Changes for Windows user account without profile log2timeline#4891

joachimmetz · Jul 10, 2024 · 903805c · 903805c
1 parent 2ad42e3
commit 903805c
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 6 deletions.
diff --git a/plaso/preprocessors/mediator.py b/plaso/preprocessors/mediator.py
@@ -112,7 +112,12 @@ def AddUserAccount(self, user_account):
     Raises:
       KeyError: if the user account already exists.
     """
-    logger.debug(f'adding user account: {user_account.username:s}')
+    if not user_account.username:
+      logger.debug(f'adding user account: {user_account.identifier:s}')
+    else:
+      logger.debug(
+          f'adding user account: {user_account.username:s} '
+          f'({user_account.identifier:s})')
 
     if self._storage_writer:
       self._storage_writer.AddAttributeContainer(user_account)

diff --git a/plaso/preprocessors/windows.py b/plaso/preprocessors/windows.py
@@ -902,10 +902,13 @@ def _ParseKey(self, mediator, registry_key, value_name):
     user_account = artifacts.UserAccountArtifact(
         identifier=registry_key.name, path_separator='\\')
 
+    # It has been observed that Azure Entra ID useraccount entries do not
+    # contain ProfileImagePath value.
+
+    username = None
+
     registry_value = registry_key.GetValueByName('ProfileImagePath')
-    if not registry_value:
-      username = 'N/A'
-    else:
+    if registry_value:
       profile_path = registry_value.GetDataAsObject()
       username = self._GetUsernameFromProfilePath(profile_path)
 

diff --git a/tests/preprocessors/windows.py b/tests/preprocessors/windows.py
@@ -713,8 +713,9 @@ def testParseKey(self):
     user_account = storage_writer.GetAttributeContainerByIndex(
        'user_account', 9)
 
-    expected_sid = 'S-1-5-21-2036804247-3058324640-2116585241-1114'
-    self.assertEqual(user_account.identifier, expected_sid)
+    self.assertEqual(
+        user_account.identifier,
+        'S-1-5-21-2036804247-3058324640-2116585241-1114')
     self.assertEqual(user_account.username, 'rsydow')
     self.assertEqual(user_account.user_directory, 'C:\\Users\\rsydow')