:py:mod:`dissect.target.plugins.os.windows.regf.cit` ==================================================== .. py:module:: dissect.target.plugins.os.windows.regf.cit Module Contents --------------- Classes ~~~~~~~ .. autoapisummary:: dissect.target.plugins.os.windows.regf.cit.CIT dissect.target.plugins.os.windows.regf.cit.Entry dissect.target.plugins.os.windows.regf.cit.BaseUseData dissect.target.plugins.os.windows.regf.cit.BaseUseDataBitmaps dissect.target.plugins.os.windows.regf.cit.SystemData dissect.target.plugins.os.windows.regf.cit.SystemDataBitmaps dissect.target.plugins.os.windows.regf.cit.ProgramUseData dissect.target.plugins.os.windows.regf.cit.ProgramDataBitmaps dissect.target.plugins.os.windows.regf.cit.CITPlugin Functions ~~~~~~~~~ .. autoapisummary:: :nosignatures: dissect.target.plugins.os.windows.regf.cit.decode_name dissect.target.plugins.os.windows.regf.cit.local_wintimestamp Attributes ~~~~~~~~~~ .. autoapisummary:: dissect.target.plugins.os.windows.regf.cit.cit_def dissect.target.plugins.os.windows.regf.cit.c_cit dissect.target.plugins.os.windows.regf.cit.CITSystemRecord dissect.target.plugins.os.windows.regf.cit.BITMAP_FIELDS dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapDisplayPowerRecord dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapDisplayRequestChangeRecord dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapInputRecord dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapInputTouchRecord dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapUnknownRecord dissect.target.plugins.os.windows.regf.cit.CITSystemBitmapForegroundRecord dissect.target.plugins.os.windows.regf.cit.CITProgramRecord dissect.target.plugins.os.windows.regf.cit.CITProgramBitmapForegroundRecord dissect.target.plugins.os.windows.regf.cit.CIT_RECORDS dissect.target.plugins.os.windows.regf.cit.CITPostUpdateUseInfoRecord dissect.target.plugins.os.windows.regf.cit.CITDPRecord dissect.target.plugins.os.windows.regf.cit.CITDPDurationRecord 
dissect.target.plugins.os.windows.regf.cit.CITTelemetryRecord dissect.target.plugins.os.windows.regf.cit.CITModuleRecord .. py:data:: cit_def :value: Multiline-String .. raw:: html
Show Value .. code-block:: python """ typedef QWORD FILETIME; flag TELEMETRY_ANSWERS { Unknown0 = 0x4, Unknown1 = 0x8, POWERBROADCAST = 0x10000, DEVICECHANGE = 0x20000, IME_CONTROL = 0x40000, WINHELP = 0x80000, }; typedef struct _CIT_HEADER { WORD MajorVersion; WORD MinorVersion; DWORD Size; /* Size of the entire buffer */ FILETIME CurrentTimeLocal; /* Maybe the time when the saved CIT was last updated? */ DWORD Crc32; /* Crc32 of the entire buffer, skipping this field */ DWORD EntrySize; DWORD EntryCount; DWORD EntryDataOffset; DWORD SystemDataSize; DWORD SystemDataOffset; DWORD BaseUseDataSize; DWORD BaseUseDataOffset; FILETIME StartTimeLocal; /* Presumably when the aggregation started */ FILETIME PeriodStartLocal; /* Presumably the starting point of the aggregation period */ DWORD AggregationPeriodInS; /* Presumably the duration over which this data was gathered * Always 604800 (7 days) */ DWORD BitPeriodInS; /* Presumably the amount of seconds a single bit represents * Always 3600 (1 hour) */ DWORD SingleBitmapSize; /* This appears to be the sizes of the Stats buffers, always 21 */ DWORD _Unk0; /* Always 0x00000100? */ DWORD HeaderSize; DWORD _Unk1; /* Always 0x00000000? 
