plaso.parsers.winreg_plugins package

Submodules

plaso.parsers.winreg_plugins.amcache module

Windows Registry plugin to parse the AMCache.hve Root key.

class plaso.parsers.winreg_plugins.amcache.AMCacheFileEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

AMCache file event data.

company_name

company name that created product file belongs to.

Type: str

file_creation_time

file entry creation date and time.

Type: dfdatetime.DateTimeValues

file_description

description of file.

Type: str

file_modification_time

file entry last modification date and time.

Type: dfdatetime.DateTimeValues

file_reference

file system file reference, for example 9-1 (MFT entry - sequence number).

Type: str

file_size

size of file in bytes.

Type: int

file_version

version of file.

Type: str

full_path

full path of file.

Type: str

installation_time

installation date and time.

Type: dfdatetime.DateTimeValues

language_code

language code of file.

Type: int

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

link_time

link date and time.

Type: dfdatetime.DateTimeValues

msi_installation_time

MSI installation date and time.

Type: dfdatetime.DateTimeValues

product_name

product name file belongs to.

Type: str

program_identifier

GUID of entry under Root/Program key file belongs to.

Type: str

sha1

SHA-1.

Type: str

DATA_TYPE = 'windows:registry:amcache'

class plaso.parsers.winreg_plugins.amcache.AMCachePlugin[source]

Bases: WindowsRegistryPlugin

AMCache.hve Windows Registry plugin.

DATA_FORMAT = 'AMCache (AMCache.hve)'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'amcache'

class plaso.parsers.winreg_plugins.amcache.AMCacheProgramEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

AMCache programs event data.

entry_type

type of entry (usually AddRemoveProgram).

Type: str

file_paths

file paths of installed program.

Type: str

files

list of files belonging to program.

Type: str

installation_time

installation date and time.

Type: dfdatetime.DateTimeValues

language_code

language_code of program.

Type: int

msi_package_code

MSI package code of program.

Type: str

msi_product_code

MSI product code of program.

Type: str

name

name of installed program.

Type: str

package_code

package code of program.

Type: str

product_code

product code of program.

Type: str

publisher

publisher of program.

Type: str

uninstall_key

unicode string of uninstall registry key for program.

Type: str

version

version of program.

Type: str

DATA_TYPE = 'windows:registry:amcache:programs'

plaso.parsers.winreg_plugins.appcompatcache module

Windows Registry plugin to parse the Application Compatibility Cache key.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheCachedEntry[source]

Bases: object

Application Compatibility Cache cached entry.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Application Compatibility Cache event data.

entry_index

cache entry index number for the record.

Type: int

file_entry_modification_time

last modification date and time of the corresponding file entry.

Type: dfdatetime.DateTimeValues

key_path

Windows Registry key path.

Type: str

last_update_time

last update date and time of the Application Compatibility Cache entry.

Type: dfdatetime.DateTimeValues

offset

offset of the Application Compatibility Cache entry relative to the start of the Windows Registry value data, from which the event data was extracted.

Type: int

path

full path to the executable.

Type: str

DATA_TYPE = 'windows:registry:appcompatcache'

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheHeader[source]

Bases: object

Application Compatibility Cache header.

class plaso.parsers.winreg_plugins.appcompatcache.AppCompatCacheWindowsRegistryPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

Application Compatibility Cache data Windows Registry plugin.

DATA_FORMAT = 'Application Compatibility Cache Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ParseError – if the value data could not be parsed.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'appcompatcache'

plaso.parsers.winreg_plugins.bagmru module

Windows Registry plugin to parse the BagMRU (or ShellBags) key.

class plaso.parsers.winreg_plugins.bagmru.BagMRUEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

BagMRU (or ShellBags) event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'windows:registry:bagmru'

class plaso.parsers.winreg_plugins.bagmru.BagMRUWindowsRegistryPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

Windows Registry plugin to parse the BagMRU (or ShellBags) key.

