├── README.md
├── ese2csv.exe
├── ese2csv.py
├── spartan_plugin.py
└── srudb_plugin.py


/README.md:
--------------------------------------------------------------------------------
  1 | # ese-analyst
  2 | 
  3 | The tool ese2csv is intended to make analyzing and dumping any ese file simple.  Its options are
  4 | 
  5 | ```
  6 | C:\>ese2csv.exe --help
  7 | usage: ese2csv.exe [-h] [--make-plugin] [--pluggin CONFIG] [--outpath OUTPATH]
  8 |                    [--acquire-live] [--verbose] [--list-tables] [--recurse]
  9 |                    [--dump-tables [DUMPTABLES [DUMPTABLES ...]]]
 10 |                    [--plugin-args [PLUGINARGS [PLUGINARGS ...]]]
 11 |                    ese_file
 12 | 
 13 | Find and dump ESE databases.
 14 | 
 15 | positional arguments:
 16 |   ese_file              This required file name is an ese database
 17 | 
 18 | optional arguments:
 19 |   -h, --help            show this help message and exit
 20 |   --make-plugin, -m     Produce an editable shell of a plugin for the
 21 |                         specified ese.
 22 |   --pluggin CONFIG, -p CONFIG
 23 |                         Use a plugin that defines fields in the ese database.
 24 |   --outpath OUTPATH, -o OUTPATH
 25 |                         The directory to which the CSV(s) will be written.
 26 |   --acquire-live, -a    Use FGET to extract locked file for processing.
 27 |   --verbose, -v         Generate Verbose output for debugging.
 28 |   --list-tables, -l     List all tables in the ese.
 29 |   --recurse, -r         Recurse subdirectories to find ese in path.
 30 |   --dump-tables [DUMPTABLES [DUMPTABLES ...]], -d [DUMPTABLES [DUMPTABLES ...]]
 31 |                         Only dump tables listed here separated by spaces. End
 32 |                         this list with double dash if this is not followed by
 33 |                         additional optional arguments. --.
 34 |   --plugin-args [PLUGINARGS [PLUGINARGS ...]]
 35 |                         Arguments passed to plugin. End arguments with double
 36 |                         dash if this is not followed by additional optional
 37 |                         arguments. --.
 38 | 
 39 | ```
 40 | 
 41 | The idea of ese2csv is to allow you to dump the data from any ESE database that the libesedb engine can read. However, you can also create a "plugin" for the ese file with the -m option that allows you to use YAML to define the formats for fields, gives them friendly names and provides functions for processing the database. The tool is distributed with two plugin.  The srudb_plugin.py can be used to dump the srum database. spartan_plugin.py is a beta of dumping Edge spartan files that took me 30 minutes to put together with the -m option! The tool supports wildcards and directory recursion so you can search your drive and let the tool extract what ever it can find. The tool assumes the plugins are in the same directory as the executable.
 42 | 
 43 | Two slightly confusing argument are -d and -p.  Both of those can be followed by multiple parameters. For example, -d can be followed by multiple table names separated by spaces. ese2csv will dump each of those table names. -p can be followed by multiple plugin arguments.  All of them will be passed on to the plugin for processing. So how does the ese2csv.exe command line know when your done with your list of table names or plugin arguments?  With Python programs you end these list by providing another optional argument.  If you use -p or -d as the last argument before the name of your ese file then you end the list with double dash (--).
 44 | 
 45 | ## Dump all the tables in the the specified srudb.dat file to csv_files (default). Acquire a copy of the locked srudb.dat file before use (-a). Ignored tables specified by the YAML  and use Table, Field names specified in in the srudb_plugin.py (-p srudb_plugin).  Also tell the plugin to live acquire the software registry hive (--plugin-args LIVE) . Output all of the CSV files to the root of the file system (-o c:\)
 46 | 
 47 | ```
 48 | C:>ese2csv.exe -p srudb_plugin -o c:\ -a --plugin-args LIVE -- C:\Windows\System32\sru\srudb.dat
 49 | ```
 50 | 
 51 | 
 52 | ## Same as above but provide the name of the SOFTWARE registry hive to the plugin and write to the current directory.
 53 | 
 54 | ```
 55 | C:>ese2csv.exe -p srudb_plugin -a --plugin-args C:\SOFTWARE -- C:\Windows\System32\sru\srudb.dat
 56 | ```
 57 | 
 58 | 
 59 | ## List the tables (-l) in an ese database. File must not be locked by the OS. If it is use -a (acquire).
 60 | 
 61 | ```
 62 | C:>ese2csv.exe -l C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
 63 | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb True
 64 | Table MSysObjects has 479 records
 65 | Table MSysObjectsShadow has 479 records
 66 | Table MSysObjids has 59 records
 67 | Table MSysLocales has 8 records
 68 | Table tbAUState has 0 records
 69 | Table tbCcrDownloadData has 0 records
 70 | Table tbComputerInfo has 0 records
 71 | Table tbDownloadJob has 0 records
 72 | Table tbEula has 0 records
 73 | Table tbFiles has 704 records
 74 | Table tbHistory has 71 records
 75 | Table tbServerConfig has 2 records
 76 | Table tbServerCookies has 27 records
 77 | Table tbServiceData has 3 records
 78 | Table tbScanTransInfo has 2 records
 79 | Table tbStoreVersion has 1 records
 80 | Table tbUpdateLocalizedProps has 950 records
 81 | Table tbUpdates has 2707 records
 82 | Table tbHiddenUpdates has 0 records
 83 | Table tbLocalUserIds has 1 records
 84 | Table tbTimers has 1 records
 85 | Table tbSLSData has 4 records
 86 | Table tbPerSrvUpdate9116a23d9de3a64d8a4bb43877bcb1b7 has 0 records
 87 | Table tbPerSrvUserUpdateData9116a23d9de3a64d8a4bb43877bcb1b7 has 0 records
 88 | Table tbPerSrvUpdateb4f4829443e3b643b1709a65bc822c77 has 1964 records
 89 | Table tbPerSrvUserUpdateDatab4f4829443e3b643b1709a65bc822c77 has 0 records
 90 | Table tbPerSrvUpdate7c8a5e85b4eca34cb0451dfa50104289 has 713 records
 91 | Table tbPerSrvUserUpdateData7c8a5e85b4eca34cb0451dfa50104289 has 0 records
 92 | ```
 93 | 
 94 | ## Find all *.edb files in c:\ and list their table contents. Recurse (-r) all subdirectories and acquire live files (-a) with FGET before you list tables (-l).
 95 | 
 96 | ```
 97 | C:\> ese2csv.exe -ral "C:\*.edb"
 98 | TABLE LISTING FOR ESE FILE C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
 99 | 
100 | Table MSysObjects has 858 records
101 | Table MSysObjectsShadow has 858 records
102 | Table MSysObjids has 55 records
103 | Table MSysLocales has 8 records
104 | Table CatalogManager_Properties has 0 records
105 | Table CatalogStorageManager has 1 records
106 | Table SystemIndex_Gthr has 3170 records
107 | Table SystemIndex_GthrPth has 292 records
108 | Table SystemIndex_1_Properties has 225 records
109 | Table SystemIndex_1 has 18 records
110 | <TRUNCATED>
111 | ```
112 | 
113 | ## Recursivly (-r) go through every *.edb file in c:\. Acquire (-a) a copy of the locked file. Find the table named tbTimers in one of them and dump (-d) it.
114 | 
115 | ```
116 | C:\Users\Win10Lab\Desktop>ese2csv.exe -rad tbTimers -- "C:\*.edb"
117 | Processing tbTimers
118 | 
119 | C:\Users\Win10Lab\Desktop>type tbTimers.csv
120 | TimerId,ExpirationTime,IdleOnly,NetworkOnly
121 | b'e763a82909861e4db7cd5668f857f1db',b'31354874915ed501',0,0
122 | ```
123 | 
124 | ## Dump the dbTimers table without a plugin specifying the full path. Since no -a is provided the file must not be locked by the OS.
125 | 
126 | ```
127 | C:>ese2csv.exe -d tbTimers -- C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
128 | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb True
129 | Processing tbTimers
130 | 
131 | C:>type tbTimers.csv
132 | TimerId,ExpirationTime,IdleOnly,NetworkOnly
133 | b'e763a82909861e4db7cd5668f857f1db',b'eaaadd49c85dd501',0,0
134 | ```
135 | 
136 | 
137 | ## Make (-m) a srum plugin template (which requires editing)
138 | 
139 | ```
140 | C:>ese2csv.exe -ma c:\windows\system32\sru\srudb.dat > srudb_plugin.py
141 | ```
142 | 
143 | ## After editing the YAML and functions in the new srum plugin use it (-p) to list new friendly table names
144 | 
145 | ```
146 | C:>ese2csv.exe -p srudb_plugin -l srudb.dat
147 | srudb.dat True
148 | Table MSysObjects aka MSysObjects has 262 records
149 | Table MSysObjectsShadow aka MSysObjectsShadow has 262 records
150 | Table MSysObjids aka MSysObjids has 41 records
151 | Table MSysLocales aka MSysLocales has 7 records
152 | Table SruDbIdMapTable aka SruDbIdMapTable has 33946 records
153 | Table SruDbCheckpointTable aka SruDbCheckpointTable has 0 records
154 | Table {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} aka Application Resources has 122856 records
155 | Table {DD6636C4-8929-4683-974E-22C046A43763} aka Network Connections has 2599 records
156 | Table {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37} aka Energy Usage has 1736 records
157 | Table {973F5D5C-1D90-4944-BE8E-24B94231A174} aka Network Usage has 14445 records
158 | Table {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT aka Energy Usage (Long-Term) has 126 records
159 | Table {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86} aka Application Resource Usage has 3719 records
160 | Table {DA73FB89-2BEA-4DDC-86B8-6E048C6DA477} aka Unknown4 has 13778 records
161 | Table {5C8CF1C7-7257-4F13-B223-970EF5939312} aka Unknown1 has 16982 records
162 | Table {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F} aka Unknown2 has 1544 records
163 | Table {B6D82AF1-F780-4E17-8077-6CB9AD8A6FC4} aka Unknown3 has 98 records
164 | ```
165 | 
166 | ## And dump a table based on its friendly name
167 | 
168 | ```
169 | C:>ese2csv.exe -p srudb_config -d "Network Usage" -- srudb.dat
170 | srudb.dat True
171 | Processing Network Usage
172 | ```
173 | 
174 | 
175 | ## Creating a plugin.
176 | 
177 | 
178 | I know this needs to be flushed out more but here is some basic documentation.
179 | 
180 | Start out your plugins with the -m option and redirecting it to a file.  Then edit the plugin and customize the output. This example creates a plugin for the srudb.dat file.
181 | 
182 | ```
183 | C:>ese2csv.exe -ma c:\windows\system32\sru\srudb.dat > srudb_plugin.py
184 | ```
185 | 
186 | You can place four "call back" functions in your plugin that are executed automatically by ese2csv.
187 | 
188 |  - **plugin_init(ese_database)**  - This function will receive one argument. The ese_database. It is called when the program first loads and can be used to setup data structures that other functions depend upon.
189 |  - **plugin_modify_header(list_of_headers, table_name)**  - This function is called after the headers are read from the ESE database before they are written to the CSV.  This is your chance to add or change the headers.
190 |  - **plugin_modify_row(list_of_row_values, table_name)**  - This function is called for every row in the ESE before itis written to the CSV.  This is your chance to add to or modify rows.   This is also where you can accumulate values or do additional processing or row data.
191 |  - **plugin_end_of_file(csv_writer_object, table_name)**  - This function is called before the csv file is closed.   Write your accumulated values or clean up data structures.
192 | 
193 | There are also built in functions that are available inside the plugin for you to call
194 | 
195 |  - **lookup("yaml table name", value)**   - Will lookup the value in the the specified YAML lookup table (defined in the yaml or by
196 |    table_reference entries).
197 |  - **extract_live_file(live_path)**  - Takes in a path to a file locked by
198 |    the OS and returns a path to an unlocked copy that was extracted with FGET.EXE
199 |  - **smart_retrieve(ese_db, rownum, colnum)**  - Retrieves the specified row and column from the ese database
200 |  - **blob_to_string(bytes)**   -  Attempts to convert the bytes into a
201 |    string
202 |  - **ole_timestamp(bytes)**  - Takes in bytes and interprets it as an OLE timestamp
203 |  - **file_timestamp(bytes)**  - Takes in bytes and interprets it as a File Timestamp
204 |  - **args** - The variable args is a list containing the arguments passwd to --plugin-args on the CLI
205 | 
206 | You can also create your own functions. These functions are called by setting the format fields in the YAML.  See srudb_plugin for example.
207 | 
208 | YAML format field can be in the form of:
209 | 
210 |  - **None**  -  Do Nothing to data.  Put in CSV as is.
211 |    
212 |  - **function:function_name**   - Call function_name and pass it the data. Put what is returned in the CSV
213 |  - **lookup:YAML_LOOKUP_TABLE**  - Call lookup("YAML_LOOKUP_TABLE",   current_value) and put what is returned in the CSV.
214 | 


--------------------------------------------------------------------------------
/ese2csv.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MarkBaggett/ese-analyst/d9111cde1792d197843cf33ab03d3c4833bb9a54/ese2csv.exe


--------------------------------------------------------------------------------
/ese2csv.py:
--------------------------------------------------------------------------------
  1 | import pyesedb
  2 | import yaml
  3 | import csv
  4 | import codecs
  5 | import struct
  6 | import uuid
  7 | import argparse
  8 | import pathlib
  9 | import importlib
 10 | import re
 11 | import sys
 12 | import os
 13 | import tempfile
 14 | import urllib.request
 15 | import subprocess
 16 | from Registry.Registry import Registry
 17 | from datetime import datetime,timedelta
 18 | 
 19 | def blob_to_string(chrblob):
 20 |     """Takes in a binary blob hex characters and does its best to convert it to a readable string.
 21 |        Works great for UTF-16 LE, UTF-16 BE, ASCII like data. Otherwise return it as hex.
 22 |     """
 23 |     try:
 24 |         chrblob = codecs.decode(chrblob,"hex")
 25 |     except:
 26 |         pass
 27 |     try:
 28 |         if re.match(b'^(?:[^\x00]\x00)+\x00\x00$', chrblob):
 29 |             binblob = chrblob.decode("utf-16-le").strip("\x00")
 30 |         elif re.match(b'^(?:\x00[^\x00])+\x00\x00$', chrblob):
 31 |             binblob = chrblob.decode("utf-16-be").strip("\x00")
 32 |         else:
 33 |             binblob = chrblob.decode("latin1").strip("\x00")
 34 |     except Exception as e:
 35 |         binblob = "" if not chrblob else codecs.decode(chrblob,"latin-1")
 36 |     return binblob
 37 | 
 38 | def ole_timestamp(binblob):
 39 |     """converts a hex encoded OLE time stamp to a time string"""
 40 |     try:
 41 |         td,ts = str(struct.unpack("<d",binblob)[0]).split(".")
 42 |         dt = datetime(1899,12,30,0,0,0) + timedelta(days=int(td),seconds=86400 * float("0.{}".format(ts)))
 43 |     except Exception as e:
 44 |         dt = "This field is incorrectly identified as an OLE timestamp in the template."
