public override bool Process() { RegistryValue[] values = Key.GetListOfValues(); if (null != values && 0 < values.Length) { foreach (RegistryValue value in values) { Reporter.Write(value.Name + " : " + value.GetDataAsString()); } } else { Library.WriteNoValue(KeyPath, Reporter); } Reporter.Write(""); RegistryKey[] subkeys = null; RegistryKey volumeKey = Key.GetSubkey("Volume"); if (null != volumeKey) { subkeys = volumeKey.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { RegistryValue nukeValue = null; foreach (RegistryKey subkey in subkeys) { Reporter.Write(subkey.Name + " [" + Library.TransrateTimestamp(subkey.Timestamp, TimeZoneBias, OutputUtc) + "]"); nukeValue = subkey.GetValue("NukeOnDelete"); if (null != nukeValue) { Reporter.Write(" NukeOnDelete " + nukeValue.GetDataAsObject().ToString()); } else { Reporter.Write("\\NukeOnDelete ではVALUEを取得できませんでした。"); } } } else { Library.WriteNoValue(KeyPath + "\\Volume", Reporter); } } else { Reporter.Write(KeyPath + "\\Volume サブキーにはアクセスできませんでした。"); } return(true); }
public override bool Process() { // 製品名保持用 string productName = string.Empty; // First, let's find out which version of Adobe Acrobat Reader is installed RegistryKey[] subkeys = Key.GetListOfSubkeys(); RegistryKey key = null; foreach (RegistryKey subkey in subkeys) { if (READER.Equals(subkey.Name)) { productName = READER; key = subkey; break; } else if (ACROBAT.Equals(subkey.Name)) { productName = ACROBAT; key = subkey; break; } } if (null != key) { subkeys = key.GetListOfSubkeys(); key = null; if (null != subkeys && 0 < subkeys.Length) { foreach (RegistryKey subkey in subkeys) { if (Regex.IsMatch(subkey.Name, @"[0-9]+\.[0-9]+")) { key = subkey; break; } } // バージョンが見つかった場合は処理 if (null != key) { Reporter.Write("Adobe は " + productName + " がインストールされており、バージョンは " + key.Name + " です。"); // RecentFileを取得する string keyPath = @"AVGeneral\cRecentFiles"; key = key.GetSubkey(keyPath); if (null != key) { Reporter.Write("最近更新したファイルのキーパス:" + key.Name + @"\" + keyPath); Reporter.Write("最終更新日:" + Library.TransrateTimestamp(key.Timestamp, TimeZoneBias, OutputUtc)); // サブキーを取得 subkeys = key.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { foreach (RegistryKey subkey in subkeys) { // なぜShift_JISで入ってるんだ… // 海外で使えんじゃないか。 string data = Encoding.GetEncoding(0).GetString((byte[])subkey.GetValue("sDI").GetDataAsObject()); data = data.Replace("\0", string.Empty); Reporter.Write(subkey.Name + " " + Library.TransrateTimestamp(subkey.Timestamp, TimeZoneBias, OutputUtc) + " " + data); } } else { Reporter.Write(keyPath + " にはサブキーがありません。"); } } else { Reporter.Write("ファイルの編集がありません。"); } } else { // でなければ記録して終了 Reporter.Write("Adobe " + productName + " のバージョンは見つかりませんでした。"); } } } return(true); }
public override bool Process() { Reporter.Write("MsPaper"); string keyPath = "Software\\Microsoft"; RegistryKey key = RootKey.GetSubkey(keyPath); if (null != key) { RegistryKey[] subkeys = key.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { bool hasValue = false; foreach (RegistryKey subkey in subkeys) { string name = subkey.Name; if (name.StartsWith("MSPaper")) { hasValue = true; string mspKeyPath = subkey.Name + "\\Recent File List"; RegistryKey mspKey = key.GetSubkey(mspKeyPath); if (null != mspKey) { Reporter.Write("表す値:MSPaperの直近の履歴"); Reporter.Write("キーのパス:" + keyPath + "\\" + mspKeyPath); Reporter.Write("最終更新日:" + Library.TransrateTimestamp(mspKey.Timestamp, TimeZoneBias, OutputUtc)); RegistryValue[] values = mspKey.GetListOfValues(); if (null != values && 0 < values.Length) { List <KeyValuePair <ushort, string> > list = new List <KeyValuePair <ushort, string> >(); // Retrieve values and load into a hash for sorting string mspName; string source = string.Empty; ushort serial; foreach (RegistryValue value in values) { mspName = value.Name; if (mspName.StartsWith("File")) { source = mspName.Substring(4); if (ushort.TryParse(source, out serial)) { list.Add(new KeyValuePair <ushort, string>(serial, value.GetDataAsObject().ToString())); } } } list.Sort( delegate(KeyValuePair <ushort, string> first, KeyValuePair <ushort, string> next) { return(first.Key.CompareTo(next.Key)); } ); // Print sorted content to report file foreach (KeyValuePair <ushort, string> pair in list) { Reporter.Write(" File" + pair.Key.ToString() + " -> " + pair.Value); } } else { Reporter.Write(keyPath + "\\" + mspKeyPath + " にはVALUEがありませんでした。"); Reporter.Write(""); } } else { Reporter.Write(keyPath + "\\" + mspKeyPath + " キーは見つかりませんでした。"); Reporter.Write(""); } } } if (!hasValue) { Reporter.Write("SOFTWARE\\Microsoft\\MSPaper* から始まるキーは見つかりませんでした。"); Reporter.Write(""); } } else { // そんな状況ありえへんと思うが Reporter.Write(keyPath + " にはサブキーがありませんでした。"); } } else { // そんな状況ありえへんと思うが Reporter.Write(keyPath + " キーは見つかりませんでした。"); } return(true); }
public override bool Process() { RegistryKey key = null; RegistryKey[] subkeys = null; string[] splitted; List <TimestampContainer> list = new List <TimestampContainer>(); string precedent; string timestamp; // Get devices from the Disk GUID key = Key.GetSubkey("{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"); if (null != key) { Reporter.Write(""); Reporter.Write("[DeviceClasses - Disks]"); Reporter.Write("キーのパス:" + key.KeyPath); Reporter.Write("キーの最終更新日時:" + Library.TransrateTimestamp(key.Timestamp, TimeZoneBias, OutputUtc)); Reporter.Write(""); subkeys = key.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { foreach (RegistryKey subkey in subkeys) { if (subkey.Name.Contains("USBSTOR")) { splitted = subkey.Name.Split('#'); list.Add(new TimestampContainer(subkey.Timestamp, splitted[4] + "," + splitted[5])); } } list.Sort( delegate(TimestampContainer first, TimestampContainer next) { return(next.Timestamp.CompareTo(first.Timestamp)); } ); precedent = string.Empty; foreach (TimestampContainer container in list) { timestamp = Library.TransrateTimestamp(container.Timestamp, TimeZoneBias, OutputUtc); if (!precedent.Equals(timestamp)) { Reporter.Write(timestamp); precedent = timestamp; } Reporter.Write("\t" + container.Data); } } else { Reporter.Write("Diskにはサブキーがありませんでした。"); } } else { Reporter.Write("Diskのキーは見つかりませんでした。"); } Reporter.Write(""); // Get devices from the Volume GUID key = Key.GetSubkey("{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"); if (null != key) { Reporter.Write("[DeviceClasses - Volumes]"); Reporter.Write("キーのパス:" + key.KeyPath); Reporter.Write("キーの最終更新日時:" + Library.TransrateTimestamp(key.Timestamp, TimeZoneBias, OutputUtc)); Reporter.Write(""); subkeys = key.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { list.Clear(); foreach (RegistryKey subkey in subkeys) { if (subkey.Name.Contains("RemovableMedia")) { splitted = subkey.Name.Split('#'); list.Add(new TimestampContainer(subkey.Timestamp, splitted[5])); } } list.Sort( delegate(TimestampContainer first, TimestampContainer next) { return(next.Timestamp.CompareTo(first.Timestamp)); } ); precedent = string.Empty; foreach (TimestampContainer container in list) { timestamp = Library.TransrateTimestamp(container.Timestamp, TimeZoneBias, OutputUtc); if (!precedent.Equals(timestamp)) { Reporter.Write(timestamp); precedent = timestamp; } Reporter.Write("\tParentPrefixID: " + container.Data); } } else { Reporter.Write("Volumesにはサブキーがありませんでした。"); } } else { Reporter.Write("Volumesのキーは見つかりませんでした。"); } return(true); }