DATA_FORMAT = 'BagMRU (or ShellBags) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'bagmru'

plaso.parsers.winreg_plugins.bam module

Windows Registry plugin to parse the Background Activity Moderator keys.

class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Background Activity Moderator event data.

last_run_time

executable (binary) last run date and time.

Type: dfdatetime.DateTimeValues

path

path of the executable (binary).

Type: str

user_identifier

user identifier (Windows NT SID).

Type: str

DATA_TYPE = 'windows:registry:bam'

class plaso.parsers.winreg_plugins.bam.BackgroundActivityModeratorWindowsRegistryPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

Background Activity Moderator data Windows Registry plugin.

DATA_FORMAT = 'Background Activity Moderator (BAM) Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ParseError – if the value data could not be parsed.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'bam'

plaso.parsers.winreg_plugins.ccleaner module

Windows Registry plugin to parse the CCleaner Registry key.

Also see:: https://winreg-kb.readthedocs.io/en/latest/sources/application-keys/CCleaner.html

class plaso.parsers.winreg_plugins.ccleaner.CCleanerConfigurationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

CCleaner configuration event data.

configuration

CCleaner configuration.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'ccleaner:configuration'

class plaso.parsers.winreg_plugins.ccleaner.CCleanerPlugin[source]

Bases: WindowsRegistryPlugin

Windows Registry plugin to parse the CCleaner Registry key.

DATA_FORMAT = 'CCleaner Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'ccleaner'

class plaso.parsers.winreg_plugins.ccleaner.CCleanerUpdateEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

CCleaner update event data.

key_path

Windows Registry key path.

Type: str

update_time

date and time CCleaner last checked for an update.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'ccleaner:update'

plaso.parsers.winreg_plugins.default module

The default Windows Registry plugin.

class plaso.parsers.winreg_plugins.default.DefaultPlugin[source]

Bases: WindowsRegistryPlugin

Default plugin that extracts minimum information from every Registry key.

The default plugin will parse every Registry key that is passed to it and extract minimum information, such as a list of available values and if possible content of those values. The timestamp used is the timestamp when the Registry key was last modified.

DATA_FORMAT = 'Windows Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

NAME = 'winreg_default'

plaso.parsers.winreg_plugins.interface module

The Windows Registry plugin interface.

class plaso.parsers.winreg_plugins.interface.BaseWindowsRegistryKeyFilter[source]

Bases: object

The Windows Registry key filter interface.

abstract Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

property key_paths

key paths defined by the filter.

Type: list[str]

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter(key_path)[source]

Bases: BaseWindowsRegistryKeyFilter

Windows Registry key path filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

property key_paths: List of key paths defined by the filter.

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathPrefixFilter(key_path_prefix)[source]

Bases: BaseWindowsRegistryKeyFilter

Windows Registry key path prefix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathSuffixFilter(key_path_suffix)[source]

Bases: BaseWindowsRegistryKeyFilter

Windows Registry key path suffix filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter(value_names)[source]

Bases: BaseWindowsRegistryKeyFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the keys match.
Return type: bool

class plaso.parsers.winreg_plugins.interface.WindowsRegistryPlugin[source]

Bases: BasePlugin

The Windows Registry plugin interface.

DATA_FORMAT = 'Windows Registry data'

abstract ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({})

NAME = 'winreg_plugin'

Process(parser_mediator, registry_key, **kwargs)[source]

Processes a Windows Registry key or value.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ValueError – If the Windows Registry key is not set.

UpdateChainAndProcess(parser_mediator, registry_key, **kwargs)[source]

Updates the parser chain and processes a Windows Registry key or value.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

Raises

ValueError – If the Windows Registry key is not set.

plaso.parsers.winreg_plugins.lfu module

Plug-in to collect the Less Frequently Used (LFU) keys.

class plaso.parsers.winreg_plugins.lfu.BootExecutePlugin[source]

Bases: WindowsRegistryPlugin

Plug-in to collect the BootExecute Value from the Session Manager key.

DATA_FORMAT = 'Boot Execution Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_boot_execute'

class plaso.parsers.winreg_plugins.lfu.BootVerificationPlugin[source]

Bases: WindowsRegistryPlugin

Plug-in to collect the Boot Verification Key.