 45 |     return dt
 46 |  
 47 | def file_timestamp(binblob):
 48 |     """converts a hex encoded windows file time stamp to a time string"""
 49 |     try:
 50 |         dt = datetime(1601,1,1,0,0,0) + timedelta(microseconds=binblob/10)
 51 |     except:
 52 |         dt = "This field is incorrectly identified as a file timestamp in the template"
 53 |     return dt
 54 | 
 55 | def smart_retrieve(ese_table, ese_record_num, column_number):
 56 |     """Given a row and column will determine the format and retrieve a value from the ESE table"""
 57 |     rec = ese_table.get_record(ese_record_num)
 58 |     col_type = rec.get_column_type(column_number)
 59 |     col_data = rec.get_value_data(column_number)
 60 |     #print "rec:%s  col:%s type:%s %s" % (ese_record_num, column_number, col_type, ese_column_types[col_type])
 61 |     if col_type == pyesedb.column_types.BINARY_DATA:
 62 |         col_data = "" if not col_data else codecs.encode(col_data,"HEX")
 63 |     elif col_type == pyesedb.column_types.BOOLEAN:
 64 |         col_data = col_data if col_data else b'\x00' 
 65 |         col_data = struct.unpack('?',col_data)[0]
 66 |     elif col_type == pyesedb.column_types.CURRENCY:
 67 |         pass
 68 |     elif col_type == pyesedb.column_types.DATE_TIME:
 69 |         col_data = ole_timestamp(col_data)
 70 |     elif col_type == pyesedb.column_types.DOUBLE_64BIT:
 71 |         col_data = 0 if not col_data else struct.unpack('d',col_data)[0]
 72 |     elif col_type == pyesedb.column_types.FLOAT_32BIT:
 73 |         col_data = 0.0 if not col_data else struct.unpack('f',col_data)[0]
 74 |     elif col_type == pyesedb.column_types.GUID:
 75 |         col_data = 0 if not col_data else str(uuid.UUID(bytes = col_data))    
 76 |     elif col_type == pyesedb.column_types.INTEGER_16BIT_SIGNED:
 77 |         col_data = 0 if not col_data else struct.unpack('h',col_data)[0]
 78 |     elif col_type == pyesedb.column_types.INTEGER_16BIT_UNSIGNED:
 79 |         col_data = 0 if not col_data else struct.unpack('H',col_data)[0]
 80 |     elif col_type == pyesedb.column_types.INTEGER_32BIT_SIGNED:
 81 |         col_data =  0 if not col_data else struct.unpack('i',col_data)[0]
 82 |     elif col_type == pyesedb.column_types.INTEGER_32BIT_UNSIGNED:
 83 |         col_data = 0 if not col_data else struct.unpack('I',col_data)[0]
 84 |     elif col_type == pyesedb.column_types.INTEGER_64BIT_SIGNED:
 85 |         col_data = 0 if not col_data else struct.unpack('q',col_data)[0]
 86 |     elif col_type == pyesedb.column_types.INTEGER_8BIT_UNSIGNED:
 87 |         col_data = 0 if not col_data else struct.unpack('B',col_data)[0]
 88 |     elif col_type == pyesedb.column_types.LARGE_BINARY_DATA:
 89 |         col_data = "" if not col_data else codecs.encode(col_data,"HEX")
 90 |     elif col_type == pyesedb.column_types.LARGE_TEXT:
 91 |         col_data = blob_to_string(col_data)
 92 |     elif col_type == pyesedb.column_types.NULL:
 93 |         pass
 94 |     elif col_type == pyesedb.column_types.SUPER_LARGE_VALUE:
 95 |         col_data = "" if not col_data else codecs.encode(col_data,"HEX")
 96 |     elif col_type == pyesedb.column_types.TEXT:
 97 |         col_data = blob_to_string(col_data)   
 98 |     else:
 99 |         col_data = blob_to_string(col_data)    
100 |     if col_data==None:
101 |         col_data = "Empty"
102 |     return col_data
103 | 
104 | def plugin_list():
105 |     if getattr(sys, 'frozen', False):
106 |         program_dir = pathlib.Path(sys.executable)
107 |     elif __file__:
108 |         program_dir = pathlib.Path(__file__)
109 |     plugpaths = pathlib.Path(program_dir).parent.glob("*_plugin.py")
110 |     plist = [x.name[:-3] for x in plugpaths]
111 |     if not plist:
112 |         plist = ['No Plugins found in path {}'.format(program_dir)]
113 |     return plist
114 | 
115 | def make_config(database):
116 |     yaml_struct = {'tables':{}}
117 |     for each_table in database.tables:
118 |         table_struct = {'name':each_table.name,'ignore':'no','fields':{}}
119 |         for each_field in each_table.columns:
120 |              field_struct = {}
121 |              field_struct['friendly name'] = each_field.name
122 |              field_struct['format'] = 'None'
123 |              field_struct['ignore'] = 'no'
124 |              table_struct['fields'][each_field.name] = field_struct
125 |         yaml_struct['tables'][each_table.name] = table_struct
126 |     lookups = {'lookups': {
127 |         'numbers' : {0:'zero', 1:"one"},
128 |         'known_sids' : { 'S-1-5-32-545': ' Users', 'S-1-5-32-544': ' Administrators', 'S-1-5-32-547': ' Power Users', 'S-1-5-32-546': ' Guests', 'S-1-5-32-569': ' BUILTIN\\Cryptographic Operators', 'S-1-16-16384': ' System Mandatory Level ', 'S-1-5-32-551': ' Backup Operators', 'S-1-16-8192': ' Medium Mandatory Level ', 'S-1-5-80': ' NT Service ', 'S-1-5-32-548': ' Account Operators', 'S-1-5-32-561': ' BUILTIN\\Terminal Server License Servers', 'S-1-5-64-14': ' SChannel Authentication ', 'S-1-5-32-562': ' BUILTIN\\Distributed COM Users', 'S-1-5-64-21': ' Digest Authentication ', 'S-1-5-19': ' NT Authority', 'S-1-3-0': ' Creator Owner', 'S-1-5-80-0': ' All Services ', 'S-1-5-20': ' NT Authority', 'S-1-5-18': ' Local System', 'S-1-5-32-552': ' Replicators', 'S-1-5-32-579': ' BUILTIN\\Access Control Assistance Operators', 'S-1-16-4096': ' Low Mandatory Level ', 'S-1-16-12288': ' High Mandatory Level ', 'S-1-2-0': ' Local ', 'S-1-16-0': ' Untrusted Mandatory Level ', 'S-1-5-3': ' Batch', 'S-1-5-2': ' Network', 'S-1-5-1': ' Dialup', 'S-1-5-7': ' Anonymous', 'S-1-5-6': ' Service', 'S-1-5-4': ' Interactive', 'S-1-5-9': ' Enterprise Domain Controllers', 'S-1-5-8': ' Proxy', 'S-1-5-32-550': ' Print Operators', 'S-1-0-0': ' Nobody', 'S-1-5-32-559': ' BUILTIN\\Performance Log Users', 'S-1-5-32-578': ' BUILTIN\\Hyper-V Administrators', 'S-1-5-32-549': ' Server Operators', 'S-1-2-1': ' Console Logon ', 'S-1-3-1': ' Creator Group', 'S-1-5-32-575': ' BUILTIN\\RDS Remote Access Servers', 'S-1-3-3': ' Creator Group Server', 'S-1-3-2': ' Creator Owner Server', 'S-1-5-32-556': ' BUILTIN\\Network Configuration Operators', 'S-1-5-32-557': ' BUILTIN\\Incoming Forest Trust Builders', 'S-1-5-32-554': ' BUILTIN\\Pre-Windows 2000 Compatible Access', 'S-1-5-32-573': ' BUILTIN\\Event Log Readers ', 'S-1-5-32-576': ' BUILTIN\\RDS Endpoint Servers', 'S-1-5-83-0': ' NT VIRTUAL MACHINE\\Virtual Machines', 'S-1-16-28672': ' Secure Process Mandatory Level ', 'S-1-5-11': ' Authenticated Users', 'S-1-1-0': ' Everyone', 'S-1-5-32-555': ' BUILTIN\\Remote Desktop Users', 'S-1-16-8448': ' Medium Plus Mandatory Level ', 'S-1-5-17': ' This Organization ', 'S-1-5-32-580': ' BUILTIN\\Remote Management Users', 'S-1-5-15': ' This Organization ', 'S-1-5-14': ' Remote Interactive Logon ', 'S-1-5-13': ' Terminal Server Users', 'S-1-5-12': ' Restricted Code', 'S-1-5-32-577': ' BUILTIN\\RDS Management Servers', 'S-1-5-10': ' Principal Self', 'S-1-3': ' Creator Authority', 'S-1-2': ' Local Authority', 'S-1-1': ' World Authority', 'S-1-0': ' Null Authority', 'S-1-5-32-574': ' BUILTIN\\Certificate Service DCOM Access ', 'S-1-5': ' NT Authority', 'S-1-4': ' Non-unique Authority', 'S-1-5-32-560': ' BUILTIN\\Windows Authorization Access Group', 'S-1-16-20480': ' Protected Process Mandatory Level ', 'S-1-5-64-10': ' NTLM Authentication ', 'S-1-5-32-558': ' BUILTIN\\Performance Monitor Users'},
129 |         'LUID_interface_types': {1: 'IF_TYPE_OTHER', 2: 'IF_TYPE_REGULAR_1822', 3: 'IF_TYPE_HDH_1822', 4: 'IF_TYPE_DDN_X25', 5: 'IF_TYPE_RFC877_X25', 6: 'IF_TYPE_ETHERNET_CSMACD', 7: 'IF_TYPE_IS088023_CSMACD', 8: 'IF_TYPE_ISO88024_TOKENBUS', 9: 'IF_TYPE_ISO88025_TOKENRING', 10: 'IF_TYPE_ISO88026_MAN', 11: 'IF_TYPE_STARLAN', 12: 'IF_TYPE_PROTEON_10MBIT', 13: 'IF_TYPE_PROTEON_80MBIT', 14: 'IF_TYPE_HYPERCHANNEL', 15: 'IF_TYPE_FDDI', 16: 'IF_TYPE_LAP_B', 17: 'IF_TYPE_SDLC', 18: 'IF_TYPE_DS1', 19: 'IF_TYPE_E1', 20: 'IF_TYPE_BASIC_ISDN', 21: 'IF_TYPE_PRIMARY_ISDN', 22: 'IF_TYPE_PROP_POINT2POINT_SERIAL', 23: 'IF_TYPE_PPP', 24: 'IF_TYPE_SOFTWARE_LOOPBACK', 25: 'IF_TYPE_EON', 26: 'IF_TYPE_ETHERNET_3MBIT', 27: 'IF_TYPE_NSIP', 28: 'IF_TYPE_SLIP', 29: 'IF_TYPE_ULTRA', 30: 'IF_TYPE_DS3', 31: 'IF_TYPE_SIP', 32: 'IF_TYPE_FRAMERELAY', 33: 'IF_TYPE_RS232', 34: 'IF_TYPE_PARA', 35: 'IF_TYPE_ARCNET', 36: 'IF_TYPE_ARCNET_PLUS', 37: 'IF_TYPE_ATM', 38: 'IF_TYPE_MIO_X25', 39: 'IF_TYPE_SONET', 40: 'IF_TYPE_X25_PLE', 41: 'IF_TYPE_ISO88022_LLC', 42: 'IF_TYPE_LOCALTALK', 43: 'IF_TYPE_SMDS_DXI', 44: 'IF_TYPE_FRAMERELAY_SERVICE', 45: 'IF_TYPE_V35', 46: 'IF_TYPE_HSSI', 47: 'IF_TYPE_HIPPI', 48: 'IF_TYPE_MODEM', 49: 'IF_TYPE_AAL5', 50: 'IF_TYPE_SONET_PATH', 51: 'IF_TYPE_SONET_VT', 52: 'IF_TYPE_SMDS_ICIP', 53: 'IF_TYPE_PROP_VIRTUAL', 54: 'IF_TYPE_PROP_MULTIPLEXOR', 55: 'IF_TYPE_IEEE80212', 56: 'IF_TYPE_FIBRECHANNEL', 57: 'IF_TYPE_HIPPIINTERFACE', 58: 'IF_TYPE_FRAMERELAY_INTERCONNECT', 59: 'IF_TYPE_AFLANE_8023', 60: 'IF_TYPE_AFLANE_8025', 61: 'IF_TYPE_CCTEMUL', 62: 'IF_TYPE_FASTETHER', 63: 'IF_TYPE_ISDN', 64: 'IF_TYPE_V11', 65: 'IF_TYPE_V36', 66: 'IF_TYPE_G703_64K', 67: 'IF_TYPE_G703_2MB', 68: 'IF_TYPE_QLLC', 69: 'IF_TYPE_FASTETHER_FX', 70: 'IF_TYPE_CHANNEL', 71: 'IF_TYPE_IEEE80211', 72: 'IF_TYPE_IBM370PARCHAN', 73: 'IF_TYPE_ESCON', 74: 'IF_TYPE_DLSW', 75: 'IF_TYPE_ISDN_S', 76: 'IF_TYPE_ISDN_U', 77: 'IF_TYPE_LAP_D', 78: 'IF_TYPE_IPSWITCH', 79: 'IF_TYPE_RSRB', 80: 'IF_TYPE_ATM_LOGICAL', 81: 'IF_TYPE_DS0', 82: 'IF_TYPE_DS0_BUNDLE', 83: 'IF_TYPE_BSC', 84: 'IF_TYPE_ASYNC', 85: 'IF_TYPE_CNR', 86: 'IF_TYPE_ISO88025R_DTR', 87: 'IF_TYPE_EPLRS', 88: 'IF_TYPE_ARAP', 89: 'IF_TYPE_PROP_CNLS', 90: 'IF_TYPE_HOSTPAD', 91: 'IF_TYPE_TERMPAD', 92: 'IF_TYPE_FRAMERELAY_MPI', 93: 'IF_TYPE_X213', 94: 'IF_TYPE_ADSL', 95: 'IF_TYPE_RADSL', 96: 'IF_TYPE_SDSL', 97: 'IF_TYPE_VDSL', 98: 'IF_TYPE_ISO88025_CRFPRINT', 99: 'IF_TYPE_MYRINET', 100: 'IF_TYPE_VOICE_EM', 101: 'IF_TYPE_VOICE_FXO', 102: 'IF_TYPE_VOICE_FXS', 103: 'IF_TYPE_VOICE_ENCAP', 104: 'IF_TYPE_VOICE_OVERIP', 105: 'IF_TYPE_ATM_DXI', 106: 'IF_TYPE_ATM_FUNI', 107: 'IF_TYPE_ATM_IMA', 108: 'IF_TYPE_PPPMULTILINKBUNDLE', 109: 'IF_TYPE_IPOVER_CDLC', 110: 'IF_TYPE_IPOVER_CLAW', 111: 'IF_TYPE_STACKTOSTACK', 112: 'IF_TYPE_VIRTUALIPADDRESS', 113: 'IF_TYPE_MPC', 114: 'IF_TYPE_IPOVER_ATM', 115: 'IF_TYPE_ISO88025_FIBER', 116: 'IF_TYPE_TDLC', 117: 'IF_TYPE_GIGABITETHERNET', 118: 'IF_TYPE_HDLC', 119: 'IF_TYPE_LAP_F', 120: 'IF_TYPE_V37', 121: 'IF_TYPE_X25_MLP', 122: 'IF_TYPE_X25_HUNTGROUP', 123: 'IF_TYPE_TRANSPHDLC', 124: 'IF_TYPE_INTERLEAVE', 125: 'IF_TYPE_FAST', 126: 'IF_TYPE_IP', 127: 'IF_TYPE_DOCSCABLE_MACLAYER', 128: 'IF_TYPE_DOCSCABLE_DOWNSTREAM', 129: 'IF_TYPE_DOCSCABLE_UPSTREAM', 130: 'IF_TYPE_A12MPPSWITCH', 131: 'IF_TYPE_TUNNEL', 132: 'IF_TYPE_COFFEE', 133: 'IF_TYPE_CES', 134: 'IF_TYPE_ATM_SUBINTERFACE', 135: 'IF_TYPE_L2_VLAN', 136: 'IF_TYPE_L3_IPVLAN', 137: 'IF_TYPE_L3_IPXVLAN', 138: 'IF_TYPE_DIGITALPOWERLINE', 139: 'IF_TYPE_MEDIAMAILOVERIP', 140: 'IF_TYPE_DTM', 141: 'IF_TYPE_DCN', 142: 'IF_TYPE_IPFORWARD', 143: 'IF_TYPE_MSDSL', 144: 'IF_TYPE_IEEE1394', 145: 'IF_TYPE_RECEIVE_ONLY'}
130 |         }}
131 |     table_references = {'table_references' : {
132 |         'app_id' : {'table':'SruDbIdMapTable',
133 |                     'key':'IdIndex',
134 |                     'value': ['IdType','IdBlob']}
135 |     }}
136 |     yaml_struct.update(lookups)
137 |     yaml_struct.update(table_references)
138 |     ese_config = 'yaml_config = r\"\"\"\n' + yaml.dump(yaml_struct) + """
139 | 
140 | \"\"\"
141 | 
142 | import struct
143 | import codecs
144 | 
145 | 
146 | 
147 | def plugin_init(ese_database):
148 |     #table_names = " ".join([x.name for x in ese_database.tables])
149 |     #print("Received Arguments", args)
150 |     #print("Plugin Initialized for ", table_names)
151 |     # Setup any data structures required for yaml function calls
152 |     return None
153 | 
154 | def plugin_modify_header(list_of_headers, table_name):
155 |     #print("Plugin Processing headers", list_of_headers)
156 |     # Modify headers as needed before commit to file
157 |     return list_of_headers
158 | 
159 | #sample_total = 0
160 | def plugin_modify_row(list_of_row_values, table_name):
161 |     #global sample_total
162 |     #print("Plugin Processing Row", list_of_row_values)
163 |     #if table_name == "some target":
164 |     #    sample_total += list_of_row_values[10] 
165 |     # Modify list as needed before commit to file or keep totals
166 |     return list_of_row_values
167 | 
168 | def plugin_end_of_file(csv_writer_object, table_name):
169 |     #print("Plugin Finished file" )
170 |     # Write header footers, calculations etc
171 |     return None
172 | 
173 | def BinarySIDtoStringSID(sid_str):
174 |     if not sid_str:
175 |         return ""
176 |     sid = codecs.decode(sid_str,"hex")
177 |     str_sid_components = [sid[0]]
178 |     # Now decode the 48-byte portion
179 |     if len(sid) >= 8:
180 |         subauthority_count = sid[1]
181 |         identifier_authority = struct.unpack(">H", sid[2:4])[0]
182 |         identifier_authority <<= 32
183 |         identifier_authority |= struct.unpack(">L", sid[4:8])[0]
184 |         str_sid_components.append(identifier_authority)
185 |         start = 8
186 |         for i in range(subauthority_count):
187 |             authority = sid[start:start + 4]
188 |             if not authority:
189 |                 break
190 |             if len(authority) < 4:
191 |                 raise ValueError("In binary SID '%s', component %d has been truncated. "
192 |                          "Expected 4 bytes, found %d: (%s)",
193 |                          ",".join([str(ord(c)) for c in sid]), i,
194 |                          len(authority), authority)
195 |             str_sid_components.append(struct.unpack("<L", authority)[0])
196 |             start += 4
197 |             sid_str = "S-%s" % ("-".join([str(x) for x in str_sid_components]))
198 |     sid_name = lookup("known_sids",sid_str)
199 |     return "{} ({})".format(sid_str,sid_name)
200 | 
201 | def get_app_id(data):
202 |     app_type, app_value = lookup("app_id", data)
203 |     if app_type == 3:
204 |         data = BinarySIDtoStringSID(app_value)
205 |     elif app_type == 2:
206 |         data = blob_to_string(app_value)
207 |     return data
208 | """
209 |     return ese_config
210 | 
211 | def lookup(table, value):
212 |     return yaml_config.get("lookups",{}).get(table, {}).get(value)
213 | 
214 | def extract_live_file(live_path):
215 |     if not live_path.exists():
216 |         print(f"The file specified for live aquisition was not found. {str(live_path)}")
217 |         sys.exit(1)
218 |     try:
219 |         fget_file = tempfile.NamedTemporaryFile(mode="w+b", suffix=".exe",delete=False)
220 |         extracted_file = tempfile.NamedTemporaryFile(mode="w+b", suffix = ".dat", delete=False)
221 |         #print("Downloading fget.exe to {}".format(fget_file.name))
222 |         try:
223 |             fget_binary = urllib.request.urlopen('https://github.com/MarkBaggett/srum-dump/raw/master/FGET.exe').read()
224 |         except Exception as e:
225 |             raise(Exception(f"Unable to download FGET {str(e)}"))
226 |         fget_file.write(fget_binary)
227 |         fget_file.close()
228 |         cmdline = r'{} -extract "{}" {}'.format(fget_file.name, str(live_path), extracted_file.name)
229 |         #print(cmdline)
230 |         phandle = subprocess.Popen(cmdline, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
231 |         out1,_ = phandle.communicate()
232 |         pathlib.Path(fget_file.name).unlink()
233 |     except Exception as e:
234 |         print("Unable to automatically extract file. {}".format(str(e)))
235 |         return None
236 |     if b"SUCCESS" in out1:
237 |         return pathlib.Path(extracted_file.name)
238 |     else:
239 |         print("ERROR running FGET.EXE: {}".format(out1))
240 |         sys.exit(1)
241 | 
242 | def extract_live_ese(tgt_file):
243 |     try:
244 |         tmp_dir = tempfile.mkdtemp()
245 |         esentutl_path = pathlib.Path(os.environ.get("COMSPEC")).parent / "esentutl.exe"
246 |         tgt_path = pathlib.Path(tgt_file)
247 |         destination = pathlib.Path(tmp_dir) / tgt_path.name
248 |         if not tgt_path.exists():
249 |             print("Unable to live aquire ese file {}. Target ESE path not found.".format(str(tgt_path)))
250 |             sys.exit(1)
251 |         if esentutl_path.exists():
252 |             print(f"Extracting {str(tgt_path)} with esentutl.exe")
253 |             cmdline = r'{} /y "{}" /vss /d "{}"'.format(str(esentutl_path), str(tgt_path), str(destination))
254 |         else:
255 |             print("ESENTUTL.EXE not found.  Reverting to fget.")
256 |             return extract_live_file(tgt_file)
257 |         print(cmdline)
258 |         phandle = subprocess.Popen(cmdline, shell=True,stdout=subprocess.PIPE, stderr=subprocess.PIPE)
259 |         out1,_ = phandle.communicate()
260 |     except Exception as e:
261 |         print("Error during live ese aquisition {}\n{}\n".format(str(e)))
262 |         return None
263 |     if b"success" in out1.lower():
264 |         return destination
265 |     else:
266 |         print("Unable to determine success or failure. \n{}\n".format( out1.decode() ))
267 |     return None
268 | 
269 | def create_csv(database, table_name, yaml= {}):
270 |     friendly_table_name = table_name
271 |     table_yaml = yaml.get('tables',{}).get(table_name,{})
272 |     if args.verbose and not table_yaml:
273 |         print(f"YAML WARNING: Table {table_name} is not defined in the YAML.")
274 |     else:
275 |         friendly_table_name = yaml.get('tables',{}).get(table_name,{}).get("name",table_name)
276 |         ignore_table = table_yaml.get("ignore","no") == "yes"
277 |         if ignore_table:
278 |             print(f"Table {friendly_table_name} ignored because of YAML setting.")
279 |             return
280 |     fcount = 1
281 |     dest_file = pathlib.Path(args.outpath) / (friendly_table_name+".csv")
282 |     while dest_file.exists():
283 |         dest_file = pathlib.Path.cwd() / (friendly_table_name+f"({fcount}).csv")
284 |         fcount += 1
285 |     with dest_file.open("w", newline = "") as csv_file:
286 |         csv_writer = csv.writer(csv_file, delimiter=',', quotechar='"', quoting=csv.QUOTE_MINIMAL)
287 |         print(f"Processing {friendly_table_name}")
288 |         ese_table = database.get_table_by_name(table_name)
289 |         header_row = []
290 |         for each_field in ese_table.columns:
291 |             name = each_field.name
292 |             if table_yaml:
293 |                 field_yaml = table_yaml.get("fields",{}).get(each_field.name,{})
294 |                 if args.verbose and not field_yaml:
295 |                         print (f"YAML WARNING: Format specifier missing in yaml for field {name} in {table_name}")
296 |                 name = field_yaml.get('name',each_field.name)
297 |                 ignore_field = field_yaml.get('ignore','no') == "yes"
298 |                 if ignore_field:
299 |                     continue
300 |             header_row.append(name)
301 |         if yaml_config and hasattr(plugin,"plugin_modify_header"):
302 |             header_row = plugin.plugin_modify_header(header_row,table_name)
303 |         csv_writer.writerow(header_row)
304 |         for rec_entry_num in range(ese_table.number_of_records):
305 |             data_row = []
306 |             for each_field in range(ese_table.number_of_columns):
307 |                 field_name = ese_table.columns[each_field].name
308 |                 data = smart_retrieve(ese_table,rec_entry_num, each_field)
309 |                 if table_yaml:
310 |                     ignore_field = table_yaml.get("fields",{}).get(field_name,{}).get('ignore','no') == "yes"
311 |                     if ignore_field:
312 |                         continue
313 |                     data_format = yaml.get('tables',{}).get(table_name,{}).get("fields",{}).get(field_name,{}).get('format',"")
314 |                     if data_format.startswith("function:"):
315 |                         func_call = data_format.split(":")[1]
316 |                         data = plugin.__dict__.get(func_call,lambda x:f"{data_format} not found")(data)
317 |                     elif data_format.startswith("lookup:"):
318 |                         data = lookup(data_format.split(":")[1],data)     
319 |                 data_row.append(data)
320 |             if yaml_config and hasattr(plugin,"plugin_modify_row"):
321 |                 data_row = plugin.plugin_modify_row(data_row, table_name)
322 |             csv_writer.writerow(data_row)
323 |         if yaml_config and hasattr(plugin,"plugin_end_of_file"):
324 |                 plugin.plugin_end_of_file(csv_writer, table_name)
325 | 
326 | 
327 | def load_yaml_table_refs(ese_db, plugin):
328 |     for each_table_reference in yaml_config.get("table_references",[]):
329 |         table_ref_value = yaml_config.get("table_references").get(each_table_reference)
330 |         try:
331 |             lookup_name = table_ref_value.get("table")
332 |             lookup_key = table_ref_value.get("key")
333 |             lookup_value = table_ref_value.get("value")
334 |             lookup_table = {}
335 |             ese_table = ese_db.get_table_by_name(lookup_name)
336 |             column_lookup = dict([(x.name,index) for index,x in enumerate(ese_table.columns)])
337 |             for eachrow in range(ese_table.number_of_records):
338 |                 val_list = []
339 |                 for each_val in lookup_value:
340 |                     val_list.append(smart_retrieve(ese_table, eachrow, column_lookup.get(each_val)))
341 |                 keyval = smart_retrieve(ese_table, eachrow, column_lookup.get(lookup_key))
342 |                 lookup_table[keyval] = val_list
343 |             yaml_config.get('lookups')[each_table_reference] = lookup_table
344 |         except Exception as e:
345 |             raise(e)
346 |     return yaml_config     
347 | 
348 | parser = argparse.ArgumentParser(description="Find and dump ESE databases.")
