Beispiel #1
        /// <summary>
        /// Expands a single wildcard segment between "User MRU" and "File MRU" in an
        /// NTUSER hive and expects exactly one matching key path.
        /// </summary>
        public void ExpandoTest09()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\ntuser.dat";

            // RecoverDeleted is set before parsing.
            // NOTE(review): presumably enables deleted-record recovery in ParseHive() - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            // The pattern is lower-cased before it is handed to ExpandKeyPath.
            var pattern = $"Software\\Microsoft\\Office\\16.0\\Excel\\User MRU\\{wildCardChar}\\File MRU".ToLowerInvariant();
            var expanded = hive.ExpandKeyPath(pattern);

            Check.That(expanded.Count).IsEqualTo(1);

            // NOTE(review): the expected key name embeds an "AD_<hex>" identifier taken from the
            // fixture hive; confirm the fixture is sanitized before it is shared.
            Check.That(expanded.First()).IsEqualTo("ROOT\\Software\\Microsoft\\Office\\16.0\\Excel\\User MRU\\AD_B8387EDCD97012482021633037177683B71660DC7C410BE924536ACDF94CD5B4\\File MRU".ToLowerInvariant());
        }
Beispiel #2
        /// <summary>
        /// Expands a wildcard at the start of the last path segment ("{wildCardChar}mss")
        /// and expects the single key "SamSs" under Setup\AllowStart.
        /// </summary>
        public void ExpandoTest07()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\system_registry_hive";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            // The pattern suffix is "mss" while the expected key is "SamSs" (compared lower-cased),
            // so a pass implies the match does not depend on letter case.
            var matches = hive.ExpandKeyPath($"Setup\\AllowStart\\{wildCardChar}mss");

            Check.That(matches.Count).IsEqualTo(1);
            Check.That(matches.First()).IsEqualTo("$$$PROTO.HIV\\Setup\\AllowStart\\SamSs".ToLowerInvariant());
        }
        /// <summary>
        /// Expands a leading wildcard in front of "FlowControl" and expects the one key whose
        /// name is literally "*FlowControl" under the network-adapter class GUID.
        /// </summary>
        public void ExpandoTest15()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\SYSTEM_loneWolf";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            // The class GUID segment stays in a plain literal: inside an interpolated string
            // its braces would be parsed as an interpolation hole.
            const string classKey = "ControlSet001\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}";
            var pattern = classKey + $"\\0001\\Ndi\\Params\\{wildCardChar}FlowControl";
            var matches = hive.ExpandKeyPath(pattern);

            Check.That(matches.Count).IsEqualTo(1);

            // The expected key name itself starts with an asterisk character.
            Check.That(matches.First()).IsEqualTo(@"ROOT\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001\Ndi\Params\*FlowControl".ToLowerInvariant());
        }
        /// <summary>
        /// Passes a path without any wildcard (and with a trailing backslash) to
        /// ExpandKeyPath and expects exactly one result. Only the count is asserted.
        /// </summary>
        public void ExpandoTest14()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\ntuser.dat";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            // No wildcard appears in this pattern. The original author note here was cut off
            // ("no wildcards should"), so the intent beyond "one result" is not recorded.
            // NOTE(review): the path embeds an "AD_<hex>" identifier from the fixture hive;
            // confirm the fixture is sanitized before it is shared.
            var literalPath = $"Software\\Microsoft\\Office\\16.0\\Excel\\User MRU\\AD_B8387EDCD97012482021633037177683B71660DC7C410BE924536ACDF94CD5B4\\";
            var matches = hive.ExpandKeyPath(literalPath);

            Check.That(matches.Count).IsEqualTo(1);
        }
        /// <summary>
        /// Looks up a key whose name contains a literal asterisk ("(*.dbf)") without using
        /// the wildcard field, and expects that single key back.
        /// </summary>
        public void ExpandoTest11()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\SOFTWARE_win10";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            // The '*' here is part of the key name.
            // NOTE(review): a single result suggests '*' is not treated as the wildcard - confirm
            // against the definition of wildCardChar, which is outside this block.
            var keyPath = $"WOW6432Node\\ODBC\\ODBCINST.INI\\Microsoft dBase Driver (*.dbf)";
            var matches = hive.ExpandKeyPath(keyPath);

