public override bool Process()
{
string[] commands = { "exe", "cmd", "bat", "hta", "pif" };
string keyPath = string.Empty;
RegistryValue value = null;
foreach (string command in commands)
{
keyPath = "Classes\\" + command + "file\\shell\\open\\command";
RegistryKey key = RootKey.GetSubkey(keyPath);
if (null != key)
{
Reporter.Write(keyPath);
Reporter.Write("最終更新日時: " + Library.TransrateTimestamp(key.Timestamp, TimeZoneBias, OutputUtc));
value = key.GetValue("(Default)");
if (null != value)
{
Reporter.Write("\tCmd: " + value.GetDataAsObject().ToString());
}
else
{
Reporter.Write(command + "にはVALUEがありませんでした。");
}
}
else
{
Reporter.Write(keyPath + " キーは見つかりませんでした。");
}
}
Reporter.Write("");
return(true);
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="rootKey"></param>
/// <param name="reporter"></param>
/// <param name="logger"></param>
public ClassBase(RegistryKey rootKey, short timeZoneBias, bool outputUtc, Reporter reporter, Logger logger, string currentControlSet = "")
{
if (!string.IsNullOrEmpty(currentControlSet))
{
Current = currentControlSet;
}
Initialize();
_rootKey = rootKey;
_timeZoneBias = timeZoneBias;
_outputUtc = outputUtc;
_reporter = reporter;
_logger = logger;
Reporter.Write(Library.GetClassName(this));
Reporter.Write("キーの説明:" + Description);
if (!string.IsNullOrEmpty(KeyPath))
{
if (PrintKeyInBase)
{
Reporter.Write("キーのパス:" + KeyPath);
}
Key = RootKey.GetSubkey(KeyPath);
if (null != Key)
{
if (PrintKeyInBase)
{
Reporter.Write("キーの最終更新日時:" + Library.TransrateTimestamp(Key.Timestamp, TimeZoneBias, OutputUtc));
Reporter.Write("");
}
}
else
{
Reporter.Write("");
if (!PrintKeyInBase)
{
Reporter.Write("検索したキーのパス:" + KeyPath);
}
Reporter.Write("Keyが見つかりませんでした。");
Reporter.Write("");
}
}
}
public override bool Process()
{
Reporter.Write("MsPaper");
string keyPath = "Software\\Microsoft";
RegistryKey key = RootKey.GetSubkey(keyPath);
if (null != key)
{
RegistryKey[] subkeys = key.GetListOfSubkeys();
if (null != subkeys && 0 < subkeys.Length)
{
bool hasValue = false;
foreach (RegistryKey subkey in subkeys)
{
string name = subkey.Name;
if (name.StartsWith("MSPaper"))
{
hasValue = true;
string mspKeyPath = subkey.Name + "\\Recent File List";
RegistryKey mspKey = key.GetSubkey(mspKeyPath);
if (null != mspKey)
{
Reporter.Write("表す値:MSPaperの直近の履歴");
Reporter.Write("キーのパス:" + keyPath + "\\" + mspKeyPath);
Reporter.Write("最終更新日:" + Library.TransrateTimestamp(mspKey.Timestamp, TimeZoneBias, OutputUtc));
RegistryValue[] values = mspKey.GetListOfValues();
if (null != values && 0 < values.Length)
{
List <KeyValuePair <ushort, string> > list = new List <KeyValuePair <ushort, string> >();
// Retrieve values and load into a hash for sorting
string mspName;
string source = string.Empty;
ushort serial;
foreach (RegistryValue value in values)
{
mspName = value.Name;
if (mspName.StartsWith("File"))
{
source = mspName.Substring(4);
if (ushort.TryParse(source, out serial))
{
list.Add(new KeyValuePair <ushort, string>(serial, value.GetDataAsObject().ToString()));
}
}
}
list.Sort(