349 | parser.add_argument("--make-plugin", "-m", dest="makeconfig", help="Produce an editable shell of a plugin for the specified ese.",action="store_true")
350 | parser.add_argument("--pluggin", "-p", choices = plugin_list(), dest="config", help="Use a plugin that defines fields in the ese database.")
351 | parser.add_argument("--outpath", "-o", dest="outpath", default = str(pathlib.Path.cwd()), help="The directory to which the CSV(s) will be written.")
352 | parser.add_argument("--acquire-live", "-a", dest="acquire", help="Use FGET to extract locked file for processing.",action="store_true")
353 | parser.add_argument("--verbose", "-v", dest="verbose", help="Generate Verbose output for debugging.",action="store_true")
354 | parser.add_argument("--list-tables", "-l", dest="listtables", help="List all tables in the ese.",action="store_true")
355 | parser.add_argument("--recurse", "-r", dest="recurse", help="Recurse subdirectories to find ese in path.",action="store_true")
356 | parser.add_argument("--dump-tables", "-d", dest="dumptables", help="Only dump tables listed here separated by spaces. End this list with double dash if this is not followed by additional optional arguments. --.",nargs = "*")
357 | parser.add_argument("--plugin-args", dest="pluginargs", default = [], help="Arguments passed to plugin. End arguments with double dash if this is not followed by additional optional arguments. --.",nargs = "*")
358 | parser.add_argument("ese_file", help = "This required file name is an ese database")
359 | args = parser.parse_args()
360 | 
361 | if args.outpath and not (pathlib.Path(args.outpath).exists() and pathlib.Path(args.outpath).is_dir()):
362 |     print("The specified output path is inaccessible.")
363 |     sys.exit(1)
364 | 
365 | edb_list = pathlib.Path(args.ese_file)
366 | if args.recurse:
367 |     edb_list = edb_list.parent.rglob(edb_list.name)
368 | else:
369 |     edb_list = edb_list.parent.glob(edb_list.name)
370 | 
371 | yaml_config = {}
372 | if args.config:
373 |     if getattr(sys, 'frozen', False):
374 |         program_dir = pathlib.Path(sys.executable)
375 |     elif __file__:
376 |         program_dir = pathlib.Path(__file__)
377 |     sys.path.append(str(program_dir.resolve().parent))
378 |     sys.path.append(str(pathlib.Path.cwd()))
379 |     try: 
380 |         plugin = importlib.import_module(args.config)
381 |     except Exception as e:
382 |         print(f"Unable to import plugin {args.config}. Proceeding without plugin. {str(e)}")
383 |     else:
384 |         yaml_config = yaml.safe_load(plugin.yaml_config)
385 |         plugin.smart_retrieve = smart_retrieve
386 |         plugin.blob_to_string = blob_to_string
387 |         plugin.lookup = lookup
388 |         plugin.ole_timestatmp = ole_timestamp
389 |         plugin.file_timestamp = file_timestamp
390 |         plugin.extract_live_file = extract_live_file
391 |         plugin.extract_live_ese = extract_live_ese
392 |         plugin.args = args.pluginargs
393 | 
394 | file_count = 0
395 | for edb_path in edb_list:
396 |     edb_path_original = str(edb_path)
397 |     file_count += 1
398 |     print(f"Processing File {edb_path_original}")
399 | 
400 |     if not edb_path.exists():
401 |         print(f"File {edb_path_original} not found. Skipping it!")
402 |         continue
403 | 
404 |     if args.acquire:
405 |         edb_path = extract_live_ese(edb_path)
406 | 
407 |     ese_db = pyesedb.file()
408 |     try:
409 |         ese_db.open(str(edb_path))
410 |     except Exception as e:
411 |         if "libesedb_file_open_wide" in str(e):
412 |             print("Not an ese file. Skipping.")
413 |         else:
414 |             print(f"Unable to open ESE. Perhaps it is locked (try -a) or it is not an ese. \n\n{str(e)}\n")
415 |         if args.acquire:
416 |             edb_path.unlink()
417 |         continue
418 | 
419 |     if yaml_config:
420 |             yaml_config = load_yaml_table_refs(ese_db, plugin)
421 |             if hasattr(plugin,"plugin_init"):
422 |                 plugin.plugin_init(ese_db)
423 | 
424 |     if args.makeconfig:
425 |         ese_config = make_config(ese_db)
426 |         print(ese_config)
427 |     elif args.listtables:
428 |         print(f"TABLE LISTING FOR ESE FILE {str(edb_path_original)}\n")
429 |         for eachtable in ese_db.tables:
430 |             if not yaml_config:
431 |                 try:
432 |                     print(f"Table {eachtable.name} has {eachtable.number_of_records} records")
433 |                 except Exception as e:
434 |                     print(f"Table {eachtable.name} {str(e)}")
435 |             else:
436 |                 friendly_name = yaml_config.get('tables',{}).get(eachtable.name,{}).get("name",eachtable.name)
437 |                 try:
438 |                     print(f"Table {eachtable.name} aka {friendly_name} has {eachtable.number_of_records} records") 
439 |                 except Exception as e:
440 |                     print(f"Table {eachtable.name} aka {friendly_name}")
441 |         print(f"\nDone listing {str(edb_path_original)}\n")
442 |     else:
443 |         for eachtable in ese_db.tables:
444 |             friendly_name = yaml_config.get('tables',{}).get(eachtable.name,{}).get("name",eachtable.name)
445 |             if args.dumptables and (eachtable.name not in args.dumptables) and (friendly_name not in args.dumptables):
446 |                 continue
447 |             create_csv(ese_db, eachtable.name, yaml_config )
448 | 
449 |     ese_db.close()
450 |     if args.acquire:
451 |         edb_path.unlink()
452 | 
453 | print(f"{file_count} files matched the file path criteria specified.")


--------------------------------------------------------------------------------
/spartan_plugin.py:
--------------------------------------------------------------------------------
   1 | yaml_config = r"""
   2 | lookups:
   3 |   numbers:
   4 |     0: zero
   5 |     1: one
   6 | tables:
   7 |   BookSetMembers:
   8 |     fields:
   9 |       MemberId:
  10 |         format: None
  11 |         friendly name: MemberId
  12 |         ignore: 'no'
  13 |       Name:
  14 |         format: None
  15 |         friendly name: Name
  16 |         ignore: 'no'
  17 |       RowId:
  18 |         format: None
  19 |         friendly name: RowId
  20 |         ignore: 'no'
  21 |       Type:
  22 |         format: None
  23 |         friendly name: Type
  24 |         ignore: 'no'
  25 |     ignore: 'no'
  26 |     name: BookSetMembers
  27 |   BookSetShareRights:
  28 |     fields:
  29 |       AccountId:
  30 |         format: None
  31 |         friendly name: AccountId
  32 |         ignore: 'no'
  33 |       BookSetId:
  34 |         format: None
  35 |         friendly name: BookSetId
  36 |         ignore: 'no'
  37 |       ErrorCode:
  38 |         format: None
  39 |         friendly name: ErrorCode
  40 |         ignore: 'no'
  41 |       MemberId:
  42 |         format: None
  43 |         friendly name: MemberId
  44 |         ignore: 'no'
  45 |       Permissions:
  46 |         format: None
  47 |         friendly name: Permissions
  48 |         ignore: 'no'
  49 |       RowId:
  50 |         format: None
  51 |         friendly name: RowId
  52 |         ignore: 'no'
  53 |       SyncStatus:
  54 |         format: None
  55 |         friendly name: SyncStatus
  56 |         ignore: 'no'
  57 |     ignore: 'no'
  58 |     name: BookSetShareRights
  59 |   BookSets:
  60 |     fields:
  61 |       AccountId:
  62 |         format: None
  63 |         friendly name: AccountId
  64 |         ignore: 'no'
  65 |       FullyAppliedSyncToken:
  66 |         format: None
  67 |         friendly name: FullyAppliedSyncToken
  68 |         ignore: 'no'
  69 |       IsDeleted:
  70 |         format: None
  71 |         friendly name: IsDeleted
  72 |         ignore: 'no'
  73 |       IsHydrationNeeded:
  74 |         format: None
  75 |         friendly name: IsHydrationNeeded
  76 |         ignore: 'no'
  77 |       IsPushAllowed:
  78 |         format: None
  79 |         friendly name: IsPushAllowed
  80 |         ignore: 'no'
  81 |       ItemId:
  82 |         format: None
  83 |         friendly name: ItemId
  84 |         ignore: 'no'
  85 |       Name:
  86 |         format: None
  87 |         friendly name: Name
  88 |         ignore: 'no'
  89 |       OpenedBookId:
  90 |         format: None
  91 |         friendly name: OpenedBookId
  92 |         ignore: 'no'
  93 |       OwnerId:
  94 |         format: None
  95 |         friendly name: OwnerId
  96 |         ignore: 'no'
  97 |       RowId:
  98 |         format: None
  99 |         friendly name: RowId
 100 |         ignore: 'no'
 101 |       SyncId:
 102 |         format: None
 103 |         friendly name: SyncId
 104 |         ignore: 'no'
 105 |       SyncToken:
 106 |         format: None
 107 |         friendly name: SyncToken
 108 |         ignore: 'no'
 109 |       SyncTokenVersion:
 110 |         format: None
 111 |         friendly name: SyncTokenVersion
 112 |         ignore: 'no'
 113 |       UpdatedDate:
 114 |         format: None
 115 |         friendly name: UpdatedDate
 116 |         ignore: 'no'
 117 |     ignore: 'no'
 118 |     name: BookSets
 119 |   GenericAutoSuggestStorage:
 120 |     fields:
 121 |       DateAccessed:
 122 |         format: None
 123 |         friendly name: DateAccessed
 124 |         ignore: 'no'
 125 |       DateUpdated:
 126 |         format: None
 127 |         friendly name: DateUpdated
 128 |         ignore: 'no'
 129 |       IsDeleted:
 130 |         format: None
 131 |         friendly name: IsDeleted
 132 |         ignore: 'no'
 133 |       IsShaGenerated:
 134 |         format: None
 135 |         friendly name: IsShaGenerated
 136 |         ignore: 'no'
 137 |       ItemId:
 138 |         format: None
 139 |         friendly name: ItemId
 140 |         ignore: 'no'
 141 |       Key:
 142 |         format: None
 143 |         friendly name: Key
 144 |         ignore: 'no'
 145 |       RowId:
 146 |         format: None
 147 |         friendly name: RowId
 148 |         ignore: 'no'
 149 |       URL:
 150 |         format: None
 151 |         friendly name: URL
 152 |         ignore: 'no'
 153 |       UseCount:
 154 |         format: None
 155 |         friendly name: UseCount
 156 |         ignore: 'no'
 157 |       Value:
 158 |         format: None
 159 |         friendly name: Value
 160 |         ignore: 'no'
 161 |     ignore: 'no'
 162 |     name: GenericAutoSuggestStorage
 163 |   PinningRules:
 164 |     fields:
 165 |       Host:
 166 |         format: None
 167 |         friendly name: Host
 168 |         ignore: 'no'
 169 |       Port:
 170 |         format: None
 171 |         friendly name: Port
 172 |         ignore: 'no'
 173 |       RowId:
 174 |         format: None
 175 |         friendly name: RowId
 176 |         ignore: 'no'
 177 |       Scheme:
 178 |         format: None
 179 |         friendly name: Scheme
 180 |         ignore: 'no'
 181 |       UriHash:
 182 |         format: None
 183 |         friendly name: UriHash
 184 |         ignore: 'no'
 185 |     ignore: 'no'
 186 |     name: PinningRules
 187 |   UserDataSourceInfo:
 188 |     fields:
 189 |       DataSourceId:
 190 |         format: None
 191 |         friendly name: DataSourceId
 192 |         ignore: 'no'
 193 |       DataSourceType:
 194 |         format: None
 195 |         friendly name: DataSourceType
 196 |         ignore: 'no'
 197 |       LastCommunicationUTC:
 198 |         format: None
 199 |         friendly name: LastCommunicationUTC
 200 |         ignore: 'no'
 201 |       RowId:
 202 |         format: None
 203 |         friendly name: RowId
 204 |         ignore: 'no'
 205 |     ignore: 'no'
 206 |     name: UserDataSourceInfo
 207 |   WebsitePermissions:
 208 |     fields:
 209 |       FullscreenPermissionStatus:
 210 |         format: None
 211 |         friendly name: FullscreenPermissionStatus
 212 |         ignore: 'no'
 213 |       LocationPermissionStatus:
 214 |         format: None
 215 |         friendly name: LocationPermissionStatus
 216 |         ignore: 'no'
 217 |       RowId:
 218 |         format: None
 219 |         friendly name: RowId
 220 |         ignore: 'no'
 221 |       URL:
 222 |         format: None
 223 |         friendly name: URL
 224 |         ignore: 'no'
 225 |       UrlHash:
 226 |         format: None
 227 |         friendly name: UrlHash
 228 |         ignore: 'no'
 229 |     ignore: 'no'
 230 |     name: WebsitePermissions
 231 |   AutoFormFillAddressStorage:
 232 |     fields:
 233 |       AddressLine1:
 234 |         format: None
 235 |         friendly name: AddressLine1
 236 |         ignore: 'no'
 237 |       AddressLine2:
 238 |         format: None
 239 |         friendly name: AddressLine2
 240 |         ignore: 'no'
 241 |       AddressLine3:
 242 |         format: None
 243 |         friendly name: AddressLine3
 244 |         ignore: 'no'
 245 |       AddressType:
 246 |         format: None
 247 |         friendly name: AddressType
 248 |         ignore: 'no'
 249 |       CedexCode:
 250 |         format: None
 251 |         friendly name: CedexCode
 252 |         ignore: 'no'
 253 |       City:
 254 |         format: None
 255 |         friendly name: City
 256 |         ignore: 'no'
 257 |       Country:
 258 |         format: None
 259 |         friendly name: Country
 260 |         ignore: 'no'
 261 |       CountryCode:
 262 |         format: None
 263 |         friendly name: CountryCode
 264 |         ignore: 'no'
 265 |       DateAccessed:
 266 |         format: function:file_timestamp
 267 |         friendly name: DateAccessed
 268 |         ignore: 'no'
 269 |       DateAdded:
 270 |         format: function:file_timestamp
 271 |         friendly name: DateAdded
 272 |         ignore: 'no'
 273 |       DateUpdated:
 274 |         format: function:file_timestamp
 275 |         friendly name: DateUpdated
 276 |         ignore: 'no'
 277 |       IsDeleted:
 278 |         format: None
 279 |         friendly name: IsDeleted
 280 |         ignore: 'no'
 281 |       ItemId:
 282 |         format: None
 283 |         friendly name: ItemId
 284 |         ignore: 'no'
 285 |       Locality:
 286 |         format: None
 287 |         friendly name: Locality
 288 |         ignore: 'no'
 289 |       RowId:
 290 |         format: None
 291 |         friendly name: RowId
 292 |         ignore: 'no'
 293 |       State:
 294 |         format: None
 295 |         friendly name: State
 296 |         ignore: 'no'
 297 |       UseCount:
 298 |         format: None
 299 |         friendly name: UseCount
 300 |         ignore: 'no'
 301 |       ZipCode:
 302 |         format: None
 303 |         friendly name: ZipCode
 304 |         ignore: 'no'
 305 |     ignore: 'no'
 306 |     name: AutoFormFillAddressStorage
 307 |   AutoFormFillPaymentStorage:
 308 |     fields:
 309 |       AccountType:
 310 |         format: None
 311 |         friendly name: AccountType
 312 |         ignore: 'no'
 313 |       AddressItemGuid:
 314 |         format: None
 315 |         friendly name: AddressItemGuid
 316 |         ignore: 'no'
 317 |       AssociatedAccount:
 318 |         format: None
 319 |         friendly name: AssociatedAccount
 320 |         ignore: 'no'
 321 |       CardHolderFirstName:
 322 |         format: None
 323 |         friendly name: CardHolderFirstName
 324 |         ignore: 'no'
 325 |       CardHolderLastName:
 326 |         format: None
 327 |         friendly name: CardHolderLastName
 328 |         ignore: 'no'
 329 |       CardHolderMiddleName:
 330 |         format: None
 331 |         friendly name: CardHolderMiddleName
 332 |         ignore: 'no'
 333 |       CardType:
 334 |         format: None
 335 |         friendly name: CardType
 336 |         ignore: 'no'
 337 |       CreditCardNumber:
 338 |         format: None
 339 |         friendly name: CreditCardNumber
 340 |         ignore: 'no'
 341 |       DateAccessed:
 342 |         format: function:file_timestamp
 343 |         friendly name: DateAccessed
 344 |         ignore: 'no'
 345 |       DateAdded:
 346 |         format: function:file_timestamp
 347 |         friendly name: DateAdded
 348 |         ignore: 'no'
 349 |       DateUpdated:
 350 |         format: function:file_timestamp
 351 |         friendly name: DateUpdated
 352 |         ignore: 'no'
 353 |       ExpiryMonth:
 354 |         format: None
 355 |         friendly name: ExpiryMonth
 356 |         ignore: 'no'
 357 |       ExpiryYear:
 358 |         format: None
 359 |         friendly name: ExpiryYear
 360 |         ignore: 'no'
 361 |       IsDeleted:
 362 |         format: None
 363 |         friendly name: IsDeleted
 364 |         ignore: 'no'
 365 |       IsFromWallet:
 366 |         format: None
 367 |         friendly name: IsFromWallet
 368 |         ignore: 'no'
 369 |       IsUploadedToWallet:
 370 |         format: None
 371 |         friendly name: IsUploadedToWallet
 372 |         ignore: 'no'
 373 |       PaymentItemId:
 374 |         format: None
 375 |         friendly name: PaymentItemId
 376 |         ignore: 'no'
 377 |       PaymentMethodType:
 378 |         format: None
 379 |         friendly name: PaymentMethodType
 380 |         ignore: 'no'
 381 |       RowId:
 382 |         format: None
 383 |         friendly name: RowId
 384 |         ignore: 'no'
 385 |       UseCount:
 386 |         format: None
 387 |         friendly name: UseCount
 388 |         ignore: 'no'
 389 |     ignore: 'no'
 390 |     name: AutoFormFillPaymentStorage
 391 |   AutoFormFillStorage:
 392 |     fields:
 393 |       AddressItemGuid:
 394 |         format: None
 395 |         friendly name: AddressItemGuid
 396 |         ignore: 'no'
 397 |       CompanyName:
 398 |         format: None
 399 |         friendly name: CompanyName
 400 |         ignore: 'no'
 401 |       DateAccessed:
 402 |         format: function:file_timestamp
 403 |         friendly name: DateAccessed
 404 |         ignore: 'no'
 405 |       DateAdded:
 406 |         format: function:file_timestamp
 407 |         friendly name: DateAdded
 408 |         ignore: 'no'
 409 |       DateUpdated:
 410 |         format: function:file_timestamp
 411 |         friendly name: DateUpdated
 412 |         ignore: 'no'
 413 |       Email:
 414 |         format: None
 415 |         friendly name: Email
 416 |         ignore: 'no'
 417 |       FirstName:
 418 |         format: None
 419 |         friendly name: FirstName
 420 |         ignore: 'no'
 421 |       FormUrl:
 422 |         format: function:remove_null_bytes
 423 |         friendly name: FormUrl
 424 |         ignore: 'no'
 425 |       IsDeleted:
 426 |         format: None
 427 |         friendly name: IsDeleted
 428 |         ignore: 'no'
 429 |       ItemId:
 430 |         format: None
 431 |         friendly name: ItemId
 432 |         ignore: 'no'
 433 |       JetStub_109_1:
 434 |         format: None
 435 |         friendly name: JetStub_109_1
 436 |         ignore: 'no'
 437 |       JetStub_109_256:
 438 |         format: None
 439 |         friendly name: JetStub_109_256
 440 |         ignore: 'no'
 441 |       JetStub_109_257:
 442 |         format: None
 443 |         friendly name: JetStub_109_257
 444 |         ignore: 'no'
 445 |       JetStub_109_258:
 446 |         format: None
 447 |         friendly name: JetStub_109_258
 448 |         ignore: 'no'
 449 |       JetStub_109_259:
 450 |         format: None
 451 |         friendly name: JetStub_109_259
 452 |         ignore: 'no'
 453 |       JetStub_109_260:
 454 |         format: None
 455 |         friendly name: JetStub_109_260
 456 |         ignore: 'no'
 457 |       JetStub_109_262:
 458 |         format: None
 459 |         friendly name: JetStub_109_262
 460 |         ignore: 'no'
 461 |       JetStub_109_271:
 462 |         format: None
 463 |         friendly name: JetStub_109_271
 464 |         ignore: 'no'
 465 |       JetStub_109_274:
 466 |         format: None
 467 |         friendly name: JetStub_109_274
 468 |         ignore: 'no'
 469 |       JetStub_109_275:
 470 |         format: None
 471 |         friendly name: JetStub_109_275
 472 |         ignore: 'no'
 473 |       LastName:
 474 |         format: None
 475 |         friendly name: LastName
 476 |         ignore: 'no'
 477 |       MiddleName:
 478 |         format: None
 479 |         friendly name: MiddleName
 480 |         ignore: 'no'
 481 |       Phone:
 482 |         format: None
 483 |         friendly name: Phone
 484 |         ignore: 'no'
 485 |       RowId:
 486 |         format: None
 487 |         friendly name: RowId
 488 |         ignore: 'no'
 489 |       UseCount:
 490 |         format: None
 491 |         friendly name: UseCount
 492 |         ignore: 'no'
 493 |     ignore: 'no'
 494 |     name: AutoFormFillStorage
 495 |   BhxActionsTable:
 496 |     fields:
 497 |       AppxId:
 498 |         format: None
 499 |         friendly name: AppxId
 500 |         ignore: 'no'
 501 |       BhxExtensionEnabled:
 502 |         format: None
 503 |         friendly name: BhxExtensionEnabled
 504 |         ignore: 'no'
 505 |       ExtensionId:
 506 |         format: None
 507 |         friendly name: ExtensionId
 508 |         ignore: 'no'
 509 |       Icon:
 510 |         format: None
 511 |         friendly name: Icon
 512 |         ignore: 'no'
 513 |       IsBrowserAction:
 514 |         format: None
 515 |         friendly name: IsBrowserAction
 516 |         ignore: 'no'
 517 |       Popup:
 518 |         format: None
 519 |         friendly name: Popup
 520 |         ignore: 'no'
 521 |       RowId:
 522 |         format: None
 523 |         friendly name: RowId
 524 |         ignore: 'no'
 525 |       Title:
 526 |         format: function:remove_null_bytes
 527 |         friendly name: Title
 528 |         ignore: 'no'
 529 |     ignore: 'no'
 530 |     name: BhxActionsTable
 531 |   BhxContentScriptTable:
 532 |     fields:
 533 |       AppxId:
 534 |         format: None
 535 |         friendly name: AppxId
 536 |         ignore: 'no'
 537 |       BhxExtensionEnabled:
 538 |         format: None
 539 |         friendly name: BhxExtensionEnabled
 540 |         ignore: 'no'
 541 |       ContentScriptInfo:
 542 |         format: None
 543 |         friendly name: ContentScriptInfo
 544 |         ignore: 'no'
 545 |       ExtensionId:
 546 |         format: None
 547 |         friendly name: ExtensionId
 548 |         ignore: 'no'
 549 |       Permissions:
 550 |         format: None
 551 |         friendly name: Permissions
 552 |         ignore: 'no'
 553 |       RowId:
 554 |         format: None
 555 |         friendly name: RowId
 556 |         ignore: 'no'
 557 |       WebAccessibleResources:
 558 |         format: None
 559 |         friendly name: WebAccessibleResources
 560 |         ignore: 'no'
 561 |     ignore: 'no'
 562 |     name: BhxContentScriptTable
 563 |   BhxHostTable:
 564 |     fields:
 565 |       AppxId:
 566 |         format: None
 567 |         friendly name: AppxId
 568 |         ignore: 'no'
 569 |       BackgroundPage:
 570 |         format: None
 571 |         friendly name: BackgroundPage
 572 |         ignore: 'no'
 573 |       BackgroundScripts:
 574 |         format: None
 575 |         friendly name: BackgroundScripts
 576 |         ignore: 'no'
 577 |       ExtensionId:
 578 |         format: None
 579 |         friendly name: ExtensionId
 580 |         ignore: 'no'
 581 |       HasOptionalPermissions:
 582 |         format: None
 583 |         friendly name: HasOptionalPermissions
 584 |         ignore: 'no'
 585 |       IsPersistentPage:
 586 |         format: None
 587 |         friendly name: IsPersistentPage
 588 |         ignore: 'no'
 589 |       PermissionsBitField:
 590 |         format: None
 591 |         friendly name: PermissionsBitField
 592 |         ignore: 'no'
 593 |       RowId:
 594 |         format: None
 595 |         friendly name: RowId
 596 |         ignore: 'no'
 597 |       UrlMatches:
 598 |         format: None
 599 |         friendly name: UrlMatches
 600 |         ignore: 'no'
 601 |       UrlPermissions:
 602 |         format: None
 603 |         friendly name: UrlPermissions
 604 |         ignore: 'no'
 605 |     ignore: 'no'
 606 |     name: BhxHostTable
 607 |   BookAnnotations:
 608 |     fields:
 609 |       AddedDate:
 610 |         format: function:file_timestamp
 611 |         friendly name: AddedDate
 612 |         ignore: 'no'
 613 |       Context:
 614 |         format: None
 615 |         friendly name: Context
 616 |         ignore: 'no'
 617 |       HighlightColor:
 618 |         format: None
 619 |         friendly name: HighlightColor
 620 |         ignore: 'no'
 621 |       InkNoteBlobId:
 622 |         format: None
 623 |         friendly name: InkNoteBlobId
 624 |         ignore: 'no'
 625 |       InkNoteMetadataId:
 626 |         format: None
 627 |         friendly name: InkNoteMetadataId
 628 |         ignore: 'no'
 629 |       IsDeleted:
 630 |         format: None
 631 |         friendly name: IsDeleted
 632 |         ignore: 'no'
 633 |       IsMetadataUpToDate:
 634 |         format: None
 635 |         friendly name: IsMetadataUpToDate
 636 |         ignore: 'no'
 637 |       ItemId:
 638 |         format: None
 639 |         friendly name: ItemId
 640 |         ignore: 'no'
 641 |       Layout:
 642 |         format: None
 643 |         friendly name: Layout
 644 |         ignore: 'no'
 645 |       LineStyle:
 646 |         format: None
 647 |         friendly name: LineStyle
 648 |         ignore: 'no'
 649 |       OpenedBookId:
 650 |         format: None
 651 |         friendly name: OpenedBookId
 652 |         ignore: 'no'
 653 |       PageNumber:
 654 |         format: None
 655 |         friendly name: PageNumber
 656 |         ignore: 'no'
 657 |       ProductVersion:
 658 |         format: None
 659 |         friendly name: ProductVersion
 660 |         ignore: 'no'
 661 |       ProgressInBook:
 662 |         format: None
 663 |         friendly name: ProgressInBook
 664 |         ignore: 'no'
 665 |       ReadingPosition:
 666 |         format: None
 667 |         friendly name: ReadingPosition
 668 |         ignore: 'no'
 669 |       RowId:
 670 |         format: None
 671 |         friendly name: RowId
 672 |         ignore: 'no'
 673 |       SyncStatus:
 674 |         format: None
 675 |         friendly name: SyncStatus
 676 |         ignore: 'no'
 677 |       TypedNoteText:
 678 |         format: function:remove_null_bytes
 679 |         friendly name: TypedNoteText
 680 |         ignore: 'no'
 681 |       UpdatedDate:
 682 |         format: function:file_timestamp
 683 |         friendly name: UpdatedDate
 684 |         ignore: 'no'
 685 |     ignore: 'no'
 686 |     name: BookAnnotations
 687 |   BookPushOperations:
 688 |     fields:
 689 |       AccountId:
 690 |         format: None
 691 |         friendly name: AccountId
 692 |         ignore: 'no'
 693 |       BlobId:
 694 |         format: None
 695 |         friendly name: BlobId
 696 |         ignore: 'no'
 697 |       Category:
 698 |         format: None
 699 |         friendly name: Category
 700 |         ignore: 'no'
 701 |       ErrorCount:
 702 |         format: None
 703 |         friendly name: ErrorCount
 704 |         ignore: 'no'
 705 |       ErrorRetry:
 706 |         format: None
 707 |         friendly name: ErrorRetry
 708 |         ignore: 'no'
 709 |       ItemId:
 710 |         format: None
 711 |         friendly name: ItemId
 712 |         ignore: 'no'
 713 |       MetadataId:
 714 |         format: None
 715 |         friendly name: MetadataId
 716 |         ignore: 'no'
 717 |       OpenedBookId:
 718 |         format: None
 719 |         friendly name: OpenedBookId
 720 |         ignore: 'no'
 721 |       Path:
 722 |         format: None
 723 |         friendly name: Path
 724 |         ignore: 'no'
 725 |       RowId:
 726 |         format: None
 727 |         friendly name: RowId
 728 |         ignore: 'no'
 729 |       Timestamp:
 730 |         format: None
 731 |         friendly name: Timestamp
 732 |         ignore: 'no'
 733 |       Type:
 734 |         format: None
 735 |         friendly name: Type
 736 |         ignore: 'no'
 737 |       UserDataId:
 738 |         format: None
 739 |         friendly name: UserDataId
 740 |         ignore: 'no'
 741 |       Value:
 742 |         format: None
 743 |         friendly name: Value
 744 |         ignore: 'no'
 745 |     ignore: 'no'
 746 |     name: BookPushOperations
 747 |   Bookmarks:
 748 |     fields:
 749 |       AddedDate:
 750 |         format: function:file_timestamp
 751 |         friendly name: AddedDate
 752 |         ignore: 'no'
 753 |       BookId:
 754 |         format: None
 755 |         friendly name: BookId
 756 |         ignore: 'no'
 757 |       IsDeleted:
 758 |         format: None
 759 |         friendly name: IsDeleted
 760 |         ignore: 'no'
 761 |       ItemId:
 762 |         format: None
 763 |         friendly name: ItemId
 764 |         ignore: 'no'
 765 |       PageNumber:
 766 |         format: None
 767 |         friendly name: PageNumber
 768 |         ignore: 'no'
 769 |       ProductVersion:
 770 |         format: None
 771 |         friendly name: ProductVersion
 772 |         ignore: 'no'
 773 |       ProgressInBook:
 774 |         format: None
 775 |         friendly name: ProgressInBook
 776 |         ignore: 'no'
 777 |       ReadingPosition:
 778 |         format: None
 779 |         friendly name: ReadingPosition
 780 |         ignore: 'no'
 781 |       RowId:
 782 |         format: None
 783 |         friendly name: RowId
 784 |         ignore: 'no'
 785 |       SyncStatus:
 786 |         format: None
 787 |         friendly name: SyncStatus
 788 |         ignore: 'no'
 789 |       Title:
 790 |         format: function:remove_null_bytes
 791 |         friendly name: Title
 792 |         ignore: 'no'
 793 |       UpdatedDate:
 794 |         format: function:file_timestamp
 795 |         friendly name: UpdatedDate
 796 |         ignore: 'no'
 797 |     ignore: 'no'
 798 |     name: Bookmarks
 799 |   CARules:
 800 |     fields:
 801 |       Domain:
 802 |         format: function:remove_null_bytes
 803 |         friendly name: Domain
 804 |         ignore: 'no'
 805 |       RowId:
 806 |         format: None
 807 |         friendly name: RowId
 808 |         ignore: 'no'
 809 |       Rule:
 810 |         format: None
 811 |         friendly name: Rule
 812 |         ignore: 'no'
 813 |       RuleType:
 814 |         format: None
 815 |         friendly name: RuleType
 816 |         ignore: 'no'
 817 |     ignore: 'no'
 818 |     name: CARules
 819 |   CloudLibrary:
 820 |     fields:
 821 |       AccountId:
 822 |         format: None
 823 |         friendly name: AccountId
 824 |         ignore: 'no'
 825 |       FullyAppliedSyncToken:
 826 |         format: None
 827 |         friendly name: FullyAppliedSyncToken
 828 |         ignore: 'no'
 829 |       IsPushAllowed:
 830 |         format: None
 831 |         friendly name: IsPushAllowed
 832 |         ignore: 'no'
 833 |       RowId:
 834 |         format: None
 835 |         friendly name: RowId
 836 |         ignore: 'no'
 837 |       SyncToken:
 838 |         format: None
 839 |         friendly name: SyncToken
 840 |         ignore: 'no'
 841 |     ignore: 'no'
 842 |     name: CloudLibrary
 843 |   EdgeScenarioLogger:
 844 |     fields:
 845 |       Cookie:
 846 |         format: None
 847 |         friendly name: Cookie
 848 |         ignore: 'no'
 849 |       Data:
 850 |         format: None
 851 |         friendly name: Data
 852 |         ignore: 'no'
 853 |       Duration:
 854 |         format: None
 855 |         friendly name: Duration
 856 |         ignore: 'no'
 857 |       EndTime:
 858 |         format: None
 859 |         friendly name: EndTime
 860 |         ignore: 'no'
 861 |       InstanceCount:
 862 |         format: None
 863 |         friendly name: InstanceCount
 864 |         ignore: 'no'
 865 |       IsDeleted:
 866 |         format: None
 867 |         friendly name: IsDeleted
 868 |         ignore: 'no'
 869 |       IsIndividualItem:
 870 |         format: None
 871 |         friendly name: IsIndividualItem
 872 |         ignore: 'no'
 873 |       RowId:
 874 |         format: None
 875 |         friendly name: RowId
 876 |         ignore: 'no'
 877 |       ScenarioId:
 878 |         format: None
 879 |         friendly name: ScenarioId
 880 |         ignore: 'no'
 881 |       StartTime:
 882 |         format: None
 883 |         friendly name: StartTime
 884 |         ignore: 'no'
 885 |     ignore: 'no'
 886 |     name: EdgeScenarioLogger
 887 |   ExtensionIdsList:
 888 |     fields:
 889 |       DateUpdated:
 890 |         format: function:file_timestamp
 891 |         friendly name: DateUpdated
 892 |         ignore: 'no'
 893 |       ExtensionId:
 894 |         format: None
 895 |         friendly name: ExtensionId
 896 |         ignore: 'no'
 897 |       InstallStatus:
 898 |         format: None
 899 |         friendly name: InstallStatus
 900 |         ignore: 'no'
 901 |       InstallType:
 902 |         format: None
 903 |         friendly name: InstallType
 904 |         ignore: 'no'
 905 |       RowId:
 906 |         format: None
 907 |         friendly name: RowId
 908 |         ignore: 'no'
 909 |     ignore: 'no'
 910 |     name: ExtensionIdsList
 911 |   ExtensionsList:
 912 |     fields:
 913 |       Author:
 914 |         format: None
 915 |         friendly name: Author
 916 |         ignore: 'no'
 917 |       BhxExtensionEnabled:
 918 |         format: None
 919 |         friendly name: BhxExtensionEnabled
 920 |         ignore: 'no'
 921 |       BhxExtensionId:
 922 |         format: None
 923 |         friendly name: BhxExtensionId
 924 |         ignore: 'no'
 925 |       BhxExtensionName:
 926 |         format: None
 927 |         friendly name: BhxExtensionName
 928 |         ignore: 'no'
 929 |       BhxInstallTime:
 930 |         format: None
 931 |         friendly name: BhxInstallTime
 932 |         ignore: 'no'
 933 |       Description:
 934 |         format: None
 935 |         friendly name: Description
 936 |         ignore: 'no'
 937 |       ExtensionOrigin:
 938 |         format: None
 939 |         friendly name: ExtensionOrigin
 940 |         ignore: 'no'
 941 |       HomepageUrl:
 942 |         format: function:remove_null_bytes
 943 |         friendly name: HomepageUrl
 944 |         ignore: 'no'
 945 |       InstallType:
 946 |         format: None
 947 |         friendly name: InstallType
 948 |         ignore: 'no'
 949 |       IsOfflineEnabled:
 950 |         format: None
 951 |         friendly name: IsOfflineEnabled
 952 |         ignore: 'no'
 953 |       Key:
 954 |         format: None
 955 |         friendly name: Key
 956 |         ignore: 'no'
 957 |       Locale:
 958 |         format: None
 959 |         friendly name: Locale
 960 |         ignore: 'no'
 961 |       ManifestVersion:
 962 |         format: None
 963 |         friendly name: ManifestVersion
 964 |         ignore: 'no'
 965 |       MinBrowserVersion:
 966 |         format: None
 967 |         friendly name: MinBrowserVersion
 968 |         ignore: 'no'
 969 |       OptionalPermissions:
 970 |         format: None
 971 |         friendly name: OptionalPermissions
 972 |         ignore: 'no'
 973 |       OptionsPage:
 974 |         format: None
 975 |         friendly name: OptionsPage
 976 |         ignore: 'no'
 977 |       Permissions:
 978 |         format: None
 979 |         friendly name: Permissions
 980 |         ignore: 'no'
 981 |       RootPath:
 982 |         format: None
 983 |         friendly name: RootPath
 984 |         ignore: 'no'
 985 |       RowId:
 986 |         format: None
 987 |         friendly name: RowId
 988 |         ignore: 'no'
 989 |       SettingsFlags:
 990 |         format: None
 991 |         friendly name: SettingsFlags
 992 |         ignore: 'no'
 993 |       ShortName:
 994 |         format: None
 995 |         friendly name: ShortName
 996 |         ignore: 'no'
 997 |       UpdateVersion:
 998 |         format: None
 999 |         friendly name: UpdateVersion
1000 |         ignore: 'no'
1001 |       Version:
1002 |         format: None
1003 |         friendly name: Version
1004 |         ignore: 'no'
1005 |     ignore: 'no'
1006 |     name: ExtensionsList
1007 |   Favorites:
1008 |     fields:
1009 |       DateSyncedWithIE:
1010 |         format: function:file_timestamp
1011 |         friendly name: DateSyncedWithIE
1012 |         ignore: 'no'
1013 |       DateUpdated:
1014 |         format: function:file_timestamp
1015 |         friendly name: DateUpdated
1016 |         ignore: 'no'
1017 |       DisplayMode:
1018 |         format: None
1019 |         friendly name: DisplayMode
1020 |         ignore: 'no'
1021 |       FaviconFile:
1022 |         format: None
1023 |         friendly name: FaviconFile
1024 |         ignore: 'no'
1025 |       HashedUrl:
1026 |         format: None
1027 |         friendly name: HashedUrl
1028 |         ignore: 'no'
1029 |       IsAllowedToBeOrphan:
1030 |         format: None
1031 |         friendly name: IsAllowedToBeOrphan
1032 |         ignore: 'no'
1033 |       IsAwaitingDeletion:
1034 |         format: None
1035 |         friendly name: IsAwaitingDeletion
1036 |         ignore: 'no'
1037 |       IsDeleted:
1038 |         format: None
1039 |         friendly name: IsDeleted
1040 |         ignore: 'no'
1041 |       IsEnterprise:
1042 |         format: None
1043 |         friendly name: IsEnterprise
1044 |         ignore: 'no'
1045 |       IsFolder:
1046 |         format: None
1047 |         friendly name: IsFolder
1048 |         ignore: 'no'
1049 |       IsOrphaned:
1050 |         format: None
1051 |         friendly name: IsOrphaned
1052 |         ignore: 'no'
