internal static string[] GetUserHiveInstances(string volume)
{
List <string> userHiveList = new List <string>();
IndexEntry[] entries = null;
try
{
entries = IndexEntry.GetInstances(Helper.GetVolumeLetter(volume) + @"\Users");
}
catch
{
try
{
entries = IndexEntry.GetInstances(Helper.GetVolumeLetter(volume) + @"\Documents and Settings");
}
catch
{
throw new Exception("Could not locate User Registry Hives.");
}
}
foreach (IndexEntry e in entries)
{
try
{
userHiveList.Add(IndexEntry.Get(e.FullName + @"\NTUSER.DAT").FullName);
}
catch
{
}
}
return(userHiveList.ToArray());
}
/// <summary>
/// The ProcessRecord method calls ManagementClass.GetInstances()
/// method to iterate through each BindingObject on each system specified.
/// </summary>
protected override void ProcessRecord()
{
// Determine Volume Name
string volume = @"\\.\" + path.Split('\\')[0];
int indexNumber = 0;
if (ParameterSetName == "Path")
{
IndexEntry indexEntry = IndexEntry.Get(path);
indexNumber = (int)indexEntry.RecordNumber;
}
else
{
indexNumber = index;
}
FileRecord record = FileRecord.Get(volume, indexNumber, true);
byte[] fileBytes = record.GetBytes();
// Open file for writing
FileStream streamToWrite = new FileStream(destination, System.IO.FileMode.Create, System.IO.FileAccess.Write);
// Writes a block of bytes to this stream using data from a byte array.
streamToWrite.Write(fileBytes, 0, fileBytes.Length);
// Close file stream
streamToWrite.Close();
}
public static HiveBinHeader[] GetInstances(string path)
{
// Get bytes for the specific record
string volume = "\\\\.\\" + path.Split('\\')[0];
IndexEntry entry = IndexEntry.Get(path);
FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume);
byte[] bytes = record.GetBytes();
// Registry Header
RegistryHeader header = new RegistryHeader(NativeMethods.GetSubArray(bytes, 0x00, 0x200));
// Hive Bin Headers
HiveBinHeader[] headerArray = new HiveBinHeader[header.HiveBinsDataSize / 0x1000];
byte[] hbinHeaderBytes = new byte[0x20];
uint i = 0x1000;
while (i < header.HiveBinsDataSize + 0x1000)
{
HiveBinHeader hbinHeader = new HiveBinHeader(NativeMethods.GetSubArray(bytes, i, 0x20));
headerArray[((i / 0x1000) - 1)] = hbinHeader;
i += hbinHeader.hBinSize;
}
return(headerArray);
}
internal static ScheduledJob Get(string path)
{
string volume = "\\\\.\\" + path.Split('\\')[0];
IndexEntry index = IndexEntry.Get(path);
FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)index.RecordNumber), volume, true);
return(new ScheduledJob(record.GetBytes()));
}
public static byte[] GetHiveBytes(string path)
{
// Get bytes for the specific record
string volume = "\\\\.\\" + path.Split('\\')[0];
IndexEntry entry = IndexEntry.Get(path);
FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume, true);
return(record.GetBytes());
}
public static byte[] GetBytes(string path)
{
// Get bytes for the specific record
string volume = "\\\\.\\" + path.Split('\\')[0];
IndexEntry entry = IndexEntry.Get(path);
FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume);
byte[] bytes = record.GetBytes();
// Registry Header
return(NativeMethods.GetSubArray(bytes, 0x00, 0x200));
}
protected override void ProcessRecord()
{
if (ParameterSetName == "Path")
{
IndexEntry entry = IndexEntry.Get(filePath);
FileRecord record = new FileRecord(FileRecord.GetRecordBytes(volume, (int)entry.RecordNumber), volume);
if (record.Attribute != null)
{
foreach (Attr attr in record.Attribute)
{
if (attr.Name == Attr.ATTR_TYPE.DATA)
{
//if (attr.NameString != "")
if (attr.NameString.Length > 0)
{
WriteObject(new AlternateDataStream(record.FullName, record.Name, attr.NameString));
