From 4b5b62e20619382caef36e33da10fb28dde5380d Mon Sep 17 00:00:00 2001 From: ZarKyo Date: Wed, 14 Aug 2024 19:51:31 +0200 Subject: [PATCH 1/5] datetime.utcfromtimestamp() is deprecated in Python 3.12 --- regipy/plugins/software/winver.py | 4 +- regipy/plugins/system/network_data.py | 134 ++++++++++++----------- regipy/plugins/system/previous_winver.py | 6 +- 3 files changed, 75 insertions(+), 69 deletions(-) diff --git a/regipy/plugins/software/winver.py b/regipy/plugins/software/winver.py index d08f189..1ea17ee 100644 --- a/regipy/plugins/software/winver.py +++ b/regipy/plugins/software/winver.py @@ -1,10 +1,10 @@ import logging +from datetime import datetime, timezone from regipy.hive_types import SOFTWARE_HIVE_TYPE from regipy.plugins.plugin import Plugin from regipy.utils import convert_wintime from regipy.exceptions import RegistryKeyNotFoundException -import datetime logger = logging.getLogger(__name__) @@ -37,6 +37,6 @@ def run(self): for val in key.iter_values(): if val.name in os_list: if val.name == "InstallDate": - self.entries[WIN_VER_PATH][val.name] = datetime.datetime.utcfromtimestamp(val.value).strftime("%Y-%m-%d %H:%M:%S") + self.entries[WIN_VER_PATH][val.name] = datetime.fromtimestamp(val.value, timezone.utc).strftime("%Y-%m-%d %H:%M:%S") else: self.entries[WIN_VER_PATH][val.name] = val.value \ No newline at end of file diff --git a/regipy/plugins/system/network_data.py b/regipy/plugins/system/network_data.py index 885195f..2f0e1f1 100644 --- a/regipy/plugins/system/network_data.py +++ b/regipy/plugins/system/network_data.py @@ -1,8 +1,7 @@ -import datetime -from regipy.exceptions import RegistryKeyNotFoundException - import logging +from datetime import datetime, timezone +from regipy.exceptions import RegistryKeyNotFoundException from regipy.hive_types import SYSTEM_HIVE_TYPE from regipy.plugins.plugin import Plugin from regipy.utils import convert_wintime 
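Review bot: The new `datetime.fromtimestamp(val.value, timezone.utc)` on the InstallDate line is an unguarded conversion: a non-numeric value raises TypeError and an epoch outside the platform's supported range raises OverflowError/OSError/ValueError, which aborts the whole plugin run since, as far as the visible context shows, nothing between this line and the start of `run` (outside the hunk) catches it. Damaged or deliberately corrupted hives are exactly where a malformed InstallDate turns up, so I would catch those and keep the raw value with a warning rather than lose the rest of the key. The same unguarded pattern is on the InstallDate line of previous_winver.py further down this patch. `strftime("%Y-%m-%d %H:%M:%S")` also drops the UTC marker that other plugins emit via `convert_wintime` (`+00:00`); that is pre-existing, but a comment such as `# UTC, formatted without offset to keep the existing output shape` would stop the next reader from "fixing" it.
```python
if val.name == "InstallDate":
    try:
        self.entries[WIN_VER_PATH][val.name] = datetime.fromtimestamp(
            val.value, timezone.utc
        ).strftime("%Y-%m-%d %H:%M:%S")
    except (TypeError, OverflowError, OSError, ValueError) as ex:
        logger.warning("InstallDate %r is not a valid epoch timestamp: %s", val.value, ex)
        self.entries[WIN_VER_PATH][val.name] = val.value
# … unchanged: else branch storing the raw value …
```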
@@ -11,7 +10,6 @@ INTERFACES_PATH = r"Services\Tcpip\Parameters\Interfaces" - class NetworkDataPlugin(Plugin): NAME = "network_data" DESCRIPTION = "Get network data from many interfaces" 
@@ -30,49 +28,52 @@ def get_network_info(self, subkey, interfaces=None): "dhcp_enabled": interface.get_value("EnableDHCP") == 1, # Boolean value } - if entries["dhcp_enabled"]: - entries.update( - { - "dhcp_server": interface.get_value("DhcpServer"), - "dhcp_ip_address": interface.get_value("DhcpIPAddress"), - "dhcp_subnet_mask": interface.get_value("DhcpSubnetMask"), - "dhcp_default_gateway": interface.get_value( - "DhcpDefaultGateway" - ), - "dhcp_name_server": interface.get_value("DhcpNameServer"), - "dhcp_domain": interface.get_value("DhcpDomain"), - } - ) - - lease_obtained_time = interface.get_value("LeaseObtainedTime") - if lease_obtained_time is not None: - lease_obtained_time_str = datetime.datetime.utcfromtimestamp( - lease_obtained_time - ).strftime("%Y-%m-%d %H:%M:%S") - entries["dhcp_lease_obtained_time"] = lease_obtained_time_str - - lease_terminates_time = interface.get_value("LeaseTerminatesTime") - if lease_terminates_time is not None: - lease_terminates_time_str = datetime.datetime.utcfromtimestamp( - lease_terminates_time - ).strftime("%Y-%m-%d %H:%M:%S") - entries["dhcp_lease_terminates_time"] = lease_terminates_time_str - - else: - entries.update( - { - "ip_address": interface.get_value("IPAddress"), - "subnet_mask": interface.get_value("SubnetMask"), - "default_gateway": interface.get_value("DefaultGateway"), - "name_server": interface.get_value("NameServer"), - "domain": interface.get_value("Domain"), - } - ) - - if interface.subkey_count: - sub_interfaces = [] - self.get_network_info(self, interface, sub_interfaces) - entries["sub_interface"] = sub_interfaces + try: + if entries["dhcp_enabled"]: + entries.update( + { + "dhcp_server": interface.get_value("DhcpServer"), + "dhcp_ip_address": interface.get_value("DhcpIPAddress"), + "dhcp_subnet_mask": interface.get_value("DhcpSubnetMask"), + "dhcp_default_gateway": interface.get_value("DhcpDefaultGateway"), + "dhcp_name_server": interface.get_value("DhcpNameServer"), + "dhcp_domain": 
interface.get_value("DhcpDomain"), + } + ) + + lease_obtained_time = interface.get_value("LeaseObtainedTime") + if lease_obtained_time is not None: + lease_obtained_time_str = datetime.fromtimestamp( + lease_obtained_time, timezone.utc + ).strftime("%Y-%m-%d %H:%M:%S") + entries["dhcp_lease_obtained_time"] = lease_obtained_time_str + + lease_terminates_time = interface.get_value("LeaseTerminatesTime") + if lease_terminates_time is not None: + lease_terminates_time_str = datetime.fromtimestamp( + lease_terminates_time, timezone.utc + ).strftime("%Y-%m-%d %H:%M:%S") + entries["dhcp_lease_terminates_time"] = lease_terminates_time_str + + else: + entries.update( + { + "ip_address": interface.get_value("IPAddress"), + "subnet_mask": interface.get_value("SubnetMask"), + "default_gateway": interface.get_value("DefaultGateway"), + "name_server": interface.get_value("NameServer"), + "domain": interface.get_value("Domain"), + } + ) + + if interface.subkey_count: + sub_interfaces = [] + sub_interfaces = self.get_network_info(interface, sub_interfaces) + entries["sub_interface"] = sub_interfaces + + except Exception as e: + logger.error(f"Error processing interface {interface.name}: {e}") + # Optionally, handle specific errors or continue processing interfaces.append(entries) 
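Review bot: The `except Exception as e: logger.error(f"Error processing interface {interface.name}: {e}")` added around the whole per-interface body discards the traceback and reduces any programming error to one log line; under this handler the double-`self` recursion call that this same hunk corrects would have been silently logged instead of failing. Use `logger.exception("Error processing interface %s", interface.name)` so the stack survives, and narrow the catch to what value lookup and timestamp conversion can actually raise. Because `interfaces.append(entries)` still runs after the handler, a half-filled entry is emitted with nothing to distinguish it from an interface whose values are genuinely absent, which matters when this output feeds an investigation. The `LeaseObtainedTime`/`LeaseTerminatesTime` conversions also share the out-of-range failure mode of `fromtimestamp` (OverflowError/OSError/ValueError on a bad epoch). get_network_info's signature and `return` are outside the hunk.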
@@ -81,20 +82,25 @@ def get_network_info(self, subkey, interfaces=None): def run(self): self.entries = {} - for control_set_interfaces_path in self.registry_hive.get_control_sets( - INTERFACES_PATH - ): - try: - subkey = self.registry_hive.get_key(control_set_interfaces_path) - except RegistryKeyNotFoundException as ex: - logger.error(ex) - continue - - self.entries[control_set_interfaces_path] = { - "timestamp": convert_wintime( - subkey.header.last_modified, as_json=self.as_json - ) - } - interfaces = [] - interfaces = self.get_network_info(subkey, interfaces) - self.entries[control_set_interfaces_path]["interfaces"] = interfaces + try: + for control_set_interfaces_path in self.registry_hive.get_control_sets(INTERFACES_PATH): + try: + subkey = self.registry_hive.get_key(control_set_interfaces_path) + except RegistryKeyNotFoundException as ex: + logger.error(f"Registry key not found at path {control_set_interfaces_path}: {ex}") + continue # Skip to the next path if the key is not found + + try: + self.entries[control_set_interfaces_path] = { + "timestamp": convert_wintime( + subkey.header.last_modified, as_json=self.as_json + ) + } + interfaces = [] + interfaces = self.get_network_info(subkey, interfaces) + self.entries[control_set_interfaces_path]["interfaces"] = interfaces + except Exception as ex: + logger.error(f"Error processing registry key {control_set_interfaces_path}: {ex}") + + except Exception as ex: + logger.error(f"Error during run method execution: {ex}") \ No newline at end of file diff --git a/regipy/plugins/system/previous_winver.py b/regipy/plugins/system/previous_winver.py index 5dd5015..aa06ab7 100644 --- a/regipy/plugins/system/previous_winver.py +++ b/regipy/plugins/system/previous_winver.py 
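Review bot: The outer `try: ... except Exception as ex: logger.error(f"Error during run method execution: {ex}")` wrapped around the whole control-set loop means a failure in `get_control_sets` (or any unexpected error) leaves `self.entries` empty with only a log line, so a consumer cannot tell "no network interfaces in this hive" from "the plugin broke", which is a poor property for a forensic tool. The inner handler has the same shape: after it fires, the control-set entry keeps its `timestamp` but has no `interfaces` key and nothing marking it as incomplete. I would drop the outer catch-all so infrastructure errors surface to the caller, and in the inner handler record the failure in the result, e.g. `self.entries[control_set_interfaces_path]["error"] = str(ex)`, using `logger.exception` to keep the traceback. `run` is shown in full here; the helper it calls is not.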
@@ -1,10 +1,10 @@ import logging +from datetime import datetime, timezone +import re from regipy.hive_types import SYSTEM_HIVE_TYPE from regipy.plugins.plugin import Plugin from regipy.exceptions import RegistryKeyNotFoundException -import datetime -import re logger = logging.getLogger(__name__) @@ -41,7 +41,7 @@ def run(self): for val in sk.iter_values(): if val.name in os_list: if val.name == "InstallDate": - temp_dict[val.name] = datetime.datetime.utcfromtimestamp(val.value).strftime("%Y-%m-%d %H:%M:%S") + temp_dict[val.name] = datetime.fromtimestamp(val.value, timezone.utc).strftime("%Y-%m-%d %H:%M:%S") else: temp_dict[val.name] = val.value self.entries.append(temp_dict) From ee8ac1235dec0953eee4ec46a2336214242a1394 Mon Sep 17 00:00:00 2001 From: ZarKyo Date: Wed, 14 Aug 2024 19:56:35 +0200 Subject: [PATCH 2/5] fix failed datetime --- regipy/plugins/system/previous_winver.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regipy/plugins/system/previous_winver.py b/regipy/plugins/system/previous_winver.py index aa06ab7..d565657 100644 --- a/regipy/plugins/system/previous_winver.py +++ b/regipy/plugins/system/previous_winver.py @@ -35,7 +35,7 @@ def run(self): for sk in key.iter_subkeys(): if sk.name.startswith("Source OS"): old_date = re.search(r"Updated on (\d{1,2})/(\d{1,2})/(\d{4}) (\d{2}):(\d{2}):(\d{2})", sk.name) - dt = datetime.datetime(int(old_date.group(3)), int(old_date.group(1)), int(old_date.group(2)), int(old_date.group(4)), int(old_date.group(5)), int(old_date.group(6))).strftime("%Y-%m-%d %H:%M:%S") + dt = datetime(int(old_date.group(3)), int(old_date.group(1)), int(old_date.group(2)), int(old_date.group(4)), int(old_date.group(5)), int(old_date.group(6))).strftime("%Y-%m-%d %H:%M:%S") temp_dict = {'key': f"\\{key.name}\\{sk.name}"} temp_dict['update_date'] = dt for val in sk.iter_values(): From 44c4715dae01229ca4d95f1d0c0314eca59772c1 Mon Sep 17 00:00:00 2001 
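Review bot: `old_date.group(...)` on the rewritten `dt = datetime(...)` line is reached for every subkey whose name starts with "Source OS", but `re.search` returns None when the name does not match the `Updated on M/D/YYYY HH:MM:SS` pattern, so such a key raises AttributeError and aborts the plugin; the commit only switched `datetime.datetime` to `datetime` and did not add that check. The month/day order and fixed two-digit fields are assumptions about how Windows writes this key name that the patch does not document, and out-of-range components (a month of 13, say) make `datetime(...)` raise ValueError. I would guard the None case, catch ValueError, and still report the entry with the raw name. `run` starts and ends outside this hunk.
```python
old_date = re.search(r"Updated on (\d{1,2})/(\d{1,2})/(\d{4}) (\d{2}):(\d{2}):(\d{2})", sk.name)
dt = None
if old_date is None:
    logger.warning("Could not parse update date from subkey name %r", sk.name)
else:
    try:
        # assumes month/day/year ordering in the key name — TODO confirm against more hives
        dt = datetime(int(old_date.group(3)), int(old_date.group(1)), int(old_date.group(2)),
                      int(old_date.group(4)), int(old_date.group(5)), int(old_date.group(6))).strftime("%Y-%m-%d %H:%M:%S")
    except ValueError as ex:
        logger.warning("Invalid update date in subkey name %r: %s", sk.name, ex)
# … unchanged: temp_dict construction …
```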
From: ZarKyo Date: Sun, 25 Aug 2024 16:04:40 +0200 Subject: [PATCH 3/5] add exception handling --- regipy/plugins/system/network_data.py | 169 +++++++++++++++++--------- regipy_tests/plugin_tests.py | 1 + 2 files changed, 115 insertions(+), 55 deletions(-) diff --git a/regipy/plugins/system/network_data.py b/regipy/plugins/system/network_data.py index 2f0e1f1..ff3c02c 100644 --- a/regipy/plugins/system/network_data.py +++ b/regipy/plugins/system/network_data.py @@ -10,6 +10,7 @@ INTERFACES_PATH = r"Services\Tcpip\Parameters\Interfaces" + class NetworkDataPlugin(Plugin): NAME = "network_data" DESCRIPTION = "Get network data from many interfaces" 
@@ -19,63 +20,114 @@ def get_network_info(self, subkey, interfaces=None): if interfaces is None: interfaces = [] - for interface in subkey.iter_subkeys(): - entries = { - "interface_name": interface.name, - "last_modified": convert_wintime( - interface.header.last_modified, as_json=self.as_json - ), - "dhcp_enabled": interface.get_value("EnableDHCP") == 1, # Boolean value - } - - try: - if entries["dhcp_enabled"]: - entries.update( - { - "dhcp_server": interface.get_value("DhcpServer"), - "dhcp_ip_address": interface.get_value("DhcpIPAddress"), - "dhcp_subnet_mask": interface.get_value("DhcpSubnetMask"), - "dhcp_default_gateway": interface.get_value("DhcpDefaultGateway"), - "dhcp_name_server": interface.get_value("DhcpNameServer"), - "dhcp_domain": interface.get_value("DhcpDomain"), - } + try: + for interface in subkey.iter_subkeys(): + entries = { + "interface_name": interface.name, + "last_modified": convert_wintime( + interface.header.last_modified, as_json=self.as_json + ), + "incomplete_data": False, # New key to indicate incomplete data + } + + try: + entries["dhcp_enabled"] = ( + interface.get_value("EnableDHCP") == 1 + ) # Boolean value + except Exception as e: + logger.error( + f"Error retrieving DHCP enabled status for interface {interface.name}: {e}" ) + entries["incomplete_data"] = True + + try: + if entries["dhcp_enabled"]: + entries.update( + { + "dhcp_server": interface.get_value("DhcpServer"), + "dhcp_ip_address": interface.get_value("DhcpIPAddress"), + "dhcp_subnet_mask": interface.get_value( + "DhcpSubnetMask" + ), + "dhcp_default_gateway": interface.get_value( + "DhcpDefaultGateway" + ), + "dhcp_name_server": interface.get_value( + "DhcpNameServer" + ), + "dhcp_domain": interface.get_value("DhcpDomain"), + } + ) - lease_obtained_time = interface.get_value("LeaseObtainedTime") - if lease_obtained_time is not None: - lease_obtained_time_str = datetime.fromtimestamp( - lease_obtained_time, timezone.utc - ).strftime("%Y-%m-%d %H:%M:%S") - 
entries["dhcp_lease_obtained_time"] = lease_obtained_time_str - - lease_terminates_time = interface.get_value("LeaseTerminatesTime") - if lease_terminates_time is not None: - lease_terminates_time_str = datetime.fromtimestamp( - lease_terminates_time, timezone.utc - ).strftime("%Y-%m-%d %H:%M:%S") - entries["dhcp_lease_terminates_time"] = lease_terminates_time_str - - else: - entries.update( - { - "ip_address": interface.get_value("IPAddress"), - "subnet_mask": interface.get_value("SubnetMask"), - "default_gateway": interface.get_value("DefaultGateway"), - "name_server": interface.get_value("NameServer"), - "domain": interface.get_value("Domain"), - } + try: + lease_obtained_time = interface.get_value( + "LeaseObtainedTime" + ) + if lease_obtained_time is not None: + lease_obtained_time_str = datetime.fromtimestamp( + lease_obtained_time, timezone.utc + ).strftime("%Y-%m-%d %H:%M:%S") + entries["dhcp_lease_obtained_time"] = ( + lease_obtained_time_str + ) + except Exception as e: + logger.error( + f"Error retrieving DHCP lease obtained time for interface {interface.name}: {e}" + ) + entries["incomplete_data"] = True + + try: + lease_terminates_time = interface.get_value( + "LeaseTerminatesTime" + ) + if lease_terminates_time is not None: + lease_terminates_time_str = datetime.fromtimestamp( + lease_terminates_time, timezone.utc + ).strftime("%Y-%m-%d %H:%M:%S") + entries["dhcp_lease_terminates_time"] = ( + lease_terminates_time_str + ) + except Exception as e: + logger.error( + f"Error retrieving DHCP lease terminates time for interface {interface.name}: {e}" + ) + entries["incomplete_data"] = True + + else: + entries.update( + { + "ip_address": interface.get_value("IPAddress"), + "subnet_mask": interface.get_value("SubnetMask"), + "default_gateway": interface.get_value( + "DefaultGateway" + ), + "name_server": interface.get_value("NameServer"), + "domain": interface.get_value("Domain"), + } + ) + except Exception as e: + logger.error( + f"Error processing 
DHCP/static IP information for interface {interface.name}: {e}" ) + entries["incomplete_data"] = True - if interface.subkey_count: - sub_interfaces = [] - sub_interfaces = self.get_network_info(interface, sub_interfaces) - entries["sub_interface"] = sub_interfaces + try: + if interface.subkey_count: + sub_interfaces = [] + sub_interfaces = self.get_network_info( + interface, sub_interfaces + ) + entries["sub_interface"] = sub_interfaces + except Exception as e: + logger.error( + f"Error processing sub-interfaces for interface {interface.name}: {e}" + ) + entries["incomplete_data"] = True - except Exception as e: - logger.error(f"Error processing interface {interface.name}: {e}") - # Optionally, handle specific errors or continue processing + interfaces.append(entries) - interfaces.append(entries) + except Exception as e: + logger.error(f"Error iterating over subkeys in {subkey.path}: {e}") return interfaces @@ -83,11 +135,15 @@ def run(self): self.entries = {} try: - for control_set_interfaces_path in self.registry_hive.get_control_sets(INTERFACES_PATH): + for control_set_interfaces_path in self.registry_hive.get_control_sets( + INTERFACES_PATH + ): try: subkey = self.registry_hive.get_key(control_set_interfaces_path) except RegistryKeyNotFoundException as ex: - logger.error(f"Registry key not found at path {control_set_interfaces_path}: {ex}") + logger.error( + f"Registry key not found at path {control_set_interfaces_path}: {ex}" + ) continue # Skip to the next path if the key is not found try: 
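Review bot: The new outer handler `except Exception as e: logger.error(f"Error iterating over subkeys in {subkey.path}: {e}")` sits around the whole `for interface in subkey.iter_subkeys()` loop, so one failure drops the in-progress entry and every remaining interface with only a log line, and nothing in the returned list records that; the `incomplete_data` flag this commit introduces is never set for that case. The handler also depends on `subkey.path`, which the rest of the file never uses (it reads `interface.name` and `.header.last_modified`); if the key object has no `path` attribute the handler itself raises AttributeError — I cannot confirm from here, so please verify. Four nested `try` blocks in one method is also hard to follow; a single `try` per iteration with `continue` and `logger.exception` would give the same resilience while keeping the traceback. The function's signature is above the hunk.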
@@ -100,7 +156,10 @@ def run(self): interfaces = self.get_network_info(subkey, interfaces) self.entries[control_set_interfaces_path]["interfaces"] = interfaces except Exception as ex: - logger.error(f"Error processing registry key {control_set_interfaces_path}: {ex}") + logger.error( + f"Error processing registry key {control_set_interfaces_path}: {ex}" + ) + self.entries[control_set_interfaces_path]["incomplete_data"] = True except Exception as ex: - logger.error(f"Error during run method execution: {ex}") \ No newline at end of file + logger.error(f"Error during run method execution: {ex}") diff --git a/regipy_tests/plugin_tests.py b/regipy_tests/plugin_tests.py index dd61e9e..ab0f5f1 100644 --- a/regipy_tests/plugin_tests.py +++ b/regipy_tests/plugin_tests.py @@ -891,6 +891,7 @@ def test_network_data_plugin(system_hive): ]["interfaces"][0] == { "interface_name": "{698E50A9-4F58-4D86-B61D-F42E58DCACF6}", "last_modified": "2011-09-17T13:43:23.770078+00:00", + "incomplete_data": False, "dhcp_enabled": False, "ip_address": ["10.3.58.5"], "subnet_mask": ["255.255.255.0"], From 1a1d7f636f4e1b6cce772d62e83f130a50add71d Mon Sep 17 00:00:00 2001 From: ZarKyo Date: Sun, 25 Aug 2024 16:23:26 +0200 Subject: [PATCH 4/5] fix validation test --- .../validation_tests/network_data_plugin_validation.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/regipy_tests/validation/validation_tests/network_data_plugin_validation.py b/regipy_tests/validation/validation_tests/network_data_plugin_validation.py index 3614e95..5510f45 100644 --- a/regipy_tests/validation/validation_tests/network_data_plugin_validation.py +++ b/regipy_tests/validation/validation_tests/network_data_plugin_validation.py 
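Review bot: `self.entries[control_set_interfaces_path]["incomplete_data"] = True` in the new handler raises KeyError when the exception it is handling came from the `convert_wintime` call inside the dict literal, because that key is only assigned once the literal has been built; the KeyError is then swallowed by the outer catch-all as "Error during run method execution", which ends the loop for the remaining control sets. `self.entries.setdefault(control_set_interfaces_path, {})["incomplete_data"] = True` handles both orders. `run` begins above the hunk.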
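Review bot: The updated expectation only pins `"incomplete_data": False` on the happy path; nothing in the suite exercises the new error branches, so a regression that sets the flag wrongly or raises inside a handler would pass CI. A small test that drives `get_network_info` with a stub key whose `get_value("LeaseObtainedTime")` returns an out-of-range epoch and asserts `entry["incomplete_data"] is True` would cover the code this commit adds. The enclosing `test_network_data_plugin` starts above the hunk.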
@@ -12,6 +12,7 @@ class NetworkDataPluginValidationCase(ValidationCase): { "interface_name": "{698E50A9-4F58-4D86-B61D-F42E58DCACF6}", "last_modified": "2011-09-17T13:43:23.770078+00:00", + "incomplete_data": False, "dhcp_enabled": False, "ip_address": ["10.3.58.5"], "subnet_mask": ["255.255.255.0"], @@ -22,6 +23,7 @@ class NetworkDataPluginValidationCase(ValidationCase): { "interface_name": "{6AAFC9A9-0542-4DB2-8760-CCFFA953737C}", "last_modified": "2011-09-17T13:43:23.770078+00:00", + "incomplete_data": False, "dhcp_enabled": False, "ip_address": ["192.168.1.123"], "subnet_mask": ["255.255.255.0"], @@ -32,6 +34,7 @@ class NetworkDataPluginValidationCase(ValidationCase): { "interface_name": "{e29ac6c2-7037-11de-816d-806e6f6e6963}", "last_modified": "2011-09-17T13:43:23.770078+00:00", + "incomplete_data": False, "dhcp_enabled": False, "ip_address": None, "subnet_mask": None, @@ -47,6 +50,7 @@ class NetworkDataPluginValidationCase(ValidationCase): { "interface_name": "{698E50A9-4F58-4D86-B61D-F42E58DCACF6}", "last_modified": "2011-09-17T13:43:23.770078+00:00", + "incomplete_data": False, "dhcp_enabled": False, "ip_address": ["10.3.58.5"], "subnet_mask": ["255.255.255.0"], @@ -57,6 +61,7 @@ class NetworkDataPluginValidationCase(ValidationCase): { "interface_name": "{6AAFC9A9-0542-4DB2-8760-CCFFA953737C}", "last_modified": "2011-09-17T13:43:23.770078+00:00", + "incomplete_data": False, "dhcp_enabled": False, "ip_address": ["192.168.1.123"], "subnet_mask": ["255.255.255.0"], @@ -67,6 +72,7 @@ class NetworkDataPluginValidationCase(ValidationCase): { "interface_name": "{e29ac6c2-7037-11de-816d-806e6f6e6963}", "last_modified": "2011-09-17T13:43:23.770078+00:00", + "incomplete_data": False, "dhcp_enabled": False, "ip_address": None, "subnet_mask": None, From 66cacbe326b69b2f5b6a9968beaa0c804578c331 Mon Sep 17 00:00:00 2001 
From: ZarKyo
Date: Wed, 28 Aug 2024 15:55:58 +0200
Subject: [PATCH 5/5] correction of exception handling
---
 regipy/plugins/system/network_data.py | 160 ++--
 regipy_tests/plugin_tests.py | 1227 -------------------------
 2 files changed, 67 insertions(+), 1320 deletions(-)
 delete mode 100644 regipy_tests/plugin_tests.py
diff --git a/regipy/plugins/system/network_data.py b/regipy/plugins/system/network_data.py
index ff3c02c..eee81c8 100644
--- a/regipy/plugins/system/network_data.py
+++ b/regipy/plugins/system/network_data.py
@@ -28,88 +28,66 @@ def get_network_info(self, subkey, interfaces=None): interface.header.last_modified, as_json=self.as_json ), "incomplete_data": False, # New key to indicate incomplete data + "dhcp_enabled": interface.get_value("EnableDHCP") + == 1, # Boolean value } - try: - entries["dhcp_enabled"] = ( - interface.get_value("EnableDHCP") == 1 - ) # Boolean value - except Exception as e: - logger.error( - f"Error retrieving DHCP enabled status for interface {interface.name}: {e}" + if entries["dhcp_enabled"]: + entries.update( + { + "dhcp_server": interface.get_value("DhcpServer"), + "dhcp_ip_address": interface.get_value("DhcpIPAddress"), + "dhcp_subnet_mask": interface.get_value("DhcpSubnetMask"), + "dhcp_default_gateway": interface.get_value( + "DhcpDefaultGateway" + ), + "dhcp_name_server": interface.get_value("DhcpNameServer"), + "dhcp_domain": interface.get_value("DhcpDomain"), + } ) - entries["incomplete_data"] = True - - try: - if entries["dhcp_enabled"]: - entries.update( - { - "dhcp_server": interface.get_value("DhcpServer"), - "dhcp_ip_address": interface.get_value("DhcpIPAddress"), - "dhcp_subnet_mask": interface.get_value( - "DhcpSubnetMask" - ), - "dhcp_default_gateway": interface.get_value( - "DhcpDefaultGateway" - ), - "dhcp_name_server": interface.get_value( - "DhcpNameServer" - ), - "dhcp_domain": interface.get_value("DhcpDomain"), - } - ) + # Lease Obtained Time + lease_obtained_time = interface.get_value("LeaseObtainedTime") + if lease_obtained_time is not None: try: - lease_obtained_time = interface.get_value( - "LeaseObtainedTime" + lease_obtained_time_str = datetime.fromtimestamp( + lease_obtained_time, timezone.utc + ).strftime("%Y-%m-%d %H:%M:%S") + entries["dhcp_lease_obtained_time"] = ( + lease_obtained_time_str ) - if lease_obtained_time is not None: - lease_obtained_time_str = datetime.fromtimestamp( - lease_obtained_time, timezone.utc - ).strftime("%Y-%m-%d %H:%M:%S") - entries["dhcp_lease_obtained_time"] = ( - 
lease_obtained_time_str - ) - except Exception as e: + except (OSError, ValueError) as e: logger.error( - f"Error retrieving DHCP lease obtained time for interface {interface.name}: {e}" + f"Error converting DHCP lease obtained time for interface {interface.name}: {e}" ) entries["incomplete_data"] = True + # Lease Terminates Time + lease_terminates_time = interface.get_value("LeaseTerminatesTime") + if lease_terminates_time is not None: try: - lease_terminates_time = interface.get_value( - "LeaseTerminatesTime" + lease_terminates_time_str = datetime.fromtimestamp( + lease_terminates_time, timezone.utc + ).strftime("%Y-%m-%d %H:%M:%S") + entries["dhcp_lease_terminates_time"] = ( + lease_terminates_time_str ) - if lease_terminates_time is not None: - lease_terminates_time_str = datetime.fromtimestamp( - lease_terminates_time, timezone.utc - ).strftime("%Y-%m-%d %H:%M:%S") - entries["dhcp_lease_terminates_time"] = ( - lease_terminates_time_str - ) - except Exception as e: + except (OSError, ValueError) as e: logger.error( - f"Error retrieving DHCP lease terminates time for interface {interface.name}: {e}" + f"Error converting DHCP lease terminates time for interface {interface.name}: {e}" ) entries["incomplete_data"] = True - else: - entries.update( - { - "ip_address": interface.get_value("IPAddress"), - "subnet_mask": interface.get_value("SubnetMask"), - "default_gateway": interface.get_value( - "DefaultGateway" - ), - "name_server": interface.get_value("NameServer"), - "domain": interface.get_value("Domain"), - } - ) - except Exception as e: - logger.error( - f"Error processing DHCP/static IP information for interface {interface.name}: {e}" + else: + entries.update( + { + "ip_address": interface.get_value("IPAddress"), + "subnet_mask": interface.get_value("SubnetMask"), + "default_gateway": interface.get_value("DefaultGateway"), + "name_server": interface.get_value("NameServer"), + "domain": interface.get_value("Domain"), + } ) - entries["incomplete_data"] = True 
try: if interface.subkey_count: @@ -134,32 +112,28 @@ def get_network_info(self, subkey, interfaces=None): def run(self): self.entries = {} - try: - for control_set_interfaces_path in self.registry_hive.get_control_sets( - INTERFACES_PATH - ): - try: - subkey = self.registry_hive.get_key(control_set_interfaces_path) - except RegistryKeyNotFoundException as ex: - logger.error( - f"Registry key not found at path {control_set_interfaces_path}: {ex}" - ) - continue # Skip to the next path if the key is not found - - try: - self.entries[control_set_interfaces_path] = { - "timestamp": convert_wintime( - subkey.header.last_modified, as_json=self.as_json - ) - } - interfaces = [] - interfaces = self.get_network_info(subkey, interfaces) - self.entries[control_set_interfaces_path]["interfaces"] = interfaces - except Exception as ex: - logger.error( - f"Error processing registry key {control_set_interfaces_path}: {ex}" + for control_set_interfaces_path in self.registry_hive.get_control_sets( + INTERFACES_PATH + ): + try: + subkey = self.registry_hive.get_key(control_set_interfaces_path) + except RegistryKeyNotFoundException as ex: + logger.error( + f"Registry key not found at path {control_set_interfaces_path}: {ex}" + ) + continue # Skip to the next path if the key is not found + + try: + self.entries[control_set_interfaces_path] = { + "timestamp": convert_wintime( + subkey.header.last_modified, as_json=self.as_json ) - self.entries[control_set_interfaces_path]["incomplete_data"] = True - - except Exception as ex: - logger.error(f"Error during run method execution: {ex}") + } + interfaces = [] + interfaces = self.get_network_info(subkey, interfaces) + self.entries[control_set_interfaces_path]["interfaces"] = interfaces + except Exception as ex: + logger.error( + f"Error processing registry key {control_set_interfaces_path}: {ex}" + ) + self.entries[control_set_interfaces_path]["incomplete_data"] = True 
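Review bot: The narrowed `except (OSError, ValueError) as e:` around both `datetime.fromtimestamp(..., timezone.utc)` calls misses OverflowError, which `fromtimestamp` raises for an epoch outside the platform's `gmtime` range and which is an ArithmeticError rather than a subclass of either, and TypeError for a non-numeric value; with the broad per-field handlers removed, such a value now propagates to the outer catch-all around the loop (context above the hunk) and drops every remaining interface. Change both to `except (OverflowError, OSError, ValueError, TypeError) as e:`. Moving `"dhcp_enabled": interface.get_value("EnableDHCP") == 1` back into the dict literal has the same effect for a failing lookup, since its per-field handler was removed too. The remaining handlers at the end of the hunk still use `logger.error(f"...{e}")`; `logger.exception` keeps the traceback at no cost. `get_network_info`'s start and `return` are outside the hunk.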
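Review bot: With the outer `try/except` removed, `self.entries[control_set_interfaces_path]["incomplete_data"] = True` in the remaining handler now lets a KeyError escape `run()` whenever the handled exception came from the `convert_wintime` call inside the dict literal, because the key is assigned only after the literal is built; `self.entries.setdefault(control_set_interfaces_path, {})["incomplete_data"] = True` fixes both orders. Dropping the outer catch-all itself is the right call — an error from `get_control_sets` should reach the caller rather than masquerade as an empty result. Separately, this commit's diffstat deletes `regipy_tests/plugin_tests.py` in full, including the `test_network_data_plugin` expectation the previous commit updated, which does not match a title of "correction of exception handling" and looks unintended; if the suite moved elsewhere, the description should say so.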
diff --git a/regipy_tests/plugin_tests.py b/regipy_tests/plugin_tests.py
deleted file mode 100644
index ab0f5f1..0000000
--- a/regipy_tests/plugin_tests.py
+++ /dev/null
@@ -1,1227 +0,0 @@ -import datetime as dt - -from regipy.plugins.amcache.amcache import AmCachePlugin -from regipy.plugins.bcd.boot_entry_list import BootEntryListPlugin -from regipy.plugins.ntuser.classes_installer import NtuserClassesInstallerPlugin -from regipy.plugins.ntuser.network_drives import NetworkDrivesPlugin -from regipy.plugins.ntuser.persistence import NTUserPersistencePlugin -from regipy.plugins.ntuser.shellbags_ntuser import ShellBagNtuserPlugin -from regipy.plugins.ntuser.typed_paths import TypedPathsPlugin -from regipy.plugins.ntuser.typed_urls import TypedUrlsPlugin -from regipy.plugins.ntuser.user_assist import UserAssistPlugin -from regipy.plugins.ntuser.winrar import WinRARPlugin -from regipy.plugins.ntuser.winscp_saved_sessions import WinSCPSavedSessionsPlugin -from regipy.plugins.ntuser.word_wheel_query import WordWheelQueryPlugin -from regipy.plugins.sam.local_sid import LocalSidPlugin -from regipy.plugins.security.domain_sid import DomainSidPlugin -from regipy.plugins.software.disablesr import DisableSRPlugin -from regipy.plugins.software.installed_programs import InstalledProgramsSoftwarePlugin -from regipy.plugins.software.last_logon import LastLogonPlugin -from regipy.plugins.software.persistence import SoftwarePersistencePlugin -from regipy.plugins.software.printdemon import PrintDemonPlugin -from regipy.plugins.software.profilelist import ProfileListPlugin -from regipy.plugins.software.spp_clients import SppClientsPlugin -from regipy.plugins.software.susclient import SusclientPlugin -from regipy.plugins.software.tracing import RASTracingPlugin -from regipy.plugins.software.uac import UACStatusPlugin -from regipy.plugins.software.winver import WinVersionPlugin -from regipy.plugins.system.backuprestore import BackupRestorePlugin -from regipy.plugins.system.bootkey import BootKeyPlugin -from regipy.plugins.system.codepage import CodepagePlugin -from regipy.plugins.system.computer_name import ComputerNamePlugin -from 
regipy.plugins.system.crash_dump import CrashDumpPlugin -from regipy.plugins.system.diag_sr import DiagSRPlugin -from regipy.plugins.system.disablelastaccess import DisableLastAccessPlugin -from regipy.plugins.system.host_domain_name import HostDomainNamePlugin -from regipy.plugins.system.network_data import NetworkDataPlugin -from regipy.plugins.system.previous_winver import PreviousWinVersionPlugin -from regipy.plugins.system.processor_architecture import ProcessorArchitecturePlugin -from regipy.plugins.system.services import ServicesPlugin -from regipy.plugins.system.shimcache import ShimCachePlugin -from regipy.plugins.system.shutdown import ShutdownPlugin -from regipy.plugins.system.timezone_data2 import TimezoneDataPlugin2 -from regipy.plugins.system.usbstor import USBSTORPlugin -from regipy.plugins.system.wdigest import WDIGESTPlugin -from regipy.plugins.usrclass.shellbags_usrclass import ShellBagUsrclassPlugin -from regipy.registry import RegistryHive - - -def test_shimcache_plugin(system_hive): - registry_hive = RegistryHive(system_hive) - plugin_instance = ShimCachePlugin(registry_hive, as_json=True) - plugin_instance.run() - - assert len(plugin_instance.entries) == 660 - assert plugin_instance.entries[0] == { - "last_mod_date": "2011-01-12T12:08:00+00:00", - "path": "\\??\\C:\\Program Files\\McAfee\\VirusScan Enterprise\\mfeann.exe", - "exec_flag": "True", - } - - -def test_computer_name_plugin(system_hive): - registry_hive = RegistryHive(system_hive) - plugin_instance = ComputerNamePlugin(registry_hive, as_json=True) - plugin_instance.run() - - assert plugin_instance.entries == [ - {"name": "WKS-WIN732BITA", "timestamp": "2010-11-10T17:18:08.718750+00:00"}, - {"name": "WIN-V5T3CSP8U4H", "timestamp": "2010-11-10T18:17:36.968750+00:00"}, - ] - - -def test_persistence_plugin_ntuser(ntuser_hive): - registry_hive = RegistryHive(ntuser_hive) - plugin_instance = NTUserPersistencePlugin(registry_hive, as_json=True) - plugin_instance.run() - - assert 
plugin_instance.entries == { - "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run": { - "timestamp": "2012-04-03T21:19:54.837716+00:00", - "values": [ - { - "name": "Sidebar", - "value_type": "REG_EXPAND_SZ", - "value": "%ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun", - "is_corrupted": False, - } - ], - } - } - - -def test_persistence_plugin_software(software_hive): - registry_hive = RegistryHive(software_hive) - plugin_instance = SoftwarePersistencePlugin(registry_hive, as_json=True) - plugin_instance.run() - - assert plugin_instance.entries == { - "\\Microsoft\\Windows\\CurrentVersion\\Run": { - "timestamp": "2012-04-04T01:54:23.669836+00:00", - "values": [ - { - "name": "VMware Tools", - "value_type": "REG_SZ", - "value": '"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"', - "is_corrupted": False, - }, - { - "name": "VMware User Process", - "value_type": "REG_SZ", - "value": '"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe"', - "is_corrupted": False, - }, - { - "name": "Adobe ARM", - "value_type": "REG_SZ", - "value": '"C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"', - "is_corrupted": False, - }, - { - "name": "McAfeeUpdaterUI", - "value_type": "REG_SZ", - "value": '"C:\\Program Files\\McAfee\\Common Framework\\udaterui.exe" /StartedFromRunKey', - "is_corrupted": False, - }, - { - "name": "ShStatEXE", - "value_type": "REG_SZ", - "value": '"C:\\Program Files\\McAfee\\VirusScan Enterprise\\SHSTAT.EXE" /STANDALONE', - "is_corrupted": False, - }, - { - "name": "McAfee Host Intrusion Prevention Tray", - "value_type": "REG_SZ", - "value": '"C:\\Program Files\\McAfee\\Host Intrusion Prevention\\FireTray.exe"', - "is_corrupted": False, - }, - { - "name": "svchost", - "value_type": "REG_SZ", - "value": "c:\\windows\\system32\\dllhost\\svchost.exe", - "is_corrupted": False, - }, - ], - } - } - - -def test_user_assist_plugin_ntuser(ntuser_hive): - registry_hive = RegistryHive(ntuser_hive) - plugin_instance = 
UserAssistPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert len(plugin_instance.entries) == 62
- assert plugin_instance.entries[-1] == {
- "focus_count": 1,
- "name": "%PROGRAMFILES(X86)%\\Microsoft Office\\Office14\\EXCEL.EXE",
- "run_counter": 4,
- "session_id": 0,
- "timestamp": "2012-04-04T15:43:14.785000+00:00",
- "total_focus_time_ms": 47673,
- }
-
- assert plugin_instance.entries[50] == {
- "focus_count": 9,
- "name": "Microsoft.Windows.RemoteDesktop",
- "run_counter": 8,
- "session_id": 0,
- "timestamp": "2012-04-03T22:06:58.124282+00:00",
- "total_focus_time_ms": 180000,
- }
-
-
-def test_plugin_amcache(amcache_hive):
- registry_hive = RegistryHive(amcache_hive)
- plugin_instance = AmCachePlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert len(plugin_instance.entries) == 1367
- assert plugin_instance.entries[100] == {
- "full_path": "C:\\Windows\\system32\\TPVMMondeu.dll",
- "last_modified_timestamp_2": "2017-03-17T05:06:04.002722+00:00",
- "program_id": "75a010066bb612ca7357ce31df8e9f0300000904",
- "sha1": "056f4b9d9ec9b5dc548e1b460da889e44089d76f",
- "timestamp": "2017-08-03T11:34:02.263418+00:00",
- }
-
-
-def test_word_wheel_query_plugin_ntuser(ntuser_hive):
- registry_hive = RegistryHive(ntuser_hive)
- plugin_instance = WordWheelQueryPlugin(registry_hive, ntuser_hive)
- plugin_instance.run()
-
- assert len(plugin_instance.entries) == 6
- assert plugin_instance.entries[0] == {
- "last_write": "2012-04-04T15:45:18.551340+00:00",
- "mru_id": 1,
- "name": "alloy",
- "order": 0,
- }
-
-
-def test_uac_status_plugin_software(software_hive):
- registry_hive = RegistryHive(software_hive)
- plugin_instance = UACStatusPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == {
- "consent_prompt_admin": 5,
- "consent_prompt_user": 3,
- "enable_limited_user_accounts": 1,
- "enable_virtualization": 1,
- "filter_admin_token": 0,
- "last_write": "2011-08-30T18:47:10.734144+00:00",
- }
-
-
-def test_classes_installer_plugin_ntuser(ntuser_hive_2):
- registry_hive = RegistryHive(ntuser_hive_2)
- plugin_instance = NtuserClassesInstallerPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries[0] == {
- "identifier": "8A4152964845CF540BEAEBD27F7A8519",
- "timestamp": "2022-02-15T07:00:07.245646+00:00",
- "product_name": "Microsoft Visual C++ Compiler Package for Python 2.7",
- "is_hidden": False,
- }
-
- assert not any([x["is_hidden"] for x in plugin_instance.entries])
-
-
-def test_ras_tracing_plugin_software(software_hive):
- registry_hive = RegistryHive(software_hive)
- plugin_instance = RASTracingPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert len(plugin_instance.entries) == 70
-
- assert plugin_instance.entries[0] == {
- "key": "\\Microsoft\\Tracing",
- "name": "AcroRd32_RASAPI32",
- "timestamp": "2012-03-16T21:31:26.613878+00:00",
- }
-
- assert plugin_instance.entries[-1] == {
- "key": "\\Microsoft\\Tracing",
- "name": "wmplayer_RASMANCS",
- "timestamp": "2012-03-12T20:58:55.476336+00:00",
- }
-
-
-def test_installed_programs_plugin_software(software_hive):
- registry_hive = RegistryHive(software_hive)
- plugin_instance = InstalledProgramsSoftwarePlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert len(plugin_instance.entries) == 67
-
- assert plugin_instance.entries[0] == {
- "registry_path": "\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
- "service_name": "AddressBook",
- "timestamp": "2009-07-14T04:41:12.758808+00:00",
- }
-
- assert (
- plugin_instance.entries[-1].items()
- > {
- "service_name": "{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}",
- "timestamp": "2011-07-05T22:58:57.996094+00:00",
- "registry_path": "\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
- "UninstallString": "MsiExec.exe /X{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}",
- "URLInfoAbout": "http://www.vmware.com",
- "DisplayName": "VMware Tools",
- }.items()
- )
-
-
-def test_last_logon_plugin_software(software_hive):
- registry_hive = RegistryHive(software_hive)
- plugin_instance = LastLogonPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == {
- "last_logged_on_provider": "{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}",
- "last_logged_on_sam_user": "SHIELDBASE\\rsydow",
- "last_logged_on_user": "SHIELDBASE\\rsydow",
- "last_write": "2012-04-04T12:20:41.453654+00:00",
- "show_tablet_keyboard": 0,
- }
-
-
-def test_typed_urls_plugin_ntuser(ntuser_hive):
- registry_hive = RegistryHive(ntuser_hive)
- plugin_instance = TypedUrlsPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == {
- "last_write": "2012-04-03T22:37:55.411500+00:00",
- "entries": [
- {"url1": "http://199.73.28.114:53/"},
- {"url2": "http://go.microsoft.com/fwlink/?LinkId=69157"},
- ],
- }
-
-
-def test_profilelist_plugin(software_hive):
- registry_hive = RegistryHive(software_hive)
- plugin_instance = ProfileListPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == [
- {
- "last_write": "2009-07-14T04:41:12.493608+00:00",
- "path": "%systemroot%\\system32\\config\\systemprofile",
- "flags": 12,
- "full_profile": None,
- "state": 0,
- "sid": "S-1-5-18",
- "load_time": None,
- "local_load_time": None,
- },
- {
- "last_write": "2010-11-10T18:09:16.250000+00:00",
- "path": "C:\\Windows\\ServiceProfiles\\LocalService",
- "flags": 0,
- "full_profile": None,
- "state": 0,
- "sid": "S-1-5-19",
- "load_time": None,
- "local_load_time": None,
- },
- {
- "last_write": "2010-11-10T18:09:16.250000+00:00",
- "path": "C:\\Windows\\ServiceProfiles\\NetworkService",
- "flags": 0,
- "full_profile": None,
- "state": 0,
- "sid": "S-1-5-20",
- "load_time": None,
- "local_load_time": None,
- },
- {
- "last_write": "2010-11-10T17:22:52.109376+00:00",
- "path": "C:\\Users\\Pepper",
- "flags": 0,
- "full_profile": None,
- "state": 0,
- "sid": "S-1-5-21-100689374-1717798114-2601648136-1000",
- "load_time": "1601-01-01T00:00:00+00:00",
- "local_load_time": None,
- },
- {
- "last_write": "2012-04-04T12:42:17.719834+00:00",
- "path": "C:\\Users\\SRL-Helpdesk",
- "flags": 0,
- "full_profile": None,
- "state": 0,
- "sid": "S-1-5-21-100689374-1717798114-2601648136-1001",
- "load_time": "1601-01-01T00:00:00+00:00",
- "local_load_time": None,
- },
- {
- "last_write": "2011-08-21T00:51:19.820166+00:00",
- "path": "C:\\Users\\nfury",
- "flags": 0,
- "full_profile": None,
- "state": 0,
- "sid": "S-1-5-21-2036804247-3058324640-2116585241-1105",
- "load_time": "1601-01-01T00:00:00+00:00",
- "local_load_time": None,
- },
- {
- "last_write": "2011-08-23T01:33:29.006350+00:00",
- "path": "C:\\Users\\mhill",
- "flags": 0,
- "full_profile": None,
- "state": 0,
- "sid": "S-1-5-21-2036804247-3058324640-2116585241-1106",
- "load_time": "1601-01-01T00:00:00+00:00",
- "local_load_time": None,
- },
- {
- "last_write": "2011-09-17T13:33:17.372366+00:00",
- "path": "C:\\Users\\Tdungan",
- "flags": 0,
- "full_profile": None,
- "state": 0,
- "sid": "S-1-5-21-2036804247-3058324640-2116585241-1107",
- "load_time": "1601-01-01T00:00:00+00:00",
- "local_load_time": None,
- },
- {
- "last_write": "2012-04-06T19:44:17.844274+00:00",
- "path": "C:\\Users\\nromanoff",
- "flags": 0,
- "full_profile": None,
- "state": 0,
- "sid": "S-1-5-21-2036804247-3058324640-2116585241-1109",
- "load_time": "1601-01-01T00:00:00+00:00",
- "local_load_time": None,
- },
- {
- "last_write": "2012-04-06T19:42:31.408714+00:00",
- "path": "C:\\Users\\rsydow",
- "flags": 0,
- "full_profile": None,
- "state": 256,
- "sid": "S-1-5-21-2036804247-3058324640-2116585241-1114",
- "load_time": "1601-01-01T00:00:00+00:00",
- "local_load_time": None,
- },
- {
- "last_write": "2012-04-06T19:22:20.845938+00:00",
- "path": "C:\\Users\\vibranium",
- "flags": 0,
- "full_profile": None,
- "state": 256,
- "sid": "S-1-5-21-2036804247-3058324640-2116585241-1673",
- "load_time": "1601-01-01T00:00:00+00:00",
- "local_load_time": None,
- },
- ]
-
-
-def test_printdemon_plugin(software_hive):
- registry_hive = RegistryHive(software_hive)
- plugin_instance = PrintDemonPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == [
- {
- "parameters": ["9600", "n", "8", "1"],
- "port_name": "COM1:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- {
- "parameters": ["9600", "n", "8", "1"],
- "port_name": "COM2:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- {
- "parameters": ["9600", "n", "8", "1"],
- "port_name": "COM3:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- {
- "parameters": ["9600", "n", "8", "1"],
- "port_name": "COM4:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- {
- "parameters": 0,
- "port_name": "FILE:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- {
- "parameters": 0,
- "port_name": "LPT1:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- {
- "parameters": 0,
- "port_name": "LPT2:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- {
- "parameters": 0,
- "port_name": "LPT3:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- {
- "parameters": 0,
- "port_name": "XPSPort:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- {
- "parameters": 0,
- "port_name": "Ne00:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- {
- "parameters": 0,
- "port_name": "Ne01:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- {
- "parameters": 0,
- "port_name": "nul:",
- "timestamp": "2010-11-10T10:35:02.448040+00:00",
- },
- ]
-
-
-def test_services_plugin_on_corrupted_hive(corrupted_system_hive):
- registry_hive = RegistryHive(corrupted_system_hive)
- plugin_instance = ServicesPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries["\\ControlSet001\\Services"]["services"][0] == {
- "last_modified": "2008-10-21T17:48:29.328124+00:00",
- "name": "Abiosdsk",
- "parameters": [],
- "values": [
- {
- "is_corrupted": False,
- "name": "ErrorControl",
- "value": 0,
- "value_type": "REG_DWORD",
- },
- {
- "is_corrupted": False,
- "name": "Group",
- "value": "Primary disk",
- "value_type": "REG_SZ",
- },
- {
- "is_corrupted": False,
- "name": "Start",
- "value": 4,
- "value_type": "REG_DWORD",
- },
- {
- "is_corrupted": False,
- "name": "Tag",
- "value": 3,
- "value_type": "REG_DWORD",
- },
- {
- "is_corrupted": False,
- "name": "Type",
- "value": 1,
- "value_type": "REG_DWORD",
- },
- ],
- }
-
-
-def test_local_sid_plugin_sam(sam_hive):
- registry_hive = RegistryHive(sam_hive)
- plugin_instance = LocalSidPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == [
- {
- "machine_sid": "S-1-5-21-1760460187-1592185332-161725925",
- "timestamp": "2014-09-24T03:36:43.549302+00:00",
- }
- ]
-
-
-def test_bootkey_plugin_system(system_hive):
- registry_hive = RegistryHive(system_hive)
- plugin_instance = BootKeyPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == [
- {
- "key": "e7f28d88f470cfed67dbcdb62ed1275b",
- "timestamp": "2012-04-04T11:47:46.203124+00:00",
- },
- {
- "key": "e7f28d88f470cfed67dbcdb62ed1275b",
- "timestamp": "2012-04-04T11:47:46.203124+00:00",
- },
- ]
-
-
-def test_host_domain_name_plugin_system(system_hive):
- registry_hive = RegistryHive(system_hive)
- plugin_instance = HostDomainNamePlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == [
- {
- "hostname": "WKS-WIN732BITA",
- "domain": "shieldbase.local",
- "timestamp": "2011-09-17T13:43:23.770078+00:00",
- },
- {
- "hostname": "WKS-WIN732BITA",
- "domain": "shieldbase.local",
- "timestamp": "2011-09-17T13:43:23.770078+00:00",
- },
- ]
-
-
-def test_domain_sid_plugin_security(security_hive):
- registry_hive = RegistryHive(security_hive)
- plugin_instance = DomainSidPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == [
- {
- "domain_name": "WORKGROUP",
- "domain_sid": None,
- "machine_sid": None,
- "timestamp": "2021-08-05T10:43:08.911000+00:00",
- }
- ]
-
-
-def test_boot_entry_list_plugin_bcd(bcd_hive):
- registry_hive = RegistryHive(bcd_hive)
- plugin_instance = BootEntryListPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == [
- {
- "guid": "{733b62de-f608-11eb-825c-c112f60133ab}",
- "type": "0x101FFFFF",
- "name": "Linux Boot Manager",
- "gpt_disk": "376e5397-7d1f-4e4f-a668-5a62c1269e60",
- "gpt_partition": "24e0e103-9bc2-477e-a5e2-3e42d2bb134f",
- "image_path": "\\EFI\\systemd\\systemd-bootx64.efi",
- "timestamp": "2021-08-09T02:13:30.992594+00:00",
- },
- {
- "guid": "{733b62e2-f608-11eb-825c-c112f60133ab}",
- "type": "0x101FFFFF",
- "name": "UEFI OS",
- "gpt_disk": "376e5397-7d1f-4e4f-a668-5a62c1269e60",
- "gpt_partition": "24e0e103-9bc2-477e-a5e2-3e42d2bb134f",
- "image_path": "\\EFI\\BOOT\\BOOTX64.EFI",
- "timestamp": "2021-08-09T02:13:30.992594+00:00",
- },
- {
- "guid": "{733b62e3-f608-11eb-825c-c112f60133ab}",
- "type": "0x101FFFFF",
- "name": "Windows Boot Manager",
- "gpt_disk": "376e5397-7d1f-4e4f-a668-5a62c1269e60",
- "gpt_partition": "24e0e103-9bc2-477e-a5e2-3e42d2bb134f",
- "image_path": "\\EFI\\Microsoft\\Boot\\bootmgfw.efi",
- "timestamp": "2021-08-09T02:13:30.992594+00:00",
- },
- {
- "guid": "{733b62e4-f608-11eb-825c-c112f60133ab}",
- "type": "0x10200004",
- "name": "Windows Resume Application",
- "gpt_disk": "0b2394a9-095e-487d-8d48-719ecd4d78ca",
- "gpt_partition": "8e0f2c38-e4ea-47ba-b7fc-9d8c74dccf0b",
- "image_path": "\\Windows\\system32\\winresume.efi",
- "timestamp": "2021-08-09T02:13:30.992594+00:00",
- },
- {
- "guid": "{733b62e5-f608-11eb-825c-c112f60133ab}",
- "type": "0x10200003",
- "name": "Windows 10",
- "gpt_disk": "0b2394a9-095e-487d-8d48-719ecd4d78ca",
- "gpt_partition": "8e0f2c38-e4ea-47ba-b7fc-9d8c74dccf0b",
- "image_path": "\\Windows\\system32\\winload.efi",
- "timestamp": "2021-08-09T02:13:30.992594+00:00",
- },
- {
- "guid": "{733b62e6-f608-11eb-825c-c112f60133ab}",
- "type": "0x10200003",
- "name": "Windows Recovery Environment",
- "gpt_disk": "00000001-0090-0000-0500-000006000000",
- "gpt_partition": "00000003-0000-0000-0000-000000000000",
- "image_path": "\\windows\\system32\\winload.efi",
- "timestamp": "2021-08-09T02:13:30.976970+00:00",
- },
- {
- "guid": "{9dea862c-5cdd-4e70-acc1-f32b344d4795}",
- "type": "0x10100002",
- "name": "Windows Boot Manager",
- "gpt_disk": "0b2394a9-095e-487d-8d48-719ecd4d78ca",
- "gpt_partition": "36be3955-63bf-4068-a6ab-00195cca3a22",
- "image_path": "\\EFI\\Microsoft\\Boot\\bootmgfw.efi",
- "timestamp": "2021-08-09T02:13:30.992594+00:00",
- },
- {
- "guid": "{b2721d73-1db4-4c62-bf78-c548a880142d}",
- "type": "0x10200005",
- "name": "Windows Memory Diagnostic",
- "gpt_disk": "0b2394a9-095e-487d-8d48-719ecd4d78ca",
- "gpt_partition": "36be3955-63bf-4068-a6ab-00195cca3a22",
- "image_path": "\\EFI\\Microsoft\\Boot\\memtest.efi",
- "timestamp": "2021-08-09T02:13:30.976970+00:00",
- },
- ]
-
-
-def test_wdigest(system_hive):
- registry_hive = RegistryHive(system_hive)
- plugin_instance = WDIGESTPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == [
- {
- "subkey": r"\ControlSet001\Control\SecurityProviders\WDigest",
- "timestamp": "2009-07-14T04:37:09.491968+00:00",
- "use_logon_credential": 1,
- },
- {
- "subkey": r"\ControlSet002\Control\SecurityProviders\WDigest",
- "timestamp": "2009-07-14T04:37:09.491968+00:00",
- "use_logon_credential": None,
- },
- ]
-
-
-def test_winrar(ntuser_hive):
- registry_hive = RegistryHive(ntuser_hive)
- plugin_instance = WinRARPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == [
- {
- "last_write": "2021-11-18T13:59:04.888952+00:00",
- "file_path": "C:\\Users\\tony\\Downloads\\RegistryFinder64.zip",
- "operation": "archive_opened",
- "value_name": "0",
- },
- {
- "last_write": "2021-11-18T13:59:04.888952+00:00",
- "file_path": "C:\\temp\\token.zip",
- "operation": "archive_opened",
- "value_name": "1",
- },
- {
- "last_write": "2021-11-18T13:59:50.023788+00:00",
- "file_name": "Tools.zip",
- "operation": "archive_created",
- "value_name": "0",
- },
- {
- "last_write": "2021-11-18T13:59:50.023788+00:00",
- "file_name": "data.zip",
- "operation": "archive_created",
- "value_name": "1",
- },
- {
- "last_write": "2021-11-18T14:00:44.180468+00:00",
- "file_path": "C:\\Users\\tony\\Downloads",
- "operation": "archive_extracted",
- "value_name": "0",
- },
- {
- "last_write": "2021-11-18T14:00:44.180468+00:00",
- "file_path": "C:\\temp",
- "operation": "archive_extracted",
- "value_name": "1",
- },
- ]
-
-
-def test_netdrives(ntuser_hive):
-
- registry_hive = RegistryHive(ntuser_hive)
- plugin_instance = NetworkDrivesPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == [
- {
- "drive_letter": r"p",
- "last_write": "2012-04-03T22:08:18.840132+00:00",
- "network_path": "\\\\controller\\public",
- }
- ]
-
-
-def test_winscp_saved_sessions_plugin(ntuser_hive_2):
- registry_hive = RegistryHive(ntuser_hive_2)
- plugin_instance = WinSCPSavedSessionsPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert len(plugin_instance.entries) == 2
-
- assert plugin_instance.entries[1] == {
- "FSProtocol": 7,
- "Ftps": 1,
- "hive_name": "HKEY_CURRENT_USER",
- "HostName": "s3.amazonaws.com",
- "IsWorkspace": 1,
- "key_path": "HKEY_CURRENT_USER\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\personalab/0000",
- "LocalDirectory": "C:%5CUsers%5Ctony%5CDocuments",
- "PortNumber": 443,
- "RemoteDirectory": "/dev-personalab-velocityapp-data/uploads/Amnon/Lunar_Memdumps",
- "timestamp": "2022-04-25T09:53:58.125852+00:00",
- "UserName": "AKIAYTYA2O7PWLAQQOCU",
- }
-
-
-def test_usbstor(system_hive_with_filetime):
- registry_hive = RegistryHive(system_hive_with_filetime)
- plugin_instance = USBSTORPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries[0] == {
- "device_name": "SanDisk Cruzer USB Device",
- "disk_guid": "{fc416b61-6437-11ea-bd0c-a483e7c21469}",
- "first_installed": "2020-03-17T14:02:38.955490+00:00",
- "key_path": "\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20\\200608767007B7C08A6A&0",
- "last_connected": "2020-03-17T14:02:38.946628+00:00",
- "last_installed": "2020-03-17T14:02:38.955490+00:00",
- "last_removed": "2020-03-17T14:23:45.504690+00:00",
- "last_write": "2020-03-17T14:02:38.965050+00:00",
- "manufacturer": "Ven_SanDisk",
- "serial_number": "200608767007B7C08A6A&0",
- "title": "Prod_Cruzer",
- "version": "Rev_1.20",
- }
-
-
-def test_typed_paths_plugin_ntuser(shellbags_ntuser):
- registry_hive = RegistryHive(shellbags_ntuser)
- plugin_instance = TypedPathsPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == {
- "last_write": "2022-02-06T13:46:04.945080+00:00",
- "entries": [
- {"url1": "cmd"},
- {"url2": "C:\\Offline\\AD"},
- {"url3": "git"},
- {"url4": "powershell"},
- {"url5": "C:\\Program Files"},
- {"url6": "Network"},
- {"url7": "\\\\wsl$\\Ubuntu\\projects\\CAD316_001\\partition_p1"},
- {"url8": "\\\\wsl$\\Ubuntu\\projects"},
- {"url9": "\\\\wsl$\\Ubuntu"},
- {"url10": "C:\\Users\\tony\\Github"},
- {"url11": "C:\\Users\\tony\\Github\\velocity-client-master"},
- {"url12": "C:\\Users\\tony\\Github\\cogz"},
- {"url13": "C:\\Users\\tony\\Github\\cogz\\cogz"},
- {"url14": "Quick access"},
- {"url15": "C:\\ProgramData\\chocolatey\\lib\\yara\\tools"},
- {"url16": "C:\\Training\\MT01\\exercise"},
- ],
- }
-
-
-def test_shellbags_plugin_ntuser(shellbags_ntuser):
- registry_hive = RegistryHive(shellbags_ntuser)
- plugin_instance = ShellBagNtuserPlugin(registry_hive, as_json=True)
- plugin_instance.run()
- assert plugin_instance.entries[-1] == {
- "value": "rekall",
- "slot": "0",
- "reg_path": "\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\2\\0",
- "value_name": "0",
- "node_slot": "11",
- "shell_type": "Directory",
- "path": "Search Folder\\tmp\\rekall",
- "creation_time": dt.datetime(2021, 8, 16, 9, 41, 32).isoformat(),
- "full path": None,
- "access_time": dt.datetime(2021, 8, 16, 9, 43, 22).isoformat(),
- "modification_time": dt.datetime(2021, 8, 16, 9, 41, 32).isoformat(),
- "last_write": "2021-08-16T09:44:39.333110+00:00",
- "location description": None,
- "mru_order": "0",
- "mru_order_location": 0,
- }
-
- assert len(plugin_instance.entries) == 102
-
-
-def test_shellbags_plugin_usrclass(transaction_usrclass):
- registry_hive = RegistryHive(transaction_usrclass)
- plugin_instance = ShellBagUsrclassPlugin(registry_hive, as_json=True)
- plugin_instance.run()
- assert plugin_instance.entries[-1] == {
- "value": "Dropbox",
- "slot": "9",
- "reg_path": "\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU",
- "value_name": "9",
- "node_slot": "20",
- "shell_type": "Root Folder",
- "path": "Dropbox",
- "creation_time": None,
- "full path": None,
- "access_time": None,
- "modification_time": None,
- "last_write": "2018-04-05T02:13:26.843024+00:00",
- "location description": None,
- "mru_order": "4-8-7-6-9-0-1-5-3-2",
- "mru_order_location": 4,
- }
-
- assert len(plugin_instance.entries) == 29
-
-
-def test_network_data_plugin(system_hive):
- registry_hive = RegistryHive(system_hive)
- plugin_instance = NetworkDataPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries[
- "\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces"
- ]["interfaces"][0] == {
- "interface_name": "{698E50A9-4F58-4D86-B61D-F42E58DCACF6}",
- "last_modified": "2011-09-17T13:43:23.770078+00:00",
- "incomplete_data": False,
- "dhcp_enabled": False,
- "ip_address": ["10.3.58.5"],
- "subnet_mask": ["255.255.255.0"],
- "default_gateway": ["10.3.58.1"],
- "name_server": "10.3.58.4",
- "domain": 0,
- }
-
-
-def test_win_version_plugin(software_hive):
- registry_hive = RegistryHive(software_hive)
- plugin_instance = WinVersionPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries["\\Microsoft\\Windows NT\\CurrentVersion"] == {
- "BuildLab": "7601.win7sp1_gdr.111118-2330",
- "BuildLabEx": "7601.17727.x86fre.win7sp1_gdr.111118-2330",
- "CSDVersion": "Service Pack 1",
- "CurrentBuild": "7601",
- "CurrentBuildNumber": "7601",
- "CurrentVersion": "6.1",
- "EditionID": "Ultimate",
- "InstallationType": "Client",
- "InstallDate": "2010-11-10 16:28:55",
- "last_write": "2012-03-14T07:09:21.562500+00:00",
- "ProductId": "00426-067-1817155-86250",
- "ProductName": "Windows 7 Ultimate",
- "RegisteredOrganization": 0,
- "RegisteredOwner": "Windows User",
- }
-
-
-def test_previous_win_version_plugin(system_hive_with_filetime):
- registry_hive = RegistryHive(system_hive_with_filetime)
- plugin_instance = PreviousWinVersionPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- # work with SYSTEM_WIN_10_1709 HIVE
- assert plugin_instance.entries == [
- {
- "BuildLab": "15063.rs2_release.170317-1834",
- "BuildLabEx": "15063.0.amd64fre.rs2_release.170317-1834",
- "CompositionEditionID": "Professional",
- "CurrentBuild": "15063",
- "CurrentBuildNumber": "15063",
- "CurrentVersion": "6.3",
- "EditionID": "Professional",
- "InstallationType": "Client",
- "InstallDate": "2017-07-12 07:18:28",
- "key": "\\Setup\\Source OS (Updated on 1/6/2019 02:18:37)",
- "ProductId": "00330-80111-62153-AA362",
- "ProductName": "Windows 10 Pro",
- "RegisteredOrganization": 0,
- "RegisteredOwner": "Windows User",
- "update_date": "2019-01-06 02:18:37",
- },
- {
- "BuildLab": "17134.rs4_release.180410-1804",
- "BuildLabEx": "17134.1.amd64fre.rs4_release.180410-1804",
- "CompositionEditionID": "Enterprise",
- "CurrentBuild": "17134",
- "CurrentBuildNumber": "17134",
- "CurrentVersion": "6.3",
- "EditionID": "Professional",
- "InstallationType": "Client",
- "InstallDate": "2019-01-27 10:39:32",
- "key": "\\Setup\\Source OS (Updated on 5/16/2019 00:55:20)",
- "ProductId": "00330-80111-62153-AA442",
- "ProductName": "Windows 10 Pro",
- "RegisteredOrganization": 0,
- "RegisteredOwner": "Windows User",
- "update_date": "2019-05-16 00:55:20",
- },
- ]
-
-
-def test_shutdown_plugin(system_hive):
- registry_hive = RegistryHive(system_hive)
- plugin_instance = ShutdownPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == {
- "\\ControlSet001\\Control\\Windows": {
- "date": "2012-04-04 01:58:40",
- "last_write": "2012-04-04T01:58:40.839250+00:00",
- },
- "\\ControlSet002\\Control\\Windows": {
- "date": "2012-04-04 01:58:40",
- "last_write": "2012-04-04T01:58:40.839250+00:00",
- },
- }
-
-
-def test_processor_architecture_plugin(system_hive):
- registry_hive = RegistryHive(system_hive)
- plugin_instance = ProcessorArchitecturePlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries[
- "\\ControlSet001\\Control\\Session Manager\\Environment"
- ] == {
- "NUMBER_OF_PROCESSORS": 49,
- "PROCESSOR_ARCHITECTURE": "x86",
- "PROCESSOR_IDENTIFIER": "x86 Family 16 Model 8 Stepping 0, AuthenticAMD",
- "PROCESSOR_REVISION": "0800",
- }
-
-
-def test_crash_dump_plugin(system_hive):
- registry_hive = RegistryHive(system_hive)
- plugin_instance = CrashDumpPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries["\\ControlSet001\\Control\\CrashControl"] == {
- "CrashDumpEnabled": 2,
- "CrashDumpEnabledStr": "Kernel memory dump",
- "DumpFile": "%SystemRoot%\\MEMORY.DMP",
- "last_write": "2012-04-04T11:47:36.984376+00:00",
- "LogEvent": 1,
- "MinidumpDir": "%SystemRoot%\\Minidump",
- }
-
-
-def test_susclient_plugin(software_hive):
- registry_hive = RegistryHive(software_hive)
- plugin_instance = SusclientPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries[
- "\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate"
- ] == {
- "last_write": "2012-03-14T07:05:41.719626+00:00",
- "LastRestorePointSetTime": "2012-03-14 07:05:41",
- "SusClientId": "50df98f2-964a-496d-976d-d95296e13929",
- "SusClientIdValidation": "",
- }
-
-
-def test_disable_last_access_plugin(system_hive_with_filetime):
- registry_hive = RegistryHive(system_hive_with_filetime)
- plugin_instance = DisableLastAccessPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- # work with SYSTEM_WIN_10_1709 HIVE
- assert plugin_instance.entries["\\ControlSet001\\Control\\FileSystem"] == {
- "last_write": "2020-02-13T11:59:20.987114+00:00",
- "NtfsDisableLastAccessUpdate": "80000003",
- "NtfsDisableLastAccessUpdateStr": "(System Managed, Updates Disabled)",
- }
-
-
-def test_code_page_plugin(system_hive_with_filetime):
- registry_hive = RegistryHive(system_hive_with_filetime)
- plugin_instance = CodepagePlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- # work with SYSTEM_WIN_10_1709 HIVE
- assert plugin_instance.entries["\\ControlSet001\\Control\\Nls\\CodePage"] == {
- "ACP": "1252",
- "last_write": "2019-05-16T08:22:00.160628+00:00",
- }
-
-
-def test_disable_sr_plugin(software_hive):
- registry_hive = RegistryHive(software_hive)
- plugin_instance = DisableSRPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == {
- "\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore": {
- "last_write": "2012-03-31T04:00:23.006648+00:00"
- }
- }
-
-
-def test_diag_sr_plugin(system_hive):
- registry_hive = RegistryHive(system_hive)
- plugin_instance = DiagSRPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries[
- "\\ControlSet001\\Services\\VSS\\Diag\\SystemRestore"
- ] == {
- "last_write": "2012-03-31T04:00:22.998834+00:00",
- "SrCreateRp (Enter)": "2012-03-31 04:00:01",
- "SrCreateRp (Leave)": "2012-03-31 04:00:22",
- }
-
-
-def test_spp_clients_plugin(software_hive):
- registry_hive = RegistryHive(software_hive)
- plugin_instance = SppClientsPlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- assert plugin_instance.entries == {
- "\\Microsoft\\Windows NT\\CurrentVersion\\SPP\\Clients": {
- "{09F7EDC5-294E-4180-AF6A-FB0E6A0E9513}": [
- "\\\\?\\Volume{656b1715-ecf6-11df-92e6-806e6f6e6963}\\:(C:)"
- ],
- "last_write": "2012-03-15T22:32:18.089574+00:00",
- }
- }
-
-
-def test_backup_restore_plugin(system_hive_with_filetime):
- registry_hive = RegistryHive(system_hive_with_filetime)
- plugin_instance = BackupRestorePlugin(registry_hive, as_json=True)
- plugin_instance.run()
-
- # work with SYSTEM_WIN_10_1709 HIVE
- assert plugin_instance.entries == {
- "\\ControlSet001\\Control\\BackupRestore\\FilesNotToBackup": {
- "BITS_metadata": ["%ProgramData%\\Microsoft\\Network\\Downloader\\* /s"],
- "ETW": ["%SystemRoot%\\system32\\LogFiles\\WMI\\RtBackup\\*.*"],
- "FVE_Control": [
- "\\System Volume Information\\FVE.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.*"
- ],
- "FVE_Log": [
- "\\System Volume Information\\FVE.{c9ca54a3-6983-46b7-8684-a7e5e23499e3}"
- ],
- "FVE_Wipe": [
- "\\System Volume Information\\FVE.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}"
- ],
- "FVE2_Control": [
- "\\System Volume Information\\FVE2.{e40ad34d-dae9-4bc7-95bd-b16218c10f72}.*"
- ],
- "FVE2_Log": [
- "\\System Volume Information\\FVE2.{c9ca54a3-6983-46b7-8684-a7e5e23499e3}"
- ],
- "FVE2_VBB": [
- "\\System Volume Information\\FVE2.{24e6f0ae-6a00-4f73-984b-75ce9942852d}"
- ],
- "FVE2_Wipe": [
- "\\System Volume Information\\FVE2.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}"
- ],
- "FVE2_WipeInfo": [
- "\\System Volume Information\\FVE2.{aff97bac-a69b-45da-aba1-2cfbce434750}.*"
- ],
- "FVE2_WipeX": [
- "\\System Volume Information\\FVE2.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}.*"
- ],
- "Internet Explorer": ["%UserProfile%\\index.dat /s"],
- "Kernel Dumps": [
- "%systemroot%\\Minidump\\* /s",
- "%systemroot%\\memory.dmp",
- ],
- "last_write": "2019-05-16T08:21:59.973146+00:00",
- "Memory Page File": ["\\Pagefile.sys"],
- "Mount Manager": [
- "\\System Volume Information\\MountPointManagerRemoteDatabase"
- ],
- "MS Distributed Transaction Coordinator": [
- "C:\\Windows\\system32\\MSDtc\\MSDTC.LOG",
- "C:\\Windows\\system32\\MSDtc\\trace\\dtctrace.log",
- ],
- "Netlogon": ["%SystemRoot%\\netlogon.chg"],
- "Power Management": ["\\hiberfil.sys"],
- "Storage Tiers Management": ["\\System Volume Information\\Heat\\*.* /s"],
- "Temporary Files": ["%TEMP%\\* /s"],
- "VSS Default Provider": [
- "\\System Volume Information\\*{3808876B-C176-4e48-B7AE-04046E6CC752} /s"
- ],
- "VSS Service Alternate DB": [
- "\\System Volume Information\\*.{7cc467ef-6865-4831-853f-2a4817fd1bca}ALT"
- ],
- "VSS Service DB": [
- "\\System Volume Information\\*.{7cc467ef-6865-4831-853f-2a4817fd1bca}DB"
- ],
- "WER": ["%ProgramData%\\Microsoft\\Windows\\WER\\* /s"],
- "WUA": ["%windir%\\softwaredistribution\\*.* /s"],
- },
- "\\ControlSet001\\Control\\BackupRestore\\FilesNotToSnapshot": {
- "FVE": [
- "$AllVolumes$\\System Volume Information\\FVE.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}"
- ],
- "FVE2_Wipe": [
- "$AllVolumes$\\System Volume Information\\FVE2.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}"
- ],
- "FVE2_WipeX": [
- "$AllVolumes$\\System Volume Information\\FVE2.{9ef82dfa-1239-4a30-83e6-3b3e9b8fed08}.*"
- ],
- "last_write": "2020-02-13T08:47:50.455600+00:00",
- "ModernOutlookOAB": [
- "$UserProfile$\\AppData\\Local\\Packages\\Microsoft.Office."
- "Desktop_8wekyb3d8bbwe\\LocalCache\\Local\\Microsoft\\Outlook\\*.oab /s"
- ],
- "ModernOutlookOST": [
- "$UserProfile$\\AppData\\Local\\Packages\\Microsoft.Office."
- "Desktop_8wekyb3d8bbwe\\LocalCache\\Local\\Microsoft\\Outlook\\*.ost /s"
- ],
- "OutlookOST": ["$UserProfile$\\AppData\\Local\\Microsoft\\Outlook\\*.ost"],
- "Storage Tiers Management": ["\\System Volume Information\\Heat\\*.* /s"],
- "TSBACKUP": ["C:\\ProgramData\\FLEXnet\\*.* /s"],
- "WUA": ["%windir%\\softwaredistribution\\*.* /s"],
- },
- "\\ControlSet001\\Control\\BackupRestore\\KeysNotToRestore": {
- "last_write": "2019-05-16T08:21:59.973146+00:00",
- "Mount Manager": ["MountedDevices\\"],
- "MS Distributed Transaction Coordinator": [
- "CurrentControlSet\\Control\\MSDTC\\ASR\\"
- ],
- "Pending Rename Operations": [
- "CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations"
- ],
- "Pending Rename Operations2": [
- "CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations2"
- ],
- "Session Manager": [
- "CurrentControlSet\\Control\\Session Manager\\AllowProtectedRenames"
- ],
- },
- }
-
-
-def test_timezone_data2_plugin(system_hive_with_filetime):
- registry_hive = RegistryHive(system_hive_with_filetime)
- plugin_instance = TimezoneDataPlugin2(registry_hive, as_json=True)
- plugin_instance.run()
-
- # work with SYSTEM_WIN_10_1709 HIVE
- assert plugin_instance.entries["\\ControlSet001\\Control\\TimeZoneInformation"] == {
- "ActiveTimeBias": 420,
- "Bias": 480,
- "DaylightBias": -60,
- "DaylightName": "@tzres.dll,-211",
- "DaylightStart": "00000300020002000000000000000000",
- "DynamicDaylightTimeDisabled": 0,
- "last_write": "2020-03-09T13:07:51.297306+00:00",
- "StandardBias": 0,
- "StandardName": "@tzres.dll,-212",
- "StandardStart": "00000b00010002000000000000000000",
- "TimeZoneKeyName": "Pacific Standard Time",
- }