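        /// <summary>
        /// Reports whether the page file is flagged for encryption by reading the
        /// NtfsEncryptPagingFile value of the current key.
        /// </summary>
        /// <returns>Always true; findings are written to the Reporter.</returns>
        public override bool Process()
        {
            RegistryValue value = Key.GetValue("NtfsEncryptPagingFile");

            if (null == value)
            {
                this.Reporter.Write("NtfsEncryptPagingFileというValueは見つかりませんでした。");
                return(true);
            }

            object data = value.GetDataAsObject();

            // Only a DWORD (unboxed as uint) can be interpreted. The unconditional
            // (uint) cast used here before threw InvalidCastException for any other
            // value type, which aborts the whole report on a tampered/odd hive.
            if (!(data is uint))
            {
                this.Reporter.Write("NtfsEncryptPagingFile : " + ((null != data) ? data.ToString() : string.Empty));
                this.Reporter.Write("RESULT : 値がDWORDではないため判定できませんでした。");
                return(true);
            }

            uint setting = (uint)data;

            // Print the real value: the previous code printed "0" for every value
            // other than 1, which hid non-standard settings from the analyst.
            this.Reporter.Write("NtfsEncryptPagingFile : " + setting.ToString());
            if (1 == setting)
            {
                this.Reporter.Write("RESULT : Pagefile.sysは暗号化されています。");
            }
            else
            {
                this.Reporter.Write("RESULT : Pagefile.sysは暗号化されていません。");
            }

            return(true);
        }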
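        /// <summary>
        /// Lists the shell "open" command registered for the executable-type file
        /// classes (exe, cmd, bat, hta, pif) under Classes\&lt;type&gt;file\shell\open\command,
        /// together with each key's last-write time. Whatever is stored here runs every
        /// time a file of that type is launched, so a modified command is a classic
        /// persistence / hijack indicator.
        /// </summary>
        /// <returns>Always true; findings are written to the Reporter.</returns>
        public override bool Process()
        {
            string[] commands = { "exe", "cmd", "bat", "hta", "pif" };

            foreach (string command in commands)
            {
                string      keyPath = "Classes\\" + command + "file\\shell\\open\\command";
                RegistryKey key     = RootKey.GetSubkey(keyPath);

                if (null == key)
                {
                    Reporter.Write(keyPath + " キーは見つかりませんでした。");
                    continue;
                }

                Reporter.Write(keyPath);
                Reporter.Write("最終更新日時: " + Library.TransrateTimestamp(key.Timestamp, TimeZoneBias, OutputUtc));

                RegistryValue value = key.GetValue("(Default)");
                object        data  = (null != value) ? value.GetDataAsObject() : null;

                // Guard the data as well as the value object: GetDataAsObject() can
                // return null (the fDenyTSConnections reporter already checks for it),
                // and the unconditional .ToString() here threw in that case.
                if (null != data)
                {
                    // NOTE(review): the stock command for exefile is normally "%1" %*;
                    // compare against a known-good baseline before flagging a deviation.
                    Reporter.Write("\tCmd: " + data.ToString());
                }
                else
                {
                    Reporter.Write(command + "にはVALUEがありませんでした。");
                }
            }
            Reporter.Write("");

            return(true);
        }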
        /// <summary>
        /// Dumps the fDenyTSConnections value of the current key together with the
        /// key's path and last-write time.
        /// </summary>
        /// <returns>Always true; findings are written to the Reporter.</returns>
        public override bool Process()
        {
            Reporter.Write("キーのパス:" + KeyPath);
            Reporter.Write("キーの最終更新日時:" + Library.TransrateTimestamp(Key.Timestamp, TimeZoneBias, OutputUtc));
            Reporter.Write("");

            Reporter.Write(KeyPath + " キー, fDenyTSConnections VALUE を表示します。");
            Reporter.Write("LastWrite Time " + Library.TransrateTimestamp(Key.Timestamp, TimeZoneBias, OutputUtc));

            RegistryValue denyValue = Key.GetValue("fDenyTSConnections");
            object        denyData  = (null != denyValue) ? denyValue.GetDataAsObject() : null;

            if (null == denyValue)
            {
                // Value object absent (note the trailing space in this message).
                Reporter.Write("fDenyTSConnections VALUE はありませんでした。 ");
            }
            else if (null == denyData)
            {
                // Value present but carries no data.
                Reporter.Write("fDenyTSConnections VALUE はありませんでした。");
            }
            else
            {
                // NOTE(review): 0 is normally "Remote Desktop connections allowed" and
                // 1 "denied"; the value is printed raw here, not interpreted -- confirm.
                Reporter.Write("  fDenyTSConnections = " + denyData.ToString());
            }

            return(true);
        }
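        /// <summary>
        /// Reports the IE "Version" value of the current key, then the
        /// "Compatibility Flags" of every ActiveX control GUID listed in GUIDS under
        /// ActiveX Compatibility\&lt;guid&gt;.
        /// </summary>
        /// <returns>Always true; findings are written to the Reporter.</returns>
        public override bool Process()
        {
            RegistryValue value = this.Key.GetValue("Version");
            object        versionData = (null != value) ? value.GetDataAsObject() : null;

            // Null-data guard: the old .ToString() on the raw object threw when the
            // value existed but carried no data.
            if (null != versionData)
            {
                this.Reporter.Write("IE Version = " + versionData.ToString());
            }
            else
            {
                this.Reporter.Write("IE Version は見つかりませんでした。");
            }

            this.Reporter.Write("");

            foreach (string guid in GUIDS)
            {
                RegistryKey subkey = this.Key.GetSubkey("ActiveX Compatibility\\" + guid);

                if (null == subkey)
                {
                    this.Reporter.Write(guid + " は見つかりませんでした。");
                    this.Reporter.Write("");
                    continue;
                }

                this.Reporter.Write("GUID: " + guid);
                value = subkey.GetValue("Compatibility Flags");

                if (null == value)
                {
                    this.Reporter.Write("Compatibility Flags は見つかりませんでした。");
                }
                else
                {
                    object flags = value.GetDataAsObject();

                    // Only a DWORD can be rendered as 0xXXXXXXXX; anything else used to
                    // throw InvalidCastException on the unconditional (uint) cast.
                    if (flags is uint)
                    {
                        // NOTE(review): 0x00000400 is commonly the ActiveX kill bit; the
                        // flags are printed raw, not decoded -- confirm before relying on it.
                        this.Reporter.Write("Compatibility Flags  0x" + ((uint)flags).ToString("X8"));
                    }
                    else
                    {
                        this.Reporter.Write("Compatibility Flags  " + ((null != flags) ? flags.ToString() : string.Empty));
                    }
                }
                this.Reporter.Write("");
            }

            return(true);
        }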
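        /// <summary>
        /// Reports the "LastKey" value of the current key, i.e. the registry key the
        /// user last had open in RegEdit.
        /// </summary>
        /// <returns>Always true; findings are written to the Reporter.</returns>
        public override bool Process()
        {
            // Get Last Registry key opened in RegEdit
            RegistryValue value = this.Key.GetValue("LastKey");
            object        data  = (null != value) ? value.GetDataAsObject() : null;

            if (null != data)
            {
                this.Reporter.Write("RegEdit で最後に閲覧した値 -> " + data.ToString());
            }
            else
            {
                // Say so explicitly, like the other value reporters, instead of
                // staying silent (and avoid the NRE on a value with null data).
                this.Reporter.Write("LastKey VALUEは見つかりませんでした。");
            }

            return(true);
        }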
        /// <summary>
        /// Dumps every value of the current key, then walks its Volume subkey and
        /// prints each per-volume subkey with its last-write time and NukeOnDelete value.
        /// </summary>
        /// <returns>Always true; findings are written to the Reporter.</returns>
        public override bool Process()
        {
            RegistryValue[] ownValues = Key.GetListOfValues();
            bool            hasValues = (null != ownValues) && (0 < ownValues.Length);

            if (hasValues)
            {
                foreach (RegistryValue ownValue in ownValues)
                {
                    Reporter.Write(ownValue.Name + " : " + ownValue.GetDataAsString());
                }
            }
            else
            {
                Library.WriteNoValue(KeyPath, Reporter);
            }
            Reporter.Write("");

            RegistryKey volumeKey = Key.GetSubkey("Volume");
            if (null == volumeKey)
            {
                Reporter.Write(KeyPath + "\\Volume サブキーにはアクセスできませんでした。");
                return(true);
            }

            ReportVolumeEntries(volumeKey);

            return(true);
        }

        /// <summary>
        /// Prints each subkey of the Volume key (name, last-write time, NukeOnDelete),
        /// or a no-value marker when the Volume key has no subkeys.
        /// </summary>
        /// <param name="volumeKey">The Volume subkey of the current key (non-null).</param>
        private void ReportVolumeEntries(RegistryKey volumeKey)
        {
            RegistryKey[] entries = volumeKey.GetListOfSubkeys();

            if (null == entries || 0 == entries.Length)
            {
                Library.WriteNoValue(KeyPath + "\\Volume", Reporter);
                return;
            }

            foreach (RegistryKey entry in entries)
            {
                string stamp = Library.TransrateTimestamp(entry.Timestamp, TimeZoneBias, OutputUtc);
                Reporter.Write(entry.Name + " [" + stamp + "]");

                RegistryValue nukeValue = entry.GetValue("NukeOnDelete");
                if (null == nukeValue)
                {
                    Reporter.Write("\\NukeOnDelete ではVALUEを取得できませんでした。");
                    continue;
                }

                // NOTE(review): NukeOnDelete is presumably the "delete immediately, bypass
                // the recycle bin" flag; it is printed raw here, not interpreted.
                Reporter.Write("   NukeOnDelete " + nukeValue.GetDataAsObject().ToString());
            }
        }
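        /// <summary>
        /// Reports the "load" and "run" values of the current key. Both are logon-time
        /// autostart hooks -- anything listed in them is executed when the user logs in
        /// -- so on a clean profile they are expected to be absent or empty, and any
        /// content deserves a close look.
        /// </summary>
        /// <returns>Always true; findings are written to the Reporter.</returns>
        public override bool Process()
        {
            // Same handling for both values; the two copies of this code were merged
            // and the dead "reset the locals" steps and commented-out lines removed.
            string[] autostartValues = { "load", "run" };

            foreach (string name in autostartValues)
            {
                RegistryValue value = this.Key.GetValue(name);
                object        data  = (null != value) ? value.GetDataAsObject() : null;

                // Null-data guard: a value present with no data used to throw on .ToString().
                if (null != data)
                {
                    this.Reporter.Write(name + " value = " + data.ToString());
                }
                else
                {
                    this.Reporter.Write(name + " VALUEは見つかりませんでした。");
                }
            }

            return(true);
        }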
        /// <summary>
        /// Reports the "Logon User Name" value of the current key, or a no-value
        /// marker (via Library.WriteNoValue) when it is absent.
        /// </summary>
        /// <returns>Always true; findings are written to the Reporter.</returns>
        public override bool Process()
        {
            RegistryValue logonName = Key.GetValue("Logon User Name");

            if (null == logonName)
            {
                Library.WriteNoValue(KeyPath, Reporter);
                return(true);
            }

            object data = logonName.GetDataAsObject();
            Reporter.Write("Logon User Name = " + data.ToString());

            return(true);
        }
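        /// <summary>
        /// Lists every subkey of the current key grouped by last-write timestamp, newest
        /// group first. Each subkey is printed as "name [default value]" under a header
        /// line carrying the formatted timestamp.
        /// </summary>
        /// <returns>Always true; findings are written to the Reporter.</returns>
        public override bool Process()
        {
            RegistryKey[] subkeys = Key.GetListOfSubkeys();

            if (null == subkeys || 0 == subkeys.Length)
            {
                Reporter.Write(KeyPath + " にはサブキーがありませんでした。");
                return(true);
            }

            // Raw timestamp -> entries that share it exactly (double keys: only
            // bit-identical stamps group together, which is what the original did too).
            Dictionary <double, List <string> > byTimestamp = new Dictionary <double, List <string> >();

            foreach (RegistryKey subkey in subkeys)
            {
                RegistryValue defaultValue = subkey.GetValue("(Default)");
                object        defaultData  = (null != defaultValue) ? defaultValue.GetDataAsObject() : null;
                // Null-data guard: a "(Default)" value with no data used to throw on .ToString().
                string        entry        = subkey.Name + " [" + ((null != defaultData) ? defaultData.ToString() : string.Empty) + "]";

                // Single lookup instead of ContainsKey + indexer + redundant re-assignment.
                List <string> group;
                if (!byTimestamp.TryGetValue(subkey.Timestamp, out group))
                {
                    group = new List <string>();
                    byTimestamp.Add(subkey.Timestamp, group);
                }
                group.Add(entry);
            }

            // Newest first (descending key order).
            List <KeyValuePair <double, List <string> > > sorted = new List <KeyValuePair <double, List <string> > >(byTimestamp);
            sorted.Sort(
                delegate(KeyValuePair <double, List <string> > first, KeyValuePair <double, List <string> > next) {
                return(next.Key.CompareTo(first.Key));
            }
                );

            string precedent = string.Empty;
            foreach (KeyValuePair <double, List <string> > pair in sorted)
            {
                string gmtdate = Library.TransrateTimestamp(pair.Key, TimeZoneBias, OutputUtc);

                // Distinct raw stamps can format to the same text; print the header once.
                if (!precedent.Equals(gmtdate))
                {
                    Reporter.Write(gmtdate);
                    precedent = gmtdate;
                }
                foreach (string item in pair.Value)
                {
                    Reporter.Write("  " + item);
                }
            }

            return(true);
        }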
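        /// <summary>
        /// Walks one level of a BagMRU-style tree: resolves the key's NodeSlot to the
        /// matching "...s\&lt;slot&gt;\Shell" key and dumps its values, then follows
        /// MRUListEx into the numbered child values/subkeys, extending the reconstructed
        /// folder path as it recurses.
        /// </summary>
        /// <param name="key">Key to process (the top key or one of its numbered descendants).</param>
        /// <param name="path">
        /// Path of the top key. Its last three characters are replaced with "s\" to build
        /// the slot key path (i.e. "...BagMRU" becomes "...Bags\").
        /// </param>
        /// <param name="folderName">Folder path reconstructed so far for <paramref name="key"/>; empty at the root.</param>
        private void Recursive(RegistryKey key, string path, string folderName)
        {
            // 1) Dump the slot key that holds this folder's view settings.
            RegistryValue slotValue = key.GetValue("NodeSlot");
            object        slotData  = (null != slotValue) ? slotValue.GetDataAsObject() : null;

            if (null != slotData && 3 <= path.Length)
            {
                string      slotNumber = slotData.ToString();
                RegistryKey bagKey     = RootKey.GetSubkey(path.Remove(path.Length - 3) + @"s\" + slotNumber + @"\Shell");

                if (null != bagKey)
                {
                    RegistryValue[] bagValues = bagKey.GetListOfValues();

                    if (null != bagValues)
                    {
                        Reporter.Write("  FolderName : " + ((0 != folderName.Length) ? folderName : "デスクトップ?"));
                        Reporter.Write("    [ValueList]");

                        foreach (RegistryValue bagValue in bagValues)
                        {
                            string dataString;

                            if (Constants.REG_BINARY != bagValue.Type)
                            {
                                dataString = bagValue.GetDataAsString();
                            }
                            else
                            {
                                // A fresh builder per value: the previous shared builder was
                                // never cleared, so every binary value's hex dump also repeated
                                // the bytes of all binary values printed before it.
                                dataString = ToHexString(bagValue.Data);
                            }
                            Reporter.Write("      " + bagValue.Name + " : " + dataString);
                        }
                        Reporter.Write("");
                    }
                }
            }

            // 2) Follow MRUListEx into the numbered children.
            RegistryValue mruValue = key.GetValue("MRUListEx");
            if (null == mruValue)
            {
                return;
            }

            byte[] mruData = mruValue.GetDataAsObject() as byte[];
            if (null == mruData)
            {
                return;
            }

            // MRUListEx is read in 4-byte steps, so each index is taken as a full 32-bit
            // little-endian value (the previous code read only its low 16 bits). A
            // trailing partial entry is ignored instead of being extracted past the end.
            // NOTE(review): the list is presumably terminated by 0xFFFFFFFF; that entry
            // simply resolves to no value/subkey and is skipped -- confirm.
            for (uint count = 0; count + 4 <= mruData.Length; count += 4)
            {
                uint          mru   = BitConverter.ToUInt32(Library.ExtractArrayElements(mruData, count, 4), 0);
                RegistryValue value = key.GetValue(mru.ToString());

                if (null != value)
                {
                    byte[] bytes = value.GetDataAsObject() as byte[];

                    // Empty or non-binary data used to throw (IndexOutOfRange / InvalidCast).
                    if (null != bytes && 0 < bytes.Length)
                    {
                        if (0x19 == bytes[0])
                        {
                            // A root-type item below an already-resolved folder is odd; keep the warning.
                            if (0 < folderName.Length)
                            {
                                Logger.Write(LogLevel.WARNING, folderName + " / " + mru.ToString() + "は怪しげです。");
                            }
                            // The three ASCII bytes at offset 3 are taken as the root name; needs >= 6 bytes.
                            if (6 <= bytes.Length)
                            {
                                folderName = Encoding.ASCII.GetString(Library.ExtractArrayElements(bytes, 3, 3));
                            }
                        }
                        else
                        {
                            if (0 < folderName.Length)
                            {
                                folderName += @"\";
                            }
                            folderName += ExtractUnicodeName(bytes);
                        }
                    }
                }

                RegistryKey subKey = key.GetSubkey(mru.ToString());

                if (null != subKey)
                {
                    Recursive(subKey, path, folderName);
                }
            }
        }

        /// <summary>
        /// Renders a byte array as space-separated upper-case hex pairs ("0A FF ...").
        /// </summary>
        /// <param name="raw">Bytes to render; null yields an empty string.</param>
        private static string ToHexString(byte[] raw)
        {
            StringBuilder hex = new StringBuilder();

            if (null != raw)
            {
                foreach (byte item in raw)
                {
                    if (0 < hex.Length)
                    {
                        hex.Append(" ");
                    }
                    hex.Append(item.ToString("X2"));
                }
            }

            return hex.ToString();
        }

        /// <summary>
        /// Pulls the UTF-16 name out of a shell item blob: scanning from offset 4, it
        /// starts collecting right after the first 14 00 00 00 sequence and stops after
        /// a byte pair of zeros (the collected bytes are decoded as UTF-16LE).
        /// NOTE(review): the meaning of the 0x14 marker is taken from the original
        /// scan logic, not from a format specification -- confirm.
        /// </summary>
        /// <param name="bytes">Shell item data (non-null).</param>
        /// <returns>The decoded name, or an empty string when no marker was found.</returns>
        private static string ExtractUnicodeName(byte[] bytes)
        {
            List <byte> nameBytes = new List <byte>();
            bool        started   = false;

            for (uint i = 4; i < bytes.Length; i++)
            {
                if (!started && 0x14 == bytes[i - 4] && 0x00 == bytes[i - 3] && 0x00 == bytes[i - 2] && 0x00 == bytes[i - 1])
                {
                    started = true;
                }

                if (!started)
                {
                    continue;
                }

                nameBytes.Add(bytes[i]);

                // Bounds check on i + 1: the old code indexed past the end when the
                // terminator was the very last byte.
                if (0x00 == bytes[i] && (i + 1 < bytes.Length) && 0x00 == bytes[i + 1])
                {
                    break;
                }
            }

            return Encoding.Unicode.GetString(nameBytes.ToArray());
        }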