public override bool Process() { string[] commands = { "exe", "cmd", "bat", "hta", "pif" }; string keyPath = string.Empty; RegistryValue value = null; foreach (string command in commands) { keyPath = "Classes\\" + command + "file\\shell\\open\\command"; RegistryKey key = RootKey.GetSubkey(keyPath); if (null != key) { Reporter.Write(keyPath); Reporter.Write("最終更新日時: " + Library.TransrateTimestamp(key.Timestamp, TimeZoneBias, OutputUtc)); value = key.GetValue("(Default)"); if (null != value) { Reporter.Write("\tCmd: " + value.GetDataAsObject().ToString()); } else { Reporter.Write(command + "にはVALUEがありませんでした。"); } } else { Reporter.Write(keyPath + " キーは見つかりませんでした。"); } } Reporter.Write(""); return(true); }
/// <summary> /// Constructor /// </summary> /// <param name="rootKey"></param> /// <param name="reporter"></param> /// <param name="logger"></param> public ClassBase(RegistryKey rootKey, short timeZoneBias, bool outputUtc, Reporter reporter, Logger logger, string currentControlSet = "") { if (!string.IsNullOrEmpty(currentControlSet)) { Current = currentControlSet; } Initialize(); _rootKey = rootKey; _timeZoneBias = timeZoneBias; _outputUtc = outputUtc; _reporter = reporter; _logger = logger; Reporter.Write(Library.GetClassName(this)); Reporter.Write("キーの説明:" + Description); if (!string.IsNullOrEmpty(KeyPath)) { if (PrintKeyInBase) { Reporter.Write("キーのパス:" + KeyPath); } Key = RootKey.GetSubkey(KeyPath); if (null != Key) { if (PrintKeyInBase) { Reporter.Write("キーの最終更新日時:" + Library.TransrateTimestamp(Key.Timestamp, TimeZoneBias, OutputUtc)); Reporter.Write(""); } } else { Reporter.Write(""); if (!PrintKeyInBase) { Reporter.Write("検索したキーのパス:" + KeyPath); } Reporter.Write("Keyが見つかりませんでした。"); Reporter.Write(""); } } }
public override bool Process() { Reporter.Write("MsPaper"); string keyPath = "Software\\Microsoft"; RegistryKey key = RootKey.GetSubkey(keyPath); if (null != key) { RegistryKey[] subkeys = key.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { bool hasValue = false; foreach (RegistryKey subkey in subkeys) { string name = subkey.Name; if (name.StartsWith("MSPaper")) { hasValue = true; string mspKeyPath = subkey.Name + "\\Recent File List"; RegistryKey mspKey = key.GetSubkey(mspKeyPath); if (null != mspKey) { Reporter.Write("表す値:MSPaperの直近の履歴"); Reporter.Write("キーのパス:" + keyPath + "\\" + mspKeyPath); Reporter.Write("最終更新日:" + Library.TransrateTimestamp(mspKey.Timestamp, TimeZoneBias, OutputUtc)); RegistryValue[] values = mspKey.GetListOfValues(); if (null != values && 0 < values.Length) { List <KeyValuePair <ushort, string> > list = new List <KeyValuePair <ushort, string> >(); // Retrieve values and load into a hash for sorting string mspName; string source = string.Empty; ushort serial; foreach (RegistryValue value in values) { mspName = value.Name; if (mspName.StartsWith("File")) { source = mspName.Substring(4); if (ushort.TryParse(source, out serial)) { list.Add(new KeyValuePair <ushort, string>(serial, value.GetDataAsObject().ToString())); } } } list.Sort( delegate(KeyValuePair <ushort, string> first, KeyValuePair <ushort, string> next) { return(first.Key.CompareTo(next.Key)); } ); // Print sorted content to report file foreach (KeyValuePair <ushort, string> pair in list) { Reporter.Write(" File" + pair.Key.ToString() + " -> " + pair.Value); } } else { Reporter.Write(keyPath + "\\" + mspKeyPath + " にはVALUEがありませんでした。"); Reporter.Write(""); } } else { Reporter.Write(keyPath + "\\" + mspKeyPath + " キーは見つかりませんでした。"); Reporter.Write(""); } } } if (!hasValue) { Reporter.Write("SOFTWARE\\Microsoft\\MSPaper* から始まるキーは見つかりませんでした。"); Reporter.Write(""); } } else { // そんな状況ありえへんと思うが Reporter.Write(keyPath + " にはサブキーがありませんでした。"); } } else { // そんな状況ありえへんと思うが Reporter.Write(keyPath + " キーは見つかりませんでした。"); } return(true); }
