WIP

mkorman90 · Aug 1, 2024 · d3528b3 · d3528b3
1 parent e37a1dd
commit d3528b3
Show file tree

Hide file tree

Showing 54 changed files with 308 additions and 3 deletions.
diff --git a/regipy_tests/__init__.py b/regipy_tests/__init__.py
@@ -5,3 +5,28 @@
 from .validation.validation_tests import amcache_validation
 from .validation.validation_tests import bam_validation
 from .validation.validation_tests import word_wheel_query_ntuser_validation
+from .validation.validation_tests import computer_name_plugin_validation
+from .validation.validation_tests import uac_status_plugin_validation
+from .validation.validation_tests import software_classes_installer_plugin_validation
+from .validation.validation_tests import ntuser_classes_installer_plugin_validation
+from .validation.validation_tests import ras_tracing_plugin_validation
+from .validation.validation_tests import installed_programs_software_plugin_validation
+from .validation.validation_tests import last_logon_plugin_validation
+from .validation.validation_tests import typed_urls_plugin_validation
+from .validation.validation_tests import profile_list_plugin_validation
+from .validation.validation_tests import print_demon_plugin_validation
+from .validation.validation_tests import services_plugin_validation
+from .validation.validation_tests import local_sid_plugin_validation
+from .validation.validation_tests import boot_key_plugin_validation
+from .validation.validation_tests import host_domain_name_plugin_validation
+from .validation.validation_tests import domain_sid_plugin_validation
+from .validation.validation_tests import boot_entry_list_plugin_validation
+from .validation.validation_tests import wdigest_plugin_validation
+from .validation.validation_tests import winrar_plugin_validation
+from .validation.validation_tests import network_drives_plugin_validation
+from .validation.validation_tests import winscp_saved_sessions_plugin_validation
+from .validation.validation_tests import usbstor_plugin_validation
+from .validation.validation_tests import typed_paths_plugin_validation
+from .validation.validation_tests import shell_bag_ntuser_plugin_validation
+from .validation.validation_tests import shell_bag_usrclass_plugin_validation
+from .validation.validation_tests import network_data_plugin_validation
diff --git a/regipy_tests/validation/plugin_validation.md b/regipy_tests/validation/plugin_validation.md
@@ -21,15 +21,16 @@
 | domain_sid                   | DomainSidPlugin                 |                  | False     |
 | routes                       | RoutesPlugin                    |                  | False     |
 | last_logon_plugin            | LastLogonPlugin                 |                  | False     |
+| usrclass_shellbag_plugin     | ShellBagUsrclassPlugin          |                  | False     |
 | services                     | ServicesPlugin                  |                  | False     |
 | host_domain_name             | HostDomainNamePlugin            |                  | False     |
 | profilelist_plugin           | ProfileListPlugin               |                  | False     |
-| usrclass_shellbag_plugin     | ShellBagUsrclassPlugin          |                  | False     |
 | ntuser_shellbag_plugin       | ShellBagNtuserPlugin            |                  | False     |
 | computer_name                | ComputerNamePlugin              |                  | False     |
 | installed_programs_ntuser    | InstalledProgramsNTUserPlugin   |                  | False     |
 | winscp_saved_sessions        | WinSCPSavedSessionsPlugin       |                  | False     |
 | local_sid                    | LocalSidPlugin                  |                  | False     |
+| winrar_plugin                | WinRARPlugin                    |                  | False     |
