internal static bool IsVersionOrLater(OperatingSystemVersion version) { // int major; int minor; PlatformID platform = PlatformID.Win32NT; switch (version) { case OperatingSystemVersion.Windows8: major = 6; minor = 2; break; case OperatingSystemVersion.Windows7: major = 6; minor = 1; break; case OperatingSystemVersion.WindowsVista: major = 6; minor = 0; break; case OperatingSystemVersion.WindowsXPSP2: default: major = 5; minor = 1; break; } OperatingSystem os = Environment.OSVersion; return (os.Platform == platform) && (((os.Version.Major == major) && (os.Version.Minor >= minor)) || (os.Version.Major > major)); }
internal static bool IsVersionOrLater(OperatingSystemVersion version) { int major; int minor; PlatformID platform = PlatformID.Win32NT; switch (version) { case OperatingSystemVersion.Windows8: major = 6; minor = 2; break; case OperatingSystemVersion.Windows7: major = 6; minor = 1; break; case OperatingSystemVersion.WindowsVista: major = 6; minor = 0; break; case OperatingSystemVersion.WindowsXPSP2: default: major = 5; minor = 1; break; } OperatingSystem os = Environment.OSVersion; return((os.Platform == platform) && (((os.Version.Major == major) && (os.Version.Minor >= minor)) || (os.Version.Major > major))); }
//https://github.com/libyal/winreg-kb/wiki/Application-Compatibility-Cache-key //https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf private void Init(byte[] rawBytes, bool is32) { IAppCompatCache appCache = null; OperatingSystem = OperatingSystemVersion.Unknown; string signature; //TODO check minimum length of rawBytes and throw exception if not enough data signature = Encoding.ASCII.GetString(rawBytes, 128, 4); if (signature == "\u0018\0\0\0" || signature == "Y\0\0\0") { OperatingSystem = OperatingSystemVersion.WindowsXP; appCache = new WindowsXP(rawBytes, is32); } else if (signature == "00ts") { OperatingSystem = OperatingSystemVersion.Windows80_Windows2012; appCache = new Windows8x(rawBytes, OperatingSystem); } else if (signature == "10ts") { OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2; appCache = new Windows8x(rawBytes, OperatingSystem); } else { //is it windows 10? signature = Encoding.ASCII.GetString(rawBytes, 48, 4); if (signature == "10ts") { OperatingSystem = OperatingSystemVersion.Windows10; appCache = new Windows10(rawBytes); } else { //win7 if (rawBytes[0] == 0xee & rawBytes[1] == 0xf & rawBytes[2] == 0xdc & rawBytes[3] == 0xba) { if (is32) { OperatingSystem = OperatingSystemVersion.Windows7x86; } else { OperatingSystem = OperatingSystemVersion.Windows7x64_Windows2008R2; } appCache = new Windows7(rawBytes, is32); } } } Cache = appCache; }
internal static void CheckAndApplyTheme(ContentControl control) { OperatingSystemVersion os = OperatingSystemVersion.Current; if (os.OSVersion == OSVersion.Win7) { ThemeManager.ApplyTheme(control, "BureauBlue"); } }
public OperatingSystemSupportedAttribute(OperatingSystemVersion mininum, OperatingSystemVersion maximum = OperatingSystemVersion.None) { if (mininum == OperatingSystemVersion.None) { throw new ArgumentOutOfRangeException(nameof(mininum)); } this.Mininum = GetVersion(mininum); this.Maximum = GetVersion(maximum); }
internal static bool IsOsVersionOrGreater(OperatingSystemVersion osVer) { switch (osVer) { case OperatingSystemVersion.Windows10RS5: return(IsOsWindows10RS5OrGreater); case OperatingSystemVersion.Windows10RS4: return(IsOsWindows10RS4OrGreater); case OperatingSystemVersion.Windows10RS3: return(IsOsWindows10RS3OrGreater); case OperatingSystemVersion.Windows10RS2: return(IsOsWindows10RS2OrGreater); case OperatingSystemVersion.Windows10RS1: return(IsOsWindows10RS1OrGreater); case OperatingSystemVersion.Windows10TH2: return(IsOsWindows10TH2OrGreater); case OperatingSystemVersion.Windows10: