fix: resolve double-counting and password age display bugs

Bug B1 - Double-counting in credential validation:
- validate_specific_tasks() was storing each result twice (SMB path AND RPC path)
- Now only stores with original SMB path; lookup code already handles both formats

Bug B2 - Password age data not displayed:
- LDAP pwdLastSet was converted to timezone-naive datetime
- Task dates are parsed as timezone-aware (UTC)
- Comparison failed with 'can't compare offset-naive and offset-aware datetimes'
- Fixed by adding tz=timezone.utc to datetime creation in batch_get_user_attributes()

Author: r0BIT

taskhound/smb/task_rpc.py

@@ -368,9 +368,8 @@ def validate_specific_tasks(
             log_debug(f"Validating credentials for task: {rpc_path} (SMB: {original_path})")
             run_info = self.get_task_run_info(rpc_path)
             if run_info:
-                # Store with BOTH paths for correlation
+                # Store with original SMB path for correlation with crawled tasks
                 results[original_path] = run_info
-                results[rpc_path] = run_info
             else:
                 log_debug(f"Could not get run info for {rpc_path}")
 

taskhound/utils/sid_resolver.py

@@ -888,17 +888,19 @@ def batch_get_user_attributes(
                                     if filetime > 0:
                                         # Windows FILETIME is 100-nanosecond intervals since 1601
                                         unix_ts = (filetime - 116444736000000000) / 10000000
-                                        from datetime import datetime
-                                        entry_attrs["pwdLastSet"] = datetime.fromtimestamp(unix_ts)
+                                        from datetime import datetime, timezone
+                                        # Use UTC timezone for consistency with task date parsing
+                                        entry_attrs["pwdLastSet"] = datetime.fromtimestamp(unix_ts, tz=timezone.utc)
                                 except (ValueError, OSError):
                                     pass
                             elif attr_name.lower() == "lastlogon":
                                 try:
                                     filetime = int(attr_vals[0]) if attr_vals else 0
                                     if filetime > 0:
                                         unix_ts = (filetime - 116444736000000000) / 10000000
-                                        from datetime import datetime
-                                        entry_attrs["lastLogon"] = datetime.fromtimestamp(unix_ts)
+                                        from datetime import datetime, timezone
+                                        # Use UTC timezone for consistency
+                                        entry_attrs["lastLogon"] = datetime.fromtimestamp(unix_ts, tz=timezone.utc)
                                 except (ValueError, OSError):
                                     pass
                             elif attr_name.lower() == "objectsid":

tests/test_task_rpc.py

@@ -628,7 +628,7 @@ def test_validate_task_returns_none(self, mock_get_info):
 
     @patch.object(TaskSchedulerRPC, 'get_task_run_info')
     def test_validate_preserves_original_path(self, mock_get_info):
-        """Test that results contain original SMB paths."""
+        """Test that results contain original SMB paths only (not duplicated with RPC path)."""
         mock_info = TaskRunInfo(
             task_path="\\TestTask",
             last_run=datetime(2024, 1, 1),
@@ -643,9 +643,9 @@ def test_validate_preserves_original_path(self, mock_get_info):
         original_path = "Windows\\System32\\Tasks\\TestTask"
         results = self.rpc.validate_specific_tasks([original_path])
 
-        # Should have both original SMB path and RPC path
+        # Should have only the original SMB path (no duplication with RPC path)
         assert original_path in results
-        assert "\\TestTask" in results
+        assert len(results) == 1  # Only one entry, not duplicated
 
 
 class TestTaskSchedulerRPCConnect: