..
    generated, remove this comment to keep this file

``catroot.files``
=================

.. code-block:: console

    $ target-query <path/to/target> -f catroot.files


.. list-table:: Details
    :widths: 20 80

    * - Module
      - ``dissect.target.plugins.os.windows.catroot.CatrootPlugin``
    * - Output
      - ``records``

**Module documentation**

Catroot plugin.

Parses catroot files for hashes and file hints.

**Function documentation**

Return the content of the catalog files in the CatRoot folder.

A catalog file contains a collection of cryptographic hashes, or thumbprints. These files are generally used to
verify the integrity of Windows operating system files, instead of per-file authenticode signatures.

At the moment, parsing catalog files is done on best effort. ``asn1crypto`` is not able to fully parse the
``encap_content_info``, highly likely because Microsoft uses its own format. Future research should result in
a more resilient and complete implementation of the ``catroot.files`` plugin.

References:
    - https://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
    - https://docs.microsoft.com/en-us/windows-hardware/drivers/install/catalog-files

Yields CatrootRecords with the following fields:

.. code-block:: text

    hostname (string): The target hostname.
    domain (string): The target domain.
    digest (digest): The parsed digest.
    hints (string[]): File hints, if present.
    catroot_name (string): Catroot name.
    source (path): Source of the catroot record.