dissect.target 3.19.dev57__py3-none-any.whl → 3.20__py3-none-any.whl

dissect/target/plugins/os/windows/amcache.py

@@ -1,4 +1,7 @@
+from __future__ import annotations
+
 from datetime import datetime, timezone
+from typing import Iterator
 
 from dissect.util.ts import wintimestamp
 
@@ -292,13 +295,13 @@ class AmcachePluginOldMixin:
                     )
 
     @export(record=ProgramsAppcompatRecord)
-    def programs(self):
+    def programs(self) -> Iterator[ProgramsAppcompatRecord]:
         """Return Programs records from Amcache hive."""
         if self.amcache:
             yield from self.parse_programs()
 
     @export(record=FileAppcompatRecord)
-    def files(self):
+    def files(self) -> Iterator[FileAppcompatRecord]:
         """Return File records from Amcache hive."""
         if self.amcache:
             yield from self.parse_file()
@@ -321,9 +324,9 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
         * InventoryApplicationShortcut
 
     References:
-        https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
-        https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
-        https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/
+        - https://binaryforay.blogspot.com/2015/04/appcompatcache-changes-in-windows-10.html
+        - https://cyber.gouv.fr/sites/default/files/2019/01/anssi-coriin_2019-analysis_amcache.pdf
+        - https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/
 
     """
 
@@ -545,7 +548,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             )
 
     @export(record=ApplicationAppcompatRecord)
-    def applications(self):
+    def applications(self) -> Iterator[ApplicationAppcompatRecord]:
         """Return InventoryApplication records from Amcache hive.
 
         Amcache is a registry hive that stores information about executed programs. The InventoryApplication key holds
@@ -559,7 +562,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             yield from self.parse_inventory_application()
 
     @export(record=ApplicationFileAppcompatRecord)
-    def application_files(self):
+    def application_files(self) -> Iterator[ApplicationFileAppcompatRecord]:
         """Return InventoryApplicationFile records from Amcache hive.
 
         Amcache is a registry hive that stores information about executed programs. The InventoryApplicationFile key
@@ -573,7 +576,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             yield from self.parse_inventory_application_file()
 
     @export(record=BinaryAppcompatRecord)
-    def drivers(self):
+    def drivers(self) -> Iterator[BinaryAppcompatRecord]:
         """Return InventoryDriverBinary records from Amcache hive.
 
         Amcache is a registry hive that stores information about executed programs. The InventoryDriverBinary key holds
@@ -588,7 +591,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             yield from self.parse_inventory_driver_binary()
 
     @export(record=ShortcutAppcompatRecord)
-    def shortcuts(self):
+    def shortcuts(self) -> Iterator[ShortcutAppcompatRecord]:
         """Return InventoryApplicationShortcut records from Amcache hive.
 
         Amcache is a registry hive that stores information about executed programs. The InventoryApplicationShortcut
@@ -604,7 +607,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             yield from self.parse_inventory_application_shortcut()
 
     @export(record=ContainerAppcompatRecord)
-    def device_containers(self):
+    def device_containers(self) -> Iterator[ContainerAppcompatRecord]:
         """Return InventoryDeviceContainer records from Amcache hive.
 
         Amcache is a registry hive that stores information about executed programs. The InventoryDeviceContainer key
@@ -619,7 +622,7 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
             yield from self.parse_inventory_device_container()
 
     @export(record=AppLaunchAppcompatRecord)
-    def applaunches(self):
+    def applaunches(self) -> Iterator[AppLaunchAppcompatRecord]:
         """Return AppLaunchAppcompatRecord records from Amcache applaunch files (Windows 11 22H2 or later).
 
