public void ExpandoTest09()
{
    // Purpose: one wildcard segment between "User MRU" and "File MRU" must expand to exactly one key.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\ntuser.dat";

    // Deleted-record recovery is switched on before parsing.
    // NOTE(review): whether recovered keys can show up in ExpandKeyPath results is not visible here - confirm.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // The pattern is lower-cased before expansion; the expected path is lower-cased as well.
    var pattern = $"Software\\Microsoft\\Office\\16.0\\Excel\\User MRU\\{wildCardChar}\\File MRU".ToLowerInvariant();
    var expectedKey = "ROOT\\Software\\Microsoft\\Office\\16.0\\Excel\\User MRU\\AD_B8387EDCD97012482021633037177683B71660DC7C410BE924536ACDF94CD5B4\\File MRU".ToLowerInvariant();

    var matches = hive.ExpandKeyPath(pattern);

    Check.That(matches.Count).IsEqualTo(1);
    Check.That(matches.First()).IsEqualTo(expectedKey);
}
public void ExpandoTest07()
{
    // Purpose: a wildcard at the start of the last segment ("<wildcard>mss") must match a single key.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\system_registry_hive";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // The pattern is passed in mixed case while the expected value is lower-cased and carries
    // the root key name as its first segment.
    var expectedKey = "$$$PROTO.HIV\\Setup\\AllowStart\\SamSs".ToLowerInvariant();

    var matches = hive.ExpandKeyPath($"Setup\\AllowStart\\{wildCardChar}mss");

    Check.That(matches.Count).IsEqualTo(1);
    Check.That(matches.First()).IsEqualTo(expectedKey);
}
public void ExpandoTest15()
{
    // Purpose: the wildcard must match a key whose real name begins with a literal '*' ("*FlowControl").
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\SYSTEM_loneWolf";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // The class GUID part stays a plain literal so its braces are not read as interpolation holes;
    // only the tail, which embeds wildCardChar, is interpolated.
    var classGuidPrefix = "ControlSet001\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}";
    var wildcardTail = $"\\0001\\Ndi\\Params\\{wildCardChar}FlowControl";
    var expectedKey = @"ROOT\ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001\Ndi\Params\*FlowControl".ToLowerInvariant();

    var matches = hive.ExpandKeyPath(classGuidPrefix + wildcardTail);

    Check.That(matches.Count).IsEqualTo(1);
    Check.That(matches.First()).IsEqualTo(expectedKey);
}
public void ExpandoTest14()
{
    // Purpose: a pattern without any wildcard must yield exactly one result.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\ntuser.dat";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // No wildcard is present, and the pattern ends with a trailing backslash.
    // NOTE(review): only the count is asserted; which key comes back is not checked here.
    var pattern = "Software\\Microsoft\\Office\\16.0\\Excel\\User MRU\\AD_B8387EDCD97012482021633037177683B71660DC7C410BE924536ACDF94CD5B4\\";

    var matches = hive.ExpandKeyPath(pattern);

    Check.That(matches.Count).IsEqualTo(1);
}
public void ExpandoTest11()
{
    // Purpose: a key name that itself contains "(*.dbf)" must come back as exactly one key.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\SOFTWARE_win10";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // The '*' here belongs to the key name; the single expected result suggests it is not
    // treated as the wildcard (presumably wildCardChar is a different character - confirm).
    var pattern = "WOW6432Node\\ODBC\\ODBCINST.INI\\Microsoft dBase Driver (*.dbf)";
    var expectedKey = @"ROOT\WOW6432Node\ODBC\ODBCINST.INI\Microsoft dBase Driver (*.dbf)".ToLowerInvariant();

    var matches = hive.ExpandKeyPath(pattern);

    Check.That(matches.Count).IsEqualTo(1);
    Check.That(matches.First()).IsEqualTo(expectedKey);
}
public void ExpandoTest10()
{
    // Purpose: two consecutive wildcard segments (Office version and application) must expand to three keys.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\ntuser.dat";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // The pattern starts with upper-case "SOFTWARE" while the expected key is lower-cased.
    var pattern = $"SOFTWARE\\Microsoft\\Office\\{wildCardChar}\\{wildCardChar}\\User MRU";
    var expectedFirst = @"ROOT\Software\Microsoft\Office\16.0\Excel\User MRU".ToLowerInvariant();

    var matches = hive.ExpandKeyPath(pattern);

