winevtrc package
Submodules
winevtrc.database module
Read from and write to SQLite databases.
- class winevtrc.database.ResourcesSQLite3DatabaseReader[source]
Bases:
object
Event Log resources SQLite database reader.
- GetEventLogProviders()[source]
Retrieves the Event Log providers.
- Yields:
EventLogProvider – an Event Log provider.
- GetMessage(log_source, lcid, message_identifier)[source]
Retrieves a specific message for a specific Event Log source.
- Parameters:
log_source (str) – Event Log source.
lcid (int) – language code identifier (LCID).
message_identifier (int) – message identifier.
- Returns:
the message string or None if not available.
- Return type:
str
- GetMessages(log_source, lcid)[source]
Retrieves the messages of a specific Event Log source.
- Parameters:
log_source (str) – Event Log source.
lcid (int) – language code identifier (LCID).
- Yields:
tuple[int, str] – message identifier and message string.
- GetMetadataAttribute(attribute_name)[source]
Retrieves the metadata attribute.
- Parameters:
attribute_name (str) – name of the metadata attribute.
- Returns:
value of the metadata attribute or None.
- Return type:
str
- Raises:
IOError – if more than one value is found in the database.
OSError – if more than one value is found in the database.
- class winevtrc.database.ResourcesSQLite3DatabaseWriter(string_format='wrc')[source]
Bases:
object
Event Log resources SQLite database writer.
- Open(filename)[source]
Opens the database writer.
- Parameters:
filename (str) – filename of the database.
- Returns:
True if successful or False if not.
- Return type:
bool
- WriteEventLogProvider(event_log_provider)[source]
Writes the Event Log provider.
- Parameters:
event_log_provider (EventLogProvider) – Event Log provider.
- WriteMessageFile(message_file)[source]
Writes a message file.
- Parameters:
message_file (ExportMessageFile) – message file.
- WriteMessageFilesPerEventLogProvider(event_log_provider, message_filename, message_file_type)[source]
Writes the message files used by an Event Log provider.
- Parameters:
event_log_provider (EventLogProvider) – Event Log provider.
message_filename (str) – message filename.
message_file_type (str) – message file type.
- WriteMessageTable(message_file, message_table)[source]
Writes a message table for a specific language identifier.
- Parameters:
message_file (ExportMessageFile) – message file.
message_table (MessageTable) – message table.
- class winevtrc.database.SQLite3DatabaseFile[source]
Bases:
object
A SQLite database file.
- Close()[source]
Closes the database file.
- Raises:
IOError – if the database is not opened.
OSError – if the database is not opened.
- CreateTable(table_name, column_definitions)[source]
Creates a table.
- Parameters:
table_name (str) – table name.
column_definitions (list[str]) – column definitions.
- Raises:
BackendError – if the database back-end raises an exception.
IOError – if the database is not opened or if the database is in read-only mode.
OSError – if the database is not opened or if the database is in read-only mode.
- GetValues(table_names, column_names, condition)[source]
Retrieves values from a table.
- Parameters:
table_names (list[str]) – table names.
column_names (list[str]) – column names.
condition (str) – condition.
- Returns:
values generator.
- Return type:
generator
- Raises:
IOError – if the database is not opened.
OSError – if the database is not opened.
- HasTable(table_name)[source]
Determines if a specific table exists.
- Parameters:
table_name (str) – table name.
- Returns:
True if the table exists, False otherwise.
- Return type:
bool
- Raises:
BackendError – if the database back-end raises an exception.
IOError – if the database is not opened.
OSError – if the database is not opened.
- InsertValues(table_name, column_names, values)[source]
Inserts values into a table.
- Parameters:
table_name (str) – table name.
column_names (list[str]) – column names.
values (list[str]) – values formatted as a string.
- Raises:
BackendError – if the database back-end raises an exception.
IOError – if the database is not opened or if the database is in read-only mode or if an unsupported value type is encountered.
OSError – if the database is not opened or if the database is in read-only mode or if an unsupported value type is encountered.
- Open(filename, read_only=False)[source]
Opens the database file.
- Parameters:
filename (str) – filename of the database.
read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.
- Returns:
True if successful or False if not.
- Return type:
bool
- Raises:
BackendError – if the database back-end raises an exception.
IOError – if the database is already opened.
OSError – if the database is already opened.
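The read-only behaviour described for `Open()` above can also be enforced by the SQLite engine itself. The following is an added example, not winevtrc code: it opens an existing database through a `mode=ro` URI and installs a `sqlite3` authorizer that only lets SELECT statements compile. The helper names and the `messages` table are hypothetical, and the sample data is constructed.

```python
import pathlib
import sqlite3
import tempfile

# Authorizer action codes a plain SELECT needs; everything else is denied.
_SELECT_ACTIONS = frozenset(
    (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION))


def _select_only(action, *unused_arguments):
    """Authorizer callback that only lets SELECT statements compile."""
    if action in _SELECT_ACTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_read_only(filename, select_only=True):
    """Opens an existing database read-only (hypothetical helper)."""
    # mode=ro makes SQLite refuse writes and refuse to create a missing file.
    uri = pathlib.Path(filename).resolve().as_uri() + '?mode=ro'
    connection = sqlite3.connect(uri, uri=True)
    if select_only:
        connection.set_authorizer(_select_only)
    return connection


def is_rejected(connection, statement):
    """Returns True if the database back-end refuses the statement."""
    try:
        connection.execute(statement)
    except sqlite3.Error:
        return True
    return False


def demo():
    """Runs the checks against a constructed sample database."""
    results = {}
    with tempfile.TemporaryDirectory() as directory:
        path = pathlib.Path(directory) / 'sample.db'
        writer = sqlite3.connect(str(path))
        # Constructed sample table, not the winevtrc schema.
        writer.execute('CREATE TABLE messages (identifier INTEGER, text TEXT)')
        writer.execute("INSERT INTO messages VALUES (1, 'constructed message')")
        writer.commit()
        writer.close()

        engine_only = open_read_only(path, select_only=False)
        results['insert_rejected'] = is_rejected(
            engine_only, "INSERT INTO messages VALUES (2, 'changed')")
        engine_only.close()

        reader = open_read_only(path)
        results['rows'] = reader.execute(
            'SELECT identifier, text FROM messages').fetchall()
        results['pragma_rejected'] = is_rejected(
            reader, 'PRAGMA journal_mode = WAL')
        results['attach_rejected'] = is_rejected(
            reader, "ATTACH DATABASE ':memory:' AS scratch")
        reader.close()

        try:
            open_read_only(pathlib.Path(directory) / 'missing.db').close()
            results['missing_file_opened'] = True
        except sqlite3.OperationalError:
            results['missing_file_opened'] = False
    return results
```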
winevtrc.definitions module
The Windows Event Log resource definitions.
winevtrc.dfvfs_helpers module
dfVFS helpers.
- winevtrc.dfvfs_helpers.AddDFVFSCLIArguments(argument_parser)[source]
Adds dfVFS command line arguments.
- Parameters:
argument_parser (argparse.ArgumentParser) – argument parser.
- class winevtrc.dfvfs_helpers.DFVFSFileSystemHelper(*args: Any, **kwargs: Any)[source]
Bases:
FileSystemHelper, VolumeScanner
dfVFS file system helper.
- BasenamePath(path)[source]
Determines the basename of the path.
- Parameters:
path (str) – path.
- Returns:
basename of the path.
- Return type:
str
- CheckFileExistsByPath(path)[source]
Checks if a specific file exists.
- Parameters:
path (str) – path of the file.
- Returns:
True if the file exists, False otherwise.
- Return type:
bool
- DirnamePath(path)[source]
Determines the directory name of the path.
- Parameters:
path (str) – path.
- Returns:
directory name of the path or None.
- Return type:
str
- GetFileSizeByPath(path)[source]
Retrieves the size of a specific file.
- Parameters:
path (str) – path of the file.
- Returns:
size of the file in bytes or None if not available.
- Return type:
int
- JoinPath(path_segments)[source]
Joins the path segments into a path.
- Parameters:
path_segments (list[str]) – path segments.
- Returns:
joined path segments prefixed with the path separator.
- Return type:
str
- ListDirectory(path)[source]
Lists the entries in a directory.
- Parameters:
path (str) – path of the directory.
- Yields:
str – name of a directory entry.
- OpenFileByPath(path)[source]
Opens a specific file.
- Parameters:
path (str) – path of the file.
- Returns:
file-like object of the file.
- Return type:
file
- OpenFileSystem(path_spec)[source]
Opens a file system.
- Parameters:
path_spec (dfvfs.PathSpec) – file system path specification.
winevtrc.documentation module
Documentation writers.
- class winevtrc.documentation.DocumentationFileWriter(path)[source]
Bases:
object
Documentation file writer.
- class winevtrc.documentation.EventLogProviderMarkdownWriter(path)[source]
Bases:
DocumentationFileWriter
Event Log provider Markdown file writer.
- WriteEventLogProvider(event_log_provider, windows_versions)[source]
Writes an Event Log provider to a Markdown file.
- Parameters:
event_log_provider (EventLogProvider) – Event Log provider.
windows_versions (list[str]) – strings that identify the Windows versions.
- class winevtrc.documentation.EventLogProvidersIndexRstWriter(path)[source]
Bases:
DocumentationFileWriter
Event Log providers index.rst file writer.
- class winevtrc.documentation.MessageFileMarkdownWriter(path)[source]
Bases:
DocumentationFileWriter
Message file Markdown file writer.
- WriteMessageFile(message_file)[source]
Writes a message file.
- Parameters:
message_file (ExportMessageFile) – message file.
- class winevtrc.documentation.MessageFilesIndexRstWriter(path)[source]
Bases:
DocumentationFileWriter
Message files index.rst file writer.
winevtrc.errors module
The error objects.
winevtrc.eventlog_providers module
Windows Event Log providers collector.
- class winevtrc.eventlog_providers.EventLogProvidersCollector[source]
Bases:
object
Windows Event Log providers collector.
- Collect(registry)[source]
Collects Windows Event Log providers from a Windows Registry.
- Parameters:
registry (dfwinreg.WinRegistry) – Windows Registry.
- Returns:
Event Log provider generator.
- Return type:
generator[EventLogProvider]
winevtrc.exporter module
Windows Event Log message resource exporter.
- class winevtrc.exporter.ExportEventLogProvider(name)[source]
Bases:
object
Event Log provider.
- name
name.
- Type:
str
- providers_with_versions
Event Log providers with corresponding Windows versions.
- Type:
list[tuple[EventLogProvider, list[str]]]
- class winevtrc.exporter.ExportMessageFile(name)[source]
Bases:
object
Windows Event Log message file.
- message_tables
message tables.
- Type:
list[MessageTable]
- name
name.
- Type:
str
- windows_path
Windows path.
- Type:
str
- class winevtrc.exporter.Exporter[source]
Bases:
object
Exports the strings extracted from Windows EventLog message files.
- Export(source_path, output_writer)[source]
Exports the strings extracted from message files.
- Parameters:
source_path (str) – source path.
output_writer (ExporterOutputWriter) – output writer.
- class winevtrc.exporter.ExporterOutputWriter[source]
Bases:
object
Exporter output writer.
- abstract Open()[source]
Opens the output writer.
- Returns:
True if successful or False if not.
- Return type:
bool
- abstract WriteEventLogProvider(export_event_log_provider)[source]
Writes an Event Log provider.
- Parameters:
export_event_log_provider (ExportEventLogProvider) – Event Log provider.
- abstract WriteMessageFile(message_file)[source]
Writes a message file.
- Parameters:
message_file (ExportMessageFile) – message file.
- abstract WriteMessageFilesPerEventLogProvider(event_log_provider, message_file)[source]
Writes a mapping between an Event Log provider and a message file.
- Parameters:
event_log_provider (EventLogProvider) – Event Log provider.
message_file (ExportMessageFile) – message file.
winevtrc.extractor module
Windows Event Log message resource extractor.
- class winevtrc.extractor.EventMessageStringExtractor(*args: Any, **kwargs: Any)[source]
Bases:
WindowsVolumeScanner
Windows Event Log message string extractor.
- ascii_codepage
ASCII string codepage.
- Type:
str
- missing_message_filenames
names of message files that were not found or without a resource section.
- Type:
list[str]
- missing_resources_message_filenames
names of message files, where both a string and a message table resource is missing.
- Type:
list[str]
- preferred_language_identifier
preferred language identifier (LCID).
- Type:
int
- CollectEventLogProviders()[source]
Retrieves the Event Log providers.
- Yields:
EventLogProvider – Event Log provider.
- GetMessageResourceFile(event_log_provider, message_filename)[source]
Retrieves an Event Log message resource file.
- Parameters:
event_log_provider (EventLogProvider) – Event Log provider.
message_filename (str) – message filename.
- Returns:
message resource file or None if not available or already processed.
- Return type:
- GetNormalizedMessageFilePath(path)[source]
Retrieves a normalized variant of a message file path.
- Parameters:
path (str) – path of a message file.
- Returns:
normalized path of a message file.
- Return type:
str
- ScanForWindowsVolume(source_path, options=None)[source]
Scans for a Windows volume.
- Parameters:
source_path (str) – source path.
options (Optional[VolumeScannerOptions]) – volume scanner options. If None the default volume scanner options are used, which are defined in the VolumeScannerOptions class.
- Returns:
True if a Windows volume was found.
- Return type:
bool
- Raises:
ScannerError – if the source path does not exist, or if the source path is not a file or directory, or if the format of or within the source file is not supported.
- __init__(debug=False, mediator=None)[source]
Initializes a Windows Event Log message string extractor.
- Parameters:
debug (Optional[bool]) – True if debug information should be printed.
mediator (dfvfs.VolumeScannerMediator) – a volume scanner mediator or None.
- property windows_version
The Windows version (getter).
winevtrc.file_system module
File system helper.
- class winevtrc.file_system.FileSystemHelper[source]
Bases:
object
File system helper interface.
- abstract BasenamePath(path)[source]
Determines the basename of the path.
- Parameters:
path (str) – path.
- Returns:
basename of the path.
- Return type:
str
- abstract CheckFileExistsByPath(path)[source]
Checks if a specific file exists.
- Parameters:
path (str) – path of the file.
- Returns:
True if the file exists, False otherwise.
- Return type:
bool
- abstract DirnamePath(path)[source]
Determines the directory name of the path.
- Parameters:
path (str) – path.
- Returns:
directory name of the path or None.
- Return type:
str
- abstract GetFileSizeByPath(path)[source]
Retrieves the size of a specific file.
- Parameters:
path (str) – path of the file.
- Returns:
size of the file in bytes.
- Return type:
int
- abstract JoinPath(path_segments)[source]
Joins the path segments into a path.
- Parameters:
path_segments (list[str]) – path segments.
- Returns:
joined path segments prefixed with the path separator.
- Return type:
str
- abstract ListDirectory(path)[source]
Lists the entries in a directory.
- Parameters:
path (str) – path of the directory.
- Yields:
str – name of a directory entry.
- class winevtrc.file_system.NativeFileSystemHelper[source]
Bases:
object
Python native system helper.
- BasenamePath(path)[source]
Determines the basename of the path.
- Parameters:
path (str) – path.
- Returns:
basename of the path.
- Return type:
str
- CheckFileExistsByPath(path)[source]
Checks if a specific file exists.
- Parameters:
path (str) – path of the file.
- Returns:
True if the file exists, False otherwise.
- Return type:
bool
- DirnamePath(path)[source]
Determines the directory name of the path.
- Parameters:
path (str) – path.
- Returns:
directory name of the path or None.
- Return type:
str
- GetFileSizeByPath(path)[source]
Retrieves the size of a specific file.
- Parameters:
path (str) – path of the file.
- Returns:
size of the file in bytes.
- Return type:
int
- JoinPath(path_segments)[source]
Joins the path segments into a path.
- Parameters:
path_segments (list[str]) – path segments.
- Returns:
joined path segments prefixed with the path separator.
- Return type:
str
- ListDirectory(path)[source]
Lists the entries in a directory.
- Parameters:
path (str) – path of the directory.
- Yields:
str – name of a directory entry.
winevtrc.resource_file module
Windows Resource file.
- class winevtrc.resource_file.WindowsResourceFile(windows_path, ascii_codepage='cp1252', preferred_language_identifier=1033)[source]
Bases:
object
Windows Resource file.
- windows_path
Windows path of the resource file.
- Type:
str
- Close()[source]
Closes the Windows Resource file.
- Raises:
IOError – if not open.
OSError – if not open.
- GetMUILanguage()[source]
Retrieves the MUI language.
- Returns:
MUI language or None if not available.
- Return type:
str
- GetMUIResource()[source]
Retrieves the MUI resource.
- Returns:
MUI resource or None if not available.
- Return type:
pywrc.mui_resource
- GetMessageTableResource()[source]
Retrieves the message table resource.
- Returns:
resource containing the message table resource or None if not available.
- Return type:
pywrc.resource
- HasMessageTableResource()[source]
Determines if the resource file has a message table resource.
- Returns:
True if the resource file has a message table resource.
- Return type:
bool
- OpenFileObject(file_object)[source]
Opens the Windows Resource file using a file-like object.
- Parameters:
file_object (file) – file-like object.
- Raises:
IOError – if already open.
OSError – if already open.
- __init__(windows_path, ascii_codepage='cp1252', preferred_language_identifier=1033)[source]
Initializes the Windows Resource file.
- Parameters:
windows_path (str) – normalized version of the Windows path.
ascii_codepage (Optional[str]) – ASCII string codepage.
preferred_language_identifier (Optional[int]) – preferred language identifier (LCID).
- property file_version
the file version.
- Type:
str
- property product_version
the product version.
- Type:
str
winevtrc.resources module
Windows Event Log resources.
- class winevtrc.resources.EnvironmentVariable(name, value)[source]
Bases:
object
Environment variable.
- name
name.
- Type:
str
- value
value.
- Type:
str
- class winevtrc.resources.EventLogProvider(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Windows Event Log provider.
- additional_identifier
additional identifier of the provider, contains a GUID.
- Type:
str
- category_message_files
paths of the category message files.
- Type:
set[str]
- event_message_files
paths of the event message files.
- Type:
set[str]
- identifier
identifier of the provider, contains a GUID.
- Type:
str
- log_sources
names of the corresponding Event Log sources.
- Type:
list[str]
- log_types
Windows Event Log types.
- Type:
list[str]
- name
name of the provider.
- Type:
str
- parameter_message_files
paths of the parameter message files.
- Type:
set[str]
- windows_version
Windows version.
- Type:
str
- CONTAINER_TYPE = 'windows_eventlog_provider'
- SCHEMA = {'additional_identifier': 'str', 'category_message_files': 'List[str]', 'event_message_files': 'List[str]', 'identifier': 'str', 'log_sources': 'List[str]', 'log_types': 'List[str]', 'name': 'str', 'parameter_message_files': 'List[str]', 'windows_version': 'str'}
- SetCategoryMessageFilenames(category_message_filenames)[source]
Sets the category message filenames.
- Parameters:
category_message_filenames (str|list[str]) – category message filenames, where multiple filenames in the same string are separated by ‘;’.
- SetEventMessageFilenames(event_message_filenames)[source]
Sets the event message filenames.
- Parameters:
event_message_filenames (str|list[str]) – event message filenames, where multiple filenames in the same string are separated by ‘;’.
- SetParameterMessageFilenames(parameter_message_filenames)[source]
Sets the parameter message filenames.
- Parameters:
parameter_message_filenames (str|list[str]) – parameter message filenames, where multiple filenames in the same string are separated by ‘;’.
- property log_source
name of the Windows Event Log source.
- Type:
str
- class winevtrc.resources.MessageFileDatabaseDescriptor(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Windows Event Log message file database descriptor.
- database_filename
database filename.
- Type:
str
- message_filename
message filename.
- Type:
str
- CONTAINER_TYPE = 'message_file_database'
- SCHEMA = {'database_filename': 'str', 'message_filename': 'str'}
- class winevtrc.resources.MessageFileDescriptor(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Windows Event Log message file descriptor.
- file_version
file version.
- Type:
str
- message_filename
message filename.
- Type:
str
- product_version
product version.
- Type:
str
- windows_version
Windows version.
- Type:
str
- CONTAINER_TYPE = 'message_file'
- SCHEMA = {'file_version': 'str', 'message_filename': 'str', 'product_version': 'str', 'windows_version': 'str'}
- __init__(file_version=None, message_filename=None, product_version=None, windows_version=None)[source]
Initializes a Windows Event Log message file descriptor.
- Parameters:
file_version (Optional[str]) – file version.
message_filename (Optional[str]) – message filename.
product_version (Optional[str]) – product version.
windows_version (Optional[str]) – Windows version.
- class winevtrc.resources.MessageStringDescriptor(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Windows Event Log message string descriptor.
- identifier
message identifier.
- Type:
int
- text
message text.
- Type:
str
- CONTAINER_TYPE = 'message_string'
- GetMessageTableIdentifier()[source]
Retrieves the identifier of the associated message table.
- Returns:
message table identifier or None when not set.
- Return type:
AttributeContainerIdentifier
- SCHEMA = {'_message_table_identifier': 'AttributeContainerIdentifier', 'identifier': 'int', 'text': 'str'}
- class winevtrc.resources.MessageTable(language_identifier)[source]
Bases:
object
Class that contains the messages per language.
- file_versions
Windows Event Log resource file versions.
- Type:
list[str]
- language_identifier
language identifier (LCID).
- Type:
int
- message_strings
Windows Event Log resource message strings per identifier.
- Type:
dict[int, str]
- __init__(language_identifier)[source]
Initializes the message table.
- Parameters:
language_identifier (int) – language identifier (LCID).
- property lcid
language identifier (LCID).
- Type:
int
- class winevtrc.resources.MessageTableDescriptor(*args: Any, **kwargs: Any)[source]
Bases:
AttributeContainer
Windows Event Log message table descriptor.
- language_identifier
language identifier (LCID).
- Type:
int
- CONTAINER_TYPE = 'message_table'
- GetMessageFileIdentifier()[source]
Retrieves the identifier of the associated message file.
- Returns:
message file identifier or None when not set.
- Return type:
AttributeContainerIdentifier
- SCHEMA = {'_message_file_identifier': 'AttributeContainerIdentifier', 'language_identifier': 'int'}
winevtrc.storage module
Attribute container store.
- class winevtrc.storage.JSONStringsListAttributeSerializer(*args: Any, **kwargs: Any)[source]
Bases:
AttributeSerializer
JSON strings list attribute serializer.
winevtrc.versions module
Windows versions.
Module contents
Windows Event Log resources (winevtrc).