From 8e161221d71ed578e57034a93a1cb72f0d9c0395 Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Mon, 1 Jan 2024 11:14:31 +0100
Subject: [PATCH] Worked on support for parameter expansion #4259

---
 plaso/output/winevt_rc.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/plaso/output/winevt_rc.py b/plaso/output/winevt_rc.py
index a3e1307e3c..c24bba1181 100644
--- a/plaso/output/winevt_rc.py
+++ b/plaso/output/winevt_rc.py
@@ -341,6 +341,10 @@ class WinevtResourcesHelper(object):
   # LCID 0x0409 is en-US.
   DEFAULT_LCID = 0x0409
 
+  _DEFAULT_PARAMETER_MESSAGE_FILES = (
+      '%SystemRoot%\\System32\\MsObjs.dll',
+      '%SystemRoot%\\System32\\kernel32.dll')
+
   # The maximum number of cached message strings
   _MAXIMUM_CACHED_MESSAGE_STRINGS = 64 * 1024
 
@@ -717,13 +721,15 @@ def _ReadParameterMessageString(
         'windows_eventlog_message_string'):
       return None
 
-    message_file_identifiers = self._GetEventMessageFileIdentifiers(
-        provider.parameter_message_files)
-
-    if not message_file_identifiers:
-      message_file_identifiers = self._GetEventMessageFileIdentifiers(
-          provider.event_message_files)
+    message_files = provider.parameter_message_files
+    if not message_files:
+      # If no parameter message files are defined fallback to the event
+      # message files and default parameter message files.
+      message_files = list(provider.event_message_files)
+      message_files.extend(self._DEFAULT_PARAMETER_MESSAGE_FILES)
 
+    message_file_identifiers = self._GetEventMessageFileIdentifiers(
+        message_files)
     if not message_file_identifiers:
       logger.warning((
           f'No parameter message file for identifier: '
@@ -746,7 +752,6 @@ def _ReadWindowsEventLogProviders(self, storage_reader):
     Args:
       storage_reader (StorageReader): storage reader.
     """
-    # TODO: get windows eventlog providers to the source.
     self._windows_eventlog_providers = {}
     if storage_reader.HasAttributeContainers('windows_eventlog_provider'):
       for provider in storage_reader.GetAttributeContainers(
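Review bot: The new `_DEFAULT_PARAMETER_MESSAGE_FILES` constant is undocumented, and its `%SystemRoot%` form only works if the lookup that consumes it expands environment-variable style path prefixes the same way it does for provider-declared message files; that expansion is not visible in this hunk. I would add a comment above the tuple such as `# Fallback files searched for parameter strings when a provider declares none; paths use the same %SystemRoot% form as provider message files so they resolve through the same lookup.` The class body continues outside the hunk.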
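Review bot: `message_files = list(provider.event_message_files)` raises `TypeError` if the attribute is `None`, whereas the removed code handed the value straight to `_GetEventMessageFileIdentifiers`, which may have tolerated it; unless the attribute container guarantees a sequence, guard it with `message_files = list(provider.event_message_files or [])`. A second concern is that the fallback now searches the provider's event message files plus kernel32.dll and MsObjs.dll for a parameter identifier, and message identifiers are not unique across files, so an identifier could resolve to an unrelated string from a fallback file and be substituted into the rendered event message without any indication that it was a best-effort match; a debug-level log when the string came from a fallback rather than a declared parameter message file would let an analyst tell the two apart. `_ReadParameterMessageString` begins and ends outside the hunk.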