
fix: correct registry value parsing for Amcache plugin parameters #4965

Open
stetsbemueht wants to merge 1 commit into log2timeline:main from stetsbemueht:main

stetsbemueht commented Jun 18, 2025


Description:

Updated the plugin to correctly read registry values for the following parameters of the windows:registry:amcache data type:

  • sha1
  • file_size
  • language_code
  • file_version
  • company_name
  • product_name
  • program_identifier

Updated Test File.

This fix addresses issues caused by changes in the Amcache hive structure from Windows 7 to Windows 10.

Notes:

All contributions to Plaso undergo code review.
This makes sure that the code has appropriate test coverage and conforms to the
Plaso style guide.

One of the maintainers will examine your code, and may request changes. Check off the items below in
order, and then a maintainer will review your code.

Checklist:

  • No new dependencies are required or l2tdevtools has been updated.
  • Test data has a Plaso compatible license. If the test data was not authored by you (the contributor), make sure to mention its original source in ACKNOWLEDGEMENTS.
  • Reviewer assigned.
  • Automated checks (GitHub Actions, AppVeyor) pass.

@joachimmetz (Member)

@stetsbemueht please rebase with current HEAD

joachimmetz self-assigned this May 8, 2026
joachimmetz added the "pending reporter input" label (Issue is pending input from the reporter) May 8, 2026