 /// <summary>
 /// Looks up <paramref name="key"/> in the given on-demand hive and treats any failure as "not found".
 /// </summary>
 /// <param name="registry">Hive to query.</param>
 /// <param name="key">Key path, passed unchanged to <c>GetKey</c>.</param>
 /// <returns>Whatever <c>GetKey</c> returns, or <c>null</c> if the lookup threw.</returns>
 private Registry.Abstractions.RegistryKey OpenKey(Registry.RegistryHiveOnDemand registry,
                                                   string key)
 {
     Registry.Abstractions.RegistryKey opened = null;

     try
     {
         opened = registry.GetKey(key);
     }
     catch (Exception)
     {
         // Every exception type is swallowed here, so a null result does not
         // tell the caller whether the key is absent or the hive could not be read.
         opened = null;
     }

     return opened;
 }
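        /// <summary>
        /// Reports whether the PROCESSOR_ARCHITECTURE value stored under
        /// <c>Control\Session Manager\Environment</c> equals "x86".
        /// </summary>
        /// <param name="fileName">
        /// Path of an offline SYSTEM hive. Null or empty means the live registry (HKLM) is read instead.
        /// </param>
        /// <returns><c>true</c> when the stored value is exactly "x86"; otherwise <c>false</c>.</returns>
        /// <exception cref="NullReferenceException">
        /// The Environment key or the PROCESSOR_ARCHITECTURE value was not found.
        /// </exception>
        /// <remarks>
        /// For an offline hive the control set is chosen from the <c>Select\Current</c> value. A missing or
        /// malformed <c>Current</c> value surfaces as whatever <c>Single</c> / <c>int.Parse</c> throw.
        /// </remarks>
        public static bool Is32Bit(string fileName)
        {
            // Null is handled like empty so that callers which use string.IsNullOrEmpty
            // to select the live registry do not crash on fileName.Length here.
            if (string.IsNullOrEmpty(fileName))
            {
                var localMachine = Microsoft.Win32.Registry.LocalMachine;

                // The opened subkey holds a registry handle; release it when done.
                // LocalMachine itself is a shared static key and is left alone.
                using (var subKey = localMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\Environment"))
                {
                    var val = subKey?.GetValue("PROCESSOR_ARCHITECTURE");

                    if (val != null)
                    {
                        return val.ToString().Equals("x86");
                    }
                }
            }
            else
            {
                var hive = new RegistryHiveOnDemand(fileName);
                var subKey = hive.GetKey("Select");

                var currentCtlSet = int.Parse(subKey.Values.Single(c => c.ValueName == "Current").ValueData);

                // Control set key names carry a three-digit number (ControlSet001, ControlSet010, ...).
                // Prefixing "00" only produced a valid name for values 1-9.
                subKey = hive.GetKey($"ControlSet{currentCtlSet:D3}\\Control\\Session Manager\\Environment");

                var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "PROCESSOR_ARCHITECTURE");

                if (val != null)
                {
                    return val.ValueData.Equals("x86");
                }
            }

            // Exception type kept as-is for existing callers.
            throw new NullReferenceException("Unable to determine CPU architecture!");
        }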
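        /// <summary>
        /// Loads the raw <c>AppCompatCache</c> value from the live registry or from an offline SYSTEM hive
        /// and passes it to <c>Init</c> together with the CPU bitness and computer name.
        /// </summary>
        /// <param name="filename">
        /// Path of an offline SYSTEM hive. Null or empty means the live registry (HKLM) is read.
        /// </param>
        /// <exception cref="FileNotFoundException">
        /// <paramref name="filename"/> is non-empty but no such file exists.
        /// </exception>
        /// <remarks>
        /// The value is looked up under <c>Control\Session Manager\AppCompatCache</c> first and under
        /// <c>Control\Session Manager\AppCompatibility</c> as a fallback.
        /// When neither the key nor the value is found, a message is written to the console and the
        /// constructor returns WITHOUT calling <c>Init</c>, so the instance is left unpopulated; callers
        /// should not assume a constructed object holds parsed entries.
        /// NOTE(review): on a live system this reads what is currently stored in the registry value; whether
        /// that reflects the most recent in-memory cache state should be confirmed before relying on it for triage.
        /// </remarks>
        public AppCompatCache(string filename)
        {
            byte[] rawBytes = null;

            var isLiveRegistry = string.IsNullOrEmpty(filename);

            if (isLiveRegistry)
            {
                var localMachine = Microsoft.Win32.Registry.LocalMachine;

                var subKey = localMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache")
                             ?? localMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility");

                if (subKey == null)
                {
                    Console.WriteLine(
                        @"'CurrentControlSet\Control\Session Manager\AppCompatCache' key not found! Exiting");
                    return;
                }

                // Release the registry handle once the value has been copied out.
                using (subKey)
                {
                    rawBytes = (byte[]) subKey.GetValue("AppCompatCache", null);
                }
            }
            else
            {
                if (File.Exists(filename) == false)
                {
                    throw new FileNotFoundException($"File not found ({filename})!");
                }

                var hive = new RegistryHiveOnDemand(filename);
                var selectKey = hive.GetKey("Select");

                var currentCtlSet = int.Parse(selectKey.Values.Single(c => c.ValueName == "Current").ValueData);

                // Control set key names carry a three-digit number (ControlSet001, ControlSet010, ...).
                // Prefixing "00" only produced a valid name for values 1-9.
                var controlSet = $"ControlSet{currentCtlSet:D3}";

                var subKey = hive.GetKey($@"{controlSet}\Control\Session Manager\AppCompatCache")
                             ?? hive.GetKey($@"{controlSet}\Control\Session Manager\AppCompatibility");

                var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");

                if (val != null)
                {
                    rawBytes = val.ValueDataRaw;
                }
            }

            if (rawBytes == null)
            {
                Console.WriteLine(@"'AppCompatCache' value not found! Exiting");
                return;
            }

            // Hand the helpers a non-null string so that a null filename consistently
            // means "live registry" for them as well.
            var hiveSelector = filename ?? string.Empty;

            var is32 = Is32Bit(hiveSelector);
            string computerName = ComputerName(hiveSelector);

            Init(rawBytes, is32, computerName);
        }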
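        /// <summary>
        /// Retrieves the <c>ComputerName</c> value from <c>Control\ComputerName\ComputerName</c>
        /// in the SYSTEM hive.
        /// </summary>
        /// <param name="fileName">
        /// Path of an offline SYSTEM hive. Null or empty means the live registry (HKLM) is read.
        /// </param>
        /// <returns>
        /// The stored computer name, or <c>null</c> when the key or the value is not present.
        /// </returns>
        /// <remarks>
        /// The name is returned exactly as stored; nothing here validates or sanitises it, so treat it as
        /// data from the examined system when it is written into reports or file names.
        /// For an offline hive the control set is chosen from the <c>Select\Current</c> value. A missing or
        /// malformed <c>Current</c> value surfaces as whatever <c>Single</c> / <c>int.Parse</c> throw.
        /// </remarks>
        public static string ComputerName(string fileName)
        {
            // Null is handled like empty so that callers which use string.IsNullOrEmpty
            // to select the live registry do not crash on fileName.Length here.
            if (string.IsNullOrEmpty(fileName)) // Live Registry
            {
                var localMachine = Microsoft.Win32.Registry.LocalMachine;

                using (var subKey = localMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"))
                {
                    // GetValue returns null for a missing value; guard the ToString call as well as the key.
                    return subKey?.GetValue("ComputerName")?.ToString();
                }
            }

            var hive = new RegistryHiveOnDemand(fileName);
            var selectKey = hive.GetKey("Select");
            var currentCtlSet = int.Parse(selectKey.Values.Single(c => c.ValueName == "Current").ValueData);

            // Control set key names carry a three-digit number (ControlSet001, ControlSet010, ...).
            // Prefixing "00" only produced a valid name for values 1-9.
            var nameKey = hive.GetKey($"ControlSet{currentCtlSet:D3}\\Control\\ComputerName\\ComputerName");

            // Mirror the live-registry branch: an absent key or value yields null instead of an exception,
            // so a hive without a computer name does not abort the caller.
            return nameKey?.Values.SingleOrDefault(c => c.ValueName == "ComputerName")?.ValueData;
        }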