plaso.parsers.winreg_plugins package

Submodules

plaso.parsers.winreg_plugins.amcache module

Windows Registry plugin to parse the AMCache.hve Root key.

class plaso.parsers.winreg_plugins.amcache.AMCacheFileEventData[source]

Bases: plaso.containers.events.EventData

AMCache file event data.

company_name

company name that created product file belongs to.

Type: str

file_description

description of file.

Type: str

file_reference

file system file reference, for example 9-1 (MFT entry - sequence number).

Type: str

file_size

size of file in bytes.

Type: int

file_version

version of file.

Type: str

full_path

full path of file.

Type: str

language_code

language code of file.

Type: int

product_name

product name file belongs to.

Type: str

program_identifier

GUID of entry under Root/Program key file belongs to.

Type: str

sha1

SHA-1 of file.

Type: str

DATA_TYPE = 'windows:registry:amcache'

class plaso.parsers.winreg_plugins.amcache.AMCachePlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

AMCache.hve Windows Registry plugin.

DATA_FORMAT = 'AMCache (AMCache.hve)'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'amcache'

class plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData[source]

Bases: plaso.containers.events.EventData

AMCache programs event data.

entry_type

type of entry (usually AddRemoveProgram).

Type: str

file_paths

file paths of installed program.

Type: str

files

list of files belonging to program.

Type: str

language_code

language_code of program.

Type: int

msi_package_code

MSI package code of program.

Type: str

msi_product_code

MSI product code of program.

Type: str

name

name of installed program.

Type: str

package_code

package code of program.

Type: str

product_code

product code of program.

Type: str

publisher

publisher of program.

Type: str

uninstall_key

unicode string of uninstall registry key for program.

Type: str

version

version of program.

Type: str

DATA_TYPE = 'windows:registry:amcache:programs'

plaso.parsers.winreg_plugins.appcompatcache module

Windows Registry plugin to parse the Application Compatibility Cache key.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheCachedEntry[source]

Bases: object

Application Compatibility Cache cached entry.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData[source]

Bases: plaso.containers.events.EventData

Application Compatibility Cache event data.

entry_index

cache entry index number for the record.

Type: int

key_path

Windows Registry key path.

Type: str

offset

offset of the Application Compatibility Cache entry relative to the start of the Windows Registry value data, from which the event data was extracted.

Type: int

path

full path to the executable.

Type: str

DATA_TYPE = 'windows:registry:appcompatcache'

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheHeader[source]

Bases: object

Application Compatibility Cache header.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Application Compatibility Cache data Windows Registry plugin.

DATA_FORMAT = 'Application Compatibility Cache Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ParseError – if the value data could not be parsed.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'appcompatcache'

plaso.parsers.winreg_plugins.bagmru module

This file contains BagMRU Windows Registry plugins (shellbags).

class plaso.parsers.winreg_plugins.bagmru.BagMRUEventData[source]

Bases: plaso.containers.events.EventData

BagMRU event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:bagmru'

class plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Class that defines a BagMRU Windows Registry plugin.

DATA_FORMAT = 'BagMRU (or ShellBags) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'bagmru'

plaso.parsers.winreg_plugins.bam module

Windows Registry plugin to parse the Background Activity Moderator keys.

class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventData[source]

Bases: plaso.containers.events.EventData

Background Activity Moderator event data.

binary_path

binary executed.

Type: str

user_sid

user SID associated with entry.

Type: str

DATA_TYPE = 'windows:registry:bam'

class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Background Activity Moderator data Windows Registry plugin.

DATA_FORMAT = 'Background Activity Moderator (BAM) Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ParseError – if the value data could not be parsed.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'bam'

plaso.parsers.winreg_plugins.ccleaner module

Parser for the CCleaner Registry key.

class plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventData[source]

Bases: plaso.containers.events.EventData

CCleaner configuration event data.

configuration

CCleaner configuration.

Type: str

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'ccleaner:configuration'

class plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Gathers the CCleaner Keys for NTUSER hive.

