コード例 #1
        /// <summary>
        /// Parses an offline SOFTWARE hive and builds one <see cref="NetworkList"/> for every subkey of the keys
        /// that <c>NamedKey.GetInstances</c> returns for
        /// <c>Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures</c>.
        /// </summary>
        /// <remarks>
        /// NetworkList\Signatures is where Windows records the networks a host has connected to, which is why
        /// it is read here as a forensic artifact.
        /// </remarks>
        /// <param name="hivePath">Path to the SOFTWARE hive file to parse.</param>
        /// <returns>The parsed entries, or an empty array when none of the returned keys has subkeys.</returns>
        /// <exception cref="Exception">
        /// Thrown when <c>RegistryHelper.isCorrectHive</c> does not accept <paramref name="hivePath"/> as a
        /// SOFTWARE hive.
        /// </exception>
        public static NetworkList[] GetInstancesByPath(string hivePath)
        {
            // Reject the wrong hive type up front, before any hive bytes are read.
            if (!RegistryHelper.isCorrectHive(hivePath, "SOFTWARE"))
            {
                throw new Exception("Invalid SOFTWARE hive provided to -HivePath parameter.");
            }

            string signaturesPath = @"Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures";
            byte[] hiveBytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
            NamedKey[] signatureKeys = NamedKey.GetInstances(hiveBytes, hivePath, signaturesPath);

            List<NetworkList> results = new List<NetworkList>();

            foreach (NamedKey parent in signatureKeys)
            {
                // Keys that report no children are skipped instead of being handed to GetSubKeys.
                if (parent.NumberOfSubKeys == 0)
                {
                    continue;
                }

                foreach (NamedKey child in parent.GetSubKeys(hiveBytes))
                {
                    results.Add(new NetworkList(child, hiveBytes));
                }
            }

            return results.ToArray();
        }
コード例 #2
        /// <summary>
        /// Parses an offline NTUSER.DAT hive and builds one <see cref="UserAssist"/> for every value found two
        /// levels below the keys that <c>NamedKey.GetInstances</c> returns for
        /// <c>Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist</c>.
        /// </summary>
        /// <remarks>
        /// UserAssist is the per-user Explorer record of launched programs, so the result is evidence of
        /// program execution attributed to the owner of the hive.
        /// </remarks>
        /// <param name="hivePath">Path to the NTUSER.DAT hive file to parse.</param>
        /// <returns>The parsed entries, or an empty array when no values are found.</returns>
        /// <exception cref="Exception">
        /// Thrown when <c>RegistryHelper.isCorrectHive</c> does not accept <paramref name="hivePath"/> as an
        /// NTUSER.DAT hive.
        /// </exception>
        public static UserAssist[] Get(string hivePath)
        {
            // Reject the wrong hive type up front, before any hive bytes are read.
            if (!RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
            }

            string userAssistPath = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist";
            byte[] hiveBytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
            NamedKey[] topLevelKeys = NamedKey.GetInstances(hiveBytes, hivePath, userAssistPath);

            List<UserAssist> results = new List<UserAssist>();

            foreach (NamedKey parent in topLevelKeys)
            {
                foreach (NamedKey child in parent.GetSubKeys(hiveBytes))
                {
                    // Value-less subkeys are skipped instead of being handed to GetValues.
                    if (child.NumberOfValues == 0)
                    {
                        continue;
                    }

                    foreach (ValueKey value in child.GetValues(hiveBytes))
                    {
                        // NOTE(review): the owner lookup runs once per value although hivePath never changes;
                        // it could be resolved once if GetUserHiveOwner has no side effects — confirm.
                        results.Add(new UserAssist(RegistryHelper.GetUserHiveOwner(hivePath), value, hiveBytes));
                    }
                }
            }

            return results.ToArray();
        }
コード例 #3
        /// <summary>
        /// Parses a registry hive file and builds one <see cref="UserAssist"/> for every value found two levels
        /// below the keys that <c>NamedKey.GetInstances</c> returns for
        /// <c>Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist</c>.
        /// </summary>
        /// <remarks>
        /// No hive-type check is made here; what happens for a hive that lacks the UserAssist key depends on
        /// <c>NamedKey.GetInstances</c>.
        /// </remarks>
        /// <param name="hivePath">Path to the hive file to parse (presumably a user's NTUSER.DAT — confirm with callers).</param>
        /// <returns>The parsed entries, or an empty array when no values are found.</returns>
        public static UserAssist[] GetInstances(string hivePath)
        {
            string userAssistPath = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist";
            byte[] hiveBytes = Registry.Helper.GetHiveBytes(hivePath);
            NamedKey[] topLevelKeys = NamedKey.GetInstances(hiveBytes, hivePath, userAssistPath);

            List<UserAssist> results = new List<UserAssist>();

            foreach (NamedKey parent in topLevelKeys)
            {
                foreach (NamedKey child in parent.GetSubKeys(hiveBytes, parent.FullName))
                {
                    // Value-less subkeys are skipped instead of being handed to GetValues.
                    if (child.NumberOfValues == 0)
                    {
                        continue;
                    }

                    foreach (ValueKey value in child.GetValues(hiveBytes))
                    {
                        results.Add(new UserAssist(value, hiveBytes));
                    }
                }
            }

            return results.ToArray();
        }
コード例 #4
ファイル: Amcache.cs プロジェクト: vaginessa/PowerForensics
        /// <summary>
        /// Parses an offline Amcache.hve hive and builds one <see cref="Amcache"/> for every subkey of the keys
        /// that <c>NamedKey.GetInstances</c> returns for <c>Root\File</c>.
        /// </summary>
        /// <param name="hivePath">Path to the Amcache.hve hive file to parse.</param>
        /// <returns>The parsed entries, or an empty array when none of the returned keys has subkeys.</returns>
        /// <exception cref="Exception">
        /// Thrown when the HivePath of the parsed <c>RegistryHeader</c> does not contain <c>Amcache.hve</c>.
        /// </exception>
        public static Amcache[] GetInstancesByPath(string hivePath)
        {
            // The hive is accepted on a substring match against the HivePath value of the parsed header.
            // NOTE(review): assuming HivePath is a string, Contains is case-sensitive and checks a name only,
            // not the hive's contents — confirm this is strict enough for renamed or exported evidence files.
            bool looksLikeAmcache = RegistryHeader.Get(hivePath).HivePath.Contains("Amcache.hve");
            if (!looksLikeAmcache)
            {
                throw new Exception("Invalid Amcache.hve hive provided to -HivePath parameter.");
            }

            string fileKeyPath = @"Root\File";
            byte[] hiveBytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
            NamedKey[] fileKeys = NamedKey.GetInstances(hiveBytes, hivePath, fileKeyPath);

            List<Amcache> results = new List<Amcache>();

            foreach (NamedKey parent in fileKeys)
            {
                // Keys that report no children are skipped instead of being handed to GetSubKeys.
                if (parent.NumberOfSubKeys == 0)
                {
                    continue;
                }

                foreach (NamedKey child in parent.GetSubKeys(hiveBytes))
                {
                    results.Add(new Amcache(child, hiveBytes));
                }
            }

            return results.ToArray();
        }
コード例 #5
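        /// <summary>
        /// Returns the data of every value stored under a key named <c>TypedURLs</c> among the keys that
        /// <c>NamedKey.GetInstances</c> returns for <c>Software\Microsoft\Internet Explorer</c>.
        /// </summary>
        /// <param name="hivePath">Path to the hive file to parse (presumably a user's NTUSER.DAT — confirm with callers).</param>
        /// <returns>
        /// One string per parsed value, decoded as UTF-16LE; an empty array when no TypedURLs key or no values
        /// are found.
        /// </returns>
        public static string[] GetInstances(string hivePath)
        {
            string Key = @"Software\Microsoft\Internet Explorer";

            byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);

            NamedKey[] keys = NamedKey.GetInstances(bytes, hivePath, Key);

            string[] urls = new string[0];

            foreach (NamedKey nk in keys)
            {
                if (nk.Name != "TypedURLs")
                {
                    continue;
                }

                ValueKey[] vkArray = nk.GetValues(bytes);

                // Other callers of GetValues check NumberOfValues first, which suggests it may not return a
                // usable array for an empty key; treat a null result as "no typed URLs" instead of crashing.
                if (vkArray == null)
                {
                    urls = new string[0];
                    continue;
                }

                // The hive is evidence that may be damaged or tampered with, so the result is sized from the
                // values actually parsed rather than from the key's NumberOfValues header field. A mismatch
                // previously caused either an IndexOutOfRangeException or trailing null entries.
                urls = new string[vkArray.Length];

                for (int i = 0; i < vkArray.Length; i++)
                {
                    // NOTE(review): if GetData returns the raw REG_SZ bytes, each string keeps its trailing
                    // UTF-16 NUL terminator — confirm before comparing or exporting these values.
                    urls[i] = Encoding.Unicode.GetString(vkArray[i].GetData(bytes));
                }
            }

            return urls;
        }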
コード例 #6
        /// <summary>
        /// For the "Path" parameter set, writes the result of <c>NamedKey.GetInstances(path, key)</c> to the
        /// pipeline. When the Key parameter was not bound, <c>key</c> is reset to null before the call.
        /// Any other parameter set produces no output.
        /// </summary>
        protected override void ProcessRecord()
        {
            if (ParameterSetName != "Path")
            {
                return;
            }

            // A Key value left over from anything other than explicit binding must not narrow the query.
            bool keyWasBound = MyInvocation.BoundParameters.ContainsKey("Key");
            if (!keyWasBound)
            {
                key = null;
            }

            // Single-argument WriteObject: the returned collection is written as one pipeline object.
            WriteObject(NamedKey.GetInstances(path, key));
        }
コード例 #7
        /// <summary>
        /// Writes registry keys from the hive at <c>path</c> to the pipeline: the result of
        /// <c>NamedKey.GetInstancesRecurse(path)</c> when <c>recurse</c> is set, otherwise the result of
        /// <c>NamedKey.GetInstances(path, key)</c>, with <c>key</c> reset to null when the Key parameter was
        /// not bound.
        /// </summary>
        protected override void ProcessRecord()
        {
            if (recurse)
            {
                // NOTE(review): written without enumerateCollection, unlike the non-recursive branch below,
                // so the whole result reaches the pipeline as one object — confirm this is intended.
                WriteObject(NamedKey.GetInstancesRecurse(path));
                return;
            }

            bool keyWasBound = MyInvocation.BoundParameters.ContainsKey("Key");
            if (!keyWasBound)
            {
                key = null;
            }

            // enumerateCollection = true: each returned key is written as its own pipeline object.
            WriteObject(NamedKey.GetInstances(path, key), true);
        }
コード例 #8
        /// <summary>
        /// Parses a registry hive file and builds one <see cref="Amcache"/> for every subkey of the keys that
        /// <c>NamedKey.GetInstances</c> returns for <c>Root\File</c>.
        /// </summary>
        /// <remarks>
        /// No hive-type check is made here; what happens for a hive that lacks <c>Root\File</c> depends on
        /// <c>NamedKey.GetInstances</c>.
        /// </remarks>
        /// <param name="hivePath">Path to the hive file to parse (presumably an Amcache.hve — confirm with callers).</param>
        /// <returns>The parsed entries, or an empty array when no subkeys are found.</returns>
        public static Amcache[] GetInstancesByPath(string hivePath)
        {
            string fileKeyPath = @"Root\File";
            byte[] hiveBytes = Registry.Helper.GetHiveBytes(hivePath);
            NamedKey[] fileKeys = NamedKey.GetInstances(hiveBytes, hivePath, fileKeyPath);

            List<Amcache> results = new List<Amcache>();

            foreach (NamedKey parent in fileKeys)
            {
                // GetSubKeys is called on every key here, with no NumberOfSubKeys check first.
                NamedKey[] children = parent.GetSubKeys(hiveBytes);

                foreach (NamedKey child in children)
                {
                    results.Add(new Amcache(child, hiveBytes));
                }
            }

            return results.ToArray();
        }
コード例 #9
        /// <summary>
        /// Reads the hive at <c>hivePath</c> into memory and writes one <c>AppCompat</c> object to the pipeline
        /// for every subkey of the keys that <c>NamedKey.GetInstances</c> returns for <c>Root\File</c>.
        /// When the Path parameter was not bound, <c>hivePath</c> defaults to
        /// <c>C:\Windows\AppCompat\Programs\Amcache.hve</c>.
        /// </summary>
        protected override void ProcessRecord()
        {
            bool pathWasBound = this.MyInvocation.BoundParameters.ContainsKey("Path");
            if (!pathWasBound)
            {
                // NOTE(review): the default is fixed to drive C:, so a system installed on another drive
                // needs the path passed explicitly.
                hivePath = @"C:\Windows\AppCompat\Programs\Amcache.hve";
            }

            string fileKeyPath = @"Root\File";
            byte[] hiveBytes = Registry.Helper.GetHiveBytes(hivePath);
            NamedKey[] fileKeys = NamedKey.GetInstances(hiveBytes, hivePath, fileKeyPath);

            foreach (NamedKey parent in fileKeys)
            {
                NamedKey[] children = parent.GetSubKeys(hiveBytes);

                foreach (NamedKey child in children)
                {
                    // Each entry is written as it is parsed rather than collected first.
                    WriteObject(new AppCompat(child, hiveBytes));
                }
            }
        } // ProcessRecord
コード例 #10
        /// <summary>
        /// Parses a registry hive file and builds one <see cref="NetworkList"/> for every subkey of the keys
        /// that <c>NamedKey.GetInstances</c> returns for
        /// <c>Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures</c>.
        /// </summary>
        /// <remarks>
        /// No hive-type check is made here; what happens for a hive that lacks the key depends on
        /// <c>NamedKey.GetInstances</c>.
        /// </remarks>
        /// <param name="hivePath">Path to the hive file to parse.</param>
        /// <returns>The parsed entries, or an empty array when none of the returned keys has subkeys.</returns>
        public static NetworkList[] GetInstances(string hivePath)
        {
            string signaturesPath = @"Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures";
            byte[] hiveBytes = Registry.Helper.GetHiveBytes(hivePath);
            NamedKey[] signatureKeys = NamedKey.GetInstances(hiveBytes, hivePath, signaturesPath);

            List<NetworkList> results = new List<NetworkList>();

            foreach (NamedKey parent in signatureKeys)
            {
                // Keys that report no children are skipped instead of being handed to GetSubKeys.
                if (parent.NumberOfSubKeys == 0)
                {
                    continue;
                }

                foreach (NamedKey child in parent.GetSubKeys(hiveBytes, parent.FullName))
                {
                    results.Add(new NetworkList(child, hiveBytes));
                }
            }

            return results.ToArray();
        }
コード例 #11
        /// <summary>
        /// Reads the hive at <c>hivePath</c> into memory and writes one <c>UserAssist</c> object to the
        /// pipeline for every value found two levels below the keys that <c>NamedKey.GetInstances</c> returns
        /// for <c>Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist</c>.
        /// </summary>
        protected override void ProcessRecord()
        {
            string userAssistPath = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist";
            byte[] hiveBytes = Registry.Helper.GetHiveBytes(hivePath);
            NamedKey[] topLevelKeys = NamedKey.GetInstances(hiveBytes, hivePath, userAssistPath);

            foreach (NamedKey parent in topLevelKeys)
            {
                foreach (NamedKey child in parent.GetSubKeys(hiveBytes))
                {
                    // Value-less subkeys are skipped instead of being handed to GetValues.
                    if (child.NumberOfValues == 0)
                    {
                        continue;
                    }

                    foreach (ValueKey value in child.GetValues(hiveBytes))
                    {
                        // Each entry is written as it is parsed rather than collected first.
                        WriteObject(new UserAssist(value, hiveBytes));
                    }
                }
            }
        } // ProcessRecord
コード例 #12
        /// <summary>
        /// Reads the hive at <c>hivePath</c> into memory and writes one <c>NetworkList</c> object to the
        /// pipeline for every subkey of the keys that <c>NamedKey.GetInstances</c> returns for
        /// <c>Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures</c>.
        /// When the Path parameter was not bound, <c>hivePath</c> defaults to
        /// <c>C:\windows\system32\config\SOFTWARE</c>.
        /// </summary>
        protected override void ProcessRecord()
        {
            bool pathWasBound = this.MyInvocation.BoundParameters.ContainsKey("Path");
            if (!pathWasBound)
            {
                // NOTE(review): the default is fixed to drive C:, so a system installed on another drive
                // needs the path passed explicitly.
                hivePath = @"C:\windows\system32\config\SOFTWARE";
            }

            // NOTE(review): the key path starts with "Software\" although the default hive is SOFTWARE itself;
            // whether that prefix resolves depends on how NamedKey.GetInstances treats the hive root — confirm.
            string signaturesPath = @"Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures";
            byte[] hiveBytes = Registry.Helper.GetHiveBytes(hivePath);
            NamedKey[] signatureKeys = NamedKey.GetInstances(hiveBytes, hivePath, signaturesPath);

            foreach (NamedKey parent in signatureKeys)
            {
                // Keys that report no children are skipped instead of being handed to GetSubKeys.
                if (parent.NumberOfSubKeys == 0)
                {
                    continue;
                }

                foreach (NamedKey child in parent.GetSubKeys(hiveBytes))
                {
                    // Each entry is written as it is parsed rather than collected first.
                    WriteObject(new NetworkList(child, hiveBytes));
                }
            }
        } // ProcessRecord