delegate(KeyValuePair <ushort, string> first, KeyValuePair <ushort, string> next) {
return(first.Key.CompareTo(next.Key));
}
);
// Print sorted content to report file
foreach (KeyValuePair <ushort, string> pair in list)
{
Reporter.Write(" File" + pair.Key.ToString() + " -> " + pair.Value);
}
}
else
{
Reporter.Write(keyPath + "\\" + mspKeyPath + " にはVALUEがありませんでした。");
Reporter.Write("");
}
}
else
{
Reporter.Write(keyPath + "\\" + mspKeyPath + " キーは見つかりませんでした。");
Reporter.Write("");
}
}
}
if (!hasValue)
{
Reporter.Write("SOFTWARE\\Microsoft\\MSPaper* から始まるキーは見つかりませんでした。");
Reporter.Write("");
}
}
else
{
// そんな状況ありえへんと思うが
Reporter.Write(keyPath + " にはサブキーがありませんでした。");
}
}
else
{
// そんな状況ありえへんと思うが
Reporter.Write(keyPath + " キーは見つかりませんでした。");
}
return(true);
}
public override bool Process()
{
RegistryKey[] subkeys = Key.GetListOfSubkeys();
RegistryKey clsIdKey = null;
string clsIdPath = string.Empty;
Dictionary <string, object> dictionary = new Dictionary <string, object>();
if (null != subkeys && 0 < subkeys.Length)
{
foreach (RegistryKey subkey in subkeys)
{
if (subkey.Name.StartsWith("-"))
{
continue;
}
clsIdPath = "Classes\\CLSID\\" + subkey.Name;
clsIdKey = RootKey.GetSubkey(clsIdPath);
if (null != clsIdKey)
{
dictionary.Clear();
try {
dictionary.Add("clsId", clsIdKey.GetValue("(Default)").GetDataAsObject().ToString());
} catch (Exception ex) {
dictionary.Add("clsId", string.Empty);
Logger.Write(LogLevel.ERROR, "\tError getting Class name for CLSID\\" + clsIdKey.Name + " : " + ex.Message);
}
try {
dictionary.Add("module", clsIdKey.GetSubkey("InProcServer32").GetValue("(Default)").GetDataAsObject().ToString());
} catch (Exception ex) {
dictionary.Add("module", string.Empty);
Logger.Write(LogLevel.ERROR, "Error getting Module name for CLSID\\" + clsIdKey.Name + " : " + ex.Message);
}
try {
dictionary.Add("timestamp", Library.TransrateTimestamp(clsIdKey.GetSubkey("InProcServer32").Timestamp, TimeZoneBias, OutputUtc));
} catch (Exception ex) {
dictionary.Add("timestamp", string.Empty);
Logger.Write(LogLevel.ERROR, "\tError getting LastWrite time for CLSID\\" + clsIdKey.Name + " : " + ex.Message);
}
Reporter.Write(subkey.Name);
Reporter.Write("\tクラス => " + dictionary["clsId"].ToString());
Reporter.Write("\tモジュール => " + dictionary["module"].ToString());
Reporter.Write("\t最終更新日時 => " + dictionary["timestamp"].ToString());
Reporter.Write("");
}
else
{
Reporter.Write(clsIdPath + " は見つかりませんでした。");
Reporter.Write("");
}
}
}
else
{
Reporter.Write(KeyPath + " にサブキーはありませんでした。 ブラウザヘルパーオブジェクトは使われていません。");
}
return(true);
}
public override bool Process()
{
// Get all of the subkey names
RegistryKey[] subkeys = Key.GetListOfSubkeys();
if (null != subkeys && 0 < subkeys.Length)
{
RegistryValue[] values;
Dictionary <string, TimestampContainer2> dictionary = new Dictionary <string, TimestampContainer2>();
Dictionary <string, string> innerDictionary = new Dictionary <string, string>();
foreach (RegistryKey subkey in subkeys)
{
if ("Descriptions".Equals(subkey.Name))
{
continue;
}
