winevtrc package

Submodules

winevtrc.database module

Read from and write to SQLite databases.

class winevtrc.database.EventProvidersSQLite3DatabaseReader[source]

Bases: winevtrc.database.SQLite3DatabaseReader

Event Log providers SQLite database reader.

GetEventLogProviders()[source]

Retrieves the Event Log providers.

Yields: EventLogProvider – event log provider.

GetMessageFiles()[source]

Retrieves the message filenames.

Yields: tuple[str, str] – message filename and corresponding database filename.

class winevtrc.database.EventProvidersSQLite3DatabaseWriter[source]

Bases: winevtrc.database.SQLite3DatabaseWriter

Event Log providers SQLite database writer.

WriteEventLogProvider(event_log_provider)[source]

Writes the Event Log provider.

Parameters: event_log_provider (EventLogProvider) – event log provider.

WriteMessageFile(message_filename, database_filename)[source]

Writes a Windows message file to the database.

Parameters

message_filename (str) – message filename.
database_filename (str) – database filename.

WriteMessageFilesPerEventLogProvider(event_log_provider, message_filename, message_file_type)[source]

Writes the message files used by an Event Log provider.

Parameters

event_log_provider (EventLogProvider) – event log provider.
message_filename (str) – message filename.
message_file_type (str) – message file type.

class winevtrc.database.MessageFileSQLite3DatabaseReader[source]

Bases: winevtrc.database.SQLite3DatabaseReader

Event Log message file SQLite database reader.

GetMessageTables()[source]

Retrieves the message tables.

Yields

tuple[int, str] –

language code identifier (LCID) and the message file: version.

GetMessages(lcid, file_version)[source]

Retrieves the messages of a specific message table.

Parameters

lcid (str) – language code identifier (LCID).
file_version (str) – message file file version.

Yields

tuple[int, str] – message identifier and message string.

GetStringTables()[source]

Retrieves the string tables.

Yields

tuple[int, str] –

language code identifier (LCID) and the message file: version.

GetStrings(lcid, file_version)[source]

Retrieves the strings of a specific string table.

Parameters

lcid (str) – language code identifier (LCID).
file_version (str) – message file file version.

Yields

tuple[int, str] – string identifier and string.

class winevtrc.database.MessageResourceFileSQLite3DatabaseWriter(message_resource_file)[source]

Bases: winevtrc.database.SQLite3DatabaseWriter

Event Log message resource file SQLite database writer.

WriteResources()[source]: Writes the resources.

class winevtrc.database.ResourcesSQLite3DatabaseReader[source]

Bases: winevtrc.database.SQLite3DatabaseReader

Event Log resources SQLite database reader.

GetEventLogProviders()[source]

Retrieves the Event Log providers.

Yields: EventLogProvider – an Event Log provider.

GetMessage(log_source, lcid, message_identifier)[source]

Retrieves a specific message for a specific Event Log source.

Parameters

log_source (str) – Event Log source.
lcid (int) – language code identifier (LCID).
message_identifier (int) – message identifier.

Returns

the message string or None if not available.

Return type

str

GetMessages(log_source, lcid)[source]

Retrieves the messages of a specific Event Log source.

Parameters

log_source (str) – Event Log source.
lcid (int) – language code identifier (LCID).

Yields

tuple[int, str] – message identifier and message string.

GetMetadataAttribute(attribute_name)[source]

Retrieves the metadata attribute.

Parameters

attribute_name (str) – name of the metadata attribute.

Returns

value of the metadata attribute or None.

Return type

str

Raises

IOError – if more than one value is found in the database.
OSError – if more than one value is found in the database.

class winevtrc.database.ResourcesSQLite3DatabaseWriter(string_format='wrc')[source]

Bases: winevtrc.database.SQLite3DatabaseWriter

Event Log resources SQLite database writer.

WriteEventLogProvider(event_log_provider)[source]

Writes the Event Log provider.

Parameters: event_log_provider (EventLogProvider) – event log provider.

WriteMessageFile(message_file)[source]

Writes the Windows Message Resource file.

Parameters: message_file (MessageFile) – message file.

WriteMessageFilesPerEventLogProvider(event_log_provider, message_filename, message_file_type)[source]

Writes the message files used by an Event Log provider.

Parameters

event_log_provider (EventLogProvider) – event log provider.
message_filename (str) – message filename.
message_file_type (str) – message file type.

WriteMetadataAttribute(attribute_name, attribute_value)[source]

Writes a metadata attribute.

Parameters

attribute_name (str) – name of the metadata attribute.
attribute_value (str) – value of the metadata attribute.

class winevtrc.database.SQLite3DatabaseFile[source]

Bases: object

A SQLite database file.

Close()[source]

Closes the database file.

Raises

IOError – if the database is not opened.
OSError – if the database is not opened.

CreateTable(table_name, column_definitions)[source]

Creates a table.

Parameters

table_name (str) – table name.
column_definitions (list[str]) – column definitions.

