Improved normalization of EventLog paths log2timeline#4890

joachimmetz · Jul 16, 2024 · 926d512 · 926d512
1 parent f24124b
commit 926d512
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/plaso/helpers/windows/eventlog_providers.py b/plaso/helpers/windows/eventlog_providers.py
@@ -33,8 +33,8 @@ def _GetNormalizedPath(self, path):
       path_segments = ['%SystemRoot%', 'System32']
 
     elif path_segments_lower[0] in ('system32', '$(runtime.system32)'):
-        # Note that the path can be relative so if it starts with "System32"
-        # asume this represents "%SystemRoot%\System32".
+      # Note that the path can be relative so if it starts with "System32"
+      # asume this represents "%SystemRoot%\System32".
       path_segments = ['%SystemRoot%', 'System32'] + path_segments[1:]
 
     elif path_segments_lower[0] in (
@@ -43,8 +43,8 @@ def _GetNormalizedPath(self, path):
 
     # Check if path starts with "\SystemRoot\", "\Windows\" or "\WinNT\" for
     # example: "\SystemRoot\system32\drivers\SerCx.sys"
-    elif not path_segments_lower[0] and path_segments_lower[1] in (
-        'systemroot', 'windows', 'winnt'):
+    elif (len(path_segments_lower) > 1 and not path_segments_lower[0] and
+          path_segments_lower[1] in ('systemroot', 'windows', 'winnt')):
       path_segments = ['%SystemRoot%'] + path_segments[2:]
 
     path_segments.append(filename)