From d3c314d4b5ce004570e13d07c6a9774f107a92ab Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Wed, 17 Jul 2024 06:14:55 +0200
Subject: [PATCH] Improved normalization of EventLog paths #4890 (#4894)
---
 plaso/helpers/windows/eventlog_providers.py | 8 ++++----
 tests/helpers/windows/eventlog_providers.py | 3 +++
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/plaso/helpers/windows/eventlog_providers.py b/plaso/helpers/windows/eventlog_providers.py
index 73a133c0b3..38bbaac99d 100644
--- a/plaso/helpers/windows/eventlog_providers.py
+++ b/plaso/helpers/windows/eventlog_providers.py
@@ -33,8 +33,8 @@ def _GetNormalizedPath(self, path):
 path_segments = ['%SystemRoot%', 'System32']
 
 elif path_segments_lower[0] in ('system32', '$(runtime.system32)'):
- # Note that the path can be relative so if it starts with "System32"
- # asume this represents "%SystemRoot%\System32".
+ # Note that the path can be relative so if it starts with "System32"
+ # asume this represents "%SystemRoot%\System32".
 path_segments = ['%SystemRoot%', 'System32'] + path_segments[1:]
 
 elif path_segments_lower[0] in (
@@ -43,8 +43,8 @@ def _GetNormalizedPath(self, path):
 
 # Check if path starts with "\SystemRoot\", "\Windows\" or "\WinNT\" for
 # example: "\SystemRoot\system32\drivers\SerCx.sys"
- elif not path_segments_lower[0] and path_segments_lower[1] in (
- 'systemroot', 'windows', 'winnt'):
+ elif (len(path_segments_lower) > 1 and not path_segments_lower[0] and
+ path_segments_lower[1] in ('systemroot', 'windows', 'winnt')):
 path_segments = ['%SystemRoot%'] + path_segments[2:]
 
 path_segments.append(filename)
diff --git a/tests/helpers/windows/eventlog_providers.py b/tests/helpers/windows/eventlog_providers.py
index c83d257377..6227191b2c 100644
--- a/tests/helpers/windows/eventlog_providers.py
+++ b/tests/helpers/windows/eventlog_providers.py
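Review bot: The new `len(path_segments_lower) > 1` guard in the second hunk only protects this one branch; the two `elif` branches above it in the same chain still index `path_segments_lower[0]` unconditionally, so unless the enclosing `if` (outside the hunk) already guarantees a non-empty list, an input with no directory part at all would still raise IndexError there rather than here. The reason for the guard — a bare `\name.dll` splits into a single empty root segment, which this branch now leaves untouched instead of failing on `[1]` — is not stated anywhere in the code; I would extend the comment above the branch with `# A lone empty root segment (e.g. "\eventlogmessages.dll") has no second segment and is left as-is.` The `# asume` typo in the first hunk's comment, which this commit re-touches, could be corrected to `# assume` in the same pass. _GetNormalizedPath starts and ends outside these hunks.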
@@ -67,6 +67,9 @@ def testGetNormalizedPath(self):
 
 self.assertEqual(normalized_path, (
 '%SystemRoot%\\immersivecontrolpanel\\systemsettings.exe'))
+ normalized_path = test_helper._GetNormalizedPath('\\eventlogmessages.dll')
+ self.assertEqual(normalized_path, '\\eventlogmessages.dll')
+
 
 # TODO: add tests for Merge
 # TODO: add tests for NormalizeMessageFiles
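Review bot: The new assertion pins the pass-through of `\eventlogmessages.dll`, but nothing in the test says why that particular input matters, so a later cleanup could drop it as redundant; a one-line comment above it such as `# Regression test for #4890: a path with only an empty root segment must not raise.` would preserve the intent. A sibling case with no leading backslash at all (a bare filename, e.g. `eventlogmessages.dll`, constructed here) would exercise the other empty-segment edge of the helper's branch chain, since the guard added in the helper covers only the single-empty-segment shape. testGetNormalizedPath starts outside this hunk.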