            Check.That(matches.Count).IsEqualTo(1);
            Check.That(matches.First()).IsEqualTo(@"ROOT\WOW6432Node\ODBC\ODBCINST.INI\Microsoft dBase Driver (*.dbf)".ToLowerInvariant());
        }
        /// <summary>
        /// Expands two consecutive wildcard segments under Office and expects three
        /// "User MRU" keys; only the first result is compared by value.
        /// </summary>
        public void ExpandoTest10()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\ntuser.dat";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            // The pattern is passed with "SOFTWARE" in upper case and is not lower-cased here,
            // while the expected value below is compared in lower case.
            var pattern = $"SOFTWARE\\Microsoft\\Office\\{wildCardChar}\\{wildCardChar}\\User MRU";
            var matches = hive.ExpandKeyPath(pattern);

            Check.That(matches.Count).IsEqualTo(3);
            Check.That(matches.First()).IsEqualTo(@"ROOT\Software\Microsoft\Office\16.0\Excel\User MRU".ToLowerInvariant());
        }
Beispiel #7
        /// <summary>
        /// Expands a trailing '*' inside the first path segment ("ControlSet00*") and
        /// expects the Services key of ControlSet001 and ControlSet002, in that order.
        /// </summary>
        public void ExpandoTest01()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\system_registry_hive";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            var serviceRoots = hive.ExpandKeyPath("ControlSet00*\\Services");

            // Expected paths carry no root-key prefix and keep their original casing.
            Check.That(serviceRoots.Count).IsEqualTo(2);
            Check.That(serviceRoots.First()).IsEqualTo("ControlSet001\\Services");
            Check.That(serviceRoots.Last()).IsEqualTo("ControlSet002\\Services");
        }
Beispiel #8
        /// <summary>
        /// Expands a wildcard at the end of the first path segment ("ControlSet00" + wildcard)
        /// and expects the Services key of ControlSet001 and ControlSet002, in that order.
        /// </summary>
        public void ExpandoTest01()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\system_registry_hive";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            var serviceRoots = hive.ExpandKeyPath($"ControlSet00{wildCardChar}\\Services");

            // Expected paths include the hive's root key name and are compared in lower case.
            Check.That(serviceRoots.Count).IsEqualTo(2);
            Check.That(serviceRoots.First()).IsEqualTo("$$$PROTO.HIV\\ControlSet001\\Services".ToLowerInvariant());
            Check.That(serviceRoots.Last()).IsEqualTo("$$$PROTO.HIV\\ControlSet002\\Services".ToLowerInvariant());
        }
Beispiel #9
        /// <summary>
        /// Expands a '*' in the final path segment below an Excel "User MRU" identity key
        /// and expects its two children, "File MRU" then "Place MRU".
        /// </summary>
        public void ExpandoTest13()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"C:\Temp\NTUSER.DAT";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            // NOTE(review): the path embeds a "LiveId_<hex>" identifier from the fixture hive;
            // confirm the fixture is sanitized before it is shared.
            var children = hive.ExpandKeyPath(@"Software\Microsoft\Office\16.0\Excel\User MRU\LiveId_2709CD201D69E509465D3C60D830CE2490A74738D87E3C8A95FEFEA94316F09F\*");

            Check.That(children.Count).IsEqualTo(2);
            Check.That(children.First()).IsEqualTo(@"Software\Microsoft\Office\16.0\Excel\User MRU\LiveId_2709CD201D69E509465D3C60D830CE2490A74738D87E3C8A95FEFEA94316F09F\File MRU");
            Check.That(children.Last()).IsEqualTo(@"Software\Microsoft\Office\16.0\Excel\User MRU\LiveId_2709CD201D69E509465D3C60D830CE2490A74738D87E3C8A95FEFEA94316F09F\Place MRU");
        }
Beispiel #10
        /// <summary>
        /// Expands a pattern in which '*' appears twice: once as the first character of the
        /// key name "*FlowControl" and once as the whole final segment. Expects the single
        /// child key "Enum".
        /// </summary>
        public void ExpandoTest16()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"C:\Temp\SYSTEM_loneWolf";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            //TODO try to get this to work, if you do, remove WithoutWildCard
            // NOTE(review): the TODO indicates this case was not passing when written;
            // WithoutWildCard is not visible in this block.
            var children = hive.ExpandKeyPath(@"ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001\Ndi\Params\*FlowControl\*");

