plaso.parsers.winreg_plugins package

Submodules

plaso.parsers.winreg_plugins.appcompatcache module

Windows Registry plugin to parse the Application Compatibility Cache key.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheCachedEntry[source]

Bases: object

Application Compatibility Cache cached entry.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData[source]

Bases: plaso.containers.events.EventData

Application Compatibility Cache event data.

entry_index

cache entry index number for the record.

Type

int

key_path

Windows Registry key path.

Type

str

path

full path to the executable.

Type

str

DATA_TYPE = 'windows:registry:appcompatcache'
class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheHeader[source]

Bases: object

Application Compatibility Cache header.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Application Compatibility Cache data Windows Registry plugin.

DATA_FORMAT = 'Application Compatibility Cache Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ParseError – if the value data could not be parsed.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'appcompatcache'

plaso.parsers.winreg_plugins.bagmru module

This file contains BagMRU Windows Registry plugins (shellbags).

class plaso.parsers.winreg_plugins.bagmru.BagMRUEventData[source]

Bases: plaso.containers.events.EventData

BagMRU event data attribute container.

entries

most recently used (MRU) entries.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'windows:registry:bagmru'
class plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class that defines a BagMRU Windows Registry plugin.

DATA_FORMAT = 'BagMRU (or ShellBags) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

  • codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'bagmru'

plaso.parsers.winreg_plugins.bam module

Windows Registry plugin to parse the Background Activity Moderator keys.

class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventData[source]

Bases: plaso.containers.events.EventData

Background Activity Moderator event data.

binary_path

binary executed.

Type

str

user_sid

user SID associated with entry.

Type

str

DATA_TYPE = 'windows:registry:bam'
class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Background Activity Moderator data Windows Registry plugin.

DATA_FORMAT = 'Background Activity Moderator (BAM) Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ParseError – if the value data could not be parsed.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'bam'

plaso.parsers.winreg_plugins.ccleaner module

Parser for the CCleaner Registry key.

class plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventData[source]

Bases: plaso.containers.events.EventData

CCleaner configuration event data.

configuration

CCleaner configuration.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'ccleaner:configuration'
class plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Gathers the CCleaner keys from the NTUSER hive.

Known Windows Registry values within the CCleaner key:

  • (App)Cookies [REG_SZ], contains “True” if the cookies should be cleaned;

  • (App)Delete Index.dat files [REG_SZ]

  • (App)History [REG_SZ]

  • (App)Last Download Location [REG_SZ]

  • (App)Other Explorer MRUs [REG_SZ]

  • (App)Recent Documents [REG_SZ]

  • (App)Recently Typed URLs [REG_SZ]

  • (App)Run (in Start Menu) [REG_SZ]

  • (App)Temporary Internet Files [REG_SZ]

  • (App)Thumbnail Cache [REG_SZ]

  • CookiesToSave [REG_SZ]

  • UpdateKey [REG_SZ], contains a date and time formatted as “MM/DD/YYYY hh:mm:ss [A|P]M”, for example “07/13/2013 10:03:14 AM”;

  • WINDOW_HEIGHT [REG_SZ], contains the window height in number of pixels;

  • WINDOW_LEFT [REG_SZ]

  • WINDOW_MAX [REG_SZ]

  • WINDOW_TOP [REG_SZ]

  • WINDOW_WIDTH [REG_SZ], contains the window width in number of pixels;

Also see: http://cheeky4n6monkey.blogspot.com/2012/02/writing-ccleaner-regripper-plugin-part_05.html

DATA_FORMAT = 'CCleaner Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'ccleaner'
class plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData[source]

Bases: plaso.containers.events.EventData

CCleaner update event data.

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'ccleaner:update'

plaso.parsers.winreg_plugins.default module

The default Windows Registry plugin.

class plaso.parsers.winreg_plugins.default.DefaultPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Default plugin that extracts minimal information from every registry key.

The default plugin will parse every registry key that is passed to it and extract minimal information, such as a list of available values and, if possible, the content of those values. The timestamp used is the timestamp when the registry key was last modified.

DATA_FORMAT = 'Windows Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

NAME = 'winreg_default'

plaso.parsers.winreg_plugins.dtfabric_plugin module

Shared functionality for dtFabric-based data format Registry plugins.

class plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Shared functionality for dtFabric-based data format Registry plugins.

A dtFabric-based data format Windows Registry parser plugin defines its data format structures in a dtFabric definition file, for example “dtfabric.yaml”:

    name: int32
    type: integer
    description: 32-bit signed integer type
    attributes:
      format: signed
      size: 4
      units: bytes
    ---
    name: point3d
    aliases: [POINT]
    type: structure
    description: Point in 3 dimensional space.
    attributes:
      byte_order: little-endian
    members:
    - name: x
      aliases: [XCOORD]
      data_type: int32
    - name: y
      data_type: int32
    - name: z
      data_type: int32

The path to the definition file is defined in the class constant “_DEFINITION_FILE” and will be read on class instantiation.

The definition file contains data type definitions such as “int32” and “point3d” in the previous example.

A data type map can be used to create a Python object that represents the data type definition mapped to a byte stream. For example, given the following byte stream: 01 00 00 00 02 00 00 00 03 00 00 00

The corresponding “point3d” Python object would be: point3d(x=1, y=2, z=3)

A parser that wants to implement a dtFabric-based data format parser needs to:

  • define a definition file and override _DEFINITION_FILE;

  • implement the ParseFileObject method.

The _GetDataTypeMap method of this class can be used to retrieve data type maps from the “fabric”, which is the collection of the data type definitions in the definition file. Data type maps are cached for reuse.

The _ReadStructure method of this class can be used to read structure data from a file-like object and create a Python object using a data type map.
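An added example, not plaso's or dtfabric's own code: a minimal pure-Python stand-in for the fabric and data type map described above. The two definitions from the docstring are transcribed as dicts (an assumption of this example, so no YAML parser is needed), data type maps are created once and cached, and the example byte stream is mapped to point3d(x=1, y=2, z=3); a byte stream that is too short is rejected, which a plugin would report as ParseError. The names DataTypeFabric, CreateDataTypeMap and MapByteStream mirror dtfabric's naming, but the implementation is this example's own.

```python
import struct
from collections import namedtuple

# The two definitions from the docstring, transcribed from YAML into dicts
# (assumption of this example: avoids a YAML dependency).
DEFINITIONS = [
    {'name': 'int32', 'type': 'integer',
     'description': '32-bit signed integer type',
     'attributes': {'format': 'signed', 'size': 4, 'units': 'bytes'}},
    {'name': 'point3d', 'aliases': ['POINT'], 'type': 'structure',
     'description': 'Point in 3 dimensional space.',
     'attributes': {'byte_order': 'little-endian'},
     'members': [
         {'name': 'x', 'aliases': ['XCOORD'], 'data_type': 'int32'},
         {'name': 'y', 'data_type': 'int32'},
         {'name': 'z', 'data_type': 'int32'}]},
]

# struct module format characters keyed by (size in bytes, signed).
_INTEGER_FORMATS = {
    (1, True): 'b', (1, False): 'B', (2, True): 'h', (2, False): 'H',
    (4, True): 'i', (4, False): 'I', (8, True): 'q', (8, False): 'Q'}
_BYTE_ORDERS = {'little-endian': '<', 'big-endian': '>'}


class DataTypeMapError(Exception):
    """A definition or byte stream cannot be mapped (a plugin raises ParseError)."""


def _IntegerFormat(definition):
    """Returns the struct format character for an integer definition."""
    if definition['type'] != 'integer':
        raise DataTypeMapError('unsupported member type: ' + definition['type'])
    attributes = definition.get('attributes', {})
    if attributes.get('units', 'bytes') != 'bytes':
        raise DataTypeMapError('only byte-sized integers are supported')
    signed = attributes.get('format', 'signed') == 'signed'
    try:
        return _INTEGER_FORMATS[(attributes['size'], signed)]
    except KeyError:
        raise DataTypeMapError('unsupported integer size') from None


class DataTypeMap:
    """Maps a byte stream onto a Python object for one data type definition."""

    def __init__(self, definition, definitions):
        self.name = definition['name']
        byte_order = definition.get('attributes', {}).get(
            'byte_order', 'little-endian')
        if definition['type'] == 'integer':
            members = [('value', definition)]
        elif definition['type'] == 'structure':
            members = [(member['name'], definitions[member['data_type']])
                       for member in definition['members']]
        else:
            raise DataTypeMapError('unsupported data type: ' + definition['type'])
        self._struct = struct.Struct(_BYTE_ORDERS[byte_order] + ''.join(
            _IntegerFormat(member_definition) for _, member_definition in members))
        # A namedtuple prints as point3d(x=1, y=2, z=3), as in the docstring.
        self._object_type = namedtuple(self.name, [name for name, _ in members])

    @property
    def size(self):
        """Size of the mapped data type in bytes."""
        return self._struct.size

    def MapByteStream(self, byte_stream):
        """Maps a byte stream to a Python object; short streams are rejected."""
        if len(byte_stream) < self._struct.size:
            raise DataTypeMapError('byte stream too small: {0:d} bytes, need {1:d}'.format(
                len(byte_stream), self._struct.size))
        return self._object_type(*self._struct.unpack_from(byte_stream))


class DataTypeFabric:
    """Collection of definitions; data type maps are created once and cached."""

    def __init__(self, definitions):
        self._definitions = {}
        for definition in definitions:
            self._definitions[definition['name']] = definition
            for alias in definition.get('aliases', []):
                self._definitions[alias] = definition
        self._data_type_maps = {}

    def CreateDataTypeMap(self, name):
        """Returns the cached data type map for a definition name or alias."""
        definition = self._definitions.get(name)
        if definition is None:
            raise DataTypeMapError('undefined data type: ' + name)
        if definition['name'] not in self._data_type_maps:
            self._data_type_maps[definition['name']] = DataTypeMap(
                definition, self._definitions)
        return self._data_type_maps[definition['name']]


def MapExampleByteStream():
    """Maps the docstring's byte stream 01 00 00 00 02 00 00 00 03 00 00 00."""
    fabric = DataTypeFabric(DEFINITIONS)
    data_type_map = fabric.CreateDataTypeMap('point3d')
    byte_stream = bytes.fromhex('01 00 00 00 02 00 00 00 03 00 00 00')
    return data_type_map.MapByteStream(byte_stream)


if __name__ == '__main__':
    print(MapExampleByteStream())  # point3d(x=1, y=2, z=3)
```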

abstract ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

plaso.parsers.winreg_plugins.interface module

The Windows Registry plugin interface.

class plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter[source]

Bases: object

The Windows Registry key filter interface.

abstract Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters

registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Returns

True if the keys match.

Return type

bool

property key_paths

key paths defined by the filter.

Type

list[str]

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter(key_path)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters

registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Returns

True if the keys match.

Return type

bool

property key_paths

List of key paths defined by the filter.

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathPrefixFilter(key_path_prefix)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path prefix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters

registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Returns

True if the keys match.

Return type

bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathSuffixFilter(key_path_suffix)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key path suffix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters

registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Returns

True if the keys match.

Return type

bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter(value_names)[source]

Bases: plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters

registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Returns

True if the keys match.

Return type

bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin[source]

Bases: plaso.parsers.plugins.BasePlugin

The Windows Registry plugin interface.

DATA_FORMAT = 'Windows Registry data'
abstract ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({})
NAME = 'winreg_plugin'
Process(parser_mediator, registry_key, **kwargs)[source]

Processes a Windows Registry key or value.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ValueError – If the Windows Registry key is not set.

UpdateChainAndProcess(parser_mediator, registry_key, **kwargs)[source]

Updates the parser chain and processes a Windows Registry key or value.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ValueError – If the Windows Registry key is not set.

plaso.parsers.winreg_plugins.lfu module

Plug-in to collect the Less Frequently Used Keys.

class plaso.parsers.winreg_plugins.lfu.BootExecutePlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the BootExecute Value from the Session Manager key.

Also see:

http://technet.microsoft.com/en-us/library/cc963230.aspx

DATA_FORMAT = 'Boot Execution Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_boot_execute'
class plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect the Boot Verification Key.

Also see:

http://technet.microsoft.com/en-us/library/cc782537(v=ws.10).aspx

DATA_FORMAT = 'Windows boot verification Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_boot_verify'
class plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventData[source]

Bases: plaso.containers.events.EventData

Windows Boot Execute event data attribute container.

key_path

Windows Registry key path.

Type

str

value

boot execute value, contains the value obtained from the BootExecute Registry value.

Type

str

DATA_TYPE = 'windows:registry:boot_execute'
class plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventData[source]

Bases: plaso.containers.events.EventData

Windows Boot Verification event data attribute container.

image_path

location of the boot verification executable, contains the value obtained from the ImagePath Registry value.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'windows:registry:boot_verification'

plaso.parsers.winreg_plugins.mountpoints module

MountPoints2 Windows Registry parser plugin.

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData[source]

Bases: plaso.containers.events.EventData

Windows MountPoints2 event data attribute container.

key_path

Windows Registry key path.

Type

str

label

mount point label.

Type

str

name

name of the mount point source.

Type

str

server_name

name of the remote drive server or None if not set.

Type

str

share_name

name of the remote drive share or None if not set.

Type

str

type

type of the mount point source, which can be “Drive”, “Remote Drive” or “Volume”.

Type

str

DATA_TYPE = 'windows:registry:mount_points2'
class plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MountPoints2 key.

DATA_FORMAT = 'Windows Explorer mount points Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'explorer_mountpoints2'

plaso.parsers.winreg_plugins.mrulist module

This file contains a MRUList Registry plugin.

Also see: https://github.com/libyal/winreg-kb/blob/master/documentation/MRU%20keys.asciidoc

class plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class for common MRUList Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulist.MRUListEventData[source]

Bases: plaso.containers.events.EventData

MRUList event data attribute container.

entries

most recently used (MRU) entries.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'windows:registry:mrulist'
class plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUList.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

  • codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulist_shell_item_list'
class plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters

registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Returns

True if the Windows Registry key matches the filter.

Return type

bool

class plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUList.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

  • codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter object>})
NAME = 'mrulist_string'

plaso.parsers.winreg_plugins.mrulistex module

This file contains MRUListEx Windows Registry plugins.

Also see: https://github.com/libyal/winreg-kb/blob/master/documentation/MRU%20keys.asciidoc

class plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class for common MRUListEx Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulistex.MRUListExEventData[source]

Bases: plaso.containers.events.EventData

MRUListEx event data attribute container.

entries

most recently used (MRU) entries.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'windows:registry:mrulistex'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

  • codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulistex_shell_item_list'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item list MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

  • codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulistex_string_and_shell_item_list'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

  • codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mrulistex_string_and_shell_item'
class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters

registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Returns

True if the Windows Registry key matches the filter.

Return type

bool

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

  • codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter object>})
NAME = 'mrulistex_string'

plaso.parsers.winreg_plugins.msie_zones module

This file contains the MSIE zone settings plugin.

class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventData[source]

Bases: plaso.containers.events.EventData

MSIE zone settings event data attribute container.

key_path

Windows Registry key path.

Type

str

settings

MSIE zone settings.

Type

str

DATA_TYPE = 'windows:registry:msie_zone_settings'
class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the MSIE zone settings.

The MSIE feature controls are stored in the zone-specific subkeys of:

  Internet Settings\Zones key
  Internet Settings\Lockdown_Zones key

Also see:

http://support.microsoft.com/kb/182569

DATA_FORMAT = 'Microsoft Internet Explorer zone settings Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'msie_zone'

plaso.parsers.winreg_plugins.network_drives module

This file contains the Network drive Registry plugin.

class plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData[source]

Bases: plaso.containers.events.EventData

Network drive event data attribute container.

drive_letter

drive letter assigned to network drive.

Type

str

key_path

Windows Registry key path.

Type

str

server_name

name of the server of the network drive.

Type

str

share_name

name of the share of the network drive.

Type

str

DATA_TYPE = 'windows:registry:network_drive'
class plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Network key.

DATA_FORMAT = 'Windows network drives Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'network_drives'

plaso.parsers.winreg_plugins.networks module

This file contains the NetworkList Registry plugin.

class plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for parsing the NetworkList key.

DATA_FORMAT = 'Windows networks (NetworkList) Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'networks'
class plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData[source]

Bases: plaso.containers.events.EventData

Windows NetworkList event data.

connection_type

type of connection.

Type

str

default_gateway_mac

MAC address for the default gateway.

Type

str

description

description of the wireless connection.

Type

str

dns_suffix

DNS suffix.

Type

str

ssid

SSID of the connection.

Type

str

DATA_TYPE = 'windows:registry:network'

plaso.parsers.winreg_plugins.officemru module

Windows Registry plugin for the Microsoft Office MRU.

class plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Microsoft Office MRU list Windows Registry event data.

entries

most recently used (MRU) entries.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'windows:registry:office_mru_list'
class plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plugin that parses Microsoft Office MRU keys.

DATA_FORMAT = 'Microsoft Office MRU Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'microsoft_office_mru'
class plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Microsoft Office MRU Windows Registry event data.

key_path

Windows Registry key path.

Type

str

value_string

MRU value.

Type

str

DATA_TYPE = 'windows:registry:office_mru'

plaso.parsers.winreg_plugins.outlook module

This file contains an Outlook search MRU Registry parser.

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventData[source]

Bases: plaso.containers.events.EventData

Outlook search MRU event data attribute container.

entries

most recently used (MRU) entries.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'windows:registry:outlook_search_mru'
class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin parsing Outlook Search MRU keys.

DATA_FORMAT = 'Microsoft Outlook search MRU Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'microsoft_outlook_mru'

plaso.parsers.winreg_plugins.programscache module

Windows Registry plugin to parse the Explorer ProgramsCache key.

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData[source]

Bases: plaso.containers.events.EventData

Explorer ProgramsCache event data attribute container.

entries

entries in the program cache.

Type

str

key_path

Windows Registry key path.

Type

str

known_folder_identifier

known folder identifier.

Type

str

value_name

Windows Registry value name.

Type

str

DATA_TYPE = 'windows:registry:explorer:programcache'
class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Class that parses the Explorer ProgramsCache Registry data.

DATA_FORMAT = 'Windows Explorer Programs Cache Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'explorer_programscache'

plaso.parsers.winreg_plugins.run module

This file contains the Run/RunOnce key plugins for Plaso.

class plaso.parsers.winreg_plugins.run.AutoRunsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing user-specific auto runs.

Also see:

http://msdn.microsoft.com/en-us/library/aa376977(v=vs.85).aspx

DATA_FORMAT = 'Run and run once Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_run'
class plaso.parsers.winreg_plugins.run.RunKeyEventData[source]

Bases: plaso.containers.events.EventData

Run/RunOnce key event data attribute container.

entries

Run/RunOnce entries.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'windows:registry:run'

plaso.parsers.winreg_plugins.sam_users module

Windows Registry plugin for SAM Users Account information.

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Class that defines SAM users Windows Registry event data.

account_rid

account relative identifier (RID).

Type

int

comments

comments.

Type

str

fullname

full name.

Type

str

key_path

Windows Registry key path.

Type

str

login_count

login count.

Type

int

username

a string containing the username.

Type

str

DATA_TYPE = 'windows:registry:sam_users'
class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for SAM Users Account information.

DATA_FORMAT = 'Security Accounts Manager (SAM) users Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_sam_users'

plaso.parsers.winreg_plugins.services module

Windows drivers and services Registry key parser plugin.

class plaso.parsers.winreg_plugins.services.ServicesPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to format the Services and Drivers keys that have Type and Start values.

Also see:

http://support.microsoft.com/kb/103000

DATA_FORMAT = 'Windows drivers and services Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter object>})
NAME = 'windows_services'
class plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData[source]

Bases: plaso.containers.events.EventData

Windows Registry driver or service event data attribute container.

error_control

error control value of the Windows driver or service executable.

Type

int

image_path

path of the Windows driver or service executable.

Type

str

key_path

Windows Registry key path.

Type

str

name

name of the Windows driver or service.

Type

str

object_name

Windows service object name.

Type

str

service_dll

Windows service DLL.

Type

str

service_type

Windows driver or service type.

Type

int

start_type

Device or service start type.

Type

int

values

names and data of additional values in the key.

Type

str

DATA_TYPE = 'windows:registry:service'

plaso.parsers.winreg_plugins.shutdown module

Windows Registry plugin for parsing the last shutdown time of a system.

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

Shutdown Windows Registry event data.

key_path

Windows Registry key path.

Type

str

value_name

name of the Windows Registry value.

Type

str

DATA_TYPE = 'windows:registry:shutdown'
class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Windows Registry plugin for parsing the last shutdown time of a system.

DATA_FORMAT = 'Windows last shutdown Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a ShutdownTime Windows Registry value.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_shutdown'

plaso.parsers.winreg_plugins.task_scheduler module

This file contains the Task Scheduler Registry keys plugins.

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData[source]

Bases: plaso.containers.events.EventData

Task Cache event data.

key_path

Windows Registry key path.

Type

str

task_name

name of the task.

Type

str

task_identifier

identifier of the task.

Type

str

DATA_TYPE = 'task_scheduler:task_cache:entry'
class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Plugin that parses a Task Cache key.

DATA_FORMAT = 'Windows Task Scheduler cache Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_task_cache'

plaso.parsers.winreg_plugins.terminal_server module

This file contains the Terminal Server client Windows Registry plugins.

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData[source]

Bases: plaso.containers.events.EventData

Terminal Server client connection event data attribute container.

entries

most recently used (MRU) entries.

Type

str

key_path

Windows Registry key path.

Type

str

username

username, provided by the UsernameHint value.

Type

str

DATA_TYPE = 'windows:registry:mstsc:connection'
class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventData[source]

Bases: plaso.containers.events.EventData

Terminal Server client MRU event data attribute container.

entries

most recently used (MRU) entries.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'windows:registry:mstsc:mru'
class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection MRU keys.

DATA_FORMAT = 'Terminal Server Client Most Recently Used (MRU) Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Terminal Server Client MRU Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mstsc_rdp_mru'
class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection keys.

DATA_FORMAT = 'Terminal Server Client Connection Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Terminal Server Client Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'mstsc_rdp'

plaso.parsers.winreg_plugins.timezone module

Plug-in to collect information about the Windows timezone settings.

class plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows timezone settings.

DATA_FORMAT = 'Windows time zone Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_timezone'
class plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventData[source]

Bases: plaso.containers.events.EventData

Timezone settings event data attribute container.

configuration

timezone configuration.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'windows:registry:timezone'

plaso.parsers.winreg_plugins.typedurls module

File containing a Windows Registry plugin to parse the typed URLs key.

class plaso.parsers.winreg_plugins.typedurls.TypedURLsEventData[source]

Bases: plaso.containers.events.EventData

Typed URLs event data attribute container.

entries

typed URLs or paths entries.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'windows:registry:typedurls'
class plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

A Windows Registry plugin for typed URLs history.

DATA_FORMAT = 'Windows Explorer typed URLs Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_typed_urls'

plaso.parsers.winreg_plugins.usb module

File containing a Windows Registry plugin to parse the USB Device key.

class plaso.parsers.winreg_plugins.usb.USBPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USB Windows Registry plugin for last connection time.

Also see:

https://msdn.microsoft.com/en-us/library/windows/hardware/jj649944%28v=vs.85%29.aspx

DATA_FORMAT = 'Windows USB device Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_usb_devices'
class plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData[source]

Bases: plaso.containers.events.EventData

Windows USB device event data attribute container.

key_path

Windows Registry key path.

Type

str

product

product of the USB device.

Type

str

serial

serial number of the USB device.

Type

str

subkey_name

name of the Windows Registry subkey.

Type

str

vendor

vendor of the USB device.

Type

str

DATA_TYPE = 'windows:registry:usb'

plaso.parsers.winreg_plugins.usbstor module

File containing a Windows Registry plugin to parse the USBStor key.

class plaso.parsers.winreg_plugins.usbstor.USBStorEventData[source]

Bases: plaso.containers.events.EventData

USBStor event data attribute container.

device_type

type of USB device.

Type

str

display_name

display name of the USB device.

Type

str

key_path

Windows Registry key path.

Type

str

parent_id_prefix

parent identifier prefix of the USB device.

Type

str

product

product of the USB device.

Type

str

serial

serial number of the USB device.

Type

str

revision

revision number of the USB device.

Type

str

subkey_name

name of the Windows Registry subkey.

Type

str

vendor

vendor of the USB device.

Type

str

DATA_TYPE = 'windows:registry:usbstor'
class plaso.parsers.winreg_plugins.usbstor.USBStorPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

USBStor key plugin.

Also see: https://forensicswiki.xyz/wiki/index.php?title=USB_History_Viewing

DATA_FORMAT = 'Windows USB Plug And Play Manager USBStor Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_usbstor_devices'

plaso.parsers.winreg_plugins.userassist module

The UserAssist Windows Registry plugin.

class plaso.parsers.winreg_plugins.userassist.UserAssistPlugin[source]

Bases: plaso.parsers.winreg_plugins.dtfabric_plugin.DtFabricBaseWindowsRegistryPlugin

Plugin that parses a UserAssist key.

Also see:

http://blog.didierstevens.com/programs/userassist/

https://code.google.com/p/winreg-kb/wiki/UserAssistKeys

http://intotheboxes.files.wordpress.com/2010/04/intotheboxes_2010_q1.pdf

DATA_FORMAT = 'User Assist Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>})
NAME = 'userassist'
class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData[source]

Bases: plaso.containers.events.EventData

UserAssist Windows Registry event data.

application_focus_count

application focus count.

Type

int

application_focus_duration

application focus duration.

Type

int

entry_index

entry index.

Type

int

key_path

Windows Registry key path.

Type

str

number_of_executions

number of executions.

Type

int

value_name

name of the Windows Registry value.

Type

str

DATA_TYPE = 'windows:registry:userassist'
class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter(user_assist_guid)[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter

UserAssist Windows Registry key path filter.

plaso.parsers.winreg_plugins.windows_version module

Plug-in to collect information about the Windows version.

class plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData[source]

Bases: plaso.containers.events.EventData

Windows installation event data attribute container.

build_number

Windows build number.

Type

str

key_path

Windows Registry key path.

Type

str

owner

registered owner.

Type

str

product_name

product name.

Type

str

service_pack

service pack.

Type

str

version

Windows version.

Type

str

DATA_TYPE = 'windows:registry:installation'
class plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Plug-in to collect information about the Windows version.

DATA_FORMAT = 'Windows version (product) Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'windows_version'

plaso.parsers.winreg_plugins.winlogon module

This file contains the Winlogon Registry plugin.

class plaso.parsers.winreg_plugins.winlogon.WinlogonEventData[source]

Bases: plaso.containers.events.EventData

Winlogon event data attribute container.

application

Winlogon application.

Type

str

command

Winlogon command.

Type

str

handler

Winlogon handler.

Type

str

key_path

Windows Registry key path.

Type

str

trigger

Winlogon trigger.

Type

str

DATA_TYPE = 'windows:registry:winlogon'
class plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing the Winlogon key.

DATA_FORMAT = 'Windows log-on Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'winlogon'

plaso.parsers.winreg_plugins.winrar module

This file contains a WinRAR history Windows Registry plugin.

class plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData[source]

Bases: plaso.containers.events.EventData

WinRAR history event data attribute container.

entries

archive history entries.

Type

str

key_path

Windows Registry key path.

Type

str

DATA_TYPE = 'winrar:history'
class plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin[source]

Bases: plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin

Windows Registry plugin for parsing WinRAR History keys.

DATA_FORMAT = 'WinRAR History Registry data'
ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters
  • parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfvfs.

  • registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})
NAME = 'winrar_mru'

Module contents

Imports for the Windows Registry parser.