: plaso.containers.events.EventData

Microsoft Office MRU Windows Registry event data.

key_path¶

Windows Registry key path.

Type: str

value_string¶

MRU value.

Type: str

DATA_TYPE = 'windows:registry:office_mru'¶

plaso.parsers.winreg_plugins.outlook module¶

This file contains an Outlook search MRU Registry parser.

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventData[source]¶

Bases: plaso.containers.events.EventData

Outlook search MRU event data attribute container.

entries¶

most recently used (MRU) entries.

Type: str

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:outlook_search_mru'¶

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin parsing Outlook Search MRU keys.

DATA_FORMAT = 'Microsoft Outlook search MRU Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'microsoft_outlook_mru'¶

plaso.parsers.winreg_plugins.programscache module¶

Windows Registry plugin to parse the Explorer ProgramsCache key.

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData[source]¶

Bases: plaso.containers.events.EventData

Explorer ProgramsCache event data attribute container.

entries¶

entries in the program cache.

Type: str

key_path¶

Windows Registry key path.

Type: str

known_folder_identifier¶

known folder identifier.

Type: str

value_name¶

Windows Registry value name.

Type: str

DATA_TYPE = 'windows:registry:explorer:programcache'¶

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Class that parses the Explorer ProgramsCache Registry data.

DATA_FORMAT = 'Windows Explorer Programs Cache Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'explorer_programscache'¶

plaso.parsers.winreg_plugins.run module¶

This file contains the Run/RunOnce key plugins for Plaso.

class plaso.parsers.winreg_plugins.run.AutoRunsPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing user specific auto runs.

Also see:: http://msdn.microsoft.com/en-us/library/aa376977(v=vs.85).aspx

DATA_FORMAT = 'Run and run once Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_run'¶

class plaso.parsers.winreg_plugins.run.RunKeyEventData[source]¶

Bases: plaso.containers.events.EventData

Run/RunOnce key event data attribute container.

entries¶

Run/RunOnce entries.

Type: list[str]

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:run'¶

plaso.parsers.winreg_plugins.sam_users module¶

“Windows Registry plugin for SAM Users Account information.

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData[source]¶

Bases: plaso.containers.events.EventData

Class that defines SAM users Windows Registry event data.

account_rid¶

account relative identifier (RID).

Type: int

comments¶

comments.

Type: str

fullname¶

full name.

Type: str

key_path¶

Windows Registry key path.

Type: str

login_count¶

login count.

Type: int

username¶

a string containing the username.

Type: str

DATA_TYPE = 'windows:registry:sam_users'¶

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Windows Registry plugin for SAM Users Account information.

DATA_FORMAT = 'Security Accounts Manager (SAM) users Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_sam_users'¶

plaso.parsers.winreg_plugins.services module¶

Windows drivers and services Registry key parser plugin.

class plaso.parsers.winreg_plugins.services.ServicesPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to format the Services and Drivers keys having Type and Start.

DATA_FORMAT = 'Windows drivers and services Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter object>})¶

NAME = 'windows_services'¶

class plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData[source]¶

Bases: plaso.containers.events.EventData

Windows Registry driver or service event data attribute container.

error_control¶

error control value of the Windows driver or service executable.

Type: int

image_path¶

path of the Windows driver or service executable.

Type: str

key_path¶

Windows Registry key path.

Type: str

name¶

name of the Windows driver or service.

Type: str

object_name¶

Windows service object name.

Type: str

service_dll¶

Windows service DLL.

Type: str

service_type¶

Windows driver or service type.

Type: int

start_type¶

Device or service start type.

Type: int

values¶

names and data of additional values in the key.

Type: str

DATA_TYPE = 'windows:registry:service'¶

plaso.parsers.winreg_plugins.shutdown module¶

Windows Registry plugin for parsing the last shutdown time of a system.

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData[source]¶

Bases: plaso.containers.events.EventData

Shutdown Windows Registry event data.

key_path¶

Windows Registry key path.

Type: str

value_name¶

name of the Windows Registry value.

Type: str

DATA_TYPE = 'windows:registry:shutdown'¶

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Windows Registry plugin for parsing the last shutdown time of a system.

DATA_FORMAT = 'Windows last shutdown Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a ShutdownTime Windows Registry value.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_shutdown'¶

plaso.parsers.winreg_plugins.task_scheduler module¶

This file contains the Task Scheduler Registry keys plugins.

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData[source]¶

Bases: plaso.containers.events.EventData

Task Cache event data.

key_path¶

Windows Registry key path.

Type: str

task_name¶

name of the task.

Type: str

task_identifier¶

identifier of the task.

Type: str

DATA_TYPE = 'task_scheduler:task_cache:entry'¶

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Plugin that parses a Task Cache key.

DATA_FORMAT = 'Windows Task Scheduler cache Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_task_cache'¶

plaso.parsers.winreg_plugins.terminal_server module¶

This file contains the Terminal Server client Windows Registry plugins.

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData[source]¶

Bases: plaso.containers.events.EventData

Terminal Server client connection event data attribute container.

entries¶

most recently used (MRU) entries.

Type: str

key_path¶

Windows Registry key path.

Type: str

username¶

username, provided by the UsernameHint value.

Type: str

DATA_TYPE = 'windows:registry:mstsc:connection'¶

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventData[source]¶

Bases: plaso.containers.events.EventData

Terminal Server client MRU event data attribute container.

entries¶

most recently used (MRU) entries.

Type: str

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:mstsc:mru'¶

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection MRUs keys.

DATA_FORMAT = 'Terminal Server Client Most Recently Used (MRU) Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Terminal Server Client MRU Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mstsc_rdp_mru'¶

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection keys.

