private static UInt32 GetHiveValueFromString(RegHive RegistryHive) { //HKEY_CLASSES_ROOT = 2147483648 or 0x80000000 //HKEY_CURRENT_USER = 2147483649 or 0x80000001 //HKEY_LOCAL_MACHINE = 2147483650 or 0x80000002 //HKEY_USERS = 2147483651 or 0x80000003 //HKEY_CURRENT_CONFIG = 2147483653 or 0x80000005 UInt32 TmpRegHive = 0; if (RegistryHive == RegHive.CLASSES_ROOT) { TmpRegHive = 2147483648; } else if (RegistryHive == RegHive.CURRENT_USER) { TmpRegHive = 2147483649; } else if (RegistryHive == RegHive.LOCAL_MACHINE) { TmpRegHive = 2147483650; } else if (RegistryHive == RegHive.USERS) { TmpRegHive = 2147483651; } else if (RegistryHive == RegHive.CURRENT_CONFIG) { TmpRegHive = 2147483653; } return(TmpRegHive); }
public static RegType GetValueType(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName) { ManagementBaseObject inParams = mc.GetMethodParameters("EnumValues"); inParams["hDefKey"] = hDefKey; inParams["sSubKeyName"] = sSubKeyName; ManagementBaseObject outParams = mc.InvokeMethod("EnumValues", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { string[] sNames = outParams["sNames"] as String[]; int[] iTypes = outParams["Types"] as int[]; for (int i = 0; i < sNames.Length; i++) { if (sNames[i] == sValueName) { return((RegType)iTypes[i]); } } // value not found } else { // EnumValues call failed } }
private CimMethodParametersCollection SetRegParameters(RegHive RegistryHive, RegistryMethods RegMethod, string SubKeyPath, string AttributeName = "", string Value = "") { string StrRegMethod = Enum.GetName(typeof(RegistryMethods), RegMethod); CimMethodParametersCollection CimParams = GetParametersForMethod(RegistryNameSpace, RegistryClassName, StrRegMethod); CimParams["hDefKey"].Value = GetHiveValueFromString(RegistryHive); CimParams["sSubKeyName"].Value = SubKeyPath; if (StrRegMethod != "CreateKey" && StrRegMethod != "DeletKey" && StrRegMethod != "EnumKey" && StrRegMethod != "EnumValues" && StrRegMethod != "GetSecurityDescriptor") { if (StrRegMethod != "CheckAccess" && StrRegMethod != "SetSecurityDescriptor") { CimParams["sValueName"].Value = AttributeName; if (StrRegMethod == "SetStringValue" || StrRegMethod == "SetMultiStringValue" || StrRegMethod == "SetExpandedStringValue") { CimParams["sValue"].Value = Value; } else if (StrRegMethod == "SetDWORDValue" || StrRegMethod == "SetQWORDValue" || StrRegMethod == "SetBinaryValue") { CimParams["uValue"].Value = Value; } } else if (StrRegMethod == "CheckAccess") { CimParams["uRequired"].Value = Value; } else if (StrRegMethod == "SetSecurityDescriptor") { CimParams["Descriptor"].Value = Value; } } return(CimParams); }
internal RegistryNode(RegistryBase registry, RegHive hive) { Hive = hive; Key = string.Empty; Registry = registry; Children = new LinkedList <RegistryNode>(); _searchElements.Add(this); }
private static int Add_HKCR_Features() { int cnt = 0; /****************************************************************************************************/ //HKEY_CLASSES_ROOT\Installer\Features /****************************************************************************************************/ //HKEY_CLASSES_ROOT\Installer\Features\0040152C8855F3932AB75A480ABAB749 string sub = "Features"; Controller.UpdateProgress(@"Analyzing HKEY_CLASSES_ROOT\Installer\" + sub + "...", true); //RegHive reghive = new RegHive(@"HKEY_CLASSES_ROOT\Installer\" + sub); RegHive reghive = Controller.regHives[@"HKEY_CLASSES_ROOT\Installer\Features"]; //its subkeys are compressed product codes foreach (string key in reghive.subKeys) { string reg = String.Format(@"HKEY_CLASSES_ROOT\Installer\" + sub + @"\{0}", key); // Controller.UpdateProgress("Comparing " + reg); //for Features, use compressedProductCodes if (foundCompressedProductCodes.Contains(key) || sumSQLProduct.compressedProductCodes.Contains(key)) { if (!Controller.sqlRegKeys.ContainsKey(reg)) { string comment = "Product code from MSI package:" + key; if (sumSQLProduct.productCodeToName.ContainsKey(key)) { comment = sumSQLProduct.productCodeToName[key]; } Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Installer_ProductCode, key, comment, true) ); cnt++; } if (!foundCompressedProductCodes.Contains(key)) { foundCompressedProductCodes.Add(key); } } } Controller.UpdateProgress("Add_HKCR_Features keys:" + cnt, true); return(cnt); }
/// <summary> /// Initiiazles a new RegistryNode /// </summary> /// <param name="view"></param> /// <param name="hive"></param> public RegistryNode(RegView view, RegHive hive) { Hive = hive; Key = string.Empty; if (view == RegView.x64) { Registry = new Registry64(); } else { Registry = new Registry32(); } Children = new LinkedList <RegistryNode>(); _searchElements.Add(this); }