         TODO: Research C:\\Windows\\appcompat\\pca\\PcaGeneralDb0.txt and
@@ -641,11 +644,11 @@ class AmcachePlugin(AmcachePluginOldMixin, Plugin):
                 )
 
 
-def parse_win_datetime(value: str):
+def parse_win_datetime(value: str) -> datetime | None:
     if value:
         return datetime.strptime(value, "%m/%d/%Y %H:%M:%S")
 
 
-def parse_win_timestamp(value: str):
+def parse_win_timestamp(value: str) -> datetime | None:
     if value:
         return wintimestamp(value)

dissect/target/plugins/os/windows/defender.py

@@ -4,7 +4,7 @@ import re
 from datetime import datetime, timezone
 from io import BytesIO
 from pathlib import Path
-from typing import Any, BinaryIO, Generator, Iterable, Iterator, TextIO, Union
+from typing import Any, BinaryIO, Iterable, Iterator, TextIO
 
 import dissect.util.ts as ts
 from dissect.cstruct import cstruct
@@ -434,7 +434,7 @@ class MicrosoftDefenderPlugin(plugin.Plugin):
             raise UnsupportedPluginError("No Defender objects found")
 
     @plugin.export(record=DefenderLogRecord)
-    def evtx(self) -> Generator[Record, None, None]:
+    def evtx(self) -> Iterator[DefenderLogRecord]:
         """Parse Microsoft Defender evtx log files"""
 
         defender_evtx_field_names = [field_name for _, field_name in DEFENDER_EVTX_FIELDS]
@@ -458,7 +458,7 @@ class MicrosoftDefenderPlugin(plugin.Plugin):
             yield DefenderLogRecord(**record_fields, _target=self.target)
 
     @plugin.export(record=[DefenderQuarantineRecord, DefenderFileQuarantineRecord])
-    def quarantine(self) -> Iterator[Union[DefenderQuarantineRecord, DefenderFileQuarantineRecord]]:
+    def quarantine(self) -> Iterator[DefenderQuarantineRecord | DefenderFileQuarantineRecord]:
         """Parse the quarantine folder of Microsoft Defender for quarantine entry resources.
 
         Quarantine entry resources contain metadata about detected threats that Microsoft Defender has placed in
@@ -517,6 +517,7 @@ class MicrosoftDefenderPlugin(plugin.Plugin):
                         regf_mtime=exclusion_type_subkey.timestamp,
                         type=exclusion_type,
                         value=exclusion_value,
+                        _target=self.target,
                     )
 
     def _mplog_processimage(self, data: dict) -> Iterator[DefenderMPLogProcessImageRecord]:

dissect/target/plugins/os/windows/dpapi/keyprovider/credhist.py

@@ -8,6 +8,8 @@ from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
 
 
 class CredHistKeyProviderPlugin(KeyProviderPlugin):
+    """Windows CREDHIST SHA1-hash key provider plugin."""
+
     __namespace__ = "_dpapi_keyprovider_credhist"
 
     def check_compatible(self) -> None:
@@ -16,6 +18,7 @@ class CredHistKeyProviderPlugin(KeyProviderPlugin):
 
     @export(output="yield")
     def keys(self) -> Iterator[tuple[str, str]]:
+        """Yield Windows CREDHIST SHA1 hashes."""
         for credhist in self.target.credhist():
             if value := getattr(credhist, "sha1"):
                 yield self.__namespace__, value

dissect/target/plugins/os/windows/dpapi/keyprovider/empty.py

@@ -7,6 +7,8 @@ from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
 
 
 class EmptyKeyProviderPlugin(KeyProviderPlugin):
+    """Empty key provider plugin."""
+
     __namespace__ = "_dpapi_keyprovider_empty"
 
     def check_compatible(self) -> None:
@@ -14,4 +16,5 @@ class EmptyKeyProviderPlugin(KeyProviderPlugin):
 