Known Windows Registry values within the CCleaner key: * (App)Cookies [REG_SZ], contains “True” if the cookies should be cleaned; * (App)Delete Index.dat files [REG_SZ] * (App)History [REG_SZ] * (App)Last Download Location [REG_SZ] * (App)Other Explorer MRUs [REG_SZ] * (App)Recent Documents [REG_SZ] * (App)Recently Typed URLs [REG_SZ] * (App)Run (in Start Menu) [REG_SZ] * (App)Temporary Internet Files [REG_SZ] * (App)Thumbnail Cache [REG_SZ] * CookiesToSave [REG_SZ] * UpdateKey [REG_SZ], contains a date and time formatted as:

“MM/DD/YYYY hh:mm:ss [A|P]M”, for example “07/13/2013 10:03:14 AM”;

WINDOW_HEIGHT [REG_SZ], contains the windows height in number of pixels;
WINDOW_LEFT [REG_SZ]
WINDOW_MAX [REG_SZ]
WINDOW_TOP [REG_SZ]
WINDOW_WIDTH [REG_SZ], contains the windows width in number of pixels;

Also see: http://cheeky4n6monkey.blogspot.com/2012/02/writing-ccleaner-regripper-plugin-part_05.html

DATA_FORMAT = 'CCleaner Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'ccleaner'

class plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData[source]

Bases: plaso.containers.events.EventData

CCleaner update event data.

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'ccleaner:update'

plaso.parsers.winreg_plugins.default module

The default Windows Registry plugin.

class plaso.parsers.winreg_plugins.default.DefaultPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Default plugin that extracts minimum information from every Registry key.

The default plugin will parse every Registry key that is passed to it and extract minimum information, such as a list of available values and if possible content of those values. The timestamp used is the timestamp when the Registry key was last modified.

DATA_FORMAT = 'Windows Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

NAME = 'winreg_default'

plaso.parsers.winreg_plugins.interface module

The Windows Registry plugin interface.

class plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter[source]

Bases: object

The Windows Registry key filter interface.

abstract Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

property key_paths

key paths defined by the filter.

Type: list[str]

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter(key_path)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

property key_paths: List of key paths defined by the filter.

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathPrefixFilter(key_path_prefix)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path prefix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathSuffixFilter(key_path_suffix)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path suffix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter(value_names)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

The Windows Registry plugin interface.

DATA_FORMAT = 'Windows Registry data'

abstract ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({})

NAME = 'winreg_plugin'

Process(parser_mediator, registry_key, **kwargs)[source]

Processes a Windows Registry key or value.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ValueError – If the Windows Registry key is not set.

UpdateChainAndProcess(parser_mediator, registry_key, **kwargs)[source]

Updates the parser chain and processes a Windows Registry key or value.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ValueError – If the Windows Registry key is not set.

plaso.parsers.winreg_plugins.lfu module

Plug-in to collect the Less Frequently Used Keys.

class plaso.parsers.winreg_plugins.lfu.BootExecutePlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the BootExecute Value from the Session Manager key.

DATA_FORMAT = 'Boot Execution Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_boot_execute'

class plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the Boot Verification Key.

DATA_FORMAT = 'Windows boot verification Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_boot_verify'

class plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventData[source]

Bases: plaso.containers.events.EventData

Windows Boot Execute event data attribute container.

key_path

Windows Registry key path.

Type: str

value

boot execute value, contains the value obtained from the BootExecute Registry value.

Type: str

DATA_TYPE = 'windows:registry:boot_execute'

class plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventData[source]

Bases: plaso.containers.events.EventData

Windows Boot Verification event data attribute container.

image_path

location of the boot verification executable, contains the value obtained from the ImagePath Registry value.

Type: str

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:boot_verification'

plaso.parsers.winreg_plugins.mountpoints module

MountPoints2 Windows Registry parser plugin.

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData[source]

Bases: plaso.containers.events.EventData

Windows MountPoints2 event data attribute container.

key_path

Windows Registry key path.

Type: str

label

mount point label.

Type: str

name

name of the mount point source.

Type: str

server_name

name of the remote drive server or None if not set.

Type: str

share_name

name of the remote drive share or None if not set.

Type: str

type

type of the mount point source, which can be “Drive”, “Remove Drive” or “Volume”.

Type: str

DATA_TYPE = 'windows:registry:mount_points2'

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MountPoints2 key.

DATA_FORMAT = 'Windows Explorer mount points Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'explorer_mountpoints2'

plaso.parsers.winreg_plugins.mrulist module

This file contains a MRUList Registry plugin.