1053 |       IsWebNotes:
1054 |         format: None
1055 |         friendly name: IsWebNotes
1056 |         ignore: 'no'
1057 |       ItemId:
1058 |         format: None
1059 |         friendly name: ItemId
1060 |         ignore: 'no'
1061 |       OrderNumber:
1062 |         format: None
1063 |         friendly name: OrderNumber
1064 |         ignore: 'no'
1065 |       ParentId:
1066 |         format: None
1067 |         friendly name: ParentId
1068 |         ignore: 'no'
1069 |       RoamDisabled:
1070 |         format: None
1071 |         friendly name: RoamDisabled
1072 |         ignore: 'no'
1073 |       RowId:
1074 |         format: None
1075 |         friendly name: RowId
1076 |         ignore: 'no'
1077 |       Title:
1078 |         format: function:remove_null_bytes
1079 |         friendly name: Title
1080 |         ignore: 'no'
1081 |       URL:
1082 |         format: function:remove_null_bytes
1083 |         friendly name: URL
1084 |         ignore: 'no'
1085 |     ignore: 'no'
1086 |     name: Favorites
1087 |   FileCleanup:
1088 |     fields:
1089 |       AccountStoreId:
1090 |         format: None
1091 |         friendly name: AccountStoreId
1092 |         ignore: 'no'
1093 |       FileName:
1094 |         format: None
1095 |         friendly name: FileName
1096 |         ignore: 'no'
1097 |       RowId:
1098 |         format: None
1099 |         friendly name: RowId
1100 |         ignore: 'no'
1101 |       Timestamp:
1102 |         format: None
1103 |         friendly name: Timestamp
1104 |         ignore: 'no'
1105 |     ignore: 'no'
1106 |     name: FileCleanup
1107 |   Folder:
1108 |     fields:
1109 |       FolderPath:
1110 |         format: None
1111 |         friendly name: FolderPath
1112 |         ignore: 'no'
1113 |       Name:
1114 |         format: None
1115 |         friendly name: Name
1116 |         ignore: 'no'
1117 |       OriginalParentId:
1118 |         format: None
1119 |         friendly name: OriginalParentId
1120 |         ignore: 'no'
1121 |       ParentId:
1122 |         format: None
1123 |         friendly name: ParentId
1124 |         ignore: 'no'
1125 |       RowId:
1126 |         format: None
1127 |         friendly name: RowId
1128 |         ignore: 'no'
1129 |       Type:
1130 |         format: None
1131 |         friendly name: Type
1132 |         ignore: 'no'
1133 |     ignore: 'no'
1134 |     name: Folder
1135 |   FolderStash:
1136 |     fields:
1137 |       FolderPath:
1138 |         format: None
1139 |         friendly name: FolderPath
1140 |         ignore: 'no'
1141 |       Name:
1142 |         format: None
1143 |         friendly name: Name
1144 |         ignore: 'no'
1145 |       OriginalParentId:
1146 |         format: None
1147 |         friendly name: OriginalParentId
1148 |         ignore: 'no'
1149 |       ParentId:
1150 |         format: None
1151 |         friendly name: ParentId
1152 |         ignore: 'no'
1153 |       RealStoreId:
1154 |         format: None
1155 |         friendly name: RealStoreId
1156 |         ignore: 'no'
1157 |       RowId:
1158 |         format: None
1159 |         friendly name: RowId
1160 |         ignore: 'no'
1161 |       StashChangeType:
1162 |         format: None
1163 |         friendly name: StashChangeType
1164 |         ignore: 'no'
1165 |       Type:
1166 |         format: None
1167 |         friendly name: Type
1168 |         ignore: 'no'
1169 |     ignore: 'no'
1170 |     name: FolderStash
1171 |   FreeFormInks:
1172 |     fields:
1173 |       AddedDate:
1174 |         format: function:file_timestamp
1175 |         friendly name: AddedDate
1176 |         ignore: 'no'
1177 |       Context:
1178 |         format: None
1179 |         friendly name: Context
1180 |         ignore: 'no'
1181 |       InkBlobId:
1182 |         format: None
1183 |         friendly name: InkBlobId
1184 |         ignore: 'no'
1185 |       InkMetadataId:
1186 |         format: None
1187 |         friendly name: InkMetadataId
1188 |         ignore: 'no'
1189 |       IsDeleted:
1190 |         format: None
1191 |         friendly name: IsDeleted
1192 |         ignore: 'no'
1193 |       IsMetadataUpToDate:
1194 |         format: None
1195 |         friendly name: IsMetadataUpToDate
1196 |         ignore: 'no'
1197 |       ItemId:
1198 |         format: None
1199 |         friendly name: ItemId
1200 |         ignore: 'no'
1201 |       OpenedBookId:
1202 |         format: None
1203 |         friendly name: OpenedBookId
1204 |         ignore: 'no'
1205 |       PageNumber:
1206 |         format: None
1207 |         friendly name: PageNumber
1208 |         ignore: 'no'
1209 |       ProductVersion:
1210 |         format: None
1211 |         friendly name: ProductVersion
1212 |         ignore: 'no'
1213 |       ProgressInBook:
1214 |         format: None
1215 |         friendly name: ProgressInBook
1216 |         ignore: 'no'
1217 |       ReadingPosition:
1218 |         format: None
1219 |         friendly name: ReadingPosition
1220 |         ignore: 'no'
1221 |       RowId:
1222 |         format: None
1223 |         friendly name: RowId
1224 |         ignore: 'no'
1225 |       SyncStatus:
1226 |         format: None
1227 |         friendly name: SyncStatus
1228 |         ignore: 'no'
1229 |       UpdatedDate:
1230 |         format: function:file_timestamp
1231 |         friendly name: UpdatedDate
1232 |         ignore: 'no'
1233 |     ignore: 'no'
1234 |     name: FreeFormInks
1235 |   Library:
1236 |     fields:
1237 |       AccountId:
1238 |         format: None
1239 |         friendly name: AccountId
1240 |         ignore: 'no'
1241 |       AddedDate:
1242 |         format: function:file_timestamp
1243 |         friendly name: AddedDate
1244 |         ignore: 'no'
1245 |       Author:
1246 |         format: None
1247 |         friendly name: Author
1248 |         ignore: 'no'
1249 |       CoverUrl:
1250 |         format: function:remove_null_bytes
1251 |         friendly name: CoverUrl
1252 |         ignore: 'no'
1253 |       CurrentDownloadedVersion:
1254 |         format: None
1255 |         friendly name: CurrentDownloadedVersion
1256 |         ignore: 'no'
1257 |       Description:
1258 |         format: None
1259 |         friendly name: Description
1260 |         ignore: 'no'
1261 |       DevicePolicy:
1262 |         format: None
1263 |         friendly name: DevicePolicy
1264 |         ignore: 'no'
1265 |       DownloadDate:
1266 |         format: function:file_timestamp
1267 |         friendly name: DownloadDate
1268 |         ignore: 'no'
1269 |       DownloadErrorCode:
1270 |         format: None
1271 |         friendly name: DownloadErrorCode
1272 |         ignore: 'no'
1273 |       DownloadStatus:
1274 |         format: None
1275 |         friendly name: DownloadStatus
1276 |         ignore: 'no'
1277 |       EntitlementModifiedDate:
1278 |         format: function:file_timestamp
1279 |         friendly name: EntitlementModifiedDate
1280 |         ignore: 'no'
1281 |       FileType:
1282 |         format: None
1283 |         friendly name: FileType
1284 |         ignore: 'no'
1285 |       IsProtected:
1286 |         format: None
1287 |         friendly name: IsProtected
1288 |         ignore: 'no'
1289 |       ItemId:
1290 |         format: None
1291 |         friendly name: ItemId
1292 |         ignore: 'no'
1293 |       Language:
1294 |         format: None
1295 |         friendly name: Language
1296 |         ignore: 'no'
1297 |       LatestKnownVersion:
1298 |         format: None
1299 |         friendly name: LatestKnownVersion
1300 |         ignore: 'no'
1301 |       Market:
1302 |         format: None
1303 |         friendly name: Market
1304 |         ignore: 'no'
1305 |       OwnershipEndDate:
1306 |         format: function:file_timestamp
1307 |         friendly name: OwnershipEndDate
1308 |         ignore: 'no'
1309 |       OwnershipStartDate:
1310 |         format: function:file_timestamp
1311 |         friendly name: OwnershipStartDate
1312 |         ignore: 'no'
1313 |       OwnershipStatus:
1314 |         format: None
1315 |         friendly name: OwnershipStatus
1316 |         ignore: 'no'
1317 |       OwnershipType:
1318 |         format: None
1319 |         friendly name: OwnershipType
1320 |         ignore: 'no'
1321 |       ProductId:
1322 |         format: None
1323 |         friendly name: ProductId
1324 |         ignore: 'no'
1325 |       Publisher:
1326 |         format: None
1327 |         friendly name: Publisher
1328 |         ignore: 'no'
1329 |       PurchaseDate:
1330 |         format: function:file_timestamp
1331 |         friendly name: PurchaseDate
1332 |         ignore: 'no'
1333 |       RowId:
1334 |         format: None
1335 |         friendly name: RowId
1336 |         ignore: 'no'
1337 |       Title:
1338 |         format: function:remove_null_bytes
1339 |         friendly name: Title
1340 |         ignore: 'no'
1341 |     ignore: 'no'
1342 |     name: Library
1343 |   MSysLocales:
1344 |     fields:
1345 |       Key:
1346 |         format: None
1347 |         friendly name: Key
1348 |         ignore: 'no'
1349 |       Type:
1350 |         format: None
1351 |         friendly name: Type
1352 |         ignore: 'no'
1353 |       iValue:
1354 |         format: None
1355 |         friendly name: iValue
1356 |         ignore: 'no'
1357 |     ignore: 'no'
1358 |     name: MSysLocales
1359 |   MSysObjects:
1360 |     fields:
1361 |       CallbackData:
1362 |         format: None
1363 |         friendly name: CallbackData
1364 |         ignore: 'no'
1365 |       CallbackDependencies:
1366 |         format: None
1367 |         friendly name: CallbackDependencies
1368 |         ignore: 'no'
1369 |       ColtypOrPgnoFDP:
1370 |         format: None
1371 |         friendly name: ColtypOrPgnoFDP
1372 |         ignore: 'no'
1373 |       ConditionalColumns:
1374 |         format: None
1375 |         friendly name: ConditionalColumns
1376 |         ignore: 'no'
1377 |       DefaultValue:
1378 |         format: None
1379 |         friendly name: DefaultValue
1380 |         ignore: 'no'
1381 |       Flags:
1382 |         format: None
1383 |         friendly name: Flags
1384 |         ignore: 'no'
1385 |       Id:
1386 |         format: None
1387 |         friendly name: Id
1388 |         ignore: 'no'
1389 |       KeyFldIDs:
1390 |         format: None
1391 |         friendly name: KeyFldIDs
1392 |         ignore: 'no'
1393 |       KeyMost:
1394 |         format: None
1395 |         friendly name: KeyMost
1396 |         ignore: 'no'
1397 |       LCMapFlags:
1398 |         format: None
1399 |         friendly name: LCMapFlags
1400 |         ignore: 'no'
1401 |       LocaleName:
1402 |         format: None
1403 |         friendly name: LocaleName
1404 |         ignore: 'no'
1405 |       Name:
1406 |         format: None
1407 |         friendly name: Name
1408 |         ignore: 'no'
1409 |       ObjidTable:
1410 |         format: None
1411 |         friendly name: ObjidTable
1412 |         ignore: 'no'
1413 |       PagesOrLocale:
1414 |         format: None
1415 |         friendly name: PagesOrLocale
1416 |         ignore: 'no'
1417 |       RecordOffset:
1418 |         format: None
1419 |         friendly name: RecordOffset
1420 |         ignore: 'no'
1421 |       RootFlag:
1422 |         format: None
1423 |         friendly name: RootFlag
1424 |         ignore: 'no'
1425 |       SeparateLV:
1426 |         format: None
1427 |         friendly name: SeparateLV
1428 |         ignore: 'no'
1429 |       SortID:
1430 |         format: None
1431 |         friendly name: SortID
1432 |         ignore: 'no'
1433 |       SpaceDeferredLVHints:
1434 |         format: None
1435 |         friendly name: SpaceDeferredLVHints
1436 |         ignore: 'no'
1437 |       SpaceHints:
1438 |         format: None
1439 |         friendly name: SpaceHints
1440 |         ignore: 'no'
1441 |       SpaceUsage:
1442 |         format: None
1443 |         friendly name: SpaceUsage
1444 |         ignore: 'no'
1445 |       Stats:
1446 |         format: None
1447 |         friendly name: Stats
1448 |         ignore: 'no'
1449 |       TemplateTable:
1450 |         format: None
1451 |         friendly name: TemplateTable
1452 |         ignore: 'no'
1453 |       TupleLimits:
1454 |         format: None
1455 |         friendly name: TupleLimits
1456 |         ignore: 'no'
1457 |       Type:
1458 |         format: None
1459 |         friendly name: Type
1460 |         ignore: 'no'
1461 |       VarSegMac:
1462 |         format: None
1463 |         friendly name: VarSegMac
1464 |         ignore: 'no'
1465 |       Version:
1466 |         format: None
1467 |         friendly name: Version
1468 |         ignore: 'no'
1469 |     ignore: 'no'
1470 |     name: MSysObjects
1471 |   MSysObjectsShadow:
1472 |     fields:
1473 |       CallbackData:
1474 |         format: None
1475 |         friendly name: CallbackData
1476 |         ignore: 'no'
1477 |       CallbackDependencies:
1478 |         format: None
1479 |         friendly name: CallbackDependencies
1480 |         ignore: 'no'
1481 |       ColtypOrPgnoFDP:
1482 |         format: None
1483 |         friendly name: ColtypOrPgnoFDP
1484 |         ignore: 'no'
1485 |       ConditionalColumns:
1486 |         format: None
1487 |         friendly name: ConditionalColumns
1488 |         ignore: 'no'
1489 |       DefaultValue:
1490 |         format: None
1491 |         friendly name: DefaultValue
1492 |         ignore: 'no'
1493 |       Flags:
1494 |         format: None
1495 |         friendly name: Flags
1496 |         ignore: 'no'
1497 |       Id:
1498 |         format: None
1499 |         friendly name: Id
1500 |         ignore: 'no'
1501 |       KeyFldIDs:
1502 |         format: None
1503 |         friendly name: KeyFldIDs
1504 |         ignore: 'no'
1505 |       KeyMost:
1506 |         format: None
1507 |         friendly name: KeyMost
1508 |         ignore: 'no'
1509 |       LCMapFlags:
1510 |         format: None
1511 |         friendly name: LCMapFlags
1512 |         ignore: 'no'
1513 |       LocaleName:
1514 |         format: None
1515 |         friendly name: LocaleName
1516 |         ignore: 'no'
1517 |       Name:
1518 |         format: None
1519 |         friendly name: Name
1520 |         ignore: 'no'
1521 |       ObjidTable:
1522 |         format: None
1523 |         friendly name: ObjidTable
1524 |         ignore: 'no'
1525 |       PagesOrLocale:
1526 |         format: None
1527 |         friendly name: PagesOrLocale
1528 |         ignore: 'no'
1529 |       RecordOffset:
1530 |         format: None
1531 |         friendly name: RecordOffset
1532 |         ignore: 'no'
1533 |       RootFlag:
1534 |         format: None
1535 |         friendly name: RootFlag
1536 |         ignore: 'no'
1537 |       SeparateLV:
1538 |         format: None
1539 |         friendly name: SeparateLV
1540 |         ignore: 'no'
1541 |       SortID:
1542 |         format: None
1543 |         friendly name: SortID
1544 |         ignore: 'no'
1545 |       SpaceDeferredLVHints:
1546 |         format: None
1547 |         friendly name: SpaceDeferredLVHints
1548 |         ignore: 'no'
1549 |       SpaceHints:
1550 |         format: None
1551 |         friendly name: SpaceHints
1552 |         ignore: 'no'
1553 |       SpaceUsage:
1554 |         format: None
1555 |         friendly name: SpaceUsage
1556 |         ignore: 'no'
1557 |       Stats:
1558 |         format: None
1559 |         friendly name: Stats
1560 |         ignore: 'no'
1561 |       TemplateTable:
1562 |         format: None
1563 |         friendly name: TemplateTable
1564 |         ignore: 'no'
1565 |       TupleLimits:
1566 |         format: None
1567 |         friendly name: TupleLimits
1568 |         ignore: 'no'
1569 |       Type:
1570 |         format: None
1571 |         friendly name: Type
1572 |         ignore: 'no'
1573 |       VarSegMac:
1574 |         format: None
1575 |         friendly name: VarSegMac
1576 |         ignore: 'no'
1577 |       Version:
1578 |         format: None
1579 |         friendly name: Version
1580 |         ignore: 'no'
1581 |     ignore: 'no'
1582 |     name: MSysObjectsShadow
1583 |   MSysObjids:
1584 |     fields:
1585 |       objid:
1586 |         format: None
1587 |         friendly name: objid
1588 |         ignore: 'no'
1589 |       objidTable:
1590 |         format: None
1591 |         friendly name: objidTable
1592 |         ignore: 'no'
1593 |       type:
1594 |         format: None
1595 |         friendly name: type
1596 |         ignore: 'no'
1597 |     ignore: 'no'
1598 |     name: MSysObjids
1599 |   OpenedBooks:
1600 |     fields:
1601 |       AccountId:
1602 |         format: None
1603 |         friendly name: AccountId
1604 |         ignore: 'no'
1605 |       FullyAppliedSyncToken:
1606 |         format: None
1607 |         friendly name: FullyAppliedSyncToken
1608 |         ignore: 'no'
1609 |       HasCloudAnnotations:
1610 |         format: None
1611 |         friendly name: HasCloudAnnotations
1612 |         ignore: 'no'
1613 |       HashId:
1614 |         format: None
1615 |         friendly name: HashId
1616 |         ignore: 'no'
1617 |       HighestKnownProductVersion:
1618 |         format: None
1619 |         friendly name: HighestKnownProductVersion
1620 |         ignore: 'no'
1621 |       IsPushAllowed:
1622 |         format: None
1623 |         friendly name: IsPushAllowed
1624 |         ignore: 'no'
1625 |       ItemId:
1626 |         format: None
1627 |         friendly name: ItemId
1628 |         ignore: 'no'
1629 |       PageNumber:
1630 |         format: None
1631 |         friendly name: PageNumber
1632 |         ignore: 'no'
1633 |       ProductId:
1634 |         format: None
1635 |         friendly name: ProductId
1636 |         ignore: 'no'
1637 |       ProgressInBook:
1638 |         format: None
1639 |         friendly name: ProgressInBook
1640 |         ignore: 'no'
1641 |       ReadingPosition:
1642 |         format: None
1643 |         friendly name: ReadingPosition
1644 |         ignore: 'no'
1645 |       ReadingPositionModifiedDate:
1646 |         format: function:file_timestamp
1647 |         friendly name: ReadingPositionModifiedDate
1648 |         ignore: 'no'
1649 |       RowId:
1650 |         format: None
1651 |         friendly name: RowId
1652 |         ignore: 'no'
1653 |       SyncToken:
1654 |         format: None
1655 |         friendly name: SyncToken
1656 |         ignore: 'no'
1657 |       VersionNumber:
1658 |         format: None
1659 |         friendly name: VersionNumber
1660 |         ignore: 'no'
1661 |     ignore: 'no'
1662 |     name: OpenedBooks
1663 |   PackagedExtensionsStorage:
1664 |     fields:
1665 |       DateUpdated:
1666 |         format: function:file_timestamp
1667 |         friendly name: DateUpdated
1668 |         ignore: 'no'
1669 |       ExtensionId:
1670 |         format: None
1671 |         friendly name: ExtensionId
1672 |         ignore: 'no'
1673 |       HashedKey:
1674 |         format: None
1675 |         friendly name: HashedKey