private static int Add_HKCR_Dependencies() { int cnt = 0; /****************************************************************************************************/ //HKEY_CLASSES_ROOT\Installer\Dependencies /****************************************************************************************************/ string sub = "Dependencies"; //HKEY_CLASSES_ROOT\Installer\Dependencies\{070C38AC-05CE-43DF-9A20-141332F6AB2B} //hive_HKCR_Installer_Dependencies Controller.UpdateProgress(@"Analyzing HKEY_CLASSES_ROOT\Installer\" + sub + "...", true); //RegHive reghive = new RegHive(@"HKEY_CLASSES_ROOT\Installer\" + sub + ""); RegHive reghive = Controller.regHives[@"HKEY_CLASSES_ROOT\Installer\Dependencies"]; //its subkeys are product codes foreach (string key in reghive.subKeys) { string reg = String.Format(@"HKEY_CLASSES_ROOT\Installer\" + sub + @"\{0}", key); // Controller.UpdateProgress("Comparing " + reg); if (sumSQLProduct.productCodes.Contains(key)) { string compKey = Utility.ConvertGUID2CompressedRegistryStyle(key); string comment = "Product code from MSI package:" + key; if (sumSQLProduct.productCodeToName.ContainsKey(compKey)) { comment = sumSQLProduct.productCodeToName[compKey]; } if (!Controller.sqlRegKeys.ContainsKey(reg)) { Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Installer_ProductCode, compKey, comment, false)); cnt++; } if (!foundCompressedProductCodes.Contains(compKey)) { foundCompressedProductCodes.Add(compKey); } } } Controller.UpdateProgress("Add_HKCR_Dependencies keys:" + cnt, true); return(cnt); }
private static RegType GetValueType(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName) { ManagementBaseObject inParams = mc.GetMethodParameters("EnumValues"); inParams["hDefKey"] = hDefKey; inParams["sSubKeyName"] = sSubKeyName; ManagementNamedValueCollection objCtx = new ManagementNamedValueCollection(); objCtx.Add("__ProviderArchitecture", 64); objCtx.Add("__RequiredArchitecture", true); InvokeMethodOptions invokeOptions = new InvokeMethodOptions(); invokeOptions.Context = objCtx; ManagementBaseObject outParams = mc.InvokeMethod("EnumValues", inParams, invokeOptions); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { string[] sNames = outParams["sNames"] as String[]; int[] iTypes = outParams["Types"] as int[]; for (int i = 0; i < sNames.Length; i++) { if (sNames[i] == sValueName) { return((RegType)iTypes[i]); } } return(0); } else { return(0); } return(0); }
private static int Add_HKCR_UpgradeCodes() { int cnt = 0; /****************************************************************************************************/ //HKEY_CLASSES_ROOT\Installer\UpgradeCodes /****************************************************************************************************/ //HKEY_CLASSES_ROOT\Installer\UpgradeCodes\018E681CDBF373D3CA372AA3D490C521 string sub = "UpgradeCodes"; Controller.UpdateProgress(@"Analyzing HKEY_CLASSES_ROOT\Installer\" + sub + "...", true); //RegHive reghive = new RegHive(@"HKEY_CLASSES_ROOT\Installer\" + sub); RegHive reghive = Controller.regHives[@"HKEY_CLASSES_ROOT\Installer\UpgradeCodes"]; //first, check upgrade code foreach (string key in reghive.subKeys) { string reg = String.Format(@"HKEY_CLASSES_ROOT\Installer\" + sub + @"\{0}", key); // Controller.UpdateProgress("Comparing " + reg); if (sumSQLProduct.compressedUpgradeCodes.Contains(key)) { string comment = "Upgrade Code:" + key; if (sumSQLProduct.upgradeCodeToName.ContainsKey(key)) { comment = sumSQLProduct.upgradeCodeToName[key]; } if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Installer_UpgradeCode, key, comment, true)); } if (!foundCompressedUpradeCodes.Contains(key)) { foundCompressedUpradeCodes.Add(key); } if (!sumSQLProduct.upgradeCodeToName.ContainsKey(key)) { sumSQLProduct.upgradeCodeToName.Add(key, comment); } RegKey rk = new RegKey(reg, ""); foreach (RegProperty rp in rk.RegProperties) { if (rp.Name.Length == 32) { if (!foundCompressedProductCodes.Contains(rp.Name)) { foundCompressedProductCodes.Add(rp.Name); } if (!sumSQLProduct.productCodeToName.ContainsKey(rp.Name)) { sumSQLProduct.productCodeToName.Add(rp.Name, comment); } } } } } //second,check product code under the key //HKEY_CLASSES_ROOT\Installer\UpgradeCodes\0158E79888DB55D45B27961CE0F2428C->will store product code under this key foreach (RegKey rk in reghive.regKeys) { bool found = false; foreach (RegProperty rp in rk.RegProperties) { //If any name matches product code if (foundCompressedProductCodes.Contains(rp.Name) || sumSQLProduct.compressedProductCodes.Contains(rp.Name)) { string comment = "Product code:" + rp.Name; if (sumSQLProduct.productCodeToName.ContainsKey(rp.Name)) { comment = sumSQLProduct.productCodeToName[rp.Name]; } if (!Controller.sqlRegKeys.ContainsKey(rk.Path)) { cnt++; Controller.sqlRegKeys.Add(rk.Path, new Reason(SourceType.Installer_ProductCode, rp.Name, comment, true)); } if (!foundCompressedProductCodes.Contains(rp.Name)) { foundCompressedProductCodes.Add(rp.Name); } if (!sumSQLProduct.productCodeToName.ContainsKey(rp.Name)) { sumSQLProduct.productCodeToName.Add(rp.Name, comment); } found = true; } if (found) { break; } } //foreach } //forach Controller.UpdateProgress("Add_HKCR_UpgradeCodes keys:" + cnt, true); return(cnt); }
