dissect.target.plugins.os.windows.notifications
Module Contents#
Classes#
Plugin that parses the notification databases (appdb.dat and wpndatabase.db) on Windows 10 machines.
Attributes#
- dissect.target.plugins.os.windows.notifications.appdb_def = Multiline-String#
""" typedef struct { char Magic[4]; // Always b"DNPW" DWORD Version; // Versions 1 (win8) and 3 (win10) seem to exist QWORD Timestamp; // According to some sources this is LastNotificationDate, // but that seems incorrect. DWORD NextNotificationId; DWORD Unknown; char Padding[8]; } ChunkHeader; // size: 0x20 typedef struct { WORD InUse; // ?? WORD NextTileWriteIndex; // ?? WORD NextToastWriteIndex; // ?? BYTE Flags[2]; } ChunkInfo; typedef struct { QWORD Timestamp1; // ?? QWORD Timestamp2; // Is this time to refresh? char Uri[1024]; // Is this the correct size? char Padding[0x818 - 0x410]; } PushDescriptor; // size: 0x818 typedef struct { DWORD Id; DWORD Zero; // ?? QWORD Timestamp; // ?? WORD Unknown; WORD DataLength; char Data[DataLength]; char Padding[0x118 - 0x14 - DataLength]; } BadgeContent; // size: 0x118 typedef struct { DWORD UniqueId; // ?? DWORD Zero; QWORD ExpiryTime; // The time this tile expires QWORD ArrivalTime; // The time this tile was set BYTE Type; // ?? BYTE Index; WORD ContentLength; wchar_t Name[18]; } TileDescriptor; // size: 0x40 typedef struct { DWORD UniqueId; // ?? DWORD Zero; QWORD ExpiryTime; // The time this toast expires QWORD ArrivalTime; // The time this toast was set BYTE Type; // ?? BYTE Index; WORD ContentLength; wchar_t Name1[17]; wchar_t Name2[17]; } ToastDescriptor; // size: 0x60 typedef struct { char Content[0x1400]; } DataXML; // size: 0x1400 typedef struct { ChunkHeader Header; // Only populated for first chunk, else zeroed ChunkInfo Info; PushDescriptor Push; BadgeContent Badge; TileDescriptor Tiles[5]; // start @ 0x958 DataXML TileXml[5]; // For the in use chunks, 0x14 ToastDiscriptors have an Index, but there // is space for more. Maybe this is used in case of deleted entries? ToastDescriptor Toasts[0x14]; // start @ 0x6e98 char Padding1[0x1e00]; // start @ 0x7618 DataXML ToastXml[0x14]; // start @ 0x9418 char Padding2[0x13f8]; // start @ 0x22418 } Chunk; // size: 0x23810 """
- dissect.target.plugins.os.windows.notifications.c_appdb#
- dissect.target.plugins.os.windows.notifications.APPDB_MAGIC = b'DNPW'#
- dissect.target.plugins.os.windows.notifications.NUM_APPDB_CHUNKS = 256#
- dissect.target.plugins.os.windows.notifications.AppDBRecord#
- dissect.target.plugins.os.windows.notifications.AppDBPushRecord#
- dissect.target.plugins.os.windows.notifications.AppDBBadgeRecord#
- dissect.target.plugins.os.windows.notifications.AppDBTileRecord#
- dissect.target.plugins.os.windows.notifications.AppDBToastRecord#
- dissect.target.plugins.os.windows.notifications.WpnDatabaseNotificationRecord#
- dissect.target.plugins.os.windows.notifications.WpnDatabaseNotificationHandlerRecord#
- dissect.target.plugins.os.windows.notifications.NOTIFICATIONS_DIR = 'AppData/Local/Microsoft/Windows/Notifications'#
- class dissect.target.plugins.os.windows.notifications.NotificationsPlugin(target)#
Bases:
dissect.target.plugin.Plugin
Plugin that parses the notification databases on Windows 10 machines.
- __namespace__ = 'notifications'#
- check_compatible() None #
Perform a compatibility check with the target.
This function should return ``None`` if the plugin is compatible with the current target (``self.target``). For example, check if a certain file exists. Otherwise it should raise an ``UnsupportedPluginError``.
- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- appdb() Iterator[flow.record.GroupedRecord] #
Return the data from the Windows appdb.dat file.
This file contains data presented to the user, pushed by external sources. The appdb.dat file was used from Windows 8 up to Windows 10 before the Anniversary Update. This plugin only supports appdb.dat version 3 from Windows 10; the file's ``Magic`` must equal ``APPDB_MAGIC`` (``b"DNPW"``) and at most ``NUM_APPDB_CHUNKS`` (256) chunks are read. The database is parsed from disk as untrusted input, so length fields such as ``BadgeContent.DataLength`` should be treated as potentially corrupt rather than trusted blindly.
References
- wpndatabase()#
Returns Windows Notifications from wpndatabase.db (Windows 10 Anniversary Update and later).
References