dissect.target.plugins.os.windows.regf.clsid

Module Contents

Classes

CLSIDPlugin

Return all CLSID registry keys.

Attributes

CLSIDRecordDescriptor
CLSIDRecord

dissect.target.plugins.os.windows.regf.clsid.CLSIDRecordDescriptor

dissect.target.plugins.os.windows.regf.clsid.CLSIDRecord

class dissect.target.plugins.os.windows.regf.clsid.CLSIDPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Return all CLSID registry keys.

A CLSID is a globally unique identifier that identifies a COM class object (program) situated in HKEY_CURRENT_USERSoftwareClassesCLSID and HKEY_LOCAL_MACHINESOFTWAREClassesCLSID. Malware may make use of the CLSID system to launch themselves automatically or when certain conditions are triggered.

References

• https://docs.microsoft.com/en-us/windows/win32/com/clsid-key-hklm

• https://www.enigmasoftware.com/what-is-clsid-registry-key/

__namespace__ = 'clsid'

Defines the plugin namespace.

KEYS: Final[dict[str, str]]

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

create_records(keys: list[dissect.target.helpers.regutil.RegistryKey]) → collections.abc.Iterator[CLSIDRecord]

Iterate all CLSID keys from HKEY_CURRENT_USERSoftwareClassesCLSID and HKEY_LOCAL_MACHINESOFTWAREClassesCLSID.

Yields CLSIDRecords with fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): Last modified timestamp of the registry key.
clsid (string): The CLSID key name.
path (uri): The CLSID path value.

user() → collections.abc.Iterator[CLSIDRecord]

Return only the user CLSID registry keys.

machine() → collections.abc.Iterator[CLSIDRecord]

Return only the machine CLSID registry keys.