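/// <summary>
/// Enumerates every event log file under <c>\Windows\system32\winevt\Logs</c> on the given
/// volume through the NTFS index and returns the records parsed from each of them.
/// </summary>
/// <param name="volume">Volume identifier; normalised in place by <see cref="Helper.getVolumeName"/>.</param>
/// <returns>All records parsed from every log file that could be read; never <c>null</c>.</returns>
public static EventRecord[] GetInstances(string volume)
{
    Helper.getVolumeName(ref volume);

    string volLetter = Helper.GetVolumeLetter(volume);
    string eventLogPath = volLetter + @"\Windows\system32\winevt\Logs";

    List<EventRecord> recordList = new List<EventRecord>();

    // Each log is parsed independently so one corrupt or unreadable file does not hide the
    // records of the others. The failure is reported on stderr with its reason so the analyst
    // can see which log was skipped and why, instead of the name silently landing on stdout.
    foreach (IndexEntry entry in IndexEntry.GetInstances(eventLogPath))
    {
        try
        {
            recordList.AddRange(Get(entry.FullName));
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine("Could not parse event log {0}: {1}", entry.FullName, ex.Message);
        }
    }

    return recordList.ToArray();
}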
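/// <summary>
/// Locates the per-user registry hive (<c>NTUSER.DAT</c>) of every profile directory on the
/// volume, trying the <c>\Users</c> layout first and the legacy
/// <c>\Documents and Settings</c> layout second.
/// </summary>
/// <param name="volume">Volume identifier accepted by <see cref="Helper.GetVolumeLetter"/>.</param>
/// <returns>Full paths of the hives that were found; entries without a hive are skipped.</returns>
/// <exception cref="DirectoryNotFoundException">Neither profile directory could be enumerated.</exception>
internal static string[] GetUserHiveInstances(string volume)
{
    string volLetter = Helper.GetVolumeLetter(volume);
    IndexEntry[] entries;

    try
    {
        entries = IndexEntry.GetInstances(volLetter + @"\Users");
    }
    catch (Exception usersEx)
    {
        try
        {
            entries = IndexEntry.GetInstances(volLetter + @"\Documents and Settings");
        }
        catch (Exception legacyEx)
        {
            // Both layouts failed: keep the underlying failures as the inner exception so the
            // caller can tell an unreadable volume apart from a genuinely missing directory.
            throw new DirectoryNotFoundException(
                "Could not locate User Registry Hives.",
                new AggregateException(usersEx, legacyEx));
        }
    }

    List<string> userHiveList = new List<string>();
    foreach (IndexEntry e in entries)
    {
        try
        {
            userHiveList.Add(IndexEntry.Get(e.FullName + @"\NTUSER.DAT").FullName);
        }
        catch (Exception)
        {
            // Best effort: not every entry under the profile root is a profile with a hive
            // (the lookup throws when NTUSER.DAT is absent), so such entries are skipped.
        }
    }

    return userHiveList.ToArray();
}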
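/// <summary>
/// Parses every <c>*.job</c> file found in the given directory of the volume's NTFS index.
/// </summary>
/// <param name="volume">Volume the directory lives on; passed through to <see cref="ScheduledJob.Get"/>.</param>
/// <param name="path">Directory to enumerate.</param>
/// <returns>One <see cref="ScheduledJob"/> per job file; empty when there are none.</returns>
private static ScheduledJob[] GetInstances(string volume, string path)
{
    List<ScheduledJob> jobList = new List<ScheduledJob>();

    foreach (IndexEntry entry in IndexEntry.GetInstances(path))
    {
        // Match on the extension only: a substring test would also accept names such as
        // "backup.jobs.txt" and hand non-job data to the parser.
        if (entry.Filename.EndsWith(".job", StringComparison.OrdinalIgnoreCase))
        {
            jobList.Add(ScheduledJob.Get(volume, (int)entry.RecordNumber));
        }
    }

    return jobList.ToArray();
}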
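/// <summary>
/// Parses every Prefetch file (<c>*.pf</c>) in <c>\Windows\Prefetch</c> of the given volume
/// straight from the Master File Table rather than through the file system API.
/// </summary>
/// <param name="volume">Volume identifier; normalised in place by <see cref="NativeMethods.getVolumeName"/>.</param>
/// <returns>The parsed Prefetch files; empty when the directory holds none.</returns>
/// <exception cref="DirectoryNotFoundException">The Prefetch directory does not exist.</exception>
public static Prefetch[] GetInstances(string volume)
{
    // Get current volume
    NativeMethods.getVolumeName(ref volume);

    // Get volume letter (assumes the \\.\X: form produced by getVolumeName — TODO confirm)
    string volLetter = volume.Split('\\')[3];

    // Get a handle to the volume
    IntPtr hVolume = NativeMethods.getHandle(volume);

    // Create a FileStream to read from the volume handle
    using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
    {
        VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead);

        // Build Prefetch directory path and fail before the (large) MFT read if it is absent
        string pfPath = volLetter + @"\Windows\Prefetch";
        if (!Directory.Exists(pfPath))
        {
            throw new DirectoryNotFoundException("Prefetch Directory does not exist. Check registry to ensure Prefetching is enabled.");
        }

        // Get a byte array representing the Master File Table
        byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);

        // Collect into a list: the .pf entries come from the raw NTFS index and need not agree
        // with what Directory.GetFiles reports for the live file system, so an array sized from
        // one and filled from the other could overflow or be left with trailing nulls.
        List<Prefetch> pfList = new List<Prefetch>();
        foreach (IndexEntry entry in IndexEntry.GetInstances(pfPath))
        {
            if (entry.Filename.EndsWith(".pf", StringComparison.OrdinalIgnoreCase))
            {
                // The record number indexes the raw table in 0x400-byte records
                byte[] recordBytes = NativeMethods.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400);
                FileRecord record = new FileRecord(recordBytes, volume, true);
                pfList.Add(new Prefetch(record.GetBytes(VBR)));
            }
        }

        return pfList.ToArray();
    }
}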
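/// <summary>
/// Parses every Prefetch file (<c>*.pf</c>) in <c>\Windows\Prefetch</c> of the given volume
/// straight from the Master File Table.
/// </summary>
/// <param name="volume">Volume identifier; normalised in place by <see cref="Util.getVolumeName"/>.</param>
/// <returns>The parsed Prefetch files; empty when the directory holds none.</returns>
public static Prefetch[] GetInstances(string volume)
{
    // Get current volume
    Util.getVolumeName(ref volume);

    // Get a handle to the volume
    IntPtr hVolume = Util.getHandle(volume);

    // Create a FileStream to read from the volume handle
    using (FileStream streamToRead = Util.getFileStream(hVolume))
    {
        VolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead);

        // Get a byte array representing the Master File Table
        byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);

        // Build Prefetch directory path (assumes the \\.\X: form produced by getVolumeName — TODO confirm)
        string pfPath = volume.Split('\\')[3] + @"\Windows\Prefetch";

        // No registry check is made for whether prefetching is enabled; an empty directory
        // simply yields an empty result. Only .pf entries produce output, so the result is
        // sized by what is actually parsed rather than by the directory's full entry count,
        // which previously left trailing null elements in the returned array.
        List<Prefetch> pfList = new List<Prefetch>();
        foreach (IndexEntry entry in IndexEntry.GetInstances(pfPath))
        {
            if (entry.Filename.EndsWith(".pf", StringComparison.OrdinalIgnoreCase))
            {
                // The record number indexes the raw table in 0x400-byte records
                byte[] recordBytes = Util.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400);
                FileRecord record = new FileRecord(recordBytes, volume, true);
                pfList.Add(new Prefetch(record.GetContent(VBR)));
            }
        }

        return pfList.ToArray();
    }
}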
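/// <summary>
/// Emits the scheduled job(s): the single file named by the <c>Path</c> parameter when it was
/// bound, otherwise every <c>*.job</c> file under <c>\Windows\Tasks</c> on the selected volume.
/// </summary>
protected override void ProcessRecord()
{
    if (this.MyInvocation.BoundParameters.ContainsKey("Path"))
    {
        WriteObject(ScheduledJob.Get(filePath));
        return;
    }

    NativeMethods.getVolumeName(ref volume);

    // Assumes the \\.\X: form produced by getVolumeName — TODO confirm
    string taskPath = volume.Split('\\')[3] + @"\Windows\Tasks";

    foreach (IndexEntry entry in IndexEntry.GetInstances(taskPath))
    {
        // Match on the extension only: a substring test would also accept names such as
        // "x.jobs.bak" and hand non-job data to the parser.
        if (entry.Filename.EndsWith(".job", StringComparison.OrdinalIgnoreCase))
        {
            WriteObject(ScheduledJob.Get(volume, (int)entry.RecordNumber));
        }
    }
} // ProcessRecord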
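/// <summary>
/// Parses every Prefetch file (<c>*.pf</c>) in <c>\Windows\Prefetch</c> of the given NTFS
/// volume, reading each file's MFT record directly rather than through the file system API.
/// </summary>
/// <param name="volume">Volume identifier; normalised in place by <see cref="Helper.getVolumeName"/>.</param>
/// <returns>The parsed Prefetch files; empty when the directory holds none.</returns>
/// <exception cref="InvalidOperationException">The volume's boot record is not an NTFS boot record.</exception>
public static Prefetch[] GetInstances(string volume)
{
    // Get current volume
    Helper.getVolumeName(ref volume);

    using (FileStream streamToRead = Helper.getFileStream(volume))
    {
        // A non-NTFS boot record would otherwise pass through as null and fail later inside
        // GetContent with an unhelpful error; reject it up front instead.
        NtfsVolumeBootRecord VBR = VolumeBootRecord.Get(streamToRead) as NtfsVolumeBootRecord;
        if (VBR == null)
        {
            throw new InvalidOperationException("Prefetch parsing requires an NTFS volume boot record.");
        }

        // Build Prefetch directory path
        string pfPath = Helper.GetVolumeLetter(volume) + @"\Windows\Prefetch";

        // Records are fetched per entry through FileRecord.Get, so the whole MFT is not read
        // into memory here. No registry check is made for whether prefetching is enabled; an
        // empty directory simply yields an empty result. Only .pf entries produce output, so the
        // result is sized by what is parsed rather than by the directory's full entry count.
        List<Prefetch> pfList = new List<Prefetch>();
        foreach (IndexEntry entry in IndexEntry.GetInstances(pfPath))
        {
            if (entry.Filename.EndsWith(".pf", StringComparison.OrdinalIgnoreCase))
            {
                FileRecord record = FileRecord.Get(volume, (int)entry.RecordNumber, true);
                pfList.Add(new Prefetch(record.GetContent(VBR)));
            }
        }

        return pfList.ToArray();
    }
}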