 | print_demon_plugin           | PrintDemonPlugin                |                  | False     |
 | active_control_set           | ActiveControlSetPlugin          |                  | False     |
 | timezone_data                | TimezoneDataPlugin              |                  | False     |
@@ -48,6 +49,5 @@
 | network_drives_plugin        | NetworkDrivesPlugin             |                  | False     |
 | bootkey                      | BootKeyPlugin                   |                  | False     |
 | boot_entry_list              | BootEntryListPlugin             |                  | False     |
-| winrar_plugin                | WinRARPlugin                    |                  | False     |
 | software_classes_installer   | SoftwareClassesInstallerPlugin  |                  | False     |
 
diff --git a/regipy_tests/validation/plugin_validation.py b/regipy_tests/validation/plugin_validation.py
@@ -93,6 +93,7 @@ def main():
         print(
             f"\n\t[*] Validating {registry_hive_file_name} ({len(validation_cases)} validations):"
         )
+
         validation_results.extend(
             run_validations_for_hive_file(registry_hive_file_name, validation_cases)
         )

diff --git a/regipy_tests/validation/validation_tests/boot_entry_list_plugin_validation.py b/regipy_tests/validation/validation_tests/boot_entry_list_plugin_validation.py
@@ -0,0 +1,10 @@
+
+from regipy.plugins.bcd.boot_entry_list import BootEntryListPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class BootEntryListPluginValidationCase(ValidationCase):
+    plugin = BootEntryListPlugin
+    test_hive_file_name = "BCD.xz.xz"
+    exact_expected_result = [{'guid': '{733b62de-f608-11eb-825c-c112f60133ab}', 'type': '0x101FFFFF', 'name': 'Linux Boot Manager', 'gpt_disk': '376e5397-7d1f-4e4f-a668-5a62c1269e60', 'gpt_partition': '24e0e103-9bc2-477e-a5e2-3e42d2bb134f', 'image_path': '\\EFI\\systemd\\systemd-bootx64.efi', 'timestamp': '2021-08-09T02:13:30.992594+00:00'}, {'guid': '{733b62e2-f608-11eb-825c-c112f60133ab}', 'type': '0x101FFFFF', 'name': 'UEFI OS', 'gpt_disk': '376e5397-7d1f-4e4f-a668-5a62c1269e60', 'gpt_partition': '24e0e103-9bc2-477e-a5e2-3e42d2bb134f', 'image_path': '\\EFI\\BOOT\\BOOTX64.EFI', 'timestamp': '2021-08-09T02:13:30.992594+00:00'}, {'guid': '{733b62e3-f608-11eb-825c-c112f60133ab}', 'type': '0x101FFFFF', 'name': 'Windows Boot Manager', 'gpt_disk': '376e5397-7d1f-4e4f-a668-5a62c1269e60', 'gpt_partition': '24e0e103-9bc2-477e-a5e2-3e42d2bb134f', 'image_path': '\\EFI\\Microsoft\\Boot\\bootmgfw.efi', 'timestamp': '2021-08-09T02:13:30.992594+00:00'}, {'guid': '{733b62e4-f608-11eb-825c-c112f60133ab}', 'type': '0x10200004', 'name': 'Windows Resume Application', 'gpt_disk': '0b2394a9-095e-487d-8d48-719ecd4d78ca', 'gpt_partition': '8e0f2c38-e4ea-47ba-b7fc-9d8c74dccf0b', 'image_path': '\\Windows\\system32\\winresume.efi', 'timestamp': '2021-08-09T02:13:30.992594+00:00'}, {'guid': '{733b62e5-f608-11eb-825c-c112f60133ab}', 'type': '0x10200003', 'name': 'Windows 10', 'gpt_disk': '0b2394a9-095e-487d-8d48-719ecd4d78ca', 'gpt_partition': '8e0f2c38-e4ea-47ba-b7fc-9d8c74dccf0b', 'image_path': '\\Windows\\system32\\winload.efi', 'timestamp': '2021-08-09T02:13:30.992594+00:00'}, {'guid': '{733b62e6-f608-11eb-825c-c112f60133ab}', 'type': '0x10200003', 'name': 'Windows Recovery Environment', 'gpt_disk': '00000001-0090-0000-0500-000006000000', 'gpt_partition': '00000003-0000-0000-0000-000000000000', 'image_path': '\\windows\\system32\\winload.efi', 'timestamp': '2021-08-09T02:13:30.976970+00:00'}, {'guid': '{9dea862c-5cdd-4e70-acc1-f32b344d4795}', 'type': '0x10100002', 'name': 'Windows Boot Manager', 'gpt_disk': '0b2394a9-095e-487d-8d48-719ecd4d78ca', 'gpt_partition': '36be3955-63bf-4068-a6ab-00195cca3a22', 'image_path': '\\EFI\\Microsoft\\Boot\\bootmgfw.efi', 'timestamp': '2021-08-09T02:13:30.992594+00:00'}, {'guid': '{b2721d73-1db4-4c62-bf78-c548a880142d}', 'type': '0x10200005', 'name': 'Windows Memory Diagnostic', 'gpt_disk': '0b2394a9-095e-487d-8d48-719ecd4d78ca', 'gpt_partition': '36be3955-63bf-4068-a6ab-00195cca3a22', 'image_path': '\\EFI\\Microsoft\\Boot\\memtest.efi', 'timestamp': '2021-08-09T02:13:30.976970+00:00'}]