1676 |         ignore: 'no'
1677 |       IsDeleted:
1678 |         format: None
1679 |         friendly name: IsDeleted
1680 |         ignore: 'no'
1681 |       ItemId:
1682 |         format: None
1683 |         friendly name: ItemId
1684 |         ignore: 'no'
1685 |       Key:
1686 |         format: None
1687 |         friendly name: Key
1688 |         ignore: 'no'
1689 |       RowId:
1690 |         format: None
1691 |         friendly name: RowId
1692 |         ignore: 'no'
1693 |       Value:
1694 |         format: None
1695 |         friendly name: Value
1696 |         ignore: 'no'
1697 |     ignore: 'no'
1698 |     name: PackagedExtensionsStorage
1699 |   PageSettings:
1700 |     fields:
1701 |       Domain:
1702 |         format: None
1703 |         friendly name: Domain
1704 |         ignore: 'no'
1705 |       PageSettings:
1706 |         format: None
1707 |         friendly name: PageSettings
1708 |         ignore: 'no'
1709 |       RowId:
1710 |         format: None
1711 |         friendly name: RowId
1712 |         ignore: 'no'
1713 |     ignore: 'no'
1714 |     name: PageSettings
1715 |   ReadingList:
1716 |     fields:
1717 |       AddedDate:
1718 |         format: function:file_timestamp
1719 |         friendly name: AddedDate
1720 |         ignore: 'no'
1721 |       Description:
1722 |         format: None
1723 |         friendly name: Description
1724 |         ignore: 'no'
1725 |       DominantImageFile:
1726 |         format: None
1727 |         friendly name: DominantImageFile
1728 |         ignore: 'no'
1729 |       IsDeleted:
1730 |         format: None
1731 |         friendly name: IsDeleted
1732 |         ignore: 'no'
1733 |       ItemId:
1734 |         format: None
1735 |         friendly name: ItemId
1736 |         ignore: 'no'
1737 |       JetStub_18_1:
1738 |         format: None
1739 |         friendly name: JetStub_18_1
1740 |         ignore: 'no'
1741 |       JetStub_18_2:
1742 |         format: None
1743 |         friendly name: JetStub_18_2
1744 |         ignore: 'no'
1745 |       LastAccessedDate:
1746 |         format: function:file_timestamp
1747 |         friendly name: LastAccessedDate
1748 |         ignore: 'no'
1749 |       MhtFile:
1750 |         format: None
1751 |         friendly name: MhtFile
1752 |         ignore: 'no'
1753 |       RoamDisabled:
1754 |         format: None
1755 |         friendly name: RoamDisabled
1756 |         ignore: 'no'
1757 |       RowId:
1758 |         format: None
1759 |         friendly name: RowId
1760 |         ignore: 'no'
1761 |       Source:
1762 |         format: None
1763 |         friendly name: Source
1764 |         ignore: 'no'
1765 |       Title:
1766 |         format: function:remove_null_bytes
1767 |         friendly name: Title
1768 |         ignore: 'no'
1769 |       Type:
1770 |         format: None
1771 |         friendly name: Type
1772 |         ignore: 'no'
1773 |       URL:
1774 |         format: function:remove_null_bytes
1775 |         friendly name: URL
1776 |         ignore: 'no'
1777 |       UpdatedDate:
1778 |         format: function:file_timestamp
1779 |         friendly name: UpdatedDate
1780 |         ignore: 'no'
1781 |     ignore: 'no'
1782 |     name: ReadingList
1783 |   RowId:
1784 |     fields:
1785 |       MaxAllocatedRowId:
1786 |         format: None
1787 |         friendly name: MaxAllocatedRowId
1788 |         ignore: 'no'
1789 |       RowId:
1790 |         format: None
1791 |         friendly name: RowId
1792 |         ignore: 'no'
1793 |     ignore: 'no'
1794 |     name: RowId
1795 |   SideLoadedExtensionsStorage:
1796 |     fields:
1797 |       DateUpdated:
1798 |         format: function:file_timestamp
1799 |         friendly name: DateUpdated
1800 |         ignore: 'no'
1801 |       ExtensionId:
1802 |         format: None
1803 |         friendly name: ExtensionId
1804 |         ignore: 'no'
1805 |       HashedKey:
1806 |         format: None
1807 |         friendly name: HashedKey
1808 |         ignore: 'no'
1809 |       IsDeleted:
1810 |         format: None
1811 |         friendly name: IsDeleted
1812 |         ignore: 'no'
1813 |       ItemId:
1814 |         format: None
1815 |         friendly name: ItemId
1816 |         ignore: 'no'
1817 |       Key:
1818 |         format: None
1819 |         friendly name: Key
1820 |         ignore: 'no'
1821 |       RowId:
1822 |         format: None
1823 |         friendly name: RowId
1824 |         ignore: 'no'
1825 |       Value:
1826 |         format: None
1827 |         friendly name: Value
1828 |         ignore: 'no'
1829 |     ignore: 'no'
1830 |     name: SideLoadedExtensionsStorage
1831 |   SweptTabs:
1832 |     fields:
1833 |       DateSwept:
1834 |         format: function:file_timestamp
1835 |         friendly name: DateSwept
1836 |         ignore: 'no'
1837 |       EnterpriseID:
1838 |         format: None
1839 |         friendly name: EnterpriseID
1840 |         ignore: 'no'
1841 |       OrderNumber:
1842 |         format: None
1843 |         friendly name: OrderNumber
1844 |         ignore: 'no'
1845 |       RecoveryGuid:
1846 |         format: None
1847 |         friendly name: RecoveryGuid
1848 |         ignore: 'no'
1849 |       RowId:
1850 |         format: None
1851 |         friendly name: RowId
1852 |         ignore: 'no'
1853 |       SweepGroupId:
1854 |         format: None
1855 |         friendly name: SweepGroupId
1856 |         ignore: 'no'
1857 |       Title:
1858 |         format: function:remove_null_bytes
1859 |         friendly name: Title
1860 |         ignore: 'no'
1861 |       URL:
1862 |         format: function:remove_null_bytes
1863 |         friendly name: URL
1864 |         ignore: 'no'
1865 |       WasSelected:
1866 |         format: None
1867 |         friendly name: WasSelected
1868 |         ignore: 'no'
1869 |     ignore: 'no'
1870 |     name: SweptTabs
1871 |   TopSites:
1872 |     fields:
1873 |       CreatedDateTimeUTC:
1874 |         format: function:file_timestamp
1875 |         friendly name: CreatedDateTimeUTC
1876 |         ignore: 'no'
1877 |       FaviconBackground:
1878 |         format: None
1879 |         friendly name: FaviconBackground
1880 |         ignore: 'no'
1881 |       FaviconForeground:
1882 |         format: None
1883 |         friendly name: FaviconForeground
1884 |         ignore: 'no'
1885 |       FaviconSource:
1886 |         format: None
1887 |         friendly name: FaviconSource
1888 |         ignore: 'no'
1889 |       FaviconUrl:
1890 |         format: function:remove_null_bytes
1891 |         friendly name: FaviconUrl
1892 |         ignore: 'no'
1893 |       IsTombstoned:
1894 |         format: None
1895 |         friendly name: IsTombstoned
1896 |         ignore: 'no'
1897 |       ItemId:
1898 |         format: None
1899 |         friendly name: ItemId
1900 |         ignore: 'no'
1901 |       RowId:
1902 |         format: None
1903 |         friendly name: RowId
1904 |         ignore: 'no'
1905 |       SlotIndex:
1906 |         format: None
1907 |         friendly name: SlotIndex
1908 |         ignore: 'no'
1909 |       SourceType:
1910 |         format: None
1911 |         friendly name: SourceType
1912 |         ignore: 'no'
1913 |       Title:
1914 |         format: function:remove_null_bytes
1915 |         friendly name: Title
1916 |         ignore: 'no'
1917 |       TombstonedDateTimeUTC:
1918 |         format: function:file_timestamp
1919 |         friendly name: TombstonedDateTimeUTC
1920 |         ignore: 'no'
1921 |       URL:
1922 |         format: function:remove_null_bytes
1923 |         friendly name: URL
1924 |         ignore: 'no'
1925 |       UpdatedDateTimeUTC:
1926 |         format: function:file_timestamp
1927 |         friendly name: UpdatedDateTimeUTC
1928 |         ignore: 'no'
1929 |       UrlHash:
1930 |         format: None
1931 |         friendly name: UrlHash
1932 |         ignore: 'no'
1933 |     ignore: 'no'
1934 |     name: TopSites
1935 |   TypedUrls:
1936 |     fields:
1937 |       AccessDateTimeUTC:
1938 |         format: function:file_timestamp
1939 |         friendly name: AccessDateTimeUTC
1940 |         ignore: 'no'
1941 |       RowId:
1942 |         format: None
1943 |         friendly name: RowId
1944 |         ignore: 'no'
1945 |       URL:
1946 |         format: function:remove_null_bytes
1947 |         friendly name: URL
1948 |         ignore: 'no'
1949 |       UrlHash:
1950 |         format: None
1951 |         friendly name: UrlHash
1952 |         ignore: 'no'
1953 |       VisitCount:
1954 |         format: None
1955 |         friendly name: VisitCount
1956 |         ignore: 'no'
1957 |     ignore: 'no'
1958 |     name: TypedUrls
1959 |   UriToAppIdMapping:
1960 |     fields:
1961 |       ExpiryDateUTC:
1962 |         format: function:file_timestamp
1963 |         friendly name: ExpiryDateUTC
1964 |         ignore: 'no'
1965 |       HasAddOns:
1966 |         format: None
1967 |         friendly name: HasAddOns
1968 |         ignore: 'no'
1969 |       IsFree:
1970 |         format: None
1971 |         friendly name: IsFree
1972 |         ignore: 'no'
1973 |       ItemId:
1974 |         format: None
1975 |         friendly name: ItemId
1976 |         ignore: 'no'
1977 |       LastAccessedDateUTC:
1978 |         format: function:file_timestamp
1979 |         friendly name: LastAccessedDateUTC
1980 |         ignore: 'no'
1981 |       LastUpdatedDateUTC:
1982 |         format: function:file_timestamp
1983 |         friendly name: LastUpdatedDateUTC
1984 |         ignore: 'no'
1985 |       MatchedUrl:
1986 |         format: None
1987 |         friendly name: MatchedUrl
1988 |         ignore: 'no'
1989 |       PackageFamilyName:
1990 |         format: None
1991 |         friendly name: PackageFamilyName
1992 |         ignore: 'no'
1993 |       ProductId:
1994 |         format: None
1995 |         friendly name: ProductId
1996 |         ignore: 'no'
1997 |       ProductTitle:
1998 |         format: function:remove_null_bytes
1999 |         friendly name: ProductTitle
2000 |         ignore: 'no'
2001 |       RetryAttemptCount:
2002 |         format: None
2003 |         friendly name: RetryAttemptCount
2004 |         ignore: 'no'
2005 |       RowId:
2006 |         format: None
2007 |         friendly name: RowId
2008 |         ignore: 'no'
2009 |       Status:
2010 |         format: None
2011 |         friendly name: Status
2012 |         ignore: 'no'
2013 |       Uri:
2014 |         format: None
2015 |         friendly name: Uri
2016 |         ignore: 'no'
2017 |       UriHash:
2018 |         format: None
2019 |         friendly name: UriHash
2020 |         ignore: 'no'
2021 |     ignore: 'no'
2022 |     name: UriToAppIdMapping
2023 |   UrlHistory:
2024 |     fields:
2025 |       AddTime:
2026 |         format: None
2027 |         friendly name: AddTime
2028 |         ignore: 'no'
2029 |       Domain:
2030 |         format: None
2031 |         friendly name: Domain
2032 |         ignore: 'no'
2033 |       FaviconTimeStamp:
2034 |         format: None
2035 |         friendly name: FaviconTimeStamp
2036 |         ignore: 'no'
2037 |       FaviconUrl:
2038 |         format: function:remove_null_bytes
2039 |         friendly name: FaviconUrl
2040 |         ignore: 'no'
2041 |       Flags:
2042 |         format: None
2043 |         friendly name: Flags
2044 |         ignore: 'no'
2045 |       RowId:
2046 |         format: None
2047 |         friendly name: RowId
2048 |         ignore: 'no'
2049 |       Title:
2050 |         format: function:remove_null_bytes
2051 |         friendly name: Title
2052 |         ignore: 'no'
2053 |       URL:
2054 |         format: function:remove_null_bytes
2055 |         friendly name: URL
2056 |         ignore: 'no'
2057 |       UpdateTime:
2058 |         format: None
2059 |         friendly name: UpdateTime
2060 |         ignore: 'no'
2061 |       UrlHash:
2062 |         format: None
2063 |         friendly name: UrlHash
2064 |         ignore: 'no'
2065 |       VisitCount:
2066 |         format: None
2067 |         friendly name: VisitCount
2068 |         ignore: 'no'
2069 |     ignore: 'no'
2070 |     name: UrlHistory
2071 |   UrlVisit:
2072 |     fields:
2073 |       Domain:
2074 |         format: None
2075 |         friendly name: Domain
2076 |         ignore: 'no'
2077 |       RowId:
2078 |         format: None
2079 |         friendly name: RowId
2080 |         ignore: 'no'
2081 |       Title:
2082 |         format: function:remove_null_bytes
2083 |         friendly name: Title
2084 |         ignore: 'no'
2085 |       URL:
2086 |         format: function:remove_null_bytes
2087 |         friendly name: URL
2088 |         ignore: 'no'
2089 |       UrlHash:
2090 |         format: None
2091 |         friendly name: UrlHash
2092 |         ignore: 'no'
2093 |       VisitTime:
2094 |         format: None
2095 |         friendly name: VisitTime
2096 |         ignore: 'no'
2097 |     ignore: 'no'
2098 |     name: UrlVisit
2099 | 
2100 | 
2101 | """
2102 | 
2103 | import struct
2104 | import codecs
2105 | 
2106 | 
2107 | def plugin_init(ese_database):
2108 |     #table_names = " ".join([x.name for x in ese_database.tables])
2109 |     #print("Received Arguments", args)
2110 |     #print("Plugin Initialized for ", table_names)
2111 |     # Setup any data structures required for yaml function calls
2112 |     return None
2113 | 
2114 | def plugin_modify_header(list_of_headers, table_name):
2115 |     #print("Plugin Processing headers", list_of_headers)
2116 |     # Modify headers as needed before commit to file
2117 |     return list_of_headers
2118 | 
2119 | #sample_total = 0
2120 | def plugin_modify_row(list_of_row_values, table_name):
2121 |     #global sample_total
2122 |     #print("Plugin Processing Row", list_of_row_values)
2123 |     #if table_name == "some target":
2124 |     #    sample_total += list_of_row_values[10] 
2125 |     # Modify list as needed before commit to file or keep totals
2126 |     return list_of_row_values
2127 | 
2128 | def plugin_end_of_file(csv_writer_object, table_name):
2129 |     #print("Plugin Finished file" )
2130 |     # Write header footers, calculations etc
2131 |     return None
2132 | 
2133 | def remove_null_bytes(instr):
2134 |     return instr.replace('\x00','')
2135 | 
2136 | 
2137 | 


--------------------------------------------------------------------------------
/srudb_plugin.py:
--------------------------------------------------------------------------------
   1 | yaml_config = r"""
   2 | lookups:
   3 |   LUID_interface_types:
   4 |     1: IF_TYPE_OTHER
   5 |     10: IF_TYPE_ISO88026_MAN
   6 |     100: IF_TYPE_VOICE_EM
   7 |     101: IF_TYPE_VOICE_FXO
   8 |     102: IF_TYPE_VOICE_FXS
   9 |     103: IF_TYPE_VOICE_ENCAP
  10 |     104: IF_TYPE_VOICE_OVERIP
  11 |     105: IF_TYPE_ATM_DXI
  12 |     106: IF_TYPE_ATM_FUNI
  13 |     107: IF_TYPE_ATM_IMA
  14 |     108: IF_TYPE_PPPMULTILINKBUNDLE
  15 |     109: IF_TYPE_IPOVER_CDLC
  16 |     11: IF_TYPE_STARLAN
  17 |     110: IF_TYPE_IPOVER_CLAW
  18 |     111: IF_TYPE_STACKTOSTACK
  19 |     112: IF_TYPE_VIRTUALIPADDRESS
  20 |     113: IF_TYPE_MPC
  21 |     114: IF_TYPE_IPOVER_ATM
  22 |     115: IF_TYPE_ISO88025_FIBER
  23 |     116: IF_TYPE_TDLC
  24 |     117': IF_TYPE_GIGABITETHERNET
  25 |     118: IF_TYPE_HDLC
  26 |     119: IF_TYPE_LAP_F
  27 |     12: IF_TYPE_PROTEON_10MBIT
  28 |     120: IF_TYPE_V37
  29 |     121: IF_TYPE_X25_MLP
  30 |     122: IF_TYPE_X25_HUNTGROUP
  31 |     123: IF_TYPE_TRANSPHDLC
  32 |     124: IF_TYPE_INTERLEAVE
  33 |     125: IF_TYPE_FAST
  34 |     126: IF_TYPE_IP
  35 |     127: IF_TYPE_DOCSCABLE_MACLAYER
  36 |     128: IF_TYPE_DOCSCABLE_DOWNSTREAM
  37 |     129: IF_TYPE_DOCSCABLE_UPSTREAM
  38 |     13: IF_TYPE_PROTEON_80MBIT
  39 |     130: IF_TYPE_A12MPPSWITCH
  40 |     131: IF_TYPE_TUNNEL
  41 |     132: IF_TYPE_COFFEE
  42 |     133: IF_TYPE_CES
  43 |     134: IF_TYPE_ATM_SUBINTERFACE
  44 |     135: IF_TYPE_L2_VLAN
  45 |     136: IF_TYPE_L3_IPVLAN
  46 |     137: IF_TYPE_L3_IPXVLAN
  47 |     138: IF_TYPE_DIGITALPOWERLINE
  48 |     139: IF_TYPE_MEDIAMAILOVERIP
  49 |     14: IF_TYPE_HYPERCHANNEL
  50 |     140: IF_TYPE_DTM
  51 |     141: IF_TYPE_DCN
  52 |     142: IF_TYPE_IPFORWARD
  53 |     143: IF_TYPE_MSDSL
  54 |     144: IF_TYPE_IEEE1394
  55 |     145: IF_TYPE_RECEIVE_ONLY
  56 |     15: IF_TYPE_FDDI
  57 |     16: IF_TYPE_LAP_B
  58 |     17: IF_TYPE_SDLC
  59 |     18: IF_TYPE_DS1
  60 |     19: IF_TYPE_E1
  61 |     2: IF_TYPE_REGULAR_1822
  62 |     20: IF_TYPE_BASIC_ISDN
  63 |     21: IF_TYPE_PRIMARY_ISDN
  64 |     22: IF_TYPE_PROP_POINT2POINT_SERIAL
  65 |     23: IF_TYPE_PPP
  66 |     24: IF_TYPE_SOFTWARE_LOOPBACK
  67 |     25: IF_TYPE_EON
  68 |     26: IF_TYPE_ETHERNET_3MBIT
  69 |     27: IF_TYPE_NSIP
  70 |     28: IF_TYPE_SLIP
  71 |     29: IF_TYPE_ULTRA
  72 |     3: IF_TYPE_HDH_1822
  73 |     30: IF_TYPE_DS3
  74 |     31: IF_TYPE_SIP
  75 |     32: IF_TYPE_FRAMERELAY
  76 |     33: IF_TYPE_RS232
  77 |     34: IF_TYPE_PARA
  78 |     35: IF_TYPE_ARCNET
  79 |     36: IF_TYPE_ARCNET_PLUS
  80 |     37: IF_TYPE_ATM
  81 |     38: IF_TYPE_MIO_X25
  82 |     39: IF_TYPE_SONET
  83 |     4: IF_TYPE_DDN_X25
  84 |     40: IF_TYPE_X25_PLE
  85 |     41: IF_TYPE_ISO88022_LLC
  86 |     42: IF_TYPE_LOCALTALK
  87 |     43: IF_TYPE_SMDS_DXI
  88 |     44: IF_TYPE_FRAMERELAY_SERVICE
  89 |     45: IF_TYPE_V35
  90 |     46: IF_TYPE_HSSI
  91 |     47: IF_TYPE_HIPPI
  92 |     48: IF_TYPE_MODEM
  93 |     49: IF_TYPE_AAL5
  94 |     5: IF_TYPE_RFC877_X25
  95 |     50: IF_TYPE_SONET_PATH
  96 |     51: IF_TYPE_SONET_VT
  97 |     52: IF_TYPE_SMDS_ICIP
  98 |     53: IF_TYPE_PROP_VIRTUAL
  99 |     54: IF_TYPE_PROP_MULTIPLEXOR
 100 |     55: IF_TYPE_IEEE80212
 101 |     56: IF_TYPE_FIBRECHANNEL
 102 |     57: IF_TYPE_HIPPIINTERFACE
 103 |     58: IF_TYPE_FRAMERELAY_INTERCONNECT
 104 |     59: IF_TYPE_AFLANE_8023
 105 |     6: IF_TYPE_ETHERNET_CSMACD
 106 |     60: IF_TYPE_AFLANE_8025
 107 |     61: IF_TYPE_CCTEMUL
 108 |     62: IF_TYPE_FASTETHER
 109 |     63: IF_TYPE_ISDN
 110 |     64: IF_TYPE_V11
 111 |     65: IF_TYPE_V36
 112 |     66: IF_TYPE_G703_64K
 113 |     67: IF_TYPE_G703_2MB
 114 |     68: IF_TYPE_QLLC
 115 |     69: IF_TYPE_FASTETHER_FX
 116 |     7: IF_TYPE_IS088023_CSMACD
 117 |     70: IF_TYPE_CHANNEL
 118 |     71: IF_TYPE_IEEE80211
 119 |     72: IF_TYPE_IBM370PARCHAN
 120 |     73: IF_TYPE_ESCON
 121 |     74: IF_TYPE_DLSW
 122 |     75: IF_TYPE_ISDN_S
 123 |     76: IF_TYPE_ISDN_U
 124 |     77: IF_TYPE_LAP_D
 125 |     78: IF_TYPE_IPSWITCH
 126 |     79: IF_TYPE_RSRB
 127 |     8: IF_TYPE_ISO88024_TOKENBUS
 128 |     80: IF_TYPE_ATM_LOGICAL
 129 |     81: IF_TYPE_DS0
 130 |     82: IF_TYPE_DS0_BUNDLE
 131 |     83: IF_TYPE_BSC
 132 |     84: IF_TYPE_ASYNC
 133 |     85: IF_TYPE_CNR
 134 |     86: IF_TYPE_ISO88025R_DTR
 135 |     87: IF_TYPE_EPLRS
 136 |     88: IF_TYPE_ARAP
 137 |     89: IF_TYPE_PROP_CNLS
 138 |     9: IF_TYPE_ISO88025_TOKENRING
 139 |     90: IF_TYPE_HOSTPAD
 140 |     91: IF_TYPE_TERMPAD