}
}
}
}
}
else
{
FileRecord[] records = FileRecord.GetInstances(volume);
foreach (FileRecord record in records)
{
if (record.Attribute != null)
{
foreach (Attr attr in record.Attribute)
{
if (attr.Name == Attr.ATTR_TYPE.DATA)
{
//if (attr.NameString != "")
if (attr.NameString.Length > 0)
{
WriteObject(new AlternateDataStream(record.FullName, record.Name, attr.NameString));
}
}
}
}
}
}
} // ProcessRecord
public static Prefetch Get(string filePath)
{
// Get volume path from filePath
string volume = @"\\.\" + filePath.Split('\\')[0];
// Get a handle to the volume
IntPtr hVolume = NativeMethods.getHandle(volume);
// Get MFT Index for specified file
int index = (int)(IndexEntry.Get(filePath)).RecordNumber;
// Get bytes for specific Prefetch file
byte[] fileBytes = new FileRecord(FileRecord.GetRecordBytes(volume, index), volume, true).GetBytes();
try
{
// Return a Prefetch object for the Prefetch file stored at filePath
return(new Prefetch(fileBytes));
}
catch
{
throw new Exception("Error parsing Prefetch file");
}
}
/// <summary>
///
/// </summary>
protected override void ProcessRecord()
{
WriteObject(IndexEntry.Get(path).RecordNumber);
}
protected override void ProcessRecord()
{
int indexNo = 0;
byte[] contentArray = null;
#region Encoding
System.Text.Encoding contentEncoding = System.Text.Encoding.Default;
bool asBytes = false;
if (this.MyInvocation.BoundParameters.ContainsKey("Encoding"))
{
if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Ascii)
{
contentEncoding = System.Text.Encoding.ASCII;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.BigEndianUnicode)
{
contentEncoding = System.Text.Encoding.BigEndianUnicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Byte)
{
asBytes = true;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.String)
{
contentEncoding = System.Text.Encoding.Unicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unicode)
{
contentEncoding = System.Text.Encoding.Unicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unknown)
{
asBytes = true;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF7)
{
contentEncoding = System.Text.Encoding.UTF7;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF8)
{
contentEncoding = System.Text.Encoding.UTF8;
}
}
#endregion Encoding
if (this.MyInvocation.BoundParameters.ContainsKey("Path"))
{
string volLetter = filePath.Split('\\')[0];
string volume = @"\\.\" + volLetter;
indexNo = (int)IndexEntry.Get(filePath).RecordNumber;
contentArray = new FileRecord(FileRecord.GetRecordBytes(volume, indexNo), volume, true).GetBytes();
}
else if (this.MyInvocation.BoundParameters.ContainsKey("IndexNumber"))
{
NativeMethods.getVolumeName(ref volume);
contentArray = new FileRecord(FileRecord.GetRecordBytes(volume, index), volume, true).GetBytes();
}
if (asBytes)
{
WriteObject(contentArray);
}
else
{
string[] outputArray = contentEncoding.GetString(contentArray).Split('\n');
if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount") && this.MyInvocation.BoundParameters.ContainsKey("Tail"))
{
throw new InvalidOperationException("The parameters TotalCount and Tail cannot be used together. Please specify only one parameter.");
}
else if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount"))
{
for (int i = 0; (i < totalCount) && (i < outputArray.Length); i++)
{
WriteObject(outputArray[i]);
}
}
else if (this.MyInvocation.BoundParameters.ContainsKey("Tail"))
{
for (long i = tail; (i > 0); i--)
{
if (i > outputArray.Length)
{
i = outputArray.Length;
}
WriteObject(outputArray[outputArray.Length - i]);
}
}
else
{
WriteObject(outputArray);
}
}
} // ProcessRecord