    // Only the first of the three results is pinned; this relies on the order ExpandKeyPath returns.
    Check.That(matches.Count).IsEqualTo(3);
    Check.That(matches.First()).IsEqualTo(expectedFirst);
}
public void ExpandoTest01()
{
    // Purpose: a trailing '*' inside the first segment ("ControlSet00*") must expand to both control sets.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\system_registry_hive";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    var matches = hive.ExpandKeyPath("ControlSet00*\\Services");

    // Expected paths keep their original case and have no root key prefix.
    // First/Last rely on the order ExpandKeyPath returns.
    Check.That(matches.Count).IsEqualTo(2);
    Check.That(matches.First()).IsEqualTo("ControlSet001\\Services");
    Check.That(matches.Last()).IsEqualTo("ControlSet002\\Services");
}
public void ExpandoTest01()
{
    // Purpose: a wildcard at the end of the first segment ("ControlSet00<wildcard>") must expand to both control sets.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\system_registry_hive";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // Expected paths are lower-cased and carry the root key name as their first segment.
    var expectedFirst = "$$$PROTO.HIV\\ControlSet001\\Services".ToLowerInvariant();
    var expectedLast = "$$$PROTO.HIV\\ControlSet002\\Services".ToLowerInvariant();

    var matches = hive.ExpandKeyPath($"ControlSet00{wildCardChar}\\Services");

    // First/Last rely on the order ExpandKeyPath returns.
    Check.That(matches.Count).IsEqualTo(2);
    Check.That(matches.First()).IsEqualTo(expectedFirst);
    Check.That(matches.Last()).IsEqualTo(expectedLast);
}
public void ExpandoTest13()
{
    // Purpose: a '*' as the final segment must list the two subkeys of one Excel "User MRU" identity key.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"C:\Temp\NTUSER.DAT";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    var pattern = @"Software\Microsoft\Office\16.0\Excel\User MRU\LiveId_2709CD201D69E509465D3C60D830CE2490A74738D87E3C8A95FEFEA94316F09F\*";
    var expectedFirst = @"Software\Microsoft\Office\16.0\Excel\User MRU\LiveId_2709CD201D69E509465D3C60D830CE2490A74738D87E3C8A95FEFEA94316F09F\File MRU";
    var expectedLast = @"Software\Microsoft\Office\16.0\Excel\User MRU\LiveId_2709CD201D69E509465D3C60D830CE2490A74738D87E3C8A95FEFEA94316F09F\Place MRU";

    var matches = hive.ExpandKeyPath(pattern);

    // Expected paths keep their original case and have no root key prefix.
    // First/Last rely on the order ExpandKeyPath returns.
    Check.That(matches.Count).IsEqualTo(2);
    Check.That(matches.First()).IsEqualTo(expectedFirst);
    Check.That(matches.Last()).IsEqualTo(expectedLast);
}
public void ExpandoTest16()
{
    // Purpose: a '*' that is part of a real key name ("*FlowControl") followed by a '*' final
    // segment must resolve to the single "Enum" subkey.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"C:\Temp\SYSTEM_loneWolf";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    //TODO try to get this to work, if you do, remove WithoutWildCard
    var pattern = @"ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001\Ndi\Params\*FlowControl\*";
    var expectedKey = @"ControlSet001\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001\Ndi\Params\*FlowControl\Enum";

    var matches = hive.ExpandKeyPath(pattern);

