dissect.target.plugins.os.windows.regf.userassist

Module Contents

Classes

UserAssistPlugin

UserAssist plugin.

Attributes

dissect.target.plugins.os.windows.regf.userassist.userassist_def = Multiline-String
"""
struct VERSION5_ENTRY {
    char padding0[4];
    uint32 number_of_executions;
    uint32 application_focus_count;
    uint32 application_focus_duration;
    char padding1[44];
    uint64 timestamp;
    char padding2[4];
};

struct VERSION3_ENTRY {
    uint32  session_id;
    uint32  number_of_executions;
    uint64  timestamp;
};
"""
dissect.target.plugins.os.windows.regf.userassist.c_userassist
dissect.target.plugins.os.windows.regf.userassist.UserAssistRecordDescriptor
dissect.target.plugins.os.windows.regf.userassist.UserAssistRecord
class dissect.target.plugins.os.windows.regf.userassist.UserAssistPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

UserAssist plugin.

KEY = 'HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist'
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

userassist()

Return the UserAssist information for each user.

The UserAssist registry keys contain information about programs that were recently executed on the system. Programs launched via the command line are not registered within these registry keys.

Yields UserAssistRecords with fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The entry timestamp.
path (path): The entry path.
number_of_executions (int): The number of executions for this entry.
application_focus_count (int): The focus count for this entry.
application_focus_duration (int): The duration of focus for this entry.
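
An added example, not the plugin's own code: decoding raw UserAssist value data with Python's standard struct module, using the VERSION5_ENTRY and VERSION3_ENTRY layouts from userassist_def above. It assumes little-endian fields, a Windows FILETIME timestamp, ROT13-encoded value names and layout selection by value size; Entry, filetime, parse_entry and the sample bytes are hypothetical names and constructed data.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

# Little-endian layouts matching the two structs above; "x" skips padding bytes.
V5 = struct.Struct("<4xIII44xQ4x")  # VERSION5_ENTRY, 72 bytes
V3 = struct.Struct("<IIQ")          # VERSION3_ENTRY, 16 bytes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class Entry(NamedTuple):  # hypothetical container, not UserAssistRecord
    path: str
    ts: Optional[datetime]
    number_of_executions: int
    application_focus_count: Optional[int]
    application_focus_duration: Optional[int]


def filetime(value: int) -> Optional[datetime]:
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10) if value else None


def parse_entry(name: str, data: bytes) -> Entry:
    """Decode one UserAssist value; the layout is chosen by size (an assumption)."""
    path = codecs.decode(name, "rot_13")  # value names are stored ROT13-encoded
    if len(data) == V5.size:
        runs, focus_count, focus_duration, ts = V5.unpack(data)
        return Entry(path, filetime(ts), runs, focus_count, focus_duration)
    if len(data) == V3.size:
        _session_id, runs, ts = V3.unpack(data)
        return Entry(path, filetime(ts), runs, None, None)
    # Truncated or unknown layouts are rejected instead of being guessed at.
    raise ValueError(f"unexpected UserAssist value size: {len(data)} bytes")


# Constructed sample values (not taken from a real hive).
SAMPLE_TS = 132223104000000000  # 2020-01-01 00:00:00 UTC as FILETIME
SAMPLE_V5 = struct.pack("<4xIII44xQ4x", 7, 3, 90000, SAMPLE_TS)
SAMPLE_V3 = struct.pack("<IIQ", 1, 9, 0)

if __name__ == "__main__":
    print(parse_entry("P:\\Jvaqbjf\\abgrcnq.rkr", SAMPLE_V5))
    print(parse_entry("P:\\Jvaqbjf\\pzq.rkr", SAMPLE_V3))
```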