            Check.That(children.Count).IsEqualTo(1);
            Check.That(children.First()).IsEqualTo(@"ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001\Ndi\Params\*FlowControl\Enum");
        }
Beispiel #11
        /// <summary>
        /// Expands one wildcard segment directly under BagMRU (followed by "\0\0") in a
        /// UsrClass hive and expects three key paths, checking the first and the last.
        /// </summary>
        public void ExpandoTestOneOff()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\AdminUsrClass.dat";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            var bagKeys = hive.ExpandKeyPath($"Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\{wildCardChar}\\0\\0");

            Check.That(bagKeys.Count).IsEqualTo(3);

            // The expected paths start with the hive's root key name, which here is a user SID
            // followed by "_Classes".
            // NOTE(review): that SID comes from the fixture hive; confirm the fixture is
            // sanitized before it is shared.
            Check.That(bagKeys.First()).IsEqualTo("S-1-5-21-2036804247-3058324640-2116585241-500_Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\0\\0\\0".ToLowerInvariant());
            Check.That(bagKeys.Last()).IsEqualTo(@"S-1-5-21-2036804247-3058324640-2116585241-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0".ToLowerInvariant());
        }
Beispiel #12
        /// <summary>
        /// Expands a leading '*' in the last segment ("*ss") under Setup\AllowStart and
        /// expects two keys, "Rpcss" then "SamSs".
        /// </summary>
        public void ExpandoTest06()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\system_registry_hive";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            var matches = hive.ExpandKeyPath(@"Setup\AllowStart\*ss");

            // "SamSs" ends in "Ss", so a pass implies the suffix match ignores letter case.
            Check.That(matches.Count).IsEqualTo(2);
            Check.That(matches.First()).IsEqualTo(@"Setup\AllowStart\Rpcss");
            Check.That(matches.Last()).IsEqualTo(@"Setup\AllowStart\SamSs");
        }
Beispiel #13
        /// <summary>
        /// Expands a '*' that stands for a whole middle segment (IDConfigDB\*\0001) and
        /// expects two keys, under "Alias" and then "Hardware Profiles".
        /// </summary>
        public void ExpandoTest03()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\system_registry_hive";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            var matches = hive.ExpandKeyPath(@"ControlSet001\Control\IDConfigDB\*\0001");

            // Expected paths carry no root-key prefix and keep their original casing.
            Check.That(matches.Count).IsEqualTo(2);
            Check.That(matches.First()).IsEqualTo(@"ControlSet001\Control\IDConfigDB\Alias\0001");
            Check.That(matches.Last()).IsEqualTo(@"ControlSet001\Control\IDConfigDB\Hardware Profiles\0001");
        }
Beispiel #14
        /// <summary>
        /// Expands a wildcard that stands for a whole middle segment (IDConfigDB\wildcard\0001)
        /// and expects two keys, under "Alias" and then "Hardware Profiles".
        /// </summary>
        public void ExpandoTest03()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\system_registry_hive";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            var matches = hive.ExpandKeyPath($"ControlSet001\\Control\\IDConfigDB\\{wildCardChar}\\0001");

            // Expected paths include the hive's root key name and are compared in lower case.
            Check.That(matches.Count).IsEqualTo(2);
            Check.That(matches.First()).IsEqualTo("$$$PROTO.HIV\\ControlSet001\\Control\\IDConfigDB\\Alias\\0001".ToLowerInvariant());
            Check.That(matches.Last()).IsEqualTo("$$$PROTO.HIV\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001".ToLowerInvariant());
        }
Beispiel #15
        /// <summary>
        /// Expands a '*' in the middle of the last segment ("Avg*x86") under
        /// ControlSet002\Services and expects three service keys in a fixed order.
        /// </summary>
        public void ExpandoTest04()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\system_registry_hive";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            var services = hive.ExpandKeyPath(@"ControlSet002\Services\Avg*x86");

            // Results are checked by index, so the order returned by ExpandKeyPath matters.
            string[] expected =
            {
                @"ControlSet002\Services\Avgldx86",
                @"ControlSet002\Services\Avgmfx86",
                @"ControlSet002\Services\Avgrkx86"
            };

