public RegistryInterop(RegistryHives hive, string subKey, string filePath) { int token = 0; int retval = 0; TOKEN_PRIVILEGES TP = new TOKEN_PRIVILEGES(); TOKEN_PRIVILEGES TP2 = new TOKEN_PRIVILEGES(); LUID RestoreLuid = new LUID(); LUID BackupLuid = new LUID(); retval = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref token); retval = LookupPrivilegeValue(null, SE_RESTORE_NAME, ref RestoreLuid); retval = LookupPrivilegeValue(null, SE_BACKUP_NAME, ref BackupLuid); TP.PrivilegeCount = 1; TP.Attributes = SE_PRIVILEGE_ENABLED; TP.Luid = RestoreLuid; TP2.PrivilegeCount = 1; TP2.Attributes = SE_PRIVILEGE_ENABLED; TP2.Luid = BackupLuid; retval = AdjustTokenPrivileges(token, 0, ref TP, 1024, 0, 0); retval = AdjustTokenPrivileges(token, 0, ref TP2, 1024, 0, 0); uint regHive = (uint)hive; this.Hive = hive; this.SubKey = subKey; RegLoadKey(regHive, subKey, filePath); this.IsUnloaded = false; }
public static RegistryKey OpenSubKey(RegistryHives registryHive, string keyPath) { switch (registryHive) { case RegistryHives.CLASSES_ROOT: return(Registry.ClassesRoot.OpenSubKey(keyPath)); case RegistryHives.CURRENT_USER: return(Registry.CurrentUser.OpenSubKey(keyPath)); case RegistryHives.LOCAL_MACHINE: return(Registry.LocalMachine.OpenSubKey(keyPath)); case RegistryHives.USERS: return(Registry.Users.OpenSubKey(keyPath)); case RegistryHives.CURRENT_CONFIG: return(Registry.CurrentConfig.OpenSubKey(keyPath)); case RegistryHives.PERFORMANCE_DATA: return(Registry.PerformanceData.OpenSubKey(keyPath)); default: throw new InvalidOperationException("Invalid Registry Hive Enum"); } }
public override bool OnUnloaded(bool forceExit) { if (!HivesLoaded) { // Registry hives not completely loaded, unload them RegistryHives.Clear(); } if (IsBusy) { MessageBox.Show(Application.Current.MainWindow, "The Windows Registry is currently being analyzed/compacted. The operation cannot be completed at the moment.", Utils.ProductName, MessageBoxButton.OK, MessageBoxImage.Error); return(false); } if (CurrentControl is AnalyzeResults) { var exit = forceExit || MessageBox.Show(Application.Current.MainWindow, "Analyze results will be reset. Would you like to continue?", Utils.ProductName, MessageBoxButton.YesNo, MessageBoxImage.Question) == MessageBoxResult.Yes; if (!exit) { return(false); } foreach (var h in RegistryHives) { h.Reset(); } return(true); } return(true); }
public RegistryKeyAttribute(RegistryHives Hive, String ValueName) { this.Hive = Hive; this.ValueName = ValueName; }
public (RegistryHive, IEnumerable <IShellItem>) ImportRegistry(bool parseAllUsers = false, bool useOfflineHive = false, string hiveLocation = null) { RegistryImportBegin?.Invoke(this, EventArgs.Empty); IDictionary <RegistryKeyWrapper, IShellItem> keyShellMappings = new Dictionary <RegistryKeyWrapper, IShellItem>(); IList <IShellItem> parsedItems = new List <IShellItem>(); User user = null; RegistryHive hive = null; IEnumerable <RegistryKeyWrapper> registryEnumerator = useOfflineHive ? GetOfflineRegistryKeyIterator(hiveLocation) : GetOnlineRegistryKeyIterator(parseAllUsers); foreach (RegistryKeyWrapper keyWrapper in registryEnumerator) { if (keyWrapper.Value != null) // Some Registry Keys are null { byte[] buffer = keyWrapper.Value; int off = 0; if (user == null) { user = Users.FirstOrDefault( u => u.Name == keyWrapper.RegistryUser && u.SID == keyWrapper.RegistrySID ); if (user != null) { return(null, null); } Users.SynchronizationContext?.Send((_) => { user = new User { Name = keyWrapper.RegistryUser, SID = keyWrapper.RegistrySID }; Users.Add(user); }, null); } if (hive == null) { string name = useOfflineHive ? Path.GetFileName(hiveLocation) : "Live Registry"; string pathname = useOfflineHive ? hiveLocation : "N/A"; hive = RegistryHives.FirstOrDefault( u => u.Name == name && u.Path == pathname && u.User == user ); if (hive != null) { return(null, null); } RegistryHives.SynchronizationContext?.Send((_) => { hive = new RegistryHive { Name = name, Path = pathname, User = user }; RegistryHives.Add(hive); }, null); Users.SynchronizationContext?.Send((_) => { user.RegistryHives.Add(hive); }, null); } // extract shell items from registry value while (off + 2 <= buffer.Length && BlockHelper.UnpackWord(buffer, off) != 0) { IShellItem parentShellItem = null; //obtain the parent shellitem from the parent registry key (if it exists) if (keyWrapper.Parent != null) { if (keyShellMappings.TryGetValue(keyWrapper.Parent, out IShellItem pShellItem)) { parentShellItem = pShellItem; } } byte[] value = buffer.Skip(off).ToArray(); IShellItem shellItem = ShellFactory.Create(hive, keyWrapper, value, parentShellItem); if (shellItem != null) { off += shellItem.Size; } else { off += BlockHelper.UnpackWord(buffer, off); // construct a placeholder item if the shellbag cannot be identified shellItem = new UnknownShellItem() { Place = new UnknownPlace() { Name = "??", PathName = parentShellItem != null?Path.Combine(parentShellItem.Place.PathName ?? string.Empty, parentShellItem.Place.Name) : null, }, RegistryHive = hive, Value = value, NodeSlot = keyWrapper.NodeSlot, SlotModifiedDate = keyWrapper.SlotModifiedDate, LastRegistryWriteDate = keyWrapper.LastRegistryWriteDate, Parent = parentShellItem }; parentShellItem?.Children.Add(shellItem); } keyShellMappings.Add(keyWrapper, shellItem); // add the shell item to the collection ShellItems.Add(shellItem); parsedItems.Add(shellItem); // if the shell item has no parent then it belongs to root if (shellItem.Parent == null) { hive.Items.Add(shellItem); } } } } RegistryImportEnd?.Invoke(this, EventArgs.Empty); return(hive, parsedItems); }