dissect.target.plugins.os.windows.cam

Module Contents

Classes

CamPlugin

Plugin that iterates various Capability Access Manager registry key locations.

Attributes

dissect.target.plugins.os.windows.cam.CamRegistryRecord
dissect.target.plugins.os.windows.cam.CamUsageHistoryRecord
dissect.target.plugins.os.windows.cam.CamIdentityRelationshipHistoryRecord
dissect.target.plugins.os.windows.cam.CamGlobalPromptHistoryRecord
class dissect.target.plugins.os.windows.cam.CamPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin that iterates various Capability Access Manager registry key locations.

__namespace__ = 'cam'

Defines the plugin namespace.

CONSENT_STORES = ('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore',...
CAP_DB_REG_PATH = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\CapabilityUsageHistory'
CONTENT_TABLES = ('NonPackagedUsageHistory', 'PackagedUsageHistory', 'NonPackagedIdentityRelationship',...
CONTEXT_TABLES = ('Capabilities', 'PackageFamilyNames', 'BinaryFullPaths', 'Users', 'FileIDs', 'ProgramIDs',...
app_regf_keys
camdb_path
camdb: dissect.database.sqlite3.SQLite3 | None = None
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

yield_apps() → collections.abc.Iterator[dissect.target.helpers.regutil.RegistryKey]
history() → collections.abc.Iterator[CamUsageHistoryRecord | CamIdentityRelationshipHistoryRecord | CamGlobalPromptHistoryRecord]

Iterate Capability Access Manager history entries. The Capability Access Manager keeps track of processes that access I/O devices, like the webcam or microphone. Applications are divided into packaged and non-packaged applications, meaning Microsoft or non-Microsoft applications. Since Windows 11, additional historical entries are also available in a SQL database.

Records are created from the following tables:

- NonPackagedUsageHistory
- PackagedUsageHistory
- NonPackagedIdentityRelationship
- NonPackagedGlobalPromptHistory

Yields CamUsageHistoryRecord, CamIdentityRelationshipHistoryRecord or CamGlobalPromptHistoryRecord:

Record CamUsageHistoryRecord:

last_used_time_stop (datetime): When the application last stopped using the capability.
last_used_time_start (datetime): When the application last started using the capability.
duration (varint): How long the application used the capability.
package_type (string): The application type of the record, originates from the table name.
capability (string): The capability being used; microphone, camera, location etc.
file_id (string): The SHA-1 hash of the application making use of the capability.
file_id_hash (digest): Digest version of the file_id field.
access_blocked (string): Whether capability usage was blocked: 0 = not blocked, 1 = blocked.
program_id (string): Program ID of application, unclear what this value means.
package_family_name (string): Package name of application using capability.
access_guid (string): Unclear what the value of this is.
label (string): Unclear what the value of this is, no joinable table with this ID.
app_name (string): Name of the application using capability.
binary_full_path (path): Path of the application using capability.
service_name (string): Name of the service using capability.

Record CamIdentityRelationshipHistoryRecord:

last_observed_time (datetime): Last time capability was observed.
package_type (string): The application type of the record, originates from the table name.
file_id (string): The sha1 hash of the application making use of the capability.
file_id_hash (digest): Digest version of the file_id field.
program_id (string): Program ID of application, unclear what this value means.
binary_full_path (path): Path of the application using capability.

Record CamGlobalPromptHistoryRecord:

shown_time (datetime): Last time capability was observed.
package_type (string): The application type of the record, originates from the table name.
capability (string): The capability being used; microphone, camera, location etc.
file_id (string): The sha1 hash of the application making use of the capability.
file_id_hash (digest): Digest version of the file_id field.
program_id (string): Program ID of application, unclear what this value means.
registry() → collections.abc.Iterator[CamRegistryRecord]

Iterate Capability Access Manager key locations.

The Capability Access Manager keeps track of processes that access I/O devices, like the webcam or microphone. Applications are divided into packaged and non-packaged applications meaning Microsoft or non-Microsoft applications.

Yields CamRegistryRecord with the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The modification timestamp of the registry key.
device (string): Name of the device for which privacy permission was requested.
app_name (string): The name of the application.
path (path): The possible path to the application.
last_started (datetime): When the application last started using the device.
last_stopped (datetime): When the application last stopped using the device.
duration (varint): How long the application used the device (seconds).
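As an added example (not the plugin's own code), the following turns a ConsentStore-shaped mapping into the device, app_name, path, last_started, last_stopped and duration fields that registry() yields, converting FILETIME values and deriving the duration in seconds. The key layout (packaged apps under their package family name, non-packaged apps under NonPackaged with '#' standing in for '\' in the path), the value names LastUsedTimeStart/LastUsedTimeStop and all sample values are assumptions constructed here, not taken from this page.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC; 0 means "no time recorded".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime | None:
    return None if ft <= 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

@dataclass
class CamRegistryEntry:
    device: str
    app_name: str
    path: str | None  # only non-packaged apps carry a path on disk
    last_started: datetime | None
    last_stopped: datetime | None
    duration: int | None  # seconds; None when a time is missing or the session is still open

def parse_consent_store(store: dict[str, dict[str, int]]) -> list[CamRegistryEntry]:
    """Map {subkey path below ConsentStore: {value name: FILETIME}} to entries."""
    # Assumed (hypothetical) layout: <capability>\<PackageFamilyName> for packaged apps,
    # <capability>\NonPackaged\<binary path with '#' for '\'> for non-packaged apps.
    entries = []
    for key_path, values in store.items():
        parts = key_path.split("\\")
        if len(parts) == 1 or (parts[1] == "NonPackaged" and len(parts) == 2):
            continue  # the capability key or the NonPackaged container key: no app data
        device = parts[0]
        if parts[1] == "NonPackaged":
            path = parts[2].replace("#", "\\")
            app_name = path.rsplit("\\", 1)[-1]
        else:
            path, app_name = None, parts[1]
        started = filetime_to_datetime(values.get("LastUsedTimeStart", 0))
        stopped = filetime_to_datetime(values.get("LastUsedTimeStop", 0))
        # A stop time of 0 with a start time set is the open-session case: no duration yet.
        duration = int((stopped - started).total_seconds()) if started and stopped and stopped >= started else None
        entries.append(CamRegistryEntry(device, app_name, path, started, stopped, duration))
    return entries

# Constructed sample values: FILETIME ticks around early 2024; the microphone session is still open.
_T0 = 133_540_000_000_000_000
SAMPLE_STORE = {
    "webcam": {},
    "webcam\\Example.Camera_0123456789abc": {"LastUsedTimeStart": _T0, "LastUsedTimeStop": _T0 + 95 * 10_000_000},
    "webcam\\NonPackaged\\C:#Tools#capture.exe": {"LastUsedTimeStart": _T0 + 10**10, "LastUsedTimeStop": _T0 + 10**10 + 120 * 10_000_000},
    "microphone\\NonPackaged\\C:#Tools#capture.exe": {"LastUsedTimeStart": _T0 + 2 * 10**10, "LastUsedTimeStop": 0},
}
```

An entry whose last_stopped is None but last_started is set is worth flagging during review, since it indicates a capability that was in use when the hive was captured.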