public static Timezone Get(string hivePath)
{
ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");
TimeZone tz = TimeZone.CurrentTimeZone;
return(new Timezone(System.Text.Encoding.Unicode.GetString(vk.GetData()), tz.StandardName, tz.DaylightName, tz.IsDaylightSavingTime(DateTime.Now)));
}
public static byte[] Get(string hivePath)
{
if (RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
{
ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\Session Manager\AppCompatCache", "AppCompatCache");
byte[] bytes = vk.GetData();
switch (BitConverter.ToUInt32(bytes, 0x00))
{
// Windows 5.2 and 6.0 (Server 2003, Vista, & Server 2008)
case WINXP_MAGIC:
Console.WriteLine("XP");
break;
case NT5_2_MAGIC:
Console.WriteLine("5.2");
break;
case NT6_1_MAGIC:
Console.WriteLine("6.1");
break;
default:
//Console.WriteLine("Default");
break;
}
return(bytes);
}
else
{
throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static RecentDocs[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string user = RegistryHelper.GetUserHiveOwner(hivePath);
byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
string key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs";
NamedKey RecentDocsKey = NamedKey.Get(bytes, hivePath, @"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs");
ValueKey MRUListEx = ValueKey.Get(bytes, hivePath, key, "MRUListEx");
byte[] MRUListBytes = (byte[])MRUListEx.GetData(bytes);
RecentDocs[] docs = new RecentDocs[MRUListBytes.Length / 4];
for (int i = 0; i < MRUListBytes.Length - 4; i += 4)
{
if (i == 0)
{
docs[i / 4] = new RecentDocs(user, Encoding.Unicode.GetString((byte[])ValueKey.Get(bytes, hivePath, key, BitConverter.ToInt32(MRUListBytes, i).ToString()).GetData(bytes)).Split('\0')[0], RecentDocsKey.WriteTime);
}
else
{
docs[i / 4] = new RecentDocs(user, Encoding.Unicode.GetString((byte[])ValueKey.Get(bytes, hivePath, key, BitConverter.ToInt32(MRUListBytes, i).ToString()).GetData(bytes)).Split('\0')[0]);
}
}
return(docs);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to the -HivePath parameter.");
}
}
public static Shimcache[] GetInstancesByPath(string hivePath)
{
if (RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
{
string Key = @"ControlSet001\Control\Session Manager\AppCompatCache";
ValueKey vk = null;
try
{
vk = ValueKey.Get(hivePath, Key, "AppCompatCache");
}
catch
{
try
{
Key = @"ControlSet001\Control\Session Manager\AppCompatibility";
vk = ValueKey.Get(hivePath, Key, "AppCompatCache");
}
catch
{
throw new Exception("Error finding AppCompatCache registry value");
}
}
byte[] bytes = (byte[])vk.GetData();
string arch = (string)ValueKey.Get(hivePath, @"ControlSet001\Control\Session Manager\Environment", "PROCESSOR_ARCHITECTURE").GetData();
switch (BitConverter.ToUInt32(bytes, 0x00))
{
// Windows XP
case WINXP_MAGIC:
return(GetDEADBEEF(bytes));
// Server 2003, Windows Vista, Server 2008
case NT5dot2_MAGIC:
return(GetBADC0FFE(bytes, arch));
// Windows 7 and Server 2008 R2
case NT6dot1_MAGIC:
return(GetBADC0FEE(bytes, arch));
// Windows 8
// Windows 8.1
case WIN8dot1_MAGIC:
return(Get00000080(bytes));
// Windows 10
case WIN10_MAGIC:
return(Get00000030(bytes));
default:
return(null);
}
}
else
{
throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="user"></param>
/// <param name="vk"></param>
/// <param name="bytes"></param>
private UserAssist(string user, ValueKey vk, byte[] bytes)
{
User = user;
ImagePath = Decode(vk.Name);
byte[] data = (byte[])vk.GetData(bytes);
RunCount = BitConverter.ToUInt32(data, 0x04);
FocusTime = BitConverter.ToUInt32(data, 0x0C);
LastExecutionTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64(data, 0x03C));
}
internal UserAssist(ValueKey vk, byte[] bytes)
{
Path = Decode(vk.Name);
byte[] data = vk.GetData(bytes);
RunCount = BitConverter.ToUInt32(data, 0x04);
FocusTime = BitConverter.ToUInt32(data, 0x0C);
LastExecutionTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64(data, 0x03C));
}
public static SecurityIdentifier Get(string hivePath)
{
if (RegistryHeader.Get(hivePath).HivePath.Contains("SAM"))
{
ValueKey vk = ValueKey.Get(hivePath, @"SAM\Domains\Account", "V");
return(new SecurityIdentifier(vk.GetData(), (int)vk.DataLength - 0x18));
}
else
{
throw new Exception("Invalid SAM hive provided to -HivePath parameter.");
}
}
public static SecurityIdentifier GetByPath(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "SAM"))
{
ValueKey vk = ValueKey.Get(hivePath, @"SAM\Domains\Account", "V");
return(new SecurityIdentifier((byte[])vk.GetData(), (int)vk.DataLength - 0x18));
}
else
{
throw new Exception("Invalid SAM hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static Timezone GetByPath(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "SYSTEM"))
{
ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");
return(new Timezone((string)vk.GetData()));
}
else
{
throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
}
}
public static string GetByPath(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "SAM"))
{
ValueKey vk = ValueKey.Get(hivePath, @"SAM\Domains\Account", "V");
byte[] bytes = (byte[])vk.GetData();
