dissect.target.plugins.os.windows.regf.cit#

Module Contents#

Classes#

Functions#

decode_name

Decode the registry key name.

local_wintimestamp

Attributes#

dissect.target.plugins.os.windows.regf.cit.cit_def = Multiline-String#
"""
typedef QWORD FILETIME;

flag TELEMETRY_ANSWERS {
    Unknown0        = 0x4,
    Unknown1        = 0x8,
    POWERBROADCAST  = 0x10000,
    DEVICECHANGE    = 0x20000,
    IME_CONTROL     = 0x40000,
    WINHELP         = 0x80000,
};

typedef struct _CIT_HEADER {
    WORD    MajorVersion;
    WORD    MinorVersion;
    DWORD   Size;                   /* Size of the entire buffer */
    FILETIME    CurrentTimeLocal;   /* Maybe the time when the saved CIT was last updated? */
    DWORD   Crc32;                  /* Crc32 of the entire buffer, skipping this field */
    DWORD   EntrySize;
    DWORD   EntryCount;
    DWORD   EntryDataOffset;
    DWORD   SystemDataSize;
    DWORD   SystemDataOffset;
    DWORD   BaseUseDataSize;
    DWORD   BaseUseDataOffset;
    FILETIME    StartTimeLocal;     /* Presumably when the aggregation started */
    FILETIME    PeriodStartLocal;   /* Presumably the starting point of the aggregation period */
    DWORD   AggregationPeriodInS;   /* Presumably the duration over which this data was gathered
                                     * Always 604800 (7 days) */
    DWORD   BitPeriodInS;           /* Presumably the amount of seconds a single bit represents
                                     * Always 3600 (1 hour) */
    DWORD   SingleBitmapSize;       /* This appears to be the sizes of the Stats buffers, always 21 */
    DWORD   _Unk0;                  /* Always 0x00000100? */
    DWORD   HeaderSize;
    DWORD   _Unk1;                  /* Always 0x00000000? */
} CIT_HEADER;

typedef struct _CIT_PERSISTED {
    DWORD   BitmapsOffset;          /* Array of Offset and Size (DWORD, DWORD) */
    DWORD   BitmapsSize;
    DWORD   SpanStatsOffset;        /* Array of Count and Duration (DWORD, DWORD) */
    DWORD   SpanStatsSize;
    DWORD   StatsOffset;            /* Array of WORD */
    DWORD   StatsSize;
} CIT_PERSISTED;

typedef struct _CIT_ENTRY {
    DWORD   ProgramDataOffset;      /* Offset to CIT_PROGRAM_DATA */
    DWORD   UseDataOffset;          /* Offset to CIT_PERSISTED */
    DWORD   ProgramDataSize;
    DWORD   UseDataSize;
} CIT_ENTRY;

typedef struct _CIT_PROGRAM_DATA {
    DWORD   FilePathOffset;         /* Offset to UTF-16-LE file path string */
    DWORD   FilePathSize;           /* strlen of string */
    DWORD   CommandLineOffset;      /* Offset to UTF-16-LE command line string */
    DWORD   CommandLineSize;        /* strlen of string */
    DWORD   PeTimeDateStamp;        /* aka Extra1 */
    DWORD   PeCheckSum;             /* aka Extra2 */
    DWORD   Extra3;                 /* aka Extra3, some flag from PROCESSINFO struct */
} CIT_PROGRAM_DATA;

typedef struct _CIT_BITMAP_ITEM {
    DWORD   Offset;
    DWORD   Size;
} CIT_BITMAP_ITEM;

typedef struct _CIT_SPAN_STAT_ITEM {
    DWORD   Count;
    DWORD   Duration;
} CIT_SPAN_STAT_ITEM;

typedef struct _CIT_SYSTEM_DATA_SPAN_STATS {
    CIT_SPAN_STAT_ITEM  ContextFlushes0;
    CIT_SPAN_STAT_ITEM  Foreground0;
    CIT_SPAN_STAT_ITEM  Foreground1;
    CIT_SPAN_STAT_ITEM  DisplayPower0;
    CIT_SPAN_STAT_ITEM  DisplayRequestChange;
    CIT_SPAN_STAT_ITEM  DisplayPower1;
    CIT_SPAN_STAT_ITEM  DisplayPower2;
    CIT_SPAN_STAT_ITEM  DisplayPower3;
    CIT_SPAN_STAT_ITEM  ContextFlushes1;
    CIT_SPAN_STAT_ITEM  Foreground2;
    CIT_SPAN_STAT_ITEM  ContextFlushes2;
} CIT_SYSTEM_DATA_SPAN_STATS;