return(IsOsWindows10OrGreater); case OperatingSystemVersion.Windows8Point1: return(IsOsWindows8Point1OrGreater); case OperatingSystemVersion.Windows8: return(IsOsWindows8OrGreater); case OperatingSystemVersion.Windows7SP1: return(IsOsWindows7SP1OrGreater); case OperatingSystemVersion.Windows7: return(IsOsWindows7OrGreater); case OperatingSystemVersion.WindowsVistaSP2: return(IsOsWindowsVistaSP2OrGreater); case OperatingSystemVersion.WindowsVistaSP1: return(IsOsWindowsVistaSP1OrGreater); case OperatingSystemVersion.WindowsVista: return(IsOsWindowsVistaOrGreater); case OperatingSystemVersion.WindowsXPSP3: return(IsOsWindowsXPSP3OrGreater); case OperatingSystemVersion.WindowsXPSP2: return(IsOsWindowsXPSP2OrGreater); } throw new ArgumentException(string.Format("{0} is not a valid OS!", osVer.ToString()), "osVer"); }
/// <inheritdoc /> public override int GetHashCode() { unchecked { var hashCode = EntryAssemblyName?.GetHashCode() ?? 0; hashCode = (hashCode * 397) ^ (EntryAssemblyVersion?.GetHashCode() ?? 0); hashCode = (hashCode * 397) ^ (HostName?.GetHashCode() ?? 0); hashCode = (hashCode * 397) ^ (LocalTimeString?.GetHashCode() ?? 0); hashCode = (hashCode * 397) ^ (MachineName?.GetHashCode() ?? 0); hashCode = (hashCode * 397) ^ (OperatingSystem?.GetHashCode() ?? 0); hashCode = (hashCode * 397) ^ (OperatingSystemVersion?.GetHashCode() ?? 0); hashCode = (hashCode * 397) ^ (ProcessName?.GetHashCode() ?? 0); hashCode = (hashCode * 397) ^ (ProcessorCount?.GetHashCode() ?? 0); return(hashCode); } }
public override int GetHashCode() { unchecked { var hashCode = FrameworkDescription != null?FrameworkDescription.GetHashCode() : 0; hashCode = (hashCode * 397) ^ (RunningEnvironment != null ? RunningEnvironment.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (EntryAssemblyName != null ? EntryAssemblyName.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (EntryAssemblyVersion != null ? EntryAssemblyVersion.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (LocalTimeString != null ? LocalTimeString.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (MachineName != null ? MachineName.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (OperatingSystemPlatform != null ? OperatingSystemPlatform.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (OperatingSystemArchitecture != null ? OperatingSystemArchitecture.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (OperatingSystemVersion != null ? OperatingSystemVersion.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (ProcessArchitecture != null ? ProcessArchitecture.GetHashCode() : 0); hashCode = (hashCode * 397) ^ (ProcessorCount != null ? ProcessorCount.GetHashCode() : 0); return(hashCode); } }
/// <summary> /// Create an ETWReloggerTraceEventSource that can takes its input from a variety of sources (either a single file, /// a set of files, or a real time ETW session (based on 'type'), and can write these events to a new ETW output /// file 'outputFileName. /// </summary> public ETWReloggerTraceEventSource(string fileOrSessionName, TraceEventSourceType type, string outputFileName) : base() { if (!OperatingSystemVersion.AtLeast(62)) { throw new NotSupportedException("System Tracing is only supported on Windows 8 and above."); } m_relogger = new CTraceRelogger(); if (type == TraceEventSourceType.FileOnly) { m_traceHandleForFirstStream = m_relogger.AddLogfileTraceStream(fileOrSessionName, IntPtr.Zero); } else if (type == TraceEventSourceType.Session) { m_traceHandleForFirstStream = m_relogger.AddRealtimeTraceStream(fileOrSessionName, IntPtr.Zero); } else { Debug.Assert(type == TraceEventSourceType.MergeAll); List <string> logFileNames = ETWTraceEventSource.GetMergeAllLogFiles(fileOrSessionName); bool first = true; foreach (var logFileName in logFileNames) { var handle = m_relogger.AddLogfileTraceStream(logFileName, IntPtr.Zero); if (first) { m_traceHandleForFirstStream = handle; first = false; } } } m_relogger.SetOutputFilename(outputFileName); m_myCallbacks = new ReloggerCallbacks(this); m_relogger.RegisterCallback(m_myCallbacks); m_scratchBufferSize = 0; m_scratchBuffer = null; }
