/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static RecentDocs[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string user = RegistryHelper.GetUserHiveOwner(hivePath);
byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
string key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs";
NamedKey RecentDocsKey = NamedKey.Get(bytes, hivePath, @"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs");
ValueKey MRUListEx = ValueKey.Get(bytes, hivePath, key, "MRUListEx");
byte[] MRUListBytes = (byte[])MRUListEx.GetData(bytes);
RecentDocs[] docs = new RecentDocs[MRUListBytes.Length / 4];
for (int i = 0; i < MRUListBytes.Length - 4; i += 4)
{
if (i == 0)
{
docs[i / 4] = new RecentDocs(user, Encoding.Unicode.GetString((byte[])ValueKey.Get(bytes, hivePath, key, BitConverter.ToInt32(MRUListBytes, i).ToString()).GetData(bytes)).Split('\0')[0], RecentDocsKey.WriteTime);
}
else
{
docs[i / 4] = new RecentDocs(user, Encoding.Unicode.GetString((byte[])ValueKey.Get(bytes, hivePath, key, BitConverter.ToInt32(MRUListBytes, i).ToString()).GetData(bytes)).Split('\0')[0]);
}
}
return(docs);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to the -HivePath parameter.");
}
}
public static TypedUrls[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string Key = @"Software\Microsoft\Internet Explorer\TypedUrls";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey nk = NamedKey.Get(bytes, hivePath, Key);
TypedUrls[] urls = new TypedUrls[nk.NumberOfValues];
foreach (ValueKey vk in nk.GetValues(bytes))
{
for (int i = 0; i < urls.Length; i++)
{
urls[i] = new TypedUrls(RegistryHelper.GetUserHiveOwner(hivePath), (string)vk.GetData(bytes));
}
}
return(urls);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
public static TypedPaths[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey nk = NamedKey.Get(bytes, hivePath, Key);
TypedPaths[] paths = new TypedPaths[nk.NumberOfValues];
int i = 0;
foreach (ValueKey vk in nk.GetValues(bytes))
{
paths[i] = new TypedPaths(RegistryHelper.GetUserHiveOwner(hivePath), (string)vk.GetData(bytes));
i++;
}
return(paths);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
public static WindowsVersion Get(string hivePath)
{
if (RegistryHeader.Get(hivePath).HivePath.Contains("SOFTWARE"))
{
byte[] bytes = Helper.GetHiveBytes(hivePath);
NamedKey nk = NamedKey.Get(bytes, hivePath, @"Micosoft\Windows NT\CurrentVersion");
return(new WindowsVersion(nk));
}
else
{
throw new Exception("Invalid SOFTWARE hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static RunMRU[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string user = RegistryHelper.GetUserHiveOwner(hivePath);
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey RunMRUKey = null;
ValueKey MRUList = null;
try
{
RunMRUKey = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
return(null);
}
try
{
MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUList");
}
catch
{
return(null);
}
RunMRU[] RunMRUStrings = new RunMRU[RunMRUKey.NumberOfValues - 1];
byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);
for (int i = 0; i <= MRUListBytes.Length - 4; i += 4)
{
string MRUValue = Encoding.ASCII.GetString(MRUListBytes).TrimEnd('\0');
RunMRUStrings[i / 4] = new RunMRU(user, (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
}
return(RunMRUStrings);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
public static WordWheelQuery[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey nk = null;
try
{
nk = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
return(null);
}
ValueKey MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUListEx");
WordWheelQuery[] dataStrings = new WordWheelQuery[nk.NumberOfValues - 1];
byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);
for (int i = 0; i < MRUListBytes.Length - 4; i += 4)
{
uint MRUValue = BitConverter.ToUInt32(MRUListBytes, i);
string SearchString = null;
try
{
SearchString = (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes);