     @export(output="yield")
     def keys(self) -> Iterator[tuple[str, str]]:
+        """Yield an empty string."""
         yield self.__namespace__, ""

dissect/target/plugins/os/windows/dpapi/keyprovider/keychain.py

@@ -8,6 +8,8 @@ from dissect.target.plugins.os.windows.dpapi.keyprovider.keyprovider import (
 
 
 class KeychainKeyProviderPlugin(KeyProviderPlugin):
+    """Keychain key provider plugin."""
+
     __namespace__ = "_dpapi_keyprovider_keychain"
 
     def check_compatible(self) -> None:
@@ -15,6 +17,7 @@ class KeychainKeyProviderPlugin(KeyProviderPlugin):
 
     @export(output="yield")
     def keys(self) -> Iterator[tuple[str, str]]:
+        """Yield keychain passphrases."""
         for key in keychain.get_keys_for_provider("user") + keychain.get_keys_without_provider():
             if key.key_type == keychain.KeyType.PASSPHRASE:
                 yield self.__namespace__, key.value

dissect/target/plugins/os/windows/dpapi/keyprovider/lsa.py

@@ -21,6 +21,8 @@ c_defaultpassword = cstruct().load(defaultpassword_def)
 
 
 class LSADefaultPasswordKeyProviderPlugin(KeyProviderPlugin):
+    """Windows LSA DefaultPassword key provider plugin."""
+
     __namespace__ = "_dpapi_keyprovider_lsa_defaultpassword"
 
     def check_compatible(self) -> None:
@@ -29,6 +31,7 @@ class LSADefaultPasswordKeyProviderPlugin(KeyProviderPlugin):
 
     @export(output="yield")
     def keys(self) -> Iterator[tuple[str, str]]:
+        """Yield Windows LSA DefaultPassword strings."""
         if default_pass := self.target.lsa._secrets.get("DefaultPassword"):
             try:
                 value = c_defaultpassword.DefaultPassword(default_pass).data

dissect/target/plugins/os/windows/env.py

@@ -314,8 +314,7 @@ class EnvironmentVariablePlugin(Plugin):
     def user_env(self, user_sid: Optional[str] = None) -> OrderedDict[str, str]:
         """Return a dict of all found (user) environment variables.
 
-        If no ``user_sid` is provided, this function will return just the
-        system environment variables.
+        If no ``user_sid`` is provided, this function will return just the system environment variables.
         """
         return self._get_user_env_vars(user_sid)
 

dissect/target/plugins/os/windows/exchange/exchange.py

@@ -3,13 +3,15 @@ from dissect.target.plugin import Plugin, export
 
 
 class ExchangePlugin(Plugin):
+    """Microsoft Exchange Server plugin."""
+
     __namespace__ = "exchange"
 
     def check_compatible(self) -> None:
         if not len(self.install_paths()):
             raise UnsupportedPluginError("No Exchange install path found")
 
-    def install_paths(self):
+    def install_paths(self) -> list[str]:
         paths = []
         key = "HKLM\\SOFTWARE\\Microsoft\\ExchangeServer"
         for reg_key in self.target.registry.keys(key):
@@ -23,9 +25,9 @@ class ExchangePlugin(Plugin):
 
         return paths
 
-    @export
-    def transport_agents(self):
-        """Return the content of the config file for Transport Agents for Microsoft Exchange.
+    @export(output="none")
+    def transport_agents(self) -> None:
+        """Print the content of the config file for Transport Agents for Microsoft Exchange.
 
         A Transport Agent is additional software on a Microsoft Exchange server that allows for custom processing of
         email messages that go through the transport pipeline.

dissect/target/plugins/os/windows/generic.py

@@ -1,6 +1,10 @@
+from __future__ import annotations
+
+import struct
 from datetime import datetime
-from typing import Optional
+from typing import Iterator
 
+from dissect.util.sid import read_sid
 from dissect.util.ts import from_unix
 
 from dissect.target.exceptions import RegistryError, UnsupportedPluginError
@@ -8,7 +12,10 @@ from dissect.target.helpers.descriptor_extensions import (
     RegistryRecordDescriptorExtension,
     UserRecordDescriptorExtension,
 )
-from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.helpers.record import (
+    TargetRecordDescriptor,
+    create_extended_descriptor,
+)
 from dissect.target.plugin import Plugin, export
 