typedef struct _CIT_USE_DATA_SPAN_STATS {
    CIT_SPAN_STAT_ITEM  ProcessCreation0;
    CIT_SPAN_STAT_ITEM  Foreground0;
    CIT_SPAN_STAT_ITEM  Foreground1;
    CIT_SPAN_STAT_ITEM  Foreground2;
    CIT_SPAN_STAT_ITEM  ProcessSuspended;
    CIT_SPAN_STAT_ITEM  ProcessCreation1;
} CIT_USE_DATA_SPAN_STATS;

typedef struct _CIT_SYSTEM_DATA_STATS {
    WORD    Unknown_BootIdRelated0;
    WORD    Unknown_BootIdRelated1;
    WORD    Unknown_BootIdRelated2;
    WORD    Unknown_BootIdRelated3;
    WORD    Unknown_BootIdRelated4;
    WORD    SessionConnects;
    WORD    ProcessForegroundChanges;
    WORD    ContextFlushes;
    WORD    MissingProgData;
    WORD    DesktopSwitches;
    WORD    WinlogonMessage;
    WORD    WinlogonLockHotkey;
    WORD    WinlogonLock;
    WORD    SessionDisconnects;
} CIT_SYSTEM_DATA_STATS;

typedef struct _CIT_USE_DATA_STATS {
    WORD    Crashes;
    WORD    ThreadGhostingChanges;
    WORD    Input;
    WORD    InputKeyboard;
    WORD    Unknown;
    WORD    InputTouch;
    WORD    InputHid;
    WORD    InputMouse;
    WORD    MouseLeftButton;
    WORD    MouseRightButton;
    WORD    MouseMiddleButton;
    WORD    MouseWheel;
} CIT_USE_DATA_STATS;

// PUU
typedef struct _CIT_POST_UPDATE_USE_INFO {
    DWORD   UpdateKey;
    WORD    UpdateCount;
    WORD    CrashCount;
    WORD    SessionCount;
    WORD    LogCount;
    DWORD   UserActiveDurationInS;
    DWORD   UserOrDispActiveDurationInS;
    DWORD   DesktopActiveDurationInS;
    WORD    Version;
    WORD    _Unk0;
    WORD    BootIdMin;
    WORD    BootIdMax;
    DWORD   PMUUKey;
    DWORD   SessionDurationInS;
    DWORD   SessionUptimeInS;
    DWORD   UserInputInS;
    DWORD   MouseInputInS;
    DWORD   KeyboardInputInS;
    DWORD   TouchInputInS;
    DWORD   PrecisionTouchpadInputInS;
    DWORD   InForegroundInS;
    DWORD   ForegroundSwitchCount;
    DWORD   UserActiveTransitionCount;
    DWORD   _Unk1;
    FILETIME    LogTimeStart;
    QWORD   CumulativeUserActiveDurationInS;
    WORD    UpdateCountAccumulationStarted;
    WORD    _Unk2;
    DWORD   BuildUserActiveDurationInS;
    DWORD   BuildNumber;
    DWORD   _UnkDeltaUserOrDispActiveDurationInS;
    DWORD   _UnkDeltaTime;
    DWORD   _Unk3;
} CIT_POST_UPDATE_USE_INFO;

// DP
typedef struct _CIT_DP_MEMOIZATION_ENTRY {
    DWORD   Unk0;
    DWORD   Unk1;
    DWORD   Unk2;
} CIT_DP_MEMOIZATION_ENTRY;

typedef struct _CIT_DP_MEMOIZATION_CONTEXT {
    _CIT_DP_MEMOIZATION_ENTRY   Entries[12];
} CIT_DP_MEMOIZATION_CONTEXT;

