dissect.target 3.20.dev36__py3-none-any.whl → 3.20.dev39__py3-none-any.whl

dissect/target/plugins/os/windows/generic.py

@@ -1,5 +1,7 @@
+from __future__ import annotations
+
 from datetime import datetime
-from typing import Optional
+from typing import Iterator
 
 from dissect.util.ts import from_unix
 
@@ -123,12 +125,12 @@ class GenericPlugin(Plugin):
             raise UnsupportedPluginError("Unsupported Plugin")
 
     @export(property=True)
-    def ntversion(self):
+    def ntversion(self) -> str | None:
         """Return the Windows NT version."""
         return self.target._os._nt_version()
 
     @export(output="yield")
-    def pathenvironment(self):
+    def pathenvironment(self) -> Iterator[str]:
         """Return the content of the Windows PATH environment variable.
 
         PATH is an environment variable on an operating system that specifies a set of directories where executable
@@ -142,7 +144,7 @@ class GenericPlugin(Plugin):
             yield r.value("Path").value
 
     @export(property=True)
-    def domain(self):
+    def domain(self) -> str | None:
         """Return the domain name.
 
         Corporate Windows systems are usually connected to a domain (active directory).
@@ -167,7 +169,7 @@ class GenericPlugin(Plugin):
                 continue
 
     @export(property=True)
-    def activity(self) -> Optional[datetime]:
+    def activity(self) -> datetime | None:
         """Return last seen activity based on filesystem timestamps."""
         last_seen = 0
 
@@ -193,7 +195,7 @@ class GenericPlugin(Plugin):
         return from_unix(last_seen)
 
     @export(property=True)
-    def install_date(self) -> Optional[datetime]:
+    def install_date(self) -> datetime | None:
         """Returns the install date of the system.
 
         The value of the registry key is stored as a Unix epoch timestamp.
@@ -211,7 +213,7 @@ class GenericPlugin(Plugin):
             return
 
     @export(record=AppInitRecord)
-    def appinit(self):
+    def appinit(self) -> Iterator[AppInitRecord]:
         """Return all available Application Initial (AppInit) DLLs registry key values.
 
         AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on
@@ -258,7 +260,7 @@ class GenericPlugin(Plugin):
                     continue
 
     @export(record=KnownDllRecord)
-    def knowndlls(self):
+    def knowndlls(self) -> Iterator[KnownDllRecord]:
         """Return all available KnownDLLs registry key values.
 
         The KnownDLLs registry key values are used to cache frequently used system DLLs. Initially, it was added to
@@ -287,7 +289,7 @@ class GenericPlugin(Plugin):
             pass
 
     @export(record=SessionManagerRecord)
-    def sessionmanager(self):
+    def sessionmanager(self) -> Iterator[SessionManagerRecord]:
         """Return interesting Session Manager (Smss.exe) registry key entries.
 
         Session Manager (Smss.exe) is the first user-mode process started by the kernel and performs several tasks,
@@ -339,7 +341,7 @@ class GenericPlugin(Plugin):
                     )
 
     @export(record=NullSessionPipeRecord)
-    def nullsessionpipes(self):
+    def nullsessionpipes(self) -> Iterator[NullSessionPipeRecord]:
         """Return the NullSessionPipes registry key value.
 
         The NullSessionPipes registry key value specifies server pipes and shared folders that are excluded from the
@@ -367,7 +369,7 @@ class GenericPlugin(Plugin):
                 continue
 
     @export(record=NdisRecord)
-    def ndis(self):
+    def ndis(self) -> Iterator[NdisRecord]:
         """Return network registry key entries."""
         key = "HKLM\\System\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"
         for r in self.target.registry.keys(key):
@@ -401,7 +403,7 @@ class GenericPlugin(Plugin):
                     )
 
     @export(record=CommandProcAutoRunRecord)
-    def commandprocautorun(self):
+    def commandprocautorun(self) -> Iterator[CommandProcAutoRunRecord]:
         """Return all available Command Processor (cmd.exe) AutoRun registry key values.
 
