dissect.target.plugins.os.windows.startupinfo

Module Contents

Classes

StartupInfoPlugin

Windows startup info plugin.

Functions

parse_ts

Attributes

StartupInfoRecord

dissect.target.plugins.os.windows.startupinfo.StartupInfoRecord

dissect.target.plugins.os.windows.startupinfo.parse_ts(time_string: str) → datetime.datetime | None

class dissect.target.plugins.os.windows.startupinfo.StartupInfoPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Windows startup info plugin.

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

startupinfo() → collections.abc.Iterator[StartupInfoRecord]

Return the contents of StartupInfo files.

On a Windows system, the StartupInfo log files contain information about process execution for the first 90 seconds of user logon activity, such as process name and CPU usage.

References

• https://www.trustedsec.com/blog/who-left-the-backdoor-open-using-startupinfo-for-the-win/