C# (CSharp) PowerForensics.Artifacts RunMRU Beispiele

Programmiersprache: C# (CSharp)

Namespace / Paketname: PowerForensics.Artifacts

Klasse / Typ: RunMRU

Beispiele auf hotexamples.com: 2

C# (CSharp) PowerForensics.Artifacts RunMRU - 2 Beispiele gefunden. Dies sind die am besten bewerteten C# (CSharp) Beispiele für die PowerForensics.Artifacts.RunMRU, die aus Open Source-Projekten extrahiert wurden. Sie können Beispiele bewerten, um die Qualität der Beispiele zu verbessern.

Beispiel #1

Datei anzeigen

        /// <summary>
        ///
        /// </summary>
        /// <param name="hivePath"></param>
        /// <returns></returns>
        public static RunMRU[] Get(string hivePath)
        {
            if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                string user = RegistryHelper.GetUserHiveOwner(hivePath);
                string Key  = @"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU";

                byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);

                NamedKey RunMRUKey = null;
                ValueKey MRUList   = null;

                try
                {
                    RunMRUKey = NamedKey.Get(bytes, hivePath, Key);
                }
                catch
                {
                    return(null);
                }

                try
                {
                    MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUList");
                }
                catch
                {
                    return(null);
                }

                RunMRU[] RunMRUStrings = new RunMRU[RunMRUKey.NumberOfValues - 1];

                byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);

                for (int i = 0; i <= MRUListBytes.Length - 4; i += 4)
                {
                    string MRUValue = Encoding.ASCII.GetString(MRUListBytes).TrimEnd('\0');
                    RunMRUStrings[i / 4] = new RunMRU(user, (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
                }

                return(RunMRUStrings);
            }
            else
            {
                throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
            }
        }

Beispiel #2

Datei anzeigen

Datei: RunMRU.cs Projekt: JamesHabben/PowerForensics

        public static RunMRU[] Get(string hivePath)
        {
            if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                string user = RegistryHelper.GetUserHiveOwner(hivePath);
                string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU";

                byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);

                NamedKey RunMRUKey = null;
                ValueKey MRUList = null;

                try
                {
                    RunMRUKey = NamedKey.Get(bytes, hivePath, Key);
                }
                catch
                {
                    return null;
                }

                try
                {
                    MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUList");
                }
                catch
                {
                    return null;
                }

                RunMRU[] RunMRUStrings = new RunMRU[RunMRUKey.NumberOfValues - 1];

                byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);

                for(int i = 0; i <= MRUListBytes.Length - 4; i += 4)
                {
                    string MRUValue = Encoding.ASCII.GetString(MRUListBytes).TrimEnd('\0');
                    RunMRUStrings[i / 4] = new RunMRU(user, (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
                }

                return RunMRUStrings;
            }
            else
            {
                throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
            }
        }