         The Command Processor AutoRun registry key values contain commands that are run each time the Command Processor
@@ -435,7 +437,7 @@ class GenericPlugin(Plugin):
                     continue
 
     @export(record=AlternateShellRecord)
-    def alternateshell(self):
+    def alternateshell(self) -> Iterator[AlternateShellRecord]:
         """Return the AlternateShell registry key value.
 
         The AlternateShell registry key, HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Safeboot, specifies the
@@ -459,7 +461,7 @@ class GenericPlugin(Plugin):
             )
 
     @export(record=BootShellRecord)
-    def bootshell(self):
+    def bootshell(self) -> Iterator[BootShellRecord]:
         """Return the BootShell registry key entry.
 
         Usually contains a path to bootim.exe which is Windows's recovery menu.
@@ -483,7 +485,7 @@ class GenericPlugin(Plugin):
             )
 
     @export(record=FileRenameOperationRecord)
-    def filerenameop(self):
+    def filerenameop(self) -> Iterator[FileRenameOperationRecord]:
         """Return all pending file rename operations.
 
         The PendingFileRenameOperations registry key value contains information about files that will be renamed on
@@ -513,7 +515,7 @@ class GenericPlugin(Plugin):
                 )
 
     @export(record=WinRarRecord)
-    def winrar(self):
+    def winrar(self) -> Iterator[WinRarRecord]:
         """Return all available WinRAR history registry key values."""
         keys = [
             "HKEY_CURRENT_USER\\Software\\WinRAR\\ArcHistory",
@@ -534,7 +536,7 @@ class GenericPlugin(Plugin):
                     )
 
     @export(record=WinSockNamespaceProviderRecord)
-    def winsocknamespaceprovider(self):
+    def winsocknamespaceprovider(self) -> Iterator[WinSockNamespaceProviderRecord]:
         """Return available protocols stored in the Winsock catalog database.
 
         References:
@@ -562,7 +564,7 @@ class GenericPlugin(Plugin):
                     )
 
     @export(property=True)
-    def codepage(self) -> Optional[str]:
+    def codepage(self) -> str | None:
         """Returns the current active codepage on the system."""
 
         key = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage"

dissect/target/plugins/os/windows/lnk.py

@@ -118,6 +118,8 @@ def parse_lnk_file(target: Target, lnk_file: Lnk, lnk_path: TargetPath) -> Itera
 
 
 class LnkPlugin(Plugin):
+    """Windows lnk plugin."""
+
     def __init__(self, target: Target) -> None:
         super().__init__(target)
         self.folders = ["programdata", "users", "windows"]

dissect/target/plugins/os/windows/locale.py

@@ -1,3 +1,7 @@
+from __future__ import annotations
+
+from typing import Iterator
+
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.localeutil import normalize_language, normalize_timezone
 from dissect.target.helpers.record import TargetRecordDescriptor
@@ -13,6 +17,8 @@ WindowsKeyboardRecord = TargetRecordDescriptor(
 
 
 class LocalePlugin(Plugin):
+    """Windows locale plugin."""
+
     def __init__(self, target):
         super().__init__(target)
         self.LANG_DICT = {
@@ -26,7 +32,7 @@ class LocalePlugin(Plugin):
             raise UnsupportedPluginError("Unsupported Plugin")
 
     @export(record=WindowsKeyboardRecord)
-    def keyboard(self):
+    def keyboard(self) -> Iterator[WindowsKeyboardRecord]:
         """Yield records of installed keyboards on the system."""
         found_keyboards = []
         for key in self.target.registry.keys("HKCU\\Keyboard Layout\\Preload"):
@@ -41,7 +47,7 @@ class LocalePlugin(Plugin):
                     )
 
     @export(property=True)
-    def language(self):
+    def language(self) -> str | None:
         """Get a list of installed languages on the system."""
         # HKCU\\Control Panel\\International\\User Profile" Languages
         found_languages = []
@@ -53,6 +59,6 @@ class LocalePlugin(Plugin):
         return found_languages
 
     @export(property=True)
-    def timezone(self):
+    def timezone(self) -> str | None:
         """Get the configured timezone of the system in IANA TZ standard format."""
         return normalize_timezone(self.target.datetime.tzinfo.name)

dissect/target/plugins/os/windows/log/etl.py

@@ -1,5 +1,6 @@
 from functools import lru_cache
 from pathlib import Path
+from typing import Iterator
 
 from dissect.etl.etl import ETL, Event
 
@@ -65,7 +66,7 @@ class EtlRecordBuilder:
 
 
 class EtlPlugin(Plugin):
-    """Plugin for fetching and parsing Windows ETL Files (*.etl)"""
+    """Plugin for parsing Windows ETL Files (``*.etl``)."""
 