 141 |     92: IF_TYPE_FRAMERELAY_MPI
 142 |     93: IF_TYPE_X213
 143 |     94: IF_TYPE_ADSL
 144 |     95: IF_TYPE_RADSL
 145 |     96: IF_TYPE_SDSL
 146 |     97: IF_TYPE_VDSL
 147 |     98: IF_TYPE_ISO88025_CRFPRINT
 148 |     99: IF_TYPE_MYRINET
 149 |   known_sids:
 150 |     S-1-0: ' Null Authority'
 151 |     S-1-0-0: ' Nobody'
 152 |     S-1-1: ' World Authority'
 153 |     S-1-1-0: ' Everyone'
 154 |     S-1-16-0: ' Untrusted Mandatory Level '
 155 |     S-1-16-12288: ' High Mandatory Level '
 156 |     S-1-16-16384: ' System Mandatory Level '
 157 |     S-1-16-20480: ' Protected Process Mandatory Level '
 158 |     S-1-16-28672: ' Secure Process Mandatory Level '
 159 |     S-1-16-4096: ' Low Mandatory Level '
 160 |     S-1-16-8192: ' Medium Mandatory Level '
 161 |     S-1-16-8448: ' Medium Plus Mandatory Level '
 162 |     S-1-2: ' Local Authority'
 163 |     S-1-2-0: ' Local '
 164 |     S-1-2-1: ' Console Logon '
 165 |     S-1-3: ' Creator Authority'
 166 |     S-1-3-0: ' Creator Owner'
 167 |     S-1-3-1: ' Creator Group'
 168 |     S-1-3-2: ' Creator Owner Server'
 169 |     S-1-3-3: ' Creator Group Server'
 170 |     S-1-4: ' Non-unique Authority'
 171 |     S-1-5: ' NT Authority'
 172 |     S-1-5-1: ' Dialup'
 173 |     S-1-5-10: ' Principal Self'
 174 |     S-1-5-11: ' Authenticated Users'
 175 |     S-1-5-12: ' Restricted Code'
 176 |     S-1-5-13: ' Terminal Server Users'
 177 |     S-1-5-14: ' Remote Interactive Logon '
 178 |     S-1-5-15: ' This Organization '
 179 |     S-1-5-17: ' This Organization '
 180 |     S-1-5-18: ' Local System'
 181 |     S-1-5-19: ' NT Authority'
 182 |     S-1-5-2: ' Network'
 183 |     S-1-5-20: ' NT Authority'
 184 |     S-1-5-3: ' Batch'
 185 |     S-1-5-32-544: ' Administrators'
 186 |     S-1-5-32-545: ' Users'
 187 |     S-1-5-32-546: ' Guests'
 188 |     S-1-5-32-547: ' Power Users'
 189 |     S-1-5-32-548: ' Account Operators'
 190 |     S-1-5-32-549: ' Server Operators'
 191 |     S-1-5-32-550: ' Print Operators'
 192 |     S-1-5-32-551: ' Backup Operators'
 193 |     S-1-5-32-552: ' Replicators'
 194 |     S-1-5-32-554: ' BUILTIN\Pre-Windows 2000 Compatible Access'
 195 |     S-1-5-32-555: ' BUILTIN\Remote Desktop Users'
 196 |     S-1-5-32-556: ' BUILTIN\Network Configuration Operators'
 197 |     S-1-5-32-557: ' BUILTIN\Incoming Forest Trust Builders'
 198 |     S-1-5-32-558: ' BUILTIN\Performance Monitor Users'
 199 |     S-1-5-32-559: ' BUILTIN\Performance Log Users'
 200 |     S-1-5-32-560: ' BUILTIN\Windows Authorization Access Group'
 201 |     S-1-5-32-561: ' BUILTIN\Terminal Server License Servers'
 202 |     S-1-5-32-562: ' BUILTIN\Distributed COM Users'
 203 |     S-1-5-32-569: ' BUILTIN\Cryptographic Operators'
 204 |     S-1-5-32-573: ' BUILTIN\Event Log Readers '
 205 |     S-1-5-32-574: ' BUILTIN\Certificate Service DCOM Access '
 206 |     S-1-5-32-575: ' BUILTIN\RDS Remote Access Servers'
 207 |     S-1-5-32-576: ' BUILTIN\RDS Endpoint Servers'
 208 |     S-1-5-32-577: ' BUILTIN\RDS Management Servers'
 209 |     S-1-5-32-578: ' BUILTIN\Hyper-V Administrators'
 210 |     S-1-5-32-579: ' BUILTIN\Access Control Assistance Operators'
 211 |     S-1-5-32-580: ' BUILTIN\Remote Management Users'
 212 |     S-1-5-4: ' Interactive'
 213 |     S-1-5-6: ' Service'
 214 |     S-1-5-64-10: ' NTLM Authentication '
 215 |     S-1-5-64-14: ' SChannel Authentication '
 216 |     S-1-5-64-21: ' Digest Authentication '
 217 |     S-1-5-7: ' Anonymous'
 218 |     S-1-5-8: ' Proxy'
 219 |     S-1-5-80: ' NT Service '
 220 |     S-1-5-80-0: ' All Services '
 221 |     S-1-5-83-0: ' NT VIRTUAL MACHINE\Virtual Machines'
 222 |     S-1-5-9: ' Enterprise Domain Controllers'
 223 |   numbers:
 224 |     0: zero
 225 |     1: one
 226 | table_references:
 227 |   app_id:
 228 |     key: IdIndex
 229 |     table: SruDbIdMapTable
 230 |     value:
 231 |     - IdType
 232 |     - IdBlob
 233 | tables:
 234 |   MSysLocales:
 235 |     fields:
 236 |       Key:
 237 |         format: None
 238 |         friendly name: Key
 239 |         ignore: 'no'
 240 |       Type:
 241 |         format: None
 242 |         friendly name: Type
 243 |         ignore: 'no'
 244 |       iValue:
 245 |         format: None
 246 |         friendly name: iValue
 247 |         ignore: 'no'
 248 |     ignore: 'yes'
 249 |     name: MSysLocales
 250 |   MSysObjects:
 251 |     fields:
 252 |       CallbackData:
 253 |         format: None
 254 |         friendly name: CallbackData
 255 |         ignore: 'no'
 256 |       CallbackDependencies:
 257 |         format: None
 258 |         friendly name: CallbackDependencies
 259 |         ignore: 'no'
 260 |       ColtypOrPgnoFDP:
 261 |         format: None
 262 |         friendly name: ColtypOrPgnoFDP
 263 |         ignore: 'no'
 264 |       ConditionalColumns:
 265 |         format: None
 266 |         friendly name: ConditionalColumns
 267 |         ignore: 'no'
 268 |       DefaultValue:
 269 |         format: None
 270 |         friendly name: DefaultValue
 271 |         ignore: 'no'
 272 |       Flags:
 273 |         format: None
 274 |         friendly name: Flags
 275 |         ignore: 'no'
 276 |       Id:
 277 |         format: None
 278 |         friendly name: Id
 279 |         ignore: 'no'
 280 |       KeyFldIDs:
 281 |         format: None
 282 |         friendly name: KeyFldIDs
 283 |         ignore: 'no'
 284 |       KeyMost:
 285 |         format: None
 286 |         friendly name: KeyMost
 287 |         ignore: 'no'
 288 |       LCMapFlags:
 289 |         format: None
 290 |         friendly name: LCMapFlags
 291 |         ignore: 'no'
 292 |       LVChunkMax:
 293 |         format: None
 294 |         friendly name: LVChunkMax
 295 |         ignore: 'no'
 296 |       LocaleName:
 297 |         format: None
 298 |         friendly name: LocaleName
 299 |         ignore: 'no'
 300 |       Name:
 301 |         format: None
 302 |         friendly name: Name
 303 |         ignore: 'no'
 304 |       ObjidTable:
 305 |         format: None
 306 |         friendly name: ObjidTable
 307 |         ignore: 'no'
 308 |       PagesOrLocale:
 309 |         format: None
 310 |         friendly name: PagesOrLocale
 311 |         ignore: 'no'
 312 |       RecordOffset:
 313 |         format: None
 314 |         friendly name: RecordOffset
 315 |         ignore: 'no'
 316 |       RootFlag:
 317 |         format: None
 318 |         friendly name: RootFlag
 319 |         ignore: 'no'
 320 |       SeparateLV:
 321 |         format: None
 322 |         friendly name: SeparateLV
 323 |         ignore: 'no'
 324 |       SortID:
 325 |         format: None
 326 |         friendly name: SortID
 327 |         ignore: 'no'
 328 |       SpaceDeferredLVHints:
 329 |         format: None
 330 |         friendly name: SpaceDeferredLVHints
 331 |         ignore: 'no'
 332 |       SpaceHints:
 333 |         format: None
 334 |         friendly name: SpaceHints
 335 |         ignore: 'no'
 336 |       SpaceUsage:
 337 |         format: None
 338 |         friendly name: SpaceUsage
 339 |         ignore: 'no'
 340 |       Stats:
 341 |         format: None
 342 |         friendly name: Stats
 343 |         ignore: 'no'
 344 |       TemplateTable:
 345 |         format: None
 346 |         friendly name: TemplateTable
 347 |         ignore: 'no'
 348 |       TupleLimits:
 349 |         format: None
 350 |         friendly name: TupleLimits
 351 |         ignore: 'no'
 352 |       Type:
 353 |         format: None
 354 |         friendly name: Type
 355 |         ignore: 'no'
 356 |       VarSegMac:
 357 |         format: None
 358 |         friendly name: VarSegMac
 359 |         ignore: 'no'
 360 |       Version:
 361 |         format: None
 362 |         friendly name: Version
 363 |         ignore: 'no'
 364 |     ignore: 'yes'
 365 |     name: MSysObjects
 366 |   MSysObjectsShadow:
 367 |     fields:
 368 |       CallbackData:
 369 |         format: None
 370 |         friendly name: CallbackData
 371 |         ignore: 'no'
 372 |       CallbackDependencies:
 373 |         format: None
 374 |         friendly name: CallbackDependencies
 375 |         ignore: 'no'
 376 |       ColtypOrPgnoFDP:
 377 |         format: None
 378 |         friendly name: ColtypOrPgnoFDP
 379 |         ignore: 'no'
 380 |       ConditionalColumns:
 381 |         format: None
 382 |         friendly name: ConditionalColumns
 383 |         ignore: 'no'
 384 |       DefaultValue:
 385 |         format: None
 386 |         friendly name: DefaultValue
 387 |         ignore: 'no'
 388 |       Flags:
 389 |         format: None
 390 |         friendly name: Flags
 391 |         ignore: 'no'
 392 |       Id:
 393 |         format: None
 394 |         friendly name: Id
 395 |         ignore: 'no'
 396 |       KeyFldIDs:
 397 |         format: None
 398 |         friendly name: KeyFldIDs
 399 |         ignore: 'no'
 400 |       KeyMost:
 401 |         format: None
 402 |         friendly name: KeyMost
 403 |         ignore: 'no'
 404 |       LCMapFlags:
 405 |         format: None
 406 |         friendly name: LCMapFlags
 407 |         ignore: 'no'
 408 |       LVChunkMax:
 409 |         format: None
 410 |         friendly name: LVChunkMax
 411 |         ignore: 'no'
 412 |       LocaleName:
 413 |         format: None
 414 |         friendly name: LocaleName
 415 |         ignore: 'no'
 416 |       Name:
 417 |         format: None
 418 |         friendly name: Name
 419 |         ignore: 'no'
 420 |       ObjidTable:
 421 |         format: None
 422 |         friendly name: ObjidTable
 423 |         ignore: 'no'
 424 |       PagesOrLocale:
 425 |         format: None
 426 |         friendly name: PagesOrLocale
 427 |         ignore: 'no'
 428 |       RecordOffset:
 429 |         format: None
 430 |         friendly name: RecordOffset
 431 |         ignore: 'no'
 432 |       RootFlag:
 433 |         format: None
 434 |         friendly name: RootFlag
 435 |         ignore: 'no'
 436 |       SeparateLV:
 437 |         format: None
 438 |         friendly name: SeparateLV
 439 |         ignore: 'no'
 440 |       SortID:
 441 |         format: None
 442 |         friendly name: SortID
 443 |         ignore: 'no'
 444 |       SpaceDeferredLVHints:
 445 |         format: None
 446 |         friendly name: SpaceDeferredLVHints
 447 |         ignore: 'no'
 448 |       SpaceHints:
 449 |         format: None
 450 |         friendly name: SpaceHints
 451 |         ignore: 'no'
 452 |       SpaceUsage:
 453 |         format: None
 454 |         friendly name: SpaceUsage
 455 |         ignore: 'no'
 456 |       Stats:
 457 |         format: None
 458 |         friendly name: Stats
 459 |         ignore: 'no'
 460 |       TemplateTable:
 461 |         format: None
 462 |         friendly name: TemplateTable
 463 |         ignore: 'no'
 464 |       TupleLimits:
 465 |         format: None
 466 |         friendly name: TupleLimits
 467 |         ignore: 'no'
 468 |       Type:
 469 |         format: None
 470 |         friendly name: Type
 471 |         ignore: 'no'
 472 |       VarSegMac:
 473 |         format: None
 474 |         friendly name: VarSegMac
 475 |         ignore: 'no'
 476 |       Version:
 477 |         format: None
 478 |         friendly name: Version
 479 |         ignore: 'no'
 480 |     ignore: 'yes'
 481 |     name: MSysObjectsShadow
 482 |   MSysObjids:
 483 |     fields:
 484 |       objid:
 485 |         format: None
 486 |         friendly name: objid
 487 |         ignore: 'no'
 488 |       objidTable:
 489 |         format: None
 490 |         friendly name: objidTable
 491 |         ignore: 'no'
 492 |       type:
 493 |         format: None
 494 |         friendly name: type
 495 |         ignore: 'no'
 496 |     ignore: 'yes'
 497 |     name: MSysObjids
 498 |   SruDbCheckpointTable:
 499 |     fields:
 500 |       CheckpointId:
 501 |         format: None
 502 |         friendly name: CheckpointId
 503 |         ignore: 'no'
 504 |       NextIncId:
 505 |         format: None
 506 |         friendly name: NextIncId
 507 |         ignore: 'no'
 508 |       ProviderId:
 509 |         format: None
 510 |         friendly name: ProviderId
 511 |         ignore: 'no'
 512 |       RecordSet:
 513 |         format: None
 514 |         friendly name: RecordSet
 515 |         ignore: 'no'
 516 |       SeqNumber:
 517 |         format: None
 518 |         friendly name: SeqNumber
 519 |         ignore: 'no'
 520 |     ignore: 'no'
 521 |     name: SruDbCheckpointTable
 522 |   SruDbIdMapTable:
 523 |     fields:
 524 |       IdBlob:
 525 |         format: None
 526 |         friendly name: IdBlob
 527 |         ignore: 'no'
 528 |       IdIndex:
 529 |         format: None
 530 |         friendly name: IdIndex
 531 |         ignore: 'no'
 532 |       IdType:
 533 |         format: None
 534 |         friendly name: IdType
 535 |         ignore: 'no'
 536 |     ignore: 'no'
 537 |     name: SruDbIdMapTable
 538 |   '{5C8CF1C7-7257-4F13-B223-970EF5939312}':
 539 |     fields:
 540 |       AppId:
 541 |         format: function:get_app_id
 542 |         friendly name: Application
 543 |         ignore: 'no'
 544 |       AudioInS:
 545 |         format: None
 546 |         friendly name: AudioInS
 547 |         ignore: 'no'
 548 |       AudioInTimeline:
 549 |         format: None
 550 |         friendly name: AudioInTimeline
 551 |         ignore: 'no'
 552 |       AudioOutS:
 553 |         format: None
 554 |         friendly name: AudioOutS
 555 |         ignore: 'no'
 556 |       AudioOutTimeline:
 557 |         format: None
 558 |         friendly name: AudioOutTimeline
 559 |         ignore: 'no'
 560 |       AutoIncId:
 561 |         format: None
 562 |         friendly name: AutoIncId
 563 |         ignore: 'no'
 564 |       CompDirtiedS:
 565 |         format: None
 566 |         friendly name: CompDirtiedS
 567 |         ignore: 'no'
 568 |       CompDirtiedTimeline:
 569 |         format: None
 570 |         friendly name: CompDirtiedTimeline
 571 |         ignore: 'no'
 572 |       CompPropagatedS:
 573 |         format: None
 574 |         friendly name: CompPropagatedS
 575 |         ignore: 'no'
 576 |       CompPropagatedTimeline:
 577 |         format: None
 578 |         friendly name: CompPropagatedTimeline
 579 |         ignore: 'no'
 580 |       CompRenderedS:
 581 |         format: None
 582 |         friendly name: CompRenderedS
 583 |         ignore: 'no'
 584 |       CompRenderedTimeline:
 585 |         format: None
 586 |         friendly name: CompRenderedTimeline
 587 |         ignore: 'no'
 588 |       CpuTimeline:
 589 |         format: None
 590 |         friendly name: CpuTimeline
 591 |         ignore: 'no'
 592 |       Cycles:
 593 |         format: None
 594 |         friendly name: Cycles
 595 |         ignore: 'no'
 596 |       CyclesAttr:
 597 |         format: None
 598 |         friendly name: CyclesAttr
 599 |         ignore: 'no'
 600 |       CyclesAttrBreakdown:
 601 |         format: None
 602 |         friendly name: CyclesAttrBreakdown
 603 |         ignore: 'no'
 604 |       CyclesBreakdown:
 605 |         format: None
 606 |         friendly name: CyclesBreakdown
 607 |         ignore: 'no'
 608 |       CyclesWOB:
 609 |         format: None
 610 |         friendly name: CyclesWOB
 611 |         ignore: 'no'
 612 |       CyclesWOBBreakdown:
 613 |         format: None
 614 |         friendly name: CyclesWOBBreakdown
 615 |         ignore: 'no'
 616 |       DiskRaw:
 617 |         format: None
 618 |         friendly name: DiskRaw
 619 |         ignore: 'no'
 620 |       DiskTimeline:
 621 |         format: None
 622 |         friendly name: DiskTimeline
 623 |         ignore: 'no'
 624 |       DisplayRequiredS:
 625 |         format: None
 626 |         friendly name: DisplayRequiredS
 627 |         ignore: 'no'
 628 |       DisplayRequiredTimeline:
 629 |         format: None
 630 |         friendly name: DisplayRequiredTimeline
 631 |         ignore: 'no'
 632 |       DurationMS:
 633 |         format: None
 634 |         friendly name: DurationMS
 635 |         ignore: 'no'
 636 |       EndTime:
 637 |         format: None
 638 |         friendly name: EndTime
 639 |         ignore: 'no'
 640 |       Flags:
 641 |         format: None
 642 |         friendly name: Flags
 643 |         ignore: 'no'
 644 |       InFocusS:
 645 |         format: None
 646 |         friendly name: InFocusS
 647 |         ignore: 'no'
 648 |       InFocusTimeline:
 649 |         format: None
 650 |         friendly name: InFocusTimeline
 651 |         ignore: 'no'
 652 |       KeyboardInputS:
 653 |         format: None
 654 |         friendly name: KeyboardInputS
 655 |         ignore: 'no'
 656 |       KeyboardInputTimeline:
 657 |         format: None
 658 |         friendly name: KeyboardInputTimeline
 659 |         ignore: 'no'
 660 |       MBBBytesRaw:
 661 |         format: None
 662 |         friendly name: MBBBytesRaw
 663 |         ignore: 'no'
 664 |       MBBTailRaw:
 665 |         format: None
 666 |         friendly name: MBBTailRaw
 667 |         ignore: 'no'
 668 |       MBBTimeline:
 669 |         format: None
 670 |         friendly name: MBBTimeline
 671 |         ignore: 'no'
 672 |       MouseInputS:
 673 |         format: None
 674 |         friendly name: MouseInputS
 675 |         ignore: 'no'
 676 |       NetworkBytesRaw:
 677 |         format: None
 678 |         friendly name: NetworkBytesRaw
 679 |         ignore: 'no'
 680 |       NetworkTailRaw:
 681 |         format: None
 682 |         friendly name: NetworkTailRaw
 683 |         ignore: 'no'
 684 |       NetworkTimeline:
 685 |         format: None
 686 |         friendly name: NetworkTimeline
 687 |         ignore: 'no'
 688 |       PSMForegroundS:
 689 |         format: None
 690 |         friendly name: PSMForegroundS
 691 |         ignore: 'no'
 692 |       SpanMS:
 693 |         format: None
 694 |         friendly name: SpanMS
 695 |         ignore: 'no'
 696 |       TimeStamp:
 697 |         format: None
 698 |         friendly name: TimeStamp
 699 |         ignore: 'no'
 700 |       TimelineEnd:
 701 |         format: None
 702 |         friendly name: TimelineEnd
 703 |         ignore: 'no'
 704 |       UserId:
 705 |         format: function:get_app_id
 706 |         friendly name: User Info
 707 |         ignore: 'no'
 708 |       UserInputS:
 709 |         format: None
 710 |         friendly name: UserInputS
 711 |         ignore: 'no'
 712 |       UserInputTimeline:
 713 |         format: None
 714 |         friendly name: UserInputTimeline
 715 |         ignore: 'no'
 716 |     ignore: 'no'
 717 |     name: 'Unknown1'
 718 |   '{7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F}':
 719 |     fields:
 720 |       AppId:
 721 |         format: function:get_app_id
 722 |         friendly name: Application
 723 |         ignore: 'no'
 724 |       AutoIncId:
 725 |         format: None
 726 |         friendly name: AutoIncId