Also see: https://winreg-kb.readthedocs.io/en/latest/sources/explorer-keys/Most-recently-used.html

class plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Class for common MRUList Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulist.MRUListEventData[source]

Bases: plaso.containers.events.EventData

MRUList event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:mrulist'

class plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUList.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mrulist_shell_item_list'

class plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the Windows Registry key matches the filter.
Return type: bool

class plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUList.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter object>})

NAME = 'mrulist_string'

plaso.parsers.winreg_plugins.mrulistex module

This file contains MRUListEx Windows Registry plugins.

Also see: https://winreg-kb.readthedocs.io/en/latest/sources/explorer-keys/Most-recently-used.html

class plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Class for common MRUListEx Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulistex.MRUListExEventData[source]

Bases: plaso.containers.events.EventData

MRUListEx event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:mrulistex'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mrulistex_shell_item_list'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item list MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mrulistex_string_and_shell_item_list'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mrulistex_string_and_shell_item'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the Windows Registry key matches the filter.
Return type: bool

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter object>})

NAME = 'mrulistex_string'

plaso.parsers.winreg_plugins.msie_zones module

This file contains the MSIE zone settings plugin.

class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventData[source]

Bases: plaso.containers.events.EventData

MSIE zone settings event data attribute container.

key_path

Windows Registry key path.

Type: str

settings

MSIE zone settings.

Type: str

DATA_TYPE = 'windows:registry:msie_zone_settings'

class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MSIE zone settings.

The MSIE Feature controls are stored in the Zone specific subkeys in:: Internet SettingsZones key Internet SettingsLockdown_Zones key

DATA_FORMAT = 'Microsoft Internet Explorer zone settings Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'msie_zone'

plaso.parsers.winreg_plugins.network_drives module

This file contains the Network drive Registry plugin.

class plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData[source]

Bases: plaso.containers.events.EventData

Network drive event data attribute container.

drive_letter

drive letter assigned to network drive.

Type: str

key_path

Windows Registry key path.

Type: str

server_name

name of the server of the network drive.

Type: str

share_name

name of the share of the network drive.

Type: str

DATA_TYPE = 'windows:registry:network_drive'

class plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Network key.

DATA_FORMAT = 'Windows network drives Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'network_drives'

plaso.parsers.winreg_plugins.networks module

This file contains the NetworkList Registry plugin.

class plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Windows Registry plugin for parsing the NetworkList key.

DATA_FORMAT = 'Windows networks (NetworkList) Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'networks'

class plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData[source]

Bases: plaso.containers.events.EventData

Windows NetworkList event data.

connection_type

type of connection.

Type: str

default_gateway_mac

MAC address for the default gateway.

Type: str

description

description of the wireless connection.

Type: str

dns_suffix

DNS suffix.

Type: str

ssid

SSID of the connection.

Type: str

DATA_TYPE = 'windows:registry:network'

plaso.parsers.winreg_plugins.officemru module

Windows Registry plugin for the Microsoft Office MRU.

class plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Microsoft Office MRU list Windows Registry event data.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:office_mru_list'

class plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plugin that parses Microsoft Office MRU keys.

DATA_FORMAT = 'Microsoft Office MRU Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'microsoft_office_mru'

class plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Microsoft Office MRU Windows Registry event data.

key_path

Windows Registry key path.

Type: str

value_string

MRU value.

Type: str

DATA_TYPE = 'windows:registry:office_mru'

plaso.parsers.winreg_plugins.outlook module

This file contains an Outlook search MRU Registry parser.

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventData[source]

Bases: plaso.containers.events.EventData

Outlook search MRU event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:outlook_search_mru'

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin parsing Outlook Search MRU keys.

DATA_FORMAT = 'Microsoft Outlook search MRU Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'microsoft_outlook_mru'

plaso.parsers.winreg_plugins.programscache module

Windows Registry plugin to parse the Explorer ProgramsCache key.

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData[source]

Bases: plaso.containers.events.EventData

Explorer ProgramsCache event data attribute container.

entries

entries in the program cache.

Type: str

key_path

Windows Registry key path.

Type: str

known_folder_identifier

known folder identifier.

Type: str

value_name

Windows Registry value name.

Type: str

DATA_TYPE = 'windows:registry:explorer:programcache'

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Class that parses the Explorer ProgramsCache Registry data.

DATA_FORMAT = 'Windows Explorer Programs Cache Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'explorer_programscache'

plaso.parsers.winreg_plugins.run module

This file contains the Run/RunOnce key plugins for Plaso.

class plaso.parsers.winreg_plugins.run.AutoRunsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing user specific auto runs.