typedef struct _CIT_DP_DATA {
    WORD    Version;
    WORD    Size;
    WORD    LogCount;
    WORD    CrashCount;
    DWORD   SessionCount;
    DWORD   UpdateKey;
    QWORD   _Unk0;
    FILETIME    _UnkTime;
    FILETIME    LogTimeStart;
    DWORD   ForegroundDurations[11];
    DWORD   _Unk1;
    _CIT_DP_MEMOIZATION_CONTEXT MemoizationContext;
} CIT_DP_DATA;
"""
dissect.target.plugins.os.windows.regf.cit.c_cit#
dissect.target.plugins.os.windows.regf.cit.CITSystemRecord#
dissect.target.plugins.os.windows.regf.cit.BITMAP_FIELDS = [('datetime', 'ts'), ('datetime', 'period_start'), ('datetime', 'start_time'), ('datetime',...#
dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapDisplayPowerRecord#
dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapDisplayRequestChangeRecord#
dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapInputRecord#
dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapInputTouchRecord#
dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapUnknownRecord#
dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapForegroundRecord#
dissect.target.plugins.os.windows.regf.cit.CITProgramRecord#
dissect.target.plugins.os.windows.regf.cit.CITProgramBitmapForegroundRecord#
dissect.target.plugins.os.windows.regf.cit.CIT_RECORDS#
dissect.target.plugins.os.windows.regf.cit.CITPostUpdateUseInfoRecord#
dissect.target.plugins.os.windows.regf.cit.CITDPRecord#
dissect.target.plugins.os.windows.regf.cit.CITDPDurationRecord#
dissect.target.plugins.os.windows.regf.cit.CITTelemetryRecord#
dissect.target.plugins.os.windows.regf.cit.CITModuleRecord#
class dissect.target.plugins.os.windows.regf.cit.CIT(buf)#
data(offset, size, expected_size=None)#
iter_bitmap(bitmap: bytes)#
class dissect.target.plugins.os.windows.regf.cit.Entry(cit, entry)#
__repr__()#

Return repr(self).

class dissect.target.plugins.os.windows.regf.cit.BaseUseData(cit, entry)#
MIN_BITMAPS_SIZE = 8#
MIN_SPAN_STATS_SIZE = 48#
MIN_STATS_SIZE = 24#
class dissect.target.plugins.os.windows.regf.cit.BaseUseDataBitmaps(cit, bitmaps)#
class dissect.target.plugins.os.windows.regf.cit.SystemData(cit, entry)#

Bases: BaseUseData

MIN_BITMAPS_SIZE = 48#
MIN_SPAN_STATS_SIZE = 88#
MIN_STATS_SIZE = 28#
class dissect.target.plugins.os.windows.regf.cit.SystemDataBitmaps(cit, bitmaps)#

Bases: BaseUseDataBitmaps

class dissect.target.plugins.os.windows.regf.cit.ProgramUseData(cit, entry)#

Bases: BaseUseData

class dissect.target.plugins.os.windows.regf.cit.ProgramDataBitmaps(cit, use_data)#

Bases: BaseUseDataBitmaps

dissect.target.plugins.os.windows.regf.cit.decode_name(name)#

Decode the registry key name.

The CIT key name in the registry uses an unusual encoding. This function is currently unused, but it is left here for reference in case someone needs it.

dissect.target.plugins.os.windows.regf.cit.local_wintimestamp(target, ts)#
class dissect.target.plugins.os.windows.regf.cit.CITPlugin(target: dissect.target.Target)#

Bases: dissect.target.plugin.Plugin

Plugin that parses CIT data from the registry.

Reference:

- https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/

__namespace__ = 'cit'#
KEY = 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT'#
check_compatible() → None#

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

cit()#

Return CIT data from the registry, which holds information about executed executables.

CIT data is stored at HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System. It is supposedly application usage data that has yet to be flushed to the amcache.

Some of its values are still unknown. Generally only available before Windows 10.

puu()#

Parse CIT PUU (Post Update Usage) data from the registry.

Generally only available since Windows 10.

dp()#

Parse CIT DP data from the registry.

Generally only available since Windows 10.

telemetry()#

Parse CIT process telemetry answers from the registry.

In some versions of Windows, processes would get “telemetry answers” set on their process struct, based on whether certain events happened.

Generally only available before Windows 10.

modules()#

Parse CIT tracked module information from the registry.

Contains applications that loaded a tracked module. By default these are:

- System32\mrt100.dll
- Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
- Microsoft.NET\Framework\v1.0.3705\mscorsvr.dll
- Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
- Microsoft.NET\Framework\v4.0.30319\clr.dll
- Microsoft.NET\Framework64\v4.0.30319\clr.dll
- Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll

When the number of executables exceeds 64, the OverflowQuota value is set to the last timestamp. When the path length of an executable exceeds 520 characters, the OverflowValue value is set.

Generally only available since Windows 10.