/// <summary>
/// Inserts one UserAssist row by calling the <c>UserAssist_AddReturnId</c> stored procedure.
/// </summary>
/// <param name="model">Entity whose UserId, ObjId, ObjType, IsDelete and CreateDate are sent as procedure parameters.</param>
/// <returns>The procedure's scalar result converted to <c>int</c>; the original author documents it as the auto-increment ID.</returns>
public int AddReturnId(UserAssist model)
{
    // Every value is bound as a SqlParameter; nothing is concatenated into SQL text here.
    var insertArgs = new SqlParameter[5];
    insertArgs[0] = new SqlParameter("@UserId", model.UserId);
    insertArgs[1] = new SqlParameter("@ObjId", model.ObjId);
    insertArgs[2] = new SqlParameter("@ObjType", model.ObjType);
    insertArgs[3] = new SqlParameter("@IsDelete", model.IsDelete);
    insertArgs[4] = new SqlParameter("@CreateDate", model.CreateDate);

    var scalar = DBHelper.ExecuteScalar("UserAssist_AddReturnId", insertArgs);
    return Convert.ToInt32(scalar);
}
/// <summary>
/// Inserts one UserAssist row by calling the <c>UserAssist_Add</c> stored procedure.
/// </summary>
/// <param name="model">Entity whose UserId, ObjId, ObjType, IsDelete and CreateDate are sent as procedure parameters.</param>
/// <returns>Whatever <c>DBHelper.ExecuteNonQuery</c> reports; the original author documents it as "operation succeeded".</returns>
public bool Add(UserAssist model)
{
    // Every value is bound as a SqlParameter; nothing is concatenated into SQL text here.
    var insertArgs = new SqlParameter[5];
    insertArgs[0] = new SqlParameter("@UserId", model.UserId);
    insertArgs[1] = new SqlParameter("@ObjId", model.ObjId);
    insertArgs[2] = new SqlParameter("@ObjType", model.ObjType);
    insertArgs[3] = new SqlParameter("@IsDelete", model.IsDelete);
    insertArgs[4] = new SqlParameter("@CreateDate", model.CreateDate);

    return DBHelper.ExecuteNonQuery("UserAssist_Add", insertArgs);
}
/// <summary>
/// Data access: runs <c>UserAssist_SelectByWhereAndPage</c> to fetch one page of UserAssist rows
/// filtered by a condition and sorted.
/// </summary>
/// <param name="WhereString">Query condition, forwarded as the <c>@where</c> parameter.</param>
/// <param name="PageIndex">Current page number.</param>
/// <param name="PageSize">Page size (rows per page).</param>
/// <param name="OrderString">Sort condition (documented by the original author as required).</param>
/// <param name="TotalCount">Set from the <c>TotalCount</c> column of the second result set, or 0 when there is none.</param>
/// <returns>The UserAssist entities read from the first result set.</returns>
public List<UserAssist> SelectByWhereAndPage(string WhereString, int PageIndex, int PageSize, string OrderString, out int TotalCount)
{
    // NOTE(review): WhereString and OrderString are SQL fragments handed to the procedure as strings.
    // If the procedure splices them into dynamic SQL (its body is not visible here - confirm),
    // binding them as parameters does not stop SQL injection; callers must build these fragments
    // only from validated, non-user-controlled values.
    SqlParameter[] procArgs =
    {
        new SqlParameter("@where", WhereString),
        new SqlParameter("@pageIndex", PageIndex),
        new SqlParameter("@pageSize", PageSize),
        new SqlParameter("@orderString", OrderString),
        // NOTE(review): assuming System.Data.SqlClient.SqlParameter, this is the (name, value)
        // constructor, so ParameterDirection.Output is sent as the value rather than setting
        // the direction. The total is read from the second result set below instead.
        new SqlParameter("@TotalCount", ParameterDirection.Output)
    };

    var rows = new List<UserAssist>();
    using (SqlDataReader reader = DBHelper.RunProcedure("UserAssist_SelectByWhereAndPage", procArgs))
    {
        while (reader.Read())
        {
            var row = new UserAssist();
            row.AssistId = Convert.ToInt32(reader["AssistId"]);

            // Columns holding DBNull leave the entity's default value untouched.
            object userId = reader["UserId"];
            if (userId != DBNull.Value)
            {
                row.UserId = Convert.ToInt32(userId);
            }

            object objId = reader["ObjId"];
            if (objId != DBNull.Value)
            {
                row.ObjId = Convert.ToInt32(objId);
            }

            object objType = reader["ObjType"];
            if (objType != DBNull.Value)
            {
                row.ObjType = Convert.ToInt32(objType);
            }

            object isDelete = reader["IsDelete"];
            if (isDelete != DBNull.Value)
            {
                row.IsDelete = Convert.ToBoolean(isDelete);
            }

            object createDate = reader["CreateDate"];
            if (createDate != DBNull.Value)
            {
                row.CreateDate = Convert.ToDateTime(createDate);
            }

            rows.Add(row);
        }

        // The row count arrives as a second result set, not as an output parameter.
        bool hasTotal = reader.NextResult() && reader.Read();
        TotalCount = hasTotal ? Convert.ToInt32(reader["TotalCount"]) : 0;
    }

    return rows;
}
/// <summary>
/// Writes UserAssist results to the output, choosing the source by the active parameter set:
/// "ByVolume" reads from <c>volume</c>, "ByPath" reads from <c>hivePath</c>. Any other
/// parameter set writes nothing.
/// </summary>
protected override void ProcessRecord()
{
    string activeSet = ParameterSetName;

    // The second WriteObject argument is true in both branches
    // (presumably "enumerate the collection" on a PowerShell cmdlet - confirm against the base class).
    if (activeSet == "ByVolume")
    {
        WriteObject(UserAssist.GetInstances(volume), true);
    }
    else if (activeSet == "ByPath")
    {
        WriteObject(UserAssist.Get(hivePath), true);
    }
}
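/// <summary>
/// Builds the SQL WHERE fragment used to filter UserAssist rows by creation date.
/// </summary>
/// <param name="param">Filter values; only CreateDate is read. <c>DateTime.MinValue</c> (0001-01-01 00:00:00) means "no date filter".</param>
/// <returns>"where 1=1 ", optionally followed by a CreateDate lower-bound condition.</returns>
public string GetUserAssistParam(UserAssist param)
{
    StringBuilder sb = new StringBuilder();
    sb.Append("where 1=1 ");

    if (!DateTime.MinValue.Equals(param.CreateDate))
    {
        // The date literal is rendered with the invariant culture in ISO 8601 form, so the
        // SQL text no longer changes with the server thread's culture (the default ToString()
        // can emit day/month orderings or calendars the database misreads).
        // NOTE(review): this fragment is later spliced into SQL text by its consumer (not
        // visible here). Only code-formatted values belong in it; any string field added in
        // future must be bound as a parameter instead of being formatted in.
        sb.AppendFormat(
            System.Globalization.CultureInfo.InvariantCulture,
            " and CreateDate >= '{0:yyyy-MM-ddTHH:mm:ss}' ",
            param.CreateDate);
    }

    return sb.ToString();
}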
/// <summary>
/// Builds one combined timeline for a volume by converting the output of each artifact
/// collector (file system, Amcache, Prefetch, scheduled jobs, UserAssist, shell links,
/// USN journal, event log and five registry hives) into ForensicTimeline entries.
/// </summary>
/// <param name="volume">Volume identifier passed unchanged to every collector.</param>
/// <returns>All timeline entries, in collector order, as an array.</returns>
public static ForensicTimeline[] GetInstances(string volume)
{
    var timeline = new List<ForensicTimeline>();
    string volLetter = Helper.GetVolumeLetter(volume);

    // NOTE(review): there is no per-collector error handling here, so an exception from any
    // single source ends the whole run - confirm whether partial timelines are wanted.

    // File System
    timeline.AddRange(ForensicTimeline.GetInstances(FileRecord.GetInstances(volume)));
    // Amcache
    timeline.AddRange(ForensicTimeline.GetInstances(Amcache.GetInstances(volume)));
    // Prefetch
    timeline.AddRange(ForensicTimeline.GetInstances(Prefetch.GetInstances(volume)));
    // ScheduledJob
    timeline.AddRange(ForensicTimeline.GetInstances(ScheduledJob.GetInstances(volume)));
    // UserAssist
    timeline.AddRange(ForensicTimeline.GetInstances(UserAssist.GetInstances(volume)));
    // ShellLink
    timeline.AddRange(ForensicTimeline.GetInstances(ShellLink.GetInstances(volume)));
    // UsnJrnl
    timeline.AddRange(ForensicTimeline.GetInstances(UsnJrnl.GetInstances(volume)));
    // EventLog
    timeline.AddRange(ForensicTimeline.GetInstances(EventRecord.GetInstances(volume)));

    // Registry: the system hives under the volume's config directory, walked recursively.
    string[] hivePaths =
    {
        "\\Windows\\system32\\config\\DRIVERS",
        "\\Windows\\system32\\config\\SAM",
        "\\Windows\\system32\\config\\SECURITY",
        "\\Windows\\system32\\config\\SOFTWARE",
        "\\Windows\\system32\\config\\SYSTEM"
    };
    foreach (string hivePath in hivePaths)
    {
        timeline.AddRange(ForensicTimeline.GetInstances(NamedKey.GetInstancesRecurse(volLetter + hivePath)));
    }

    return timeline.ToArray();
}
/// <summary>
/// Queries UserAssist rows by condition through the <c>UserAssist_SelectByWhere</c> stored procedure.
/// </summary>
/// <param name="WhereString">Query condition, forwarded as the <c>@where</c> parameter.</param>
/// <returns>The UserAssist entities read from the result set (empty when no rows match).</returns>
public List<UserAssist> SelectByWhere(string WhereString)
{
    // NOTE(review): WhereString is a SQL fragment handed to the procedure as a string. If the
    // procedure splices it into dynamic SQL (its body is not visible here - confirm), binding
    // it as a parameter does not stop SQL injection; callers must build the fragment only
    // from validated, non-user-controlled values.
    SqlParameter[] procArgs = { new SqlParameter("@where", WhereString) };

    var rows = new List<UserAssist>();
    using (SqlDataReader reader = DBHelper.RunProcedure("UserAssist_SelectByWhere", procArgs))
    {
        while (reader.Read())
        {
            var row = new UserAssist();
            row.AssistId = Convert.ToInt32(reader["AssistId"]);

            // Columns holding DBNull leave the entity's default value untouched.
            object userId = reader["UserId"];
            if (userId != DBNull.Value)
            {
                row.UserId = Convert.ToInt32(userId);
            }

            object objId = reader["ObjId"];
            if (objId != DBNull.Value)
            {
                row.ObjId = Convert.ToInt32(objId);
            }

            object objType = reader["ObjType"];
            if (objType != DBNull.Value)
            {
                row.ObjType = Convert.ToInt32(objType);
            }

            object isDelete = reader["IsDelete"];
            if (isDelete != DBNull.Value)
            {
                row.IsDelete = Convert.ToBoolean(isDelete);
            }

            object createDate = reader["CreateDate"];
            if (createDate != DBNull.Value)
            {
                row.CreateDate = Convert.ToDateTime(createDate);
            }

            rows.Add(row);
        }
    }

    return rows;
}
/// <summary>
/// Looks up a single UserAssist row by primary key through the <c>UserAssist_SelectById</c> stored procedure.
/// </summary>
/// <param name="Id">Primary key, bound as <c>@AssistId</c>.</param>
/// <returns>
/// The populated entity, or a freshly constructed (never null) UserAssist when the procedure returns no row.
/// </returns>
public UserAssist SelectById(int Id)
{
    SqlParameter[] procArgs = { new SqlParameter("@AssistId", Id) };

    // Created up front so that "no row" yields a default entity instead of null.
    var found = new UserAssist();
    using (SqlDataReader reader = DBHelper.RunProcedure("UserAssist_SelectById", procArgs))
    {
        if (!reader.Read())
        {
            return found;
        }

        found.AssistId = Convert.ToInt32(reader["AssistId"]);

        // Columns holding DBNull leave the entity's default value untouched.
        object userId = reader["UserId"];
        if (userId != DBNull.Value)
        {
            found.UserId = Convert.ToInt32(userId);
        }

        object objId = reader["ObjId"];
        if (objId != DBNull.Value)
        {
            found.ObjId = Convert.ToInt32(objId);
        }

        object objType = reader["ObjType"];
        if (objType != DBNull.Value)
        {
            found.ObjType = Convert.ToInt32(objType);
        }

        object isDelete = reader["IsDelete"];
        if (isDelete != DBNull.Value)
        {
            found.IsDelete = Convert.ToBoolean(isDelete);
        }

        object createDate = reader["CreateDate"];
        if (createDate != DBNull.Value)
        {
            found.CreateDate = Convert.ToDateTime(createDate);
        }
    }

    return found;
}
/// <summary>
/// Runs the UserAssist plugin over the Count key of a sample NTUSER hive and checks the
/// number of parsed values, the absence of errors and the fields of the second entry.
/// </summary>
public void BlakeUserAssist()
{
    var plugin = new UserAssist();

    // NOTE(review): absolute path to a hive on the author's machine; the test can only run
    // where this file exists. A real user's NTUSER.DAT holds activity history, so confirm
    // the sample is cleared for sharing before adding it to a repository.
    var hive = new RegistryHive(@"D:\SynologyDrive\Registry\NTUSER_dblake.DAT");
    hive.ParseHive();

    var countKey = hive.GetKey(@"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count");

    // Nothing is parsed until ProcessValues is called.
    Check.That(plugin.Values.Count).IsEqualTo(0);

    plugin.ProcessValues(countKey);

    Check.That(plugin.Values.Count).IsEqualTo(205);
    Check.That(plugin.Errors.Count).IsEqualTo(0);

    // Spot-check the entry at index 1.
    var entry = (RegistryPlugin.UserAssist.ValuesOut)plugin.Values[1];
    Check.That(entry.RunCounter).IsEqualTo(0);
    Check.That(entry.ProgramName).IsEqualTo("Microsoft.Windows.Explorer");
    Check.That(entry.FocusCount).IsEqualTo(619);
    Check.That(entry.FocusTime).IsEqualTo("0d, 3h, 46m, 24s");
}
/// <summary>
/// Returns every UserAssist row produced by the <c>UserAssist_SelectAll</c> stored procedure.
/// </summary>
/// <returns>The UserAssist entities read from the result set (empty when there are no rows).</returns>
public List<UserAssist> SelectAll()
{
    var rows = new List<UserAssist>();

    // The procedure takes no parameters, hence the null argument list.
    using (SqlDataReader reader = DBHelper.RunProcedure("UserAssist_SelectAll", null))
    {
        while (reader.Read())
        {
            var row = new UserAssist();
            row.AssistId = Convert.ToInt32(reader["AssistId"]);

            // Columns holding DBNull leave the entity's default value untouched.
            object userId = reader["UserId"];
            if (userId != DBNull.Value)
            {
                row.UserId = Convert.ToInt32(userId);
            }

            object objId = reader["ObjId"];
            if (objId != DBNull.Value)
            {
                row.ObjId = Convert.ToInt32(objId);
            }

            object objType = reader["ObjType"];
            if (objType != DBNull.Value)
            {
                row.ObjType = Convert.ToInt32(objType);
            }

            object isDelete = reader["IsDelete"];
            if (isDelete != DBNull.Value)
            {
                row.IsDelete = Convert.ToBoolean(isDelete);
            }

            object createDate = reader["CreateDate"];
            if (createDate != DBNull.Value)
            {
                row.CreateDate = Convert.ToDateTime(createDate);
            }

            rows.Add(row);
        }
    }

    return rows;
}
/// <summary>
/// Modifies a UserAssist record by delegating to the data-access object.
/// </summary>
/// <param name="model">UserAssist entity carrying the values to store.</param>
/// <returns>The result of <c>dal.Change</c>; the original author documents it as "operation succeeded".</returns>
public bool Change(UserAssist model)
{
    // Pure pass-through: no validation or authorization happens at this layer.
    bool changed = dal.Change(model);
    return changed;
}
/// <summary>
/// Adds a UserAssist record by delegating to the data-access object.
/// </summary>
/// <param name="model">UserAssist entity to insert.</param>
/// <returns>The result of <c>dal.AddReturnId</c>; the original author documents it as the auto-increment ID.</returns>
public int AddReturnId(UserAssist model)
{
    // Pure pass-through: no validation or authorization happens at this layer.
    int newId = dal.AddReturnId(model);
    return newId;
}
/// <summary>
/// Adds a UserAssist record by delegating to the data-access object.
/// </summary>
/// <param name="model">UserAssist entity to insert.</param>
/// <returns>The result of <c>dal.Add</c>; the original author documents it as "operation succeeded".</returns>
public bool Add(UserAssist model)
{
    // Pure pass-through: no validation or authorization happens at this layer.
    bool added = dal.Add(model);
    return added;
}
/// <summary>
/// Writes the UserAssist entries obtained from <c>hivePath</c> to the output.
/// </summary>
protected override void ProcessRecord()
{
    var entries = UserAssist.GetInstances(hivePath);

    // Second argument is true (presumably "enumerate the collection" on a PowerShell
    // cmdlet - confirm against the base class).
    WriteObject(entries, true);
}
/// <summary>
/// Converts one UserAssist entry into a ForensicTimeline entry.
/// </summary>
/// <param name="input">UserAssist entry supplying the last execution time (UTC), the image path and its string form.</param>
/// <returns>
/// A ForensicTimeline built from <c>input.LastExecutionTimeUtc</c>, the literals "MACB" and
/// "USERASSIST", an empty string, <c>input.ImagePath</c> and <c>input.ToString()</c>, in that order.
/// </returns>
public static ForensicTimeline Get(UserAssist input)
{
    // NOTE(review): "MACB" presumably marks which timestamp kinds this single time stands
    // for - confirm against the ForensicTimeline constructor.
    ForensicTimeline entry = new ForensicTimeline(
        input.LastExecutionTimeUtc,
        "MACB",
        "USERASSIST",
        "",
        input.ImagePath,
        input.ToString());

    return entry;
}