dissect.target.plugins.os.windows.regf.cam

Module Contents

Classes

CamPlugin

Plugin that iterates various Capability Access Manager registry key locations.

Attributes

dissect.target.plugins.os.windows.regf.cam.CamRecord
class dissect.target.plugins.os.windows.regf.cam.CamPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin that iterates various Capability Access Manager registry key locations.

CONSENT_STORES = ['HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore',...
app_regf_keys = []
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

yield_apps() → Iterator[dissect.target.helpers.regutil.RegistryKey]
cam() → Iterator[CamRecord]

Iterate Capability Access Manager key locations.

The Capability Access Manager keeps track of processes that access I/O devices, such as the webcam or microphone. Applications are divided into packaged and non-packaged applications, meaning Microsoft or non-Microsoft applications.

Yields CamRecord with the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The modification timestamp of the registry key.
device (string): Name of the device privacy permission that was asked for.
app_name (string): The name of the application.
path (path): The possible path to the application.
last_started (datetime): When the application last started using the device.
last_stopped (datetime): When the application last stopped using the device.
duration (datetime): How long the application used the device (seconds).
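
How the last_started, last_stopped and duration fields above can be derived from raw registry data, as an added example that is not the plugin's own code. It assumes details this page does not state: the start and stop times are stored as FILETIME values named LastUsedTimeStart and LastUsedTimeStop, and non-packaged subkey names encode the executable path with '#' in place of '\'. All sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICK = timedelta(microseconds=1)

def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 is treated as 'not set'."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    """Inverse helper, used only to build the constructed sample below."""
    return ((dt - FILETIME_EPOCH) // TICK) * 10

def parse_entry(device, key_name, start_ft, stop_ft):
    """Build a CamRecord-like dict from one application subkey (assumed layout)."""
    path, app_name = None, key_name
    if key_name.startswith("NonPackaged\\"):
        # Assumption: non-packaged subkeys encode the executable path with '#' for '\'.
        path = key_name.split("\\", 1)[1].replace("#", "\\")
        app_name = path.rsplit("\\", 1)[-1]
    started, stopped = filetime_to_dt(start_ft), filetime_to_dt(stop_ft)
    # A start with no later stop means the device was still held at acquisition time.
    in_use = started is not None and (stopped is None or stopped < started)
    duration = None
    if started is not None and stopped is not None and not in_use:
        duration = int((stopped - started).total_seconds())
    return {"device": device, "app_name": app_name, "path": path,
            "last_started": started, "last_stopped": stopped,
            "duration": duration, "in_use": in_use}

T0 = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
SAMPLE = [  # constructed: (device, subkey, LastUsedTimeStart, LastUsedTimeStop)
    ("microphone", "NonPackaged\\C:#Program Files#Example#meet.exe",
     dt_to_filetime(T0), dt_to_filetime(T0 + timedelta(minutes=15))),
    ("webcam", "NonPackaged\\C:#Users#alice#AppData#Local#Temp#cap.exe",
     dt_to_filetime(T0 + timedelta(hours=1)), 0),
    ("webcam", "Example.CameraApp_constructed",
     dt_to_filetime(T0), dt_to_filetime(T0 + timedelta(seconds=30))),
]

def timeline(entries):
    """Parse all entries and order them by when the device was last acquired."""
    records = [parse_entry(*e) for e in entries]
    return sorted(records, key=lambda r: r["last_started"] or FILETIME_EPOCH)

if __name__ == "__main__":
    for r in timeline(SAMPLE):
        state = "IN USE" if r["in_use"] else f'{r["duration"]}s'
        print(r["last_started"], r["device"], r["path"] or r["app_name"], state)
```

Entries flagged as in use have no duration, which is the case to look at first when triaging webcam or microphone access from an unexpected path.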