コード例 #1
        /// <summary>
        ///     Writes a Registry key, and optionally everything beneath it, to a file in .reg format.
        /// </summary>
        /// <remarks>
        ///     Do not use RegistryHiveOnDemand when exporting recursively or you will only get the key and its subkeys
        ///     exported.
        ///     The target is opened with <see cref="FileMode.Create"/>, so an existing file at
        ///     <paramref name="filename"/> is overwritten. The text is written with <see cref="Encoding.Unicode"/>.
        ///     Every key and value in the output is copied from the parsed hive, so an export of a hive taken from an
        ///     untrusted system should be reviewed before it is imported anywhere.
        /// </remarks>
        /// <param name="filename">Path of the .reg file to create or overwrite.</param>
        /// <param name="key">Key to export; must not be null.</param>
        /// <param name="hiveType">Hive the key belongs to; passed through to the formatter to pick the root path.</param>
        /// <param name="recursive">When true, all subkeys are exported as well.</param>
        /// <returns>Always true when the method returns; failures surface as exceptions.</returns>
        /// <exception cref="NullReferenceException">Thrown when <paramref name="key"/> is null.</exception>
        public static bool ExportToReg(string filename, RegistryKey key, HiveTypeEnum hiveType, bool recursive)
        {
            if (key == null)
            {
                // NOTE(review): ArgumentNullException is the conventional type here; the existing type is
                // kept because callers may already catch it.
                throw new NullReferenceException("Key cannot be null");
            }

            // File header: format signature followed by two comment lines describing the export.
            var regText = new StringBuilder()
                .AppendLine("Windows Registry Editor Version 5.00")
                .AppendLine()
                .AppendLine(";Generated by Registry parser (https://github.com/EricZimmerman/Registry)")
                .AppendLine($";Generated on {DateTimeOffset.UtcNow}")
                .AppendLine();

            var deletedFlag = RegistryKey.KeyFlagsEnum.Deleted;
            if ((key.KeyFlags & deletedFlag) == deletedFlag)
            {
                // Mark the export so a reader can tell the key carried the Deleted flag.
                regText.AppendLine(";This is a deleted key")
                    .AppendLine();
            }

            regText.AppendLine(GetRegFormatData(key, hiveType, recursive));

            // The text is fully built before the file is opened, so a formatting failure leaves no file behind.
            using (var writer = new StreamWriter(new FileStream(filename, FileMode.Create), Encoding.Unicode))
            {
                // Disposing the writer flushes it and closes the underlying stream.
                writer.WriteLine(regText.ToString());
            }

            return true;
        }
コード例 #2
        // public methods...


        /// <summary>
        ///     Builds the .reg text for <paramref name="key"/> and, when requested, for every key below it.
        /// </summary>
        /// <param name="key">Key whose section is written first.</param>
        /// <param name="hiveType">Hive type forwarded to <c>GetRegFormat</c> for each key.</param>
        /// <param name="recursive">When true, each subkey is rendered by a recursive call and appended.</param>
        /// <returns>The concatenated section text, one key section after another.</returns>
        private static string GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, bool recursive)
        {
            var output = new StringBuilder();

            output.AppendLine(key.GetRegFormat(hiveType));

            if (recursive)
            {
                // NOTE(review): recursion depth follows the subkey nesting of the parsed hive; nothing here
                // bounds it, so this relies on the parser to reject or cap abnormal nesting -- confirm.
                foreach (var child in key.SubKeys)
                {
                    var childText = GetRegFormatData(child, hiveType, true);

                    // Trailing whitespace is trimmed so nested results do not accumulate blank lines.
                    output.AppendLine(childText.TrimEnd());
                }
            }

            return output.ToString();
        }
コード例 #3
ファイル: RegistryKey.cs プロジェクト: seandiviney/Registry
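        /// <summary>
        ///     Renders this key's section header, a last-write timestamp comment and its values in .reg format.
        /// </summary>
        /// <param name="hiveType">Hive the key came from; selects the root path written in the section header.</param>
        /// <returns>The section text with trailing whitespace trimmed. Subkeys are not included.</returns>
        public string GetRegFormat(HiveTypeEnum hiveType)
        {
            var sb = new StringBuilder();

            string keyBase;

            // NOTE(review): the SAM, SECURITY, SOFTWARE, SYSTEM and COMPONENTS hives are rooted under
            // HKEY_CURRENT_USER rather than a machine-wide root. Presumably this keeps an import of the
            // export from touching the machine-wide hives of the system it is imported on -- confirm
            // before changing these paths.
            switch (hiveType)
            {
                case HiveTypeEnum.NtUser:
                    keyBase = "HKEY_CURRENT_USER";
                    break;
                case HiveTypeEnum.Sam:
                    keyBase = "HKEY_CURRENT_USER\\SAM";
                    break;
                case HiveTypeEnum.Security:
                    keyBase = "HKEY_CURRENT_USER\\SECURITY";
                    break;
                case HiveTypeEnum.Software:
                    keyBase = "HKEY_CURRENT_USER\\SOFTWARE";
                    break;
                case HiveTypeEnum.System:
                    keyBase = "HKEY_CURRENT_USER\\SYSTEM";
                    break;
                case HiveTypeEnum.UsrClass:
                    keyBase = "HKEY_CLASSES_ROOT";
                    break;
                case HiveTypeEnum.Components:
                    keyBase = "HKEY_CURRENT_USER\\COMPONENTS";
                    break;

                default:
                    keyBase = "HKEY_CURRENT_USER\\UNKNOWN_BASEPATH";
                    break;
            }

            // Drop the first path segment (presumably the hive's root key name) and re-join the rest.
            var keyNames = KeyPath.Split('\\');
            var normalizedKeyPath = string.Join("\\", keyNames.Skip(1));

            // NOTE(review): key names are copied into the header without escaping. A name recovered from
            // an untrusted hive that contains a line break or ']' would change how the header line parses,
            // so exports of untrusted hives should be reviewed before they are imported.
            var keyName = normalizedKeyPath.Length > 0
                ? $"[{keyBase}\\{normalizedKeyPath}]"
                : $"[{keyBase}]";

            sb.AppendLine();
            sb.AppendLine(keyName);

            // Only emit the timestamp comment when the key has one; reading .Value on a missing
            // timestamp would throw and abort the whole export.
            if (LastWriteTime.HasValue)
            {
                sb.AppendLine($";Last write timestamp {LastWriteTime.Value.UtcDateTime.ToString("o")}");
            }

            foreach (var keyValue in Values)
            {
                var keyNameOut = keyValue.ValueName;
                if (keyNameOut.ToLowerInvariant() == "(default)")
                {
                    // The default value is written as '@' in .reg syntax.
                    keyNameOut = "@";
                }
                else
                {
                    // Escape backslashes first, then quotes, and wrap the name in quotes.
                    keyNameOut = keyNameOut.Replace("\\", "\\\\");
                    keyNameOut = $"\"{keyNameOut.Replace("\"", "\\\"")}\"";
                }

                var keyValueOut = "";

                switch (keyValue.VKRecord.DataType)
                {
                    case VKCellRecord.DataTypeEnum.RegSz:
                        keyValueOut = $"\"{keyValue.ValueData.Replace("\\", "\\\\").Replace("\"", "\\\"")}\"";
                        break;

                    case VKCellRecord.DataTypeEnum.RegDword:
                        var dwordBytes = keyValue.ValueDataRaw;

                        if (dwordBytes != null && dwordBytes.Length >= 4)
                        {
                            keyValueOut =
                                $"dword:{BitConverter.ToInt32(dwordBytes, 0):X8}"
                                    .ToLowerInvariant();
                        }
                        else
                        {
                            // A damaged or recovered value can carry fewer than four bytes, which
                            // BitConverter.ToInt32 rejects. Write the raw bytes in typed hex form instead
                            // of failing the export.
                            var dwordHex = BitConverter.ToString(dwordBytes ?? new byte[0]).Replace("-", ",");
                            keyValueOut = $"hex({(int) keyValue.VKRecord.DataType:x}):{dwordHex}".ToLowerInvariant();
                        }

                        break;

                    case VKCellRecord.DataTypeEnum.RegBinary:

                        keyValueOut =
                            $"hex:{BitConverter.ToString(keyValue.ValueDataRaw).Replace("-", ",")}"
                                .ToLowerInvariant();

                        // Long values are re-rendered by FormatBinaryValueData.
                        if (keyValueOut.Length + 5 + keyNameOut.Length > 76)
                        {
                            keyValueOut = $"hex:{FormatBinaryValueData(keyValue.ValueDataRaw, keyNameOut.Length, 5)}";
                        }

                        break;

                    // Types without a dedicated syntax here, including any type not listed, are written
                    // as hex(<type number>) so a line is never emitted with an empty right-hand side.
                    case VKCellRecord.DataTypeEnum.RegNone:
                    case VKCellRecord.DataTypeEnum.RegDwordBigEndian:
                    case VKCellRecord.DataTypeEnum.RegFullResourceDescription:
                    case VKCellRecord.DataTypeEnum.RegMultiSz:
                    case VKCellRecord.DataTypeEnum.RegQword:
                    case VKCellRecord.DataTypeEnum.RegFileTime:
                    case VKCellRecord.DataTypeEnum.RegLink:
                    case VKCellRecord.DataTypeEnum.RegResourceRequirementsList:
                    case VKCellRecord.DataTypeEnum.RegExpandSz:
                    default:

                        var prefix = $"hex({(int) keyValue.VKRecord.DataType:x}):";

                        keyValueOut =
                            $"{prefix}{BitConverter.ToString(keyValue.ValueDataRaw).Replace("-", ",")}".ToLowerInvariant();

                        // keyValueOut already contains the prefix, so prefix.Length is counted twice in
                        // this threshold; left as-is to keep the existing wrap points.
                        if (keyValueOut.Length + prefix.Length + keyNameOut.Length > 76)
                        {
                            keyValueOut =
                                $"{prefix}{FormatBinaryValueData(keyValue.ValueDataRaw, keyNameOut.Length, prefix.Length)}";
                        }

                        break;
                }

                sb.AppendLine($"{keyNameOut}={keyValueOut}");
            }

            return sb.ToString().TrimEnd();
        }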
コード例 #4
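        /// <summary>
        ///     Produces the .reg-format text for this key: section header, last-write timestamp comment and
        ///     one line per value.
        /// </summary>
        /// <param name="hiveType">Hive the key was read from; determines the root path in the header.</param>
        /// <returns>The section text with trailing whitespace removed. Subkeys are not rendered here.</returns>
        public string GetRegFormat(HiveTypeEnum hiveType)
        {
            var sb = new StringBuilder();

            string keyBase;

            // NOTE(review): every hive except UsrClass is rooted under HKEY_CURRENT_USER, including the
            // machine hives. Presumably this is deliberate so that importing an export does not write to
            // the machine-wide hives of the importing system -- confirm before changing.
            switch (hiveType)
            {
            case HiveTypeEnum.NtUser:
                keyBase = "HKEY_CURRENT_USER";
                break;

            case HiveTypeEnum.Sam:
                keyBase = "HKEY_CURRENT_USER\\SAM";
                break;

            case HiveTypeEnum.Security:
                keyBase = "HKEY_CURRENT_USER\\SECURITY";
                break;

            case HiveTypeEnum.Software:
                keyBase = "HKEY_CURRENT_USER\\SOFTWARE";
                break;

            case HiveTypeEnum.System:
                keyBase = "HKEY_CURRENT_USER\\SYSTEM";
                break;

            case HiveTypeEnum.UsrClass:
                keyBase = "HKEY_CLASSES_ROOT";
                break;

            case HiveTypeEnum.Components:
                keyBase = "HKEY_CURRENT_USER\\COMPONENTS";
                break;

            default:
                keyBase = "HKEY_CURRENT_USER\\UNKNOWN_BASEPATH";
                break;
            }

            // The first segment of KeyPath is discarded (presumably the root key's own name).
            var keyNames          = KeyPath.Split('\\');
            var normalizedKeyPath = string.Join("\\", keyNames.Skip(1));

            // NOTE(review): the path is placed between the brackets unescaped. Names read from an
            // untrusted hive that contain a line break or ']' would alter how the header line is parsed;
            // inspect such exports before importing them.
            var keyName = normalizedKeyPath.Length > 0
                ? $"[{keyBase}\\{normalizedKeyPath}]"
                : $"[{keyBase}]";

            sb.AppendLine();
            sb.AppendLine(keyName);

            // Skip the timestamp comment when no timestamp is available rather than throwing on .Value.
            if (LastWriteTime.HasValue)
            {
                sb.AppendLine($";Last write timestamp {LastWriteTime.Value.UtcDateTime.ToString("o")}");
            }

            foreach (var keyValue in Values)
            {
                var keyNameOut = keyValue.ValueName;
                if (keyNameOut.ToLowerInvariant() == "(default)")
                {
                    // '@' denotes the key's default value in .reg syntax.
                    keyNameOut = "@";
                }
                else
                {
                    // Backslashes are doubled before quotes are escaped, then the name is quoted.
                    keyNameOut = keyNameOut.Replace("\\", "\\\\");
                    keyNameOut = $"\"{keyNameOut.Replace("\"", "\\\"")}\"";
                }

                var keyValueOut = "";

                switch (keyValue.VKRecord.DataType)
                {
                case VKCellRecord.DataTypeEnum.RegSz:
                    keyValueOut = $"\"{keyValue.ValueData.Replace("\\", "\\\\").Replace("\"", "\\\"")}\"";
                    break;

                // Listed types and any type not handled elsewhere share the hex(<type number>) form, so
                // an unknown type no longer yields a line with nothing after '='.
                case VKCellRecord.DataTypeEnum.RegNone:
                case VKCellRecord.DataTypeEnum.RegDwordBigEndian:
                case VKCellRecord.DataTypeEnum.RegFullResourceDescription:
                case VKCellRecord.DataTypeEnum.RegMultiSz:
                case VKCellRecord.DataTypeEnum.RegQword:
                case VKCellRecord.DataTypeEnum.RegFileTime:
                case VKCellRecord.DataTypeEnum.RegLink:
                case VKCellRecord.DataTypeEnum.RegResourceRequirementsList:
                case VKCellRecord.DataTypeEnum.RegExpandSz:
                default:

                    var prefix = $"hex({(int) keyValue.VKRecord.DataType:x}):";

                    keyValueOut =
                        $"{prefix}{BitConverter.ToString(keyValue.ValueDataRaw).Replace("-", ",")}".ToLowerInvariant();

                    // The prefix is part of keyValueOut already and is added again here; the threshold
                    // is kept unchanged so existing output wraps at the same points.
                    if (keyValueOut.Length + prefix.Length + keyNameOut.Length > 76)
                    {
                        keyValueOut =
                            $"{prefix}{FormatBinaryValueData(keyValue.ValueDataRaw, keyNameOut.Length, prefix.Length)}";
                    }

                    break;

                case VKCellRecord.DataTypeEnum.RegDword:
                    var rawDword = keyValue.ValueDataRaw;

                    if (rawDword != null && rawDword.Length >= 4)
                    {
                        keyValueOut =
                            $"dword:{BitConverter.ToInt32(rawDword, 0):X8}"
                            .ToLowerInvariant();
                    }
                    else
                    {
                        // Fewer than four bytes (e.g. a damaged or partially recovered value) makes
                        // BitConverter.ToInt32 throw; fall back to the typed hex form so the rest of the
                        // key is still exported.
                        var shortHex = BitConverter.ToString(rawDword ?? new byte[0]).Replace("-", ",");
                        keyValueOut = $"hex({(int) keyValue.VKRecord.DataType:x}):{shortHex}".ToLowerInvariant();
                    }

                    break;

                case VKCellRecord.DataTypeEnum.RegBinary:

                    keyValueOut =
                        $"hex:{BitConverter.ToString(keyValue.ValueDataRaw).Replace("-", ",")}"
                        .ToLowerInvariant();

                    // Long values are handed to FormatBinaryValueData for re-rendering.
                    if (keyValueOut.Length + 5 + keyNameOut.Length > 76)
                    {
                        keyValueOut = $"hex:{FormatBinaryValueData(keyValue.ValueDataRaw, keyNameOut.Length, 5)}";
                    }

                    break;
                }

                sb.AppendLine($"{keyNameOut}={keyValueOut}");
            }

            return(sb.ToString().TrimEnd());
        }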