+
diff --git a/regipy_tests/validation/validation_tests/boot_key_plugin_validation.py b/regipy_tests/validation/validation_tests/boot_key_plugin_validation.py
@@ -0,0 +1,10 @@
+
+from regipy.plugins.system.bootkey import BootKeyPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class BootKeyPluginValidationCase(ValidationCase):
+    plugin = BootKeyPlugin
+    test_hive_file_name = "SYSTEM.xz"
+    exact_expected_result = [{'key': 'e7f28d88f470cfed67dbcdb62ed1275b', 'timestamp': '2012-04-04T11:47:46.203124+00:00'}, {'key': 'e7f28d88f470cfed67dbcdb62ed1275b', 'timestamp': '2012-04-04T11:47:46.203124+00:00'}]
+
diff --git a/regipy_tests/validation/validation_tests/computer_name_plugin_validation.py b/regipy_tests/validation/validation_tests/computer_name_plugin_validation.py
@@ -0,0 +1,12 @@
+from regipy.plugins.system.computer_name import ComputerNamePlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class ComputerNamePluginValidationCase(ValidationCase):
+    plugin = ComputerNamePlugin
+    test_hive_file_name = "SYSTEM.xz"
+
+    exact_expected_result = [
+        {"name": "WKS-WIN732BITA", "timestamp": "2010-11-10T17:18:08.718750+00:00"},
+        {"name": "WIN-V5T3CSP8U4H", "timestamp": "2010-11-10T18:17:36.968750+00:00"},
+    ]
diff --git a/regipy_tests/validation/validation_tests/domain_sid_plugin_validation.py b/regipy_tests/validation/validation_tests/domain_sid_plugin_validation.py
@@ -0,0 +1,10 @@
+
+from regipy.plugins.security.domain_sid import DomainSidPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class DomainSidPluginValidationCase(ValidationCase):
+    plugin = DomainSidPlugin
+    test_hive_file_name = "SECURITY.xz"
+    exact_expected_result = [{'domain_name': 'WORKGROUP', 'domain_sid': None, 'machine_sid': None, 'timestamp': '2021-08-05T10:43:08.911000+00:00'}]
+
diff --git a/regipy_tests/validation/validation_tests/host_domain_name_plugin_validation.py b/regipy_tests/validation/validation_tests/host_domain_name_plugin_validation.py
@@ -0,0 +1,10 @@
+
+from regipy.plugins.system.host_domain_name import HostDomainNamePlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class HostDomainNamePluginValidationCase(ValidationCase):
+    plugin = HostDomainNamePlugin
+    test_hive_file_name = "SYSTEM.xz"
+    exact_expected_result = [{'hostname': 'WKS-WIN732BITA', 'domain': 'shieldbase.local', 'timestamp': '2011-09-17T13:43:23.770078+00:00'}, {'hostname': 'WKS-WIN732BITA', 'domain': 'shieldbase.local', 'timestamp': '2011-09-17T13:43:23.770078+00:00'}]
+
diff --git a/regipy_tests/validation/validation_tests/installed_programs_software_plugin_validation.py b/regipy_tests/validation/validation_tests/installed_programs_software_plugin_validation.py
@@ -0,0 +1,14 @@
+
+from regipy.plugins.software.installed_programs import InstalledProgramsSoftwarePlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class InstalledProgramsSoftwarePluginValidationCase(ValidationCase):
+    plugin = InstalledProgramsSoftwarePlugin
+    test_hive_file_name = "SOFTWARE.xz"
+
+    expected_entries_count = 67
+    expected_entries = [
+        {'registry_path': '\\Microsoft\\Windows\\CurrentVersion\\Uninstall', 'service_name': 'AddressBook', 'timestamp': '2009-07-14T04:41:12.758808+00:00'},
