tasks plugin and rdump --multi-timestamp

[l3fdb33f]

Hi, I'm currently not able to use the --multi-timestamp argument with the output of target-query the tasks plugin:

target-query -f tasks SysInternalsCase.E01 | rdump --multi-timestamp
[reading from stdin]
2023-12-08T20:08:25.193255Z [warning  ] <Target SysInternalsCase.E01>: Can't identify volume system or no volumes found, adding as raw volume instead: <EwfContainer size=42947575808 vs=None> [dissect.target.target]
Traceback (most recent call last):
  File "/home/duarte/.local/bin/rdump", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/utils.py", line 57, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/tools/rdump.py", line 229, in main
    for record in iter_timestamped_records(rec):
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 1032, in iter_timestamped_records
    record = extend_record(ts_record, [record], name=record_name)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 971, in extend_record
    return ExtendedRecord.init_from_dict(collections.ChainMap(*kv_maps))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 546, in init_from_dict
    return self.recordType(**rdict)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "<string>", line 101, in __init__
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 154, in __setattr__
    v = field_type(v)
        ^^^^^^^^^^^^^
ValueError: invalid literal for int() with base 10: 'true'

I think this has something to do with the TasksRecords and not GroupRecords. I have used target-dump with tasks and this error only appears with filesystem_windows_task.jsonl, not in filesystem_windows_task_grouped.jsonl:

rdump --multi-timestamp MSEDGEWIN10/tasks/filesystem_windows_task.jsonl
Traceback (most recent call last):
  File "/home/duarte/.local/bin/rdump", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/utils.py", line 57, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/tools/rdump.py", line 229, in main
    for record in iter_timestamped_records(rec):
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 1032, in iter_timestamped_records
    record = extend_record(ts_record, [record], name=record_name)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 971, in extend_record
    return ExtendedRecord.init_from_dict(collections.ChainMap(*kv_maps))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 546, in init_from_dict
    return self.recordType(**rdict)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "<string>", line 101, in __init__
  File "/home/duarte/.local/pipx/venvs/dissect/lib/python3.11/site-packages/flow/record/base.py", line 154, in __setattr__
    v = field_type(v)
        ^^^^^^^^^^^^^
ValueError: invalid literal for int() with base 10: 'true'

[yunzheng]

I've been able to trace back the issue to https://github.com/fox-it/dissect.target/blob/688dcb965084f268ef4515c0c7b76f0908714ed3/dissect/target/plugins/os/windows/tasks.py#L45 where allow_start_on_demand is declared twice. Once as boolean, and once as string.

[l3fdb33f]

Awesome, thank you so much!