:py:mod:`dissect.target.plugins.os.windows.regf.runkeys`
========================================================

.. py:module:: dissect.target.plugins.os.windows.regf.runkeys


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.runkeys.RunKeysPlugin

Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.runkeys.RunKeyRecord

.. py:data:: RunKeyRecord

.. py:class:: RunKeysPlugin(target: dissect.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Plugin that iterates various run key locations.

   .. py:attribute:: KEYS
      :value: ['HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run',...

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``). For example, check if a certain file exists. Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: runkeys() -> Iterator[RunKeyRecord]

      Iterate various run key locations. See source for all locations.

      Run keys (Run and RunOnce) are registry keys that make a program run when a user logs on. A Run key runs its program every time the user logs on; a RunOnce key runs the program once and the key is deleted afterwards. Run keys are often leveraged as a persistence mechanism.

      .. rubric:: References

      - https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys

      Yields RunKeyRecords with fields:

      - hostname (string): The target hostname.
      - domain (string): The target domain.
      - ts (datetime): The registry key last modified timestamp.
      - name (string): The run key name.
      - command (command): The run key command.
      - key (string): The source key for this run key.
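
The following is an added example, not part of dissect's own code: a triage pass over records that carry the fields listed above, flagging run key entries an analyst would review first when hunting for persistence. The ``Row`` stand-in, the heuristics, the sample records and the names ``triage``, ``SAMPLE`` and ``WINDOW_START`` are all assumptions made for illustration.

```python
import re
from collections import namedtuple
from datetime import datetime, timezone

# Stand-in with the RunKeyRecord fields listed above (constructed; not dissect's class).
Row = namedtuple("Row", "hostname domain ts name command key")

# Hypothetical triage heuristics; tune them for your environment.
WRITABLE_DIR = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
SCRIPT_HOST = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b", re.I)

def triage(rows, since=None):
    """Return [(row, reasons)] for every row that matches at least one heuristic."""
    findings = []
    for row in rows:
        cmd, reasons = str(row.command), []
        if WRITABLE_DIR.search(cmd):
            reasons.append("commonly writable directory")
        if SCRIPT_HOST.search(cmd):
            reasons.append("script host or proxy binary")
        if "\\runonce" in row.key.lower():
            reasons.append("pending RunOnce entry")  # RunOnce keys are deleted after running
        if since is not None and row.ts >= since:
            reasons.append("key modified in window")  # ts is the key's last-modified time
        if reasons:
            findings.append((row, reasons))
    return findings

def _ts(day):
    return datetime(2024, 5, day, tzinfo=timezone.utc)

CV = r"\Software\Microsoft\Windows\CurrentVersion"
SAMPLE = [  # constructed records, not taken from a real host
    Row("WS01", "corp.example", _ts(20), "Agent",
        r'"C:\Program Files\Vendor\agent.exe" /background',
        "HKEY_LOCAL_MACHINE" + CV + r"\Policies\Explorer\Run"),
    Row("WS01", "corp.example", _ts(2), "Updater",
        r"C:\Users\bob\AppData\Roaming\upd.exe", "HKEY_CURRENT_USER" + CV + r"\Run"),
    Row("WS01", "corp.example", _ts(3), "Task",
        r"powershell.exe -NoProfile -File C:\ProgramData\task.ps1",
        "HKEY_LOCAL_MACHINE" + CV + r"\RunOnce"),
]
WINDOW_START = _ts(15)  # constructed start of the investigation window

if __name__ == "__main__":
    for row, reasons in triage(SAMPLE, since=WINDOW_START):
        print(row.ts.isoformat(), row.key, row.name, "->", ", ".join(reasons))
```

The function only reads the documented field names, so it is written to accept the records yielded by ``runkeys()`` as well, on the assumption that ``str(record.command)`` gives the full command line.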