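/// <summary>
/// Exports a Registry key to .reg format ("Windows Registry Editor Version 5.00", written as UTF-16).
/// </summary>
/// <remarks>
/// Do not use RegistryHiveOnDemand when exporting recursively or you will only get the key and its
/// subkeys exported.
/// The file is opened with FileMode.Create, so an existing file at <paramref name="filename"/> is replaced.
/// The exported text is built from names and data read out of the hive; an export of a hive from an
/// untrusted source should be reviewed before it is imported anywhere.
/// </remarks>
/// <param name="filename">Path of the .reg file to write.</param>
/// <param name="key">Key to export. Must not be null.</param>
/// <param name="hiveType">Hive type, forwarded to GetRegFormatData when the key sections are rendered.</param>
/// <param name="recursive">Forwarded to GetRegFormatData; when true the subkeys are exported as well.</param>
/// <returns>Always true; failures are reported through exceptions.</returns>
/// <exception cref="NullReferenceException"><paramref name="key"/> is null.</exception>
/// <exception cref="ArgumentNullException"><paramref name="filename"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="filename"/> is empty.</exception>
public static bool ExportToReg(string filename, RegistryKey key, HiveTypeEnum hiveType, bool recursive)
{
    if (key == null)
    {
        // Exception type kept as it was: existing callers may catch NullReferenceException.
        throw new NullReferenceException("Key cannot be null");
    }

    // Reject an unusable path before the (possibly large) export text is built. These are the same
    // exception types the FileStream constructor would raise for these inputs further down.
    if (filename == null)
    {
        throw new ArgumentNullException(nameof(filename));
    }

    if (filename.Length == 0)
    {
        throw new ArgumentException("Filename cannot be empty", nameof(filename));
    }

    var sb = new StringBuilder();

    sb.AppendLine("Windows Registry Editor Version 5.00");
    sb.AppendLine();
    sb.AppendLine(";Generated by Registry parser (https://github.com/EricZimmerman/Registry)");
    // Round-trip ("o") format: independent of the machine's culture settings and the same format
    // GetRegFormat uses for the last write timestamp of each key.
    sb.AppendLine($";Generated on {DateTimeOffset.UtcNow:o}");
    sb.AppendLine();

    if ((key.KeyFlags & RegistryKey.KeyFlagsEnum.Deleted) == RegistryKey.KeyFlagsEnum.Deleted)
    {
        sb.AppendLine(";This is a deleted key");
        sb.AppendLine();
    }

    sb.AppendLine(GetRegFormatData(key, hiveType, recursive));

    // Two using statements so the FileStream is released even if creating the writer fails.
    using (var stream = new FileStream(filename, FileMode.Create))
    using (var writer = new StreamWriter(stream, Encoding.Unicode))
    {
        writer.WriteLine(sb.ToString());
        writer.Flush();
    }

    return true;
}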
// public methods...

/// <summary>
/// Renders <paramref name="key"/> in .reg format and, when <paramref name="recursive"/> is true,
/// every key below it as well.
/// </summary>
/// <param name="key">Key whose GetRegFormat output starts the result.</param>
/// <param name="hiveType">Hive type passed through to GetRegFormat for every key visited.</param>
/// <param name="recursive">When false only <paramref name="key"/> itself is rendered.</param>
/// <returns>The rendered text; each key's section is followed by a line break.</returns>
private static string GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, bool recursive)
{
    var output = new StringBuilder();
    output.AppendLine(key.GetRegFormat(hiveType));

    if (recursive)
    {
        // NOTE(review): recursion depth follows the subkey nesting found in the hive; no depth
        // limit is applied here - confirm the parser bounds it for damaged or crafted hives.
        foreach (var child in key.SubKeys)
        {
            var childText = GetRegFormatData(child, hiveType, true);

            // Trailing whitespace of the child's text is dropped so sections are separated uniformly.
            output.AppendLine(childText.TrimEnd());
        }
    }

    return output.ToString();
}
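/// <summary>
/// Renders this key and its values as one section of a .reg file.
/// </summary>
/// <remarks>
/// The section consists of a blank line, the bracketed key path, a ";Last write timestamp" comment
/// and one name=value line per entry in Values. The first segment of KeyPath is replaced by a root
/// chosen from <paramref name="hiveType"/>; every hive type except UsrClass is written at or below
/// HKEY_CURRENT_USER.
/// NOTE(review): presumably this keeps an import of the export away from the live machine hives - confirm.
/// Names and string data are escaped for backslashes and double quotes only. Key names, value names
/// and string data are otherwise written as found in the hive, including any line breaks, so the
/// output for a hive from an untrusted source should be reviewed before it is imported.
/// </remarks>
/// <param name="hiveType">Hive type used to pick the root key name of the section header.</param>
/// <returns>The section text with trailing whitespace removed.</returns>
public string GetRegFormat(HiveTypeEnum hiveType)
{
    var sb = new StringBuilder();

    string keyBase;

    switch (hiveType)
    {
        case HiveTypeEnum.NtUser:
            keyBase = "HKEY_CURRENT_USER";
            break;
        case HiveTypeEnum.Sam:
            keyBase = "HKEY_CURRENT_USER\\SAM";
            break;
        case HiveTypeEnum.Security:
            keyBase = "HKEY_CURRENT_USER\\SECURITY";
            break;
        case HiveTypeEnum.Software:
            keyBase = "HKEY_CURRENT_USER\\SOFTWARE";
            break;
        case HiveTypeEnum.System:
            keyBase = "HKEY_CURRENT_USER\\SYSTEM";
            break;
        case HiveTypeEnum.UsrClass:
            keyBase = "HKEY_CLASSES_ROOT";
            break;
        case HiveTypeEnum.Components:
            keyBase = "HKEY_CURRENT_USER\\COMPONENTS";
            break;
        default:
            keyBase = "HKEY_CURRENT_USER\\UNKNOWN_BASEPATH";
            break;
    }

    // Drop the first path segment and put the chosen root in its place.
    var keyNames = KeyPath.Split('\\');
    var normalizedKeyPath = string.Join("\\", keyNames.Skip(1));

    var keyName = normalizedKeyPath.Length > 0
        ? $"[{keyBase}\\{normalizedKeyPath}]"
        : $"[{keyBase}]";

    sb.AppendLine();
    sb.AppendLine(keyName);
    // NOTE(review): LastWriteTime.Value is read without a check - confirm it is always set,
    // also for deleted or recovered keys.
    sb.AppendLine($";Last write timestamp {LastWriteTime.Value.UtcDateTime.ToString("o")}");

    foreach (var keyValue in Values)
    {
        var keyNameOut = keyValue.ValueName;

        if (string.Equals(keyNameOut, "(default)", StringComparison.OrdinalIgnoreCase))
        {
            // The default value of a key is written as a bare @.
            keyNameOut = "@";
        }
        else
        {
            keyNameOut = keyNameOut.Replace("\\", "\\\\");
            keyNameOut = $"\"{keyNameOut.Replace("\"", "\\\"")}\"";
        }

        // NOTE(review): a data type not listed below leaves this empty, which yields a "name=" line
        // without data - confirm whether such values should be emitted as hex(type) instead.
        var keyValueOut = "";

        switch (keyValue.VKRecord.DataType)
        {
            case VKCellRecord.DataTypeEnum.RegSz:
                keyValueOut =
                    $"\"{keyValue.ValueData.Replace("\\", "\\\\").Replace("\"", "\\\"")}\"";
                break;

            case VKCellRecord.DataTypeEnum.RegNone:
            case VKCellRecord.DataTypeEnum.RegDwordBigEndian:
            case VKCellRecord.DataTypeEnum.RegFullResourceDescription:
            case VKCellRecord.DataTypeEnum.RegMultiSz:
            case VKCellRecord.DataTypeEnum.RegQword:
            case VKCellRecord.DataTypeEnum.RegFileTime:
            case VKCellRecord.DataTypeEnum.RegLink:
            case VKCellRecord.DataTypeEnum.RegResourceRequirementsList:
            case VKCellRecord.DataTypeEnum.RegExpandSz:
                var prefix = $"hex({(int) keyValue.VKRecord.DataType:x}):";

                keyValueOut =
                    $"{prefix}{BitConverter.ToString(keyValue.ValueDataRaw).Replace("-", ",")}".ToLowerInvariant();

                // keyValueOut already contains the prefix, so the prefix is counted twice here;
                // left unchanged so existing exports keep their line wrapping.
                if (keyValueOut.Length + prefix.Length + keyNameOut.Length > 76)
                {
                    keyValueOut =
                        $"{prefix}{FormatBinaryValueData(keyValue.ValueDataRaw, keyNameOut.Length, prefix.Length)}";
                }

                break;

            case VKCellRecord.DataTypeEnum.RegDword:
                var dwordBytes = keyValue.ValueDataRaw;

                if (dwordBytes == null || dwordBytes.Length < 4)
                {
                    // BitConverter.ToInt32 throws when fewer than four bytes are available, which
                    // would abort the whole export on one damaged value. Write whatever bytes are
                    // present in the typed hex form instead so the export completes and the raw
                    // data stays visible.
                    var dwordPrefix = $"hex({(int) keyValue.VKRecord.DataType:x}):";

                    keyValueOut = dwordBytes == null
                        ? dwordPrefix
                        : $"{dwordPrefix}{BitConverter.ToString(dwordBytes).Replace("-", ",")}".ToLowerInvariant();
                }
                else
                {
                    keyValueOut =
                        $"dword:{BitConverter.ToInt32(dwordBytes, 0):X8}".ToLowerInvariant();
                }

                break;

            case VKCellRecord.DataTypeEnum.RegBinary:
                keyValueOut =
                    $"hex:{BitConverter.ToString(keyValue.ValueDataRaw).Replace("-", ",")}".ToLowerInvariant();

                if (keyValueOut.Length + 5 + keyNameOut.Length > 76)
                {
                    keyValueOut =
                        $"hex:{FormatBinaryValueData(keyValue.ValueDataRaw, keyNameOut.Length, 5)}";
                }

                break;
        }

        sb.AppendLine($"{keyNameOut}={keyValueOut}");
    }

    return sb.ToString().TrimEnd();
}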
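/// <summary>
/// Renders this key and its values as one section of a .reg file.
/// </summary>
/// <remarks>
/// The section consists of a blank line, the bracketed key path, a ";Last write timestamp" comment
/// and one name=value line per entry in Values. The first segment of KeyPath is replaced by a root
/// chosen from <paramref name="hiveType"/>; every hive type except UsrClass is written at or below
/// HKEY_CURRENT_USER.
/// NOTE(review): presumably this keeps an import of the export away from the live machine hives - confirm.
/// Names and string data are escaped for backslashes and double quotes only. Key names, value names
/// and string data are otherwise written as found in the hive, including any line breaks, so the
/// output for a hive from an untrusted source should be reviewed before it is imported.
/// </remarks>
/// <param name="hiveType">Hive type used to pick the root key name of the section header.</param>
/// <returns>The section text with trailing whitespace removed.</returns>
public string GetRegFormat(HiveTypeEnum hiveType)
{
    var sb = new StringBuilder();

    string keyBase;

    switch (hiveType)
    {
        case HiveTypeEnum.NtUser:
            keyBase = "HKEY_CURRENT_USER";
            break;
        case HiveTypeEnum.Sam:
            keyBase = "HKEY_CURRENT_USER\\SAM";
            break;
        case HiveTypeEnum.Security:
            keyBase = "HKEY_CURRENT_USER\\SECURITY";
            break;
        case HiveTypeEnum.Software:
            keyBase = "HKEY_CURRENT_USER\\SOFTWARE";
            break;
        case HiveTypeEnum.System:
            keyBase = "HKEY_CURRENT_USER\\SYSTEM";
            break;
        case HiveTypeEnum.UsrClass:
            keyBase = "HKEY_CLASSES_ROOT";
            break;
        case HiveTypeEnum.Components:
            keyBase = "HKEY_CURRENT_USER\\COMPONENTS";
            break;
        default:
            keyBase = "HKEY_CURRENT_USER\\UNKNOWN_BASEPATH";
            break;
    }

    // Drop the first path segment and put the chosen root in its place.
    var keyNames = KeyPath.Split('\\');
    var normalizedKeyPath = string.Join("\\", keyNames.Skip(1));

    var keyName = normalizedKeyPath.Length > 0
        ? $"[{keyBase}\\{normalizedKeyPath}]"
        : $"[{keyBase}]";

    sb.AppendLine();
    sb.AppendLine(keyName);
    // NOTE(review): LastWriteTime.Value is read without a check - confirm it is always set,
    // also for deleted or recovered keys.
    sb.AppendLine($";Last write timestamp {LastWriteTime.Value.UtcDateTime.ToString("o")}");

    foreach (var keyValue in Values)
    {
        var keyNameOut = keyValue.ValueName;

        if (string.Equals(keyNameOut, "(default)", StringComparison.OrdinalIgnoreCase))
        {
            // The default value of a key is written as a bare @.
            keyNameOut = "@";
        }
        else
        {
            keyNameOut = keyNameOut.Replace("\\", "\\\\");
            keyNameOut = $"\"{keyNameOut.Replace("\"", "\\\"")}\"";
        }

        // NOTE(review): a data type not listed below leaves this empty, which yields a "name=" line
        // without data - confirm whether such values should be emitted as hex(type) instead.
        var keyValueOut = "";

        switch (keyValue.VKRecord.DataType)
        {
            case VKCellRecord.DataTypeEnum.RegSz:
                keyValueOut =
                    $"\"{keyValue.ValueData.Replace("\\", "\\\\").Replace("\"", "\\\"")}\"";
                break;

            case VKCellRecord.DataTypeEnum.RegNone:
            case VKCellRecord.DataTypeEnum.RegDwordBigEndian:
            case VKCellRecord.DataTypeEnum.RegFullResourceDescription:
            case VKCellRecord.DataTypeEnum.RegMultiSz:
            case VKCellRecord.DataTypeEnum.RegQword:
            case VKCellRecord.DataTypeEnum.RegFileTime:
            case VKCellRecord.DataTypeEnum.RegLink:
            case VKCellRecord.DataTypeEnum.RegResourceRequirementsList:
            case VKCellRecord.DataTypeEnum.RegExpandSz:
                var prefix = $"hex({(int) keyValue.VKRecord.DataType:x}):";

                keyValueOut =
                    $"{prefix}{BitConverter.ToString(keyValue.ValueDataRaw).Replace("-", ",")}".ToLowerInvariant();

                // keyValueOut already contains the prefix, so the prefix is counted twice here;
                // left unchanged so existing exports keep their line wrapping.
                if (keyValueOut.Length + prefix.Length + keyNameOut.Length > 76)
                {
                    keyValueOut =
                        $"{prefix}{FormatBinaryValueData(keyValue.ValueDataRaw, keyNameOut.Length, prefix.Length)}";
                }

                break;

            case VKCellRecord.DataTypeEnum.RegDword:
                var dwordBytes = keyValue.ValueDataRaw;

                if (dwordBytes == null || dwordBytes.Length < 4)
                {
                    // BitConverter.ToInt32 throws when fewer than four bytes are available, which
                    // would abort the whole export on one damaged value. Write whatever bytes are
                    // present in the typed hex form instead so the export completes and the raw
                    // data stays visible.
                    var dwordPrefix = $"hex({(int) keyValue.VKRecord.DataType:x}):";

                    keyValueOut = dwordBytes == null
                        ? dwordPrefix
                        : $"{dwordPrefix}{BitConverter.ToString(dwordBytes).Replace("-", ",")}".ToLowerInvariant();
                }
                else
                {
                    keyValueOut =
                        $"dword:{BitConverter.ToInt32(dwordBytes, 0):X8}".ToLowerInvariant();
                }

                break;

            case VKCellRecord.DataTypeEnum.RegBinary:
                keyValueOut =
                    $"hex:{BitConverter.ToString(keyValue.ValueDataRaw).Replace("-", ",")}".ToLowerInvariant();

                if (keyValueOut.Length + 5 + keyNameOut.Length > 76)
                {
                    keyValueOut =
                        $"hex:{FormatBinaryValueData(keyValue.ValueDataRaw, keyNameOut.Length, 5)}";
                }

                break;
        }

        sb.AppendLine($"{keyNameOut}={keyValueOut}");
    }

    return sb.ToString().TrimEnd();
}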