Raises

BackendError – if the database back-end raises an exception.
IOError – if the database is not opened or if the database is in read-only mode.
OSError – if the database is not opened or if the database is in read-only mode.

GetValues(table_names, column_names, condition)[source]

Retrieves values from a table.

Parameters

table_names (list[str]) – table names.
column_names (list[str]) – column names.
condition (str) – condition.

Returns

values generator.

Return type

generator

Raises

IOError – if the database is not opened.
OSError – if the database is not opened.

HasTable(table_name)[source]

Determines if a specific table exists.

Parameters

table_name (str) – table name.

Returns

True if the table exists, false otherwise.

Return type

bool

Raises

BackendError – if the database back-end raises an exception.
IOError – if the database is not opened.
OSError – if the database is not opened.

InsertValues(table_name, column_names, values)[source]

Inserts values into a table.

Parameters

table_name (str) – table name.
column_names (list[str]) – column names.
values (list[str]) – values formatted as a string.

Raises

BackendError – if the database back-end raises an exception.
IOError – if the database is not opened or if the database is in read-only mode or if an unsupported value type is encountered.
OSError – if the database is not opened or if the database is in read-only mode or if an unsupported value type is encountered.

Open(filename, read_only=False)[source]

Opens the database file.

Parameters

filename (str) – filename of the database.
read_only (Optional[bool]) – True if the database should be opened in read-only mode. Since sqlite3 does not support a real read-only mode we fake it by only permitting SELECT queries.

Returns

True if successful or False if not.

Return type

bool

Raises

BackendError – if the database back-end raises an exception.
IOError – if the database is already opened.
OSError – if the database is already opened.

class winevtrc.database.SQLite3DatabaseReader[source]

Bases: object

SQLite database reader.

Close()[source]: Closes the database reader.

Open(filename)[source]

Opens the database reader.

Parameters: filename (str) – filename of the database.
Returns: True if successful or False if not.
Return type: bool

class winevtrc.database.SQLite3DatabaseWriter[source]

Bases: object

SQLite database writer.

Close()[source]: Closes the database writer.

Open(filename)[source]

Opens the database writer.

Parameters: filename (str) – filename of the database.
Returns: True if successful or False if not.
Return type: bool

winevtrc.definitions module

The Windows Event Log resource definitions.

winevtrc.environment_variables module

Environment variables collector.

class winevtrc.environment_variables.EnvironmentVariablesCollector[source]

Bases: object

Environment variables collector.

Collect(registry)[source]

Collects environment variables.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Yields: EnvironmentVariable – an environment variable.

winevtrc.errors module

The error objects.

exception winevtrc.errors.BackendError[source]

Bases: winevtrc.errors.Error

Error that is raised for database back-end exceptions.

exception winevtrc.errors.Error[source]

Bases: Exception

The error interface.

winevtrc.eventlog_providers module

Windows Event Log providers collector.

class winevtrc.eventlog_providers.EventLogProvidersCollector[source]

Bases: object

Windows Event Log providers collector.

Collect(registry)[source]

Collects Windows Event Log providers from a Windows Registry.

Parameters: registry (dfwinreg.WinRegistry) – Windows Registry.
Returns: Event Log provider generator.
Return type: generator[EventLogProvider]

winevtrc.extractor module

Windows Event Log message resource extractor.

class winevtrc.extractor.EventMessageStringExtractor(*args: Any, **kwargs: Any)[source]

Bases: dfvfs.helpers.volume_scanner.WindowsVolumeScanner

Windows Event Log message string extractor.

ascii_codepage

ASCII string codepage.

Type: str

missing_message_filenames

names of message files that were not found or without a resource section.

Type: list[str]

missing_resources_message_filenames

names of message files, where both a string and a message table resource is missing.

Type: list[str]

preferred_language_identifier

preferred language identifier (LCID).

Type: int

CollectEventLogProviders()[source]

Retrieves the Event Log providers.

Returns: Event Log providers generator.
Return type: generator[EventLogProvider]

CollectSystemEnvironmentVariables()[source]: Collects the system environment variables.

GetMessageResourceFile(event_log_provider, message_filename)[source]

Retrieves an Event Log message resource file.

Parameters

event_log_provider (EventLogProvider) – Event Log provider.
message_filename (str) – message filename.

Returns

message resource file or None if not available or: already processed.

Return type

MessageResourceFile

GetNormalizedMessageFilePath(path)[source]

Retrieves a normalized variant of a message file path.

Parameters: path (str) – path of a message file.
Returns: normalized path of a message file.
Return type: str

property windows_version: The Windows version (getter).

class winevtrc.extractor.EventMessageStringRegistryFileReader(*args: Any, **kwargs: Any)[source]

Bases: dfwinreg.interface.WinRegistryFileReader

Class that defines a Windows Registry file reader.

Open(path, ascii_codepage='cp1252')[source]

Opens the Windows Registry file specified by the path.

