/// <summary>
///
/// </summary>
/// <param name="registry"></param>
/// <param name="key"></param>
/// <returns></returns>
private Registry.Abstractions.RegistryKey OpenKey(Registry.RegistryHiveOnDemand registry,
string key)
{
try
{
return(registry.GetKey(key));
}
catch (Exception)
{
return(null);
}
}
public static bool Is32Bit(string fileName)
{
if ((fileName.Length == 0))
{
var keyCurrUser = Microsoft.Win32.Registry.LocalMachine;
var subKey = keyCurrUser.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\Environment");
var val = subKey?.GetValue("PROCESSOR_ARCHITECTURE");
if (val != null)
{
return val.ToString().Equals("x86");
}
}
else
{
var hive = new RegistryHiveOnDemand(fileName);
var subKey = hive.GetKey("Select");
var currentCtlSet = int.Parse(subKey.Values.Single(c => c.ValueName == "Current").ValueData);
subKey = hive.GetKey($"ControlSet00{currentCtlSet}\\Control\\Session Manager\\Environment");
var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "PROCESSOR_ARCHITECTURE");
if (val != null)
{
return val.ValueData.Equals("x86");
}
}
throw new NullReferenceException("Unable to determine CPU architecture!");
}
public AppCompatCache(string filename)
{
byte[] rawBytes = null;
var isLiveRegistry = string.IsNullOrEmpty(filename);
if (isLiveRegistry)
{
var keyCurrUser = Microsoft.Win32.Registry.LocalMachine;
var subKey = keyCurrUser.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache");
if (subKey == null)
{
subKey = keyCurrUser.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility");
if (subKey == null)
{
Console.WriteLine(
@"'CurrentControlSet\Control\Session Manager\AppCompatCache' key not found! Exiting");
return;
}
}
rawBytes = (byte[]) subKey.GetValue("AppCompatCache", null);
}
else
{
if (File.Exists(filename) == false)
{
throw new FileNotFoundException($"File not found ({filename})!");
}
var hive = new RegistryHiveOnDemand(filename);
var subKey = hive.GetKey("Select");
var currentCtlSet = int.Parse(subKey.Values.Single(c => c.ValueName == "Current").ValueData);
subKey = hive.GetKey($@"ControlSet00{currentCtlSet}\Control\Session Manager\AppCompatCache");
if (subKey == null)
{
subKey = hive.GetKey($@"ControlSet00{currentCtlSet}\Control\Session Manager\AppCompatibility");
}
var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");
if (val != null)
{
rawBytes = val.ValueDataRaw;
}
}
if (rawBytes == null)
{
Console.WriteLine(@"'AppCompatCache' value not found! Exiting");
return;
}
var is32 = Is32Bit(filename);
string computerName = ComputerName(filename);
Init(rawBytes, is32, computerName);
}
// added to retrieve ComputerName in SYSTEM hive
public static string ComputerName(string fileName)
{
if ((fileName.Length == 0)) // Live Registry
{
var keyCurrUser = Microsoft.Win32.Registry.LocalMachine;
var subKey = keyCurrUser.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName");
string computerName = subKey?.GetValue("ComputerName").ToString();
return computerName;
}
else
{
var hive = new RegistryHiveOnDemand(fileName);
var subKey = hive.GetKey("Select");
var currentCtlSet = int.Parse(subKey.Values.Single(c => c.ValueName == "Current").ValueData);
subKey = hive.GetKey($"ControlSet00{currentCtlSet}\\Control\\ComputerName\\ComputerName");
string computerName = subKey.Values.Single(c => c.ValueName == "ComputerName").ValueData;
return computerName;
}
}
