From 62b557a3233f7160af463e1e6326f39aef616e37 Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Mon, 4 Mar 2019 07:28:53 +0100
Subject: [PATCH] Renamed WindowsEnvironmentVariableAllUsersAppData and clean up #324

---
 data/antivirus.yaml | 35 ++++++++++++++++++++++++-----------
 data/tomcat.yaml | 15 ++++++++++-----
 data/windows.yaml | 4 +++-
 3 files changed, 37 insertions(+), 17 deletions(-)

diff --git a/data/antivirus.yaml b/data/antivirus.yaml
index eeb26707..6f9b8a7a 100644
--- a/data/antivirus.yaml
+++ b/data/antivirus.yaml
@@ -19,8 +19,10 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**'
-      - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**'
+      - '%%environ_allusersprofile%%\Application Data\Microsoft\Microsoft Antimalware\Quarantine\**'
+      - '%%environ_allusersprofile%%\Application Data\Microsoft\Windows Defender\Quarantine\**'
+      - '%%environ_programdata%%\Microsoft\Microsoft Antimalware\Quarantine\**'
+      - '%%environ_programdata%%\Microsoft\Windows Defender\Quarantine\**'
     separator: '\'
   supported_os: [Windows]
 ---
@@ -85,7 +87,9 @@ sources:
   supported_os: [Darwin]
 - type: FILE
   attributes:
-    paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*']
+    paths:
+      - '%%environ_allusersprofile%%\Application Data\Sophos\Sophos Anti-Virus\Logs\*'
+      - '%%environ_programdata%%\Sophos\Sophos Anti-Virus\Logs\*'
     separator: '\'
   supported_os: [Windows]
 supported_os: [Darwin, Windows]
@@ -98,7 +102,9 @@ sources:
   supported_os: [Darwin]
 - type: FILE
   attributes:
-    paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\INFECTED\*']
+    paths:
+      - '%%environ_allusersprofile%%\Application Data\Sophos\Sophos Anti-Virus\INFECTED\*'
+      - '%%environ_programdata%%\Sophos\Sophos Anti-Virus\INFECTED\*'
     separator: '\'
   supported_os: [Windows]
 supported_os: [Darwin, Windows]
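Review bot: The two `%%environ_allusersprofile%%\Application Data\…` entries and the two `%%environ_programdata%%\…` entries in the Defender hunk are the same quarantine directories spelled for different Windows generations, and nothing in the hunk says so, so a reader sees each path listed twice with no explanation. I would add a comment above `paths:` such as `# XP/2003 keep all-user data under %ALLUSERSPROFILE%\Application Data; Vista+ use %ProgramData%, where "Application Data" is only a junction back to ProgramData`. Because of that junction the first form can resolve to the same files as the second on Vista and later, so depending on whether the collector follows reparse points each quarantine file may be returned twice; worth confirming against the glob implementation rather than in this change. The same pairing repeats in the two Sophos hunks below.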
@@ -109,9 +115,12 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log'
-      - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\AV\*.log'
-      - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\Logs\AV\*.log'
+      - '%%environ_allusersprofile%%\Application Data\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log'
+      - '%%environ_allusersprofile%%\Application Data\Symantec\Symantec Endpoint Protection\*\Data\Logs\AV\*.log'
+      - '%%environ_allusersprofile%%\Application Data\Symantec Endpoint Protection\Logs\AV\*.log'
+      - '%%environ_programdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log'
+      - '%%environ_programdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\AV\*.log'
+      - '%%environ_programdata%%\Symantec\Symantec Endpoint Protection\Logs\AV\*.log'
       - '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log'
     separator: '\'
   supported_os: [Windows]
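Review bot: The third new `environ_allusersprofile` entry drops the `Symantec\` directory component that both its removed counterpart and the matching `environ_programdata` line carry, so it points at `…\Application Data\Symantec Endpoint Protection\Logs\AV\*.log` and will not match the SEP log directory on that layout. It should read `- '%%environ_allusersprofile%%\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV\*.log'`. A path that never matches raises no error here, it just yields an empty collection, which is why the six rewritten lines should be kept strictly parallel.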
@@ -123,10 +132,14 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5\*.vbn'
-      - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\Quarantine\**'
-      - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\**'
-      - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\**'
+      - '%%environ_allusersprofile%%\Application Data\Symantec\Symantec Endpoint Protection\**5\*.vbn'
+      - '%%environ_allusersprofile%%\Application Data\environ_programdata%%\Symantec\Symantec Endpoint Protection\Quarantine\**'
+      - '%%environ_allusersprofile%%\Application Data\environ_programdata%%\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\**'
+      - '%%environ_allusersprofile%%\Application Data\environ_programdata%%\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\**'
+      - '%%environ_programdata%%\Symantec\Symantec Endpoint Protection\**5\*.vbn'
+      - '%%environ_programdata%%\Symantec\Symantec Endpoint Protection\Quarantine\**'
+      - '%%environ_programdata%%\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\**'
+      - '%%environ_programdata%%\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\**'
     separator: '\'
   supported_os: [Windows]
 supported_os: [Windows]
diff --git a/data/tomcat.yaml b/data/tomcat.yaml
index 38b44e7b..9e612069 100644
--- a/data/tomcat.yaml
+++ b/data/tomcat.yaml
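Review bot: Three of the new `environ_allusersprofile` entries (the `Quarantine\**`, `*\Data\Quarantine\**` and `*\Data\CmnClnt\ccSubSDK\**` lines) carry a leftover `environ_programdata%%\` component right after `Application Data\`, which looks like two replacements merged into one line; as written they search for a literal directory named `environ_programdata%%` and will never match, so SEP quarantine and ccSubSDK content under the `%ALLUSERSPROFILE%\Application Data` layout is silently not collected. Drop that fragment so the three lines read `'%%environ_allusersprofile%%\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\**'`, `'%%environ_allusersprofile%%\Application Data\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\**'` and `'%%environ_allusersprofile%%\Application Data\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\**'`, parallel to the `environ_programdata` block beneath them. The first new line (`**5\*.vbn`) is correct and shows the intended form.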
@@ -16,10 +16,14 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
-      - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\access_log*'
-      - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
-      - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
+      - '%%environ_allusersprofile%%\Application Data\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+      - '%%environ_allusersprofile%%\Application Data\Apache Software Foundation\Tomcat*\logs\access_log*'
+      - '%%environ_allusersprofile%%\Application Data\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+      - '%%environ_allusersprofile%%\Application Data\Apache Software Foundation\Tomcat*\logs\catalina.out'
+      - '%%environ_programdata%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
+      - '%%environ_programdata%%\Apache Software Foundation\Tomcat*\logs\access_log*'
+      - '%%environ_programdata%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
+      - '%%environ_programdata%%\Apache Software Foundation\Tomcat*\logs\catalina.out'
       - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\access_log*'
       - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\access_log*'
       - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\logs\**\catalina.out'
@@ -78,7 +82,8 @@ sources:
 - type: FILE
   attributes:
     paths:
-      - '%%environ_allusersappdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
+      - '%%environ_allusersprofile%%\Application Data\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
+      - '%%environ_programdata%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
       - '%%environ_programfiles%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
       - '%%environ_programfilesx86%%\Apache Software Foundation\Tomcat*\conf\tomcat-users.xml'
     separator: '\'
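Review bot: The second hunk now collects `tomcat-users.xml` from four locations, but nothing in the source entry records that this file typically holds the manager and host-manager role credentials (in clear text unless a CredentialHandler is configured), which is the reason a forensic collector wants it and also the reason its output must be handled as a secret. I would add a comment above `paths:` such as `# Contains Tomcat user/role definitions, usually including clear-text passwords; treat collected copies as sensitive`. The artifact's `doc:` field is outside the hunk, so it may already say this; if it does, the inline comment is optional.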
diff --git a/data/windows.yaml b/data/windows.yaml
index 1bf4ce40..dc2615b2 100644
--- a/data/windows.yaml
+++ b/data/windows.yaml
@@ -1996,7 +1996,9 @@ doc: Windows Search database (Windows.edb).
 sources:
 - type: FILE
   attributes:
-    paths: ['%%environ_allusersappdata%%\Microsoft\Search\Data\Applications\Windows\Windows.edb']
+    paths:
+      - '%%environ_allusersprofile%%\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb'
+      - '%%environ_programdata%%\Microsoft\Search\Data\Applications\Windows\Windows.edb'
     separator: '\'
   supported_os: [Windows]
 urls: ['https://forensicswiki.xyz/wiki/index.php?title=Windows_Desktop_Search']