Windows Registry artifacts filter and CurrentControlSet

[joachimmetz]

Determine how to properly handle CurrentControlSet for Windows NT and 9x/Me Registry Files.

• In Windows 9x/Me CurrentControlSet is a "real" key
• In Windows NT CurrentControlSet is a virtual key

https://github.com/libyal/winreg-kb/blob/master/docs/sources/system-keys/Current-control-set.md

[joachimmetz]

For now rewrite the key path glob of the artifact from CurrentControlSet to ControlSet*, since 9x/Me files are not yet supported, and we want Plaso to extract all relevant control sets.

Have preprocessor use CurrentControlSet

[joachimmetz]

Related: ForensicArtifacts/artifacts#401

[MikeHofmann]

Just a short Question on this: This means only the CurrentControlSet is being parsed and previous stored known working ControlSet[0-9]{3} are not? And there is no cli-option to include these as well?

[joachimmetz]

This means only the CurrentControlSet is being parsed and previous stored known working ControlSet[0-9]{3} are not?

short answer, no

The pre-processor uses CurrentControlSet which is translated into the corresponding ControlSet key for Windows NT Registry.

The winreg parser includes all control sets, which for Windows NT Registry is ControlSet[0-9]{3}. However for Windows 9x/Me Registry all control sets include the real CurrentControlSet key, which is not supported at the moment.

[MikeHofmann]

The winreg parser includes all control sets, which for Windows NT Registry is ControlSet[0-9]{3}

Sorry if i'm bugging you, but this doesn't fit my observations. I have an Image from a Windows XP machine with multiple ControlSets, but the Services are only parsed from one of the ControlSets (presumable the CurrentControlSet).

[joachimmetz]

@MikeHofmann can you open another issue with the necessary details, you're hijacking an issue that is about the artifacts filter