            Check.That(services.Count).IsEqualTo(3);
            for (var i = 0; i < expected.Length; i++)
            {
                Check.That(services[i]).IsEqualTo(expected[i]);
            }
        }
Beispiel #16
        /// <summary>
        /// Expands a trailing '*' in the last segment ("aic*") under ControlSet002\Services
        /// and expects two service keys, "aic78u2" then "aic78xx".
        /// </summary>
        public void ExpandoTest02()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\system_registry_hive";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            var services = hive.ExpandKeyPath("ControlSet002\\Services\\aic*");

            // Expected paths carry no root-key prefix and keep their original casing.
            Check.That(services.Count).IsEqualTo(2);
            Check.That(services.First()).IsEqualTo(@"ControlSet002\Services\aic78u2");
            Check.That(services.Last()).IsEqualTo(@"ControlSet002\Services\aic78xx");
        }
Beispiel #17
        /// <summary>
        /// Expands one wildcard segment under Classes (followed by "OpenWithProgIds") in a
        /// SOFTWARE hive and expects 95 key paths, checking the first and the last.
        /// </summary>
        public void ExpandoTestOneOff2()
        {
            // Original note, kept as written: Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0
            // NOTE(review): that path is not used anywhere in this test; it looks like a leftover.

            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\SOFTWARE_win10";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            var progIdKeys = hive.ExpandKeyPath($"Classes\\{wildCardChar}\\OpenWithProgIds");

            // The exact count ties this test to the contents of this particular fixture hive.
            Check.That(progIdKeys.Count).IsEqualTo(95);
            Check.That(progIdKeys.First()).IsEqualTo("ROOT\\Classes\\.3g2\\OpenWithProgIds".ToLowerInvariant());
            Check.That(progIdKeys.Last()).IsEqualTo("ROOT\\Classes\\.zip\\OpenWithProgIds".ToLowerInvariant());
        }
Beispiel #18
        /// <summary>
        /// Expands a pattern with two wildcard segments (wildcard\shell\wildcard\command) in a
        /// UsrClass hive and expects 224 key paths, checking the first and the last.
        /// </summary>
        public void ExpandoTestRedux01()
        {
            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\UsrClassXWFPath.dat";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            var commandKeys = hive.ExpandKeyPath($"{wildCardChar}\\shell\\{wildCardChar}\\command");

            // The exact count ties this test to the contents of this particular fixture hive.
            Check.That(commandKeys.Count).IsEqualTo(224);

            // The first expected result sits under a key that is literally named "*".
            // NOTE(review): the root key name is a user SID from the fixture hive; confirm the
            // fixture is sanitized before it is shared.
            Check.That(commandKeys.First()).IsEqualTo("s-1-5-21-238543598-4054144643-4261915534-1114_classes\\*\\shell\\editpad\\command".ToLowerInvariant());
            Check.That(commandKeys.Last()).IsEqualTo("s-1-5-21-238543598-4054144643-4261915534-1114_classes\\zoomrecording\\shell\\open\\command".ToLowerInvariant());
        }
Beispiel #19
        /// <summary>
        /// Expands one wildcard segment under Classes (followed by "ShellEx") in a SOFTWARE
        /// hive and expects 187 key paths, checking the first and the last.
        /// </summary>
        public void ExpandoTestOneOff3()
        {
            // Original note, kept as written: Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0
            // NOTE(review): that path is not used anywhere in this test; it looks like a leftover.

            // Fixture hive at a fixed local path; the test cannot run unless this file is present.
            const string hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\SOFTWARE_win10";

            // NOTE(review): RecoverDeleted presumably enables deleted-record recovery - confirm in RegistryHive.
            var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
            hive.ParseHive();

            var shellExKeys = hive.ExpandKeyPath($"Classes\\{wildCardChar}\\ShellEx");

            // The exact count ties this test to the contents of this particular fixture hive.
            Check.That(shellExKeys.Count).IsEqualTo(187);

            // The first expected result sits under a key that is literally named "*".
            Check.That(shellExKeys.First()).IsEqualTo("root\\classes\\*\\shellex".ToLowerInvariant());
            Check.That(shellExKeys.Last()).IsEqualTo("root\\classes\\wshfile\\shellex".ToLowerInvariant());
        }