dissect.target.plugins.os.windows.amcache

Module Contents

Classes

PcaGeneralDbType

PcaGeneralDb type enum.

AmcachePluginOldMixin

AmcachePlugin

Appcompat plugin for amcache.hve.

Functions

parse_win_datetime

parse_win_timestamp

Attributes

AMCACHE_FILE_KEYS

AMCACHE_PROGRAM_KEYS

ShortcutAppcompatRecord

FileAppcompatRecord

ProgramsAppcompatRecord

ApplicationAppcompatRecord

ApplicationFileAppcompatRecord

BinaryAppcompatRecord

ContainerAppcompatRecord

PcaAppLaunchAppcompatRecord

PcaGeneralAppcompatRecord

dissect.target.plugins.os.windows.amcache.AMCACHE_FILE_KEYS
dissect.target.plugins.os.windows.amcache.AMCACHE_PROGRAM_KEYS
dissect.target.plugins.os.windows.amcache.ShortcutAppcompatRecord
dissect.target.plugins.os.windows.amcache.FileAppcompatRecord
dissect.target.plugins.os.windows.amcache.ProgramsAppcompatRecord
dissect.target.plugins.os.windows.amcache.ApplicationAppcompatRecord
dissect.target.plugins.os.windows.amcache.ApplicationFileAppcompatRecord
dissect.target.plugins.os.windows.amcache.BinaryAppcompatRecord
dissect.target.plugins.os.windows.amcache.ContainerAppcompatRecord
dissect.target.plugins.os.windows.amcache.PcaAppLaunchAppcompatRecord
dissect.target.plugins.os.windows.amcache.PcaGeneralAppcompatRecord
class dissect.target.plugins.os.windows.amcache.PcaGeneralDbType

Bases: enum.IntEnum

PcaGeneralDb type enum.

Resource:
INSTALLER_FAILED = 0
DRIVER_BLOCKED = 1
ABNORMAL_PROCESS_EXIT = 2
PCA_RESOLVE_CALLED = 3
UNKNOWN = 4
class dissect.target.plugins.os.windows.amcache.AmcachePluginOldMixin
__namespace__ = 'amcache'
parse_file() collections.abc.Iterator[FileAppcompatRecord]
parse_programs() collections.abc.Iterator[ProgramsAppcompatRecord]
programs() collections.abc.Iterator[ProgramsAppcompatRecord]

Return Programs records from Amcache hive.

files() collections.abc.Iterator[FileAppcompatRecord]

Return File records from Amcache hive.

class dissect.target.plugins.os.windows.amcache.AmcachePlugin(target: dissect.target.target.Target)

Bases: AmcachePluginOldMixin, dissect.target.plugin.Plugin

Appcompat plugin for amcache.hve.

Supported registry keys for old version of Amcache:

  • File

  • Programs

Supported registry keys for new version of Amcache:

  • InventoryDriverBinary

  • InventoryDeviceContainer

  • InventoryApplication

  • InventoryApplicationFile

  • InventoryApplicationShortcut

References

__namespace__ = 'amcache'

Defines the plugin namespace.

amcache
amcache_applaunch = False
check_compatible() None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

read_key_subkeys(key: str) collections.abc.Iterator[dissect.target.helpers.regutil.RegistryKey]
parse_inventory_application() collections.abc.Iterator[ApplicationAppcompatRecord]

Parse RootInventoryApplication registry key subkeys.

References

parse_inventory_application_file() collections.abc.Iterator[ApplicationFileAppcompatRecord]

Parse RootInventoryApplicationFile registry key subkeys.

References

parse_inventory_driver_binary() collections.abc.Iterator[BinaryAppcompatRecord]
parse_inventory_application_shortcut() collections.abc.Iterator[ShortcutAppcompatRecord]
parse_inventory_device_container() collections.abc.Iterator[ContainerAppcompatRecord]
applications() collections.abc.Iterator[ApplicationAppcompatRecord]

Return InventoryApplication records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryApplication key holds all application objects that are in cache.

References

application_files() collections.abc.Iterator[ApplicationFileAppcompatRecord]

Return InventoryApplicationFile records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryApplicationFile key holds the application files that are in cache.

References

drivers() collections.abc.Iterator[BinaryAppcompatRecord]

Return InventoryDriverBinary records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryDriverBinary key holds the driver binaries that are in cache.

References

shortcuts() collections.abc.Iterator[ShortcutAppcompatRecord]

Return InventoryApplicationShortcut records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryApplicationShortcut field holds the shortcuts that are in cache. The key values contain information about the target of the lnk file.

References

device_containers() collections.abc.Iterator[ContainerAppcompatRecord]

Return InventoryDeviceContainer records from Amcache hive.

Amcache is a registry hive that stores information about executed programs. The InventoryDeviceContainer key holds the device containers that are in cache. Example devices are bluetooth, printers, audio, etc.

References

applaunches() collections.abc.Iterator[PcaAppLaunchAppcompatRecord]

Return PcaAppLaunchAppcompatRecord records from Amcache PCA AppLaunch files (Windows 11 22H2 or later).

References

general() collections.abc.Iterator[PcaGeneralAppcompatRecord]

Return PcaGeneralAppcompatRecord records from Amcache PCA General files (Windows 11 22H2 or later).

References

dissect.target.plugins.os.windows.amcache.parse_win_datetime(value: str) datetime.datetime | None
dissect.target.plugins.os.windows.amcache.parse_win_timestamp(value: str) datetime.datetime | None