RegistryKey connectionKey = Key.GetSubkey(subkey.Name + "\\Connection");
if (null != connectionKey)
{
innerDictionary.Clear();
values = connectionKey.GetListOfValues();
foreach (RegistryValue value in values)
{
innerDictionary.Add(value.Name, value.GetDataAsObject().ToString());
}
// See what the active NICs were on the system; "active" based on PnpInstanceID having
// a string value
// Get the GUID of the interface, the name, and the LastWrite time of the Connection
// key
if (innerDictionary.ContainsKey("PnpInstanceID") &&
!string.Empty.Equals(innerDictionary["PnpInstanceID"]))
{
dictionary.Add(subkey.Name,
new TimestampContainer2(innerDictionary["Name"], connectionKey.Timestamp));
}
}
}
Reporter.Write("");
// access the Tcpip Services key to get the IP address information
if (0 < dictionary.Count)
{
RegistryKey interfaceKey = RootKey.GetSubkey(@"Services\Tcpip\Parameters\Interfaces");
if (null != interfaceKey)
{
Reporter.Write(interfaceKey.KeyPath);
Reporter.Write("最終更新日時:" + Library.TransrateTimestamp(interfaceKey.Timestamp, TimeZoneBias, OutputUtc));
Reporter.Write("");
List <string> list = new List <string>();
// Dump the names of the subkeys under Parameters\Interfaces into a hash
subkeys = interfaceKey.GetListOfSubkeys();
if (null != subkeys && 0 < subkeys.Length)
{
foreach (RegistryKey subkey in subkeys)
{
list.Add(subkey.Name);
}
}
RegistryKey propertyKey;
object data = null;
string replacedData = string.Empty;
StringBuilder builder = new StringBuilder();
foreach (KeyValuePair <string, TimestampContainer2> pair in dictionary)
{
if (list.Contains(pair.Key))
{
propertyKey = interfaceKey.GetSubkey(pair.Key);
Reporter.Write("Interface " + pair.Key);
Reporter.Write("Name: " + pair.Value.Name);
Reporter.Write("Control\\Network キーの最終更新日時:" + Library.TransrateTimestamp(pair.Value.Timestamp, TimeZoneBias, OutputUtc));
Reporter.Write("Services\\Tcpip キーの最終更新日時:" + Library.TransrateTimestamp(propertyKey.Timestamp, TimeZoneBias, OutputUtc));
values = propertyKey.GetListOfValues();
innerDictionary.Clear();
foreach (RegistryValue value in values)
{
if (value.Name.ToUpper().Contains("DHCP") || "IPAddressv".Equals(value.Name) ||
"SubnetMask".Equals(value.Name) || "DefaultGateway".Equals(value.Name))
{
data = value.GetDataAsObject();
if (typeof(string[]).Equals(data.GetType()))
{
builder = new StringBuilder();
foreach (string item in (string[])data)
{
if (0 < builder.Length)
{
builder.Append(",");
}
builder.Append(item);
}
replacedData = builder.ToString();
}
else
{
replacedData = data.ToString();
}
innerDictionary.Add(value.Name, replacedData);
}
}
if (innerDictionary.ContainsKey("EnableDHCP") && "1".Equals(innerDictionary["EnableDHCP"]))
{
Reporter.Write("\tDhcpDomain = " + EvaluateDictionary(innerDictionary, "DhcpDomain"));
Reporter.Write("\tDhcpIPAddress = " + EvaluateDictionary(innerDictionary, "DhcpIPAddress"));
Reporter.Write("\tDhcpSubnetMask = " + EvaluateDictionary(innerDictionary, "DhcpSubnetMask"));
Reporter.Write("\tDhcpNameServer = " + EvaluateDictionary(innerDictionary, "DhcpNameServer"));