} //Add private static int Add_HKCR_Products() { int cnt = 0; /****************************************************************************************************/ //HKEY_CLASSES_ROOT\Installer\Products /****************************************************************************************************/ //HKEY_CLASSES_ROOT\Installer\Products\FCB7990CA27B16A4B88236108DBC3510\SourceList string sub = "Products"; Controller.UpdateProgress(@"Analyzing HKEY_CLASSES_ROOT\Installer\" + sub + "...", true); subKey sk = new subKey("SourceList", "PackageName"); // RegHive reghive = new RegHive(@"HKEY_CLASSES_ROOT\Installer\" + sub, sk); RegHive reghive = Controller.regHives[@"HKEY_CLASSES_ROOT\Installer\Products"]; //first, check product code foreach (string key in reghive.subKeys) { string reg = String.Format(@"HKEY_CLASSES_ROOT\Installer\" + sub + @"\{0}", key); // Controller.UpdateProgress("Comparing " + reg); string comment = "Product code:" + key; if (sumSQLProduct.productCodeToName.ContainsKey(key)) { comment = sumSQLProduct.productCodeToName[key]; } if (foundCompressedProductCodes.Contains(key) || sumSQLProduct.compressedProductCodes.Contains(key) ) { if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Installer_ProductCode, key, comment, true)); } if (!foundCompressedProductCodes.Contains(key)) { foundCompressedProductCodes.Add(key); } //Need to add patch information string pKey = reg + "\\Patches"; if (RegHelper.IsKeyExist(pKey)) { RegKey rk = new RegKey(pKey, ""); if (rk.Properties.ContainsKey("Patches")) { string[] patches = rk.Properties["Patches"][1].Split(new string[] { "\n" }, StringSplitOptions.RemoveEmptyEntries); foreach (string s in patches) { if (!foundCompressedPatchCode.Contains(s.Trim())) { foundCompressedPatchCode.Add(s.Trim()); } if (!sumSQLProduct.patchCodeToName.ContainsKey(s.Trim())) { sumSQLProduct.patchCodeToName.Add(s.Trim(), comment); } } } } } //match } //second, check package name to add more foreach (KeyValuePair <string, List <string> > kv in reghive.propertyMap) { //Just check *.msi, since we don't ship xml about patch. if (sumSQLProduct.packageNames.Contains(Path.GetFileName(kv.Key).ToLower())) { foreach (string path in kv.Value) { string comment = "Package name matches:" + kv.Key; string name1 = Path.GetFileName(kv.Key).ToLower(); if (sumSQLProduct.packageToName.ContainsKey(name1)) { comment = sumSQLProduct.packageToName[name1]; } if (!Controller.sqlRegKeys.ContainsKey(path)) { cnt++; Controller.sqlRegKeys.Add(path, new Reason(SourceType.FromMSI_PackageName, kv.Key, comment, true)); } int start = path.IndexOf("Products\\") + "Products\\".Length; string code = path.Substring(start, 32); if (!foundCompressedProductCodes.Contains(code)) { foundCompressedProductCodes.Add(code); } if (!sumSQLProduct.productCodeToName.ContainsKey(code)) { sumSQLProduct.productCodeToName.Add(code, comment); } //Need to add patch information string pKey = path + "\\Patches"; if (RegHelper.IsKeyExist(pKey)) { RegKey rk = new RegKey(pKey, ""); if (rk.Properties.ContainsKey("Patches")) { string[] patches = rk.Properties["Patches"][1].Split(new string[] { "\n" }, StringSplitOptions.RemoveEmptyEntries); foreach (string s in patches) { if (!foundCompressedPatchCode.Contains(s.Trim())) { foundCompressedPatchCode.Add(s.Trim()); } if (!sumSQLProduct.patchCodeToName.ContainsKey(s.Trim())) { sumSQLProduct.patchCodeToName.Add(s.Trim(), comment); } } } } } } //match } //third, scan package code to see if any matches...could hit less foreach (RegKey rk in reghive.regKeys) { if (rk.Properties.ContainsKey("PackageCode")) { string pcode = rk.Properties["PackageCode"][1]; if (sumSQLProduct.compressedPackageCodes.Contains(pcode)) { string comment = "Package Code:" + pcode; if (sumSQLProduct.packageCodeToName.ContainsKey(pcode)) { comment = sumSQLProduct.packageCodeToName[pcode]; } if (!Controller.sqlRegKeys.ContainsKey(rk.Path)) { cnt++; Controller.sqlRegKeys.Add(rk.Path, new Reason(SourceType.FromMSI_PackageCode, pcode, comment, true)); } int start = rk.Path.IndexOf("Products\\") + "Products\\".Length; string code = rk.Path.Substring(start, 32); if (!foundCompressedProductCodes.Contains(code)) { foundCompressedProductCodes.Add(code); } if (!sumSQLProduct.productCodeToName.ContainsKey(code)) { sumSQLProduct.productCodeToName.Add(code, comment); } //Need to add patch information string pKey = rk.Path + "\\Patches"; if (RegHelper.IsKeyExist(pKey)) { RegKey prk = new RegKey(pKey, ""); if (prk.Properties.ContainsKey("Patches")) { string[] patches = prk.Properties["Patches"][1].Split(new string[] { "\n" }, StringSplitOptions.RemoveEmptyEntries); foreach (string s in patches) { if (!foundCompressedPatchCode.Contains(s.Trim())) { foundCompressedPatchCode.Add(s.Trim()); } if (!sumSQLProduct.patchCodeToName.ContainsKey(s.Trim())) { sumSQLProduct.patchCodeToName.Add(s.Trim(), comment); } } } } } } }//foreach Controller.UpdateProgress("Add_HKCR_Products keys:" + cnt, true); return(cnt); }
public static object GetValue(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName) { RegType rType = GetValueType(mc, hDefKey, sSubKeyName, sValueName); ManagementBaseObject inParams = mc.GetMethodParameters("GetStringValue"); inParams["hDefKey"] = hDefKey; inParams["sSubKeyName"] = sSubKeyName; inParams["sValueName"] = sValueName; object oValue = null; switch (rType) { case RegType.REG_SZ: ManagementBaseObject outParams = mc.InvokeMethod("GetStringValue", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { oValue = outParams["sValue"]; } else { // GetStringValue call failed } break; case RegType.REG_EXPAND_SZ: outParams = mc.InvokeMethod("GetExpandedStringValue", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { oValue = outParams["sValue"]; } else { // GetExpandedStringValue call failed } break; case RegType.REG_MULTI_SZ: outParams = mc.InvokeMethod("GetMultiStringValue", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { oValue = outParams["sValue"]; } else { // GetMultiStringValue call failed } break; case RegType.REG_DWORD: outParams = mc.InvokeMethod("GetDWORDValue", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { oValue = outParams["uValue"]; } else { // GetDWORDValue call failed } break; case RegType.REG_BINARY: outParams = mc.InvokeMethod("GetBinaryValue", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { oValue = outParams["uValue"] as byte[]; } else { // GetBinaryValue call failed } break; } return oValue; }