    Check.That(matches.Count).IsEqualTo(1);
    Check.That(matches.First()).IsEqualTo(expectedKey);
}
public void ExpandoTestOneOff()
{
    // Purpose: a wildcard in the middle of a BagMRU path ("BagMRU\<wildcard>\0\0") must expand to three keys.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\AdminUsrClass.dat";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // Expected paths are lower-cased and begin with the hive's "<SID>_Classes" root key name.
    var expectedFirst = "S-1-5-21-2036804247-3058324640-2116585241-500_Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\0\\0\\0".ToLowerInvariant();
    var expectedLast = @"S-1-5-21-2036804247-3058324640-2116585241-500_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0".ToLowerInvariant();

    var matches = hive.ExpandKeyPath($"Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU\\{wildCardChar}\\0\\0");

    // First/Last rely on the order ExpandKeyPath returns; the middle result is not checked.
    Check.That(matches.Count).IsEqualTo(3);
    Check.That(matches.First()).IsEqualTo(expectedFirst);
    Check.That(matches.Last()).IsEqualTo(expectedLast);
}
public void ExpandoTest06()
{
    // Purpose: a leading '*' in the last segment ("*ss") must match both keys ending in "ss".
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\system_registry_hive";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    var matches = hive.ExpandKeyPath(@"Setup\AllowStart\*ss");

    // "SamSs" is expected for the lower-case pattern "*ss", so the match is expected to ignore case.
    // First/Last rely on the order ExpandKeyPath returns.
    Check.That(matches.Count).IsEqualTo(2);
    Check.That(matches.First()).IsEqualTo(@"Setup\AllowStart\Rpcss");
    Check.That(matches.Last()).IsEqualTo(@"Setup\AllowStart\SamSs");
}
public void ExpandoTest03()
{
    // Purpose: a '*' standing for a whole middle segment must expand to every parent that has a "0001" subkey.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\system_registry_hive";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    var matches = hive.ExpandKeyPath(@"ControlSet001\Control\IDConfigDB\*\0001");

    // Expected paths keep their original case and have no root key prefix.
    // First/Last rely on the order ExpandKeyPath returns.
    Check.That(matches.Count).IsEqualTo(2);
    Check.That(matches.First()).IsEqualTo(@"ControlSet001\Control\IDConfigDB\Alias\0001");
    Check.That(matches.Last()).IsEqualTo(@"ControlSet001\Control\IDConfigDB\Hardware Profiles\0001");
}
public void ExpandoTest03()
{
    // Purpose: a wildcard standing for a whole middle segment must expand to every parent that has a "0001" subkey.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\system_registry_hive";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // Expected paths are lower-cased and carry the root key name as their first segment.
    var expectedFirst = "$$$PROTO.HIV\\ControlSet001\\Control\\IDConfigDB\\Alias\\0001".ToLowerInvariant();
    var expectedLast = "$$$PROTO.HIV\\ControlSet001\\Control\\IDConfigDB\\Hardware Profiles\\0001".ToLowerInvariant();

    var matches = hive.ExpandKeyPath($"ControlSet001\\Control\\IDConfigDB\\{wildCardChar}\\0001");

    // First/Last rely on the order ExpandKeyPath returns.
    Check.That(matches.Count).IsEqualTo(2);
    Check.That(matches.First()).IsEqualTo(expectedFirst);
    Check.That(matches.Last()).IsEqualTo(expectedLast);
}
public void ExpandoTest04()
{
    // Purpose: a '*' in the middle of a segment ("Avg*x86") must match the three service keys listed below.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\system_registry_hive";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // Expected results, in the order ExpandKeyPath is expected to return them.
    var expectedKeys = new[]
    {
        @"ControlSet002\Services\Avgldx86",
        @"ControlSet002\Services\Avgmfx86",
        @"ControlSet002\Services\Avgrkx86"
    };

    var matches = hive.ExpandKeyPath(@"ControlSet002\Services\Avg*x86");

    Check.That(matches.Count).IsEqualTo(3);
    for (var i = 0; i < expectedKeys.Length; i++)
    {
        Check.That(matches[i]).IsEqualTo(expectedKeys[i]);
    }
}
public void ExpandoTest02()
{
    // Purpose: a trailing '*' in the last segment ("aic*") must match both service keys with that prefix.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\system_registry_hive";

    // Deleted-record recovery is switched on before parsing.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    var matches = hive.ExpandKeyPath("ControlSet002\\Services\\aic*");