 727 |         ignore: 'no'
 728 |       EndTime:
 729 |         format: None
 730 |         friendly name: EndTime
 731 |         ignore: 'no'
 732 |       Flags:
 733 |         format: None
 734 |         friendly name: Flags
 735 |         ignore: 'no'
 736 |       StartTime:
 737 |         format: None
 738 |         friendly name: StartTime
 739 |         ignore: 'no'
 740 |       TimeStamp:
 741 |         format: None
 742 |         friendly name: TimeStamp
 743 |         ignore: 'no'
 744 |       Usage:
 745 |         format: None
 746 |         friendly name: Usage
 747 |         ignore: 'no'
 748 |       UserId:
 749 |         format: function:get_app_id
 750 |         friendly name: User Info
 751 |         ignore: 'no'
 752 |     ignore: 'no'
 753 |     name: 'Unknown2'
 754 |   '{973F5D5C-1D90-4944-BE8E-24B94231A174}':
 755 |     fields:
 756 |       AppId:        
 757 |         format: function:get_app_id
 758 |         friendly name: Application
 759 |         ignore: 'no'
 760 |       AutoIncId:
 761 |         format: None
 762 |         friendly name: AutoIncId
 763 |         ignore: 'no'
 764 |       BytesRecvd:
 765 |         format: None
 766 |         friendly name: BytesRecvd
 767 |         ignore: 'no'
 768 |       BytesSent:
 769 |         format: None
 770 |         friendly name: BytesSent
 771 |         ignore: 'no'
 772 |       InterfaceLuid:
 773 |         format: function:lookup_luid
 774 |         friendly name: InterfaceLuid
 775 |         ignore: 'no'
 776 |       L2ProfileFlags:
 777 |         format: None
 778 |         friendly name: L2ProfileFlags
 779 |         ignore: 'no'
 780 |       L2ProfileId:
 781 |         format: function:lookup_wireless
 782 |         friendly name: L2ProfileId
 783 |         ignore: 'no'
 784 |       TimeStamp:
 785 |         format: None
 786 |         friendly name: TimeStamp
 787 |         ignore: 'no'
 788 |       UserId:
 789 |         format: function:get_app_id
 790 |         friendly name: User Info
 791 |         ignore: 'no'
 792 |     ignore: 'no'
 793 |     name: Network Usage
 794 |   '{B6D82AF1-F780-4E17-8077-6CB9AD8A6FC4}':
 795 |     fields:
 796 |       AppId:
 797 |         format: function:get_app_id
 798 |         friendly name: Application
 799 |         ignore: 'no'
 800 |       AutoIncId:
 801 |         format: None
 802 |         friendly name: AutoIncId
 803 |         ignore: 'no'
 804 |       Energy Data:
 805 |         format: None
 806 |         friendly name: Energy Data
 807 |         ignore: 'no'
 808 |       Metadata:
 809 |         format: None
 810 |         friendly name: Metadata
 811 |         ignore: 'no'
 812 |       Tag:
 813 |         format: None
 814 |         friendly name: Tag
 815 |         ignore: 'no'
 816 |       TimeStamp:
 817 |         format: None
 818 |         friendly name: TimeStamp
 819 |         ignore: 'no'
 820 |       UserId:
 821 |         format: function:get_app_id
 822 |         friendly name: User Info
 823 |         ignore: 'no'
 824 |     ignore: 'no'
 825 |     name: 'Unknown3'
 826 |   '{D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}':
 827 |     fields:
 828 |       AppId:        
 829 |         format: function:get_app_id
 830 |         friendly name: Application
 831 |         ignore: 'no'
 832 |       AutoIncId:
 833 |         format: None
 834 |         friendly name: AutoIncId
 835 |         ignore: 'no'
 836 |       NetworkType:
 837 |         format: None
 838 |         friendly name: NetworkType
 839 |         ignore: 'no'
 840 |       NotificationType:
 841 |         format: None
 842 |         friendly name: NotificationType
 843 |         ignore: 'no'
 844 |       PayloadSize:
 845 |         format: None
 846 |         friendly name: PayloadSize
 847 |         ignore: 'no'
 848 |       TimeStamp:
 849 |         format: None
 850 |         friendly name: TimeStamp
 851 |         ignore: 'no'
 852 |       UserId:
 853 |         format: function:get_app_id
 854 |         friendly name: User Info
 855 |         ignore: 'no'
 856 |     ignore: 'no'
 857 |     name: Application Resource Usage
 858 |   '{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}':
 859 |     fields:
 860 |       AppId:
 861 |         format: function:get_app_id
 862 |         friendly name: Application
 863 |         ignore: 'no'
 864 |       AutoIncId:
 865 |         format: None
 866 |         friendly name: AutoIncId
 867 |         ignore: 'no'
 868 |       BackgroundBytesRead:
 869 |         format: None
 870 |         friendly name: BackgroundBytesRead
 871 |         ignore: 'no'
 872 |       BackgroundBytesWritten:
 873 |         format: None
 874 |         friendly name: BackgroundBytesWritten
 875 |         ignore: 'no'
 876 |       BackgroundContextSwitches:
 877 |         format: None
 878 |         friendly name: BackgroundContextSwitches
 879 |         ignore: 'no'
 880 |       BackgroundCycleTime:
 881 |         format: None
 882 |         friendly name: BackgroundCycleTime
 883 |         ignore: 'no'
 884 |       BackgroundNumReadOperations:
 885 |         format: None
 886 |         friendly name: BackgroundNumReadOperations
 887 |         ignore: 'no'
 888 |       BackgroundNumWriteOperations:
 889 |         format: None
 890 |         friendly name: BackgroundNumWriteOperations
 891 |         ignore: 'no'
 892 |       BackgroundNumberOfFlushes:
 893 |         format: None
 894 |         friendly name: BackgroundNumberOfFlushes
 895 |         ignore: 'no'
 896 |       FaceTime:
 897 |         format: None
 898 |         friendly name: FaceTime
 899 |         ignore: 'no'
 900 |       ForegroundBytesRead:
 901 |         format: None
 902 |         friendly name: ForegroundBytesRead
 903 |         ignore: 'no'
 904 |       ForegroundBytesWritten:
 905 |         format: None
 906 |         friendly name: ForegroundBytesWritten
 907 |         ignore: 'no'
 908 |       ForegroundContextSwitches:
 909 |         format: None
 910 |         friendly name: ForegroundContextSwitches
 911 |         ignore: 'no'
 912 |       ForegroundCycleTime:
 913 |         format: None
 914 |         friendly name: ForegroundCycleTime
 915 |         ignore: 'no'
 916 |       ForegroundNumReadOperations:
 917 |         format: None
 918 |         friendly name: ForegroundNumReadOperations
 919 |         ignore: 'no'
 920 |       ForegroundNumWriteOperations:
 921 |         format: None
 922 |         friendly name: ForegroundNumWriteOperations
 923 |         ignore: 'no'
 924 |       ForegroundNumberOfFlushes:
 925 |         format: None
 926 |         friendly name: ForegroundNumberOfFlushes
 927 |         ignore: 'no'
 928 |       TimeStamp:
 929 |         format: None
 930 |         friendly name: TimeStamp
 931 |         ignore: 'no'
 932 |       UserId:
 933 |         format: function:get_app_id
 934 |         friendly name: UserId
 935 |         ignore: 'no'
 936 |     ignore: 'no'
 937 |     name: 'Application Resources'
 938 |   '{DA73FB89-2BEA-4DDC-86B8-6E048C6DA477}':
 939 |     fields:
 940 |       AppId:
 941 |         format: function:get_app_id
 942 |         friendly name: Application
 943 |         ignore: 'no'
 944 |       AutoIncId:
 945 |         format: None
 946 |         friendly name: AutoIncId
 947 |         ignore: 'no'
 948 |       BinaryData:
 949 |         format: None
 950 |         friendly name: BinaryData
 951 |         ignore: 'no'
 952 |       TimeStamp:
 953 |         format: None
 954 |         friendly name: TimeStamp
 955 |         ignore: 'no'
 956 |       UserId:
 957 |         format: function:get_app_id
 958 |         friendly name: User Info
 959 |         ignore: 'no'
 960 |     ignore: 'no'
 961 |     name: 'Unknown4'
 962 |   '{DD6636C4-8929-4683-974E-22C046A43763}':
 963 |     fields:
 964 |       AppId:
 965 |         format: function:get_app_id
 966 |         friendly name: Application
 967 |         ignore: 'no'
 968 |       AutoIncId:
 969 |         format: None
 970 |         friendly name: AutoIncId
 971 |         ignore: 'no'
 972 |       ConnectStartTime:
 973 |         format: None
 974 |         friendly name: ConnectStartTime
 975 |         ignore: 'no'
 976 |       ConnectedTime:
 977 |         format: None
 978 |         friendly name: ConnectedTime
 979 |         ignore: 'no'
 980 |       InterfaceLuid:
 981 |         format: None
 982 |         friendly name: InterfaceLuid
 983 |         ignore: 'no'
 984 |       L2ProfileFlags:
 985 |         format: None
 986 |         friendly name: L2ProfileFlags
 987 |         ignore: 'no'
 988 |       L2ProfileId:
 989 |         format: function:lookup_wireless
 990 |         friendly name: L2ProfileId
 991 |         ignore: 'no'
 992 |       TimeStamp:
 993 |         format: None
 994 |         friendly name: TimeStamp
 995 |         ignore: 'no'
 996 |       UserId:
 997 |         format: function:get_app_id
 998 |         friendly name: User Info
 999 |         ignore: 'no'
1000 |     ignore: 'no'
1001 |     name: 'Network Connections'
1002 |   '{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}':
1003 |     fields:
1004 |       AppId:
1005 |         format: function:get_app_id
1006 |         friendly name: Application
1007 |         ignore: 'no'
1008 |       AutoIncId:
1009 |         format: None
1010 |         friendly name: AutoIncId
1011 |         ignore: 'no'
1012 |       ChargeLevel:
1013 |         format: None
1014 |         friendly name: ChargeLevel
1015 |         ignore: 'no'
1016 |       ConfigurationHash:
1017 |         format: None
1018 |         friendly name: ConfigurationHash
1019 |         ignore: 'no'
1020 |       CycleCount:
1021 |         format: None
1022 |         friendly name: CycleCount
1023 |         ignore: 'no'
1024 |       DesignedCapacity:
1025 |         format: None
1026 |         friendly name: DesignedCapacity
1027 |         ignore: 'no'
1028 |       EventTimestamp:
1029 |         format: None
1030 |         friendly name: EventTimestamp
1031 |         ignore: 'no'
1032 |       FullChargedCapacity:
1033 |         format: None
1034 |         friendly name: FullChargedCapacity
1035 |         ignore: 'no'
1036 |       StateTransition:
1037 |         format: None
1038 |         friendly name: StateTransition
1039 |         ignore: 'no'
1040 |       TimeStamp:
1041 |         format: None
1042 |         friendly name: TimeStamp
1043 |         ignore: 'no'
1044 |       UserId:
1045 |         format: function:get_app_id
1046 |         friendly name: User Info
1047 |         ignore: 'no'
1048 |     ignore: 'no'
1049 |     name: Energy Usage
1050 |   '{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT':
1051 |     fields:
1052 |       ActiveAcTime:
1053 |         format: None
1054 |         friendly name: ActiveAcTime
1055 |         ignore: 'no'
1056 |       ActiveDcTime:
1057 |         format: None
1058 |         friendly name: ActiveDcTime
1059 |         ignore: 'no'
1060 |       ActiveDischargeTime:
1061 |         format: None
1062 |         friendly name: ActiveDischargeTime
1063 |         ignore: 'no'
1064 |       ActiveEnergy:
1065 |         format: None
1066 |         friendly name: ActiveEnergy
1067 |         ignore: 'no'
1068 |       AppId:
1069 |         format: function:get_app_id
1070 |         friendly name: Application
1071 |         ignore: 'no'
1072 |       AutoIncId:
1073 |         format: None
1074 |         friendly name: AutoIncId
1075 |         ignore: 'no'
1076 |       ConfigurationHash:
1077 |         format: None
1078 |         friendly name: ConfigurationHash
1079 |         ignore: 'no'
1080 |       CsAcTime:
1081 |         format: None
1082 |         friendly name: CsAcTime
1083 |         ignore: 'no'
1084 |       CsDcTime:
1085 |         format: None
1086 |         friendly name: CsDcTime
1087 |         ignore: 'no'
1088 |       CsDischargeTime:
1089 |         format: None
1090 |         friendly name: CsDischargeTime
1091 |         ignore: 'no'
1092 |       CsEnergy:
1093 |         format: None
1094 |         friendly name: CsEnergy
1095 |         ignore: 'no'
1096 |       CycleCount:
1097 |         format: None
1098 |         friendly name: CycleCount
1099 |         ignore: 'no'
1100 |       DesignedCapacity:
1101 |         format: None
1102 |         friendly name: DesignedCapacity
1103 |         ignore: 'no'
1104 |       FullChargedCapacity:
1105 |         format: None
1106 |         friendly name: FullChargedCapacity
1107 |         ignore: 'no'
1108 |       TimeStamp:
1109 |         format: None
1110 |         friendly name: TimeStamp
1111 |         ignore: 'no'
1112 |       UserId:
1113 |         format: function:get_app_id
1114 |         friendly name: User Info
1115 |         ignore: 'no'
1116 |     ignore: 'no'
1117 |     name: Energy Usage (Long-Term)
1118 | 
1119 | 
1120 | """
1121 | import struct
1122 | import codecs
1123 | import pathlib
1124 | import sys
1125 | from Registry.Registry import Registry
1126 | 
1127 | def load_registry_sids(reg_file):
1128 |     """Given Software hive find SID usernames"""
1129 |     sids = {}
1130 |     profile_key = r"Microsoft\Windows NT\CurrentVersion\ProfileList"
1131 |     tgt_value = "ProfileImagePath"
1132 |     try:
1133 |         reg_handle = Registry(reg_file)
1134 |         key_handle = reg_handle.open(profile_key)
1135 |         for eachsid in key_handle.subkeys():
1136 |             sids_path = eachsid.value(tgt_value).value()
1137 |             sids[eachsid.name()] = sids_path.split("\\")[-1]
1138 |     except Exception as e:
1139 |         print(str(e))
1140 |         return {}
1141 |     print("Loaded SIDS", sids)
1142 |     return sids
1143 | 
1144 | def load_interfaces(reg_file):
1145 |     try:
1146 |         reg_handle = Registry(reg_file)
1147 |         int_keys = reg_handle.open('Microsoft\\WlanSvc\\Interfaces')
1148 |     except Exception as e:
1149 |         print("I could not open the specified SOFTWARE registry key. It is usually located in \Windows\system32\config but is locked by the OS.")
1150 |         print("Error : ", str(e))
1151 |         return {}   
1152 |     profile_lookup = {}
1153 |     for eachinterface in int_keys.subkeys():
1154 |         if len(eachinterface.subkeys())==0:
1155 |             continue
1156 |         for eachprofile in eachinterface.subkey("Profiles").subkeys():
1157 |             profileid = [x.value() for x in eachprofile.values() if x.name()=="ProfileIndex"][0]
1158 |             metadata = eachprofile.subkey("MetaData").values()
1159 |             for eachvalue in metadata:
1160 |                 if eachvalue.name() in ["Channel Hints", "Band Channel Hints"]:
1161 |                     channelhintraw = eachvalue.value()
1162 |                     hintlength = struct.unpack("I", channelhintraw[0:4])[0]
1163 |                     name = channelhintraw[4:hintlength+4] 
1164 |                     profile_lookup[str(profileid)] = name
1165 |     return profile_lookup
1166 | 
1167 | wireless_lookup = {}
1168 | def lookup_wireless(wireless_id):
1169 |     return wireless_lookup.get(str(wireless_id),"")
1170 | 
1171 | registry_sids = {}
1172 | def plugin_init(ese_database):
1173 |     global wireless_lookup
1174 |     global registry_sids
1175 |     #table_names = " ".join([x.name for x in ese_database.tables])
1176 |     #print("Received Arguments", args)
1177 |     if args and args[0].lower() == "live":
1178 |         live_path = pathlib.Path("c:\\Windows\\System32\\Config\\SOFTWARE")
1179 |         if live_path.exists():
1180 |             regpath = extract_live_ese(live_path)
1181 |             wireless_lookup = load_interfaces(str(regpath))
1182 |             registry_sids = load_registry_sids(str(regpath))
1183 |         else:
1184 |             print("Unable to find the SOFTWARE registry on this system.")
1185 |     elif args and pathlib.Path(args[0]).exists():
1186 |         wireless_lookup = load_interfaces(args[0])
1187 |         registry_sids = load_registry_sids(str(args[0]))
1188 |     elif args:
1189 |         print(f"Registry file {str(args[0])} not found.")
1190 |     #print("Plugin Initialized for ", table_names)
1191 |     # Setup any data structures required for yaml function calls
1192 |     return None
1193 | 
1194 | def plugin_modify_header(list_of_headers, table_name):
1195 |     #print("Plugin Processing headers", list_of_headers)
1196 |     # Modify headers as needed before commit to file
1197 |     return list_of_headers
1198 | 
1199 | def plugin_modify_row(list_of_row_values, table_name):
1200 |     #print("Plugin Processing Row", list_of_row_values)
1201 |     # Modify list as needed before commit to file or keep totals
1202 |     return list_of_row_values
1203 | 
1204 | def plugin_end_of_file(csv_writer_object, table_name):
1205 |     #print("Plugin Finished file" )
1206 |     # Write header footers, calculations etc
1207 |     return None
1208 | 
1209 | def BinarySIDtoStringSID(sid_str):
1210 |     if not sid_str:
1211 |         return ""
1212 |     sid = codecs.decode(sid_str,"hex")
1213 |     str_sid_components = [sid[0]]
1214 |     # Now decode the 48-byte portion
1215 |     if len(sid) >= 8:
1216 |         subauthority_count = sid[1]
1217 |         identifier_authority = struct.unpack(">H", sid[2:4])[0]
1218 |         identifier_authority <<= 32
1219 |         identifier_authority |= struct.unpack(">L", sid[4:8])[0]
1220 |         str_sid_components.append(identifier_authority)
1221 |         start = 8
1222 |         for i in range(subauthority_count):
1223 |             authority = sid[start:start + 4]
1224 |             if not authority:
1225 |                 break
1226 |             if len(authority) < 4:
1227 |                 raise ValueError("In binary SID '%s', component %d has been truncated. "
1228 |                          "Expected 4 bytes, found %d: (%s)",
1229 |                          ",".join([str(ord(c)) for c in sid]), i,
1230 |                          len(authority), authority)
1231 |             str_sid_components.append(struct.unpack("<L", authority)[0])
1232 |             start += 4
1233 |             sid_str = "S-%s" % ("-".join([str(x) for x in str_sid_components]))
1234 |     if sid_str in registry_sids:
1235 |         sid_name = registry_sids.get(sid_str)
1236 |     else:
1237 |         sid_name = lookup("known_sids",sid_str)
1238 |     return "{} ({})".format(sid_str,sid_name)
1239 | 
1240 | def get_app_id(data):
1241 |     app_record = lookup("app_id", data)
1242 |     if not app_record:
1243 |         return "Application ID lookup failed."
1244 |     app_type, app_value = app_record  
1245 |     if app_type == 3:
1246 |         data = BinarySIDtoStringSID(app_value)
1247 |     else:
1248 |         data = blob_to_string(app_value)
1249 |     return data
1250 | 
1251 | def lookup_luid(luidval): 
1252 |     inttype = struct.unpack(">H6B", codecs.decode(format(luidval,'016x'),'hex'))[0] 
1253 |     return lookup("LUID_interface_types",inttype)
1254 | 


--------------------------------------------------------------------------------