*/ } CIT_HEADER; typedef struct _CIT_PERSISTED { DWORD BitmapsOffset; /* Array of Offset and Size (DWORD, DWORD) */ DWORD BitmapsSize; DWORD SpanStatsOffset; /* Array of Count and Duration (DWORD, DWORD) */ DWORD SpanStatsSize; DWORD StatsOffset; /* Array of WORD */ DWORD StatsSize; } CIT_PERSISTED; typedef struct _CIT_ENTRY { DWORD ProgramDataOffset; /* Offset to CIT_PROGRAM_DATA */ DWORD UseDataOffset; /* Offset to CIT_PERSISTED */ DWORD ProgramDataSize; DWORD UseDataSize; } CIT_ENTRY; typedef struct _CIT_PROGRAM_DATA { DWORD FilePathOffset; /* Offset to UTF-16-LE file path string */ DWORD FilePathSize; /* strlen of string */ DWORD CommandLineOffset; /* Offset to UTF-16-LE command line string */ DWORD CommandLineSize; /* strlen of string */ DWORD PeTimeDateStamp; /* aka Extra1 */ DWORD PeCheckSum; /* aka Extra2 */ DWORD Extra3; /* aka Extra3, some flag from PROCESSINFO struct */ } CIT_PROGRAM_DATA; typedef struct _CIT_BITMAP_ITEM { DWORD Offset; DWORD Size; } CIT_BITMAP_ITEM; typedef struct _CIT_SPAN_STAT_ITEM { DWORD Count; DWORD Duration; } CIT_SPAN_STAT_ITEM; typedef struct _CIT_SYSTEM_DATA_SPAN_STATS { CIT_SPAN_STAT_ITEM ContextFlushes0; CIT_SPAN_STAT_ITEM Foreground0; CIT_SPAN_STAT_ITEM Foreground1; CIT_SPAN_STAT_ITEM DisplayPower0; CIT_SPAN_STAT_ITEM DisplayRequestChange; CIT_SPAN_STAT_ITEM DisplayPower1; CIT_SPAN_STAT_ITEM DisplayPower2; CIT_SPAN_STAT_ITEM DisplayPower3; CIT_SPAN_STAT_ITEM ContextFlushes1; CIT_SPAN_STAT_ITEM Foreground2; CIT_SPAN_STAT_ITEM ContextFlushes2; } CIT_SYSTEM_DATA_SPAN_STATS; typedef struct _CIT_USE_DATA_SPAN_STATS { CIT_SPAN_STAT_ITEM ProcessCreation0; CIT_SPAN_STAT_ITEM Foreground0; CIT_SPAN_STAT_ITEM Foreground1; CIT_SPAN_STAT_ITEM Foreground2; CIT_SPAN_STAT_ITEM ProcessSuspended; CIT_SPAN_STAT_ITEM ProcessCreation1; } CIT_USE_DATA_SPAN_STATS; typedef struct _CIT_SYSTEM_DATA_STATS { WORD Unknown_BootIdRelated0; WORD Unknown_BootIdRelated1; WORD Unknown_BootIdRelated2; WORD Unknown_BootIdRelated3; WORD Unknown_BootIdRelated4; 
WORD SessionConnects; WORD ProcessForegroundChanges; WORD ContextFlushes; WORD MissingProgData; WORD DesktopSwitches; WORD WinlogonMessage; WORD WinlogonLockHotkey; WORD WinlogonLock; WORD SessionDisconnects; } CIT_SYSTEM_DATA_STATS; typedef struct _CIT_USE_DATA_STATS { WORD Crashes; WORD ThreadGhostingChanges; WORD Input; WORD InputKeyboard; WORD Unknown; WORD InputTouch; WORD InputHid; WORD InputMouse; WORD MouseLeftButton; WORD MouseRightButton; WORD MouseMiddleButton; WORD MouseWheel; } CIT_USE_DATA_STATS; // PUU typedef struct _CIT_POST_UPDATE_USE_INFO { DWORD UpdateKey; WORD UpdateCount; WORD CrashCount; WORD SessionCount; WORD LogCount; DWORD UserActiveDurationInS; DWORD UserOrDispActiveDurationInS; DWORD DesktopActiveDurationInS; WORD Version; WORD _Unk0; WORD BootIdMin; WORD BootIdMax; DWORD PMUUKey; DWORD SessionDurationInS; DWORD SessionUptimeInS; DWORD UserInputInS; DWORD MouseInputInS; DWORD KeyboardInputInS; DWORD TouchInputInS; DWORD PrecisionTouchpadInputInS; DWORD InForegroundInS; DWORD ForegroundSwitchCount; DWORD UserActiveTransitionCount; DWORD _Unk1; FILETIME LogTimeStart; QWORD CumulativeUserActiveDurationInS; WORD UpdateCountAccumulationStarted; WORD _Unk2; DWORD BuildUserActiveDurationInS; DWORD BuildNumber; DWORD _UnkDeltaUserOrDispActiveDurationInS; DWORD _UnkDeltaTime; DWORD _Unk3; } CIT_POST_UPDATE_USE_INFO; // DP typedef struct _CIT_DP_MEMOIZATION_ENTRY { DWORD Unk0; DWORD Unk1; DWORD Unk2; } CIT_DP_MEMOIZATION_ENTRY; typedef struct _CIT_DP_MEMOIZATION_CONTEXT { _CIT_DP_MEMOIZATION_ENTRY Entries[12]; } CIT_DP_MEMOIZATION_CONTEXT; typedef struct _CIT_DP_DATA { WORD Version; WORD Size; WORD LogCount; WORD CrashCount; DWORD SessionCount; DWORD UpdateKey; QWORD _Unk0; FILETIME _UnkTime; FILETIME LogTimeStart; DWORD ForegroundDurations[11]; DWORD _Unk1; _CIT_DP_MEMOIZATION_CONTEXT MemoizationContext; } CIT_DP_DATA; """ .. raw:: html