 UserRegistryRecordDescriptor = create_extended_descriptor(
@@ -111,6 +118,15 @@ WinSockNamespaceProviderRecord = UserRegistryRecordDescriptor(
     ],
 )
 
+ComputerSidRecord = TargetRecordDescriptor(
+    "windows/sid/computer",
+    [
+        ("datetime", "ts"),
+        ("string", "sidtype"),
+        ("string", "sid"),
+    ],
+)
+
 
 class GenericPlugin(Plugin):
     """Generic Windows plugin.
@@ -123,12 +139,12 @@ class GenericPlugin(Plugin):
             raise UnsupportedPluginError("Unsupported Plugin")
 
     @export(property=True)
-    def ntversion(self):
+    def ntversion(self) -> str | None:
         """Return the Windows NT version."""
         return self.target._os._nt_version()
 
     @export(output="yield")
-    def pathenvironment(self):
+    def pathenvironment(self) -> Iterator[str]:
         """Return the content of the Windows PATH environment variable.
 
         PATH is an environment variable on an operating system that specifies a set of directories where executable
@@ -142,7 +158,7 @@ class GenericPlugin(Plugin):
             yield r.value("Path").value
 
     @export(property=True)
-    def domain(self):
+    def domain(self) -> str | None:
         """Return the domain name.
 
         Corporate Windows systems are usually connected to a domain (active directory).
@@ -167,7 +183,7 @@ class GenericPlugin(Plugin):
                 continue
 
     @export(property=True)
-    def activity(self) -> Optional[datetime]:
+    def activity(self) -> datetime | None:
         """Return last seen activity based on filesystem timestamps."""
         last_seen = 0
 
@@ -193,7 +209,7 @@ class GenericPlugin(Plugin):
         return from_unix(last_seen)
 
     @export(property=True)
-    def install_date(self) -> Optional[datetime]:
+    def install_date(self) -> datetime | None:
         """Returns the install date of the system.
 
         The value of the registry key is stored as a Unix epoch timestamp.
@@ -211,7 +227,7 @@ class GenericPlugin(Plugin):
             return
 
     @export(record=AppInitRecord)
-    def appinit(self):
+    def appinit(self) -> Iterator[AppInitRecord]:
         """Return all available Application Initial (AppInit) DLLs registry key values.
 
         AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on
@@ -258,7 +274,7 @@ class GenericPlugin(Plugin):
                     continue
 
     @export(record=KnownDllRecord)
-    def knowndlls(self):
+    def knowndlls(self) -> Iterator[KnownDllRecord]:
         """Return all available KnownDLLs registry key values.
 
         The KnownDLLs registry key values are used to cache frequently used system DLLs. Initially, it was added to
@@ -287,7 +303,7 @@ class GenericPlugin(Plugin):
             pass
 
     @export(record=SessionManagerRecord)
-    def sessionmanager(self):
+    def sessionmanager(self) -> Iterator[SessionManagerRecord]:
         """Return interesting Session Manager (Smss.exe) registry key entries.
 
         Session Manager (Smss.exe) is the first user-mode process started by the kernel and performs several tasks,
@@ -339,7 +355,7 @@ class GenericPlugin(Plugin):
                     )
 
     @export(record=NullSessionPipeRecord)
-    def nullsessionpipes(self):
+    def nullsessionpipes(self) -> Iterator[NullSessionPipeRecord]:
         """Return the NullSessionPipes registry key value.
 
         The NullSessionPipes registry key value specifies server pipes and shared folders that are excluded from the
@@ -367,7 +383,7 @@ class GenericPlugin(Plugin):
                 continue
 
     @export(record=NdisRecord)
-    def ndis(self):
+    def ndis(self) -> Iterator[NdisRecord]:
         """Return network registry key entries."""
         key = "HKLM\\System\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"
         for r in self.target.registry.keys(key):
@@ -401,7 +417,7 @@ class GenericPlugin(Plugin):
                     )
 
     @export(record=CommandProcAutoRunRecord)
-    def commandprocautorun(self):
+    def commandprocautorun(self) -> Iterator[CommandProcAutoRunRecord]:
         """Return all available Command Processor (cmd.exe) AutoRun registry key values.
 
