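public override bool Process() {
    // Reports the NtfsEncryptPagingFile value of the current key and whether
    // it says the paging file is encrypted (value == 1).
    // The data is type-tested instead of hard-unboxed with (uint): a value of
    // an unexpected type in a malformed or tampered hive is reported rather
    // than aborting the plugin with InvalidCastException.
    // Returns true unconditionally, like the other Process() overrides.
    RegistryValue value = Key.GetValue("NtfsEncryptPagingFile");
    if (null == value) {
        this.Reporter.Write("NtfsEncryptPagingFileというValueは見つかりませんでした。");
        return true;
    }
    object data = value.GetDataAsObject();
    if (!(data is uint)) {
        // Not a DWORD (or no data at all): show what is there instead of guessing.
        string shown = (null == data) ? "(データなし)" : data.ToString();
        this.Reporter.Write("NtfsEncryptPagingFile : " + shown + " (DWORDではありません)");
        return true;
    }
    uint setting = (uint)data;
    // Print the actual number; the original printed "0" for every non-1 value.
    this.Reporter.Write("NtfsEncryptPagingFile : " + setting.ToString());
    if (1 == setting) {
        this.Reporter.Write("RESULT : Pagefile.sysは暗号化されています。");
    } else {
        this.Reporter.Write("RESULT : Pagefile.sysは暗号化されていません。");
    }
    return true;
}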
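public override bool Process() {
    // Dumps the default "open" command registered for each executable-type
    // file class below (Classes\<ext>file\shell\open\command, relative to
    // RootKey) together with the key's last-write time.
    // NOTE(review): a launcher other than the plain "%1" %* form is a classic
    // hijack point and deserves a closer look — confirm against a known-good
    // baseline for the OS version being examined.
    string[] commands = { "exe", "cmd", "bat", "hta", "pif" };
    foreach (string command in commands) {
        string keyPath = "Classes\\" + command + "file\\shell\\open\\command";
        RegistryKey key = RootKey.GetSubkey(keyPath);
        if (null == key) {
            Reporter.Write(keyPath + " キーは見つかりませんでした。");
            continue;
        }
        Reporter.Write(keyPath);
        Reporter.Write("最終更新日時: " + Library.TransrateTimestamp(key.Timestamp, TimeZoneBias, OutputUtc));
        RegistryValue value = key.GetValue("(Default)");
        // GetDataAsObject() can return null; guard before ToString() so a
        // value with no data is reported instead of throwing.
        object data = (null == value) ? null : value.GetDataAsObject();
        if (null != data) {
            Reporter.Write("\tCmd: " + data.ToString());
        } else {
            Reporter.Write(command + "にはVALUEがありませんでした。");
        }
    }
    Reporter.Write("");
    return true;
}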
public override bool Process() {
    // Shows the fDenyTSConnections value of the current key together with the
    // key's path and last-write time (the time is printed twice, under two
    // labels, as the report format expects).
    // NOTE(review): the value is printed raw; it is commonly read as
    // 0 = remote desktop connections allowed, 1 = denied — confirm before
    // relying on that reading.
    Reporter.Write("キーのパス:" + KeyPath);
    Reporter.Write("キーの最終更新日時:" + Library.TransrateTimestamp(Key.Timestamp, TimeZoneBias, OutputUtc));
    Reporter.Write("");
    Reporter.Write(KeyPath + " キー, fDenyTSConnections VALUE を表示します。");
    Reporter.Write("LastWrite Time " + Library.TransrateTimestamp(Key.Timestamp, TimeZoneBias, OutputUtc));

    RegistryValue value = Key.GetValue("fDenyTSConnections");
    if (null == value) {
        // Note the trailing space: this message differs from the one below.
        Reporter.Write("fDenyTSConnections VALUE はありませんでした。 ");
        return true;
    }
    object data = value.GetDataAsObject();
    if (null == data) {
        Reporter.Write("fDenyTSConnections VALUE はありませんでした。");
        return true;
    }
    Reporter.Write(" fDenyTSConnections = " + data.ToString());
    return true;
}
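public override bool Process() {
    // Prints the "Version" value of the current key (reported as the IE
    // version), then the "Compatibility Flags" DWORD of every ActiveX control
    // GUID in GUIDS, read from <key>\ActiveX Compatibility\<guid>.
    // NOTE(review): the flags are printed raw in hex; 0x400 is commonly
    // described as the ActiveX kill bit — confirm against vendor documentation.
    // The unused local `version` from the original is dropped, and the flags
    // are type-tested rather than hard-unboxed so a non-DWORD value (malformed
    // or tampered hive) is reported instead of throwing InvalidCastException.
    RegistryValue value = this.Key.GetValue("Version");
    object versionData = (null == value) ? null : value.GetDataAsObject();
    if (null != versionData) {
        this.Reporter.Write("IE Version = " + versionData.ToString());
    } else {
        this.Reporter.Write("IE Version は見つかりませんでした。");
    }
    this.Reporter.Write("");

    foreach (string guid in GUIDS) {
        RegistryKey subkey = this.Key.GetSubkey("ActiveX Compatibility\\" + guid);
        if (null == subkey) {
            this.Reporter.Write(guid + " は見つかりませんでした。");
            this.Reporter.Write("");
            continue;
        }
        this.Reporter.Write("GUID: " + guid);
        value = subkey.GetValue("Compatibility Flags");
        object flags = (null == value) ? null : value.GetDataAsObject();
        if (flags is uint) {
            this.Reporter.Write("Compatibility Flags 0x" + ((uint)flags).ToString("X8"));
        } else if (null != flags) {
            // Present but not a DWORD: say so rather than mis-decode it.
            this.Reporter.Write("Compatibility Flags (DWORDではありません) " + flags.ToString());
        } else {
            this.Reporter.Write("Compatibility Flags は見つかりませんでした。");
        }
        this.Reporter.Write("");
    }
    return true;
}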
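public override bool Process() {
    // Reports the key last opened in RegEdit, taken from the "LastKey" value
    // of the current key. Nothing is written when the value is absent; a
    // value with no data is likewise skipped instead of throwing on
    // ToString() (GetDataAsObject() can return null).
    RegistryValue value = this.Key.GetValue("LastKey");
    if (null == value) {
        return true;
    }
    object data = value.GetDataAsObject();
    if (null != data) {
        this.Reporter.Write("RegEdit で最後に閲覧した値 -> " + data.ToString());
    }
    return true;
}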
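public override bool Process() {
    // Dumps every value of the current key, then walks <key>\Volume\<subkey>
    // and reports each volume subkey's last-write time and its NukeOnDelete
    // value. NOTE(review): NukeOnDelete is presumably the per-volume
    // "delete immediately, bypass the recycle bin" switch — confirm.
    RegistryValue[] values = Key.GetListOfValues();
    if (null != values && 0 < values.Length) {
        foreach (RegistryValue value in values) {
            Reporter.Write(value.Name + " : " + value.GetDataAsString());
        }
    } else {
        Library.WriteNoValue(KeyPath, Reporter);
    }
    Reporter.Write("");

    RegistryKey volumeKey = Key.GetSubkey("Volume");
    if (null == volumeKey) {
        Reporter.Write(KeyPath + "\\Volume サブキーにはアクセスできませんでした。");
        return true;
    }
    RegistryKey[] subkeys = volumeKey.GetListOfSubkeys();
    if (null == subkeys || 0 == subkeys.Length) {
        Library.WriteNoValue(KeyPath + "\\Volume", Reporter);
        return true;
    }
    foreach (RegistryKey subkey in subkeys) {
        Reporter.Write(subkey.Name + " [" + Library.TransrateTimestamp(subkey.Timestamp, TimeZoneBias, OutputUtc) + "]");
        RegistryValue nukeValue = subkey.GetValue("NukeOnDelete");
        // GetDataAsObject() can return null; treat that like a missing value
        // instead of throwing on ToString().
        object data = (null == nukeValue) ? null : nukeValue.GetDataAsObject();
        if (null != data) {
            Reporter.Write(" NukeOnDelete " + data.ToString());
        } else {
            // The original message started with a bare "\" — the volume name it
            // was evidently meant to carry is now included.
            Reporter.Write(subkey.Name + "\\NukeOnDelete ではVALUEを取得できませんでした。");
        }
    }
    return true;
}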
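public override bool Process() {
    // Reports the "load" and "run" values of the current key. Per the
    // original author's (commented-out) note these should normally be empty;
    // anything listed gets run when the user logs in, so a non-empty value is
    // a persistence indicator worth examining.
    WriteLogonValue("load");
    WriteLogonValue("run");
    return true;
}

// Writes "<name> value = <data>" for the named value of this.Key, or the
// "not found" message when the value is missing or carries no data
// (GetDataAsObject() can return null; ToString() on it would throw).
private void WriteLogonValue(string name) {
    RegistryValue value = this.Key.GetValue(name);
    object data = (null == value) ? null : value.GetDataAsObject();
    if (null != data) {
        this.Reporter.Write(name + " value = " + data.ToString());
    } else {
        this.Reporter.Write(name + " VALUEは見つかりませんでした。");
    }
}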
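public override bool Process() {
    // Reports the "Logon User Name" value of the current key, or the
    // standard "no value" line when it is missing or has no data
    // (GetDataAsObject() can return null; ToString() on it would throw).
    RegistryValue value = Key.GetValue("Logon User Name");
    object data = (null == value) ? null : value.GetDataAsObject();
    if (null != data) {
        Reporter.Write("Logon User Name = " + data.ToString());
    } else {
        Library.WriteNoValue(KeyPath, Reporter);
    }
    return true;
}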
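public override bool Process() {
    // Lists every subkey of the current key grouped by last-write time, newest
    // group first. Each entry is printed as "<subkey name> [<default value>]"
    // under a date line; consecutive groups whose timestamps format to the
    // same string share one date line. Groups are keyed on the raw double
    // Key.Timestamp value.
    RegistryKey[] subkeys = Key.GetListOfSubkeys();
    if (null == subkeys || 0 == subkeys.Length) {
        Reporter.Write(KeyPath + " にはサブキーがありませんでした。");
        return true;
    }

    Dictionary<double, List<string>> byTimestamp = new Dictionary<double, List<string>>();
    foreach (RegistryKey subkey in subkeys) {
        RegistryValue value = subkey.GetValue("(Default)");
        // GetDataAsObject() can return null; treat that like a missing value
        // instead of throwing on ToString().
        object data = (null == value) ? null : value.GetDataAsObject();
        string entry = subkey.Name + " [" + ((null == data) ? string.Empty : data.ToString()) + "]";
        List<string> group;
        if (!byTimestamp.TryGetValue(subkey.Timestamp, out group)) {
            group = new List<string>();
            byTimestamp.Add(subkey.Timestamp, group);
        }
        group.Add(entry);
    }

    // Descending sort: newest last-write time first.
    List<KeyValuePair<double, List<string>>> sorted = new List<KeyValuePair<double, List<string>>>(byTimestamp);
    sorted.Sort(
        delegate(KeyValuePair<double, List<string>> first, KeyValuePair<double, List<string>> next) {
            return next.Key.CompareTo(first.Key);
        }
    );

    string precedent = string.Empty;
    foreach (KeyValuePair<double, List<string>> pair in sorted) {
        string gmtdate = Library.TransrateTimestamp(pair.Key, TimeZoneBias, OutputUtc);
        if (!precedent.Equals(gmtdate)) {
            Reporter.Write(gmtdate);
            precedent = gmtdate;
        }
        foreach (string item in pair.Value) {
            Reporter.Write(" " + item);
        }
    }
    return true;
}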
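private void Recursive(RegistryKey key, string path, string folderName) {
    // Walks one BagMRU node. First the values of the matching Bags\<NodeSlot>\Shell
    // key are printed, then this node's MRUListEx is decoded: each entry names a
    // child value/subkey, the child's folder name is recovered from the value's
    // binary data, and the walk recurses into the child subkey.
    //
    // key        : the BagMRU node being examined
    // path       : registry path of the BagMRU root; "...MRU" is turned into
    //              "...s\<slot>\Shell" by dropping its last three characters
    //              (NOTE(review): presumes path ends in "MRU" — confirm in callers)
    // folderName : folder path reconstructed so far for the node in `key`
    //
    // Everything read here comes from the hive under examination, so every
    // access is bounds- and type-checked: a truncated or deliberately malformed
    // entry is logged and skipped instead of aborting the whole walk with an
    // exception (a crash on crafted data would hide the rest of the bags).
    ReportBagSlot(key, path, folderName);

    RegistryValue mruValue = key.GetValue("MRUListEx");
    if (null == mruValue) {
        return;
    }
    byte[] mruData = mruValue.GetDataAsObject() as byte[];
    if (null == mruData) {
        Logger.Write(LogLevel.WARNING, "MRUListEx のデータを取得できませんでした。");
        return;
    }

    // MRUListEx is consumed as 4-byte entries (the original stepped by 4 but
    // converted each entry with ToUInt16, silently dropping the upper two
    // bytes). A trailing partial entry is ignored rather than read past the end.
    for (int offset = 0; offset + 4 <= mruData.Length; offset += 4) {
        uint mru = BitConverter.ToUInt32(mruData, offset);
        string mruName = mru.ToString();
        // Each entry is a sibling under `key`, so its name is derived from this
        // node's folderName, not from the previous sibling's result (the
        // original appended every sibling's name to one running variable).
        string childName = folderName;

        RegistryValue value = key.GetValue(mruName);
        if (null != value) {
            byte[] bytes = value.GetDataAsObject() as byte[];
            if (null == bytes || 0 == bytes.Length) {
                Logger.Write(LogLevel.WARNING, mruName + " のデータが空か、バイナリではありません。");
            } else if (0x19 == bytes[0]) {
                // Type byte 0x19: the original restarts the path from the three
                // ASCII bytes at offset 3 (presumably a "C:\"-style root — confirm
                // against the shell item format) and flags one found below a
                // non-empty folder as suspicious.
                if (bytes.Length < 6) {
                    Logger.Write(LogLevel.WARNING, mruName + " のデータが短すぎます。");
                } else {
                    if (0 < folderName.Length) {
                        Logger.Write(LogLevel.WARNING, folderName + " / " + mruName + "は怪しげです。");
                    }
                    childName = Encoding.ASCII.GetString(bytes, 3, 3);
                }
            } else {
                string itemName = ExtractItemName(bytes);
                childName = (0 < folderName.Length) ? folderName + @"\" + itemName : itemName;
            }
        }

        RegistryKey subKey = key.GetSubkey(mruName);
        if (null != subKey) {
            Recursive(subKey, path, childName);
        }
    }
}

// Prints the values of Bags\<NodeSlot>\Shell for `key`, when the node has a
// NodeSlot value and that key exists. REG_BINARY data is shown as spaced hex;
// each value is formatted in its own buffer (the original reused one
// StringBuilder across the loop, so every binary value after the first was
// printed with all earlier values' bytes prepended).
private void ReportBagSlot(RegistryKey key, string path, string folderName) {
    RegistryValue slotValue = key.GetValue("NodeSlot");
    if (null == slotValue) {
        return;
    }
    object slot = slotValue.GetDataAsObject();
    if (null == slot) {
        Logger.Write(LogLevel.WARNING, "NodeSlot のデータを取得できませんでした。");
        return;
    }
    if (path.Length < 3) {
        // path.Remove(path.Length - 3) below would throw on a shorter path.
        Logger.Write(LogLevel.WARNING, "BagMRU のパスが短すぎます: " + path);
        return;
    }
    RegistryKey bagKey = RootKey.GetSubkey(path.Remove(path.Length - 3) + @"s\" + slot.ToString() + @"\Shell");
    if (null == bagKey) {
        return;
    }
    RegistryValue[] bagValues = bagKey.GetListOfValues();
    if (null == bagValues) {
        return;
    }
    Reporter.Write(" FolderName : " + ((0 != folderName.Length) ? folderName : "デスクトップ?"));
    Reporter.Write(" [ValueList]");
    foreach (RegistryValue bagValue in bagValues) {
        string dataString = (Constants.REG_BINARY != bagValue.Type)
            ? bagValue.GetDataAsString()
            : ToHexString(bagValue.Data);
        Reporter.Write(" " + bagValue.Name + " : " + dataString);
    }
    Reporter.Write("");
}

// Formats bytes as upper-case hex pairs separated by single spaces; a null
// array yields the empty string.
private static string ToHexString(byte[] bytes) {
    StringBuilder builder = new StringBuilder();
    if (null != bytes) {
        foreach (byte item in bytes) {
            if (0 < builder.Length) {
                builder.Append(" ");
            }
            builder.Append(item.ToString("X2"));
        }
    }
    return builder.ToString();
}

// Recovers the UTF-16 name embedded in a non-0x19 shell item exactly as the
// original scan did: skip to the first 14 00 00 00 marker, then copy bytes up
// to and including the first 0x00 that is followed by another 0x00 (or by the
// end of the data). Returns the empty string when no marker is found.
// NOTE(review): the scan is not aligned to 2-byte code units, so an odd-length
// cut is possible — behaviour kept as-is.
private static string ExtractItemName(byte[] bytes) {
    List<byte> nameBytes = new List<byte>();
    bool started = false;
    for (int i = 4; i < bytes.Length; i++) {
        if (!started && 0x14 == bytes[i - 4] && 0x00 == bytes[i - 3] && 0x00 == bytes[i - 2] && 0x00 == bytes[i - 1]) {
            started = true;
        }
        if (!started) {
            continue;
        }
        nameBytes.Add(bytes[i]);
        // The original read bytes[i + 1] here without a bounds check and threw
        // IndexOutOfRangeException on a value whose last byte is 0x00.
        if (0x00 == bytes[i] && (i + 1 >= bytes.Length || 0x00 == bytes[i + 1])) {
            break;
        }
    }
    return Encoding.Unicode.GetString(nameBytes.ToArray());
}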