     __namespace__ = "etl"
 
@@ -108,7 +109,7 @@ class EtlPlugin(Plugin):
             yield from etl_records
 
     @export(record=DynamicDescriptor(["datetime"]))
-    def etl(self):
+    def etl(self) -> Iterator[DynamicDescriptor]:
         """Return the contents of the ETL files generated at last boot and last shutdown.
 
         An event trace log (.etl) file, also known as a trace log, stores the trace messages generated during one or
@@ -135,7 +136,7 @@ class EtlPlugin(Plugin):
             yield from getattr(self, etl_plugin)()
 
     @export(record=DynamicDescriptor(["datetime"]))
-    def shutdown(self):
+    def shutdown(self) -> Iterator[DynamicDescriptor]:
         """Return the contents of the ETL files created at last shutdown.
 
         The plugin reads the content from the ShutdownCKCL.etl file or the ShutdownPerfDiagLogger.etl file (depending
@@ -155,7 +156,7 @@ class EtlPlugin(Plugin):
         yield from self.read_etl_files(self.PATHS["shutdown"])
 
     @export(record=DynamicDescriptor(["datetime"]))
-    def boot(self):
+    def boot(self) -> Iterator[DynamicDescriptor]:
         """Return the contents of the ETL files created at last boot.
 
         The plugin reads the content from the BootCKCL.etl file or the BootPerfDiagLogger.etl file (depending

dissect/target/plugins/os/windows/log/evt.py

@@ -1,7 +1,9 @@
+from __future__ import annotations
+
 import fnmatch
 import re
 from pathlib import Path
-from typing import Any, BinaryIO, Generator, List, Optional
+from typing import Any, BinaryIO, Iterator
 
 from dissect.eventlog import evt
 from flow.record import Record
@@ -48,7 +50,7 @@ class WindowsEventlogsMixin:
     LOGS_DIR_PATH = None
 
     @plugin.internal
-    def get_logs(self, filename_glob="*") -> List[Path]:
+    def get_logs(self, filename_glob="*") -> list[Path]:
         file_paths = []
         file_paths.extend(self.get_logs_from_dir(self.LOGS_DIR_PATH, filename_glob=filename_glob))
 
@@ -66,7 +68,7 @@ class WindowsEventlogsMixin:
         return file_paths
 
     @plugin.internal
-    def get_logs_from_dir(self, logs_dir: str, filename_glob: str = "*") -> List[Path]:
+    def get_logs_from_dir(self, logs_dir: str, filename_glob: str = "*") -> list[Path]:
         file_paths = []
         logs_dir = self.target.fs.path(logs_dir)
         if logs_dir.exists():
@@ -76,7 +78,7 @@ class WindowsEventlogsMixin:
         return file_paths
 
     @plugin.internal
-    def get_logs_from_registry(self, filename_glob: str = "*") -> List[Path]:
+    def get_logs_from_registry(self, filename_glob: str = "*") -> list[Path]:
         # compile glob into case-insensitive regex
         filename_regex = re.compile(fnmatch.translate(filename_glob), re.IGNORECASE)
 
@@ -112,6 +114,8 @@ class WindowsEventlogsMixin:
 
 
 class EvtPlugin(WindowsEventlogsMixin, plugin.Plugin):
+    """Windows ``.evt`` event log plugin."""
+
     LOGS_DIR_PATH = "sysvol/windows/system32/config"
 
     NEEDLE = b"LfLe"
@@ -120,8 +124,8 @@ class EvtPlugin(WindowsEventlogsMixin, plugin.Plugin):
     @plugin.arg("--logs-dir", help="logs directory to scan")
     @plugin.arg("--log-file-glob", default=EVT_GLOB, help="glob pattern to match a log file name")
     @plugin.export(record=EvtRecordDescriptor)
-    def evt(self, log_file_glob: str = EVT_GLOB, logs_dir: Optional[str] = None) -> Generator[Record, None, None]:
-        """Parse Windows Eventlog files (*.evt).
+    def evt(self, log_file_glob: str = EVT_GLOB, logs_dir: str | None = None) -> Iterator[EvtRecordDescriptor]:
+        """Parse Windows Eventlog files (``*.evt``).
 