         The Command Processor AutoRun registry key values contain commands that are run each time the Command Processor
@@ -435,7 +451,7 @@ class GenericPlugin(Plugin):
                     continue
 
     @export(record=AlternateShellRecord)
-    def alternateshell(self):
+    def alternateshell(self) -> Iterator[AlternateShellRecord]:
         """Return the AlternateShell registry key value.
 
         The AlternateShell registry key, HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Safeboot, specifies the
@@ -459,7 +475,7 @@ class GenericPlugin(Plugin):
             )
 
     @export(record=BootShellRecord)
-    def bootshell(self):
+    def bootshell(self) -> Iterator[BootShellRecord]:
         """Return the BootShell registry key entry.
 
         Usually contains a path to bootim.exe which is Windows's recovery menu.
@@ -483,7 +499,7 @@ class GenericPlugin(Plugin):
             )
 
     @export(record=FileRenameOperationRecord)
-    def filerenameop(self):
+    def filerenameop(self) -> Iterator[FileRenameOperationRecord]:
         """Return all pending file rename operations.
 
         The PendingFileRenameOperations registry key value contains information about files that will be renamed on
@@ -513,7 +529,7 @@ class GenericPlugin(Plugin):
                 )
 
     @export(record=WinRarRecord)
-    def winrar(self):
+    def winrar(self) -> Iterator[WinRarRecord]:
         """Return all available WinRAR history registry key values."""
         keys = [
             "HKEY_CURRENT_USER\\Software\\WinRAR\\ArcHistory",
@@ -534,7 +550,7 @@ class GenericPlugin(Plugin):
                     )
 
     @export(record=WinSockNamespaceProviderRecord)
-    def winsocknamespaceprovider(self):
+    def winsocknamespaceprovider(self) -> Iterator[WinSockNamespaceProviderRecord]:
         """Return available protocols stored in the Winsock catalog database.
 
         References:
@@ -562,7 +578,7 @@ class GenericPlugin(Plugin):
                     )
 
     @export(property=True)
-    def codepage(self) -> Optional[str]:
+    def codepage(self) -> str | None:
         """Returns the current active codepage on the system."""
 
         key = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage"
@@ -571,3 +587,36 @@ class GenericPlugin(Plugin):
             return self.target.registry.key(key).value("ACP").value
         except RegistryError:
             pass
+
+    @export(record=ComputerSidRecord)
+    def sid(self) -> Iterator[ComputerSidRecord]:
+        """Return the machine- and optional domain SID of the system."""
+
+        try:
+            key = self.target.registry.key("HKLM\\SAM\\SAM\\Domains\\Account")
+
+            # The machine SID is stored in the last 12 bytes of the V value as little-endian
+            # The machine SID differs from a 'normal' binary SID as only holds 3 values and lacks a prefix / Revision
+            # NOTE: Consider moving this to dissect.util.sid if we encounter this more often
+            sid = struct.unpack_from("<III", key.value("V").value, -12)
+
+            yield ComputerSidRecord(
+                ts=key.timestamp,
+                sidtype="Machine",
+                sid=f"S-1-5-21-{sid[0]}-{sid[1]}-{sid[2]}",
+                _target=self.target,
+            )
+        except (RegistryError, struct.error):
+            pass
+
+        try:
+            key = self.target.registry.key("HKLM\\SECURITY\\Policy\\PolMachineAccountS")
+
+            yield ComputerSidRecord(
+                ts=key.timestamp,
+                sidtype="Domain",
+                sid=read_sid(key.value("(Default)").value),
+                _target=self.target,
+            )
+        except (RegistryError, struct.error):
+            pass

