Module userassist

Author: Jamie Levy (gleeda)

License: GNU General Public License 2.0 or later

Contact: jamie.levy@gmail.com

Organization: Volatile Systems

Classes
  UserAssistModification
Add special types to the profile to deal with user assist records.
  UserAssist
Print userassist registry keys and information
Variables
  ua_win7_vtypes = {'_VOLUSER_ASSIST_TYPES': [72, {'Count': [4, ...
  ua_vtypes = {'_VOLUSER_ASSIST_TYPES': [16, {'CountStartingAtFi...
  FOLDER_GUIDS = {'{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}': '%AL...
  __package__ = 'rekall.plugins.windows.registry'
Variables Details

ua_win7_vtypes

Value:
{'_VOLUSER_ASSIST_TYPES': [72,
                           {'Count': [4, ['unsigned int']],
                            'FocusCount': [8, ['unsigned int']],
                            'FocusTime': [12, ['unsigned int']],
                            'LastUpdated': [60, ['WinFileTime']]}]}

ua_vtypes

Value:
{'_VOLUSER_ASSIST_TYPES': [16,
                           {'CountStartingAtFive': [4,
                                                    ['unsigned int']],
                            'ID': [0, ['unsigned int']],
                            'LastUpdated': [8, ['WinFileTime']]}]}

FOLDER_GUIDS

Value:
{'{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}': '%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs',
 '{054FAE61-4DD8-4787-80B6-090220C4B700}': 'GameExplorer',
 '{0762D272-C50A-4BB0-A382-697DCD729B80}': '%SystemDrive%\\Users',
 '{0AC0837C-BBF8-452A-850D-79D08E667CA7}': '(My) Computer',
 '{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}': 'Sync Setup',
 '{15CA69B3-30EE-49C1-ACE1-6B5EC372AFB5}': '%PUBLIC%\\Music\\Sample Playlists',
...