public static bool IsSupportedCosmetic(OperatingSystemVersion mininum, OperatingSystemVersion maximum = OperatingSystemVersion.None) => IsSupported(GetVersion(mininum), PreferencesPage.GetCosmeticVersion(), GetVersion(maximum));
public static bool IsSupported(OperatingSystemVersion mininum, OperatingSystemVersion maximum = OperatingSystemVersion.None) => IsSupported(GetVersion(mininum), GetVersion(maximum));
public static Version GetVersion(OperatingSystemVersion version) => version == OperatingSystemVersion.None ? null : _versions[(int)version - 1];
private void Initialize(string fileOrSessionName, TraceEventSourceType type) { // Allocate the LOGFILE and structures and arrays that hold them // Figure out how many log files we have if (type == TraceEventSourceType.MergeAll) { List <string> allLogFiles = GetMergeAllLogFiles(fileOrSessionName); logFiles = new TraceEventNativeMethods.EVENT_TRACE_LOGFILEW[allLogFiles.Count]; for (int i = 0; i < allLogFiles.Count; i++) { logFiles[i].LogFileName = allLogFiles[i]; } } else { logFiles = new TraceEventNativeMethods.EVENT_TRACE_LOGFILEW[1]; if (type == TraceEventSourceType.FileOnly) { logFiles[0].LogFileName = fileOrSessionName; } else { Debug.Assert(type == TraceEventSourceType.Session); logFiles[0].LoggerName = fileOrSessionName; logFiles[0].LogFileMode |= TraceEventNativeMethods.EVENT_TRACE_REAL_TIME_MODE; IsRealTime = true; } } handles = new ulong[logFiles.Length]; // Fill out the first log file information (we will clone it later if we have multiple files). logFiles[0].BufferCallback = this.TraceEventBufferCallback; handles[0] = TraceEventNativeMethods.INVALID_HANDLE_VALUE; useClassicETW = !OperatingSystemVersion.AtLeast(OperatingSystemVersion.Vista); if (useClassicETW) { IntPtr mem = Marshal.AllocHGlobal(sizeof(TraceEventNativeMethods.EVENT_RECORD)); TraceEventNativeMethods.ZeroMemory(mem, sizeof(TraceEventNativeMethods.EVENT_RECORD)); convertedHeader = (TraceEventNativeMethods.EVENT_RECORD *)mem; logFiles[0].EventCallback = RawDispatchClassic; } else { logFiles[0].LogFileMode |= TraceEventNativeMethods.PROCESS_TRACE_MODE_EVENT_RECORD; logFiles[0].EventCallback = RawDispatch; } // We want the raw timestamp because it is needed to match up stacks with the event they go with. logFiles[0].LogFileMode |= TraceEventNativeMethods.PROCESS_TRACE_MODE_RAW_TIMESTAMP; // Copy the information to any additional log files for (int i = 1; i < logFiles.Length; i++) { logFiles[i].BufferCallback = logFiles[0].BufferCallback; logFiles[i].EventCallback = logFiles[0].EventCallback; logFiles[i].LogFileMode = logFiles[0].LogFileMode; handles[i] = handles[0]; } DateTime minSessionStartTimeUTC = DateTime.MaxValue; DateTime maxSessionEndTimeUTC = DateTime.MinValue + new TimeSpan(1 * 365, 0, 0, 0); // TO avoid roundoff error when converting to QPC add a year. // Open all the traces for (int i = 0; i < handles.Length; i++) { handles[i] = TraceEventNativeMethods.OpenTrace(ref logFiles[i]); if (handles[i] == TraceEventNativeMethods.INVALID_HANDLE_VALUE) { Marshal.ThrowExceptionForHR(TraceEventNativeMethods.GetHRForLastWin32Error()); } // Start time is minimum of all start times DateTime logFileStartTimeUTC = SafeFromFileTimeUtc(logFiles[i].LogfileHeader.StartTime); DateTime logFileEndTimeUTC = SafeFromFileTimeUtc(logFiles[i].LogfileHeader.EndTime); if (logFileStartTimeUTC < minSessionStartTimeUTC) { minSessionStartTimeUTC = logFileStartTimeUTC; } // End