dissect.target icon indicating copy to clipboard operation
dissect.target copied to clipboard
verified publisher icon fox-it

Extend mru plugin to parse OpenSavePidlMRU and LastVisitedPidlMRU keys

Open M1ra1B0T opened this issue 9 months ago • 3 comments

This pull request extends the mru plugin and adds the capabilities to parse OpenSavePidlMRU and LastVisitedPidlMRU mru keys, which are existing since Windows Vista.

M1ra1B0T avatar Mar 07 '25 15:03 M1ra1B0T

@Schamper

Another general improvement question for this plugin, it's been a long time since I've looked at MRU so forgive me if it's a dumb question: it looks like a lot of the parsed out values are file paths, can we use the new (as in, didn't exist at the time of writing this plugin originally) path field type? That way we can benefit when running plugins that yield records containing file paths.

Mh, you could end up with paths that start with or contain parts like Shared Documents Folder (Users Files)\\<USERS_PROPERTY_VIEW {f42ee2d3-909f-4907-8871-4c22fc0bf756}>\\, were < and >would be forbidden characters for windows paths, however does this affect your path handling?

M1ra1B0T avatar Apr 10 '25 13:04 M1ra1B0T

Mh, you could end up with paths that start with or contain parts like Shared Documents Folder (Users Files)\\<USERS_PROPERTY_VIEW {f42ee2d3-909f-4907-8871-4c22fc0bf756}>\\, were < and >would be forbidden characters for windows paths, however does this affect your path handling?

Hm alright, nevermind in that case. Just keep that as it is then 😄

Schamper avatar Apr 10 '25 14:04 Schamper

Codecov Report

:x: Patch coverage is 95.55556% with 2 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 80.63%. Comparing base (9058c70) to head (f48d046). :warning: Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
dissect/target/plugins/os/windows/regf/mru.py 95.55% 2 Missing :warning:
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1061      +/-   ##
==========================================
+ Coverage   80.61%   80.63%   +0.02%     
==========================================
  Files         374      374              
  Lines       33158    33184      +26     
==========================================
+ Hits        26729    26759      +30     
+ Misses       6429     6425       -4
Flag Coverage Δ
unittests 80.63% <95.55%> (+0.02%) :arrow_up:

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

codecov[bot] avatar Apr 29 '25 10:04 codecov[bot]

CodSpeed Performance Report

Merging #1061 will not alter performance

Comparing M1ra1B0T:feature/parse_pidl_mru_keys (01a54a8) with main (9058c70)

Summary

✅ 8 untouched benchmarks

codspeed-hq[bot] avatar Sep 02 '25 12:09 codspeed-hq[bot]