         Yields dynamically created records based on the fields in the event.
         At least contains the following fields:
@@ -174,7 +178,7 @@ class EvtPlugin(WindowsEventlogsMixin, plugin.Plugin):
         )
 
     @plugin.export(record=EvtRecordDescriptor)
-    def scraped_evt(self) -> Generator[Record, None, None]:
+    def scraped_evt(self) -> Iterator[EvtRecordDescriptor]:
         """Yields EVT log file records scraped from target disks"""
         yield from self.target.scrape.scrape_chunks_from_disks(
             needle=self.NEEDLE,
@@ -189,6 +193,6 @@ class EvtPlugin(WindowsEventlogsMixin, plugin.Plugin):
         fh.seek(offset - 4)
         return fh.read(chunk_size)
 
-    def _parse_chunk(self, _, chunk: bytes) -> Generator[Record, None, None]:
+    def _parse_chunk(self, _, chunk: bytes) -> Iterator[Record]:
         for record in evt.parse_chunk(chunk):
             yield self._build_record(record)

dissect/target/plugins/os/windows/log/evtx.py

@@ -1,7 +1,9 @@
+from __future__ import annotations
+
 import datetime
 import re
 from functools import lru_cache
-from typing import Any, Generator, Optional
+from typing import Any, Iterator
 
 from dissect.eventlog import evtx
 from dissect.eventlog.exceptions import MalformedElfChnkException
@@ -19,7 +21,7 @@ EVTX_GLOB = "*.evtx"
 
 
 class EvtxPlugin(WindowsEventlogsMixin, plugin.Plugin):
-    """Plugin for fetching and parsing Windows Eventlog Files (*.evtx)"""
+    """Plugin for fetching and parsing Windows Eventlog Files (``*.evtx``)."""
 
     RECORD_NAME = "filesystem/windows/evtx"
     LOGS_DIR_PATH = "sysvol/windows/system32/winevt/logs"
@@ -34,11 +36,11 @@ class EvtxPlugin(WindowsEventlogsMixin, plugin.Plugin):
     @plugin.arg("--logs-dir", help="logs directory to scan")
     @plugin.arg("--log-file-glob", default=EVTX_GLOB, help="glob pattern to match a log file name")
     @plugin.export(record=DynamicDescriptor(["datetime"]))
-    def evtx(self, log_file_glob: str = EVTX_GLOB, logs_dir: Optional[str] = None) -> Generator[Record, None, None]:
-        """Return entries from Windows Event log files (*.evtx).
+    def evtx(self, log_file_glob: str = EVTX_GLOB, logs_dir: str | None = None) -> Iterator[DynamicDescriptor]:
+        """Return entries from Windows Event log files (``*.evtx``).
 
         Windows Event log is a detailed record of system, security and application notifications. It can be used to
-        diagnose a system or find future issues. Up until Windows XP the extension .evt was used, hereafter .evtx
+        diagnose a system or find future issues. Up until Windows XP the extension .evt was used, hereafter ``.evtx``
         became the new standard.
 