time is maximum of all start times if (logFileEndTimeUTC > maxSessionEndTimeUTC) { maxSessionEndTimeUTC = logFileEndTimeUTC; } // TODO do we even need log pointer size anymore? // We take the max pointer size. if ((int)logFiles[i].LogfileHeader.PointerSize > pointerSize) { pointerSize = (int)logFiles[i].LogfileHeader.PointerSize; } } _QPCFreq = logFiles[0].LogfileHeader.PerfFreq; if (_QPCFreq == 0) { _QPCFreq = Stopwatch.Frequency; } // Real time providers don't set this to something useful if ((logFiles[0].LogFileMode & TraceEventNativeMethods.EVENT_TRACE_REAL_TIME_MODE) != 0) { DateTime nowUTC = DateTime.UtcNow; long nowQPC = QPCTime.GetUTCTimeAsQPC(nowUTC); _syncTimeQPC = nowQPC; _syncTimeUTC = nowUTC; sessionStartTimeQPC = nowQPC - _QPCFreq / 10; // Subtract 1/10 sec to keep now and nowQPC in sync. sessionEndTimeQPC = long.MaxValue; // Represents infinity. Debug.Assert(SessionStartTime < SessionEndTime); } else { _syncTimeUTC = minSessionStartTimeUTC; // UTCDateTimeToQPC is actually going to give the wrong value for these because we have // not set _syncTimeQPC, but will be adjusted when we see the event Header and know _syncTypeQPC. sessionStartTimeQPC = this.UTCDateTimeToQPC(minSessionStartTimeUTC); sessionEndTimeQPC = this.UTCDateTimeToQPC(maxSessionEndTimeUTC); } Debug.Assert(_QPCFreq != 0); if (pointerSize == 0) // Real time does not set this (grrr). { pointerSize = sizeof(IntPtr); Debug.Assert((logFiles[0].LogFileMode & TraceEventNativeMethods.EVENT_TRACE_REAL_TIME_MODE) != 0); } Debug.Assert(pointerSize == 4 || pointerSize == 8); cpuSpeedMHz = (int)logFiles[0].LogfileHeader.CpuSpeedInMHz; numberOfProcessors = (int)logFiles[0].LogfileHeader.NumberOfProcessors; // We ask for raw timestamps, but the log file may have used system time as its raw timestamp. // SystemTime is like a QPC time that happens 10M times a second (100ns). // ReservedFlags is actually the ClockType 0 = Raw, 1 = QPC, 2 = SystemTimne 3 = CpuTick (we don't support) if (logFiles[0].LogfileHeader.ReservedFlags == 2) // If ClockType == EVENT_TRACE_CLOCK_SYSTEMTIME { _QPCFreq = 10000000; } Debug.Assert(_QPCFreq != 0); int ver = (int)logFiles[0].LogfileHeader.Version; osVersion = new Version((byte)ver, (byte)(ver >> 8)); // Logic for looking up process names processNameForID = new Dictionary <int, string>(); var kernelParser = new KernelTraceEventParser(this, KernelTraceEventParser.ParserTrackingOptions.None); kernelParser.ProcessStartGroup += delegate(ProcessTraceData data) { // Get just the file name without the extension. Can't use the 'Path' class because // it tests to make certain it does not have illegal chars etc. Since KernelImageFileName // is not a true user mode path, we can get failures. string path = data.KernelImageFileName; int startIdx = path.LastIndexOf('\\'); if (0 <= startIdx) { startIdx++; } else { startIdx = 0; } int endIdx = path.LastIndexOf('.'); if (endIdx <= startIdx) { endIdx = path.Length; } processNameForID[data.ProcessID] = path.Substring(startIdx, endIdx - startIdx); }; kernelParser.ProcessEndGroup += delegate(ProcessTraceData data) { processNameForID.Remove(data.ProcessID); }; kernelParser.EventTraceHeader += delegate(EventTraceHeaderTraceData data) { if (_syncTimeQPC == 0) { // In merged files there can be more of these, we only set the QPC time on the first one // We were using a 'start location' of 0, but we want it to be the timestamp of this events, so we add this to our // existing QPC values. _syncTimeQPC = data.TimeStampQPC; sessionStartTimeQPC += data.TimeStampQPC; sessionEndTimeQPC += data.TimeStampQPC; } }; }
public static bool IsGreaterThan(this OperatingSystem operatingSystem, OperatingSystemVersion version) => operatingSystem.Version.Build > (int)version;