Parameters

path (str) – path of the Windows Registry file. The path is a Windows path relative to the root of the file system that contains the specific Windows Registry file. E.g. C:WindowsSystem32configSYSTEM
ascii_codepage (Optional[str]) – ASCII string codepage.

Returns

Windows Registry file or None if the file cannot: be opened.

Return type

WinRegistryFile

winevtrc.resource_file module

Windows Message Resource file.

class winevtrc.resource_file.MessageResourceFile(windows_path, ascii_codepage='cp1252', preferred_language_identifier=1033)[source]

Bases: object

Windows Message Resource file.

windows_path

Windows path of the message resource file.

Type: str

Close()[source]

Closes the Windows Message Resource file.

Raises

IOError – if not open.
OSError – if not open.

GetMUILanguage()[source]

Retrieves the MUI language.

Returns: MUI language or None if not available.
Return type: str

GetMUIResource()[source]

Retrieves the MUI resource.

Returns: MUI resource or None if not available.
Return type: pywrc.mui_resource

GetMessageTableResource()[source]

Retrieves the message table resource.

Returns

resource containing the message table resource or None: if not available.

Return type

pywrc.resource

GetStringTableResource()[source]

Retrieves the string table resource.

Returns

resource containing the string table resource or None: if not available.

Return type

pywrc.resource

HasMessageTableResource()[source]

Determines if the resource file as a message table resource.

Returns: True if the resource file as a message table resource.
Return type: bool

HasStringTableResource()[source]

Determines if the resource file as a string table resource.

Returns: True if the resource file as a string table resource.
Return type: bool

OpenFileObject(file_object)[source]

Opens the Windows Message Resource file using a file-like object.

Parameters

file_object (file) – file-like object.

Raises

IOError – if already open.
OSError – if already open.

property file_version

the file version.

Type: str

property product_version

the product version.

Type: str

winevtrc.resources module

Windows Event Log resources.

class winevtrc.resources.EnvironmentVariable(name, value)[source]

Bases: object

Environment variable.

name

name.

Type: str

value

value.

Type: str

class winevtrc.resources.EventLogProvider(identifier, log_source, log_type)[source]

Bases: object

Windows Event Log provider.

additional_identifier

additional identifier of the provider, contains a GUID.

Type: str

category_message_files

filenames of the category message files.

Type: set[str]

event_message_files

filenames of the event message files.

Type: set[str]

identifier

identifier of the provider, contains a GUID.

Type: str

log_sources

names of the Windows Event Log source.

Type: list[str]

log_type

Windows Event Log type.

Type: str

parameter_message_files

filenames of the parameter message files.

Type: set[str]

SetCategoryMessageFilenames(category_message_filenames)[source]

Sets the category message filenames.

Parameters: category_message_filenames (str|list[str]) – category message filenames, where multiple filenames in the same string are separated by ‘;’.

SetEventMessageFilenames(event_message_filenames)[source]

Sets the event message filenames.

Parameters: event_message_filenames (str|list[str]) – event message filenames, where multiple filenames in the same string are separated by ‘;’.

SetParameterMessageFilenames(parameter_message_filenames)[source]

Sets the parameter message filenames.

Parameters: parameter_message_filenames (str|list[str]) – parameter message filenames, where multiple filenames in the same string are separated by ‘;’.

property log_source

name of the Windows Event Log source.

Type: str

class winevtrc.resources.MessageFile(name)[source]

Bases: object

Class that defines a Windows Event Log message file.

name

name.

Type: str

windows_path

Windows path.

Type: str

AppendMessageTable(lcid, file_version)[source]

Appends a message table.

Parameters

lcid (int) – language identifier (LCID).
file_version (str) – Windows Event Log resource file version of the file that contains the message table.

AppendStringTable(lcid, file_version)[source]

Appends a string table.

Parameters

lcid (int) – language identifier (LCID).
file_version (str) – Windows Event Log resource file version of the file that contains the string table.

GetMessageTable(lcid)[source]

Retrieves the message table for a specific language.

Parameters: lcid (int) – language identifier (LCID).
Returns: message table or None.
Return type: MessageTable

GetMessageTables()[source]

Retrieves the message tables.

Yields: MessageTable – message table.

GetStringTable(lcid)[source]

Retrieves the string table for a specific language.

Parameters: lcid (int) – language identifier (LCID).
Returns: string table or None.
Return type: StringTable

GetStringTables()[source]

Retrieves the string tables.

Yields: StringTable – string table.

class winevtrc.resources.MessageTable(lcid)[source]

Bases: object

Class that contains the messages per language.

file_versions

Windows Event Log resource file versions.

Type: list[str]

lcid

language identifier (LCID).

Type: int

message_strings

Windows Event Log resource message strings.

Type: list[str]

class winevtrc.resources.StringTable(lcid)[source]

Bases: object

Class that contains the strings per language.

file_versions

Windows Event Log resource file versions.

Type: list[str]

lcid

language identifier (LCID).

Type: int

strings

Windows Event Log resource strings.

Type: list[str]

Module contents

Windows Event Log resources (winevtrc).