         References:
@@ -77,7 +79,7 @@ class EvtxPlugin(WindowsEventlogsMixin, plugin.Plugin):
                 yield self._build_record(event)
 
     @plugin.export(record=DynamicDescriptor(["datetime"]))
-    def scraped_evtx(self) -> Generator[Record, None, None]:
+    def scraped_evtx(self) -> Iterator[DynamicDescriptor]:
         """Return EVTX log file records scraped from target disks"""
         yield from self.target.scrape.scrape_chunks_from_disks(
             needle=self.NEEDLE,
@@ -85,7 +87,7 @@ class EvtxPlugin(WindowsEventlogsMixin, plugin.Plugin):
             chunk_parser=self._parse_chunk,
         )
 
-    def _parse_chunk(self, _, chunk: bytes) -> Generator[Any, None, None]:
+    def _parse_chunk(self, _, chunk: bytes) -> Iterator[Record]:
         chnk = evtx.ElfChnk(chunk)
         try:
             for event in chnk.read():

dissect/target/plugins/os/windows/log/pfro.py

@@ -1,5 +1,6 @@
 import datetime
 import re
+from typing import Iterator
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
@@ -29,7 +30,7 @@ class PfroPlugin(Plugin):
             raise UnsupportedPluginError("No PFRO log found")
 
     @export(record=PfroRecord)
-    def pfro(self):
+    def pfro(self) -> Iterator[PfroRecord]:
         """Return the content of sysvol/Windows/PFRO.log
 
         A Pending File Rename Operation log file (PFRO.log) holds information about the process of deleting or renaming

dissect/target/plugins/os/windows/network.py

@@ -223,6 +223,8 @@ def _try_value(subkey: RegistryKey, value: str) -> str | list | None:
 
 
 class WindowsNetworkPlugin(NetworkPlugin):
+    """Windows network interface plugin."""
+
     def _interfaces(self) -> Iterator[WindowsInterfaceRecord]:
         # Get all the network interfaces
         for keys in self.target.registry.keys(

dissect/target/plugins/os/windows/notifications.py

@@ -1,5 +1,7 @@
+from __future__ import annotations
+
 import datetime
-from typing import Iterator, Optional
+from typing import Iterator
 from uuid import UUID
 
 from dissect.cstruct import cstruct
@@ -253,7 +255,7 @@ class NotificationsPlugin(Plugin):
         chunk: c_appdb.Chunk,
         chunk_num: int,
         user: WindowsUserRecord,
-    ) -> Optional[AppDBPushRecord]:
+    ) -> AppDBPushRecord | None:
         badge_record = None
         push_uri = chunk.Push.Uri.split(b"\x00")[0]
         push_uri = push_uri.decode("utf-8", errors="surrogateescape")
@@ -282,7 +284,7 @@ class NotificationsPlugin(Plugin):
         chunk: c_appdb.Chunk,
         chunk_num: int,
         user: WindowsUserRecord,
-    ) -> Optional[AppDBBadgeRecord]:
+    ) -> AppDBBadgeRecord | None:
         badge_record = None
         badge_id = chunk.Badge.Id
 
@@ -432,7 +434,7 @@ class NotificationsPlugin(Plugin):
                         yield toast_record
 
     @export(record=[WpnDatabaseNotificationRecord, WpnDatabaseNotificationHandlerRecord])
-    def wpndatabase(self):
+    def wpndatabase(self) -> Iterator[WpnDatabaseNotificationRecord | WpnDatabaseNotificationHandlerRecord]:
         """Returns Windows Notifications from wpndatabase.db (post Windows 10 Anniversary).
 
         References:

dissect/target/plugins/os/windows/prefetch.py

@@ -1,4 +1,7 @@
+from __future__ import annotations
+
 from io import BytesIO
+from typing import Iterator
 
 from dissect.cstruct import cstruct
 from dissect.util import lzxpress_huffman
@@ -237,6 +240,8 @@ class Prefetch:
 
 
 class PrefetchPlugin(Plugin):
+    """Windows prefetch plugin."""
+
     def __init__(self, target):
         super().__init__(target)
         self.prefetchdir = self.target.fs.path("sysvol/windows/prefetch")
@@ -247,7 +252,7 @@ class PrefetchPlugin(Plugin):
 
     @export(record=[PrefetchRecord, GroupedPrefetchRecord])
     @arg("--grouped", action="store_true", help="Group the prefetch record")
-    def prefetch(self, grouped=False):
+    def prefetch(self, grouped=False) -> Iterator[PrefetchRecord | GroupedPrefetchRecord]:
         """Return the content of all prefetch files.
 
