private Task <String> findCurrentComputerName() { return(Task.Run(() => { showMsg("Find Computer Name: Getting list of logical drives...", loadImg); string[] drives = Environment.GetLogicalDrives(); showMsg("Find Computer Name: Searching in offline registries...", loadImg); foreach (string drive in drives) { string rPath = drive + @"Windows\System32\config\SYSTEM"; if (File.Exists(rPath)) { try { Registry.RegistryHiveOnDemand registryHive = new Registry.RegistryHiveOnDemand(rPath); Registry.Abstractions.RegistryKey key = registryHive.GetKey(@"ControlSet001\Control\ComputerName\ComputerName"); foreach (Registry.Abstractions.KeyValue value in key.Values) { if (value.ValueName == "ComputerName") { return value.ValueData; } } } catch (IOException) { } } } showMsg("Find Computer Name: Searching in online registry...", loadImg); Microsoft.Win32.RegistryKey computerName = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(@"SYSTEM\ControlSet001\Control\ComputerName\ComputerName", false); hideMsg(); return (string)computerName.GetValue("ComputerName"); })); }
public void ParseUSBStor() { Registry.Abstractions.RegistryKey key = null; key = _hive.GetKey(USBSTOR); List <USBDevice> devices = new List <USBDevice>(); foreach (var sub in key.SubKeys) { string description = sub.KeyName; key = _hive.GetKey(sub.KeyPath); foreach (var serial in key.SubKeys) { USBDevice dev = new USBDevice(); dev.SetSerial(serial.KeyName); dev.SetDescription(description); dev.FriendlyName = GetValueByKey(serial.KeyPath, "FriendlyName"); key = _hive.GetKey(serial.KeyPath + "\\Properties\\" + dateKey); var firstInKey = key.SubKeys.FirstOrDefault(x => x.KeyName == "0064"); var lastInKey = key.SubKeys.FirstOrDefault(x => x.KeyName == "0066"); var lastRemKey = key.SubKeys.FirstOrDefault(x => x.KeyName == "0067"); string firstIn = GetValueByKey(firstInKey.KeyPath, dateValue); string lastIn = GetValueByKey(lastInKey.KeyPath, dateValue); string lastRem = GetValueByKey(lastRemKey.KeyPath, dateValue); dev.SetFirstInsertion(firstIn); dev.SetLastInsertion(lastIn); dev.SetLastRemoval(lastRem); var mountedDevsEntries = GetKeysByValue(mountedDevices, serial.KeyName); // This list should contain 2 elements, one for the drive letter, another for the GUID foreach (string entry in mountedDevsEntries) { if (entry.StartsWith("\\??\\")) { dev.SetDeviceGUID(entry); } else { dev.SetDriveLetter(entry); } } devices.Add(dev); } } SetGridSource(devices); }
/// <summary> /// Recursively iterates over the a registry key and its subkeys for enumerating all values of the keys and subkeys /// </summary> /// <param name="rk">the root registry key to start iterating over</param> /// <param name="hive">the offline registry hive</param> /// <param name="subKey">the path of the first subkey under the root key</param> /// <param name="indent"></param> /// <param name="path_prefix">the header to the current root key, needed for identification of the registry store</param> /// <returns></returns> private static IEnumerable <RegistryKeyWrapper> IterateOfflineRegistry(OfflineRegistryKey rk, OfflineRegistryHive hive, string subKey, RegistryKeyWrapper parent, string path_prefix) { if (rk == null) { yield break; } foreach (OfflineRegistryKey valueName in rk.SubKeys) { if (valueName.KeyName.ToUpper() == "ASSOCIATIONS") { continue; } string sk = GetSubkeyString(subKey, valueName.KeyName); OfflineRegistryKey rkNext; try { rkNext = hive.GetKey(GetSubkeyString(rk.KeyPath, valueName.KeyName)); } catch (SecurityException) { continue; } string path = path_prefix; RegistryKeyWrapper rkNextWrapper = null; bool isNumeric = int.TryParse(valueName.KeyName, out _); if (isNumeric) { OfflineKeyValue rkValue = null; try { rkValue = rk.Values.First(val => val.ValueName == valueName.KeyName); } catch (InvalidOperationException) { } if (rkValue == null) { continue; } byte[] byteVal = rkValue.ValueDataRaw; yield return(rkNextWrapper = new RegistryKeyWrapper(rkNext, byteVal, hive, parent)); } foreach (var wrapper in IterateOfflineRegistry(rkNext, hive, sk, rkNextWrapper, path)) { yield return(wrapper); } } }
private string GetValueByKey(string keyPath, string valueName) { string result = null; Registry.Abstractions.RegistryKey key = _hive.GetKey(keyPath); if (key != null) { var value = key.Values.FirstOrDefault(x => x.ValueName == valueName); if (value != null) { result = value.ValueData; } } return(result); }
private List <string> GetKeysByValue(string keyPath, string valueData) { List <string> result = new List <string>(); Registry.Abstractions.RegistryKey key = _hive.GetKey(keyPath); if (key != null) { foreach (var item in key.Values) { string s = item.ValueType == "RegBinary" ? System.Text.Encoding.Unicode.GetString(item.ValueDataRaw) : item.ValueData; if (s.Contains(valueData)) { result.Add(item.ValueName); } } } return(result); }
private void AdaptOfflineKey(OfflineRegistryKey registryKey, OfflineRegistryHive hive) { //obtain SID and Username(?) //HKEY USERS registry is UserSID\.... string UserSID = registryKey.KeyPath.Split('\\')[0]; // "_classes" is actually just a user's usrclass.dat, not a seperate user. UserSID = UserSID.ToUpper().Replace("_CLASSES", ""); RegistrySID = UserSID; //if we dont know the username, default to the SID. RegistryUser = RegistrySID; //obtain NodeSlot (Shellbag Path in registry) SlotModifiedDate = DateTime.MinValue; LastRegistryWriteDate = DateTime.MinValue; NodeSlot = null; string nodeSlotPath = null; foreach (OfflineKeyValue kv in registryKey.Values) { if (kv.ValueName.Equals("NodeSlot")) { NodeSlot = int.Parse(kv.ValueData); nodeSlotPath = string.Format("{0}{1}\\{2}", registryKey.KeyPath.Substring(0, registryKey.KeyPath.IndexOf("BagMRU", StringComparison.Ordinal)), "Bags", NodeSlot); break; } } if (nodeSlotPath != null) { SlotModifiedDate = hive.GetKey(nodeSlotPath).LastWriteTime.Value.LocalDateTime; } //obtain the date the registry last wrote this key LastRegistryWriteDate = registryKey.LastWriteTime.Value.UtcDateTime; }
/// <summary> /// Adapts a ShellBag RegistryKey to a common standard for retrieval of important information independent of key retrieval methodologies /// </summary> /// <param name="registryKey">A Registry Key associated with a Shellbag, retrieved from a offline registry reader API</param> /// <param name="keyValue">The Value of a Registry key containing Shellbag information. Found in the Parent of the registryKey being inspected</param> /// <param name="parent">The parent of the currently inspected registryKey. Can be null.</param> public RegistryKeyWrapper(OfflineRegistryKey registryKey, byte[] keyValue, OfflineRegistryHive hive, RegistryKeyWrapper parent = null) : this(keyValue) { Parent = parent; RegistryPath = registryKey.KeyPath; AdaptOfflineKey(registryKey, hive); }