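/// <summary>
/// Loads AppCompatCache (shimcache) data either from the live registry, when
/// <paramref name="filename"/> is null or empty, or from the offline SYSTEM hive at
/// <paramref name="filename"/>. One <see cref="IAppCompatCache"/> is added to
/// <c>Caches</c> per control set that is processed.
/// </summary>
/// <param name="filename">Path to an offline SYSTEM hive, or null/empty to read the live registry.</param>
/// <param name="controlSet">Control set number to read, or -1 to read every ControlSet00x key present in the hive.</param>
/// <exception cref="FileNotFoundException">The offline hive does not exist.</exception>
/// <exception cref="Exception">An explicitly requested control set has no AppCompatCache/AppCompatibility key.</exception>
public AppCompatCache(string filename, int controlSet)
{
    Caches = new List<IAppCompatCache>();

    if (string.IsNullOrEmpty(filename))
    {
        // Live system: read HKLM directly. OpenSubKey returns null for a missing key, so the
        // modern (AppCompatCache) key is tried first and the legacy (AppCompatibility) key second.
        var hklm = Microsoft.Win32.Registry.LocalMachine;

        byte[] liveBytes;
        using (var cacheKey = hklm.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache")
                              ?? hklm.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility"))
        {
            if (cacheKey == null)
            {
                Console.WriteLine(@"'CurrentControlSet\Control\Session Manager\AppCompatCache' key not found! Exiting");
                return;
            }

            liveBytes = (byte[]) cacheKey.GetValue("AppCompatCache", null);
        }

        // SYSTEM\Select\Current tells us which ControlSet00x 'CurrentControlSet' is linked to.
        using (var selectKey = hklm.OpenSubKey(@"SYSTEM\Select"))
        {
            if (selectKey == null)
            {
                Console.WriteLine(@"'SYSTEM\Select' key not found! Exiting");
                return;
            }

            ControlSet = (int) selectKey.GetValue("Current");
        }

        Caches.Add(Init(liveBytes, Is32Bit(filename), ControlSet));
        return;
    }

    ControlSet = controlSet;

    if (File.Exists(filename) == false)
    {
        throw new FileNotFoundException($"File not found ((unknown))!", filename);
    }

    var log = LogManager.GetCurrentClassLogger();
    var hive = new RegistryHiveOnDemand(filename);

    // Both key names are probed because older Windows versions store the cache under 'AppCompatibility'.
    Func<int, RegistryKey> findCacheKey = id =>
        hive.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatCache")
        ?? hive.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatibility");

    var controlSetIds = new List<int>();

    if (controlSet == -1)
    {
        // No control set requested: collect every ControlSet000..ControlSet009 that carries a cache key.
        for (var i = 0; i < 10; i++)
        {
            if (findCacheKey(i) != null)
            {
                controlSetIds.Add(i);
            }
        }

        if (controlSetIds.Count > 1)
        {
            log.Warn(
                $"***The following ControlSet00x keys will be exported: {string.Join(",", controlSetIds)}. Use -c to process keys individually\r\n");
        }
    }
    else
    {
        // A specific control set was passed in; it must exist.
        if (findCacheKey(ControlSet) == null)
        {
            throw new Exception($"Could not find ControlSet00{ControlSet}. Exiting");
        }

        controlSetIds.Add(ControlSet);
    }

    var is32 = Is32Bit(filename);

    log.Debug($@"**** Found {controlSetIds.Count} ids to process");

    foreach (var id in controlSetIds)
    {
        log.Debug($@"**** Processing id {id}");

        var cacheKey = findCacheKey(id);

        log.Debug($@"**** Looking AppCompatcache value");

        var val = cacheKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");

        // Declared per iteration so bytes found for one control set are never reused for a later one.
        byte[] rawBytes = null;
        if (val != null)
        {
            log.Debug($@"**** Found AppCompatcache value");
            rawBytes = val.ValueDataRaw;
        }

        if (rawBytes == null)
        {
            // Nothing to parse for this control set; skip it rather than hand Init a null buffer.
            log.Error($@"'AppCompatCache' value not found for 'ControlSet00{id}'! Exiting");
            continue;
        }

        Caches.Add(Init(rawBytes, is32, id));
    }
}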
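/// <summary>
/// Reads the <c>Select\Current</c> value of the loaded hive and returns the name of the
/// control set it points to (for example "Controlset001").
/// </summary>
/// <returns>The control set key name built from the <c>Current</c> value.</returns>
/// <exception cref="InvalidOperationException">
/// The <c>Select</c> key is missing from the hive, or it does not have exactly one <c>Current</c> value.
/// </exception>
private string GetCurrentControlSet()
{
    const string keyname = @"Select";

    var selectKey = _hive.GetKey(keyname);
    if (selectKey == null)
    {
        throw new InvalidOperationException($"'{keyname}' key not found in hive; cannot determine the current control set");
    }

    // Single() throws InvalidOperationException when 'Current' is absent or duplicated.
    var setNumber = selectKey.Values.Single(t => t.ValueName == "Current").ValueData;

    // Casing differs from the ControlSet00x names used elsewhere; registry key names are
    // case-insensitive, so lookups are unaffected.
    return $"Controlset00{setNumber}";
}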
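/// <summary>
/// Loads AppCompatCache (shimcache) data either from the live registry, when
/// <paramref name="filename"/> is null or empty, or from the offline SYSTEM hive at
/// <paramref name="filename"/>. A dirty offline hive has its transaction logs
/// (<c>&lt;hive&gt;.LOG?</c> in the same directory) replayed before it is parsed, so
/// that the values read reflect the logged updates. One <see cref="IAppCompatCache"/>
/// is added to <c>Caches</c> per control set that is processed.
/// </summary>
/// <param name="filename">Path to an offline SYSTEM hive, or null/empty to read the live registry.</param>
/// <param name="controlSet">Control set number to read, or -1 to read every ControlSet00x key present in the hive.</param>
/// <param name="noLogs">
/// When true, a dirty hive without transaction logs is parsed as-is after a warning;
/// when false, that situation is an error.
/// </param>
/// <exception cref="FileNotFoundException">The offline hive does not exist.</exception>
/// <exception cref="Exception">
/// The hive is dirty, no logs were found and <paramref name="noLogs"/> is false; or an
/// explicitly requested control set has no AppCompatCache/AppCompatibility key.
/// </exception>
public AppCompatCache(string filename, int controlSet, bool noLogs)
{
    Caches = new List<IAppCompatCache>();

    if (string.IsNullOrEmpty(filename))
    {
        // Live system: read HKLM directly. OpenSubKey returns null for a missing key, so the
        // modern (AppCompatCache) key is tried first and the legacy (AppCompatibility) key second.
        var hklm = Microsoft.Win32.Registry.LocalMachine;

        byte[] liveBytes;
        using (var cacheKey = hklm.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache")
                              ?? hklm.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility"))
        {
            if (cacheKey == null)
            {
                Console.WriteLine(@"'CurrentControlSet\Control\Session Manager\AppCompatCache' key not found! Exiting");
                return;
            }

            liveBytes = (byte[]) cacheKey.GetValue("AppCompatCache", null);
        }

        // SYSTEM\Select\Current tells us which ControlSet00x 'CurrentControlSet' is linked to.
        using (var selectKey = hklm.OpenSubKey(@"SYSTEM\Select"))
        {
            if (selectKey == null)
            {
                Console.WriteLine(@"'SYSTEM\Select' key not found! Exiting");
                return;
            }

            ControlSet = (int) selectKey.GetValue("Current");
        }

        Caches.Add(Init(liveBytes, Is32Bit(filename), ControlSet));
        return;
    }

    ControlSet = controlSet;

    if (File.Exists(filename) == false)
    {
        throw new FileNotFoundException($"File not found ((unknown))!", filename);
    }

    var log = LogManager.GetCurrentClassLogger();
    var hive = new RegistryHive(filename);

    if (hive.Header.PrimarySequenceNumber != hive.Header.SecondarySequenceNumber)
    {
        // Mismatched sequence numbers mean the hive was not cleanly flushed; the pending
        // changes live in the transaction logs next to it (same base name, .LOG1/.LOG2).
        var hiveBase = Path.GetFileName(filename);
        var dirname = Path.GetDirectoryName(filename);
        if (string.IsNullOrEmpty(dirname))
        {
            dirname = ".";
        }

        var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

        if (logFiles.Length == 0)
        {
            if (noLogs == false)
            {
                log.Warn("Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
                throw new Exception("Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
            }

            log.Warn("Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
        }
        else
        {
            hive.ProcessTransactionLogs(logFiles.ToList(), true);
        }
    }

    hive.ParseHive();

    // Both key names are probed because older Windows versions store the cache under 'AppCompatibility'.
    // All lookups go through the parsed (and log-replayed) hive so replayed data is what gets read.
    Func<int, RegistryKey> findCacheKey = id =>
        hive.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatCache")
        ?? hive.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatibility");

    var controlSetIds = new List<int>();

    if (controlSet == -1)
    {
        // No control set requested: collect every ControlSet000..ControlSet009 that carries a cache key.
        for (var i = 0; i < 10; i++)
        {
            if (findCacheKey(i) != null)
            {
                controlSetIds.Add(i);
            }
        }

        if (controlSetIds.Count > 1)
        {
            log.Warn(
                $"***The following ControlSet00x keys will be exported: {string.Join(",", controlSetIds)}. Use -c to process keys individually\r\n");
        }
    }
    else
    {
        // A specific control set was passed in; it must exist.
        if (findCacheKey(ControlSet) == null)
        {
            throw new Exception($"Could not find ControlSet00{ControlSet}. Exiting");
        }

        controlSetIds.Add(ControlSet);
    }

    var is32 = Is32Bit(filename);

    log.Debug($@"**** Found {controlSetIds.Count} ids to process");

    foreach (var id in controlSetIds)
    {
        log.Debug($@"**** Processing id {id}");

        var cacheKey = findCacheKey(id);

        log.Debug($@"**** Looking AppCompatcache value");

        var val = cacheKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");

        // Declared per iteration so bytes found for one control set are never reused for a later one.
        byte[] rawBytes = null;
        if (val != null)
        {
            log.Debug($@"**** Found AppCompatcache value");
            rawBytes = val.ValueDataRaw;
        }

        if (rawBytes == null)
        {
            // Nothing to parse for this control set; skip it rather than hand Init a null buffer.
            log.Error($@"'AppCompatCache' value not found for 'ControlSet00{id}'! Exiting");
            continue;
        }

        Caches.Add(Init(rawBytes, is32, id));
    }
}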
/// <summary>
/// Checks that REG_QWORD values are decoded as <c>ulong</c> with the expected slack
/// length, across an on-demand hive, fully parsed hives with deleted-record
/// recovery, and a hive carrying slack data.
/// </summary>
public void ShouldFindRegQWordValues()
{
    var ntUser1 = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

    var werKey = ntUser1.GetKey(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\Windows Error Reporting");
    Check.That(werKey).IsNotNull();

    var lastCab = werKey.Values.Single(v => string.Equals(v.ValueName, "LastWatsonCabUploaded", StringComparison.Ordinal));
    Check.That(lastCab).IsNotNull();
    var lastCabRecord = lastCab.VkRecord;
    Check.That(lastCabRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(lastCabRecord.ValueData).IsEqualTo((ulong) 130557640214774914);
    Check.That(lastCabRecord.ValueDataSlack.Length).IsEqualTo(4);

    var storeKey = ntUser1.GetKey(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList");
    Check.That(storeKey).IsNotNull();

    var banned = storeKey.Values.Single(v => string.Equals(v.ValueName, "BannedAppsLastModified", StringComparison.Ordinal));
    Check.That(banned).IsNotNull();
    var bannedRecord = banned.VkRecord;
    Check.That(bannedRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(bannedRecord.ValueData).IsEqualTo((ulong) 0);
    Check.That(bannedRecord.ValueDataSlack.Length).IsEqualTo(4);

    // Fully parsed hive, keeping record lists so deleted entries can be inspected.
    var acronisUsrClass = new RegistryHive(@".\Hives\Acronis_0x52_Usrclass.dat")
    {
        RecoverDeleted = true,
        FlushRecordListsAfterParse = false
    };
    acronisUsrClass.ParseHive();

    var acronisTray = acronisUsrClass.GetKey(
        @"S-1-5-21-3851833874-1800822990-1357392098-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify");
    Check.That(acronisTray).IsNotNull();

    var acronisAdvert = acronisTray.Values.Single(v => string.Equals(v.ValueName, "LastAdvertisement", StringComparison.Ordinal));
    Check.That(acronisAdvert).IsNotNull();
    var acronisRecord = acronisAdvert.VkRecord;
    Check.That(acronisRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(acronisRecord.ValueData).IsEqualTo((ulong) 130294002389413697);
    Check.That(acronisRecord.ValueDataSlack.Length).IsEqualTo(4);

    var deletedUsrClass = new RegistryHive(@".\Hives\UsrClassDeletedBags.dat")
    {
        RecoverDeleted = true,
        FlushRecordListsAfterParse = false
    };
    deletedUsrClass.ParseHive();

    var deletedTray = deletedUsrClass.GetKey(
        @"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify");
    Check.That(deletedTray).IsNotNull();

    var deletedAdvert = deletedTray.Values.Single(v => string.Equals(v.ValueName, "LastAdvertisement", StringComparison.Ordinal));
    Check.That(deletedAdvert).IsNotNull();
    var deletedRecord = deletedAdvert.VkRecord;
    Check.That(deletedRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(deletedRecord.ValueData).IsEqualTo((ulong) 130672934390152518);
    Check.That(deletedRecord.ValueDataSlack.Length).IsEqualTo(4);

    var slackNtUser = new RegistryHive(@".\Hives\NTUSER slack.DAT")
    {
        FlushRecordListsAfterParse = false
    };
    slackNtUser.ParseHive();

    var externalTools = slackNtUser.GetKey(
        @"$$$PROTO.HIV\Software\Microsoft\VisualStudio\7.0\External Tools");
    Check.That(externalTools).IsNotNull();

    var lastMerge = externalTools.Values.Single(v => string.Equals(v.ValueName, "LastMerge", StringComparison.Ordinal));
    Check.That(lastMerge).IsNotNull();
    var lastMergeRecord = lastMerge.VkRecord;
    Check.That(lastMergeRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(lastMergeRecord.ValueData).IsEqualTo((ulong) 127257359392030000);
    Check.That(lastMergeRecord.ValueDataSlack.Length).IsEqualTo(4);
}
/// <summary>
/// Checks that REG_SZ values in the NTUSER1 hive decode to the expected strings,
/// including an empty string, with the expected slack length for each.
/// </summary>
public void ShouldFindRegSzValues()
{
    const string hiveRoot = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}";

    var ntUser1 = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

    var assemblyKey = ntUser1.GetKey(
        hiveRoot + @"\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}");
    Check.That(assemblyKey).IsNotNull();

    var defaultValue = assemblyKey.Values.Single(v => string.Equals(v.ValueName, "Default", StringComparison.Ordinal));
    Check.That(defaultValue).IsNotNull();
    var defaultRecord = defaultValue.VkRecord;
    Check.That(defaultRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
    Check.That(defaultRecord.ValueData).IsEqualTo("{00000000-0000-0000-0000-000000000000}");
    Check.That(defaultRecord.ValueDataSlack.Length).IsEqualTo(6);

    var languageKey = ntUser1.GetKey(hiveRoot + @"\Software\Microsoft\CTF\SortOrder\Language");
    Check.That(languageKey).IsNotNull();

    var languageValue = languageKey.Values.Single(v => string.Equals(v.ValueName, "00000000", StringComparison.Ordinal));
    Check.That(languageValue).IsNotNull();
    var languageRecord = languageValue.VkRecord;
    Check.That(languageRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
    Check.That(languageRecord.ValueData).IsEqualTo("00000409");
    Check.That(languageRecord.ValueDataSlack.Length).IsEqualTo(2);

    // Empty REG_SZ: no data and no slack expected.
    var dictationKey = ntUser1.GetKey(hiveRoot + @"\Software\Microsoft\Speech\Preferences\AppCompatDisableDictation");
    Check.That(dictationKey).IsNotNull();

    var dwmValue = dictationKey.Values.Single(v => string.Equals(v.ValueName, "dwm.exe", StringComparison.Ordinal));
    Check.That(dwmValue).IsNotNull();
    var dwmRecord = dwmValue.VkRecord;
    Check.That(dwmRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
    Check.That(dwmRecord.ValueData).IsEqualTo("");
    Check.That(dwmRecord.ValueDataSlack.Length).IsEqualTo(0);

    var eudcKey = ntUser1.GetKey(hiveRoot + @"\EUDC\932");
    Check.That(eudcKey).IsNotNull();

    var fontValue = eudcKey.Values.Single(v => string.Equals(v.ValueName, "SystemDefaultEUDCFont", StringComparison.Ordinal));
    Check.That(fontValue).IsNotNull();
    var fontRecord = fontValue.VkRecord;
    Check.That(fontRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
    Check.That(fontRecord.ValueData).IsEqualTo("EUDC.TTE");
    Check.That(fontRecord.ValueDataSlack.Length).IsEqualTo(2);

    var policyKey = ntUser1.GetKey(hiveRoot + @"\Control Panel\PowerCfg\PowerPolicies\4");
    Check.That(policyKey).IsNotNull();

    var descriptionValue = policyKey.Values.Single(v => string.Equals(v.ValueName, "Description", StringComparison.Ordinal));
    Check.That(descriptionValue).IsNotNull();
    var descriptionRecord = descriptionValue.VkRecord;
    Check.That(descriptionRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
    Check.That(descriptionRecord.ValueData)
        .IsEqualTo("This scheme keeps the computer on and optimizes it for high performance.");
    Check.That(descriptionRecord.ValueDataSlack.Length).IsEqualTo(2);
}
/// <summary>
/// Checks that REG_MULTI_SZ values decode to their space-joined string form with
/// the expected slack length, across an on-demand user hive, a parsed UsrClass
/// hive and a parsed BCD hive.
/// </summary>
public void ShouldFindRegMultiSzValues()
{
    var ntUser1 = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

    var profileKey = ntUser1.GetKey(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\International\User Profile");
    Check.That(profileKey).IsNotNull();

    var languages = profileKey.Values.Single(v => string.Equals(v.ValueName, "Languages", StringComparison.Ordinal));
    Check.That(languages).IsNotNull();
    var languagesRecord = languages.VkRecord;
    Check.That(languagesRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(languagesRecord.ValueData).IsEqualTo("en-US");
    Check.That(languagesRecord.ValueDataSlack.Length).IsEqualTo(0);

    var acronisUsrClass = new RegistryHive(@".\Hives\Acronis_0x52_Usrclass.dat")
    {
        RecoverDeleted = true,
        FlushRecordListsAfterParse = false
    };
    acronisUsrClass.ParseHive();

    var muiCacheKey = acronisUsrClass.GetKey(
        @"S-1-5-21-3851833874-1800822990-1357392098-1000_Classes\Local Settings\MuiCache\12\52C64B7E");
    Check.That(muiCacheKey).IsNotNull();

    var languageList = muiCacheKey.Values.Single(v => string.Equals(v.ValueName, "LanguageList", StringComparison.Ordinal));
    Check.That(languageList).IsNotNull();
    var languageListRecord = languageList.VkRecord;
    Check.That(languageListRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(languageListRecord.ValueData).IsEqualTo("en-US en");
    Check.That(languageListRecord.ValueDataSlack.Length).IsEqualTo(0);

    // Property order matches the original assignment order (Flush first, then RecoverDeleted).
    var bcdHive = new RegistryHive(@".\Hives\BCD")
    {
        FlushRecordListsAfterParse = false,
        RecoverDeleted = true
    };
    bcdHive.ParseHive();

    var firstElementKey = bcdHive.GetKey(
        @"System\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\14000006");
    Check.That(firstElementKey).IsNotNull();

    var firstElement = firstElementKey.Values.Single(v => string.Equals(v.ValueName, "Element", StringComparison.Ordinal));
    Check.That(firstElement).IsNotNull();
    var firstElementRecord = firstElement.VkRecord;
    Check.That(firstElementRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(firstElementRecord.ValueData)
        .IsEqualTo("{4636856e-540f-4170-a130-a84776f4c654} {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}");
    Check.That(firstElementRecord.ValueDataSlack.Length).IsEqualTo(6);

    var secondElementKey = bcdHive.GetKey(
        @"System\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\14000006");
    Check.That(secondElementKey).IsNotNull();

    var secondElement = secondElementKey.Values.Single(v => string.Equals(v.ValueName, "Element", StringComparison.Ordinal));
    Check.That(secondElement).IsNotNull();
    var secondElementRecord = secondElement.VkRecord;
    Check.That(secondElementRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(secondElementRecord.ValueData).IsEqualTo("{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}");
    Check.That(secondElementRecord.ValueDataSlack.Length).IsEqualTo(84);
}
/// <summary>
/// Checks that REG_EXPAND_SZ values in the NTUSER1 hive are returned unexpanded
/// (environment references such as %SystemRoot% intact) with the expected slack length.
/// </summary>
public void ShouldFindRegExpandSzValues()
{
    const string hiveRoot = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}";

    var ntUser1 = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

    var environmentKey = ntUser1.GetKey(hiveRoot + @"\Environment");
    Check.That(environmentKey).IsNotNull();

    var tempValue = environmentKey.Values.Single(v => string.Equals(v.ValueName, "TEMP", StringComparison.Ordinal));
    Check.That(tempValue).IsNotNull();
    var tempRecord = tempValue.VkRecord;
    Check.That(tempRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
    Check.That(tempRecord.ValueData).IsEqualTo(@"%USERPROFILE%\AppData\Local\Temp");
    Check.That(tempRecord.ValueDataSlack.Length).IsEqualTo(2);

    var cursorsKey = ntUser1.GetKey(hiveRoot + @"\Control Panel\Cursors");
    Check.That(cursorsKey).IsNotNull();

    var arrowValue = cursorsKey.Values.Single(v => string.Equals(v.ValueName, "Arrow", StringComparison.Ordinal));
    Check.That(arrowValue).IsNotNull();
    var arrowRecord = arrowValue.VkRecord;
    Check.That(arrowRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
    Check.That(arrowRecord.ValueData).IsEqualTo(@"%SystemRoot%\cursors\aero_arrow.cur");
    Check.That(arrowRecord.ValueDataSlack.Length).IsEqualTo(4);

    var uacSoundKey = ntUser1.GetKey(hiveRoot + @"\AppEvents\Schemes\Apps\.Default\WindowsUAC\.Current");
    Check.That(uacSoundKey).IsNotNull();

    var uacDefault = uacSoundKey.Values.Single(v => string.Equals(v.ValueName, "(default)", StringComparison.Ordinal));
    Check.That(uacDefault).IsNotNull();
    var uacRecord = uacDefault.VkRecord;
    Check.That(uacRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
    Check.That(uacRecord.ValueData).IsEqualTo(@"%SystemRoot%\media\Windows User Account Control.wav");
    Check.That(uacRecord.ValueDataSlack.Length).IsEqualTo(4);

    var themesKey = ntUser1.GetKey(hiveRoot + @"\Software\Microsoft\Windows\CurrentVersion\Themes");
    Check.That(themesKey).IsNotNull();

    var contrastValue = themesKey.Values.Single(v => string.Equals(v.ValueName, "LastHighContrastTheme", StringComparison.Ordinal));
    Check.That(contrastValue).IsNotNull();
    var contrastRecord = contrastValue.VkRecord;
    Check.That(contrastRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
    Check.That(contrastRecord.ValueData).IsEqualTo(@"%SystemRoot%\resources\Ease of Access Themes\hcblack.theme");
    Check.That(contrastRecord.ValueDataSlack.Length).IsEqualTo(6);

    var themeManagerKey = ntUser1.GetKey(hiveRoot + @"\Software\Microsoft\Windows\CurrentVersion\ThemeManager");
    Check.That(themeManagerKey).IsNotNull();

    var dllValue = themeManagerKey.Values.Single(v => string.Equals(v.ValueName, "DllName", StringComparison.Ordinal));
    Check.That(dllValue).IsNotNull();
    var dllRecord = dllValue.VkRecord;
    Check.That(dllRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
    Check.That(dllRecord.ValueData).IsEqualTo(@"%SystemRoot%\resources\themes\Aero\Aero.msstyles");
    Check.That(dllRecord.ValueDataSlack.Length).IsEqualTo(2);
}
/// <summary>
/// Checks that REG_DWORD values in the NTUSER1 hive decode as <c>uint</c> and carry
/// no slack (a DWORD fills its 4-byte cell exactly).
/// </summary>
public void ShouldFindRegDWordValues()
{
    const string hiveRoot = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}";

    var ntUser1 = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

    var penKey = ntUser1.GetKey(hiveRoot + @"\Software\Microsoft\Wisp\Pen\SysEventParameters");
    Check.That(penKey).IsNotNull();

    var dblDist = penKey.Values.Single(v => string.Equals(v.ValueName, "DblDist", StringComparison.Ordinal));
    Check.That(dblDist).IsNotNull();
    var dblDistRecord = dblDist.VkRecord;
    Check.That(dblDistRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
    Check.That(dblDistRecord.ValueData).IsEqualTo((uint) 20);
    Check.That(dblDistRecord.ValueDataSlack.Length).IsEqualTo(0);

    var windowsKey = ntUser1.GetKey(hiveRoot + @"\Software\Microsoft\Windows NT\CurrentVersion\Windows");
    Check.That(windowsKey).IsNotNull();

    var selectedDefault = windowsKey.Values.Single(v => string.Equals(v.ValueName, "UserSelectedDefault", StringComparison.Ordinal));
    Check.That(selectedDefault).IsNotNull();
    var selectedDefaultRecord = selectedDefault.VkRecord;
    Check.That(selectedDefaultRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
    Check.That(selectedDefaultRecord.ValueData).IsEqualTo((uint) 0);
    Check.That(selectedDefaultRecord.ValueDataSlack.Length).IsEqualTo(0);

    var repairedKey = ntUser1.GetKey(
        hiveRoot + @"\Software\Microsoft\Windows NT\CurrentVersion\MsiCorruptedFileRecovery\RepairedProducts");
    Check.That(repairedKey).IsNotNull();

    var timeWindow = repairedKey.Values.Single(v => string.Equals(v.ValueName, "TimeWindowMinutes", StringComparison.Ordinal));
    Check.That(timeWindow).IsNotNull();
    var timeWindowRecord = timeWindow.VkRecord;
    Check.That(timeWindowRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
    Check.That(timeWindowRecord.ValueData).IsEqualTo((uint) 1440);
    Check.That(timeWindowRecord.ValueDataSlack.Length).IsEqualTo(0);

    var werKey = ntUser1.GetKey(hiveRoot + @"\Software\Microsoft\Windows\Windows Error Reporting");
    Check.That(werKey).IsNotNull();

    var archiveCount = werKey.Values.Single(v => string.Equals(v.ValueName, "MaxArchiveCount", StringComparison.Ordinal));
    Check.That(archiveCount).IsNotNull();
    var archiveCountRecord = archiveCount.VkRecord;
    Check.That(archiveCountRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
    Check.That(archiveCountRecord.ValueData).IsEqualTo((uint) 500);
    Check.That(archiveCountRecord.ValueDataSlack.Length).IsEqualTo(0);

    var consoleKey = ntUser1.GetKey(hiveRoot + @"\Console");
    Check.That(consoleKey).IsNotNull();

    var colorTable = consoleKey.Values.Single(v => string.Equals(v.ValueName, "ColorTable11", StringComparison.Ordinal));
    Check.That(colorTable).IsNotNull();
    var colorTableRecord = colorTable.VkRecord;
    Check.That(colorTableRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
    Check.That(colorTableRecord.ValueData).IsEqualTo((uint) 16776960);
    Check.That(colorTableRecord.ValueDataSlack.Length).IsEqualTo(0);
}
/// <summary>
/// Checks that REG_BINARY values in the NTUSER1 hive are surfaced as <c>byte[]</c>
/// of the expected raw length, with the expected slack length.
/// </summary>
public void ShouldFindRegBinaryValues()
{
    const string hiveRoot = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}";

    var ntUser1 = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

    var schemesKey = ntUser1.GetKey(hiveRoot + @"\Control Panel\Appearance\Schemes");
    Check.That(schemesKey).IsNotNull();

    var themeScheme = schemesKey.Values.Single(v => string.Equals(v.ValueName, "@themeui.dll,-850", StringComparison.Ordinal));
    Check.That(themeScheme).IsNotNull();
    Check.That(themeScheme.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegBinary);
    Check.That(themeScheme.VkRecord.ValueData).IsInstanceOf<byte[]>();
    Check.That(themeScheme.ValueDataRaw.Length).IsEqualTo(712);
    Check.That(themeScheme.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

    var metricsKey = ntUser1.GetKey(hiveRoot + @"\Control Panel\Desktop\WindowMetrics");
    Check.That(metricsKey).IsNotNull();

    var iconFont = metricsKey.Values.Single(v => string.Equals(v.ValueName, "IconFont", StringComparison.Ordinal));
    Check.That(iconFont).IsNotNull();
    Check.That(iconFont.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegBinary);
    Check.That(iconFont.VkRecord.ValueData).IsInstanceOf<byte[]>();
    Check.That(iconFont.ValueDataRaw.Length).IsEqualTo(92);
    Check.That(iconFont.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

    var mouseKey = ntUser1.GetKey(hiveRoot + @"\Control Panel\Mouse");
    Check.That(mouseKey).IsNotNull();

    var xCurve = mouseKey.Values.Single(v => string.Equals(v.ValueName, "SmoothMouseXCurve", StringComparison.Ordinal));
    Check.That(xCurve).IsNotNull();
    Check.That(xCurve.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegBinary);
    Check.That(xCurve.VkRecord.ValueData).IsInstanceOf<byte[]>();
    Check.That(xCurve.ValueDataRaw.Length).IsEqualTo(40);
    Check.That(xCurve.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

    var powerKey = ntUser1.GetKey(hiveRoot + @"\Control Panel\PowerCfg\GlobalPowerPolicy");
    Check.That(powerKey).IsNotNull();

    var policies = powerKey.Values.Single(v => string.Equals(v.ValueName, "Policies", StringComparison.Ordinal));
    Check.That(policies).IsNotNull();
    Check.That(policies.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegBinary);
    Check.That(policies.VkRecord.ValueData).IsInstanceOf<byte[]>();
    Check.That(policies.ValueDataRaw.Length).IsEqualTo(176);
    Check.That(policies.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

    var hotKeysKey = ntUser1.GetKey(hiveRoot + @"\Control Panel\Input Method\Hot Keys\00000010");
    Check.That(hotKeysKey).IsNotNull();

    var modifiers = hotKeysKey.Values.Single(v => string.Equals(v.ValueName, "Key Modifiers", StringComparison.Ordinal));
    Check.That(modifiers).IsNotNull();
    Check.That(modifiers.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegBinary);
    Check.That(modifiers.VkRecord.ValueData).IsInstanceOf<byte[]>();
    Check.That(modifiers.ValueDataRaw.Length).IsEqualTo(4);
    Check.That(modifiers.VkRecord.ValueDataSlack.Length).IsEqualTo(0);
}
/// <summary>
/// Exports a single key from each supported hive type (SAM, NTUSER, SECURITY, SYSTEM,
/// UsrClass, Other) to a .reg file in the working directory and checks that every
/// export reports success, including a key from a hive parsed with deleted-record recovery.
/// </summary>
public void ExportToRegFormatSingleKey()
{
    const string hiveRoot = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}";

    var sam = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");
    var samAccount = sam.GetKey(@"SAM\Domains\Account");
    var samExported = Helpers.ExportToReg(@"exportSamTest.reg", samAccount, HiveTypeEnum.Sam, false);
    Check.That(samExported).IsTrue();

    var ntUser1 = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");
    var consoleKey = ntUser1.GetKey(hiveRoot + @"\Console");
    var ntUserExported = Helpers.ExportToReg(@"exportntuser1Test.reg", consoleKey, HiveTypeEnum.NtUser, false);
    Check.That(ntUserExported).IsTrue();

    var security = new RegistryHiveOnDemand(@"..\..\..\Hives\SECURITY");
    var accountsKey = security.GetKey(hiveRoot + @"\Policy\Accounts\S-1-5-9");
    var securityExported = Helpers.ExportToReg(@"exportsecTest.reg", accountsKey, HiveTypeEnum.Security, false);
    Check.That(securityExported).IsTrue();

    var system = new RegistryHiveOnDemand(@"..\..\..\Hives\SYSTEM");
    var acpiKey = system.GetKey(hiveRoot + @"\ControlSet001\Enum\ACPI\PNP0C02\1");
    var systemExported = Helpers.ExportToReg(@"exportsysTest.reg", acpiKey, HiveTypeEnum.System, false);
    Check.That(systemExported).IsTrue();

    var usrClassFtp = new RegistryHiveOnDemand(@"..\..\..\Hives\UsrClass FTP.dat");
    var extensionKey = usrClassFtp.GetKey(@"S-1-5-21-2417227394-2575385136-2411922467-1105_Classes\.3g2");
    var usrClassExported = Helpers.ExportToReg(@"exportusrTest.reg", extensionKey, HiveTypeEnum.UsrClass, false);
    Check.That(usrClassExported).IsTrue();

    var samDupeName = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM_DUPENAME");
    var aliasKey = samDupeName.GetKey(@"SAM\SAM\Domains\Account\Aliases\000003E9");
    var otherExported = Helpers.ExportToReg(@"exportotherTest.reg", aliasKey, HiveTypeEnum.Other, false);
    Check.That(otherExported).IsTrue();

    // Fully parsed hive with deleted-record recovery, so the exported key may be a recovered one.
    var usrClassDeleted = new RegistryHive(@"..\..\..\Hives\UsrClassDeletedBags.dat")
    {
        RecoverDeleted = true,
        FlushRecordListsAfterParse = false
    };
    usrClassDeleted.ParseHive();

    var bagKey = usrClassDeleted.GetKey(
        @"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1");
    var deletedExported = Helpers.ExportToReg(@"exportDeletedTest.reg", bagKey, HiveTypeEnum.UsrClass, false);
    Check.That(deletedExported).IsTrue();
}