Reporter.Write("\tDhcpServer = " + EvaluateDictionary(innerDictionary, "DhcpServer"));
}
else
{
Reporter.Write("\tIPAddress = " + EvaluateDictionary(innerDictionary, "IPAddressv"));
Reporter.Write("\tSubnetMask = " + EvaluateDictionary(innerDictionary, "SubnetMask"));
Reporter.Write("\tDefaultGateway = " + EvaluateDictionary(innerDictionary, "DefaultGateway"));
}
}
else
{
Reporter.Write("インターフェイス「" + pair.Key + "」は " + interfaceKey.KeyPath + " にはありませんでした。");
}
Reporter.Write("");
}
}
}
else
{
//Reporter.Write("No active network interface cards were found.");
//Logger.Write("No active network interface cards were found.");
Reporter.Write("有効なNICは見つかりませんでした。");
}
}
else
{
Reporter.Write(KeyPath + " にはサブキーがありませんでした。");
}
return(true);
}
public override bool Process()
{
// First, let's find out which version of Office is installed
List <int> versionList = new List <int>();
string versionTag = string.Empty;
string keyPath;
for (int ver = 7; ver <= CURRENT_VERSION; ver++)
{
versionTag = ver.ToString("0.0");
keyPath = @"Software\Microsoft\Office\" + versionTag + @"\Common\Open Find";
RegistryKey key = RootKey.GetSubkey(keyPath);
if (null != key)
{
versionList.Add(ver);
}
}
if (0 < versionList.Count)
{
foreach (int version in versionList)
{
Reporter.Write("MSOffice version " + version.ToString() + " located.");
keyPath = "Software\\Microsoft\\Office\\" + versionTag;
RegistryKey officeKey = RootKey.GetSubkey(keyPath);
if (null != officeKey)
{
// Attempt to retrieve Word docs
string[] paths = new string[] {
// "Common\\Open Find\\Microsoft Office Word\\Settings\\Save As\\File Name MRU",
// "Common\\Open Find\\Microsoft Office Word\\Settings\\File Save\\File Name MRU",
@"Common\Open Find\Microsoft Office Word\Settings\名前を付けて保存\File Name MRU",
@"Common\Open Find\Microsoft Office Excel\Settings\名前を付けて保存\File Name MRU",
@"Common\Open Find\Microsoft Office PowerPoint\Settings\名前を付けて保存\File Name MRU",
@"Common\Open Find\Microsoft Office Outlook\Settings\ファイル名を付けて保存\File Name MRU"
};
RegistryKey branchKey;
string[] branchData;
bool succeed = false;
foreach (string path in paths)
{
branchKey = officeKey.GetSubkey(path);
if (null != branchKey)
{
Reporter.Write(path);
Reporter.Write("LastWrite Time " + Library.TransrateTimestamp(branchKey.Timestamp, TimeZoneBias, OutputUtc));
branchData = (string[])branchKey.GetValue("Value").GetDataAsObject();
foreach (string datum in branchData)
{
Reporter.Write("\t" + datum);
}
Reporter.Write("");
succeed = true;
}
}
if (!succeed)
{
paths = new string[] {
@"Word\File MRU",
@"Excel\File MRU",
@"PowerPoint\File MRU",
@"Outlook\Catalog",
@"Outlook\Search\Catalog"
};
foreach (string path in paths)
{
branchKey = officeKey.GetSubkey(path);
if (null != branchKey)
{
RegistryValue[] values = branchKey.GetListOfValues();
if (0 < values.Length)
{
Reporter.Write("[" + path + "]");
foreach (RegistryValue value in values)
{
Reporter.Write("\t" + value.Name + " : " + value.GetDataAsString());
}
}
succeed = true;
Reporter.Write("");
}
}
}
if (!succeed)
{