DATA_FORMAT = 'Run and run once Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_run'

class plaso.parsers.winreg_plugins.run.RunKeyEventData[source]

Bases: plaso.containers.events.EventData

Run/RunOnce key event data attribute container.

entries

Run/RunOnce entries.

Type: list[str]

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:run'

plaso.parsers.winreg_plugins.sam_users module

“Windows Registry plugin for SAM Users Account information.

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Class that defines SAM users Windows Registry event data.

account_rid

account relative identifier (RID).

Type: int

comments

comments.

Type: str

fullname

full name.

Type: str

key_path

Windows Registry key path.

Type: str

login_count

login count.

Type: int

username

a string containing the username.

Type: str

DATA_TYPE = 'windows:registry:sam_users'

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Windows Registry plugin for SAM Users Account information.

DATA_FORMAT = 'Security Accounts Manager (SAM) users Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_sam_users'

plaso.parsers.winreg_plugins.services module

Windows drivers and services Registry key parser plugin.

class plaso.parsers.winreg_plugins.services.ServicesPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to format the Services and Drivers keys having Type and Start.

DATA_FORMAT = 'Windows drivers and services Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter object>})

NAME = 'windows_services'

class plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData[source]

Bases: plaso.containers.events.EventData

Windows Registry driver or service event data attribute container.

error_control

error control value of the Windows driver or service executable.

Type: int

image_path

path of the Windows driver or service executable.

Type: str

key_path

Windows Registry key path.

Type: str

name

name of the Windows driver or service.

Type: str

object_name

Windows service object name.

Type: str

service_dll

Windows service DLL.

Type: str

service_type

Windows driver or service type.

Type: int

start_type

Device or service start type.

Type: int

values

names and data of additional values in the key.

Type: str

DATA_TYPE = 'windows:registry:service'

plaso.parsers.winreg_plugins.shutdown module

Windows Registry plugin for parsing the last shutdown time of a system.

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Shutdown Windows Registry event data.

key_path

Windows Registry key path.

Type: str

value_name

name of the Windows Registry value.

Type: str

DATA_TYPE = 'windows:registry:shutdown'

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Windows Registry plugin for parsing the last shutdown time of a system.

DATA_FORMAT = 'Windows last shutdown Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a ShutdownTime Windows Registry value.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_shutdown'

plaso.parsers.winreg_plugins.task_scheduler module

This file contains the Task Scheduler Registry keys plugins.

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData[source]

Bases: plaso.containers.events.EventData

Task Cache event data.

key_path

Windows Registry key path.

Type: str

task_name

name of the task.

Type: str

task_identifier

identifier of the task.

Type: str

DATA_TYPE = 'task_scheduler:task_cache:entry'

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Plugin that parses a Task Cache key.

DATA_FORMAT = 'Windows Task Scheduler cache Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_task_cache'

plaso.parsers.winreg_plugins.terminal_server module

This file contains the Terminal Server client Windows Registry plugins.

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData[source]

Bases: plaso.containers.events.EventData

Terminal Server client connection event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

username

username, provided by the UsernameHint value.

Type: str

DATA_TYPE = 'windows:registry:mstsc:connection'

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventData[source]

Bases: plaso.containers.events.EventData

Terminal Server client MRU event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:mstsc:mru'

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection MRUs keys.

DATA_FORMAT = 'Terminal Server Client Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Terminal Server Client MRU Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mstsc_rdp_mru'

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection keys.

DATA_FORMAT = 'Terminal Server Client Connection Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Terminal Server Client Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mstsc_rdp'

plaso.parsers.winreg_plugins.timezone module

Plug-in to collect information about the Windows timezone settings.

class plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows timezone settings.

DATA_FORMAT = 'Windows time zone Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_timezone'

class plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventData[source]

Bases: plaso.containers.events.EventData

Timezone settings event data attribute container.

configuration

timezone configuration.

Type: str

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:timezone'

plaso.parsers.winreg_plugins.typedurls module

File containing a Windows Registry plugin to parse the typed URLs key.

class plaso.parsers.winreg_plugins.typedurls.TypedURLsEventData[source]

Bases: plaso.containers.events.EventData

Typed URLs event data attribute container.

entries

typed URLs or paths entries.

Type: str

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'windows:registry:typedurls'

class plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

A Windows Registry plugin for typed URLs history.