public static RegType GetValueType(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName) { ManagementBaseObject inParams = mc.GetMethodParameters("EnumValues"); inParams["hDefKey"] = hDefKey; inParams["sSubKeyName"] = sSubKeyName; ManagementBaseObject outParams = mc.InvokeMethod("EnumValues", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { string[] sNames = outParams["sNames"] as String[]; int[] iTypes = outParams["Types"] as int[]; for (int i = 0; i < sNames.Length; i++) { if (sNames[i] == sValueName) { return (RegType)iTypes[i]; } } return new RegType(); } else { // EnumValues call failed return new RegType(); } }
public static void Add() { var sumSQLProduct = Controller.sumSQLProduct; HashSet <string> foundCLSID = new HashSet <string>(); HashSet <string> foundTypeLib = new HashSet <string>(); HashSet <string> foundProgID = new HashSet <string>(); string[] hives = new string[] { "HKEY_CLASSES_ROOT", "HKEY_CLASSES_ROOT\\Wow6432Node" }; foreach (string hiveRoot in hives) { /*******************************************************************/ /* * HKEY_CLASSES_ROOT\CLSID */ /*******************************************************************/ int cnt = 0; subKey sbk = new subKey("InProcServer32", ""); Controller.UpdateProgress(@"Scanning " + hiveRoot, true); //RegHive reghive = new RegHive(hiveRoot + @"\CLSID", sbk); RegHive reghive = Controller.regHives[hiveRoot + @"\CLSID"]; Logger.LogMsg("reghive.propertyMap:" + reghive.propertyMap.Count); foreach (KeyValuePair <string, List <string> > kv in reghive.propertyMap) { //Ignore those like:C:\Program Files\Common Files\Microsoft Shared\VS7Debug\pdm.dll if (kv.Key.ToLower().Contains("microsoft shared")) { continue; } // foreach (SQLProduct sql in sqlProducts) { try { if (sumSQLProduct.files_EXE_DLL.Contains(Path.GetFileName(kv.Key).ToLower())) { foreach (string path in kv.Value) { if (!Controller.sqlRegKeys.ContainsKey(path)) { cnt++; Controller.sqlRegKeys.Add(path, new Reason(SourceType.FromMSI_File, kv.Key)); } //HKEY_CLASSES_ROOT\CLSID\{FE2D84B0-BBD5-4EC6-9A74-EE1C55148D78}\TypeLib string typeLibKey = path + "\\TypeLib"; if (RegHelper.IsKeyExist(typeLibKey)) { RegKey rk = new RegKey(typeLibKey, ""); if (rk.Properties.ContainsKey("(Default)")) { if (!foundTypeLib.Contains(rk.Properties["(Default)"][1].ToString())) { foundTypeLib.Add(rk.Properties["(Default)"][1].ToString()); } } } //HKEY_CLASSES_ROOT\CLSID\{02E7E69E-E80A-48E3-8B1D-6448C25B1710}\ProgID string progIDKey = path + "\\ProgID"; if (RegHelper.IsKeyExist(progIDKey)) { RegKey rk = new RegKey(progIDKey, ""); if (rk.Properties.ContainsKey("(Default)")) { if (!foundProgID.Contains(rk.Properties["(Default)"][1].ToString())) { foundProgID.Add(rk.Properties["(Default)"][1].ToString()); } } } int idx = path.IndexOf("CLSID\\") + 6; string CLSID = path.Substring(idx, 38); if (!foundCLSID.Contains(CLSID)) { foundCLSID.Add(CLSID); } } } } catch (Exception ex) { Logger.LogError(ex.Message); } } //foreach SQL products } Controller.UpdateProgress(reghive.hivePath + " Add keys:" + cnt, true); /*******************************************************************/ /* * HKEY_CLASSES_ROOT\TypeLib */ /*******************************************************************/ cnt = 0; Controller.UpdateProgress(@"Scanning " + hiveRoot, true); //reghive = new RegHive(hiveRoot + @"\TypeLib"); reghive = Controller.regHives[hiveRoot + @"\TypeLib"]; string[] winxx = new string[] { "win32", "win64" }; foreach (RegKey rk in reghive.regKeys) { foreach (string win in winxx) { string fullpath = RegHelper.FindSubKey(rk.Path, win, 4); if (!string.IsNullOrEmpty(fullpath)) { //we find one RegKey subrk = new RegKey(fullpath, ""); if (subrk.Properties.ContainsKey("(Default)")) { try { string file = subrk.Properties["(Default)"][1].ToLower(); string name = Path.GetFileName(file); if (file.Contains("microsoft shared")) { continue; } if (sumSQLProduct.files_EXE_DLL.Contains(name)) { if (!Controller.sqlRegKeys.ContainsKey(rk.Path)) { Controller.sqlRegKeys.Add(rk.Path, new Reason(SourceType.FromMSI_File, file)); cnt++; } if (!foundTypeLib.Contains(rk.leaf)) { foundTypeLib.Add(rk.leaf); } } } catch (Exception ex) { } } } //if } //foreach winxx } //foreach Controller.UpdateProgress(reghive.hivePath + " Add keys:" + cnt, true); //now check ProdID //HKEY_CLASSES_ROOT\DTS.ConnectionManagerOlap.5\CLSID //.this require .NET 45. so comment it // RegistryKey hkcr = RegistryKey.OpenBaseKey(RegistryHive.ClassesRoot, RegistryView.Registry64); var hkcr = RegistryExtensions.OpenBaseKey(RegistryHive.ClassesRoot, RegistryExtensions.RegistryHiveType.X64); string[] allnames = hkcr.GetSubKeyNames(); cnt = 0; foreach (string s in allnames) { string sub = hiveRoot + "\\" + s; RegistryKey subkey = hkcr.OpenSubKey(s); if (subkey == null) { continue; } string[] subnames = subkey.GetSubKeyNames(); if (subnames.Contains("CLSID") || subnames.Contains("Clsid")) { string