DATA_FORMAT = 'Windows boot verification Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_boot_verify'

class plaso.parsers.winreg_plugins.lfu.WindowsBootExecuteEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Boot Execute event data attribute container.

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

value

boot execute value, contains the value obtained from the BootExecute Registry value.

Type: str

DATA_TYPE = 'windows:registry:boot_execute'

class plaso.parsers.winreg_plugins.lfu.WindowsBootVerificationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Boot Verification event data attribute container.

image_path

location of the boot verification executable, contains the value obtained from the ImagePath Registry value.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'windows:registry:boot_verification'

plaso.parsers.winreg_plugins.mountpoints module

MountPoints2 Windows Registry parser plugin.

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2EventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows MountPoints2 event data attribute container.

key_path

Windows Registry key path.

Type: str

label

mount point label.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

name

name of the mount point source.

Type: str

server_name

name of the remote drive server or None if not set.

Type: str

share_name

name of the remote drive share or None if not set.

Type: str

type

type of the mount point source, which can be “Drive”, “Remove Drive” or “Volume”.

Type: str

DATA_TYPE = 'windows:registry:mount_points2'

class plaso.parsers.winreg_plugins.mountpoints.MountPoints2Plugin[source]

Bases: WindowsRegistryPlugin

Windows Registry plugin for parsing the MountPoints2 key.

DATA_FORMAT = 'Windows Explorer mount points Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'explorer_mountpoints2'

plaso.parsers.winreg_plugins.mrulist module

Windows Registry plugin to parse the MRUList Registry values.

Also see:: https://winreg-kb.readthedocs.io/en/latest/sources/explorer-keys/Most-recently-used.html

class plaso.parsers.winreg_plugins.mrulist.BaseMRUListWindowsRegistryPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

Class for common MRUList Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulist.MRUListEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MRUList event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'windows:registry:mrulist'

class plaso.parsers.winreg_plugins.mrulist.MRUListShellItemListWindowsRegistryPlugin[source]

Bases: BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUList.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mrulist_shell_item_list'

class plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter[source]

Bases: WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the Windows Registry key matches the filter.
Return type: bool

class plaso.parsers.winreg_plugins.mrulist.MRUListStringWindowsRegistryPlugin[source]

Bases: BaseMRUListWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUList.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulist.MRUListStringRegistryKeyFilter object>})

NAME = 'mrulist_string'

plaso.parsers.winreg_plugins.mrulistex module

Windows Registry plugin to parse the MRUListEx Registry values.

Also see:: https://winreg-kb.readthedocs.io/en/latest/sources/explorer-keys/Most-recently-used.html

class plaso.parsers.winreg_plugins.mrulistex.BaseMRUListExWindowsRegistryPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

Class for common MRUListEx Windows Registry plugin functionality.

class plaso.parsers.winreg_plugins.mrulistex.MRUListExEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MRUListEx event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'windows:registry:mrulistex'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExShellItemListWindowsRegistryPlugin[source]

Bases: BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a shell item list MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mrulistex_shell_item_list'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemListWindowsRegistryPlugin[source]

Bases: BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item list MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mrulistex_string_and_shell_item_list'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringAndShellItemWindowsRegistryPlugin[source]

Bases: BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string and shell item MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mrulistex_string_and_shell_item'

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter[source]

Bases: WindowsRegistryKeyWithValuesFilter

Windows Registry key with values filter.

Match(registry_key)[source]

Determines if a Windows Registry key matches the filter.

Parameters: registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
Returns: True if the Windows Registry key matches the filter.
Return type: bool

class plaso.parsers.winreg_plugins.mrulistex.MRUListExStringWindowsRegistryPlugin[source]

Bases: BaseMRUListExWindowsRegistryPlugin

Windows Registry plugin to parse a string MRUListEx.

DATA_FORMAT = 'Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, codepage='cp1252', **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.
codepage (Optional[str]) – extended ASCII string codepage.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.mrulistex.MRUListExStringRegistryKeyFilter object>})

NAME = 'mrulistex_string'

plaso.parsers.winreg_plugins.msie_zones module

This file contains the MSIE zone settings plugin.

class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

MSIE zone settings event data attribute container.

