:py:mod:`dissect.target.plugins.os.windows.regf.userassist`
===========================================================

.. py:module:: dissect.target.plugins.os.windows.regf.userassist


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.userassist.UserAssistPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.userassist.userassist_def
   dissect.target.plugins.os.windows.regf.userassist.c_userassist
   dissect.target.plugins.os.windows.regf.userassist.UserAssistRecordDescriptor
   dissect.target.plugins.os.windows.regf.userassist.UserAssistRecord


.. py:data:: userassist_def
   :value: Multiline-String

   .. code-block:: python

      """
      struct VERSION5_ENTRY {
          char padding[4];
          uint32 number_of_executions;
          uint32 application_focus_count;
          uint32 application_focus_duration;
          char padding[44];
          uint64 timestamp;
          char padding[4];
      };

      struct VERSION3_ENTRY {
          uint32 session_id;
          uint32 number_of_executions;
          uint64 timestamp;
      };
      """


.. py:data:: c_userassist

.. py:data:: UserAssistRecordDescriptor

.. py:data:: UserAssistRecord

.. py:class:: UserAssistPlugin(target: dissect.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   UserAssist plugin.

   .. py:attribute:: KEY
      :value: 'HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist'

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: userassist()

      Return the UserAssist information for each user.

      The UserAssist registry keys contain information about programs that were recently executed on the system.
      Programs launched via the command line are not registered within these registry keys.

      .. rubric:: References

      - https://www.magnetforensics.com/blog/artifact-profile-userassist/
      - https://www.aldeid.com/wiki/Windows-userassist-keys

      Yields UserAssistRecords with fields:
          hostname (string): The target hostname.
          domain (string): The target domain.
          ts (datetime): The entry timestamp.
          path (path): The entry path.
          number_of_executions (int): The number of executions for this entry.
          application_focus_count (int): The focus count for this entry.
          application_focus_duration (int): The duration of focus for this entry.
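The two entry layouts in ``userassist_def`` can be decoded with the standard library alone. The sketch below is an added example, not the plugin's own code: it ROT13-decodes a value name and unpacks the binary data into the record fields listed above. The function names, the sample values, and the choice of layout by data length are assumptions of this example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# userassist_def layouts as little-endian struct formats ("x" is one padding byte).
V5 = struct.Struct("<4xIII44xQ4x")  # VERSION5_ENTRY, 72 bytes
V3 = struct.Struct("<IIQ")          # VERSION3_ENTRY, 16 bytes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means no timestamp."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def parse_userassist_value(name, data):
    """Decode one value: ROT13 name plus a VERSION5_ENTRY or VERSION3_ENTRY."""
    focus_count = focus_duration = None
    if len(data) == V5.size:
        executions, focus_count, focus_duration, ft = V5.unpack(data)
    elif len(data) == V3.size:
        _session_id, executions, ft = V3.unpack(data)
    else:
        # Assumption of this example: any other size is not a usable entry.
        raise ValueError(f"unexpected UserAssist entry size: {len(data)}")
    return {
        "ts": filetime_to_datetime(ft),
        "path": codecs.decode(name, "rot_13"),
        "number_of_executions": executions,
        "application_focus_count": focus_count,
        "application_focus_duration": focus_duration,
    }


# Constructed sample data (not taken from a real hive).
SAMPLE_NAME = r"P:\Gbbyf\rknzcyr.rkr"   # ROT13 of C:\Tools\example.exe
SAMPLE_FILETIME = 132223104000000000    # 2020-01-01T00:00:00Z
SAMPLE_V5 = V5.pack(3, 2, 1500, SAMPLE_FILETIME)
SAMPLE_V3 = V3.pack(1, 7, SAMPLE_FILETIME)

if __name__ == "__main__":
    for blob in (SAMPLE_V5, SAMPLE_V3):
        print(parse_userassist_value(SAMPLE_NAME, blob))
```

Entries whose data matches neither size raise ``ValueError`` so that a triage script surfaces them instead of silently skipping them.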