DATA_FORMAT = 'Windows Explorer typed URLs Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_typed_urls'

plaso.parsers.winreg_plugins.usb module

File containing a Windows Registry plugin to parse the USB Device key.

class plaso.parsers.winreg_plugins.usb.USBPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USB Windows Registry plugin for last connection time.

Also see:: https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/

DATA_FORMAT = 'Windows USB device Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_usb_devices'

class plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData[source]

Bases: plaso.containers.events.EventData

Windows USB device event data attribute container.

key_path

Windows Registry key path.

Type: str

product

product of the USB device.

Type: str

serial

serial number of the USB device.

Type: str

subkey_name

name of the Windows Registry subkey.

Type: str

vendor

vendor of the USB device.

Type: str

DATA_TYPE = 'windows:registry:usb'

plaso.parsers.winreg_plugins.usbstor module

File containing a Windows Registry plugin to parse the USBStor key.

class plaso.parsers.winreg_plugins.usbstor.USBStorEventData[source]

Bases: plaso.containers.events.EventData

USBStor event data attribute container.

device_type

type of USB device.

Type: str

display_name

display name of the USB device.

Type: str

key_path

Windows Registry key path.

Type: str

parent_id_prefix

parent identifier prefix of the USB device.

Type: str

product

product of the USB device.

Type: str

serial

serial number of the USB device.

Type: str

revision

revision number of the USB device.

Type: str

subkey_name

name of the Windows Registry subkey.

Type: str

vendor

vendor of the USB device.

Type: str

DATA_TYPE = 'windows:registry:usbstor'

class plaso.parsers.winreg_plugins.usbstor.USBStorPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USBStor key plugin.

Also see: https://forensicswiki.xyz/wiki/index.php?title=USB_History_Viewing

DATA_FORMAT = 'Windows USB Plug And Play Manager USBStor Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_usbstor_devices'

plaso.parsers.winreg_plugins.userassist module

The UserAssist Windows Registry plugin.

class plaso.parsers.winreg_plugins.userassist.UserAssistPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin, plaso.lib.dtfabric_helper.DtFabricHelper

Plugin that parses an UserAssist key.

DATA_FORMAT = 'User Assist Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>})

NAME = 'userassist'

class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

UserAssist Windows Registry event data.

application_focus_count

application focus count.

Type: int

application_focus_duration

application focus duration.

Type: int

entry_index

entry index.

Type: int

key_path

Windows Registry key path.

Type: str

number_of_executions

number of executions.

Type: int

value_name

name of the Windows Registry value.

Type: str

DATA_TYPE = 'windows:registry:userassist'

class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter(user_assist_guid)[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter

UserAssist Windows Registry key path filter.

plaso.parsers.winreg_plugins.windows_version module

Plug-in to collect information about the Windows version.

class plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData[source]

Bases: plaso.containers.events.EventData

Windows installation event data attribute container.

build_number

Windows build number.

Type: str

key_path

Windows Registry key path.

Type: str

owner

registered owner.

Type: str

product_name

product name.

Type: str

service_pack

service pack.

Type: str

version

Windows version.

Type: str

DATA_TYPE = 'windows:registry:installation'

class plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows version.

DATA_FORMAT = 'Windows version (product) Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_version'

plaso.parsers.winreg_plugins.winlogon module

This file contains the Winlogon Registry plugin.

class plaso.parsers.winreg_plugins.winlogon.WinlogonEventData[source]

Bases: plaso.containers.events.EventData

Winlogon event data attribute container.

application

Winlogon application.

Type: str

command

Winlogon command.

Type: str

handler

Winlogon handler.

Type: str

key_path

Windows Registry key path.

Type: str

trigger

Winlogon trigger.

Type: str

DATA_TYPE = 'windows:registry:winlogon'

class plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Winlogon key.

DATA_FORMAT = 'Windows log-on Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'winlogon'

plaso.parsers.winreg_plugins.winrar module

This file contains a WinRAR history Windows Registry plugin.

class plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData[source]

Bases: plaso.containers.events.EventData

WinRAR history event data attribute container.

entries

archive history entries.

Type: str

key_path

Windows Registry key path.

Type: str

DATA_TYPE = 'winrar:history'

class plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing WinRAR History keys.

DATA_FORMAT = 'WinRAR History Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'winrar_mru'

Module contents

Imports for the Windows Registry parser.