`dissect.target.plugins.os.windows.regf.runkeys`#

Module Contents#

Classes#

RunKeysPlugin

Plugin that iterates various Runkey locations.

Attributes#

RunKeyRecord

dissect.target.plugins.os.windows.regf.runkeys.RunKeyRecord#

class dissect.target.plugins.os.windows.regf.runkeys.RunKeysPlugin(target: dissect.target.Target)#

Bases: dissect.target.plugin.Plugin

Plugin that iterates various Runkey locations.

KEYS = ['HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run',...#

check_compatible() → None#

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:: UnsupportedPluginError – If the plugin could not be loaded.

runkeys()#

Iterate various run key locations. See source for all locations.

Run keys (Run and RunOnce) are registry keys that make a program run when a user logs on. a Run key runs every time the user logs on and the RunOnce key makes the program run once and deletes the key after. Often leveraged as a persistence mechanism.

References

https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys

Yields RunKeyRecords with fields:: hostname (string): The target hostname. domain (string): The target domain. ts (datetime): The registry key last modified timestamp. name (string): The run key name. path (string): The run key path. key (string): The source key for this run key.

dissect.target.plugins.os.windows.regf.runkeys#

Module Contents#

Classes#

Attributes#

`dissect.target.plugins.os.windows.regf.runkeys`#