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

settings

MSIE zone settings.

Type: str

DATA_TYPE = 'windows:registry:msie_zone_settings'

class plaso.parsers.winreg_plugins.msie_zones.MSIEZoneSettingsPlugin[source]

Bases: WindowsRegistryPlugin

Windows Registry plugin for parsing the MSIE zone settings.

The MSIE Feature controls are stored in the Zone specific subkeys in:: Internet SettingsZones key Internet SettingsLockdown_Zones key

DATA_FORMAT = 'Microsoft Internet Explorer zone settings Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'msie_zone'

plaso.parsers.winreg_plugins.network_drives module

This file contains the Network drive Registry plugin.

class plaso.parsers.winreg_plugins.network_drives.NetworkDriveEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Network drive event data attribute container.

drive_letter

drive letter assigned to network drive.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

server_name

name of the server of the network drive.

Type: str

share_name

name of the share of the network drive.

Type: str

DATA_TYPE = 'windows:registry:network_drive'

class plaso.parsers.winreg_plugins.network_drives.NetworkDrivesPlugin[source]

Bases: WindowsRegistryPlugin

Windows Registry plugin for parsing the Network key.

DATA_FORMAT = 'Windows network drives Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'network_drives'

plaso.parsers.winreg_plugins.networks module

This file contains the NetworkList Registry plugin.

class plaso.parsers.winreg_plugins.networks.NetworksWindowsRegistryPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

Windows Registry plugin for parsing the NetworkList key.

DATA_FORMAT = 'Windows networks (NetworkList) Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'networks'

class plaso.parsers.winreg_plugins.networks.WindowsRegistryNetworkListEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows NetworkList event data.

connection_type

type of connection.

Type: int

creation_time

entry creation date and time.

Type: dfdatetime.DateTimeValues

default_gateway_mac

MAC address for the default gateway.

Type: str

description

description of the wireless connection.

Type: str

dns_suffix

DNS suffix.

Type: str

last_connected_time

last connected date and time.

Type: dfdatetime.DateTimeValues

ssid

SSID of the connection.

Type: str

DATA_TYPE = 'windows:registry:network'

plaso.parsers.winreg_plugins.officemru module

Windows Registry plugin for the Microsoft Office MRU.

class plaso.parsers.winreg_plugins.officemru.OfficeMRUListWindowsRegistryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Microsoft Office MRU list Windows Registry event data.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'windows:registry:office_mru_list'

class plaso.parsers.winreg_plugins.officemru.OfficeMRUPlugin[source]

Bases: WindowsRegistryPlugin

Plugin that parses Microsoft Office MRU keys.

DATA_FORMAT = 'Microsoft Office MRU Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'microsoft_office_mru'

class plaso.parsers.winreg_plugins.officemru.OfficeMRUWindowsRegistryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Microsoft Office MRU Windows Registry event data.

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

value_string

MRU value.

Type: str

DATA_TYPE = 'windows:registry:office_mru'

plaso.parsers.winreg_plugins.outlook module

This file contains an Outlook search MRU Registry parser.

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Outlook search MRU event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'windows:registry:outlook_search_mru'

class plaso.parsers.winreg_plugins.outlook.OutlookSearchMRUPlugin[source]

Bases: WindowsRegistryPlugin

Windows Registry plugin parsing Outlook Search MRU keys.

DATA_FORMAT = 'Microsoft Outlook search MRU Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'microsoft_outlook_mru'

plaso.parsers.winreg_plugins.programscache module

Windows Registry plugin to parse the Explorer ProgramsCache key.

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Explorer ProgramsCache event data attribute container.

entries

entries in the program cache.

Type: str

key_path

Windows Registry key path.

Type: str

known_folder_identifier

known folder identifier.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

value_name

Windows Registry value name.

Type: str

DATA_TYPE = 'windows:registry:explorer:programcache'

class plaso.parsers.winreg_plugins.programscache.ExplorerProgramsCacheWindowsRegistryPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

Class that parses the Explorer ProgramsCache Registry data.