//https://github.com/libyal/winreg-kb/wiki/Application-Compatibility-Cache-key //https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf private IAppCompatCache Init(byte[] rawBytes, bool is32, int controlSet) { IAppCompatCache appCache = null; OperatingSystem = OperatingSystemVersion.Unknown; string signature; var sigNum = BitConverter.ToUInt32(rawBytes, 0); //TODO check minimum length of rawBytes and throw exception if not enough data signature = Encoding.ASCII.GetString(rawBytes, 128, 4); var log1 = LogManager.GetCurrentClassLogger(); log1.Debug($@"**** Signature {signature}, Sig num 0x{sigNum:X}"); if (sigNum == 0xDEADBEEF) //DEADBEEF, WinXp { OperatingSystem = OperatingSystemVersion.WindowsXP; log1.Debug(@"**** Processing XP hive"); appCache = new WindowsXP(rawBytes, is32, controlSet); } else if (sigNum == 0xbadc0ffe) { OperatingSystem = OperatingSystemVersion.WindowsVistaWin2k3Win2k8; appCache = new VistaWin2k3Win2k8(rawBytes, is32, controlSet); } else if (sigNum == 0xBADC0FEE) //BADC0FEE, Win7 { if (is32) { OperatingSystem = OperatingSystemVersion.Windows7x86; } else { OperatingSystem = OperatingSystemVersion.Windows7x64_Windows2008R2; } appCache = new Windows7(rawBytes, is32, controlSet); } else if (signature == "00ts") { OperatingSystem = OperatingSystemVersion.Windows80_Windows2012; appCache = new Windows8x(rawBytes, OperatingSystem, controlSet); } else if (signature == "10ts") { OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2; appCache = new Windows8x(rawBytes, OperatingSystem, controlSet); } else { //is it windows 10? var offsetToEntries = BitConverter.ToInt32(rawBytes, 0); OperatingSystem = OperatingSystemVersion.Windows10; if (offsetToEntries == 0x34) { OperatingSystem = OperatingSystemVersion.Windows10Creators; } signature = Encoding.ASCII.GetString(rawBytes, offsetToEntries, 4); if (signature == "10ts") { appCache = new Windows10(rawBytes, controlSet); } } if (appCache == null) { throw new Exception("Unable to determine operating system! Please send the hive to [email protected]"); } return(appCache); }
// added computerName argument private IAppCompatCache Init(byte[] rawBytes, bool is32, int controlSet, string computerName) { IAppCompatCache appCache = null; OperatingSystem = OperatingSystemVersion.Unknown; string signature; var sigNum = BitConverter.ToUInt32(rawBytes, 0); //TODO check minimum length of rawBytes and throw exception if not enough data signature = Encoding.ASCII.GetString(rawBytes, 128, 4); if (sigNum == 0xbadc0ffe) // Vista { OperatingSystem = OperatingSystemVersion.WindowsVistaWin2k3Win2k8; appCache = new VistaWin2k3Win2k8(rawBytes, is32, controlSet, computerName); } else if (sigNum == 0xbadc0fee) // Win7 { if (is32) { OperatingSystem = OperatingSystemVersion.Windows7x86; } else { OperatingSystem = OperatingSystemVersion.Windows7x64_Windows2008R2; } appCache = new Windows7(rawBytes, is32, controlSet, computerName); } else if ((signature == "00ts")) { OperatingSystem = OperatingSystemVersion.Windows80_Windows2012; appCache = new Windows8x(rawBytes, OperatingSystem, controlSet, computerName); } else if (signature == "10ts") { OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2; appCache = new Windows8x(rawBytes, OperatingSystem, controlSet, computerName); } else { //is it windows 10? var offsetToEntries = BitConverter.ToInt32(rawBytes, 0); OperatingSystem = OperatingSystemVersion.Windows10; if (offsetToEntries == 0x34) { OperatingSystem = OperatingSystemVersion.Windows10Creators; } signature = Encoding.ASCII.GetString(rawBytes, offsetToEntries, 4); if ((signature == "10ts")) { appCache = new Windows10(rawBytes, controlSet, computerName); } } if (appCache == null) { throw new Exception("Unable to determine operating system..."); } return(appCache); }