+        {'service_name': '{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}', 'timestamp': '2011-07-05T22:58:57.996094+00:00', 'registry_path': '\\Microsoft\\Windows\\CurrentVersion\\Uninstall', 'UninstallString': 'MsiExec.exe /X{FE2F6A2C-196E-4210-9C04-2B1BC21F07EF}', 'URLInfoAbout': 'http://www.vmware.com', 'DisplayName': 'VMware Tools'}
+    ]
diff --git a/regipy_tests/validation/validation_tests/last_logon_plugin_validation.py b/regipy_tests/validation/validation_tests/last_logon_plugin_validation.py
@@ -0,0 +1,12 @@
+
+from regipy.plugins.software.last_logon import LastLogonPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class LastLogonPluginValidationCase(ValidationCase):
+    plugin = LastLogonPlugin
+    test_hive_file_name = "SOFTWARE.xz"
+
+    exact_expected_result = {'last_logged_on_provider': '{6F45DC1E-5384-457A-BC13-2CD81B0D28ED}', 'last_logged_on_sam_user': 'SHIELDBASE\\rsydow', 'last_logged_on_user': 'SHIELDBASE\\rsydow', 'last_write': '2012-04-04T12:20:41.453654+00:00', 'show_tablet_keyboard': 0}
+
+    expected_entries_count = 5
diff --git a/regipy_tests/validation/validation_tests/local_sid_plugin_validation.py b/regipy_tests/validation/validation_tests/local_sid_plugin_validation.py
@@ -0,0 +1,10 @@
+
+from regipy.plugins.sam.local_sid import LocalSidPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class LocalSidPluginValidationCase(ValidationCase):
+    plugin = LocalSidPlugin
+    test_hive_file_name = "sam_hive.xz"
+
+    exact_expected_result = [{'machine_sid': 'S-1-5-21-1760460187-1592185332-161725925', 'timestamp': '2014-09-24T03:36:43.549302+00:00'}]
diff --git a/regipy_tests/validation/validation_tests/network_data_plugin_validation.py b/regipy_tests/validation/validation_tests/network_data_plugin_validation.py
@@ -0,0 +1,9 @@
+
+from regipy.plugins.system.network_data import NetworkDataPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class NetworkDataPluginValidationCase(ValidationCase):
+    plugin = NetworkDataPlugin
+    test_hive_file_name = "SYSTEM.xz"
+    expected_entries = [{'interface_name': '{698E50A9-4F58-4D86-B61D-F42E58DCACF6}', 'last_modified': '2011-09-17T13:43:23.770078+00:00', 'dhcp_enabled': False, 'ip_address': ['10.3.58.5'], 'subnet_mask': ['255.255.255.0'], 'default_gateway': ['10.3.58.1'], 'name_server': '10.3.58.4', 'domain': 0}]
diff --git a/regipy_tests/validation/validation_tests/network_drives_plugin_validation.py b/regipy_tests/validation/validation_tests/network_drives_plugin_validation.py
@@ -0,0 +1,10 @@
+
+from regipy.plugins.ntuser.network_drives import NetworkDrivesPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class NetworkDrivesPluginValidationCase(ValidationCase):
+    plugin = NetworkDrivesPlugin
+    test_hive_file_name = "NTUSER.DAT.xz"
+    exact_expected_result = [{'drive_letter': 'p', 'last_write': '2012-04-03T22:08:18.840132+00:00', 'network_path': '\\\\controller\\public'}]
+
diff --git a/regipy_tests/validation/validation_tests/ntuser_classes_installer_plugin_validation.py b/regipy_tests/validation/validation_tests/ntuser_classes_installer_plugin_validation.py
@@ -0,0 +1,11 @@
+
+from regipy.plugins.ntuser.classes_installer import NtuserClassesInstallerPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class NtuserClassesInstallerPluginValidationCase(ValidationCase):
+    plugin = NtuserClassesInstallerPlugin
+    test_hive_file_name = "ntuser_hive_2.xz"
+    expected_entries = [{'identifier': '8A4152964845CF540BEAEBD27F7A8519', 'is_hidden': False, 'product_name': 'Microsoft Visual C++ Compiler Package for Python 2.7', 'timestamp': '2022-02-15T07:00:07.245646+00:00'}]
+
+
diff --git a/regipy_tests/validation/validation_tests/print_demon_plugin_validation.py b/regipy_tests/validation/validation_tests/print_demon_plugin_validation.py
@@ -0,0 +1,12 @@
+