}
catch
{
SearchString = Encoding.Unicode.GetString((byte[])ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
}
dataStrings[i / 4] = new WordWheelQuery(RegistryHelper.GetUserHiveOwner(hivePath), SearchString);
}
return(dataStrings);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static LastVisitedMRU[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey nk = null;
try
{
nk = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
try
{
Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU";
nk = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
return(null);
}
}
ValueKey MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUListEx");
LastVisitedMRU[] dataStrings = new LastVisitedMRU[nk.NumberOfValues - 1];
byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);
for (int i = 0; i < MRUListBytes.Length - 4; i += 4)
{
uint MRUValue = BitConverter.ToUInt32(MRUListBytes, i);
dataStrings[i / 4] = new LastVisitedMRU(RegistryHelper.GetUserHiveOwner(hivePath), (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
}
return(dataStrings);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
public static RunKey[] Get(string hivePath)
{
List <string> Keys = new List <string>();
string AutoRunLocation = null;
if (RegistryHelper.isCorrectHive(hivePath, "SOFTWARE"))
{
Keys.AddRange(new string[] { @"Microsoft\Windows\CurrentVersion\Run", @"Microsoft\Windows\CurrentVersion\RunOnce", @"Wow6432Node\Microsoft\Windows\CurrentVersion\Run" });
AutoRunLocation = @"HKLM\SOFTWARE\";
}
else if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
Keys.AddRange(new string[] { @"Software\Microsoft\Windows\CurrentVersion\Run", @"Software\Microsoft\Windows\CurrentVersion\RunOnce" });
AutoRunLocation = @"USER\" + RegistryHelper.GetUserHiveOwner(hivePath) + "\\";
}
else
{
throw new Exception("Invalid SOFTWARE or NTUSER.DAT hive provided.");
}
byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
List <RunKey> runList = new List <RunKey>();
foreach (string key in Keys)
{
try
{
NamedKey run = NamedKey.Get(bytes, hivePath, key);
if (run.NumberOfValues > 0)
{
foreach (ValueKey vk in run.GetValues(bytes))
{
runList.Add(new RunKey(AutoRunLocation + key, vk));
}
}
}
catch
{
}
}
return(runList.ToArray());
}
public static OutlookCatalog[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
byte[] hiveBytes = RegistryHelper.GetHiveBytes(hivePath);
string user = RegistryHelper.GetUserHiveOwner(hivePath);
string OfficeVersion = RegistryHelper.GetOfficeVersion(hiveBytes, hivePath);
List <OutlookCatalog> list = new List <OutlookCatalog>();
NamedKey CatalogKey = null;
if (OfficeVersion == "12.0")
{
CatalogKey = NamedKey.Get(hiveBytes, hivePath, @"Software\Microsoft\Office\" + OfficeVersion + @"\Outlook\Catalog");
}
else
{
CatalogKey = NamedKey.Get(hiveBytes, hivePath, @"Software\Microsoft\Office\" + OfficeVersion + @"\Outlook\Search\Catalog");
}
if (CatalogKey.NumberOfValues > 0)
{
foreach (ValueKey vk in CatalogKey.GetValues())
{
list.Add(new OutlookCatalog(user, vk));
}
}
return(list.ToArray());
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static TrustRecord[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string user = RegistryHelper.GetUserHiveOwner(hivePath);
List <TrustRecord> trList = new List <TrustRecord>();
byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
string OfficeVersion = RegistryHelper.GetOfficeVersion(bytes, hivePath);
string[] applications = new string[] { "Word", "Excel", "PowerPoint" };
for (int i = 0; i < applications.Length; i++)
{
try
{
StringBuilder sb = new StringBuilder();
sb.Append(@"Software\Microsoft\Office\").Append(OfficeVersion).Append("\\").Append(applications[i]).Append(@"\Security\Trusted Documents\TrustRecords");
NamedKey nk = NamedKey.Get(bytes, hivePath, sb.ToString());
foreach (ValueKey vk in nk.GetValues(bytes))
{
trList.Add(new TrustRecord(bytes, user, vk));
}
}
catch
{
}
}
return(trList.ToArray());
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}