         Prefetch is a memory management feature in Windows. It contains information (for example run count and
@@ -268,7 +273,7 @@ class PrefetchPlugin(Plugin):
             linkedfile (path): The linked file entry.
             runcount (int): The run count.
 
-        with --grouped:
+        with ``--grouped``:
 
         Yields PrefetchRecords with fields:
 

dissect/target/plugins/os/windows/regf/7zip.py

@@ -1,3 +1,7 @@
+from __future__ import annotations
+
+from typing import Iterator
+
 from dissect.target.exceptions import RegistryError, UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugin import Plugin, export
@@ -48,6 +52,8 @@ FolderHistoryRecord = TargetRecordDescriptor(
 
 
 class SevenZipPlugin(Plugin):
+    """Windows 7-Zip GUI plugin."""
+
     KEY = "HKCU\\Software\\7-Zip"
 
     def check_compatible(self) -> None:
@@ -71,7 +77,9 @@ class SevenZipPlugin(Plugin):
             pass
 
     @export(record=[PanelPathRecord, ArcHistoryRecord, PathHistoryRecord, CopyHistoryRecord, FolderHistoryRecord])
-    def sevenzip(self):
+    def sevenzip(
+        self,
+    ) -> Iterator[PanelPathRecord | ArcHistoryRecord | PathHistoryRecord | CopyHistoryRecord | FolderHistoryRecord]:
         """Return 7-Zip history information from the registry.
 
         7-Zip is an open source file archiver. If the HKCU\\Software\\7-Zip registry key exists, it checks for

dissect/target/plugins/os/windows/regf/auditpol.py

@@ -1,4 +1,5 @@
 import io
+from typing import Iterator
 
 from dissect.cstruct import cstruct
 
@@ -138,7 +139,7 @@ class AuditpolPlugin(Plugin):
             raise UnsupportedPluginError(f"Registry key {self.KEY} not found")
 
     @export(record=AuditPolicyRecord)
-    def auditpol(self):
+    def auditpol(self) -> Iterator[AuditPolicyRecord]:
         """Return audit policy settings from the registry.
 
         For Windows, the audit policy settings are stored in the HKEY_LOCAL_MACHINE\\Security\\Policy\\PolAdtEv registry

dissect/target/plugins/os/windows/regf/bam.py

@@ -1,3 +1,5 @@
+from typing import Iterator
+
 from dissect.cstruct import cstruct
 from dissect.util.ts import wintimestamp
 
@@ -36,7 +38,7 @@ class BamDamPlugin(Plugin):
             raise UnsupportedPluginError("No bam or dam registry keys not found")
 
     @export(record=BamDamRecord)
-    def bam(self):
+    def bam(self) -> Iterator[BamDamRecord]:
         """Parse bam and dam registry keys.
 
         Yields BamDamRecords with fields:

dissect/target/plugins/os/windows/regf/cit.py

@@ -1,12 +1,10 @@
-# Resources:
-# - generaltel.dll
-# - win32k.sys (Windows 7)
-# - win32kbase.sys (Windows 10)
+from __future__ import annotations
 
 import datetime
 import struct
 from binascii import crc32
 from io import BytesIO
+from typing import Iterator, Union, get_args
 
 from dissect.cstruct import cstruct
 from dissect.util.compression import lznt1
@@ -20,6 +18,10 @@ from dissect.target.helpers.record import (
 )
 from dissect.target.plugin import Plugin, export
 
+# Resources:
+# - generaltel.dll
+# - win32k.sys (Windows 7)
+# - win32kbase.sys (Windows 10)
 cit_def = """
 typedef QWORD FILETIME;
 
@@ -353,7 +355,7 @@ CITProgramBitmapForegroundRecord = TargetRecordDescriptor(
 )
 
 
-CIT_RECORDS = [
+CITRecords = Union[
     CITSystemRecord,
     CITSystemBitmapDisplayPowerRecord,
     CITSystemBitmapDisplayRequestChangeRecord,
@@ -602,7 +604,7 @@ class ProgramDataBitmaps(BaseUseDataBitmaps):
         self.foreground = self._parse_bitmap(0)
 
 
-def decode_name(name):
+def decode_name(name: str) -> bytes:
     """Decode the registry key name.
 
