Changes to handle Windows MUI form time zone names #3752

log2timeline · Jun 21, 2021 · 29c1951 · 29c1951
1 parent 7ec60ca
commit 29c1951
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 7 deletions.
diff --git a/plaso/containers/artifacts.py b/plaso/containers/artifacts.py
@@ -463,24 +463,30 @@ class TimeZoneArtifact(ArtifactAttributeContainer):
   Attributes:
     localized_name (str): name describing the time zone in localized language
         for example "Greenwich (standaardtijd)".
+    mui_form (str): MUI form of the name describing the time zone for example
+        "@tzres.dll,-112".
     name (str): name describing the time zone for example "Greenwich Standard
         Time".
     offset (int): time zone offset in number of minutes from UTC.
   """
   CONTAINER_TYPE = 'time_zone'
 
-  def __init__(self, localized_name=None, name=None, offset=None):
+  def __init__(
+      self, localized_name=None, mui_form=None, name=None, offset=None):
     """Initializes a time zone artifact.
 
     Args:
       localized_name (Optional[str]): name describing the time zone in localized
           language for example "Greenwich (standaardtijd)".
+      mui_form (Optional[str]): MUI form of the name describing the time zone
+          for example "@tzres.dll,-112".
       name (Optional[str]): name describing the time zone for example "Greenwich
           Standard Time".
       offset (Optional[int]): time zone offset in number of minutes from UTC.
     """
     super(TimeZoneArtifact, self).__init__()
     self.localized_name = localized_name
+    self.mui_form = mui_form
     self.name = name
     self.offset = offset
 

diff --git a/plaso/engine/knowledge_base.py b/plaso/engine/knowledge_base.py
@@ -459,12 +459,19 @@ def SetTimeZone(self, time_zone):
     Raises:
       ValueError: if the time zone is not supported.
     """
-    localized_time_zones = {
-        time_zone_artifact.localized_name: time_zone_artifact.name
-        for time_zone_artifact in self.available_time_zones}
-
     # Get the "normalized" name of a Windows time zone name.
-    time_zone = localized_time_zones.get(time_zone, time_zone)
+    if time_zone.startswith('@tzres.dll,'):
+      mui_form_time_zones = {
+          time_zone_artifact.mui_form: time_zone_artifact.name
+          for time_zone_artifact in self.available_time_zones}
+
+      time_zone = mui_form_time_zones.get(time_zone, time_zone)
+    else:
+      localized_time_zones = {
+          time_zone_artifact.localized_name: time_zone_artifact.name
+          for time_zone_artifact in self.available_time_zones}
+
+      time_zone = localized_time_zones.get(time_zone, time_zone)
 
     # Map a Windows time zone name to a Python time zone name.
     time_zone = time_zones.WINDOWS_TIME_ZONES.get(time_zone, time_zone)

diff --git a/plaso/preprocessors/windows.py b/plaso/preprocessors/windows.py
@@ -224,6 +224,12 @@ def _ParseKey(self, mediator, registry_key, value_name):
     else:
       localized_name = registry_key.name
 
+    mui_std_value = registry_key.GetValueByName('MUI_Std')
+    if mui_std_value:
+      mui_form = std_value.GetDataAsObject()
+    else:
+      mui_form = None
+
     tzi_value = registry_key.GetValueByName('TZI')
     if not tzi_value:
       mediator.ProducePreprocessingWarning(
@@ -233,7 +239,8 @@ def _ParseKey(self, mediator, registry_key, value_name):
       return
 
     time_zone_artifact = artifacts.TimeZoneArtifact(
-        localized_name=localized_name, name=registry_key.name)
+        localized_name=localized_name, mui_form=mui_form,
+        name=registry_key.name)
 
     try:
       self._ParseTZIValue(tzi_value.data, time_zone_artifact)

diff --git a/tests/engine/knowledge_base.py b/tests/engine/knowledge_base.py
@@ -360,7 +360,27 @@ def testSetTimeZone(self):
     """Tests the SetTimeZone function."""
     knowledge_base_object = knowledge_base.KnowledgeBase()
 
+    time_zone_artifact = artifacts.TimeZoneArtifact(
+        localized_name='Eastern (standaardtijd)', mui_form='@tzres.dll,-112',
+        name='Eastern Standard Time')
+
+    knowledge_base_object.AddAvailableTimeZone(time_zone_artifact)
+
+    # Set an IANA time zone name.
     knowledge_base_object.SetTimeZone('Europe/Zurich')
+    self.assertEqual(knowledge_base_object._time_zone.zone, 'Europe/Zurich')
+
+    # Set a Windows time zone name.
+    knowledge_base_object.SetTimeZone('Eastern Standard Time')
+    self.assertEqual(knowledge_base_object._time_zone.zone, 'America/New_York')
+
+    # Set a localized Windows time zone name.
+    knowledge_base_object.SetTimeZone('Eastern (standaardtijd)')
+    self.assertEqual(knowledge_base_object._time_zone.zone, 'America/New_York')
+
+    # Set a MUI form Windows time zone name.
+    knowledge_base_object.SetTimeZone('@tzres.dll,-112')
+    self.assertEqual(knowledge_base_object._time_zone.zone, 'America/New_York')
 
     with self.assertRaises(ValueError):
       knowledge_base_object.SetTimeZone('Bogus')