dissect.target.plugins.os.windows.wer

Module Contents

Classes

WindowsErrorReportingPlugin

Plugin for parsing Windows Error Reporting files.

Attributes

dissect.target.plugins.os.windows.wer.camel_case_patterns

class dissect.target.plugins.os.windows.wer.WindowsErrorReportingPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin for parsing Windows Error Reporting files.

WER_LOG_DIRS = ['sysvol/ProgramData/Microsoft/Windows/WER/ReportArchive', ...
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target), for example because a file or directory the plugin needs exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

wer() -> Iterator[dissect.target.helpers.record.DynamicDescriptor]

Return information from Windows Error Reporting (WER) files.

Windows Error Reporting (WER) creates a report when an application crashes. These reports can be sent to Microsoft, which can then offer the user troubleshooting information. Because malware and attacker tooling tend to crash more often than mature, well-tested software, the presence of WER reports on a system, and the details inside them (the crashed binary's name, path and version, and the target_app_id field, which may contain a hash of the crashed application), are useful during analysis.

References

Yields dynamically created records based on the fields in the files. A record at least contains the following fields:

ts (datetime): The moment in time when the error event took place.
version (string): WER file version.
event_type (string): WER file event type.
consent (string): WER file consent to be sent to Microsoft.
report_identifier (string): WER file report identifier.
app_session_guid (string): GUID for the app session causing/reporting the error.
target_app_id (string): WER file target app ID, which may contain the application hash.
target_app_ver (string): WER file target app version.
boot_id (string): WER file boot ID.
response_type (string): WER file response type.
friendly_event_name (string): Human-readable event name.
app_name (string): WER file application name.
app_path (string): Path to the application that caused/reported the error.
report_description (string): WER file report description.
application_identity (string): WER file application identity.
metadata_hash (string): WER file metadata hash.
wer_file_path (path): File path to the WER report on the target.
metadata_file_path (path): File path to the metadata XML file on the target (if present).
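The following is an added example, not dissect.target's own code, showing the work the wer() plugin does in miniature: reading a Report.wer file as UTF-16LE Key=Value text, converting the CamelCase keys (TargetAppId, Sig[0].Name, Response.type) into the snake_case field names listed above, decoding EventTime from a Windows FILETIME into the ts field, and then pulling out what an analyst checks first: where the crashed binary ran from, any digest-length hex run inside target_app_id, and the crash signature pairs. The sample report, the snake_case rules, the assumption that the hash in TargetAppId is a 40-hex-digit segment, and the list of suspicious directories are all constructed for this example and are not taken from the plugin or from Microsoft documentation.

```python
"""Parse a Windows Error Reporting (Report.wer) file into a flat record.

Added example, not dissect.target's own code. It assumes the on-disk form
that Report.wer files have in practice: UTF-16LE text, one Key=Value pair
per line, keys in CamelCase, optionally with [n] indexes and dotted suffixes.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample report (not a real crash). Values are illustrative; the
# 40-hex segment in TargetAppId is the SHA-1 of the empty string, and the real
# layout of that field is an assumption here, not something this code verifies.
SAMPLE_WER = "\r\n".join([
    "Version=131072",
    "EventType=APPCRASH",
    "EventTime=133300000000000000",
    "ReportType=2",
    "Consent=1",
    "ReportIdentifier=2a1b3c4d-0000-4e5f-8a9b-000000000001",
    "AppSessionGuid=00001b2c-0000-0000-0000-000000000002",
    "TargetAppId=W:0006F0DD1F1C1CD5B3D5E2DF98F0E01E"
    "!da39a3ee5e6b4b0d3255bfef95601890afd80709!update.exe",
    "TargetAppVer=2023//05//31:10:02:17!0!update.exe",
    "BootId=4294967295",
    "Response.type=4",
    "Sig[0].Name=Application Name",
    "Sig[0].Value=update.exe",
    "Sig[1].Name=Application Version",
    "Sig[1].Value=1.0.0.0",
    "LoadedModule[0]=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    "FriendlyEventName=Stopped working",
    "AppName=update.exe",
    "AppPath=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    "ApplicationIdentity=00000000000000000000000000000000",
    "MetadataHash=1234567890",
]).encode("utf-16-le")

# Split before an uppercase letter that follows a lowercase letter or digit,
# or that starts a new word inside an acronym run (OSVersion -> OS_Version).
_CAMEL_BOUNDARY = re.compile(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# A 40-hex-digit run that is not part of a longer hex run (SHA-1 length).
_HEX40 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")
# Drop locations an installed application normally does not execute from.
# Assumed heuristic for this example; tune it to the environment.
_SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                    "\\windows\\temp\\", "\\downloads\\")


def to_snake_case(key: str) -> str:
    """TargetAppId -> target_app_id, Sig[0].Name -> sig_0_name, Response.type -> response_type."""
    key = re.sub(r"[\[\].]+", "_", key).strip("_")
    return _CAMEL_BOUNDARY.sub("_", key).lower()


def filetime_to_datetime(value: str) -> datetime:
    """EventTime is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC, in decimal."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def parse_wer(data: bytes) -> dict:
    """Decode a Report.wer file and return its fields keyed by snake_case name."""
    text = data.decode("utf-16-le").lstrip("\ufeff")  # tolerate a BOM
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # blank or malformed line; WER writes strictly Key=Value
        key, _, value = line.partition("=")
        fields[to_snake_case(key.strip())] = value.strip()
    if "event_time" in fields:
        fields["ts"] = filetime_to_datetime(fields["event_time"])
    return fields


def signatures(fields: dict) -> dict:
    """Pair Sig[n].Name with Sig[n].Value into a name -> value mapping."""
    out = {}
    for key, name in fields.items():
        m = re.fullmatch(r"sig_(\d+)_name", key)
        if m:
            out[name] = fields.get(f"sig_{m.group(1)}_value")
    return out


def triage(fields: dict) -> dict:
    """Summarise the points an analyst checks first on a parsed report."""
    app_path = fields.get("app_path", "")
    lowered = app_path.lower()
    return {
        "ts": fields.get("ts"),
        "event_type": fields.get("event_type"),
        "app_path": app_path,
        # Digest-length hex runs in TargetAppId, to compare against known-bad hashes.
        "candidate_hashes": _HEX40.findall(fields.get("target_app_id", "")),
        "suspicious_location": any(d in lowered for d in _SUSPICIOUS_DIRS),
        "signatures": signatures(fields),
    }


if __name__ == "__main__":
    for key, value in triage(parse_wer(SAMPLE_WER)).items():
        print(f"{key}: {value}")
```

Two points carry over to real reports: EventTime is a FILETIME, so it must be divided by ten before it is a microsecond offset from 1601, and the digest inside TargetAppId should be treated as a candidate to compare against, not as a verified hash of the binary, since the field's layout is not formally documented.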