DATA_FORMAT = 'Windows Explorer Programs Cache Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'explorer_programscache'

plaso.parsers.winreg_plugins.run module

This file contains the Run/RunOnce key plugins for Plaso.

class plaso.parsers.winreg_plugins.run.AutoRunsPlugin[source]

Bases: WindowsRegistryPlugin

Windows Registry plugin for parsing user specific auto runs.

DATA_FORMAT = 'Run and run once Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_run'

class plaso.parsers.winreg_plugins.run.RunKeyEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Run/RunOnce key event data attribute container.

entries

Run/RunOnce entries.

Type: list[str]

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'windows:registry:run'

plaso.parsers.winreg_plugins.sam_users module

“Windows Registry plugin for SAM Users Account information.

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Class that defines SAM users Windows Registry event data.

account_rid

account relative identifier (RID).

Type: int

comments

comments.

Type: str

fullname

full name.

Type: str

key_path

Windows Registry key path.

Type: str

last_login_time

date and time of the last login.

Type: dfdatetime.DateTimeValues

last_password_set_time

date and time of the last password set.

Type: dfdatetime.DateTimeValues

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

login_count

login count.

Type: int

username

a string containing the username.

Type: str

DATA_TYPE = 'windows:registry:sam_users'

class plaso.parsers.winreg_plugins.sam_users.SAMUsersWindowsRegistryPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

Windows Registry plugin for SAM Users Account information.

DATA_FORMAT = 'Security Accounts Manager (SAM) users Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_sam_users'

plaso.parsers.winreg_plugins.services module

Windows drivers and services Registry key parser plugin.

class plaso.parsers.winreg_plugins.services.ServicesPlugin[source]

Bases: WindowsRegistryPlugin

Plug-in to format the Services and Drivers keys having Type and Start.

DATA_FORMAT = 'Windows drivers and services Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyWithValuesFilter object>})

NAME = 'windows_services'

class plaso.parsers.winreg_plugins.services.WindowsRegistryServiceEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows Registry driver or service event data attribute container.

error_control

error control value of the Windows driver or service executable.

Type: int

image_path

path of the Windows driver or service executable.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

name

name of the Windows driver or service.

Type: str

object_name

Windows service object name.

Type: str

service_dll

Windows service DLL.

Type: str

service_type

Windows driver or service type.

Type: int

start_type

Device or service start type.

Type: int

values

names and data of additional values in the key.

Type: str

values

name, data type and data of the additional values in the key.

Type: list[tuple[str, str, str]]

DATA_TYPE = 'windows:registry:service'

plaso.parsers.winreg_plugins.shutdown module

Windows Registry plugin for parsing the last shutdown time of a system.

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Shutdown Windows Registry event data.

key_path

Windows Registry key path.

Type: str

last_shutdown_time

date and time the system was last shutdown.

Type: dfdatetime.DateTimeValues

value_name

name of the Windows Registry value.

Type: str

DATA_TYPE = 'windows:registry:shutdown'

class plaso.parsers.winreg_plugins.shutdown.ShutdownWindowsRegistryPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

Windows Registry plugin for parsing the last shutdown time of a system.

DATA_FORMAT = 'Windows last shutdown Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a ShutdownTime Windows Registry value.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_shutdown'

plaso.parsers.winreg_plugins.task_scheduler module

This file contains the Task Scheduler Registry keys plugins.

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Task Cache event data.

key_path

Windows Registry key path.

Type: str

last_registered_time

date and time the task was last registered.

Type: dfdatetime.DateTimeValues

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

launch_time

date and time the task was last launched.

Type: dfdatetime.DateTimeValues

task_name

name of the task.

Type: str

task_identifier

identifier of the task.

Type: str

unknown_time

unknown date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'task_scheduler:task_cache:entry'

class plaso.parsers.winreg_plugins.task_scheduler.TaskCacheWindowsRegistryPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

Plugin that parses a Task Cache key.

