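        /// <summary>
        /// Parses the AppCompatCache (Shimcache) value of an offline SYSTEM hive and returns
        /// one entry per cached executable, dispatching on the 4-byte magic at offset 0 to the
        /// format-specific parser.
        /// </summary>
        /// <param name="hivePath">Path to an offline SYSTEM hive file.</param>
        /// <returns>
        /// The parsed Shimcache entries, or null when the leading magic is not one of the known
        /// formats (or the value is too short to hold a magic at all).
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="hivePath"/> is null.</exception>
        /// <exception cref="Exception">
        /// The hive does not look like a SYSTEM hive, or the AppCompatCache value cannot be
        /// located under either of the known Session Manager subkeys.
        /// </exception>
        public static Shimcache[] GetInstancesByPath(string hivePath)
        {
            if (hivePath == null)
            {
                throw new ArgumentNullException("hivePath");
            }

            // The only "is this a SYSTEM hive" check is a case-sensitive substring match on the
            // path recorded in the hive header; any path that happens to contain "SYSTEM" passes.
            if (!RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
            {
                throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
            }

            // ControlSet001 is hard-coded. The control set that was live on the imaged machine is
            // named by the hive's Select key (Current value); if that was not 001 this reads a
            // stale copy of the cache. TODO: resolve the active control set instead of assuming it.
            const string sessionManager = @"ControlSet001\Control\Session Manager";

            // Some hives keep the value under ...\AppCompatibility instead of ...\AppCompatCache;
            // try the AppCompatCache location first. The second lookup's failure is preserved as
            // the inner exception so a missing key can be told apart from a corrupt hive.
            ValueKey vk;
            try
            {
                vk = ValueKey.Get(hivePath, sessionManager + @"\AppCompatCache", "AppCompatCache");
            }
            catch
            {
                try
                {
                    vk = ValueKey.Get(hivePath, sessionManager + @"\AppCompatibility", "AppCompatCache");
                }
                catch (Exception fallbackFailure)
                {
                    throw new Exception("Error finding AppCompatCache registry value", fallbackFailure);
                }
            }

            if (vk == null)
            {
                throw new Exception("Error finding AppCompatCache registry value");
            }

            byte[] bytes = (byte[])vk.GetData();

            // The magic occupies the first four bytes; anything shorter cannot be a cache this
            // parser recognises, so it gets the same "unknown format" result as the default case
            // instead of an ArgumentException from BitConverter.
            if (bytes == null || bytes.Length < 4)
            {
                return null;
            }

            // Architecture drives entry layout for the 5.2 / 6.1 formats; it is read up front so
            // a missing Environment key fails before any parsing starts.
            string arch = (string)ValueKey.Get(hivePath, sessionManager + @"\Environment", "PROCESSOR_ARCHITECTURE").GetData();

            switch (BitConverter.ToUInt32(bytes, 0x00))
            {
            // Windows XP
            case WINXP_MAGIC:
                return GetDEADBEEF(bytes);

            // Server 2003, Windows Vista, Server 2008
            case NT5dot2_MAGIC:
                return GetBADC0FFE(bytes, arch);

            // Windows 7 and Server 2008 R2
            case NT6dot1_MAGIC:
                return GetBADC0FEE(bytes, arch);

            // Windows 8 and Windows 8.1
            case WIN8dot1_MAGIC:
                return Get00000080(bytes);

            // Windows 10
            case WIN10_MAGIC:
                return Get00000030(bytes);

            default:
                return null;
            }
        }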
        /// <summary>
        /// Walks the Root\File subtree of an offline Amcache.hve hive and builds one Amcache
        /// record for every second-level key found beneath it.
        /// </summary>
        /// <param name="hivePath">Path to an offline Amcache.hve file.</param>
        /// <returns>All parsed Amcache entries; empty when Root\File has no grandchildren.</returns>
        /// <exception cref="Exception">The hive header path does not contain "Amcache.hve".</exception>
        public static Amcache[] GetInstancesByPath(string hivePath)
        {
            // Hive-type check is a substring match on the path stored in the hive header.
            if (!RegistryHeader.Get(hivePath).HivePath.Contains("Amcache.hve"))
            {
                throw new Exception("Invalid Amcache.hve hive provided to -HivePath parameter.");
            }

            byte[] hiveBytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
            List<Amcache> entries = new List<Amcache>();

            foreach (NamedKey parentKey in NamedKey.GetInstances(hiveBytes, hivePath, @"Root\File"))
            {
                // Keys without children contribute nothing; skip the subkey walk for them.
                if (parentKey.NumberOfSubKeys == 0)
                {
                    continue;
                }

                foreach (NamedKey childKey in parentKey.GetSubKeys(hiveBytes))
                {
                    entries.Add(new Amcache(childKey, hiveBytes));
                }
            }

            return entries.ToArray();
        }
        /// <summary>
        /// Returns the raw AppCompatCache value bytes from an offline SYSTEM hive, printing a
        /// short format tag to the console for the magic values it recognises.
        /// </summary>
        /// <param name="hivePath">Path to an offline SYSTEM hive file.</param>
        /// <returns>The unparsed value data, regardless of whether the magic was recognised.</returns>
        /// <exception cref="Exception">The hive header path does not contain "SYSTEM".</exception>
        public static byte[] Get(string hivePath)
        {
            if (!RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
            {
                throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
            }

            // ControlSet001 is assumed; the hive's Select\Current value names the live one.
            ValueKey cacheValue = ValueKey.Get(hivePath, @"ControlSet001\Control\Session Manager\AppCompatCache", "AppCompatCache");
            byte[] raw = cacheValue.GetData();

            // Diagnostic only: the magic is the first four bytes of the value.
            uint magic = BitConverter.ToUInt32(raw, 0x00);
            if (magic == WINXP_MAGIC)
            {
                Console.WriteLine("XP");
            }
            else if (magic == NT5_2_MAGIC)
            {
                Console.WriteLine("5.2");
            }
            else if (magic == NT6_1_MAGIC)
            {
                Console.WriteLine("6.1");
            }
            // Unrecognised magics are passed through silently.

            return raw;
        }
        /// <summary>
        /// Walks the NetworkList\Signatures subtree of an offline SOFTWARE hive and builds one
        /// NetworkList record for every second-level key found beneath it.
        /// </summary>
        /// <param name="hivePath">Path to an offline SOFTWARE hive file.</param>
        /// <returns>All parsed NetworkList entries; empty when no signature keys have children.</returns>
        /// <exception cref="Exception">The hive header path does not contain "SOFTWARE".</exception>
        public static NetworkList[] GetInstances(string hivePath)
        {
            // Hive-type check is a substring match on the path stored in the hive header.
            if (!RegistryHeader.Get(hivePath).HivePath.Contains("SOFTWARE"))
            {
                throw new Exception("Invalid SOFTWARE hive provided to -HivePath parameter.");
            }

            byte[] hiveBytes = Registry.Helper.GetHiveBytes(hivePath);
            List<NetworkList> entries = new List<NetworkList>();

            foreach (NamedKey signatureType in NamedKey.GetInstances(hiveBytes, hivePath, @"Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures"))
            {
                // Keys without children contribute nothing; skip the subkey walk for them.
                if (signatureType.NumberOfSubKeys == 0)
                {
                    continue;
                }

                foreach (NamedKey signature in signatureType.GetSubKeys(hiveBytes, signatureType.FullName))
                {
                    entries.Add(new NetworkList(signature, hiveBytes));
                }
            }

            return entries.ToArray();
        }
 /// <summary>
 /// Reads the "V" value of SAM\Domains\Account from an offline SAM hive and constructs a
 /// SecurityIdentifier from the bytes starting 0x18 before the end of that value.
 /// </summary>
 /// <param name="hivePath">Path to an offline SAM hive file.</param>
 /// <returns>The SecurityIdentifier decoded from the tail of the V value.</returns>
 /// <exception cref="Exception">The hive header path does not contain "SAM".</exception>
 public static SecurityIdentifier Get(string hivePath)
 {
     bool looksLikeSam = RegistryHeader.Get(hivePath).HivePath.Contains("SAM");
     if (!looksLikeSam)
     {
         throw new Exception("Invalid SAM hive provided to -HivePath parameter.");
     }

     ValueKey accountV = ValueKey.Get(hivePath, @"SAM\Domains\Account", "V");
     byte[] data = accountV.GetData();

     // The cast binds to DataLength before the subtraction: offset = ((int)DataLength) - 0x18.
     // NOTE(review): nothing here guards DataLength >= 0x18; a truncated V value yields a
     // negative offset and whatever the SecurityIdentifier constructor does with it.
     int sidOffset = (int)accountV.DataLength - 0x18;
     return new SecurityIdentifier(data, sidOffset);
 }
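 /// <summary>
 /// Reads the Windows NT\CurrentVersion key from an offline SOFTWARE hive and wraps it in a
 /// WindowsVersion.
 /// </summary>
 /// <param name="hivePath">Path to an offline SOFTWARE hive file.</param>
 /// <returns>A WindowsVersion built from the CurrentVersion key.</returns>
 /// <exception cref="Exception">
 /// The hive header path does not contain "SOFTWARE", or the CurrentVersion key is absent.
 /// </exception>
 public static WindowsVersion Get(string hivePath)
 {
     if (!RegistryHeader.Get(hivePath).HivePath.Contains("SOFTWARE"))
     {
         throw new Exception("Invalid SOFTWARE hive provided to -HivePath parameter.");
     }

     byte[] bytes = Helper.GetHiveBytes(hivePath);

     // Key path corrected to "Microsoft" (the previous "Micosoft" spelling could never match).
     // NOTE(review): the NetworkList parser in this library prefixes its SOFTWARE key path with
     // "Software\"; whether NamedKey.Get expects that prefix here as well should be confirmed.
     NamedKey currentVersion = NamedKey.Get(bytes, hivePath, @"Microsoft\Windows NT\CurrentVersion");
     if (currentVersion == null)
     {
         throw new Exception("Unable to locate Windows NT\\CurrentVersion in the SOFTWARE hive.");
     }

     return new WindowsVersion(currentVersion);
 }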
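        /// <summary>
        /// Reads TimeZoneKeyName from an offline SYSTEM hive and pairs it with the time zone of
        /// the machine running this code.
        /// </summary>
        /// <param name="hivePath">Path to an offline SYSTEM hive file.</param>
        /// <returns>
        /// A Timezone whose key name comes from the hive and whose standard/daylight names and
        /// DST flag describe the analyst's host time zone, not the imaged machine's.
        /// </returns>
        /// <exception cref="Exception">The hive header path does not contain "SYSTEM".</exception>
        public static Timezone Get(string hivePath)
        {
            if (!RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
            {
                throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
            }

            // ControlSet001 is hard-coded; the live control set is named by the hive's
            // Select\Current value and may differ. TODO: resolve it instead of assuming 001.
            ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");

            // The value is a UTF-16LE string whose raw bytes usually include the terminating
            // NUL; strip it so the key name compares equal to its plain string form.
            string keyName = System.Text.Encoding.Unicode.GetString(vk.GetData()).TrimEnd('\0');

            // The remaining three fields describe the host, not the hive: TimeZoneInfo.Local
            // stands in for the obsolete TimeZone.CurrentTimeZone with equivalent values. Only
            // keyName is evidence; do not report the others as properties of the imaged system.
            TimeZoneInfo host = TimeZoneInfo.Local;
            return new Timezone(keyName, host.StandardName, host.DaylightName, host.IsDaylightSavingTime(DateTime.Now));
        }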