+from regipy.plugins.software.printdemon import PrintDemonPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class PrintDemonPluginValidationCase(ValidationCase):
+    plugin = PrintDemonPlugin
+    test_hive_file_name = "SOFTWARE.xz"
+
+    exact_expected_result = [{'parameters': ['9600', 'n', '8', '1'], 'port_name': 'COM1:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}, {'parameters': ['9600', 'n', '8', '1'], 'port_name': 'COM2:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}, {'parameters': ['9600', 'n', '8', '1'], 'port_name': 'COM3:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}, {'parameters': ['9600', 'n', '8', '1'], 'port_name': 'COM4:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}, {'parameters': 0, 'port_name': 'FILE:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}, {'parameters': 0, 'port_name': 'LPT1:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}, {'parameters': 0, 'port_name': 'LPT2:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}, {'parameters': 0, 'port_name': 'LPT3:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}, {'parameters': 0, 'port_name': 'XPSPort:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}, {'parameters': 0, 'port_name': 'Ne00:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}, {'parameters': 0, 'port_name': 'Ne01:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}, {'parameters': 0, 'port_name': 'nul:', 'timestamp': '2010-11-10T10:35:02.448040+00:00'}]
+
+    expected_entries_count = 12
diff --git a/regipy_tests/validation/validation_tests/profile_list_plugin_validation.py b/regipy_tests/validation/validation_tests/profile_list_plugin_validation.py
@@ -0,0 +1,12 @@
+
+from regipy.plugins.software.profilelist import ProfileListPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class ProfileListPluginValidationCase(ValidationCase):
+    plugin = ProfileListPlugin
+    test_hive_file_name = "SOFTWARE.xz"
+
+    exact_expected_result = [{'last_write': '2009-07-14T04:41:12.493608+00:00', 'path': '%systemroot%\\system32\\config\\systemprofile', 'flags': 12, 'full_profile': None, 'state': 0, 'sid': 'S-1-5-18', 'load_time': None, 'local_load_time': None}, {'last_write': '2010-11-10T18:09:16.250000+00:00', 'path': 'C:\\Windows\\ServiceProfiles\\LocalService', 'flags': 0, 'full_profile': None, 'state': 0, 'sid': 'S-1-5-19', 'load_time': None, 'local_load_time': None}, {'last_write': '2010-11-10T18:09:16.250000+00:00', 'path': 'C:\\Windows\\ServiceProfiles\\NetworkService', 'flags': 0, 'full_profile': None, 'state': 0, 'sid': 'S-1-5-20', 'load_time': None, 'local_load_time': None}, {'last_write': '2010-11-10T17:22:52.109376+00:00', 'path': 'C:\\Users\\Pepper', 'flags': 0, 'full_profile': None, 'state': 0, 'sid': 'S-1-5-21-100689374-1717798114-2601648136-1000', 'load_time': '1601-01-01T00:00:00+00:00', 'local_load_time': None}, {'last_write': '2012-04-04T12:42:17.719834+00:00', 'path': 'C:\\Users\\SRL-Helpdesk', 'flags': 0, 'full_profile': None, 'state': 0, 'sid': 'S-1-5-21-100689374-1717798114-2601648136-1001', 'load_time': '1601-01-01T00:00:00+00:00', 'local_load_time': None}, {'last_write': '2011-08-21T00:51:19.820166+00:00', 'path': 'C:\\Users\\nfury', 'flags': 0, 'full_profile': None, 'state': 0, 'sid': 'S-1-5-21-2036804247-3058324640-2116585241-1105', 'load_time': '1601-01-01T00:00:00+00:00', 'local_load_time': None}, {'last_write': '2011-08-23T01:33:29.006350+00:00', 'path': 'C:\\Users\\mhill', 'flags': 0, 'full_profile': None, 'state': 0, 'sid': 'S-1-5-21-2036804247-3058324640-2116585241-1106', 'load_time': '1601-01-01T00:00:00+00:00', 'local_load_time': None}, {'last_write': '2011-09-17T13:33:17.372366+00:00', 'path': 'C:\\Users\\Tdungan', 'flags': 0, 'full_profile': None, 'state': 0, 'sid': 'S-1-5-21-2036804247-3058324640-2116585241-1107', 