DATA_FORMAT = 'Windows Task Scheduler cache Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_task_cache'

plaso.parsers.winreg_plugins.terminal_server module

This file contains the Terminal Server client Windows Registry plugins.

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientConnectionEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Terminal Server client connection event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

username

username, provided by the UsernameHint value.

Type: str

DATA_TYPE = 'windows:registry:mstsc:connection'

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Terminal Server client MRU event data attribute container.

entries

most recently used (MRU) entries.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'windows:registry:mstsc:mru'

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientMRUPlugin[source]

Bases: WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection MRUs keys.

DATA_FORMAT = 'Terminal Server Client Most Recently Used (MRU) Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Terminal Server Client MRU Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mstsc_rdp_mru'

class plaso.parsers.winreg_plugins.terminal_server.TerminalServerClientPlugin[source]

Bases: WindowsRegistryPlugin

Windows Registry plugin for Terminal Server Client Connection keys.

DATA_FORMAT = 'Terminal Server Client Connection Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Terminal Server Client Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'mstsc_rdp'

plaso.parsers.winreg_plugins.timezone module

Plug-in to collect information about the Windows timezone settings.

class plaso.parsers.winreg_plugins.timezone.WinRegTimezonePlugin[source]

Bases: WindowsRegistryPlugin

Plug-in to collect information about the Windows timezone settings.

DATA_FORMAT = 'Windows time zone Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_timezone'

class plaso.parsers.winreg_plugins.timezone.WindowsTimezoneSettingsEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Timezone settings event data attribute container.

configuration

timezone configuration.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'windows:registry:timezone'

plaso.parsers.winreg_plugins.typedurls module

File containing a Windows Registry plugin to parse the typed URLs key.

class plaso.parsers.winreg_plugins.typedurls.TypedURLsEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Typed URLs event data attribute container.

entries

typed URLs or paths entries.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'windows:registry:typedurls'

class plaso.parsers.winreg_plugins.typedurls.TypedURLsPlugin[source]

Bases: WindowsRegistryPlugin

A Windows Registry plugin for typed URLs history.

DATA_FORMAT = 'Windows Explorer typed URLs Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_typed_urls'

plaso.parsers.winreg_plugins.usb module

File containing a Windows Registry plugin to parse the USB Device key.

Also see:: https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/

class plaso.parsers.winreg_plugins.usb.USBPlugin[source]

Bases: WindowsRegistryPlugin

USB Windows Registry plugin for last connection time.

DATA_FORMAT = 'Windows USB device Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_usb_devices'

class plaso.parsers.winreg_plugins.usb.WindowsUSBDeviceEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows USB device event data attribute container.

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

product

product of the USB device.

Type: str

serial

serial number of the USB device.

Type: str

subkey_name

name of the Windows Registry subkey.

Type: str

vendor

vendor of the USB device.

Type: str

DATA_TYPE = 'windows:registry:usb'

plaso.parsers.winreg_plugins.usbstor module

File containing a Windows Registry plugin to parse the USBStor key.

Also see:: https://forensics.wiki/usb_history_viewing

class plaso.parsers.winreg_plugins.usbstor.USBStorDeviceInstanceEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

USBStor device instance event data attribute container.

device_last_arrival_time

date and time of the device insertion.

Type: dfdatetime.DateTimeValues

device_last_removal_time

date and time of the removal insertion.

Type: dfdatetime.DateTimeValues

device_type

type of USB device.

Type: str

display_name

display name of the USB device.

Type: str

key_path

Windows Registry key path.

Type: str

driver_first_installation_time

date and time of when the device instance was first installed in the system

Type: dfdatetime.DateTimeValues

driver_last_installation_time

date and time of when the current device instance was installed in the system.

Type: dfdatetime.DateTimeValues

firmware_time

date and time of the firmware.

Type: dfdatetime.DateTimeValues

product

product of the USB device.

Type: str

revision

revision number of the USB device.

Type: str

vendor

vendor of the USB device.

Type: str

DATA_TYPE = 'windows:registry:usbstor:instance'

class plaso.parsers.winreg_plugins.usbstor.USBStorPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

USBStor key plugin.