Reporter.Write(keyPath + "配下においてはOffice保存先にあたるキーは見つかりませんでした。");
}
}
else
{
Reporter.Write(keyPath + "にはアクセスできませんでした。");
}
}
}
else
{
Reporter.Write("MSOfficeのバージョンのキーは見つかりませんでした。");
}
return(true);
}
private void Recursive(RegistryKey key, string path, string folderName)
{
// NodeSlotから実体のフォルダの内容を取得
RegistryValue slotValue = key.GetValue("NodeSlot");
if (null != slotValue)
{
string slotNumber = slotValue.GetDataAsObject().ToString();
// RegistryKey bagKey = RootKey.GetSubkey(pathBuilder.ToString() + @"\" + slotValue.GetData().ToString());
RegistryKey bagKey = RootKey.GetSubkey(path.Remove(path.Length - 3) + @"s\" + slotNumber + @"\Shell");
if (null != bagKey)
{
RegistryKey[] subkeys = bagKey.GetListOfSubkeys();
if (null != subkeys)
{
}
RegistryValue[] bagValues = bagKey.GetListOfValues();
if (null != bagValues)
{
Reporter.Write(" FolderName : " + ((0 != folderName.Length) ? folderName : "デスクトップ?"));
Reporter.Write(" [ValueList]");
string dataString = "";
byte[] bytes;
StringBuilder dataBuilder = new StringBuilder();
foreach (RegistryValue bagValue in bagValues)
{
if (Constants.REG_BINARY != bagValue.Type)
{
dataString = bagValue.GetDataAsString();
}
else
{
bytes = bagValue.Data;
foreach (byte item in bytes)
{
if (0 < dataBuilder.Length)
{
dataBuilder.Append(" ");
}
dataBuilder.Append(item.ToString("X2"));
}
dataString = dataBuilder.ToString();
}
Reporter.Write(" " + bagValue.Name + " : " + dataString);
}
Reporter.Write("");
}
}
}
// まずMRUListExを取得
RegistryValue mruValue = key.GetValue("MRUListEx");
if (null != mruValue)
{
byte[] mruData = (byte[])mruValue.GetDataAsObject();
if (null != mruData)
{
uint mru = 0;
RegistryValue value;
List <byte> byteList = new List <byte>();
byte[] bytes = null;
for (uint count = 0; count < mruData.Length; count += 4)
{
mru = BitConverter.ToUInt16(Library.ExtractArrayElements(mruData, count, 4), 0);
value = key.GetValue(mru.ToString());
if (null != value)
{
bytes = (byte[])value.GetDataAsObject();
if (0x19 == bytes[0])
{
if (0 < folderName.Length)
{
Logger.Write(LogLevel.WARNING, folderName + " / " + mru.ToString() + "は怪しげです。");
}
folderName = Encoding.ASCII.GetString(Library.ExtractArrayElements(bytes, 3, 3));
}
else
{
byteList = new List <byte>();
// Reporter.Write("\t" + value.Name + "WriteTime : " Library.ExtractArrayElements(bytes, 8, 4));
//hoge++;
//System.IO.File.WriteAllBytes(@"C:\WORK\KaniReg\dummyFile\" + hoge.ToString() + ".txt" , (byte[])data);
bool start = false;
for (uint innerCount = 4; innerCount < bytes.Length; innerCount++)
{
if (!start && 0x14 == bytes[innerCount - 4] && 0x00 == bytes[innerCount - 3] && 0x00 == bytes[innerCount - 2] && 0x00 == bytes[innerCount - 1])
{
start = true;
}
if (!start)
{
continue;
}
byteList.Add(bytes[innerCount]);
if (0x00 == bytes[innerCount] && 0x00 == bytes[innerCount + 1])
{
break;
}
}
if (0 < folderName.Length)
{
folderName += @"\";
}
folderName += Encoding.Unicode.GetString(byteList.ToArray());
}
}
RegistryKey subKey = key.GetSubkey(mru.ToString());
if (null != subKey)
{
Recursive(subKey, path, folderName);
}
}
}
}
}
