Add ntds cli tools and add all tools as pyproject entry points #34

Merged: Schamper merged 16 commits into fox-it:main from william-billaud:ese_tools, Feb 19, 2026

@william-billaud
Contributor

Add a CLI tool to dump all objects with a specific object class of an NTDS. This could mainly be used for testing.

E.g.

python3 -m dissect.database.ese.ntds.ntds -o User ./path/to/ntds.dit [--json]

Just a small point: it is a bit weird that the NTDS tool is in dissect.database.ese.ntds, and the others are in dissect.database.ese.tools. Maybe the ntds.py file should be moved to dissect.database.ese.tools (but that would require refactoring in some other project, and this is definitely not an important problem).

@william-billaud changed the title from "Fix issue #33" to "Add ntds cli tools", Feb 18, 2026
@Matthijsy
Contributor

Doesn't it make more sense to put the tool in dissect.database.ese.tools and leave the NTDS class itself at the current path? That means you don't have to refactor anything and from the tool just call the NTDS class?

@william-billaud
Contributor Author

It's another option, we will see what is preferred by the maintainers.
I agree, just putting the CLI tools in dissect.database.ese.tools.ntds is probably the more "user friendly" option and does not need any refactoring.

@Schamper
Member

I was thinking about the location too. Maybe dissect/database/ese/ntds/tools/inspect.py? That way we keep the tooling within the ntds namespace but out of the "library" part of it.

And you can add a console_script entry point too. Maybe dissect-ntds or ntds-inspect, or another name you suggest 😄.

@william-billaud
Contributor Author

I have added a console script + edited the readme for all scripts.
Feel free to move/rename if you prefer another name, I won't be offended ^^

william-billaud and others added 6 commits February 19, 2026 11:50
Co-authored-by: Erik Schamper <1254028+Schamper@users.noreply.github.com>
…se, help="output in JSON format") to all ese tools
@william-billaud
Contributor Author

I have also modified the ual/sru to support the '-j, --json output in JSON format'

E.g.

uv run dissect-sru -p 'application' -j srudb.dat | head -n 3
{"AutoIncId": 55, "TimeStamp": 4676351156559788988, "AppId": 19, "UserId": 65, "ForegroundCycleTime": 68229922, "BackgroundCycleTime": 0, "FaceTime": 157506984, "ForegroundContextSwitches": 166, "BackgroundContextSwitches": 0, "ForegroundBytesRead": 0, "ForegroundBytesWritten": 0, "ForegroundNumReadOperations": 0, "ForegroundNumWriteOperations": 0, "ForegroundNumberOfFlushes": 0, "BackgroundBytesRead": 0, "BackgroundBytesWritten": 0, "BackgroundNumReadOperations": 0, "BackgroundNumWriteOperations": 0, "BackgroundNumberOfFlushes": 0, "provider": "{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}"}
{"AutoIncId": 56, "TimeStamp": 4676351156559788988, "AppId": 19, "UserId": 66, "ForegroundCycleTime": 95656812, "BackgroundCycleTime": 0, "FaceTime": 12744437411, "ForegroundContextSwitches": 343, "BackgroundContextSwitches": 0, "ForegroundBytesRead": 0, "ForegroundBytesWritten": 0, "ForegroundNumReadOperations": 0, "ForegroundNumWriteOperations": 0, "ForegroundNumberOfFlushes": 0, "BackgroundBytesRead": 0, "BackgroundBytesWritten": 0, "BackgroundNumReadOperations": 0, "BackgroundNumWriteOperations": 0, "BackgroundNumberOfFlushes": 0, "provider": "{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}"}
{"AutoIncId": 57, "TimeStamp": 4676351156559788988, "AppId": 19, "UserId": 67, "ForegroundCycleTime": 229011358, "BackgroundCycleTime": 0, "FaceTime": 18743077832, "ForegroundContextSwitches": 804, "BackgroundContextSwitches": 0, "ForegroundBytesRead": 0, "ForegroundBytesWritten": 0, "ForegroundNumReadOperations": 0, "ForegroundNumWriteOperations": 0, "ForegroundNumberOfFlushes": 0, "BackgroundBytesRead": 0, "BackgroundBytesWritten": 0, "BackgroundNumReadOperations": 0, "BackgroundNumWriteOperations": 0, "BackgroundNumberOfFlushes": 0, "provider": "{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}"}
uv run dissect-ual -j current.mdb | head -n 3
{"RoleGuid": "ad495fc3-0eaa-413d-ba7d-8b13fa7ec598", "FirstSeen": "2021-07-23 10:30:54.934538+00:00", "LastSeen": "2021-11-22 15:56:27.094593+00:00"}
{"RoleGuid": "7fb09bd3-7fe6-435e-8348-7d8aefb6cea3", "FirstSeen": "2021-07-23 10:30:55.191715+00:00", "LastSeen": "2021-11-22 15:51:56.144556+00:00"}
{"RoleGuid": "10a9226f-50ee-49d8-a393-9a501d47ce04", "FirstSeen": "2021-07-23 10:33:33.182354+00:00", "LastSeen": "2021-11-12 16:23:58.337612+00:00"}

generator = parser.entries()
for e in generator:
if args.json:
record_as_dict = e.record.as_dict()
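Review bot: `generator = parser.entries()` is consumed only by the `for e in generator:` loop on the next line in the lines shown, so the temporary name adds nothing; iterating with `for e in parser.entries():` reads more directly. In the `if args.json:` branch, `e.record.as_dict()` reaches through the entry to its underlying record, which ties the CLI to the entry's internal layout; a dictionary method on the entry itself would keep that detail in one place.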
Member

Wouldn't you now miss the serialization that happens in Entry.__repr__? Maybe add an as_dict to the Entry class.

Contributor Author

@william-billaud Feb 19, 2026

I have added the as_dict method. Not sure I understand what you mean by 'Wouldn't you now miss the serialization that happens'.
If by "miss" you are speaking of the AppId/UserId resolution / ts conversion, this is not done in repr either, but I can add it (but maybe in another PR).

Member

Ah apologies, I thought serialise_record_column_values was from this file and did some value conversion (the AppId, UserId, ts stuff), but that's not the case.

> this is not done in repr either, but I can add it (but maybe in another PR).

Yes I only just now noticed this. That would be appreciated and can be a separate PR. Thanks!
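
The timestamp conversion discussed in this review thread can be done downstream of the `-j` output. The following is an added example, not code from this PR or from dissect: it assumes the raw `TimeStamp` integer is the bit pattern of an ESE DateTime column (an OLE Automation date stored as a 64-bit float, treated here as UTC), and the names `ole_from_int64` and `enrich` are hypothetical.

```python
import json
import struct
from datetime import datetime, timedelta, timezone

OLE_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)

# Constructed sample: two records shortened from the dissect-sru -j output
# quoted in this thread, plus one deliberately broken line.
SAMPLE = """\
{"AutoIncId": 55, "TimeStamp": 4676351156559788988, "AppId": 19, "UserId": 65}
{"AutoIncId": 56, "TimeStamp": 4676351156559788988, "AppId": 19, "UserId": 66}
{"AutoIncId": 57, "TimeStamp": "oops", "AppId": 19
"""


def ole_from_int64(raw: int) -> datetime:
    """Read a signed 64-bit integer as the bits of a double holding an OLE date.

    ASSUMPTION (not stated in the PR): the raw TimeStamp is an ESE DateTime
    column, i.e. fractional days since 1899-12-30 stored as an IEEE-754 double.
    """
    (days,) = struct.unpack("<d", struct.pack("<q", raw))
    return OLE_EPOCH + timedelta(days=days)


def enrich(lines):
    """Parse JSON lines, add a TimeStampUtc field, and count rejected lines."""
    records, rejected = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            when = ole_from_int64(rec["TimeStamp"])
        except (ValueError, KeyError, TypeError, OverflowError, struct.error):
            rejected += 1  # malformed JSON, missing field, or out-of-range value
            continue
        rec["TimeStampUtc"] = when.isoformat(timespec="seconds")
        records.append(rec)
    return records, rejected


if __name__ == "__main__":
    records, rejected = enrich(SAMPLE.splitlines())
    for rec in records:
        print(rec["AutoIncId"], rec["UserId"], rec["TimeStampUtc"])
    print("rejected lines:", rejected)
```

Counting rejected lines rather than silently dropping them keeps a truncated or partially written export visible during triage.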

william-billaud and others added 4 commits February 19, 2026 13:08
Co-authored-by: Erik Schamper <1254028+Schamper@users.noreply.github.com>
@william-billaud changed the title from "Add ntds cli tools" to "Add ntds cli tools and add all tools as pyproject entry points", Feb 19, 2026
@codecov

codecov bot commented Feb 19, 2026

Codecov Report

❌ Patch coverage is 0% with 36 lines in your changes missing coverage. Please review.
✅ Project coverage is 0.00%. Comparing base (658aa54) to head (d9be412).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| dissect/database/ese/ntds/tools/ntds.py | 0.00% | 19 Missing ⚠️ |
| dissect/database/ese/tools/sru.py | 0.00% | 12 Missing ⚠️ |
| dissect/database/ese/tools/ual.py | 0.00% | 5 Missing ⚠️ |

Additional details and impacted files
@@          Coverage Diff          @@
##            main     #34   +/-   ##
=====================================
  Coverage   0.00%   0.00%           
=====================================
  Files        150     151    +1     
  Lines       4125    4155   +30     
=====================================
- Misses      4125    4155   +30     

| Flag | Coverage Δ |
|---|---|
| unittests | 0.00% <0.00%> (ø) |


@Schamper merged commit 357f642 into fox-it:main, Feb 19, 2026
19 of 21 checks passed
@codspeed-hq

codspeed-hq bot commented Feb 19, 2026

Merging this PR will not alter performance

✅ 6 untouched benchmarks


Comparing william-billaud:ese_tools (d9be412) with main (658aa54)