DATA_FORMAT = 'Windows USB Plug And Play Manager USBStor Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_usbstor_devices'

plaso.parsers.winreg_plugins.userassist module

The UserAssist Windows Registry plugin.

class plaso.parsers.winreg_plugins.userassist.UserAssistPlugin[source]

Bases: WindowsRegistryPlugin, DtFabricHelper

Plugin that parses an UserAssist key.

DATA_FORMAT = 'User Assist Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter object>})

NAME = 'userassist'

class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

UserAssist Windows Registry event data.

application_focus_count

application focus count.

Type: int

application_focus_duration

application focus duration.

Type: int

entry_index

entry index.

Type: int

key_path

Windows Registry key path.

Type: str

last_execution_time

date and time the application was last executed (or run).

Type: dfdatetime.DateTimeValues

number_of_executions

number of executions.

Type: int

value_name

name of the Windows Registry value.

Type: str

DATA_TYPE = 'windows:registry:userassist'

class plaso.parsers.winreg_plugins.userassist.UserAssistWindowsRegistryKeyPathFilter(user_assist_guid)[source]

Bases: WindowsRegistryKeyPathFilter

UserAssist Windows Registry key path filter.

plaso.parsers.winreg_plugins.windows_version module

Plug-in to collect information about the Windows version.

class plaso.parsers.winreg_plugins.windows_version.WindowsRegistryInstallationEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Windows installation event data attribute container.

build_number

Windows build number.

Type: str

installation_time

Windows installation date and time.

Type: dfdatetime.DateTimeValues

key_path

Windows Registry key path.

Type: str

owner

registered owner.

Type: str

product_name

product name.

Type: str

service_pack

service pack.

Type: str

version

Windows version.

Type: str

DATA_TYPE = 'windows:registry:installation'

class plaso.parsers.winreg_plugins.windows_version.WindowsVersionPlugin[source]

Bases: WindowsRegistryPlugin

Plug-in to collect information about the Windows version.

DATA_FORMAT = 'Windows version (product) Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'windows_version'

plaso.parsers.winreg_plugins.winlogon module

This file contains the Winlogon Registry plugin.

class plaso.parsers.winreg_plugins.winlogon.WinlogonEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

Winlogon event data attribute container.

application

Winlogon application.

Type: str

command

Winlogon command.

Type: str

handler

Winlogon handler.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

trigger

Winlogon trigger.

Type: str

DATA_TYPE = 'windows:registry:winlogon'

class plaso.parsers.winreg_plugins.winlogon.WinlogonPlugin[source]

Bases: WindowsRegistryPlugin

Windows Registry plugin for parsing the Winlogon key.

DATA_FORMAT = 'Windows log-on Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'winlogon'

plaso.parsers.winreg_plugins.winrar module

This file contains a WinRAR history Windows Registry plugin.

class plaso.parsers.winreg_plugins.winrar.WinRARHistoryEventData(*args: Any, **kwargs: Any)[source]

Bases: EventData

WinRAR history event data attribute container.

entries

archive history entries.

Type: str

key_path

Windows Registry key path.

Type: str

last_written_time

entry last written date and time.

Type: dfdatetime.DateTimeValues

DATA_TYPE = 'winrar:history'

class plaso.parsers.winreg_plugins.winrar.WinRARHistoryPlugin[source]

Bases: WindowsRegistryPlugin

Windows Registry plugin for parsing WinRAR History keys.

DATA_FORMAT = 'WinRAR History Registry data'

ExtractEvents(parser_mediator, registry_key, **kwargs)[source]

Extracts events from a Windows Registry key.

Parameters

parser_mediator (ParserMediator) – mediates interactions between parsers and other components, such as storage and dfVFS.
registry_key (dfwinreg.WinRegistryKey) – Windows Registry key.

FILTERS = frozenset({<plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>, <plaso.parsers.winreg_plugins.interface.WindowsRegistryKeyPathFilter object>})

NAME = 'winrar_mru'

Module contents

Imports for the Windows Registry parser.