:py:mod:`dissect.target.plugins.os.windows.regf.mru`
====================================================

.. py:module:: dissect.target.plugins.os.windows.regf.mru


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.mru.MRUPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.regf.mru.parse_mru_key
   dissect.target.plugins.os.windows.regf.mru.parse_mru_ex_key
   dissect.target.plugins.os.windows.regf.mru.parse_office_mru
   dissect.target.plugins.os.windows.regf.mru.parse_office_mru_key
   dissect.target.plugins.os.windows.regf.mru.read_wstrings


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.mru.UserRegistryRecordDescriptor
   dissect.target.plugins.os.windows.regf.mru.RunMRURecord
   dissect.target.plugins.os.windows.regf.mru.RecentDocsRecord
   dissect.target.plugins.os.windows.regf.mru.OpenSaveMRURecord
   dissect.target.plugins.os.windows.regf.mru.LastVisitedMRURecord
   dissect.target.plugins.os.windows.regf.mru.ACMruRecord
   dissect.target.plugins.os.windows.regf.mru.MapNetworkDriveMRURecord
   dissect.target.plugins.os.windows.regf.mru.TerminalServerMRURecord
   dissect.target.plugins.os.windows.regf.mru.MSOfficeMRURecord


.. py:data:: UserRegistryRecordDescriptor

.. py:data:: RunMRURecord

.. py:data:: RecentDocsRecord

.. py:data:: OpenSaveMRURecord

.. py:data:: LastVisitedMRURecord

.. py:data:: ACMruRecord

.. py:data:: MapNetworkDriveMRURecord

.. py:data:: TerminalServerMRURecord

.. py:data:: MSOfficeMRURecord

.. py:class:: MRUPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Return MRU data stored at various registry keys.

   The Windows registry contains various keys about Most Recently Used (MRU) files.

   .. rubric:: References

   - https://winreg-kb.readthedocs.io/en/latest/sources/explorer-keys/Most-recently-used.html

   .. py:attribute:: __namespace__
      :value: 'mru'

      Defines the plugin namespace.

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: run() -> collections.abc.Iterator[RunMRURecord]

      Return the RunMRU data.

      The ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`` registry key contains information about
      the most recent commands that have been performed by the Run application.

      .. rubric:: References

      - https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

   .. py:method:: recentdocs() -> collections.abc.Iterator[RecentDocsRecord]

      Return the RecentDocs data.

      The ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`` registry key contains information
      about the last 10 documents that the currently logged on user accessed or executed via Windows Explorer.

      .. rubric:: References

      - https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

   .. py:method:: opensave() -> collections.abc.Iterator[OpenSaveMRURecord]

      Return the OpenSaveMRU data.

      The ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU`` registry key - renamed to
      ``OpenSavePidlMRU`` since Windows Vista - contains information about the most recently opened or saved files.

      .. rubric:: References

      - https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

   .. py:method:: lastvisited() -> collections.abc.Iterator[LastVisitedMRURecord]

      Return the LastVisitedMRU data.

      The ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU`` registry key - renamed
      to ``LastVisitedPidlMRU`` since Windows Vista - contains information about the executable used by an
      application to open the files that are documented at the ``OpenSaveMRU`` registry key. Also, each value tracks
      the directory location for the last file that was accessed by that application.

      .. rubric:: References

      - https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

   .. py:method:: acmru() -> collections.abc.Iterator[ACMruRecord]

      Return the ACMru (Windows Search) data.

      The following keys are being searched:

      - ``HKCU\Software\Microsoft\Search Assistant\ACMru``:
        This registry key contains the most recent search history from Windows default search.
      - ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery``:
        This registry key contains the most recent search history from Windows Explorer. (Windows >=7)

      .. rubric:: References

      - https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

      Known categories:

      - 5001: Internet Search Assistant
      - 5603: Windows XP files and folder search
      - 5604: "Word or phrase in a file" dialog box
      - 5647: "For computers or people" selection in Search Results dialog box

   .. py:method:: networkdrive() -> collections.abc.Iterator[MapNetworkDriveMRURecord]

      Return MRU of mapped network drives.

      The ``HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU`` registry key contains
      information about the most recently used mapped network drives.

      .. rubric:: References

      - https://winreg-kb.readthedocs.io/en/latest/sources/explorer-keys/Most-recently-used.html#keys-with-a-mrulist-value

   .. py:method:: mstsc() -> collections.abc.Iterator[TerminalServerMRURecord]

      Return Terminal Server Client MRU data.

   .. py:method:: msoffice() -> collections.abc.Iterator[MSOfficeMRURecord]

      Return MS Office MRU keys.


.. py:function:: parse_mru_key(target: dissect.target.target.Target, key: dissect.target.helpers.regutil.RegistryKey, record: dissect.target.helpers.record.TargetRecordDescriptor) -> collections.abc.Iterator[flow.record.Record]

.. py:function:: parse_mru_ex_key(target: dissect.target.target.Target, key: dissect.target.helpers.regutil.RegistryKey, record: dissect.target.helpers.record.TargetRecordDescriptor) -> collections.abc.Iterator[flow.record.Record]

.. py:function:: parse_office_mru(target: dissect.target.target.Target, key: dissect.target.helpers.regutil.RegistryKey, record: dissect.target.helpers.record.TargetRecordDescriptor) -> collections.abc.Iterator[flow.record.Record]

.. py:function:: parse_office_mru_key(target: dissect.target.target.Target, key: dissect.target.helpers.regutil.RegistryKey, record: dissect.target.helpers.record.TargetRecordDescriptor) -> collections.abc.Iterator[flow.record.Record]

.. py:function:: read_wstrings(buf: bytes) -> collections.abc.Iterator[bytes]
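
An added example, not part of dissect.target: ordering the values of a key that carries an ``MRUList`` string (as under RunMRU) or a binary ``MRUListEx`` array (as under RecentDocs), following the value layouts described in the winreg-kb reference cited above. The function names, the dict-of-values input and the sample data are assumptions constructed for illustration.

```python
import struct

def mrulist_order(values: dict) -> list:
    """Order a key with a string ``MRUList`` value, most recent first."""
    order = values.get("MRUList", "")
    # Each character of MRUList names one value; names with no value are skipped.
    return [(name, values[name]) for name in order if name in values]

def mrulistex_order(values: dict) -> list:
    """Order a key with a binary ``MRUListEx`` value, most recent first."""
    raw = values.get("MRUListEx", b"")
    ordered = []
    # MRUListEx: little-endian uint32 value names, ended by 0xFFFFFFFF.
    # Trailing bytes that do not fill a whole uint32 are ignored.
    for (index,) in struct.iter_unpack("<I", raw[: len(raw) - len(raw) % 4]):
        if index == 0xFFFFFFFF:
            break
        name = str(index)
        if name in values:  # a listed entry may have been deleted
            ordered.append((name, values[name]))
    return ordered

def first_wstring(buf: bytes) -> str:
    """Decode the leading NUL-terminated UTF-16LE string of a binary value."""
    for offset in range(0, len(buf) - 1, 2):
        if buf[offset:offset + 2] == b"\x00\x00":
            return buf[:offset].decode("utf-16-le", errors="replace")
    return buf[: len(buf) - len(buf) % 2].decode("utf-16-le", errors="replace")

def run_commands(values: dict) -> list:
    """RunMRU commands, most recent first, without the trailing ``\\1`` marker."""
    return [c[:-2] if c.endswith("\\1") else c for _, c in mrulist_order(values)]

def recent_documents(values: dict) -> list:
    """File names from MRUListEx-ordered binary values, most recent first."""
    return [first_wstring(data) for _, data in mrulistex_order(values)]

# Constructed sample values, not taken from a real hive.
RUNMRU = {"MRUList": "bca", "a": "cmd\\1", "b": "regedit\\1",
          "c": "\\\\fileserver\\share\\1"}
RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 1, 0, 7, 0xFFFFFFFF),  # 7 has no value
    "0": "report.docx".encode("utf-16-le") + b"\x00\x00" + b"\x14\x00",
    "1": "notes.txt".encode("utf-16-le") + b"\x00\x00",
}

if __name__ == "__main__":
    print(run_commands(RUNMRU))
    print(recent_documents(RECENTDOCS))
```

During triage, the list order gives the relative recency of entries within a key; the key's last-written timestamp applies only to the most recent entry.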