result = RegHelper.GetValueForProperty(sub + "\\CLSID", ""); if (foundCLSID.Contains(result)) { //we find one if (!Controller.sqlRegKeys.ContainsKey(sub)) { Controller.sqlRegKeys.Add(sub, new Reason(SourceType.COMClass, result, "CLSID:" + result)); cnt++; } } } } Controller.UpdateProgress("HKEY_CLASSES_ROOT\\ProdID Add keys:" + cnt, true); //Add HKCR\ProdID cnt = 0; foreach (string s in foundProgID) { string path = hiveRoot + "\\" + s; if (Controller.sqlRegKeys.ContainsKey(path)) { continue; } else { if (RegHelper.IsKeyExist(path)) { cnt++; Controller.sqlRegKeys.Add(path, new Reason(SourceType.COMClass, s, "ProdID:" + s)); } } } Controller.UpdateProgress("HKEY_CLASSES_ROOT\\ProdID (from foundProgID) Add keys:" + cnt, true); //for HKEY_CLASSES_ROOT\AppID I don't know how to add it here // /********************************************************/ //HKEY_CLASSES_ROOT\Interface /********************************************************/ //HKEY_CLASSES_ROOT\Interface\{33d00d41-c94f-5a61-9ab7-280dcefa0b08}\ProxyStubClsid32 //below could have less hits... Controller.UpdateProgress(@"Scanning " + hiveRoot, true); // reghive = new RegHive(hiveRoot + @"\Interface"); reghive = Controller.regHives[hiveRoot + @"\Interface"]; cnt = 0; foreach (string sub in reghive.subKeys) { try { string path = hiveRoot + "\\Interface\\" + sub; if (!RegHelper.IsKeyExist(path + "\\ProxyStubClsid32")) { continue; } RegKey rk = new RegKey(path + "\\ProxyStubClsid32", ""); if (rk.Properties.ContainsKey("(Default)")) { string clsid = rk.Properties["(Default)"][1]; if (foundCLSID.Contains(clsid)) { if (!Controller.sqlRegKeys.ContainsKey(path)) { cnt++; Controller.sqlRegKeys.Add(path, new Reason(SourceType.COMClass, clsid, "CLSID:" + clsid)); } } } } catch (Exception ex) { Logger.LogError(ex.Message); } } Controller.UpdateProgress(reghive.hivePath + " Add keys:" + cnt, true); }// for hiveRoot }
public static object GetValue(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName) { RegType rType = GetValueType(mc, hDefKey, sSubKeyName, sValueName); ManagementBaseObject inParams = mc.GetMethodParameters("GetStringValue"); inParams["hDefKey"] = hDefKey; inParams["sSubKeyName"] = sSubKeyName; inParams["sValueName"] = sValueName; object oValue = null; switch (rType) { case RegType.REG_SZ: ManagementBaseObject outParams = mc.InvokeMethod("GetStringValue", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { oValue = outParams["sValue"]; } else { // GetStringValue call failed } break; case RegType.REG_EXPAND_SZ: outParams = mc.InvokeMethod("GetExpandedStringValue", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { oValue = outParams["sValue"]; } else { // GetExpandedStringValue call failed } break; case RegType.REG_MULTI_SZ: outParams = mc.InvokeMethod("GetMultiStringValue", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { oValue = outParams["sValue"]; } else { // GetMultiStringValue call failed } break; case RegType.REG_DWORD: outParams = mc.InvokeMethod("GetDWORDValue", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { oValue = outParams["uValue"]; } else { // GetDWORDValue call failed } break; case RegType.REG_BINARY: outParams = mc.InvokeMethod("GetBinaryValue", inParams, null); if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) { oValue = outParams["uValue"] as byte[]; } else { // GetBinaryValue call failed } break; } return(oValue); }
private static int Add_HKLM_UpgradeCodes() { int cnt = 0; /****************************************************************************************************/ //HKLM /****************************************************************************************************/ /****************************************************************************************************/ //HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes /****************************************************************************************************/ string sub = "UpgradeCodes"; Controller.UpdateProgress(@"Analyzing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\" + sub + "...", true); //RegHive reghive = new RegHive(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\" + sub); RegHive reghive = Controller.regHives[@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes"]; //first, check upgrade code foreach (string key in reghive.subKeys) { string reg = String.Format(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\" + sub + @"\{0}", key); // Controller.UpdateProgress("Comparing " + reg); if (sumSQLProduct.compressedUpgradeCodes.Contains(key) || foundCompressedUpradeCodes.Contains(key) ) { string comment = "Upgrade Code:" + key; if (sumSQLProduct.upgradeCodeToName.ContainsKey(key)) { comment = sumSQLProduct.upgradeCodeToName[key]; } if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Installer_UpgradeCode, key, comment, true)); } if (!foundCompressedUpradeCodes.Contains(key)) { foundCompressedUpradeCodes.Add(key); } if (!sumSQLProduct.upgradeCodeToName.ContainsKey(key)) { sumSQLProduct.upgradeCodeToName.Add(key, comment); } //Need to add product code under this key RegKey rk = new RegKey(reg, ""); foreach (RegProperty rp in rk.RegProperties) { if (rp.Name.Length == 32) { if (!foundCompressedProductCodes.Contains(rp.Name)) { foundCompressedProductCodes.Add(rp.Name); } if (!sumSQLProduct.productCodeToName.ContainsKey(rp.Name)) { sumSQLProduct.productCodeToName.Add(rp.Name, comment); } } } } } foreach (RegKey rk in reghive.regKeys) { bool found = false; foreach (RegProperty rp in rk.RegProperties) { //If any name matches product code if (foundCompressedProductCodes.Contains(rp.Name) || sumSQLProduct.compressedProductCodes.Contains(rp.Name)) { string comment = "Product code:" + rp.Name; if (sumSQLProduct.productCodeToName.ContainsKey(rp.Name)) { comment = sumSQLProduct.productCodeToName[rp.Name]; } if (!Controller.sqlRegKeys.ContainsKey(rk.Path)) { cnt++; Controller.sqlRegKeys.Add(rk.Path, new Reason(SourceType.Installer_ProductCode, rp.Name, comment, true)); } if (!foundCompressedProductCodes.Contains(rp.Name)) { foundCompressedProductCodes.Add(rp.Name); } if (!sumSQLProduct.productCodeToName.ContainsKey(rp.Name)) { sumSQLProduct.productCodeToName.Add(rp.Name, comment); } found = true; } if (found) { break; } } //foreach } //forach Controller.UpdateProgress("Add_HKLM_UpgradeCodes keys:" + cnt, true); return(cnt); }
public static void Add_HKLM_Components() { int cnt = 0; /****************************************************************************************************/ //HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components /****************************************************************************************************/ string sub = "Components"; Controller.UpdateProgress(@"Analyzing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub + "...", true); //RegHive reghive = new RegHive(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub); RegHive reghive = Controller.regHives[@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components"]; //first, check product code //using regKeys instead subkeys int k = 0; foreach (RegKey rk in reghive.regKeys) { bool found = false; string reg = rk.Path; if (k % 2000 == 0) { Controller.UpdateProgress("Checking " + reg); } k++; foreach (RegProperty rp in rk.RegProperties) { if (foundCompressedProductCodes.Contains(rp.Name) || sumSQLProduct.compressedProductCodes.Contains(rp.Name) ) { string comment = "Product code:" + rp.Name; if (sumSQLProduct.productCodeToName.ContainsKey(rp.Name)) { comment = sumSQLProduct.productCodeToName[rp.Name]; } if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Installer_Component, rp.Name, comment, false)); } if (!foundCompressedProductCodes.Contains(rp.Name)) { foundCompressedProductCodes.Add(rp.Name); } found = true; } /*, don't want to check this, though it can add some * else * { * * try * { * if (sumSQLProduct.files_EXE_DLL.Contains(Path.GetFileName(rp.Data.ToLower()))) * { * if (!Controller.sqlRegKeys.ContainsKey(reg)) * { * * cnt++; * Controller.sqlRegKeys.Add(reg, * new Reason(SourceType.Installer_Component, rp.Name, "Product Code:" + rp.Name,true)); * * } * * if (!foundCompressedProductCodes.Contains(rp.Name)) * foundCompressedProductCodes.Add(rp.Name); * found = true; * } * } * catch (Exception ex) * { * * } * } */ if (found) { break; } } //foreach } //foreach Controller.UpdateProgress("Add_HKLM_Components keys:" + cnt, true); // return cnt; }
private static int Add_HKLM_Products() { int cnt = 0; /****************************************************************************************************/ //HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products /****************************************************************************************************/ string sub = "Products"; Controller.UpdateProgress(@"Analyzing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub + "...", true); // RegHive reghive = new RegHive(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub); RegHive reghive = Controller.regHives[@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products"]; //first, check product code foreach (string key in reghive.subKeys) { string reg = String.Format(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub + @"\{0}", key); // Controller.UpdateProgress("Comparing " + reg); if (foundCompressedProductCodes.Contains(key) || //use this to shortcut it if it found already sumSQLProduct.compressedProductCodes.Contains(key) ) { string comment = "Product code:" + key; if (sumSQLProduct.productCodeToName.ContainsKey(key)) { comment = sumSQLProduct.productCodeToName[key]; } if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Installer_ProductCode, key, comment, true)); } if (!foundCompressedProductCodes.Contains(key)) { foundCompressedProductCodes.Add(key); } if (!sumSQLProduct.productCodeToName.ContainsKey(key)) { sumSQLProduct.productCodeToName.Add(key, comment); } //Save the patch if any. string patchKey = reg + "\\Patches"; HashSet <string> mypatches = RegHelper.GetSubKeys(patchKey); foreach (string s in mypatches) { if (!foundCompressedPatchCode.Contains(s)) { foundCompressedPatchCode.Add(s); } if (!sumSQLProduct.patchCodeToName.ContainsKey(s.Trim())) { sumSQLProduct.patchCodeToName.Add(s.Trim(), comment); } } } } Controller.UpdateProgress("Add_HKLM_Products keys:" + cnt, true); return(cnt); }
