dissect.target.plugins.os.windows.regf.mru
#
Module Contents#
Classes#
Return MRU data stored at various registry keys. |
Functions#
Attributes#
- dissect.target.plugins.os.windows.regf.mru.UserRegistryRecordDescriptor#
- dissect.target.plugins.os.windows.regf.mru.RunMRURecord#
- dissect.target.plugins.os.windows.regf.mru.RecentDocsRecord#
- dissect.target.plugins.os.windows.regf.mru.OpenSaveMRURecord#
- dissect.target.plugins.os.windows.regf.mru.LastVisitedMRURecord#
- dissect.target.plugins.os.windows.regf.mru.ACMruRecord#
- dissect.target.plugins.os.windows.regf.mru.MapNetworkDriveMRURecord#
- dissect.target.plugins.os.windows.regf.mru.TerminalServerMRURecord#
- dissect.target.plugins.os.windows.regf.mru.MSOfficeMRURecord#
- class dissect.target.plugins.os.windows.regf.mru.MRUPlugin(target: dissect.target.Target)#
Bases:
dissect.target.plugin.Plugin
Return MRU data stored at various registry keys.
The Windows registry contains various keys about Most Recently Used (MRU) files.
References
- __namespace__ = 'mru'#
- check_compatible() None #
Perform a compatibility check with the target.
This function should return
None
if the plugin is compatible with the current target (self.target
). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError
.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- run()#
Return the RunMRU data.
The
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
registry key contains information about the most recent commands that have been performed by the Run applicationReferences
- recentdocs()#
Return the RecentDocs data.
The
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
registry key contains information about the last 10 documents that the currently logged on user accessed or executed via Windows Explorer.References
- opensave()#
Return the OpenSaveMRU data.
The
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
registry key contains information about the most recently opened or saved files.References
- lastvisited()#
Return the LastVisitedMRU data.
The
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
registry key contains information about the executable used by an application to open the files that are documented at the OpenSaveMRU registry key. Also each value tracks the directory location for the last file that was accessed by that application.References
- acmru()#
Return the ACMru (Windows Search) data.
- The following keys are being searched:
HKCU\Software\Microsoft\Search Assistant\ACMru
: This registry key contains the most recent search history from Windows default search.HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
: This registry key contains the most recent search history from Windows Explorer. (Windows >=7)
References
- Known categories:
5001: Internet Search Assistant
5603: Windows XP files and folder search
5604: “Word or phrase in a file” dialog box
5647: “For computers or people” selection in Search Results dialog box
- networkdrive()#
Return MRU of mapped network drives.
The HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerMap Network Drive MRU registry key contains information about the most recently used mapped network drives.
References
- mstsc()#
Return Terminal Server Client MRU data.
- msoffice()#
Return MS Office MRU keys.
- dissect.target.plugins.os.windows.regf.mru.parse_mru_key(target, key, record)#
- dissect.target.plugins.os.windows.regf.mru.parse_mru_ex_key(target, key, record)#
- dissect.target.plugins.os.windows.regf.mru.parse_office_mru(target, key, record)#
- dissect.target.plugins.os.windows.regf.mru.parse_office_mru_key(target, key, record)#