log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Windows shim databases produce spurious UTMP events #4839

Open Spferical opened 6 months ago

Spferical commented 6 months ago

Describe the problem:

Plaso parses Windows sdb shim database files as utmp files. This false positive produces false linux:utmp:event events that look like e.g. User: EXE.AVAJÜ� Hostname: � Terminal: sdbf�x‚� PID: 0 Terminal identifier: 108 Status: NEW_TIME IP Address: 0338:0b60:0198:0000:0000:0378:0e00:0000 Exit status: 0

To Reproduce:

Plaso main branch, commit ed8a139982ad06bbff44eb8b80796a5af5f542ba

psteal --status-view linear -d -o dynamic -w out --source frxmain.sdb && cat out
<snip>
datetime,timestamp_desc,source,source_long,message,parser,display_name,tag
1970-01-01T00:31:36.601474+00:00,Content Modification Time,LOG,UTMP session,User: EXE.AVAJÜ Hostname: Terminal: sdbfx‚ PID: 0 Terminal identifier: 108 Status: NEW_TIME IP Address: 0338:0b60:0198:0000:0000:0378:0e00:0000 Exit status: 0,utmp,OS:<snip>/frxmain.sdb,-

Data source: WindowsApplicationCompatibilityInstalledShimDatabases ForensicArtifacts artifact from Windows Server 2019 Standard. All 5 %%environ_windir%%\AppPatch\*.sdb produce similar results.

The method you used to install Plaso: pip install . in a Python 3.11.4 virtualenv.

Expected behavior:

No false positive events.

joachimmetz commented 6 months ago

Thanks for flagging, unfortunately this is a side effect of certain formats not having many unique signatures. Similar issue: https://github.com/log2timeline/plaso/issues/3655
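As an added illustration of the signature problem described above (example code written for this page, not plaso's utmp parser or its validation logic): a utmp record has no magic bytes, so the only defence against feeding it a foreign file is to check a format that does have a signature first, and then apply plausibility rules to the decoded fields. The example assumes glibc's 384-byte struct utmp layout and the shim-database header layout (uint32 major version, uint32 minor version, then the ASCII magic "sdbf" at offset 8, which is exactly what shows up as the "Terminal" field in the report); the plausibility thresholds, the version bound, and the sample bytes are this example's own constructions.

```python
"""Tell a Windows shim database (.sdb) apart from a Linux utmp record.

Added example for this issue, not plaso code. The two on-disk layouts are
real (SDB: uint32 major, uint32 minor, 'sdbf' at offset 8; utmp: glibc's
384-byte struct utmp). The rules in looks_like_utmp_record() and the
version bound in is_sdb() are heuristics chosen for this example.
"""
import struct

# glibc/x86-64 struct utmp, little-endian:
# ut_type(int16) pad ut_pid(int32) ut_line[32] ut_id[4] ut_user[32]
# ut_host[256] e_termination(int16) e_exit(int16) ut_session(int32)
# tv_sec(int32) tv_usec(int32) ut_addr_v6[4](int32) __unused[20]
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
UTMP_RECORD_SIZE = UTMP_STRUCT.size  # 384

UT_TYPE_NAMES = ["EMPTY", "RUN_LVL", "BOOT_TIME", "NEW_TIME", "OLD_TIME",
                 "INIT_PROCESS", "LOGIN_PROCESS", "USER_PROCESS",
                 "DEAD_PROCESS", "ACCOUNTING"]

SDB_MAGIC = b"sdbf"


def is_sdb(data: bytes) -> bool:
    """SDB header: major and minor version (uint32 LE each), then 'sdbf'.
    Only 2.x and 3.x databases are known to this example's author, so the
    version bound is a loose sanity check, not a rule from the format."""
    if len(data) < 12 or data[8:12] != SDB_MAGIC:
        return False
    major, minor = struct.unpack_from("<II", data, 0)
    return 1 <= major <= 4 and minor <= 4


def _printable_cstring(field: bytes) -> bool:
    """utmp string fields are NUL-terminated; everything before the
    terminator should be printable ASCII (heuristic)."""
    text = field.split(b"\0", 1)[0]
    return all(0x20 <= b < 0x7F for b in text)


def decode_as_utmp(record: bytes) -> dict:
    """Unpack 384 bytes as a utmp record with no validation at all, which
    is what a signature-less parser effectively does to an .sdb file."""
    (ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host, _term, _exit,
     _session, tv_sec, tv_usec, *addr) = UTMP_STRUCT.unpack(record)
    type_name = UT_TYPE_NAMES[ut_type] if 0 <= ut_type < len(UT_TYPE_NAMES) else ut_type
    return {"type": type_name, "pid": ut_pid, "line": ut_line, "id": ut_id,
            "user": ut_user, "host": ut_host, "tv_sec": tv_sec,
            "tv_usec": tv_usec, "addr": tuple(addr)}


def looks_like_utmp_record(record: bytes) -> bool:
    """Plausibility checks a genuine record passes and arbitrary binary
    (including an SDB header) almost never does. Note that ut_type, pid
    and the timestamp of an SDB header all look fine; the string fields
    are what give it away."""
    if len(record) != UTMP_RECORD_SIZE:
        return False
    r = decode_as_utmp(record)
    if r["type"] not in UT_TYPE_NAMES:
        return False
    if r["pid"] < 0 or r["tv_sec"] < 0 or not 0 <= r["tv_usec"] < 1_000_000:
        return False
    return all(_printable_cstring(r[k]) for k in ("line", "id", "user", "host"))


def classify(data: bytes) -> str:
    """Strong signature first, then utmp plausibility on the first record.
    Requiring a whole number of records is one more heuristic."""
    if is_sdb(data):
        return "windows:sdb"
    if data and len(data) % UTMP_RECORD_SIZE == 0 and \
            looks_like_utmp_record(data[:UTMP_RECORD_SIZE]):
        return "linux:utmp"
    return "unknown"


def make_utmp_record(ut_type, pid, line, ident, user, host, tv_sec, tv_usec):
    """Build a well-formed record (constructed sample, not captured data)."""
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), ident.encode(),
                            user.encode(), host.encode(), 0, 0, 0,
                            tv_sec, tv_usec, 0, 0, 0, 0)


# Constructed samples. The SDB bytes are a 3.0 header, the magic, a
# TAG_INDEXES (0x7802) list tag with a size field, and a few binary bytes,
# padded to two utmp record lengths so only the field checks reject it.
SAMPLE_SDB = (struct.pack("<II", 3, 0) + SDB_MAGIC
              + struct.pack("<HI", 0x7802, 8)
              + b"\x03\x78\x04\x00\x00\x00\x01\x00").ljust(2 * UTMP_RECORD_SIZE, b"\0")
SAMPLE_UTMP = make_utmp_record(7, 4242, "pts/0", "ts/0", "alice",
                               "198.51.100.7", 1_700_000_000, 250_000)

if __name__ == "__main__":
    print("sdb sample   ->", classify(SAMPLE_SDB), decode_as_utmp(SAMPLE_SDB[:384]))
    print("utmp sample  ->", classify(SAMPLE_UTMP), decode_as_utmp(SAMPLE_UTMP))
```

Decoding the constructed SDB header as utmp reproduces the shape of the report: major version 3 lands in ut_type and reads as NEW_TIME, minor version 0 becomes PID 0, and ut_line starts with the bytes "sdbf". The numeric checks alone would accept that record; the printable-string rule on ut_line is what rejects it, which is why a checked file-level signature ("is this an SDB?") is the more reliable gate.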