private static int Add_HKCR_Patches() { int cnt = 0; /****************************************************************************************************/ //HKEY_CLASSES_ROOT\Installer\Patches /****************************************************************************************************/ //HKEY_CLASSES_ROOT\Installer\Patches\023089E60AE02D343916E2D48AFCAA73\SourceList string sub = "Patches"; Controller.UpdateProgress(@"Analyzing HKEY_CLASSES_ROOT\Installer\" + sub + "...", true); subKey sk = new subKey("SourceList", "PackageName"); // RegHive reghive = new RegHive(@"HKEY_CLASSES_ROOT\Installer\" + sub, sk); RegHive reghive = Controller.regHives[@"HKEY_CLASSES_ROOT\Installer\Patches"]; foreach (string key in reghive.subKeys) { string reg = String.Format(@"HKEY_CLASSES_ROOT\Installer\" + sub + @"\{0}", key); // Controller.UpdateProgress("Comparing " + reg); //for Patches, use Patch codes!! if (foundCompressedPatchCode.Contains(key) || sumSQLProduct.compressedPatchCodes.Contains(key)) { if (!Controller.sqlRegKeys.ContainsKey(reg)) { string comment = "Patch code:" + key; if (sumSQLProduct.patchCodeToName.ContainsKey(key)) { comment = sumSQLProduct.patchCodeToName[key]; } cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Installer_PatchCode, key, comment, true)); } if (!foundCompressedPatchCode.Contains(key)) { foundCompressedPatchCode.Add(key); } } } //check source->packageName, whether match? foreach (KeyValuePair <string, List <string> > kv in reghive.propertyMap) { //check msp as well, sumSQLProduct.packageNames may not have .msp but it could have.msi file if (sumSQLProduct.packageNames.Contains(Path.GetFileName(kv.Key).ToLower()) || sumSQLProduct.packageNames.Contains(Path.GetFileNameWithoutExtension(kv.Key).ToLower() + ".msi") ) { foreach (string path in kv.Value) { string comment = "Package name matches:" + kv.Key; string name1 = Path.GetFileName(kv.Key).ToLower(); string name2 = Path.GetFileNameWithoutExtension(kv.Key).ToLower() + ".msi"; if (sumSQLProduct.packageToName.ContainsKey(name1)) { comment = sumSQLProduct.packageToName[name1]; } else if (sumSQLProduct.packageToName.ContainsKey(name2)) { comment = sumSQLProduct.packageToName[name2]; } if (!Controller.sqlRegKeys.ContainsKey(path)) { cnt++; Controller.sqlRegKeys.Add(path, new Reason(SourceType.FromMSI_PackageName, kv.Key, comment, true)); } int start = path.IndexOf("Patches\\") + "Patches\\".Length; string code = path.Substring(start, 32); if (!foundCompressedPatchCode.Contains(code)) { foundCompressedPatchCode.Add(code); } if (!sumSQLProduct.patchCodeToName.ContainsKey(code)) { sumSQLProduct.patchCodeToName.Add(code, comment); } } } } Controller.UpdateProgress("Add_HKCR_Patches keys:" + cnt, true); return(cnt); }
private static int Add_HKLM_Patches() { int cnt = 0; /****************************************************************************************************/ //HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches /****************************************************************************************************/ string sub = "Patches"; Controller.UpdateProgress(@"Analyzing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub + "...", true); // RegHive reghive = new RegHive(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub); RegHive reghive = Controller.regHives[@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches"]; //first, check product code //using regKeys instead subkeys foreach (RegKey rk in reghive.regKeys) { string reg = rk.Path; // Controller.UpdateProgress("Comparing " + reg); if (foundCompressedPatchCode.Contains(rk.leaf) || sumSQLProduct.compressedPatchCodes.Contains(rk.leaf) ) { string comment = "Patch code:" + rk.leaf; if (sumSQLProduct.patchCodeToName.ContainsKey(rk.leaf)) { comment = sumSQLProduct.patchCodeToName[rk.leaf]; } if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Installer_PatchCode, rk.leaf, comment, true)); } if (!foundCompressedPatchCode.Contains(rk.leaf)) { foundCompressedPatchCode.Add(rk.leaf); } } else { //read the local package (*.msp) and read its patch code? if (rk.Properties.ContainsKey("LocalPackage")) { string lp = rk.Properties["LocalPackage"][1]; MspPackage pkg = new MspPackage(lp); if (!string.IsNullOrEmpty(pkg.TargetProductName)) { if (sumSQLProduct.targetProductNames.Contains(pkg.TargetProductName)) { string comment = "TargetProductName:" + pkg.TargetProductName; if (sumSQLProduct.othersToName.ContainsKey(pkg.TargetProductName)) { comment = sumSQLProduct.patchCodeToName[pkg.TargetProductName]; } if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.FromMSI_TargetProductName, pkg.TargetProductName, comment, true)); } if (!foundCompressedPatchCode.Contains(rk.leaf)) { foundCompressedPatchCode.Add(rk.leaf); } } } // if (!string.IsNullOrEmpty(pkg.TargetProductName)) } } //else } Controller.UpdateProgress("Add_HKLM_Patches keys:" + cnt, true); return(cnt); }
