public Windows8x(byte[] rawBytes, AppCompatCache.OperatingSystemVersion os, string computerName)
{
Entries = new List <CacheEntry>();
var index = 128;
var signature = "00ts";
if (os == AppCompatCache.OperatingSystemVersion.Windows81_Windows2012R2)
{
signature = "10ts";
}
var position = 0;
while (index < rawBytes.Length)
{
try
{
var ce = new CacheEntry
{
Signature = Encoding.ASCII.GetString(rawBytes, index, 4)
};
if (ce.Signature != signature)
{
break;
}
ce.ComputerName = computerName;
index += 4;
// skip 4 unknown
index += 4;
var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
index += 4;
ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
index += 2;
ce.Path = Encoding.Unicode.GetString(rawBytes, index, ce.PathSize);
index += ce.PathSize;
// skip 4 unknown (insertion flags?)
var Flag = BitConverter.ToInt32(rawBytes, index);
Flag = Flag & 2;
if (Flag == 2)
{
ce.Flag = "Executed";
}
index += 4;
// skip 4 unknown (shim flags?)
index += 4;
// skip 2 unknown
index += 2;
ce.LastModified =
DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index));
ce.TimeZone = ce.LastModified.ToString("zzz");
index += 8;
ce.DataSize = BitConverter.ToInt32(rawBytes, index);
index += 4;
ce.Data = rawBytes.Skip(index).Take(ce.DataSize).ToArray();
index += ce.DataSize;
ce.EntryPosition = position;
Entries.Add(ce);
position += 1;
}
catch (Exception ex)
{
//TODO report this
//take what we can get
Console.Error.WriteLine($"Error parsing cache entry. Position: {position} Index: {index}, Error: {ex.Message} ");
break;
}
}
}
public Windows8x(byte[] rawBytes, AppCompatCache.OperatingSystemVersion os, int controlSet)
{
Entries = new List <CacheEntry>();
var index = 128;
var signature = "00ts";
ControlSet = controlSet;
EntryCount = -1;
if (os == AppCompatCache.OperatingSystemVersion.Windows81_Windows2012R2)
{
signature = "10ts";
}
var position = 0;
while (index < rawBytes.Length)
{
try
{
var ce = new CacheEntry
{
Signature = Encoding.ASCII.GetString(rawBytes, index, 4)
};
if (ce.Signature != signature)
{
break;
}
index += 4;
// skip 4 unknown
index += 4;
var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
index += 4;
ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
index += 2;
ce.Path = Encoding.Unicode.GetString(rawBytes, index, ce.PathSize).Replace(@"\??\", "");
index += ce.PathSize;
var packageLen = BitConverter.ToUInt16(rawBytes, index);
index += 2;
//skip package data
index += packageLen;
// skip 4 unknown (insertion flags?)
ce.InsertFlags = (AppCompatCache.InsertFlag)BitConverter.ToInt32(rawBytes, index);
index += 4;
// skip 4 unknown (shim flags?)
index += 4;
ce.LastModifiedTimeUTC =
DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
index += 8;
ce.DataSize = BitConverter.ToInt32(rawBytes, index);
index += 4;
ce.Data = rawBytes.Skip(index).Take(ce.DataSize).ToArray();
index += ce.DataSize;
if ((ce.InsertFlags & AppCompatCache.InsertFlag.Executed) == AppCompatCache.InsertFlag.Executed)
{
ce.Executed = AppCompatCache.Execute.Yes;
}
else
{
ce.Executed = AppCompatCache.Execute.No;
}
ce.ControlSet = controlSet;
ce.CacheEntryPosition = position;
Entries.Add(ce);
position += 1;
}
catch (Exception ex)
{
var _log = LogManager.GetCurrentClassLogger();
_log.Error($"Error parsing cache entry. Position: {position} Index: {index}, Error: {ex.Message} ");
//TODO report this
//take what we can get
break;
}
}
}
public Windows8x(byte[] rawBytes, AppCompatCache.OperatingSystemVersion os)
{
Entries = new List <CacheEntry>();
var index = 128;
var signature = "00ts";
if (os == AppCompatCache.OperatingSystemVersion.Windows81_Windows2012R2)
{
signature = "10ts";
}
var position = 0;
while (index <= rawBytes.Length)
{
try
{
var ce = new CacheEntry
{
Signature = Encoding.ASCII.GetString(rawBytes, index, 4)
};
if (ce.Signature != signature)
{
break;
}
index += 4;
// skip 4 unknown
index += 4;
var ceDataSize = BitConverter.ToUInt32(rawBytes, index);
index += 4;
ce.PathSize = BitConverter.ToUInt16(rawBytes, index);
index += 2;
ce.Path = Encoding.Unicode.GetString(rawBytes, index, ce.PathSize);
index += ce.PathSize;
// skip 4 unknown (insertion flags?)
index += 4;
// skip 4 unknown (shim flags?)
index += 4;
// skip 2 unknown
index += 2;
ce.LastModifiedTimeUTC =
DateTimeOffset.FromFileTime(BitConverter.ToInt64(rawBytes, index)).ToUniversalTime();
index += 8;
ce.DataSize = BitConverter.ToInt32(rawBytes, index);
index += 4;
ce.Data = rawBytes.Skip(index).Take(ce.DataSize).ToArray();
index += ce.DataSize;
ce.CacheEntryPosition = position;
Entries.Add(ce);
position += 1;
}
catch (Exception ex)
{
//TODO report this
//take what we can get
break;
}
}
}
