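/// <summary>
/// Parses the AppCompatCache (shimcache) value stored in an offline SYSTEM hive.
/// </summary>
/// <param name="hivePath">Path to the SYSTEM hive file to parse.</param>
/// <returns>
/// The parsed entries, or null when the leading 32-bit signature of the value
/// matches none of the formats handled below.
/// </returns>
/// <exception cref="Exception">
/// Thrown when the hive is not recognised as SYSTEM, when the AppCompatCache value
/// cannot be located, or when the value is too short to carry a format signature.
/// </exception>
public static Shimcache[] GetInstancesByPath(string hivePath)
{
    // This gate is a case-sensitive substring match on the path reported by
    // RegistryHeader, not a structural check of the hive contents.
    if (!RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
    {
        throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
    }

    // NOTE(review): ControlSet001 is hard-coded. The control set a system actually
    // booted with is recorded in Select\Current, so on a machine that was running
    // from another control set this reads a non-current copy of the cache.
    ValueKey vk = null;
    try
    {
        vk = ValueKey.Get(hivePath, @"ControlSet001\Control\Session Manager\AppCompatCache", "AppCompatCache");
    }
    catch
    {
        // Best-effort fallback: the same value name under the AppCompatibility key.
        try
        {
            vk = ValueKey.Get(hivePath, @"ControlSet001\Control\Session Manager\AppCompatibility", "AppCompatCache");
        }
        catch (Exception ex)
        {
            // Keep the underlying failure attached so a corrupt hive can be told
            // apart from a hive that simply lacks the value.
            throw new Exception("Error finding AppCompatCache registry value", ex);
        }
    }

    if (vk == null)
    {
        throw new Exception("Error finding AppCompatCache registry value");
    }

    byte[] bytes = (byte[])vk.GetData();

    // The value comes from an evidence file and may be truncated or empty; refuse
    // it explicitly instead of letting BitConverter fail on the signature read.
    if (bytes == null || bytes.Length < sizeof(uint))
    {
        throw new Exception("AppCompatCache value is too short to contain a format signature.");
    }

    // NOTE(review): read eagerly although only two of the formats below use it, so
    // a hive without this value fails for every format.
    string arch = (string)ValueKey.Get(hivePath, @"ControlSet001\Control\Session Manager\Environment", "PROCESSOR_ARCHITECTURE").GetData();

    switch (BitConverter.ToUInt32(bytes, 0x00))
    {
        // Windows XP
        case WINXP_MAGIC:
            return GetDEADBEEF(bytes);

        // Server 2003, Windows Vista, Server 2008
        case NT5dot2_MAGIC:
            return GetBADC0FFE(bytes, arch);

        // Windows 7 and Server 2008 R2
        case NT6dot1_MAGIC:
            return GetBADC0FEE(bytes, arch);

        // Windows 8.1 (the original comment also lists Windows 8, but no separate
        // case for it is present here)
        case WIN8dot1_MAGIC:
            return Get00000080(bytes);

        // Windows 10
        case WIN10_MAGIC:
            return Get00000030(bytes);

        // Unknown signature: callers must handle a null result.
        default:
            return null;
    }
}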
/// <summary>
/// Builds an Amcache object for every second-level key found under Root\File in an
/// offline Amcache.hve hive.
/// </summary>
/// <param name="hivePath">Path to the Amcache.hve file to parse.</param>
/// <returns>One Amcache instance per subkey of each key under Root\File.</returns>
/// <exception cref="Exception">
/// Thrown when the path reported by RegistryHeader does not contain "Amcache.hve".
/// </exception>
public static Amcache[] GetInstancesByPath(string hivePath)
{
    // Case-sensitive substring match on the reported path; the hive contents are
    // not checked here.
    bool looksLikeAmcache = RegistryHeader.Get(hivePath).HivePath.Contains("Amcache.hve");
    if (!looksLikeAmcache)
    {
        throw new Exception("Invalid Amcache.hve hive provided to -HivePath parameter.");
    }

    // NOTE(review): only Root\File is walked. Later Windows 10 builds are known to
    // record file entries under other keys, so an empty result from this method is
    // not by itself evidence that nothing executed; confirm against the hive.
    string Key = @"Root\File";
    byte[] hiveBytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
    NamedKey[] parentKeys = NamedKey.GetInstances(hiveBytes, hivePath, Key);

    List<Amcache> collected = new List<Amcache>();
    for (int i = 0; i < parentKeys.Length; i++)
    {
        NamedKey parent = parentKeys[i];

        // Keys without children contribute nothing.
        if (parent.NumberOfSubKeys == 0)
        {
            continue;
        }

        foreach (NamedKey child in parent.GetSubKeys(hiveBytes))
        {
            collected.Add(new Amcache(child, hiveBytes));
        }
    }

    return collected.ToArray();
}
/// <summary>
/// Returns the raw bytes of the AppCompatCache value from an offline SYSTEM hive and
/// writes a short label to the console for three of the recognised signatures.
/// </summary>
/// <param name="hivePath">Path to the SYSTEM hive file to read.</param>
/// <returns>The unparsed value data.</returns>
/// <exception cref="Exception">
/// Thrown when the path reported by RegistryHeader does not contain "SYSTEM".
/// </exception>
public static byte[] Get(string hivePath)
{
    // Case-sensitive substring match on the reported path, not a content check.
    if (!RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
    {
        throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
    }

    // NOTE(review): ControlSet001 is hard-coded; the control set in use on the
    // source system is the one named by Select\Current.
    ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\Session Manager\AppCompatCache", "AppCompatCache");
    byte[] bytes = vk.GetData();

    // NOTE(review): the data comes from an evidence file; a value shorter than four
    // bytes makes this signature read throw.
    uint signature = BitConverter.ToUInt32(bytes, 0x00);

    // Diagnostic output only; the returned bytes are the same for every signature.
    if (signature == WINXP_MAGIC)
    {
        Console.WriteLine("XP");
    }
    else if (signature == NT5_2_MAGIC)
    {
        Console.WriteLine("5.2");
    }
    else if (signature == NT6_1_MAGIC)
    {
        Console.WriteLine("6.1");
    }

    return bytes;
}
/// <summary>
/// Builds a NetworkList object for every second-level key found under the
/// NetworkList\Signatures key of an offline SOFTWARE hive.
/// </summary>
/// <param name="hivePath">Path to the SOFTWARE hive file to parse.</param>
/// <returns>One NetworkList instance per subkey of each key under Signatures.</returns>
/// <exception cref="Exception">
/// Thrown when the path reported by RegistryHeader does not contain "SOFTWARE".
/// </exception>
public static NetworkList[] GetInstances(string hivePath)
{
    // Case-sensitive substring match on the reported path; the hive contents are
    // not validated here.
    bool looksLikeSoftware = RegistryHeader.Get(hivePath).HivePath.Contains("SOFTWARE");
    if (!looksLikeSoftware)
    {
        throw new Exception("Invalid SOFTWARE hive provided to -HivePath parameter.");
    }

    string Key = @"Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures";
    byte[] hiveBytes = Registry.Helper.GetHiveBytes(hivePath);
    NamedKey[] signatureKeys = NamedKey.GetInstances(hiveBytes, hivePath, Key);

    List<NetworkList> networks = new List<NetworkList>();
    for (int i = 0; i < signatureKeys.Length; i++)
    {
        NamedKey parent = signatureKeys[i];

        // Keys without children contribute nothing.
        if (parent.NumberOfSubKeys == 0)
        {
            continue;
        }

        foreach (NamedKey child in parent.GetSubKeys(hiveBytes, parent.FullName))
        {
            networks.Add(new NetworkList(child, hiveBytes));
        }
    }

    return networks.ToArray();
}
/// <summary>
/// Builds a SecurityIdentifier from the tail of the "V" value under
/// SAM\Domains\Account in an offline SAM hive.
/// </summary>
/// <param name="hivePath">Path to the SAM hive file to read.</param>
/// <returns>
/// The identifier constructed from the value data starting 0x18 bytes before its end
/// (presumably the machine SID; confirm against the SAM layout).
/// </returns>
/// <exception cref="Exception">
/// Thrown when the path reported by RegistryHeader does not contain "SAM".
/// </exception>
public static SecurityIdentifier Get(string hivePath)
{
    // Case-sensitive substring match on the reported path, not a content check.
    if (!RegistryHeader.Get(hivePath).HivePath.Contains("SAM"))
    {
        throw new Exception("Invalid SAM hive provided to -HivePath parameter.");
    }

    ValueKey vk = ValueKey.Get(hivePath, @"SAM\Domains\Account", "V");

    var valueData = vk.GetData();

    // NOTE(review): the value comes from an evidence file. When DataLength is
    // below 0x18 this offset goes negative and the failure surfaces from the
    // SecurityIdentifier constructor rather than from a check here.
    int sidOffset = (int)vk.DataLength - 0x18;

    return new SecurityIdentifier(valueData, sidOffset);
}
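/// <summary>
/// Reads the Windows NT CurrentVersion key from an offline SOFTWARE hive and wraps
/// it in a WindowsVersion object.
/// </summary>
/// <param name="hivePath">Path to the SOFTWARE hive file to read.</param>
/// <returns>A WindowsVersion built from the CurrentVersion key.</returns>
/// <exception cref="Exception">
/// Thrown when the path reported by RegistryHeader does not contain "SOFTWARE".
/// </exception>
public static WindowsVersion Get(string hivePath)
{
    // Case-sensitive substring match on the reported path, not a content check.
    if (!RegistryHeader.Get(hivePath).HivePath.Contains("SOFTWARE"))
    {
        throw new Exception("Invalid SOFTWARE hive provided to -HivePath parameter.");
    }

    byte[] bytes = Helper.GetHiveBytes(hivePath);

    // The key name was previously spelled "Micosoft", which matches no key in a
    // SOFTWARE hive, so the lookup could never find the version information.
    NamedKey nk = NamedKey.Get(bytes, hivePath, @"Microsoft\Windows NT\CurrentVersion");

    return new WindowsVersion(nk);
}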
/// <summary>
/// Builds a Timezone object from the TimeZoneKeyName value of an offline SYSTEM hive
/// combined with time zone details of the machine running this code.
/// </summary>
/// <param name="hivePath">Path to the SYSTEM hive file to read.</param>
/// <returns>
/// A Timezone whose first field is decoded from the hive and whose remaining fields
/// come from TimeZone.CurrentTimeZone.
/// </returns>
/// <exception cref="Exception">
/// Thrown when the path reported by RegistryHeader does not contain "SYSTEM".
/// </exception>
public static Timezone Get(string hivePath)
{
    // Case-sensitive substring match on the reported path, not a content check.
    if (!RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
    {
        throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
    }

    // NOTE(review): ControlSet001 is hard-coded; the control set in use on the
    // source system is the one named by Select\Current.
    ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");

    // NOTE(review): the standard name, daylight name and DST flag below describe the
    // analysis workstation at the moment of the call, not the system the hive was
    // taken from. Only the key name is evidence-derived, so these fields are
    // unreliable for timeline work when the two machines sit in different zones.
    TimeZone examinerZone = TimeZone.CurrentTimeZone;

    // NOTE(review): every byte returned by GetData is decoded; if that buffer
    // carries the terminating NUL it ends up in the string. Confirm.
    string keyName = System.Text.Encoding.Unicode.GetString(vk.GetData());
    string standardName = examinerZone.StandardName;
    string daylightName = examinerZone.DaylightName;
    bool isDaylightNow = examinerZone.IsDaylightSavingTime(DateTime.Now);

    return new Timezone(keyName, standardName, daylightName, isDaylightNow);
}