.. py:data:: c_cit .. py:data:: CITSystemRecord .. py:data:: BITMAP_FIELDS :value: [('datetime', 'ts'), ('datetime', 'period_start'), ('datetime', 'start_time'), ('datetime',... .. py:data:: CITSystemBitmapDisplayPowerRecord .. py:data:: CITSystemBitmapDisplayRequestChangeRecord .. py:data:: CITSystemBitmapInputRecord .. py:data:: CITSystemBitmapInputTouchRecord .. py:data:: CITSystemBitmapUnknownRecord .. py:data:: CITSystemBitmapForegroundRecord .. py:data:: CITProgramRecord .. py:data:: CITProgramBitmapForegroundRecord .. py:data:: CIT_RECORDS .. py:data:: CITPostUpdateUseInfoRecord .. py:data:: CITDPRecord .. py:data:: CITDPDurationRecord .. py:data:: CITTelemetryRecord .. py:data:: CITModuleRecord .. py:class:: CIT(buf) .. py:method:: data(offset, size, expected_size=None) .. py:method:: iter_bitmap(bitmap: bytes) .. py:class:: Entry(cit, entry) .. py:method:: __repr__() Return repr(self). .. py:class:: BaseUseData(cit, entry) .. py:attribute:: MIN_BITMAPS_SIZE :value: 8 .. py:attribute:: MIN_SPAN_STATS_SIZE :value: 48 .. py:attribute:: MIN_STATS_SIZE :value: 24 .. py:class:: BaseUseDataBitmaps(cit, bitmaps) .. py:class:: SystemData(cit, entry) Bases: :py:obj:`BaseUseData` .. py:attribute:: MIN_BITMAPS_SIZE :value: 48 .. py:attribute:: MIN_SPAN_STATS_SIZE :value: 88 .. py:attribute:: MIN_STATS_SIZE :value: 28 .. py:class:: SystemDataBitmaps(cit, bitmaps) Bases: :py:obj:`BaseUseDataBitmaps` .. py:class:: ProgramUseData(cit, entry) Bases: :py:obj:`BaseUseData` .. py:class:: ProgramDataBitmaps(cit, use_data) Bases: :py:obj:`BaseUseDataBitmaps` .. py:function:: decode_name(name) Decode the registry key name. The CIT key name in the registry has some strange encoding. This function is currently unused, but leaving it here for reference if someone needs it. .. py:function:: local_wintimestamp(target, ts) .. py:class:: CITPlugin(target: dissect.target.Target) Bases: :py:obj:`dissect.target.plugin.Plugin` Plugin that parses CIT data from the registry. 
Reference: - https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/ .. py:attribute:: __namespace__ :value: 'cit' .. py:attribute:: KEY :value: 'HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT' .. py:method:: check_compatible() -> None Perform a compatibility check with the target. This function should return ``None`` if the plugin is compatible with the current target (``self.target``). For example, check if a certain file exists. Otherwise it should raise an ``UnsupportedPluginError``. :raises UnsupportedPluginError: If the plugin could not be loaded. .. py:method:: cit() Return CIT data from the registry for executed executable information. CIT data is stored at ``HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System``. It's supposedly application usage data that has yet to be flushed to the amcache. Some of its values are still unknown. Generally only available before Windows 10. .. py:method:: puu() Parse CIT PUU (Post Update Usage) data from the registry. Generally only available since Windows 10. .. py:method:: dp() Parse CIT DP data from the registry. Generally only available since Windows 10. .. py:method:: telemetry() Parse CIT process telemetry answers from the registry. In some versions of Windows, processes would get "telemetry answers" set on their process struct, based on whether certain events happened. Generally only available before Windows 10. .. py:method:: modules() Parse CIT tracked module information from the registry. Contains applications that loaded a tracked module. 
By default these are: \System32\mrt100.dll Microsoft.NET\Framework\v1.0.3705\mscorwks.dll Microsoft.NET\Framework\v1.0.3705\mscorsvr.dll Microsoft.NET\Framework\v1.1.4322\mscorwks.dll Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll Microsoft.NET\Framework\v2.0.50727\mscorwks.dll \Microsoft.NET\Framework\v4.0.30319\clr.dll \Microsoft.NET\Framework64\v4.0.30319\clr.dll \Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll When the number of executables exceeds 64, the ``OverflowQuota`` value is set to the last timestamp. When the path length of an executable exceeds 520 characters, the ``OverflowValue`` value is set. Generally only available since Windows 10.