Changes for Windows user account without profile #4891 (#4892)

joachimmetz · web-flow · commit f24124bf5354 · 2024-07-16T06:04:13.000+02:00
diff --git a/plaso/parsers/text_plugins/interface.py b/plaso/parsers/text_plugins/interface.py
@@ -266,7 +266,7 @@ def _ParseString(self, string):
       raise errors.ParseError('No match found.')
 
     if start > 0 and '\n' in string[:start + 1]:
-      raise errors.ParseError('Found a line preceeding match.')
+      raise errors.ParseError('Found a line preceding match.')
 
     # Unwrap the line structure and retrieve its name (key).
     keys = list(structure.keys())
diff --git a/plaso/preprocessors/mediator.py b/plaso/preprocessors/mediator.py
@@ -112,7 +112,12 @@ def AddUserAccount(self, user_account):
     Raises:
       KeyError: if the user account already exists.
     """
-    logger.debug(f'adding user account: {user_account.username:s}')
+    if not user_account.username:
+      logger.debug(f'adding user account: {user_account.identifier:s}')
+    else:
+      logger.debug(
+          f'adding user account: {user_account.username:s} '
+          f'({user_account.identifier:s})')
 
     if self._storage_writer:
       self._storage_writer.AddAttributeContainer(user_account)
diff --git a/plaso/preprocessors/windows.py b/plaso/preprocessors/windows.py
@@ -903,21 +903,24 @@ def _ParseKey(self, mediator, registry_key, value_name):
         identifier=registry_key.name, path_separator='\\')
 
     registry_value = registry_key.GetValueByName('ProfileImagePath')
-    if not registry_value:
-      username = 'N/A'
-    else:
+    if registry_value:
       profile_path = registry_value.GetDataAsObject()
+
       username = self._GetUsernameFromProfilePath(profile_path)
+      if profile_path and not username:
+        mediator.ProducePreprocessingWarning(self.ARTIFACT_DEFINITION_NAME, (
+            f'Unable to determine username from profile path: '
+            f'"{profile_path!s}"'))
 
       user_account.user_directory = profile_path or None
       user_account.username = username or None
 
     try:
       mediator.AddUserAccount(user_account)
     except KeyError:
-      mediator.ProducePreprocessingWarning(
-          self.ARTIFACT_DEFINITION_NAME,
-          f'Unable to add user account: "{username!s}" to knowledge base')
+      mediator.ProducePreprocessingWarning(self.ARTIFACT_DEFINITION_NAME, (
+          f'Unable to add user account: "{user_account.identifier:s}" to '
+          f'knowledge base'))
 
 
 class WindowsWinDirEnvironmentVariablePlugin(
diff --git a/tests/preprocessors/windows.py b/tests/preprocessors/windows.py
@@ -713,8 +713,9 @@ def testParseKey(self):
     user_account = storage_writer.GetAttributeContainerByIndex(
        'user_account', 9)
 
-    expected_sid = 'S-1-5-21-2036804247-3058324640-2116585241-1114'
-    self.assertEqual(user_account.identifier, expected_sid)
+    self.assertEqual(
+        user_account.identifier,
+        'S-1-5-21-2036804247-3058324640-2116585241-1114')
     self.assertEqual(user_account.username, 'rsydow')
     self.assertEqual(user_account.user_directory, 'C:\\Users\\rsydow')
 
