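        /// <summary>
        /// Reads the raw AppCompatCache (Shimcache) value from an offline SYSTEM hive and
        /// prints which on-disk format its leading 4-byte magic indicates.
        /// </summary>
        /// <param name="hivePath">Path to the SYSTEM hive file.</param>
        /// <returns>The raw bytes of the AppCompatCache value.</returns>
        /// <exception cref="Exception">The hive header does not identify a SYSTEM hive.</exception>
        /// <exception cref="InvalidOperationException">The value is shorter than the 4-byte magic.</exception>
        public static byte[] Get(string hivePath)
        {
            // The hive-type check uses the path recorded inside the hive header, not the
            // file name the caller passed in.
            if (!RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
            {
                throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
            }

            // NOTE(review): ControlSet001 is hard-coded rather than resolved through Select\Current — confirm.
            ValueKey vk    = ValueKey.Get(hivePath, @"ControlSet001\Control\Session Manager\AppCompatCache", "AppCompatCache");
            byte[]   bytes = vk.GetData();

            // BitConverter.ToUInt32 throws a generic ArgumentException on fewer than 4 bytes;
            // fail with a message that names the actual problem.
            if (bytes == null || bytes.Length < 4)
            {
                throw new InvalidOperationException("AppCompatCache value is too short to contain a format magic.");
            }

            switch (BitConverter.ToUInt32(bytes, 0x00))
            {
            case WINXP_MAGIC:
                Console.WriteLine("XP");
                break;

            // Windows 5.2 and 6.0 (Server 2003, Vista, & Server 2008)
            case NT5_2_MAGIC:
                Console.WriteLine("5.2");
                break;

            case NT6_1_MAGIC:
                Console.WriteLine("6.1");
                break;

            default:
                // Unrecognised magic: the bytes are still returned so the caller can inspect them.
                break;
            }

            return(bytes);
        }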
        /// <summary>
        /// Slicing a 4-dimensional cube down to (name, qty) must keep the totals of the
        /// full cube, both with and without a row filter, and a zero-dimension slice
        /// must equal the grand total.
        /// </summary>
        public void PivotData_Slice()
        {
            var rows = generateData();
            var full = new PivotData(new[] { "name", "date", "qty", "total" }, new CountAggregatorFactory(), rows);

            // Dropping two of four dimensions leaves exactly two.
            var byNameQty = full.Slice(new[] { "name", "qty" }, false);
            Assert.Equal(2, byNameQty.Dimensions.Length);

            // A point in the slice equals the matching partial total of the full cube.
            var test0Qty0 = new ValueKey("Test0", 0);
            Assert.Equal(full["Test0", Key.Empty, 0, Key.Empty].Value, byNameQty[test0Qty0].Value);

            // Grand totals agree between cube and slice.
            Assert.Equal(full[Key.Empty, Key.Empty, Key.Empty, Key.Empty].Value, byNameQty[Key.Empty, Key.Empty].Value);

            // A filtered slice keeping only "Test0" rows holds half of the grand total.
            var onlyTest0 = full.Slice(new[] { "name", "qty" }, false, v => v.Key.DimKeys[0].Equals("Test0"));
            Assert.Equal(((uint)full[Key.Empty, Key.Empty, Key.Empty, Key.Empty].Value) / 2, onlyTest0[Key.Empty, Key.Empty].Value);

            // check zero-dim slice
            var zeroDim = onlyTest0.Slice(null, false);
            Assert.Equal(onlyTest0[Key.Empty, Key.Empty].Value, zeroDim[new object[0]].Value);
        }
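        /// <summary>
        /// Parses the Explorer RecentDocs MRU list from an offline NTUSER.DAT hive.
        /// Entries come back in MRUListEx order; only the first entry carries the key's
        /// last-write time, because that is the only timestamp the key provides.
        /// </summary>
        /// <param name="hivePath">Path to the NTUSER.DAT hive file.</param>
        /// <returns>One <see cref="RecentDocs"/> per MRUListEx entry, excluding the list terminator.</returns>
        /// <exception cref="Exception">The file is not an NTUSER.DAT hive.</exception>
        public static RecentDocs[] Get(string hivePath)
        {
            if (!RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                throw new Exception("Invalid NTUSER.DAT hive provided to the -HivePath parameter.");
            }

            string user  = RegistryHelper.GetUserHiveOwner(hivePath);
            byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
            string key   = @"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs";

            NamedKey recentDocsKey = NamedKey.Get(bytes, hivePath, key);
            ValueKey mruListEx     = ValueKey.Get(bytes, hivePath, key, "MRUListEx");
            byte[]   mruListBytes  = (byte[])mruListEx.GetData(bytes);

            // MRUListEx is a run of 32-bit little-endian value indices whose final 4-byte entry is
            // a terminator. The loop never reads that last entry, so the array is sized to the
            // entries actually produced; the old Length / 4 sizing always left a trailing null.
            int entryCount = mruListBytes.Length > 4 ? (mruListBytes.Length - 1) / 4 : 0;
            RecentDocs[] docs = new RecentDocs[entryCount];

            for (int i = 0; i < entryCount; i++)
            {
                string valueName = BitConverter.ToInt32(mruListBytes, i * 4).ToString();
                byte[] valueData = (byte[])ValueKey.Get(bytes, hivePath, key, valueName).GetData(bytes);

                // The value data starts with a null-terminated UTF-16LE name; keep only that part.
                string docName = Encoding.Unicode.GetString(valueData).Split('\0')[0];

                docs[i] = i == 0
                    ? new RecentDocs(user, docName, recentDocsKey.WriteTime)
                    : new RecentDocs(user, docName);
            }

            return(docs);
        }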
        /// <summary>
        /// ValueKey hashing/equality is structural, and the static Key helpers treat only
        /// Key.Empty as empty and compare null-safely.
        /// </summary>
        public void TestHashCodeAndEquals()
        {
            // Keys built from identical (string, int) parts hash and compare equal.
            var intKeyA = new ValueKey("A", 5);
            var intKeyB = new ValueKey("A", 5);
            Assert.Equal(intKeyA.GetHashCode(), intKeyB.GetHashCode());
            Assert.True(intKeyA.Equals(intKeyB));

            // Same for (string, string) parts; keys with different parts neither hash nor compare equal.
            var rowColA = new ValueKey("row_1", "col_1");
            var rowColB = new ValueKey("row_1", "col_1");
            Assert.Equal(rowColA.GetHashCode(), rowColB.GetHashCode());
            Assert.NotEqual(intKeyA.GetHashCode(), rowColA.GetHashCode());
            Assert.True(rowColA.Equals(rowColB));
            Assert.False(rowColB.Equals(intKeyB));

            var rowColOther = new ValueKey("row_2", "col_1");
            Assert.NotEqual(rowColB.GetHashCode(), rowColOther.GetHashCode());
            Assert.False(rowColOther.Equals(rowColA));
            Assert.False(rowColOther.Equals(null));

            // Static helpers: only Key.Empty is empty; Equals handles null on either side.
            Assert.True(Key.IsEmpty(Key.Empty));
            Assert.False(Key.IsEmpty(1));
            Assert.False(Key.IsEmpty(null));
            Assert.True(Key.Equals("A", "A"));
            Assert.False(Key.Equals("A", "B"));
            Assert.False(Key.Equals("A", null));
            Assert.False(Key.Equals(null, "A"));
            Assert.True(Key.Equals(null, null));
        }
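        /// <summary>
        /// Reconstructs the boot key of an offline SYSTEM hive from the class-name data of the
        /// JD, Skew1, GBG and Data subkeys under Control\Lsa of the control set named by
        /// Select\Default, then applies the fixed byte permutation.
        /// </summary>
        /// <param name="systemHive">A parsed SYSTEM hive.</param>
        /// <returns>The 16-byte boot key.</returns>
        /// <exception cref="InvalidOperationException">Fewer than 16 bytes of class data could be recovered.</exception>
        static byte[] GetBootKey(RegistryHive systemHive)
        {
            ValueKey controlSet = GetValueKey(systemHive, "Select\\Default");
            int      cs         = BitConverter.ToInt32(controlSet.Data, 0);

            // Control sets are named ControlSet001, ControlSet002, ...; zero-pad to three digits
            // instead of "ControlSet00" + cs, which produced a wrong name for cs >= 10.
            string controlSetName = "ControlSet" + cs.ToString("D3");

            StringBuilder scrambledKey = new StringBuilder();

            foreach (string key in new string[] { "JD", "Skew1", "GBG", "Data" })
            {
                NodeKey nk = GetNodeKey(systemHive, controlSetName + "\\Control\\Lsa\\" + key);

                // Every other byte of the class data is taken (the name appears to be stored as
                // UTF-16LE), at most eight characters per subkey.
                for (int i = 0; i < nk.ClassnameLength && i < 8; i++)
                {
                    scrambledKey.Append((char)nk.ClassnameData [i * 2]);
                }
            }

            byte[] skey = StringToByteArray(scrambledKey.ToString());

            // The permutation below indexes up to 15; a short class string would otherwise
            // surface as an IndexOutOfRangeException.
            if (skey.Length < 16)
            {
                throw new InvalidOperationException("Could not recover 16 bytes of boot-key class data from the SYSTEM hive.");
            }

            byte[] descramble = new byte[] { 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
                                             0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 };

            byte[] bootkey = new byte[16];
            for (int i = 0; i < bootkey.Length; i++)
            {
                bootkey[i] = skey [descramble [i]];
            }

            return(bootkey);
        }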
        /// <summary>
        /// NaturalSortKeyComparer orders plain values (strings, numbers, DBNull) and composite
        /// ValueKeys component by component.
        /// </summary>
        public void NaturalSort()
        {
            // Strings sort lexically; DBNull sorts ahead of numbers.
            object[] words   = { "aab", "aaa", "aca" };
            object[] numbers = { 5, 4, DBNull.Value };

            var sortedWords   = new List <object>(words);
            var sortedNumbers = new List <object>(numbers);
            sortedWords.Sort(NaturalSortKeyComparer.Instance);
            sortedNumbers.Sort(NaturalSortKeyComparer.Instance);

            Assert.Equal(words[1], sortedWords[0]);
            Assert.Equal(words[0], sortedWords[1]);

            Assert.Equal(numbers[2], sortedNumbers[0]);
            Assert.Equal(numbers[1], sortedNumbers[1]);

            // Composite keys: the first differing component decides.
            var jan2015 = new DateTime(2015, 1, 1);
            ValueKey[] keys =
            {
                new ValueKey("aab", 5, jan2015),
                new ValueKey("aaa", 5, jan2015),
                new ValueKey("aab", 4, jan2015),
                new ValueKey("aab", 5, new DateTime(2014, 1, 1))
            };

            var sortedKeys = new List <ValueKey>(keys);
            sortedKeys.Sort(NaturalSortKeyComparer.Instance);

            Assert.Equal(keys[1], sortedKeys[0]);
            Assert.Equal(keys[2], sortedKeys[1]);
            Assert.Equal(keys[3], sortedKeys[2]);
        }
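 /// <summary>
 /// Builds a NOT question from its tokenised form: the operand key is token 1 and the
 /// result key is token 3.
 /// </summary>
 /// <param name="splittedItems">The whitespace-split tokens of the question line.</param>
 /// <exception cref="ArgumentException">Fewer than four tokens were supplied.</exception>
 public QuestionNot(string[] splittedItems)
     : base(String.Join(" ", splittedItems))
 {
     // Tokens 1 and 3 are read below; report a malformed line instead of an IndexOutOfRangeException.
     if (splittedItems.Length < 4)
     {
         throw new ArgumentException("A NOT question needs at least four tokens.", "splittedItems");
     }

     base.Operation = Operations.Not;
     Value1         = new ValueKey(splittedItems[1], 0);
     Result         = new ValueKey(splittedItems[3], 0);
 }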
        /// <inheritdoc/>
        /// <remarks>
        /// Writes the field value under the name "value": entity values as their formatted key
        /// (empty string when there is no key), structures as a regular tuple, everything
        /// else with the field's declared value type.
        /// </remarks>
        protected override void GetObjectData(SerializationInfo info, StreamingContext context)
        {
            base.GetObjectData(info, context);
            var structureValue = Value as Structure;

            if (typeof(IEntity).IsAssignableFrom(Field.ValueType))
            {
                // Entity values are persisted by key; no key serialises as an empty string.
                object serializedKey = string.Empty;
                if (ValueKey != null)
                {
                    serializedKey = ValueKey.Format();
                }
                info.AddValue("value", serializedKey);
                return;
            }

            if (structureValue != null)
            {
                // Structures are persisted in their regular tuple form.
                info.AddValue("value", structureValue.Tuple.ToRegular(), typeof(Tuple));
                return;
            }

            info.AddValue("value", Value, Field.ValueType);
        }
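        /// <summary>
        /// Reads TimeZoneKeyName from an offline SYSTEM hive and pairs it with the standard and
        /// daylight names and current DST state of the machine running this code.
        /// </summary>
        /// <param name="hivePath">Path to the SYSTEM hive file.</param>
        /// <returns>A <see cref="Timezone"/> built from the hive's key name.</returns>
        public static Timezone Get(string hivePath)
        {
            // NOTE(review): ControlSet001 is hard-coded rather than resolved through Select\Current — confirm.
            ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");

            // REG_SZ data includes its terminating null; strip it so the name is clean.
            string keyName = System.Text.Encoding.Unicode.GetString(vk.GetData()).TrimEnd('\0');

            // NOTE(review): the names and DST flag below describe the analysis machine's zone,
            // not the examined hive's — confirm callers expect that.
            TimeZone tz = TimeZone.CurrentTimeZone;

            return(new Timezone(keyName, tz.StandardName, tz.DaylightName, tz.IsDaylightSavingTime(DateTime.Now)));
        }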
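        /// <summary>
        /// Prints every subkey of the Uninstall key of an offline SOFTWARE hive with its
        /// DisplayVersion and InstallLocation values where present.
        /// </summary>
        /// <param name="softwareHive">A parsed SOFTWARE hive.</param>
        static void ListInstalledSoftware(RegistryHive softwareHive)
        {
            NodeKey key = GetNodeKey(softwareHive, "Microsoft\\Windows\\CurrentVersion\\Uninstall");

            foreach (NodeKey child in key.ChildNodes)
            {
                Console.WriteLine("Found: " + child.Name);

                // FirstOrDefault rather than SingleOrDefault: a duplicated value name in a damaged
                // hive should not abort the whole listing with InvalidOperationException.
                // NOTE(review): data is decoded as UTF-8 as before; REG_SZ in a hive is normally
                // UTF-16LE, so confirm how .Data is exposed before trusting the text.
                ValueKey val = child.ChildValues.FirstOrDefault(v => v.Name == "DisplayVersion");

                if (val != null)
                {
                    string version = System.Text.Encoding.UTF8.GetString(val.Data);
                    Console.WriteLine("\tVersion: " + version);
                }

                val = child.ChildValues.FirstOrDefault(v => v.Name == "InstallLocation");

                if (val != null)
                {
                    string location = System.Text.Encoding.UTF8.GetString(val.Data);
                    Console.WriteLine("\tLocation: " + location);
                }

                Console.WriteLine("----");
            }
        }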
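        /// <summary>
        /// Parses the AppCompatCache (Shimcache) value of an offline SYSTEM hive, picking the
        /// format-specific parser from the 4-byte magic at the start of the data.
        /// </summary>
        /// <param name="hivePath">Path to the SYSTEM hive file.</param>
        /// <returns>The parsed entries, or null when the magic (or the data length) is not recognised.</returns>
        /// <exception cref="Exception">The file is not a SYSTEM hive, or the AppCompatCache value cannot be found.</exception>
        public static Shimcache[] GetInstancesByPath(string hivePath)
        {
            if (!RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
            {
                throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
            }

            string   keyPath = @"ControlSet001\Control\Session Manager\AppCompatCache";
            ValueKey vk      = null;

            // Try the primary key path first and fall back to the older path when it is absent.
            try
            {
                vk = ValueKey.Get(hivePath, keyPath, "AppCompatCache");
            }
            catch (Exception)
            {
                try
                {
                    keyPath = @"ControlSet001\Control\Session Manager\AppCompatibility";
                    vk      = ValueKey.Get(hivePath, keyPath, "AppCompatCache");
                }
                catch (Exception)
                {
                    throw new Exception("Error finding AppCompatCache registry value");
                }
            }

            byte[] bytes = (byte[])vk.GetData();

            // Some formats have architecture-dependent layouts, so the parsers receive the arch string.
            string arch = (string)ValueKey.Get(hivePath, @"ControlSet001\Control\Session Manager\Environment", "PROCESSOR_ARCHITECTURE").GetData();

            // Too short to hold a magic: treat like an unknown format instead of letting
            // BitConverter throw an ArgumentException.
            if (bytes == null || bytes.Length < 4)
            {
                return(null);
            }

            switch (BitConverter.ToUInt32(bytes, 0x00))
            {
            // Windows XP
            case WINXP_MAGIC:
                return(GetDEADBEEF(bytes));

            // Server 2003, Windows Vista, Server 2008
            case NT5dot2_MAGIC:
                return(GetBADC0FFE(bytes, arch));

            // Windows 7 and Server 2008 R2
            case NT6dot1_MAGIC:
                return(GetBADC0FEE(bytes, arch));

            // Windows 8
            // Windows 8.1
            case WIN8dot1_MAGIC:
                return(Get00000080(bytes));

            // Windows 10
            case WIN10_MAGIC:
                return(Get00000030(bytes));

            default:
                return(null);
            }
        }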
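        /// <summary>
        /// Window showing one registry value: its name, its numeric type, and a textual
        /// rendering of its data chosen by the value type.
        /// </summary>
        /// <param name="key">The value to display.</param>
        public ValueKeyInfo(ValueKey key) :
            base(Gtk.WindowType.Toplevel)
        {
            this.Build();
            this.SetSizeRequest(300, 200);
            VBox vbox = new VBox(false, 10);

            Label name = new Label("Name: " + key.Name);

            // Start empty so an unhandled value type (or null data) cannot leave String null
            // and crash on Trim() below.
            this.String = string.Empty;

            if (key.Data != null)
            {
                switch (key.ValueType)
                {
                case 1:   // REG_SZ
                case 2:   // REG_EXPAND_SZ
                    this.String = System.Text.Encoding.Unicode.GetString(key.Data);
                    break;

                case 3:   // REG_BINARY
                case 4:   // REG_DWORD
                    this.String = BitConverter.ToString(key.Data).Replace('-', ' ');
                    break;

                case 7:   // REG_MULTI_SZ
                    // The data is one UTF-16LE block of null-terminated strings, closed by an
                    // empty terminator. Decode the whole block and split on the decoded '\0';
                    // splitting the raw bytes on 0x00 cut every ASCII character in half because
                    // its high byte is zero.
                    foreach (string str in System.Text.Encoding.Unicode.GetString(key.Data).Split('\0'))
                    {
                        if (str.Length > 0)
                        {
                            this.String += str + "\n";
                        }
                    }
                    break;
                }
            }

            Label data = new Label(this.String.Trim());

            vbox.PackStart(name, false, false, 0);
            data.Wrap    = true;
            data.Justify = Justification.Fill;
            vbox.PackStart(new Label("Data type: " + key.ValueType), false, false, 0);
            vbox.PackStart(data, true, true, 0);

            this.Add(vbox);
            this.ShowAll();
        }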
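 /// <summary>
 /// Builds a left-shift question from its tokenised form: the operand key is token 0,
 /// the shift amount is token 2 (parsed as an unsigned 16-bit number) and the result
 /// key is token 4.
 /// </summary>
 /// <param name="splittedItems">The whitespace-split tokens of the question line.</param>
 /// <exception cref="ArgumentException">Fewer than five tokens were supplied.</exception>
 /// <exception cref="FormatException">Token 2 is not a number.</exception>
 /// <exception cref="OverflowException">Token 2 does not fit in 16 bits.</exception>
 public QuestionLShift(string[] splittedItems)
     : base(String.Join(" ", splittedItems))
 {
     // Tokens 0, 2 and 4 are read below; report a malformed line instead of an IndexOutOfRangeException.
     if (splittedItems.Length < 5)
     {
         throw new ArgumentException("A left-shift question needs at least five tokens.", "splittedItems");
     }

     base.Operation = Operations.LShift;
     base.Value1    = new ValueKey(splittedItems[0], 0);
     base.Value2    = new ValueKey("", Convert.ToUInt16(splittedItems[2]));
     Result         = new ValueKey(splittedItems[4], 0);
 }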
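 /// <summary>
 /// Builds an OR question from its tokenised form: the operand keys are tokens 0 and 2
 /// and the result key is token 4.
 /// </summary>
 /// <param name="splittedItems">The whitespace-split tokens of the question line.</param>
 /// <exception cref="ArgumentException">Fewer than five tokens were supplied.</exception>
 public QuestionOr(string[] splittedItems)
     : base(String.Join(" ", splittedItems))
 {
     // Tokens 0, 2 and 4 are read below; report a malformed line instead of an IndexOutOfRangeException.
     if (splittedItems.Length < 5)
     {
         throw new ArgumentException("An OR question needs at least five tokens.", "splittedItems");
     }

     base.Operation = Operations.Or;
     base.Value1    = new ValueKey(splittedItems[0], 0);
     base.Value2    = new ValueKey(splittedItems[2], 0);
     Result         = new ValueKey(splittedItems[4], 0);
 }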
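        /// <summary>
        /// Builds one UserAssist entry from a single value: the value name is decoded into the
        /// image path, and the run count, focus time and last-execution FILETIME are read from
        /// fixed offsets of the value data.
        /// </summary>
        /// <param name="user">Owner of the hive the value came from.</param>
        /// <param name="vk">The UserAssist value.</param>
        /// <param name="bytes">The raw hive the value data is read from.</param>
        /// <exception cref="ArgumentException">The value data is too short for the fields read here.</exception>
        private UserAssist(string user, ValueKey vk, byte[] bytes)
        {
            User      = user;
            ImagePath = Decode(vk.Name);

            byte[] data = (byte[])vk.GetData(bytes);

            // The last field read is the 8-byte FILETIME at 0x3C, so anything shorter than 0x44
            // bytes would throw from BitConverter with a far less helpful message.
            // NOTE(review): these offsets match one particular record layout — confirm which
            // Windows versions the caller feeds in.
            if (data == null || data.Length < 0x44)
            {
                throw new ArgumentException("UserAssist value '" + vk.Name + "' is too short for the expected record layout.", "vk");
            }

            RunCount             = BitConverter.ToUInt32(data, 0x04);
            FocusTime            = BitConverter.ToUInt32(data, 0x0C);
            LastExecutionTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64(data, 0x03C));
        }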
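        /// <summary>
        /// Builds one UserAssist entry from a single value: the value name is decoded into the
        /// path, and the run count, focus time and last-execution FILETIME are read from fixed
        /// offsets of the value data.
        /// </summary>
        /// <param name="vk">The UserAssist value.</param>
        /// <param name="bytes">The raw hive the value data is read from.</param>
        /// <exception cref="ArgumentException">The value data is too short for the fields read here.</exception>
        internal UserAssist(ValueKey vk, byte[] bytes)
        {
            Path = Decode(vk.Name);

            byte[] data = vk.GetData(bytes);

            // The last field read is the 8-byte FILETIME at 0x3C, so anything shorter than 0x44
            // bytes would throw from BitConverter with a far less helpful message.
            // NOTE(review): these offsets match one particular record layout — confirm which
            // Windows versions the caller feeds in.
            if (data == null || data.Length < 0x44)
            {
                throw new ArgumentException("UserAssist value '" + vk.Name + "' is too short for the expected record layout.", "vk");
            }

            RunCount             = BitConverter.ToUInt32(data, 0x04);
            FocusTime            = BitConverter.ToUInt32(data, 0x0C);
            LastExecutionTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64(data, 0x03C));
        }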
 /// <summary>
 /// Rebuilds the ValueKey collection with one (region name, emergencies per day) pair
 /// per region, in the fixed display order below.
 /// </summary>
 private void FillOutValueKeyCollection()
 {
     string[] regions =
     {
         "Брестская область",
         "Витебская область",
         "Гомельская область",
         "Гродненская область",
         "Минская область",
         "Могилевская область",
         "г.Минск"
     };

     ValueKey.Clear();
     foreach (string region in regions)
     {
         ValueKey.Add(new KeyValuePair <string, int>(region, GetNumberOfEmergencyPerDay(region)));
     }
 }
        /// <summary>
        /// Two-dimensional cubes: count and sum over generated rows, then count and average
        /// over a small hand-written table addressed by column index.
        /// </summary>
        public void PivotData_2D()
        {
            var rows = generateData();

            // Count by (name, qty): 2 names x 10 quantities, every populated cell holds 100 rows.
            var countByNameQty = new PivotData(new[] { "name", "qty" }, new CountAggregatorFactory(), rows);
            var nameKeys       = countByNameQty.GetDimensionKeys()[0];
            var qtyKeys        = countByNameQty.GetDimensionKeys()[1];

            Assert.Equal(2, nameKeys.Length);
            Assert.Equal(10, qtyKeys.Length);
            foreach (var nameKey in nameKeys)
            {
                foreach (var qtyKey in qtyKeys)
                {
                    var cell = countByNameQty[nameKey, qtyKey];
                    if (cell.Count > 0)
                    {
                        Assert.Equal(100, Convert.ToInt32(cell.Value));
                    }
                }
            }

            // Sum of "i" by (name, date): 42 distinct dates, Test0 row total of 1000.
            var sumByNameDate = new PivotData(new[] { "name", "date" }, new SumAggregatorFactory("i"), rows);

            Assert.Equal(2, sumByNameDate.GetDimensionKeys()[0].Length);
            Assert.Equal(42, sumByNameDate.GetDimensionKeys()[1].Length);

            var test0RowTotal = new ValueKey("Test0", Key.Empty);
            Assert.Equal(1000M, sumByNameDate[test0RowTotal].Value);

            // calc test: rows are { group, num, amount }, fields addressed by column index.
            object[][] calcRows =
            {
                new object[] { "A", 10, 50 },
                new object[] { "A", 15, 40 },
                new object[] { "B", 20, 50 },
                new object[] { "B", 25, 60 },
                new object[] { "C", 10, 0 }
            };
            Func <object, string, object> columnOf = (row, column) => ((object[])row)[Convert.ToInt32(column)];

            var countByGroupNum = new PivotData(new[] { "0", "1" }, new CountAggregatorFactory());
            countByGroupNum.ProcessData(calcRows, columnOf);
            Assert.Equal(2, Convert.ToInt32(countByGroupNum["A", Key.Empty].Value));
            Assert.Equal(1, Convert.ToInt32(countByGroupNum["C", Key.Empty].Value));

            var avgByGroupNum = new PivotData(new[] { "0", "1" }, new AverageAggregatorFactory("2"));
            avgByGroupNum.ProcessData(calcRows, columnOf);
            Assert.Equal(45M, avgByGroupNum["A", Key.Empty].Value);
            Assert.Equal(0M, avgByGroupNum["C", Key.Empty].Value);
            Assert.Equal(25M, avgByGroupNum[Key.Empty, 10].Value);
        }
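        /// <summary>
        /// Reads TimeZoneKeyName from the selected SYSTEM hive and writes a Timezone object
        /// built from that name plus the standard/daylight names and DST state of the
        /// machine running the cmdlet.
        /// </summary>
        protected override void ProcessRecord()
        {
            // Without -Path, fall back to the live hive of the local machine.
            if (!(this.MyInvocation.BoundParameters.ContainsKey("Path")))
            {
                hivePath = @"C:\Windows\system32\config\SYSTEM";
            }

            // NOTE(review): ControlSet001 is hard-coded rather than resolved through Select\Current — confirm.
            ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");

            // REG_SZ data includes its terminating null; strip it so the name is clean.
            string keyName = System.Text.Encoding.Unicode.GetString(vk.GetData()).TrimEnd('\0');

            // NOTE(review): the names and DST flag below describe the analysis machine's zone,
            // not the examined hive's — confirm that is the intended output.
            TimeZone tz = TimeZone.CurrentTimeZone;

            WriteObject(new InvokeIR.PowerForensics.Artifacts.Timezone(keyName, tz.StandardName, tz.DaylightName, tz.IsDaylightSavingTime(DateTime.Now)));
        } // ProcessRecord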
 /// <summary>
 /// Reads TimeZoneKeyName from an offline SYSTEM hive and wraps it in a Timezone.
 /// </summary>
 /// <param name="hivePath">Path to the SYSTEM hive file.</param>
 /// <returns>A <see cref="Timezone"/> built from the hive's key name.</returns>
 /// <exception cref="Exception">The file is not a SYSTEM hive.</exception>
 public static Timezone GetByPath(string hivePath)
 {
     if (!RegistryHelper.isCorrectHive(hivePath, "SYSTEM"))
     {
         throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
     }

     ValueKey keyNameValue = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");
     string   keyName      = (string)keyNameValue.GetData();

     return(new Timezone(keyName));
 }
 /// <summary>
 /// Reads the SID stored at the tail of the SAM\Domains\Account "V" value (0x18 bytes
 /// before its end) of an offline SAM hive.
 /// </summary>
 /// <param name="hivePath">Path to the SAM hive file.</param>
 /// <returns>The <see cref="SecurityIdentifier"/> parsed from that offset.</returns>
 /// <exception cref="Exception">The file is not a SAM hive.</exception>
 public static SecurityIdentifier GetByPath(string hivePath)
 {
     if (!RegistryHelper.isCorrectHive(hivePath, "SAM"))
     {
         throw new Exception("Invalid SAM hive provided to -HivePath parameter.");
     }

     ValueKey accountV = ValueKey.Get(hivePath, @"SAM\Domains\Account", "V");
     byte[]   data     = (byte[])accountV.GetData();
     int      sidStart = (int)accountV.DataLength - 0x18;

     return(new SecurityIdentifier(data, sidStart));
 }
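        /// <summary>
        /// Prepares a splitter over <paramref name="innerStream"/> with a character read buffer
        /// of <paramref name="bufferSize"/> and empty line/value scratch state.
        /// </summary>
        /// <param name="innerStream">Character source to split.</param>
        /// <param name="bufferSize">Size of the char read buffer; must be positive.</param>
        /// <exception cref="ArgumentNullException"><paramref name="innerStream"/> is null.</exception>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="bufferSize"/> is not positive.</exception>
        protected CsvSpliter(StreamReader innerStream, int bufferSize)
        {
            if (innerStream == null)
            {
                throw new ArgumentNullException("innerStream");
            }
            // A buffer that cannot hold a single character is never useful; reject it here rather
            // than letting the array allocation fail (or silently succeed with length 0).
            if (bufferSize <= 0)
            {
                throw new ArgumentOutOfRangeException("bufferSize", "Buffer size must be positive.");
            }

            this.innerStream = innerStream;

            this.charBuffer = new char[bufferSize];
            this.charIndex  = 0;

            this.oneLineBuffer = new List <char>();

            this.temporary = new ValueKey();
            this.cache     = new ValueCache();
        }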
 /// <summary>
 /// Reads the SID stored at the tail of the SAM\Domains\Account "V" value (0x18 bytes
 /// before its end) of an offline SAM hive.
 /// </summary>
 /// <param name="hivePath">Path to the SAM hive file.</param>
 /// <returns>The <see cref="SecurityIdentifier"/> parsed from that offset.</returns>
 /// <exception cref="Exception">The hive header does not identify a SAM hive.</exception>
 public static SecurityIdentifier Get(string hivePath)
 {
     if (!RegistryHeader.Get(hivePath).HivePath.Contains("SAM"))
     {
         throw new Exception("Invalid SAM hive provided to -HivePath parameter.");
     }

     ValueKey accountV = ValueKey.Get(hivePath, @"SAM\Domains\Account", "V");
     byte[]   data     = accountV.GetData();
     int      sidStart = (int)accountV.DataLength - 0x18;

     return(new SecurityIdentifier(data, sidStart));
 }
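 /// <summary>
 /// Reads the security descriptor stored in the final 0x18 bytes of the SAM\Domains\Account
 /// "V" value of an offline SAM hive and renders it through Helper.GetSecurityDescriptor.
 /// </summary>
 /// <param name="hivePath">Path to the SAM hive file.</param>
 /// <returns>The rendered security descriptor.</returns>
 /// <exception cref="Exception">The file is not a SAM hive.</exception>
 /// <exception cref="InvalidOperationException">The V value is shorter than 0x18 bytes.</exception>
 public static string GetByPath(string hivePath)
 {
     if (!RegistryHelper.isCorrectHive(hivePath, "SAM"))
     {
         throw new Exception("Invalid SAM hive provided to -HivePath parameter.");
     }

     ValueKey vk    = ValueKey.Get(hivePath, @"SAM\Domains\Account", "V");
     byte[]   bytes = (byte[])vk.GetData();

     // A truncated value would otherwise produce a negative start offset inside GetSubArray.
     if (bytes == null || bytes.Length < 0x18)
     {
         throw new InvalidOperationException("SAM\\Domains\\Account 'V' value is shorter than the 0x18-byte security descriptor.");
     }

     return(Helper.GetSecurityDescriptor(Helper.GetSubArray(bytes, bytes.Length - 0x18, 0x18)));
 }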
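        /// <summary>
        /// Reads TimeZoneKeyName from an offline SYSTEM hive and pairs it with the standard and
        /// daylight names and current DST state of the machine running this code.
        /// </summary>
        /// <param name="hivePath">Path to the SYSTEM hive file.</param>
        /// <returns>A <see cref="Timezone"/> built from the hive's key name.</returns>
        /// <exception cref="Exception">The hive header does not identify a SYSTEM hive.</exception>
        public static Timezone Get(string hivePath)
        {
            if (!RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
            {
                throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
            }

            // NOTE(review): ControlSet001 is hard-coded rather than resolved through Select\Current — confirm.
            ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");

            // REG_SZ data includes its terminating null; strip it so the name is clean.
            string keyName = System.Text.Encoding.Unicode.GetString(vk.GetData()).TrimEnd('\0');

            // NOTE(review): the names and DST flag below describe the analysis machine's zone,
            // not the examined hive's — confirm callers expect that.
            TimeZone tz = TimeZone.CurrentTimeZone;

            return(new Timezone(keyName, tz.StandardName, tz.DaylightName, tz.IsDaylightSavingTime(DateTime.Now)));
        }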
        /// <summary>
        /// Reads TimeZoneKeyName from an offline SYSTEM hive and pairs it with the standard and
        /// daylight names and current DST state of the machine running this code.
        /// </summary>
        /// <param name="hivePath">Path to the SYSTEM hive file.</param>
        /// <returns>A <see cref="Timezone"/> built from the hive's key name.</returns>
        /// <exception cref="Exception">The file is not a SYSTEM hive.</exception>
        public static Timezone Get(string hivePath)
        {
            if (!RegistryHelper.isCorrectHive(hivePath, "SYSTEM"))
            {
                throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
            }

            ValueKey keyNameValue = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");
            string   keyName      = (string)keyNameValue.GetData();

            // NOTE(review): the remaining fields describe the analysis machine's zone, not the hive's.
            TimeZone local = TimeZone.CurrentTimeZone;

            return(new Timezone(keyName, local.StandardName, local.DaylightName, local.IsDaylightSavingTime(DateTime.Now)));
        }
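        /// <summary>
        /// Parses an "Area..."-prefixed string into <c>item.AreaName</c> via the MapAreaName enum.
        /// </summary>
        /// <param name="item">The NPC record being filled in.</param>
        /// <param name="value">Raw parsed value; must be a string starting with "Area".</param>
        /// <param name="parsedFile">Source file, passed through to failure reporting.</param>
        /// <param name="parsedKey">Source key, passed through to failure reporting.</param>
        /// <returns>The result of the enum conversion, or of Program.ReportFailure when the value is rejected.</returns>
        private bool ParseAreaName(PgNpc item, object value, string parsedFile, string parsedKey)
        {
            if (!(value is string areaKey))
            {
                return(Program.ReportFailure(parsedFile, parsedKey, $"Value '{value}' was expected to be a string"));
            }

            // Ordinal: "Area" is a fixed token in a data file, so the match must not vary with
            // the current culture.
            if (!areaKey.StartsWith("Area", StringComparison.Ordinal))
            {
                return(Program.ReportFailure(parsedFile, parsedKey, $"Invalid area name '{areaKey}'"));
            }

            string areaName = areaKey.Substring("Area".Length);

            return(StringToEnumConversion <MapAreaName> .SetEnum((MapAreaName valueEnum) => item.AreaName = valueEnum, areaName));
        }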
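        /// <summary>
        /// Parses the Explorer WordWheelQuery MRU list (search terms) from an offline NTUSER.DAT hive.
        /// </summary>
        /// <param name="hivePath">Path to the NTUSER.DAT hive file.</param>
        /// <returns>
        /// One <see cref="WordWheelQuery"/> per MRUListEx entry in list order, or null when the
        /// WordWheelQuery key cannot be read.
        /// </returns>
        /// <exception cref="Exception">The file is not an NTUSER.DAT hive.</exception>
        public static WordWheelQuery[] Get(string hivePath)
        {
            if (!RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
            }

            string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery";

            byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);

            // Probe for the key; an unreadable key is reported as null, as before.
            try
            {
                NamedKey.Get(bytes, hivePath, Key);
            }
            catch (Exception)
            {
                return(null);
            }

            ValueKey MRUList      = ValueKey.Get(bytes, hivePath, Key, "MRUListEx");
            byte[]   MRUListBytes = (byte[])MRUList.GetData(bytes);

            // MRUListEx is a run of 32-bit value indices whose last 4-byte entry is a terminator.
            // Size the result from the list itself rather than from the key's value count: the two
            // can disagree, which previously meant IndexOutOfRangeException or trailing nulls.
            int entryCount = MRUListBytes.Length > 4 ? (MRUListBytes.Length - 1) / 4 : 0;
            WordWheelQuery[] dataStrings = new WordWheelQuery[entryCount];

            // Resolved once instead of once per entry.
            string owner = RegistryHelper.GetUserHiveOwner(hivePath);

            for (int i = 0; i < entryCount; i++)
            {
                string valueName = BitConverter.ToUInt32(MRUListBytes, i * 4).ToString();
                object data      = ValueKey.Get(bytes, hivePath, Key, valueName).GetData(bytes);

                // GetData hands back either a decoded string or raw UTF-16LE bytes.
                string SearchString = data as string ?? Encoding.Unicode.GetString((byte[])data);

                dataStrings[i] = new WordWheelQuery(owner, SearchString);
            }

            return(dataStrings);
        }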
        /// <summary>
        /// Reads the Explorer RunMRU list (Run-dialog history) from an offline NTUSER.DAT hive.
        /// Returns null when either the RunMRU key or its MRUList value cannot be read.
        /// </summary>
        /// <param name="hivePath">Path to the NTUSER.DAT hive file.</param>
        /// <returns>One <see cref="RunMRU"/> per list entry, or null when the key/value is missing.</returns>
        /// <exception cref="Exception">The file is not an NTUSER.DAT hive.</exception>
        public static RunMRU[] Get(string hivePath)
        {
            if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                string user = RegistryHelper.GetUserHiveOwner(hivePath);
                string Key  = @"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU";

                byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);

                NamedKey RunMRUKey = null;
                ValueKey MRUList   = null;

                try
                {
                    RunMRUKey = NamedKey.Get(bytes, hivePath, Key);
                }
                catch
                {
                    return(null);
                }

                try
                {
                    MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUList");
                }
                catch
                {
                    return(null);
                }

                // Sized by the number of values under the key minus the MRUList value itself.
                RunMRU[] RunMRUStrings = new RunMRU[RunMRUKey.NumberOfValues - 1];

                byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);

                // NOTE(review): this loop looks wrong and should be confirmed against a real hive.
                // MRUValue is the *entire* decoded MRUList on every iteration, not the i-th entry, so
                // each pass looks up the same (probably non-existent) value name; and the list is
                // walked in 4-byte steps although MRUList (unlike MRUListEx) is a string of
                // single-character value names. If GetData returns UTF-16LE bytes, decoding as
                // ASCII also interleaves '\0' characters. Compare with the MRUListEx handling in
                // the sibling artifacts before relying on this output.
                for (int i = 0; i <= MRUListBytes.Length - 4; i += 4)
                {
                    string MRUValue = Encoding.ASCII.GetString(MRUListBytes).TrimEnd('\0');
                    RunMRUStrings[i / 4] = new RunMRU(user, (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
                }

                return(RunMRUStrings);
            }
            else
            {
                throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
            }
        }
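        /// <summary>
        /// Parses the Explorer ComDlg32 LastVisited MRU list from an offline NTUSER.DAT hive,
        /// trying the LastVisitedPidlMRU key first and LastVisitedMRU as a fallback.
        /// </summary>
        /// <param name="hivePath">Path to the NTUSER.DAT hive file.</param>
        /// <returns>
        /// One <see cref="LastVisitedMRU"/> per MRUListEx entry in list order, or null when
        /// neither key can be read.
        /// </returns>
        /// <exception cref="Exception">The file is not an NTUSER.DAT hive.</exception>
        public static LastVisitedMRU[] Get(string hivePath)
        {
            if (!RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
            }

            string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU";

            byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);

            // Probe the primary key, then the fallback; if neither is readable report null, as before.
            try
            {
                NamedKey.Get(bytes, hivePath, Key);
            }
            catch (Exception)
            {
                try
                {
                    Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU";
                    NamedKey.Get(bytes, hivePath, Key);
                }
                catch (Exception)
                {
                    return(null);
                }
            }

            ValueKey MRUList      = ValueKey.Get(bytes, hivePath, Key, "MRUListEx");
            byte[]   MRUListBytes = (byte[])MRUList.GetData(bytes);

            // MRUListEx is a run of 32-bit value indices whose last 4-byte entry is a terminator.
            // Size the result from the list itself rather than from the key's value count: the two
            // can disagree, which previously meant IndexOutOfRangeException or trailing nulls.
            int entryCount = MRUListBytes.Length > 4 ? (MRUListBytes.Length - 1) / 4 : 0;
            LastVisitedMRU[] dataStrings = new LastVisitedMRU[entryCount];

            // Resolved once instead of once per entry.
            string owner = RegistryHelper.GetUserHiveOwner(hivePath);

            for (int i = 0; i < entryCount; i++)
            {
                string valueName = BitConverter.ToUInt32(MRUListBytes, i * 4).ToString();
                dataStrings[i] = new LastVisitedMRU(owner, (string)ValueKey.Get(bytes, hivePath, Key, valueName).GetData(bytes));
            }

            return(dataStrings);
        }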