Changes to windows services analysis plugin log2timeline#3001 (log2ti…

…meline#3006)
joachimmetz · Jun 22, 2020 · 3eac71c · 3eac71c
1 parent 73bd816
commit 3eac71c
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/plaso/analysis/windows_services.py b/plaso/analysis/windows_services.py
@@ -8,6 +8,7 @@
 from plaso.analysis import interface
 from plaso.analysis import manager
 from plaso.containers import reports
+from plaso.parsers.winreg_plugins import services
 from plaso.winnt import human_readable_service_enums
 
 
@@ -191,8 +192,6 @@ class WindowsServicesAnalysisPlugin(interface.AnalysisPlugin):
   # Indicate that we can run this plugin during regular extraction.
   ENABLE_IN_EXTRACTION = True
 
-  _SUPPORTED_EVENT_DATA_TYPES = frozenset([
-      'windows:registry:service'])
 
   def __init__(self):
     """Initializes the Windows Services plugin."""
@@ -263,11 +262,15 @@ def ExamineEvent(self, mediator, event, event_data):
       event (EventObject): event to examine.
       event_data (EventData): event data.
     """
-    if event_data.data_type not in self._SUPPORTED_EVENT_DATA_TYPES:
+    # TODO: Handle event log entries here also (ie, event id 4697).
+    if event_data.data_type != 'windows:registry:service':
       return
 
-    # TODO: Handle event log entries here also (ie, event id 4697).
-    service = WindowsService.FromEventData(event_data)
+    event_data_attributes = event_data.CopyToDict()
+    service_event_data = services.WindowsRegistryServiceEventData()
+    service_event_data.CopyFromDict(event_data_attributes)
+
+    service = WindowsService.FromEventData(service_event_data)
     self._service_collection.AddService(service)
 
   def SetOutputFormat(self, output_format):