dissect.target.plugins.os.windows.regf.applications

Module Contents

Classes

WindowsApplicationsPlugin

Windows Applications plugin.

Attributes

WindowsApplicationRecord

dissect.target.plugins.os.windows.regf.applications.WindowsApplicationRecord

class dissect.target.plugins.os.windows.regf.applications.WindowsApplicationsPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Windows Applications plugin.

keys

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

applications() → collections.abc.Iterator[WindowsApplicationRecord]

Yields currently installed applications from the Windows registry.

Use the Windows eventlog plugin (evtx, evt) to parse install and uninstall events of applications and services (e.g. 4697, 110707, 1034 and 11724).

References

• https://learn.microsoft.com/en-us/windows/win32/msi/uninstall-registry-key

Yields WindowsApplicationRecord records with the following fields:

ts_modified  (datetime): timestamp when the installation was modified according to the registry
ts_installed (datetime): the date when the application was installed according to the application
name         (string):   name of the application
version      (string):   version of the application
author       (string):   author of the application
type         (string):   type of the application, either user or system
path         (string):   path to the installed location or installer of the application