issue #1019 - for subkeys, return the modified time of the subkey itself, not its parent key

Dave Lassalle · Dave Lassalle · commit 95c468c4f8ae · 2023-10-12T10:16:56.000-05:00
diff --git a/volatility3/framework/plugins/windows/registry/printkey.py b/volatility3/framework/plugins/windows/registry/printkey.py
@@ -153,6 +153,9 @@ def _printkey_iterator(
                     vollog.debug(excp)
                     key_node_name = renderers.UnreadableValue()
 
+                # if the item is a subkey, use the LastWriteTime of that subkey
+                last_write_time = conversion.wintime_to_datetime(node.LastWriteTime.QuadPart)
+
                 yield (
                     depth,
                     (

Original file line number	Diff line number	Diff line change
`@@ -153,6 +153,9 @@ def _printkey_iterator(`
`153`	`153`	`vollog.debug(excp)`
`154`	`154`	`key_node_name = renderers.UnreadableValue()`
`155`	`155`
	`156`	`+ # if the item is a subkey, use the LastWriteTime of that subkey`
	`157`	`+ last_write_time = conversion.wintime_to_datetime(node.LastWriteTime.QuadPart)`
	`158`	`+`
`156`	`159`	`yield (`
`157`	`160`	`depth,`
`158`	`161`	`(`