public override bool Process() { RegistryKey[] subkeys = Key.GetListOfSubkeys(); RegistryKey clsIdKey = null; string clsIdPath = string.Empty; Dictionary <string, object> dictionary = new Dictionary <string, object>(); if (null != subkeys && 0 < subkeys.Length) { foreach (RegistryKey subkey in subkeys) { if (subkey.Name.StartsWith("-")) { continue; } clsIdPath = "Classes\\CLSID\\" + subkey.Name; clsIdKey = RootKey.GetSubkey(clsIdPath); if (null != clsIdKey) { dictionary.Clear(); try { dictionary.Add("clsId", clsIdKey.GetValue("(Default)").GetDataAsObject().ToString()); } catch (Exception ex) { dictionary.Add("clsId", string.Empty); Logger.Write(LogLevel.ERROR, "\tError getting Class name for CLSID\\" + clsIdKey.Name + " : " + ex.Message); } try { dictionary.Add("module", clsIdKey.GetSubkey("InProcServer32").GetValue("(Default)").GetDataAsObject().ToString()); } catch (Exception ex) { dictionary.Add("module", string.Empty); Logger.Write(LogLevel.ERROR, "Error getting Module name for CLSID\\" + clsIdKey.Name + " : " + ex.Message); } try { dictionary.Add("timestamp", Library.TransrateTimestamp(clsIdKey.GetSubkey("InProcServer32").Timestamp, TimeZoneBias, OutputUtc)); } catch (Exception ex) { dictionary.Add("timestamp", string.Empty); Logger.Write(LogLevel.ERROR, "\tError getting LastWrite time for CLSID\\" + clsIdKey.Name + " : " + ex.Message); } Reporter.Write(subkey.Name); Reporter.Write("\tクラス => " + dictionary["clsId"].ToString()); Reporter.Write("\tモジュール => " + dictionary["module"].ToString()); Reporter.Write("\t最終更新日時 => " + dictionary["timestamp"].ToString()); Reporter.Write(""); } else { Reporter.Write(clsIdPath + " は見つかりませんでした。"); Reporter.Write(""); } } } else { Reporter.Write(KeyPath + " にサブキーはありませんでした。 ブラウザヘルパーオブジェクトは使われていません。"); } return(true); }
public override bool Process() { // Get all of the subkey names RegistryKey[] subkeys = Key.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { RegistryValue[] values; Dictionary <string, TimestampContainer2> dictionary = new Dictionary <string, TimestampContainer2>(); Dictionary <string, string> innerDictionary = new Dictionary <string, string>(); foreach (RegistryKey subkey in subkeys) { if ("Descriptions".Equals(subkey.Name)) { continue; } RegistryKey connectionKey = Key.GetSubkey(subkey.Name + "\\Connection"); if (null != connectionKey) { innerDictionary.Clear(); values = connectionKey.GetListOfValues(); foreach (RegistryValue value in values) { innerDictionary.Add(value.Name, value.GetDataAsObject().ToString()); } // See what the active NICs were on the system; "active" based on PnpInstanceID having // a string value // Get the GUID of the interface, the name, and the LastWrite time of the Connection // key if (innerDictionary.ContainsKey("PnpInstanceID") && !string.Empty.Equals(innerDictionary["PnpInstanceID"])) { dictionary.Add(subkey.Name, new TimestampContainer2(innerDictionary["Name"], connectionKey.Timestamp)); } } } Reporter.Write(""); // access the Tcpip Services key to get the IP address information if (0 < dictionary.Count) { RegistryKey interfaceKey = RootKey.GetSubkey(@"Services\Tcpip\Parameters\Interfaces"); if (null != interfaceKey) { Reporter.Write(interfaceKey.KeyPath); Reporter.Write("最終更新日時:" + Library.TransrateTimestamp(interfaceKey.Timestamp, TimeZoneBias, OutputUtc)); Reporter.Write(""); List <string> list = new List <string>(); // Dump the names of the subkeys under Parameters\Interfaces into a hash subkeys = interfaceKey.