     The CIT key name in the registry has some strange encoding.
@@ -642,8 +644,8 @@ class CITPlugin(Plugin):
         if not len(list(self.target.registry.keys(self.KEY))) > 0:
             raise UnsupportedPluginError("No CIT registry key found")
 
-    @export(record=CIT_RECORDS)
-    def cit(self):
+    @export(record=get_args(CITRecords))
+    def cit(self) -> Iterator[CITRecords]:
         """Return CIT data from the registry for executed executable information.
 
         CIT data is stored at HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT\\System.
@@ -772,7 +774,7 @@ class CITPlugin(Plugin):
                     self.target.log.exception("Failed to parse CIT value: %s", value.name)
 
     @export(record=CITPostUpdateUseInfoRecord)
-    def puu(self):
+    def puu(self) -> Iterator[CITPostUpdateUseInfoRecord]:
         """Parse CIT PUU (Post Update Usage) data from the registry.
 
         Generally only available since Windows 10.
@@ -823,7 +825,7 @@ class CITPlugin(Plugin):
                 )
 
     @export(record=[CITDPRecord, CITDPDurationRecord])
-    def dp(self):
+    def dp(self) -> Iterator[CITDPRecord | CITDPDurationRecord]:
         """Parse CIT DP data from the registry.
 
         Generally only available since Windows 10.
@@ -878,7 +880,7 @@ class CITPlugin(Plugin):
                         )
 
     @export(record=CITTelemetryRecord)
-    def telemetry(self):
+    def telemetry(self) -> Iterator[CITTelemetryRecord]:
         """Parse CIT process telemetry answers from the registry.
 
         In some versions of Windows, processes would get "telemetry answers" set on their process struct, based on
@@ -899,7 +901,7 @@ class CITPlugin(Plugin):
                     )
 
     @export(record=CITModuleRecord)
-    def modules(self):
+    def modules(self) -> Iterator[CITModuleRecord]:
         """Parse CIT tracked module information from the registry.
 
         Contains applications that loaded a tracked module. By default these are:

dissect/target/plugins/os/windows/regf/clsid.py

@@ -1,9 +1,12 @@
+from typing import Iterator
+
 from dissect.target.exceptions import RegistryError, UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import (
     RegistryRecordDescriptorExtension,
     UserRecordDescriptorExtension,
 )
 from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.helpers.regutil import RegistryKey
 from dissect.target.plugin import Plugin, export
 
 CLSIDRecordDescriptor = create_extended_descriptor(
@@ -50,7 +53,7 @@ class CLSIDPlugin(Plugin):
         if not len(list(self.target.registry.keys(list(self.KEYS.values())))) > 0:
             raise UnsupportedPluginError("No CLSID key found")
 
-    def create_records(self, keys):
+    def create_records(self, keys: list[RegistryKey]) -> Iterator[CLSIDRecord]:
         """Iterate all CLSID keys from HKEY_CURRENT_USER\\Software\\Classes\\CLSID and
         HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID.
 
@@ -98,11 +101,11 @@ class CLSIDPlugin(Plugin):
                         )
 
     @export(record=CLSIDRecord)
-    def user(self):
+    def user(self) -> Iterator[CLSIDRecord]:
         """Return only the user CLSID registry keys."""
         yield from self.create_records(self.KEYS["user"])
 
     @export(record=CLSIDRecord)
-    def machine(self):
+    def machine(self) -> Iterator[CLSIDRecord]:
         """Return only the machine CLSID registry keys."""
         yield from self.create_records(self.KEYS["machine"])

dissect/target/plugins/os/windows/regf/firewall.py

@@ -1,4 +1,5 @@
 import re
+from typing import Iterator
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import DynamicDescriptor, TargetRecordDescriptor
@@ -19,7 +20,7 @@ class FirewallPlugin(Plugin):
             raise UnsupportedPluginError(f"Registry key {self.KEY} not found")
 
     @export(record=DynamicDescriptor(["uri"]))
-    def firewall(self):
+    def firewall(self) -> Iterator[DynamicDescriptor]:
         """Return firewall rules saved in the registry.
 
         For a Windows operating system, the Firewall rules are stored in the