return(Helper.GetSecurityDescriptor(Helper.GetSubArray(bytes, bytes.Length - 0x18, 0x18)));
}
else
{
throw new Exception("Invalid SAM hive provided to -HivePath parameter.");
}
}
public static Timezone Get(string hivePath)
{
if (RegistryHeader.Get(hivePath).HivePath.Contains("SYSTEM"))
{
ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");
TimeZone tz = TimeZone.CurrentTimeZone;
return(new Timezone(System.Text.Encoding.Unicode.GetString(vk.GetData()), tz.StandardName, tz.DaylightName, tz.IsDaylightSavingTime(DateTime.Now)));
}
else
{
throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
}
}
public static Timezone Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "SYSTEM"))
{
ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");
TimeZone tz = TimeZone.CurrentTimeZone;
return(new Timezone((string)vk.GetData(), tz.StandardName, tz.DaylightName, tz.IsDaylightSavingTime(DateTime.Now)));
}
else
{
throw new Exception("Invalid SYSTEM hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static RunMRU[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string user = RegistryHelper.GetUserHiveOwner(hivePath);
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey RunMRUKey = null;
ValueKey MRUList = null;
try
{
RunMRUKey = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
return(null);
}
try
{
MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUList");
}
catch
{
return(null);
}
RunMRU[] RunMRUStrings = new RunMRU[RunMRUKey.NumberOfValues - 1];
byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);
for (int i = 0; i <= MRUListBytes.Length - 4; i += 4)
{
string MRUValue = Encoding.ASCII.GetString(MRUListBytes).TrimEnd('\0');
RunMRUStrings[i / 4] = new RunMRU(user, (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
}
return(RunMRUStrings);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
public static WordWheelQuery[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey nk = null;
try
{
nk = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
return(null);
}
ValueKey MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUListEx");
WordWheelQuery[] dataStrings = new WordWheelQuery[nk.NumberOfValues - 1];
byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);
for (int i = 0; i < MRUListBytes.Length - 4; i += 4)
{
uint MRUValue = BitConverter.ToUInt32(MRUListBytes, i);
string SearchString = null;
try
{
SearchString = (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes);
}
catch
{
SearchString = Encoding.Unicode.GetString((byte[])ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
}
dataStrings[i / 4] = new WordWheelQuery(RegistryHelper.GetUserHiveOwner(hivePath), SearchString);
}
return(dataStrings);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
/// <summary>
///
/// </summary>
/// <param name="hivePath"></param>
/// <returns></returns>
public static LastVisitedMRU[] Get(string hivePath)
{
if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
{
string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU";
byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);
NamedKey nk = null;
try
{
nk = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
try
{
Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU";
nk = NamedKey.Get(bytes, hivePath, Key);
}
catch
{
return(null);
}
}
ValueKey MRUList = ValueKey.Get(bytes, hivePath, Key, "MRUListEx");
LastVisitedMRU[] dataStrings = new LastVisitedMRU[nk.NumberOfValues - 1];
byte[] MRUListBytes = (byte[])MRUList.GetData(bytes);
for (int i = 0; i < MRUListBytes.Length - 4; i += 4)
{
uint MRUValue = BitConverter.ToUInt32(MRUListBytes, i);
dataStrings[i / 4] = new LastVisitedMRU(RegistryHelper.GetUserHiveOwner(hivePath), (string)ValueKey.Get(bytes, hivePath, Key, MRUValue.ToString()).GetData(bytes));
}
return(dataStrings);
}
else
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
/// <summary>
/// The ProcessRecord method calls TimeZone.CurrentTimeZone to return a TimeZone object.
/// </summary>
protected override void ProcessRecord()
{
if (!(this.MyInvocation.BoundParameters.ContainsKey("Path")))
{
hivePath = @"C:\Windows\system32\config\SYSTEM";
}
ValueKey vk = ValueKey.Get(hivePath, @"ControlSet001\Control\TimeZoneInformation", "TimeZoneKeyName");
TimeZone tz = TimeZone.CurrentTimeZone;
WriteObject(new InvokeIR.PowerForensics.Artifacts.Timezone(System.Text.Encoding.Unicode.GetString(vk.GetData()), tz.StandardName, tz.DaylightName, tz.IsDaylightSavingTime(DateTime.Now)));
} // ProcessRecord
private RunKey(string location, ValueKey vk)
{
AutoRunLocation = location;
Name = vk.Name;
ImagePath = (string)vk.GetData();
}
public static SecurityIdentifier Get()
{
ValueKey vk = ValueKey.Get(@"C:\Windows\system32\config\SAM", @"SAM\Domains\Account", "V");
return(new SecurityIdentifier(vk.GetData(), (int)vk.DataLength - 0x18));
}
public static SecurityIdentifier Get(string hivePath)
{
ValueKey vk = ValueKey.Get(hivePath, @"SAM\Domains\Account", "V");
return(new SecurityIdentifier(vk.GetData(), (int)vk.DataLength - 0x18));
}
private TrustRecord(byte[] bytes, string user, ValueKey vk)
{
User = user;
Path = vk.Name;
TrustTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
}