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { foreach (RegistryKey subkey in subkeys) { list.Add(subkey.Name); } } RegistryKey propertyKey; object data = null; string replacedData = string.Empty; StringBuilder builder = new StringBuilder(); foreach (KeyValuePair <string, TimestampContainer2> pair in dictionary) { if (list.Contains(pair.Key)) { propertyKey = interfaceKey.GetSubkey(pair.Key); Reporter.Write("Interface " + pair.Key); Reporter.Write("Name: " + pair.Value.Name); Reporter.Write("Control\\Network キーの最終更新日時:" + Library.TransrateTimestamp(pair.Value.Timestamp, TimeZoneBias, OutputUtc)); Reporter.Write("Services\\Tcpip キーの最終更新日時:" + Library.TransrateTimestamp(propertyKey.Timestamp, TimeZoneBias, OutputUtc)); values = propertyKey.GetListOfValues(); innerDictionary.Clear(); foreach (RegistryValue value in values) { if (value.Name.ToUpper().Contains("DHCP") || "IPAddressv".Equals(value.Name) || "SubnetMask".Equals(value.Name) || "DefaultGateway".Equals(value.Name)) { data = value.GetDataAsObject(); if (typeof(string[]).Equals(data.GetType())) { builder = new StringBuilder(); foreach (string item in (string[])data) { if (0 < builder.Length) { builder.Append(","); } builder.Append(item); } replacedData = builder.ToString(); } else { replacedData = data.ToString(); } innerDictionary.Add(value.Name, replacedData); } } if (innerDictionary.ContainsKey("EnableDHCP") && "1".Equals(innerDictionary["EnableDHCP"])) { Reporter.Write("\tDhcpDomain = " + EvaluateDictionary(innerDictionary, "DhcpDomain")); Reporter.Write("\tDhcpIPAddress = " + EvaluateDictionary(innerDictionary, "DhcpIPAddress")); Reporter.Write("\tDhcpSubnetMask = " + EvaluateDictionary(innerDictionary, "DhcpSubnetMask")); Reporter.Write("\tDhcpNameServer = " + EvaluateDictionary(innerDictionary, "DhcpNameServer")); Reporter.Write("\tDhcpServer = " + EvaluateDictionary(innerDictionary, "DhcpServer")); } else { Reporter.Write("\tIPAddress = " + EvaluateDictionary(innerDictionary, "IPAddressv")); Reporter.Write("\tSubnetMask = " + EvaluateDictionary(innerDictionary, "SubnetMask")); Reporter.Write("\tDefaultGateway = " + EvaluateDictionary(innerDictionary, "DefaultGateway")); } } else { Reporter.Write("インターフェイス「" + pair.Key + "」は " + interfaceKey.KeyPath + " にはありませんでした。"); } Reporter.Write(""); } } } else { //Reporter.Write("No active network interface cards were found."); //Logger.Write("No active network interface cards were found."); Reporter.Write("有効なNICは見つかりませんでした。"); } } else { Reporter.Write(KeyPath + " にはサブキーがありませんでした。"); } return(true); }
public override bool Process() { // First, let's find out which version of Office is installed List <int> versionList = new List <int>(); string versionTag = string.Empty; string keyPath; for (int ver = 7; ver <= CURRENT_VERSION; ver++) { versionTag = ver.ToString("0.0"); keyPath = @"Software\Microsoft\Office\" + versionTag + @"\Common\Open Find"; RegistryKey key = RootKey.GetSubkey(keyPath); if (null != key) { versionList.Add(ver); } } if (0 < versionList.Count) { foreach (int version in versionList) { Reporter.Write("MSOffice version " + version.ToString() + " located."); keyPath = "Software\\Microsoft\\Office\\" + versionTag; RegistryKey officeKey = RootKey.GetSubkey(keyPath); if (null != officeKey) { // Attempt to retrieve Word docs string[] paths = new string[] { // "Common\\Open Find\\Microsoft Office Word\\Settings\\Save As\\File Name MRU", // "Common\\Open Find\\Microsoft Office Word\\Settings\\File Save\\File Name MRU", @"Common\Open Find\Microsoft Office Word\Settings\名前を付けて保存\File Name MRU", @"Common\Open Find\Microsoft Office Excel\Settings\名前を付けて保存\File Name MRU", @"Common\Open Find\Microsoft Office PowerPoint\Settings\名前を付けて保存\File Name MRU", @"Common\Open Find\Microsoft Office Outlook\Settings\ファイル名を付けて保存\File Name MRU" }; RegistryKey branchKey; string[] branchData; bool succeed = false; foreach (string path in paths) { branchKey = officeKey.GetSubkey(path); if (null != branchKey) { Reporter.Write(path); Reporter.Write("LastWrite Time " + Library.TransrateTimestamp(branchKey.Timestamp, TimeZoneBias, OutputUtc)); branchData = (string[])branchKey.GetValue("Value").GetDataAsObject(); foreach (string datum in branchData) { Reporter.Write("\t" + datum); } Reporter.Write(""); succeed = true; } } if (!succeed) { paths = new string[] { @"Word\File MRU", @"Excel\File MRU", @"PowerPoint\File MRU", @"Outlook\Catalog", @"Outlook\Search\Catalog" }; foreach (string path in paths) { branchKey = officeKey.GetSubkey(path); if (null != branchKey) { RegistryValue[] values = branchKey.GetListOfValues(); if (0 < values.Length) { Reporter.Write("[" + path + "]"); foreach (RegistryValue value in values) { Reporter.Write("\t" + value.Name + " : " + value.GetDataAsString()); } } succeed = true; Reporter.Write(""); } } } if (!succeed) { Reporter.Write(keyPath + "配下においてはOffice保存先にあたるキーは見つかりませんでした。"); } } else { Reporter.Write(keyPath + "にはアクセスできませんでした。"); } } } else { Reporter.Write("MSOfficeのバージョンのキーは見つかりませんでした。"); } return(true); }
private void Recursive(RegistryKey key, string path, string folderName) { // NodeSlotから実体のフォルダの内容を取得 RegistryValue slotValue = key.GetValue("NodeSlot"); if (null != slotValue) { string slotNumber = slotValue.GetDataAsObject().ToString(); // RegistryKey bagKey = RootKey.GetSubkey(pathBuilder.ToString() + @"\" + slotValue.GetData().ToString()); RegistryKey bagKey = RootKey.GetSubkey(path.Remove(path.Length - 3) + @"s\" + slotNumber + @"\Shell"); if (null != bagKey) { RegistryKey[] subkeys = bagKey.GetListOfSubkeys(); if (null != subkeys) { } RegistryValue[] bagValues = bagKey.GetListOfValues(); if (null != bagValues) { Reporter.Write(" FolderName : " + ((0 != folderName.Length) ? folderName : "デスクトップ?")); Reporter.Write(" [ValueList]"); string dataString = ""; byte[] bytes; StringBuilder dataBuilder = new StringBuilder(); foreach (RegistryValue bagValue in bagValues) { if (Constants.REG_BINARY != bagValue.Type) { dataString = bagValue.GetDataAsString(); } else { bytes = bagValue.Data; foreach (byte item in bytes) { if (0 < dataBuilder.Length) { dataBuilder.Append(" "); } dataBuilder.Append(item.ToString("X2")); } dataString = dataBuilder.ToString(); } Reporter.Write(" " + bagValue.Name + " : " + dataString); } Reporter.Write(""); } } } // まずMRUListExを取得 RegistryValue mruValue = key.GetValue("MRUListEx"); if (null != mruValue) { byte[] mruData = (byte[])mruValue.GetDataAsObject(); if (null != mruData) { uint mru = 0; RegistryValue value; List <byte> byteList = new List <byte>(); byte[] bytes = null; for (uint count = 0; count < mruData.Length; count += 4) { mru = BitConverter.ToUInt16(Library.ExtractArrayElements(mruData, count, 4), 0); value = key.GetValue(mru.ToString()); if (null != value) { bytes = (byte[])value.GetDataAsObject(); if (0x19 == bytes[0]) { if (0 < folderName.Length) { Logger.Write(LogLevel.WARNING, folderName + " / " + mru.ToString() + "は怪しげです。"); } folderName = Encoding.ASCII.GetString(Library.ExtractArrayElements(bytes, 3, 3)); } else { byteList = new List <byte>(); // Reporter.Write("\t" + value.Name + "WriteTime : " Library.ExtractArrayElements(bytes, 8, 4)); //hoge++; //System.IO.File.WriteAllBytes(@"C:\WORK\KaniReg\dummyFile\" + hoge.ToString() + ".txt" , (byte[])data); bool start = false; for (uint innerCount = 4; innerCount < bytes.Length; innerCount++) { if (!start && 0x14 == bytes[innerCount - 4] && 0x00 == bytes[innerCount - 3] && 0x00 == bytes[innerCount - 2] && 0x00 == bytes[innerCount - 1]) { start = true; } if (!start) { continue; } byteList.Add(bytes[innerCount]); if (0x00 == bytes[innerCount] && 0x00 == bytes[innerCount + 1]) { break; } } if (0 < folderName.Length) { folderName += @"\"; } folderName += Encoding.Unicode.GetString(byteList.ToArray()); } } RegistryKey subKey = key.GetSubkey(mru.ToString()); if (null != subKey) { Recursive(subKey, path, folderName); } } } } }