dissect/target/plugins/os/windows/lnk.py

@@ -118,6 +118,8 @@ def parse_lnk_file(target: Target, lnk_file: Lnk, lnk_path: TargetPath) -> Itera
 
 
 class LnkPlugin(Plugin):
+    """Windows lnk plugin."""
+
     def __init__(self, target: Target) -> None:
         super().__init__(target)
         self.folders = ["programdata", "users", "windows"]

dissect/target/plugins/os/windows/locale.py

@@ -1,3 +1,7 @@
+from __future__ import annotations
+
+from typing import Iterator
+
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.localeutil import normalize_language, normalize_timezone
 from dissect.target.helpers.record import TargetRecordDescriptor
@@ -13,6 +17,8 @@ WindowsKeyboardRecord = TargetRecordDescriptor(
 
 
 class LocalePlugin(Plugin):
+    """Windows locale plugin."""
+
     def __init__(self, target):
         super().__init__(target)
         self.LANG_DICT = {
@@ -26,7 +32,7 @@ class LocalePlugin(Plugin):
             raise UnsupportedPluginError("Unsupported Plugin")
 
     @export(record=WindowsKeyboardRecord)
-    def keyboard(self):
+    def keyboard(self) -> Iterator[WindowsKeyboardRecord]:
         """Yield records of installed keyboards on the system."""
         found_keyboards = []
         for key in self.target.registry.keys("HKCU\\Keyboard Layout\\Preload"):
@@ -41,7 +47,7 @@ class LocalePlugin(Plugin):
                     )
 
     @export(property=True)
-    def language(self):
+    def language(self) -> str | None:
         """Get a list of installed languages on the system."""
         # HKCU\\Control Panel\\International\\User Profile" Languages
         found_languages = []
@@ -53,6 +59,6 @@ class LocalePlugin(Plugin):
         return found_languages
 
     @export(property=True)
-    def timezone(self):
+    def timezone(self) -> str | None:
         """Get the configured timezone of the system in IANA TZ standard format."""
         return normalize_timezone(self.target.datetime.tzinfo.name)

dissect/target/plugins/os/windows/log/etl.py

@@ -1,5 +1,6 @@
 from functools import lru_cache
 from pathlib import Path
+from typing import Iterator
 
 from dissect.etl.etl import ETL, Event
 
@@ -65,7 +66,7 @@ class EtlRecordBuilder:
 
 
 class EtlPlugin(Plugin):
-    """Plugin for fetching and parsing Windows ETL Files (*.etl)"""
+    """Plugin for parsing Windows ETL Files (``*.etl``)."""
 
     __namespace__ = "etl"
 
@@ -108,7 +109,7 @@ class EtlPlugin(Plugin):
             yield from etl_records
 
     @export(record=DynamicDescriptor(["datetime"]))
-    def etl(self):
+    def etl(self) -> Iterator[DynamicDescriptor]:
         """Return the contents of the ETL files generated at last boot and last shutdown.
 
         An event trace log (.etl) file, also known as a trace log, stores the trace messages generated during one or
@@ -135,7 +136,7 @@ class EtlPlugin(Plugin):
             yield from getattr(self, etl_plugin)()
 
     @export(record=DynamicDescriptor(["datetime"]))
-    def shutdown(self):
+    def shutdown(self) -> Iterator[DynamicDescriptor]:
         """Return the contents of the ETL files created at last shutdown.
 
         The plugin reads the content from the ShutdownCKCL.etl file or the ShutdownPerfDiagLogger.etl file (depending
@@ -155,7 +156,7 @@ class EtlPlugin(Plugin):
         yield from self.read_etl_files(self.PATHS["shutdown"])
 
     @export(record=DynamicDescriptor(["datetime"]))
-    def boot(self):
+    def boot(self) -> Iterator[DynamicDescriptor]:
         """Return the contents of the ETL files created at last boot.
 
