profilelist.py
import pytz
import datetime
import logbook
from regipy.exceptions import RegistryKeyNotFoundException, NoRegistryValuesException
from regipy.hive_types import SOFTWARE_HIVE_TYPE
from regipy.plugins.plugin import Plugin
from regipy.utils import get_subkey_values_from_list
from regipy.utils import convert_wintime, convert_filetime
# Module-level logbook logger, named after this module.
logger = logbook.Logger(__name__)
# Key path handed to registry_hive.get_key() by ProfileListPlugin.run(); the
# plugin declares SOFTWARE_HIVE_TYPE as its compatible hive.
PROFILE_LIST_KEY_PATH = r"\Microsoft\Windows NT\CurrentVersion\ProfileList"
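class ProfileListPlugin(Plugin):
    """Collect user-profile records from the ProfileList key of a SOFTWARE hive.

    Every subkey of ``PROFILE_LIST_KEY_PATH`` becomes one entry in
    ``self.entries``; the subkey name is reported as the entry's ``sid``.
    """

    NAME = 'profilelist_plugin'
    DESCRIPTION = 'Parses information about user profiles found in the ProfileList key'
    COMPATIBLE_HIVE = SOFTWARE_HIVE_TYPE

    def run(self):
        """Append one dict per ProfileList subkey to ``self.entries``.

        If the ProfileList key is missing from the hive, the exception is
        logged and the method returns without adding entries.
        """
        logger.info('Started profile list plugin...')

        try:
            subkey = self.registry_hive.get_key(PROFILE_LIST_KEY_PATH)
        except RegistryKeyNotFoundException as ex:
            logger.error(ex)
            # Nothing to iterate without the key. Returning here keeps a hive
            # that lacks ProfileList from failing with UnboundLocalError on
            # `subkey` in the loop below, which would hide the logged cause.
            return

        for profile in subkey.iter_subkeys():
            # NOTE(review): the values below are read without checking that
            # they exist. Presumably get_value() yields None for a missing
            # value; confirm that convert_filetime() tolerates None inputs, so
            # that one profile lacking the *LoadTime* values cannot abort the
            # whole listing.
            # NOTE(review): unlike 'last_write', the two load times are not
            # converted with as_json; confirm they serialize when self.as_json
            # is set.
            self.entries.append({
                'last_write': convert_wintime(profile.header.last_modified, as_json=self.as_json),
                'path': profile.get_value('ProfileImagePath'),
                'flags': profile.get_value('Flags'),
                'full_profile': profile.get_value('FullProfile'),
                'state': profile.get_value('State'),
                'sid': profile.name,
                'load_time': convert_filetime(
                    profile.get_value('ProfileLoadTimeLow'),
                    profile.get_value('ProfileLoadTimeHigh'),
                ),
                'local_load_time': convert_filetime(
                    profile.get_value('LocalProfileLoadTimeLow'),
                    profile.get_value('LocalProfileLoadTimeHigh'),
                ),
            })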