dissect.target.plugins.os.windows.regf.userassist
Module Contents
Classes
UserAssistPlugin | UserAssist plugin.
Attributes
- dissect.target.plugins.os.windows.regf.userassist.userassist_def = Multiline-String
"""
struct VERSION5_ENTRY {
    char padding0[4];
    uint32 number_of_executions;
    uint32 application_focus_count;
    uint32 application_focus_duration;
    char padding1[44];
    uint64 timestamp;
    char padding2[4];
};

struct VERSION3_ENTRY {
    uint32 session_id;
    uint32 number_of_executions;
    uint64 timestamp;
};
"""
- dissect.target.plugins.os.windows.regf.userassist.c_userassist
- dissect.target.plugins.os.windows.regf.userassist.UserAssistRecordDescriptor
- dissect.target.plugins.os.windows.regf.userassist.UserAssistRecord
- class dissect.target.plugins.os.windows.regf.userassist.UserAssistPlugin(target: dissect.target.Target)
Bases: dissect.target.plugin.Plugin
UserAssist plugin.
- KEY = 'HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist'
- check_compatible() -> None
Perform a compatibility check with the target.
This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- userassist()
Return the UserAssist information for each user.
The UserAssist registry keys contain information about programs that were recently executed on the system. Programs launched via the command line are not registered within these registry keys.
Yields UserAssistRecords with fields:
hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The entry timestamp.
path (path): The entry path.
number_of_executions (int): The number of executions for this entry.
application_focus_count (int): The focus count for this entry.
application_focus_duration (int): The duration of focus for this entry.
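Added example, not part of the dissect code base: decoding raw UserAssist value data with the two entry layouts from userassist_def, using only the Python standard library. It assumes the layout can be selected by value length (72 or 16 bytes) and that timestamp is a Windows FILETIME; parse_entry, filetime_to_datetime and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layouts transcribed from VERSION5_ENTRY / VERSION3_ENTRY in userassist_def.
# "<" = little-endian without alignment padding, "x" = skipped padding byte.
V5 = struct.Struct("<4xIII44xQ4x")  # 72 bytes
V3 = struct.Struct("<IIQ")          # 16 bytes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert 100 ns ticks since 1601-01-01 UTC (assumed FILETIME) to datetime."""
    if value == 0:
        return None  # timestamp never set
    try:
        return FILETIME_EPOCH + timedelta(microseconds=value // 10)
    except OverflowError:
        return None  # corrupt value beyond the representable date range


def parse_entry(data):
    """Decode one value; choosing the layout by length is an assumption here."""
    if len(data) == V5.size:
        execs, focus_count, focus_duration, ts = V5.unpack(data)
        return {
            "version": 5,
            "number_of_executions": execs,
            "application_focus_count": focus_count,
            "application_focus_duration": focus_duration,
            "ts": filetime_to_datetime(ts),
        }
    if len(data) == V3.size:
        session_id, execs, ts = V3.unpack(data)
        return {
            "version": 3,
            "session_id": session_id,
            "number_of_executions": execs,
            "ts": filetime_to_datetime(ts),
        }
    raise ValueError(f"unexpected UserAssist value size: {len(data)} bytes")


# Constructed sample values; 132539328000000000 ticks is 2021-01-01 00:00:00 UTC.
SAMPLE_V5 = V5.pack(3, 2, 15000, 132539328000000000)
SAMPLE_V3 = V3.pack(1, 6, 132539328000000000)

if __name__ == "__main__":
    for sample in (SAMPLE_V5, SAMPLE_V3):
        print(parse_entry(sample))
```

Values of any other length raise ValueError, so truncated or unknown-format data is not silently misread.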