         The plugin reads the content from the BootCKCL.etl file or the BootPerfDiagLogger.etl file (depending

dissect/target/plugins/os/windows/log/evt.py

@@ -1,7 +1,9 @@
+from __future__ import annotations
+
 import fnmatch
 import re
 from pathlib import Path
-from typing import Any, BinaryIO, Generator, List, Optional
+from typing import Any, BinaryIO, Iterator
 
 from dissect.eventlog import evt
 from flow.record import Record
@@ -48,7 +50,7 @@ class WindowsEventlogsMixin:
     LOGS_DIR_PATH = None
 
     @plugin.internal
-    def get_logs(self, filename_glob="*") -> List[Path]:
+    def get_logs(self, filename_glob="*") -> list[Path]:
         file_paths = []
         file_paths.extend(self.get_logs_from_dir(self.LOGS_DIR_PATH, filename_glob=filename_glob))
 
@@ -66,7 +68,7 @@ class WindowsEventlogsMixin:
         return file_paths
 
     @plugin.internal
-    def get_logs_from_dir(self, logs_dir: str, filename_glob: str = "*") -> List[Path]:
+    def get_logs_from_dir(self, logs_dir: str, filename_glob: str = "*") -> list[Path]:
         file_paths = []
         logs_dir = self.target.fs.path(logs_dir)
         if logs_dir.exists():
@@ -76,7 +78,7 @@ class WindowsEventlogsMixin:
         return file_paths
 
     @plugin.internal
-    def get_logs_from_registry(self, filename_glob: str = "*") -> List[Path]:
+    def get_logs_from_registry(self, filename_glob: str = "*") -> list[Path]:
         # compile glob into case-insensitive regex
         filename_regex = re.compile(fnmatch.translate(filename_glob), re.IGNORECASE)
 
@@ -112,6 +114,8 @@ class WindowsEventlogsMixin:
 
 
 class EvtPlugin(WindowsEventlogsMixin, plugin.Plugin):
+    """Windows ``.evt`` event log plugin."""
+
     LOGS_DIR_PATH = "sysvol/windows/system32/config"
 
     NEEDLE = b"LfLe"
@@ -120,8 +124,8 @@ class EvtPlugin(WindowsEventlogsMixin, plugin.Plugin):
     @plugin.arg("--logs-dir", help="logs directory to scan")
     @plugin.arg("--log-file-glob", default=EVT_GLOB, help="glob pattern to match a log file name")
     @plugin.export(record=EvtRecordDescriptor)
-    def evt(self, log_file_glob: str = EVT_GLOB, logs_dir: Optional[str] = None) -> Generator[Record, None, None]:
-        """Parse Windows Eventlog files (*.evt).
+    def evt(self, log_file_glob: str = EVT_GLOB, logs_dir: str | None = None) -> Iterator[EvtRecordDescriptor]:
+        """Parse Windows Eventlog files (``*.evt``).
 
         Yields dynamically created records based on the fields in the event.
         At least contains the following fields:
@@ -174,7 +178,7 @@ class EvtPlugin(WindowsEventlogsMixin, plugin.Plugin):
         )
 
     @plugin.export(record=EvtRecordDescriptor)
-    def scraped_evt(self) -> Generator[Record, None, None]:
+    def scraped_evt(self) -> Iterator[EvtRecordDescriptor]:
         """Yields EVT log file records scraped from target disks"""
         yield from self.target.scrape.scrape_chunks_from_disks(
             needle=self.NEEDLE,
@@ -189,6 +193,6 @@ class EvtPlugin(WindowsEventlogsMixin, plugin.Plugin):
         fh.seek(offset - 4)
         return fh.read(chunk_size)
 
-    def _parse_chunk(self, _, chunk: bytes) -> Generator[Record, None, None]:
+    def _parse_chunk(self, _, chunk: bytes) -> Iterator[Record]:
         for record in evt.parse_chunk(chunk):
             yield self._build_record(record)