/// <summary> /// /// </summary> /// <param name="hivePath"></param> /// <returns></returns> public static NetworkList[] GetInstancesByPath(string hivePath) { if (RegistryHelper.isCorrectHive(hivePath, "SOFTWARE")) { string Key = @"Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures"; byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath); NamedKey[] SignatureKey = NamedKey.GetInstances(bytes, hivePath, Key); List <NetworkList> nlList = new List <NetworkList>(); foreach (NamedKey key in SignatureKey) { if (key.NumberOfSubKeys != 0) { foreach (NamedKey nk in key.GetSubKeys(bytes)) { nlList.Add(new NetworkList(nk, bytes)); } } } return(nlList.ToArray()); } else { throw new Exception("Invalid SOFTWARE hive provided to -HivePath parameter."); } }
/// <summary> /// /// </summary> /// <param name="hivePath"></param> /// <returns></returns> public static UserAssist[] Get(string hivePath) { if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT")) { List <UserAssist> uaList = new List <UserAssist>(); string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"; byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath); NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key); foreach (NamedKey key in FileSubKey) { foreach (NamedKey nk in key.GetSubKeys(bytes)) { if (nk.NumberOfValues != 0) { foreach (ValueKey vk in nk.GetValues(bytes)) { uaList.Add(new UserAssist(RegistryHelper.GetUserHiveOwner(hivePath), vk, bytes)); } } } } return(uaList.ToArray()); } else { throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter."); } }
public static UserAssist[] GetInstances(string hivePath) { List <UserAssist> uaList = new List <UserAssist>(); string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"; byte[] bytes = Registry.Helper.GetHiveBytes(hivePath); NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key); foreach (NamedKey key in FileSubKey) { foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName)) { if (nk.NumberOfValues != 0) { foreach (ValueKey vk in nk.GetValues(bytes)) { uaList.Add(new UserAssist(vk, bytes)); } } } } return(uaList.ToArray()); }
public static Amcache[] GetInstancesByPath(string hivePath) { if (RegistryHeader.Get(hivePath).HivePath.Contains("Amcache.hve")) { string Key = @"Root\File"; byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath); NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key); List <Amcache> amcacheList = new List <Amcache>(); foreach (NamedKey key in FileSubKey) { if (key.NumberOfSubKeys != 0) { foreach (NamedKey nk in key.GetSubKeys(bytes)) { amcacheList.Add(new Amcache(nk, bytes)); } } } return(amcacheList.ToArray()); } else { throw new Exception("Invalid Amcache.hve hive provided to -HivePath parameter."); } }
public static string[] GetInstances(string hivePath) { string Key = @"Software\Microsoft\Internet Explorer"; byte[] bytes = Registry.Helper.GetHiveBytes(hivePath); NamedKey[] keys = NamedKey.GetInstances(bytes, hivePath, Key); string[] urls = new string[0]; foreach (NamedKey nk in keys) { if (nk.Name == "TypedURLs") { urls = new string[nk.NumberOfValues]; ValueKey[] vkArray = nk.GetValues(bytes); for (int i = 0; i < vkArray.Length; i++) { urls[i] = Encoding.Unicode.GetString(vkArray[i].GetData(bytes)); } } } return(urls); }
/// <summary> /// The ProcessRecord instantiates a FileRecord objects that /// corresponds to the file(s) that is/are specified. /// </summary> protected override void ProcessRecord() { if (ParameterSetName == "Path") { if (!(MyInvocation.BoundParameters.ContainsKey("Key"))) { key = null; } WriteObject(NamedKey.GetInstances(path, key)); } }
/// <summary> /// The ProcessRecord instantiates a FileRecord objects that /// corresponds to the file(s) that is/are specified. /// </summary> protected override void ProcessRecord() { if (recurse) { WriteObject(NamedKey.GetInstancesRecurse(path)); } else { if (!(MyInvocation.BoundParameters.ContainsKey("Key"))) { key = null; } WriteObject(NamedKey.GetInstances(path, key), true); } }
public static Amcache[] GetInstancesByPath(string hivePath) { string Key = @"Root\File"; byte[] bytes = Registry.Helper.GetHiveBytes(hivePath); NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key); List <Amcache> amcacheList = new List <Amcache>(); foreach (NamedKey key in FileSubKey) { foreach (NamedKey nk in key.GetSubKeys(bytes)) { amcacheList.Add(new Amcache(nk, bytes)); } } return(amcacheList.ToArray()); }
/// <summary> /// The ProcessRecord method reads the raw contents of the Amcache.hve into memory and parses its /// values to create/output AppCompat Objects. /// </summary> protected override void ProcessRecord() { if (!(this.MyInvocation.BoundParameters.ContainsKey("Path"))) { hivePath = @"C:\Windows\AppCompat\Programs\Amcache.hve"; } string Key = @"Root\File"; byte[] bytes = Registry.Helper.GetHiveBytes(hivePath); NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key); foreach (NamedKey key in FileSubKey) { foreach (NamedKey nk in key.GetSubKeys(bytes)) { WriteObject(new AppCompat(nk, bytes)); } } } // ProcessRecord
public static NetworkList[] GetInstances(string hivePath) { string Key = @"Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures"; byte[] bytes = Registry.Helper.GetHiveBytes(hivePath); NamedKey[] SignatureKey = NamedKey.GetInstances(bytes, hivePath, Key); List <NetworkList> nlList = new List <NetworkList>(); foreach (NamedKey key in SignatureKey) { if (key.NumberOfSubKeys != 0) { foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName)) { nlList.Add(new NetworkList(nk, bytes)); } } } return(nlList.ToArray()); }
/// <summary> /// /// </summary> protected override void ProcessRecord() { string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"; byte[] bytes = Registry.Helper.GetHiveBytes(hivePath); NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key); foreach (NamedKey key in FileSubKey) { foreach (NamedKey nk in key.GetSubKeys(bytes)) { if (nk.NumberOfValues != 0) { foreach (ValueKey vk in nk.GetValues(bytes)) { WriteObject(new UserAssist(vk, bytes)); } } } } } // ProcessRecord
/// <summary> /// /// </summary> protected override void ProcessRecord() { if (!(this.MyInvocation.BoundParameters.ContainsKey("Path"))) { hivePath = @"C:\windows\system32\config\SOFTWARE"; } string Key = @"Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures"; byte[] bytes = Registry.Helper.GetHiveBytes(hivePath); NamedKey[] SignatureKey = NamedKey.GetInstances(bytes, hivePath, Key); foreach (NamedKey key in SignatureKey) { if (key.NumberOfSubKeys != 0) { foreach (NamedKey nk in key.GetSubKeys(bytes)) { WriteObject(new NetworkList(nk, bytes)); } } } } // ProcessRecord