public static void Add() { var sumSQLProduct = Controller.sumSQLProduct; bool found = false; /****************************************************************************************************/ //HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /****************************************************************************************************/ string[] hives = new string[] { "", "\\Wow6432Node" }; Controller.UpdateProgress(@"Analyzing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", true); int cnt = 0; foreach (string hiveRoot in hives) { if (!RegHelper.IsKeyExist(@"HKEY_LOCAL_MACHINE\SOFTWARE" + hiveRoot + @"\Microsoft\Windows\CurrentVersion\Uninstall")) { continue; } RegHive reghive = new RegHive(@"HKEY_LOCAL_MACHINE\SOFTWARE" + hiveRoot + @"\Microsoft\Windows\CurrentVersion\Uninstall"); //first, check product code //using regKeys instead subkeys foreach (RegKey rk in reghive.regKeys) { found = false; string reg = rk.Path; string leaf = rk.leaf.ToLower(); string code = Utility.ConvertGUID2CompressedRegistryStyle(leaf); if (!String.IsNullOrEmpty(code)) { if (Installer.foundCompressedProductCodes.Contains(code) || sumSQLProduct.compressedProductCodes.Contains(code) ) { if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Uninstall, code, "Uninstall:Product Code:" + code, true)); } if (!Installer.foundCompressedProductCodes.Contains(code)) { Installer.foundCompressedProductCodes.Add(code); } } } //if it is GUID else //If it is KB article? { if (sumSQLProduct.kbArticles.Contains(leaf)) { if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.FromMSI_KBArticle, leaf, "Uninstall:Product Code:" + leaf, true)); } } else //sometimes the meta is outdated so check more: { //If the key has SQLProductPatchFamilyCode && ProductId="SQLxxx", or ProductId="SQL2008", it is SQL patch key if (rk.Properties.ContainsKey("SQLProductPatchFamilyCode") && rk.Properties.ContainsKey("ProductId") && rk.Properties["ProductId"][1].StartsWith("SQL") ) { //it is SQL patch key if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Uninstall, "SQLProductPatchFamilyCode", "Uninstall:SQLProductPatchFamilyCode", true)); } } else if ( rk.Properties.ContainsKey("ProductId") && rk.Properties["ProductId"][1].StartsWith("SQL2008") ) { //it is SQL patch key if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Uninstall, "ProductId", "ProductId=SQL2008", true)); } } else if (rk.leaf.StartsWith("Microsoft SQL Server")) { if (!Controller.sqlRegKeys.ContainsKey(reg)) { cnt++; Controller.sqlRegKeys.Add(reg, new Reason(SourceType.Uninstall, "Microsoft SQL Server", "It starts with \"Microsoft SQL Server\".", true)); } } } } } }//hiveRoot Controller.UpdateProgress("Uninstall Add keys:" + cnt, true); }
public static List <string> GetConvertedRegKeysIntoInfKeys(List <KeyValuePair <string, Hashtable> > regs, RegHive kind, string relativeTo = "", BaseInf baseInf = null) { var list = new List <string>(); regs.ForEach(reg => { var k = ""; switch (kind) { case RegHive.HKLM: k = kind + "," + reg.Key.GetPartAfterTo("HKEY_LOCAL_MACHINE").Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase); break; case RegHive.HKCU: k = kind + "," + reg.Key.GetPartAfterTo("HKEY_CURRENT_USER").Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase); break; case RegHive.HKCR: k = kind + "," + reg.Key.GetPartAfterTo("HKEY_CLASSES_ROOT").Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase); break; case RegHive.HKU: k = kind + "," + reg.Key.GetPartAfterTo("HKEY_USERS").Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase); break; case RegHive.HKR: k = kind + "," + reg.Key.GetPartAfterTo(relativeTo).Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase); break; case RegHive.NONE: k = reg.Key.GetPartAfterTo(relativeTo).Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase); break; case RegHive.AUTO_DETECT: k = (reg.Key.ToUpper().StartsWith("HKEY_LOCAL_MACHINE") ? "HKLM" : reg.Key.ToUpper().StartsWith("HKEY_CURRENT_USER") ? "HKCU" : reg.Key.ToUpper().StartsWith("HKEY_CLASSES_ROOT") ? "HKCR" : "HKU") + "," + reg.Key.Replace("HKEY_LOCAL_MACHINE\\", "", StringComparison.InvariantCultureIgnoreCase).Replace("HKEY_CURRENT_USER\\", "", StringComparison.InvariantCultureIgnoreCase) .Replace("HKEY_CLASSES_ROOT\\", "", StringComparison.InvariantCultureIgnoreCase).Replace("HKEY_USERS\\", "", StringComparison.InvariantCultureIgnoreCase) .Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase); break; default: break; } foreach (DictionaryEntry keynamevalue in reg.Value) { var key = (keynamevalue.Key as string).Replace("@", ""); if ((keynamevalue.Value as string).ToLower().Contains("dword:")) //REG_DWORD { list.Add(k + "," + key + "," + "0x00010001,0x" + (keynamevalue.Value as string).Split(':')[1]); } else if ((keynamevalue.Value as string).ToLower().Contains("hex:")) //REG_BINARY { list.Add(k + "," + key + "," + "0x00000001," + string.Join(",", CleanSplitHexString(keynamevalue.Value as string))); } else if ((keynamevalue.Value as string).ToLower().Contains("\"")) //REG_SZ { list.Add(k + "," + key + "," + "0x00000000," + (keynamevalue.Value as string).Replace("\\\\", "\\")); } else if ((keynamevalue.Value as string).ToLower().Contains("hex(2)")) //REG_MULTI_SZ { list.Add(k + "," + key + "," + "0x00020000,\"" + StringArrayHexToString(CleanSplitHexString(keynamevalue.Value as string)).Replace("%", "%%") + "\""); } else if ((keynamevalue.Value as string).ToLower().Contains("hex(7)")) //REG_EXPAND_SZ { string tmp = ""; StringArrayHexToString(CleanSplitHexString(keynamevalue.Value as string)).Replace("\r", "").Split('\n').ToList().ForEach(s => tmp += $"\"{s}\","); if (tmp.EndsWith(",")) { tmp = tmp.Substring(0, tmp.Length - 1); } list.Add(k + "," + key + "," + "0x00010000," + tmp); } else { //Console.WriteLine("(reg2inf) unrecognized key: " + keynamevalue.Value); if (baseInf != null) { baseInf.ParsingLog += $"{reg.Key.Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase)} --> {keynamevalue.Key}={keynamevalue.Value}\r\n"; } } } }); return(list); }