dissect.target.plugins.os.windows.regf.userassist

Module Contents

Classes

UserAssistPlugin

UserAssist plugin.

Attributes

dissect.target.plugins.os.windows.regf.userassist.userassist_def = Multiline-String
"""
struct VERSION5_ENTRY {
    char padding[4];
    uint32 number_of_executions;
    uint32 application_focus_count;
    uint32 application_focus_duration;
    char padding[44];
    uint64 timestamp;
    char padding[4];
};

struct VERSION3_ENTRY {
    uint32  session_id;
    uint32  number_of_executions;
    uint64  timestamp;
};
"""
dissect.target.plugins.os.windows.regf.userassist.c_userassist
dissect.target.plugins.os.windows.regf.userassist.UserAssistRecordDescriptor
dissect.target.plugins.os.windows.regf.userassist.UserAssistRecord
class dissect.target.plugins.os.windows.regf.userassist.UserAssistPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

UserAssist plugin.

KEY = 'HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist'
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

userassist()

Return the UserAssist information for each user.

The UserAssist registry keys contain information about programs that were recently executed on the system. Programs launched via the command line are not registered within these registry keys.

Yields UserAssistRecords with fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The entry timestamp.
path (path): The entry path.
number_of_executions (int): The number of executions for this entry.
application_focus_count (int): The focus count for this entry.
application_focus_duration (int): The duration of focus for this entry.
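
An added example, not dissect's own code: decoding one raw UserAssist value with the VERSION5_ENTRY and VERSION3_ENTRY layouts shown above, using only the Python standard library. It assumes value names are ROT13-encoded and timestamps are Windows FILETIME values, as is standard for this artifact; `parse_entry`, `filetime_to_dt` and the sample bytes are constructed for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Layouts mirror VERSION5_ENTRY (72 bytes) and VERSION3_ENTRY (16 bytes) above.
V5 = struct.Struct("<4xIII44xQ4x")
V3 = struct.Struct("<IIQ")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means unset."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_entry(value_name, data):
    """Decode one UserAssist value; the entry version is inferred from its size."""
    record = {
        "path": codecs.decode(value_name, "rot_13"),  # assumption: ROT13 names
        "application_focus_count": None,      # only present in version 5 entries
        "application_focus_duration": None,
    }
    if len(data) == V5.size:
        execs, focus_count, focus_duration, ts = V5.unpack(data)
        record.update(application_focus_count=focus_count,
                      application_focus_duration=focus_duration)
    elif len(data) == V3.size:
        _session_id, execs, ts = V3.unpack(data)
    else:
        # Truncated or unknown layouts are rejected rather than guessed at.
        raise ValueError(f"unexpected UserAssist entry size: {len(data)}")
    record.update(number_of_executions=execs, ts=filetime_to_dt(ts))
    return record


# Constructed sample data: ROT13 of C:\Windows\notepad.exe and packed entries.
SAMPLE_NAME = r"P:\Jvaqbjf\abgrcnq.rkr"
SAMPLE_TS = 133_485_408_000_000_000  # 2024-01-01 00:00:00 UTC as FILETIME
SAMPLE_V5 = V5.pack(3, 2, 45000, SAMPLE_TS)
SAMPLE_V3 = V3.pack(1, 7, SAMPLE_TS)

if __name__ == "__main__":
    print(parse_entry(SAMPLE_NAME, SAMPLE_V5))
    print(parse_entry(SAMPLE_NAME, SAMPLE_V3))
```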