    // Expected paths keep their original case and have no root key prefix.
    // First/Last rely on the order ExpandKeyPath returns.
    Check.That(matches.Count).IsEqualTo(2);
    Check.That(matches.First()).IsEqualTo(@"ControlSet002\Services\aic78u2");
    Check.That(matches.Last()).IsEqualTo(@"ControlSet002\Services\aic78xx");
}
public void ExpandoTestOneOff2()
{
    // Purpose: "Classes\<wildcard>\OpenWithProgIds" must expand to 95 keys in the sample SOFTWARE hive.
    // NOTE(review): the original comment here named a BagMRU path
    // (Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0), which does not match the
    // pattern under test; it looks left over from another test.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\SOFTWARE_win10";

    // Deleted-record recovery is switched on before parsing.
    // NOTE(review): if recovered keys can appear in the results, the exact count of 95 depends on it - confirm.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    var expectedFirst = "ROOT\\Classes\\.3g2\\OpenWithProgIds".ToLowerInvariant();
    var expectedLast = "ROOT\\Classes\\.zip\\OpenWithProgIds".ToLowerInvariant();

    var matches = hive.ExpandKeyPath($"Classes\\{wildCardChar}\\OpenWithProgIds");

    // Only the two ends of the result list are pinned; they rely on the order ExpandKeyPath returns.
    Check.That(matches.Count).IsEqualTo(95);
    Check.That(matches.First()).IsEqualTo(expectedFirst);
    Check.That(matches.Last()).IsEqualTo(expectedLast);
}
public void ExpandoTestRedux01()
{
    // Purpose: wildcards in the first and third segments ("<wildcard>\shell\<wildcard>\command")
    // must expand to 224 keys in the sample UsrClass hive.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\UsrClassXWFPath.dat";

    // Deleted-record recovery is switched on before parsing.
    // NOTE(review): if recovered keys can appear in the results, the exact count of 224 depends on it - confirm.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // The first expected match sits under a key literally named "*", so the wildcard has to
    // match that name as well as ordinary class names.
    var expectedFirst = "s-1-5-21-238543598-4054144643-4261915534-1114_classes\\*\\shell\\editpad\\command".ToLowerInvariant();
    var expectedLast = "s-1-5-21-238543598-4054144643-4261915534-1114_classes\\zoomrecording\\shell\\open\\command".ToLowerInvariant();

    var matches = hive.ExpandKeyPath($"{wildCardChar}\\shell\\{wildCardChar}\\command");

    // Only the two ends of the result list are pinned; they rely on the order ExpandKeyPath returns.
    Check.That(matches.Count).IsEqualTo(224);
    Check.That(matches.First()).IsEqualTo(expectedFirst);
    Check.That(matches.Last()).IsEqualTo(expectedLast);
}
public void ExpandoTestOneOff3()
{
    // Purpose: "Classes\<wildcard>\ShellEx" must expand to 187 keys in the sample SOFTWARE hive.
    // NOTE(review): the original comment here named a BagMRU path
    // (Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0), which does not match the
    // pattern under test; it looks left over from another test.
    // NOTE(review): absolute path to a local sample hive; the test only runs where this file exists.
    var hivePath = @"D:\SynologyDrive\Registry\ExpandoTestHives\SOFTWARE_win10";

    // Deleted-record recovery is switched on before parsing.
    // NOTE(review): if recovered keys can appear in the results, the exact count of 187 depends on it - confirm.
    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    // The first expected match sits under a key literally named "*".
    var expectedFirst = "root\\classes\\*\\shellex".ToLowerInvariant();
    var expectedLast = "root\\classes\\wshfile\\shellex".ToLowerInvariant();

    var matches = hive.ExpandKeyPath($"Classes\\{wildCardChar}\\ShellEx");

    // Only the two ends of the result list are pinned; they rely on the order ExpandKeyPath returns.
    Check.That(matches.Count).IsEqualTo(187);
    Check.That(matches.First()).IsEqualTo(expectedFirst);
    Check.That(matches.Last()).IsEqualTo(expectedLast);
}