DATA_FORMAT = 'Terminal Server Client Connection Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Terminal Server Client Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'mstsc_rdp'¶

plaso.parsers.winreg_plugins.timezone module¶

Plug-in to collect information about the Windows timezone settings.

class plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows timezone settings.

DATA_FORMAT = 'Windows time zone Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_timezone'¶

class plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventData[source]¶

Bases: plaso.containers.events.EventData

Timezone settings event data attribute container.

configuration¶

timezone configuration.

Type: str

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:timezone'¶

plaso.parsers.winreg_plugins.typedurls module¶

File containing a Windows Registry plugin to parse the typed URLs key.

class plaso.parsers.winreg_plugins.typedurls.TypedURLsEventData[source]¶

Bases: plaso.containers.events.EventData

Typed URLs event data attribute container.

entries¶

typed URLs or paths entries.

Type: str

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:typedurls'¶

class plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

A Windows Registry plugin for typed URLs history.

DATA_FORMAT = 'Windows Explorer typed URLs Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_typed_urls'¶

plaso.parsers.winreg_plugins.usb module¶

File containing a Windows Registry plugin to parse the USB Device key.

class plaso.parsers.winreg_plugins.usb.USBPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USB Windows Registry plugin for last connection time.

Also see:: https://msdn.microsoft.com/en-us/library/windows/hardware/jj649944%28v=vs.85%29.aspx

DATA_FORMAT = 'Windows USB device Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_usb_devices'¶

class plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData[source]¶

Bases: plaso.containers.events.EventData

Windows USB device event data attribute container.

key_path¶

Windows Registry key path.

Type: str

product¶

product of the USB device.

Type: str

serial¶

serial number of the USB device.

Type: str

subkey_name¶

name of the Windows Registry subkey.

Type: str

vendor¶

vendor of the USB device.

Type: str

DATA_TYPE = 'windows:registry:usb'¶

plaso.parsers.winreg_plugins.usbstor module¶

File containing a Windows Registry plugin to parse the USBStor key.

class plaso.parsers.winreg_plugins.usbstor.USBStorEventData[source]¶

Bases: plaso.containers.events.EventData

USBStor event data attribute container.

device_type¶

type of USB device.

Type: str

display_name¶

display name of the USB device.

Type: str

key_path¶

Windows Registry key path.

Type: str

parent_id_prefix¶

parent identifier prefix of the USB device.

Type: str

product¶

product of the USB device.

Type: str

serial¶

serial number of the USB device.

Type: str

revision¶

revision number of the USB device.

Type: str

subkey_name¶

name of the Windows Registry subkey.

Type: str

vendor¶

vendor of the USB device.

Type: str

DATA_TYPE = 'windows:registry:usbstor'¶

class plaso.parsers.winreg_plugins.usbstor.USBStorPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USBStor key plugin.

Also see: https://forensicswiki.xyz/wiki/index.php?title=USB_History_Viewing

DATA_FORMAT = 'Windows USB Plug And Play Manager USBStor Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_usbstor_devices'¶

plaso.parsers.winreg_plugins.userassist module¶

The UserAssist Windows Registry plugin.

class plaso.parsers.winreg_plugins.userassist.UserAssistPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Plugin that parses an UserAssist key.

DATA_FORMAT = 'User Assist Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>})¶

NAME = 'userassist'¶

class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData[source]¶

Bases: plaso.containers.events.EventData

UserAssist Windows Registry event data.

application_focus_count¶

application focus count.

Type: int

application_focus_duration¶

application focus duration.

Type: int

entry_index¶

entry index.

Type: int

key_path¶

Windows Registry key path.

Type: str

number_of_executions¶

number of executions.

Type: int

value_name¶

name of the Windows Registry value.

Type: str

DATA_TYPE = 'windows:registry:userassist'¶

class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter(user_assist_guid)[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter

UserAssist Windows Registry key path filter.

plaso.parsers.winreg_plugins.windows_version module¶

Plug-in to collect information about the Windows version.

class plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData[source]¶

Bases: plaso.containers.events.EventData

Windows installation event data attribute container.

build_number¶

Windows build number.

Type: str

key_path¶

Windows Registry key path.

Type: str

owner¶

registered owner.

Type: str

product_name¶

product name.

Type: str

service_pack¶

service pack.

Type: str

version¶

Windows version.

Type: str

DATA_TYPE = 'windows:registry:installation'¶

class plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows version.

DATA_FORMAT = 'Windows version (product) Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'windows_version'¶

plaso.parsers.winreg_plugins.winlogon module¶

This file contains the Winlogon Registry plugin.

class plaso.parsers.winreg_plugins.winlogon.WinlogonEventData[source]¶

Bases: plaso.containers.events.EventData

Winlogon event data attribute container.

application¶

Winlogon application.

Type: str

command¶

Winlogon command.

Type: str

handler¶

Winlogon handler.

Type: str

key_path¶

Windows Registry key path.

Type: str

trigger¶

Winlogon trigger.

Type: str

DATA_TYPE = 'windows:registry:winlogon'¶

class plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Winlogon key.

DATA_FORMAT = 'Windows log-on Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'winlogon'¶

plaso.parsers.winreg_plugins.winrar module¶

This file contains a WinRAR history Windows Registry plugin.

class plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData[source]¶

Bases: plaso.containers.events.EventData

WinRAR history event data attribute container.

entries¶

archive history entries.

Type: str

key_path¶

Windows Registry key path.

Type: str

DATA_TYPE = 'winrar:history'¶

class plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin[source]¶

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing WinRAR History keys.

DATA_FORMAT = 'WinRAR History Registry data'¶

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]¶

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})¶

NAME = 'winrar_mru'¶

Module contents¶

Imports for the Windows Registry parser.