public RegistryInterop(RegistryHives hive, string subKey, string filePath)
{
int token = 0;
int retval = 0;
TOKEN_PRIVILEGES TP = new TOKEN_PRIVILEGES();
TOKEN_PRIVILEGES TP2 = new TOKEN_PRIVILEGES();
LUID RestoreLuid = new LUID();
LUID BackupLuid = new LUID();
retval = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref token);
retval = LookupPrivilegeValue(null, SE_RESTORE_NAME, ref RestoreLuid);
retval = LookupPrivilegeValue(null, SE_BACKUP_NAME, ref BackupLuid);
TP.PrivilegeCount = 1;
TP.Attributes = SE_PRIVILEGE_ENABLED;
TP.Luid = RestoreLuid;
TP2.PrivilegeCount = 1;
TP2.Attributes = SE_PRIVILEGE_ENABLED;
TP2.Luid = BackupLuid;
retval = AdjustTokenPrivileges(token, 0, ref TP, 1024, 0, 0);
retval = AdjustTokenPrivileges(token, 0, ref TP2, 1024, 0, 0);
uint regHive = (uint)hive;
this.Hive = hive;
this.SubKey = subKey;
RegLoadKey(regHive, subKey, filePath);
this.IsUnloaded = false;
}
public static RegistryKey OpenSubKey(RegistryHives registryHive, string keyPath)
{
switch (registryHive)
{
case RegistryHives.CLASSES_ROOT:
return(Registry.ClassesRoot.OpenSubKey(keyPath));
case RegistryHives.CURRENT_USER:
return(Registry.CurrentUser.OpenSubKey(keyPath));
case RegistryHives.LOCAL_MACHINE:
return(Registry.LocalMachine.OpenSubKey(keyPath));
case RegistryHives.USERS:
return(Registry.Users.OpenSubKey(keyPath));
case RegistryHives.CURRENT_CONFIG:
return(Registry.CurrentConfig.OpenSubKey(keyPath));
case RegistryHives.PERFORMANCE_DATA:
return(Registry.PerformanceData.OpenSubKey(keyPath));
default:
throw new InvalidOperationException("Invalid Registry Hive Enum");
}
}
public override bool OnUnloaded(bool forceExit)
{
if (!HivesLoaded)
{
// Registry hives not completely loaded, unload them
RegistryHives.Clear();
}
if (IsBusy)
{
MessageBox.Show(Application.Current.MainWindow,
"The Windows Registry is currently being analyzed/compacted. The operation cannot be completed at the moment.",
Utils.ProductName, MessageBoxButton.OK, MessageBoxImage.Error);
return(false);
}
if (CurrentControl is AnalyzeResults)
{
var exit = forceExit ||
MessageBox.Show(Application.Current.MainWindow,
"Analyze results will be reset. Would you like to continue?", Utils.ProductName,
MessageBoxButton.YesNo, MessageBoxImage.Question) == MessageBoxResult.Yes;
if (!exit)
{
return(false);
}
foreach (var h in RegistryHives)
{
h.Reset();
}
return(true);
}
return(true);
}
public RegistryKeyAttribute(RegistryHives Hive, String ValueName)
{
this.Hive = Hive;
this.ValueName = ValueName;
}
public (RegistryHive, IEnumerable <IShellItem>) ImportRegistry(bool parseAllUsers = false, bool useOfflineHive = false, string hiveLocation = null)
{
RegistryImportBegin?.Invoke(this, EventArgs.Empty);
IDictionary <RegistryKeyWrapper, IShellItem> keyShellMappings = new Dictionary <RegistryKeyWrapper, IShellItem>();
IList <IShellItem> parsedItems = new List <IShellItem>();
User user = null;
RegistryHive hive = null;
IEnumerable <RegistryKeyWrapper> registryEnumerator = useOfflineHive ?
GetOfflineRegistryKeyIterator(hiveLocation) :
GetOnlineRegistryKeyIterator(parseAllUsers);
foreach (RegistryKeyWrapper keyWrapper in registryEnumerator)
{
if (keyWrapper.Value != null) // Some Registry Keys are null
{
byte[] buffer = keyWrapper.Value;
int off = 0;
if (user == null)
{
user = Users.FirstOrDefault(
u => u.Name == keyWrapper.RegistryUser && u.SID == keyWrapper.RegistrySID
);
if (user != null)
{
return(null, null);
}
Users.SynchronizationContext?.Send((_) =>
{
user = new User {
Name = keyWrapper.RegistryUser, SID = keyWrapper.RegistrySID
};
Users.Add(user);
}, null);
}
if (hive == null)
{
string name = useOfflineHive ? Path.GetFileName(hiveLocation) : "Live Registry";
string pathname = useOfflineHive ? hiveLocation : "N/A";
hive = RegistryHives.FirstOrDefault(
u => u.Name == name && u.Path == pathname && u.User == user
);
if (hive != null)
{
return(null, null);
}
RegistryHives.SynchronizationContext?.Send((_) =>
{
hive = new RegistryHive {
Name = name, Path = pathname, User = user
};
RegistryHives.Add(hive);
}, null);
Users.SynchronizationContext?.Send((_) =>
{
user.RegistryHives.Add(hive);
}, null);
}
// extract shell items from registry value
while (off + 2 <= buffer.Length && BlockHelper.UnpackWord(buffer, off) != 0)
{
IShellItem parentShellItem = null;
//obtain the parent shellitem from the parent registry key (if it exists)
if (keyWrapper.Parent != null)
{
if (keyShellMappings.TryGetValue(keyWrapper.Parent, out IShellItem pShellItem))
{
parentShellItem = pShellItem;
}
}
byte[] value = buffer.Skip(off).ToArray();
IShellItem shellItem = ShellFactory.Create(hive, keyWrapper, value, parentShellItem);
if (shellItem != null)
{
off += shellItem.Size;
}
else
{
off += BlockHelper.UnpackWord(buffer, off);
// construct a placeholder item if the shellbag cannot be identified
shellItem = new UnknownShellItem()
{
Place = new UnknownPlace()
{
Name = "??",
PathName = parentShellItem != null?Path.Combine(parentShellItem.Place.PathName ?? string.Empty, parentShellItem.Place.Name) : null,
},
RegistryHive = hive,
Value = value,
NodeSlot = keyWrapper.NodeSlot,
SlotModifiedDate = keyWrapper.SlotModifiedDate,
LastRegistryWriteDate = keyWrapper.LastRegistryWriteDate,
Parent = parentShellItem
};
parentShellItem?.Children.Add(shellItem);
}
keyShellMappings.Add(keyWrapper, shellItem);
// add the shell item to the collection
ShellItems.Add(shellItem);
parsedItems.Add(shellItem);
// if the shell item has no parent then it belongs to root
if (shellItem.Parent == null)
{
hive.Items.Add(shellItem);
}
}
}
}
RegistryImportEnd?.Invoke(this, EventArgs.Empty);
return(hive, parsedItems);
}