'load_time': '1601-01-01T00:00:00+00:00', 'local_load_time': None}, {'last_write': '2012-04-06T19:44:17.844274+00:00', 'path': 'C:\\Users\\nromanoff', 'flags': 0, 'full_profile': None, 'state': 0, 'sid': 'S-1-5-21-2036804247-3058324640-2116585241-1109', 'load_time': '1601-01-01T00:00:00+00:00', 'local_load_time': None}, {'last_write': '2012-04-06T19:42:31.408714+00:00', 'path': 'C:\\Users\\rsydow', 'flags': 0, 'full_profile': None, 'state': 256, 'sid': 'S-1-5-21-2036804247-3058324640-2116585241-1114', 'load_time': '1601-01-01T00:00:00+00:00', 'local_load_time': None}, {'last_write': '2012-04-06T19:22:20.845938+00:00', 'path': 'C:\\Users\\vibranium', 'flags': 0, 'full_profile': None, 'state': 256, 'sid': 'S-1-5-21-2036804247-3058324640-2116585241-1673', 'load_time': '1601-01-01T00:00:00+00:00', 'local_load_time': None}]
+
+    expected_entries_count = 11
diff --git a/regipy_tests/validation/validation_tests/ras_tracing_plugin_validation.py b/regipy_tests/validation/validation_tests/ras_tracing_plugin_validation.py
@@ -0,0 +1,12 @@
+
+from regipy.plugins.software.tracing import RASTracingPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class RASTracingPluginValidationCase(ValidationCase):
+    plugin = RASTracingPlugin
+    test_hive_file_name = "SOFTWARE.xz"
+
+    expected_entries = [{'key': '\\Microsoft\\Tracing', 'name': 'AcroRd32_RASAPI32', 'timestamp': '2012-03-16T21:31:26.613878+00:00'},
+                        {'key': '\\Microsoft\\Tracing', 'name': 'wmplayer_RASMANCS', 'timestamp': '2012-03-12T20:58:55.476336+00:00'}]
+    expected_entries_count = 70
diff --git a/regipy_tests/validation/validation_tests/services_plugin_validation.py b/regipy_tests/validation/validation_tests/services_plugin_validation.py
@@ -0,0 +1,13 @@
+
+from regipy.plugins.system.services import ServicesPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class ServicesPluginValidationCase(ValidationCase):
+    plugin = ServicesPlugin
+    test_hive_file_name = "corrupted_SYSTEM.xz"
+
+    expected_entries = [{'a':'b'}]
+
+    #assert plugin_instance.entries['\\ControlSet001\\Services']['services'][0] == {'last_modified': '2008-10-21T17:48:29.328124+00:00', 'name': 'Abiosdsk', 'parameters': [], 'values': [{'is_corrupted': False, 'name': 'ErrorControl', 'value': 0, 'value_type': 'REG_DWORD'}, {'is_corrupted': False, 'name': 'Group', 'value': 'Primary disk', 'value_type': 'REG_SZ'}, {'is_corrupted': False, 'name': 'Start', 'value': 4, 'value_type': 'REG_DWORD'}, {'is_corrupted': False, 'name': 'Tag', 'value': 3, 'value_type': 'REG_DWORD'}, {'is_corrupted': False, 'name': 'Type', 'value': 1, 'value_type': 'REG_DWORD'}]}
+
diff --git a/regipy_tests/validation/validation_tests/shell_bag_ntuser_plugin_validation.py b/regipy_tests/validation/validation_tests/shell_bag_ntuser_plugin_validation.py
@@ -0,0 +1,13 @@
+
+import datetime as dt
+
+from regipy.plugins.ntuser.shellbags_ntuser import ShellBagNtuserPlugin
+from regipy_tests.validation.validation import ValidationCase
+
+
+class ShellBagNtuserPluginValidationCase(ValidationCase):
+    plugin = ShellBagNtuserPlugin
+    test_hive_file_name = "shellbags_ntuser.xz"
+
+    expected_entries_count = 102
+    expected_entries = [{'value': 'rekall', 'slot': '0', 'reg_path': '\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\2\\0', 'value_name': '0', 'node_slot': '11', 'shell_type': 'Directory', 'path': 'Search Folder\\tmp\\rekall', 'creation_time': dt.datetime(2021, 8, 16, 9, 41, 32).isoformat(), 'full path': None, 'access_time': dt.datetime(2021, 8, 16, 9, 43, 22).isoformat(), 'modification_time': dt.datetime(2021, 8, 16, 9, 41, 32).isoformat(), 'last_write': '2021-08-16T09:44:39.333110+00:00', 'location description': None, 'mru_order': '0', 'mru_order_location': 0}]