public override bool Process() { // Get all of the subkey names RegistryKey[] subkeys = Key.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { RegistryValue[] values; Dictionary <string, TimestampContainer2> dictionary = new Dictionary <string, TimestampContainer2>(); Dictionary <string, string> innerDictionary = new Dictionary <string, string>(); foreach (RegistryKey subkey in subkeys) { if ("Descriptions".Equals(subkey.Name)) { continue; } RegistryKey connectionKey = Key.GetSubkey(subkey.Name + "\\Connection"); if (null != connectionKey) { innerDictionary.Clear(); values = connectionKey.GetListOfValues(); foreach (RegistryValue value in values) { innerDictionary.Add(value.Name, value.GetDataAsObject().ToString()); } // See what the active NICs were on the system; "active" based on PnpInstanceID having // a string value // Get the GUID of the interface, the name, and the LastWrite time of the Connection // key if (innerDictionary.ContainsKey("PnpInstanceID") && !string.Empty.Equals(innerDictionary["PnpInstanceID"])) { dictionary.Add(subkey.Name, new TimestampContainer2(innerDictionary["Name"], connectionKey.Timestamp)); } } } Reporter.Write(""); // access the Tcpip Services key to get the IP address information if (0 < dictionary.Count) { RegistryKey interfaceKey = RootKey.GetSubkey(@"Services\Tcpip\Parameters\Interfaces"); if (null != interfaceKey) { Reporter.Write(interfaceKey.KeyPath); Reporter.Write("最終更新日時:" + Library.TransrateTimestamp(interfaceKey.Timestamp, TimeZoneBias, OutputUtc)); Reporter.Write(""); List <string> list = new List <string>(); // Dump the names of the subkeys under Parameters\Interfaces into a hash subkeys = interfaceKey.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { foreach (RegistryKey subkey in subkeys) { list.Add(subkey.Name); } } RegistryKey propertyKey; object data = null; string replacedData = string.Empty; StringBuilder builder = new StringBuilder(); foreach (KeyValuePair <string, TimestampContainer2> pair in dictionary) { if (list.Contains(pair.Key)) { propertyKey = interfaceKey.GetSubkey(pair.Key); Reporter.Write("Interface " + pair.Key); Reporter.Write("Name: " + pair.Value.Name); Reporter.Write("Control\\Network キーの最終更新日時:" + Library.TransrateTimestamp(pair.Value.Timestamp, TimeZoneBias, OutputUtc)); Reporter.Write("Services\\Tcpip キーの最終更新日時:" + Library.TransrateTimestamp(propertyKey.Timestamp, TimeZoneBias, OutputUtc)); values = propertyKey.GetListOfValues(); innerDictionary.Clear(); foreach (RegistryValue value in values) { if (value.Name.ToUpper().Contains("DHCP") || "IPAddressv".Equals(value.Name) || "SubnetMask".Equals(value.Name) || "DefaultGateway".Equals(value.Name)) { data = value.GetDataAsObject(); if (typeof(string[]).Equals(data.GetType())) { builder = new StringBuilder(); foreach (string item in (string[])data) { if (0 < builder.Length) { builder.Append(","); } builder.Append(item); } replacedData = builder.ToString(); } else { replacedData = data.ToString(); } innerDictionary.Add(value.Name, replacedData); } } if (innerDictionary.ContainsKey("EnableDHCP") && "1".Equals(innerDictionary["EnableDHCP"])) { Reporter.Write("\tDhcpDomain = " + EvaluateDictionary(innerDictionary, "DhcpDomain")); Reporter.Write("\tDhcpIPAddress = " + EvaluateDictionary(innerDictionary, "DhcpIPAddress")); Reporter.Write("\tDhcpSubnetMask = " + EvaluateDictionary(innerDictionary, "DhcpSubnetMask")); Reporter.Write("\tDhcpNameServer = " + EvaluateDictionary(innerDictionary, "DhcpNameServer")); Reporter.Write("\tDhcpServer = " + EvaluateDictionary(innerDictionary, "DhcpServer")); } else { Reporter.Write("\tIPAddress = " + EvaluateDictionary(innerDictionary, "IPAddressv")); Reporter.Write("\tSubnetMask = " + EvaluateDictionary(innerDictionary, "SubnetMask")); Reporter.Write("\tDefaultGateway = " + EvaluateDictionary(innerDictionary, "DefaultGateway")); } } else { Reporter.Write("インターフェイス「" + pair.Key + "」は " + interfaceKey.KeyPath + " にはありませんでした。"); } Reporter.Write(""); } } } else { //Reporter.Write("No active network interface cards were found."); //Logger.Write("No active network interface cards were found."); Reporter.Write("有効なNICは見つかりませんでした。"); } } else { Reporter.Write(KeyPath + " にはサブキーがありませんでした。"); } return(true); }
public override bool Process() { RegistryKey[] subkeys = Key.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { foreach (RegistryKey subkey in subkeys) { Reporter.Write(""); Reporter.Write(subkey.Name + " [" + Library.TransrateTimestamp(subkey.Timestamp, TimeZoneBias, OutputUtc) + "]"); RegistryKey[] endkeys = subkey.GetListOfSubkeys(); if (null != endkeys && 0 < endkeys.Length) { foreach (RegistryKey endkey in endkeys) { Reporter.Write(endkey.Name + " [" + Library.TransrateTimestamp(endkey.Timestamp, TimeZoneBias, OutputUtc) + "]"); try { Reporter.Write("FriendlyName : " + endkey.GetValue("FriendlyName").GetDataAsObject().ToString()); } catch (Exception ex) { // 原文noopだが一応ログ Logger.Write(LogLevel.ERROR, "error occurred when getting FriendlyName value./" + ex.Message); } Reporter.Write(""); } } if ("Control".Equals(subkey.Name)) { RegistryKey key = subkey.GetSubkey(@"DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"); if (null != key) { Reporter.Write("DeviceClasses - Disks"); Reporter.Write(key.Name); List <TimestampContainer> list = new List <TimestampContainer>(); string[] splitted = null; RegistryKey[] nestedkeys = key.GetListOfSubkeys(); if (null != subkeys && 0 < subkeys.Length) { foreach (RegistryKey nestedKey in nestedkeys) { if (nestedKey.Name.Contains("IDE")) { splitted = subkey.Name.Split('#'); list.Add(new TimestampContainer(nestedKey.Timestamp, splitted[4] + "," + splitted[5])); } } if (0 < list.Count) { Reporter.Write(""); list.Sort( delegate(TimestampContainer first, TimestampContainer next) { return(next.Timestamp.CompareTo(first.Timestamp)); } ); foreach (TimestampContainer container in list) { Reporter.Write(Library.TransrateTimestamp(container.Timestamp, TimeZoneBias, OutputUtc)); Reporter.Write("\t" + container.Data); } } else { Reporter.Write("No IDE subkeys were found."); return(true); } } else { Reporter.Write(key.KeyPath + "にはサブキーはありませんでした。"); } } else { Reporter.Write(key.KeyPath + "は見つかりませんでした。"); } } } } else { Reporter.Write("サブキーはありませんでした。"); } return(true); }
private void Recursive(RegistryKey key, string path, string folderName) { // NodeSlotから実体のフォルダの内容を取得 RegistryValue slotValue = key.GetValue("NodeSlot"); if (null != slotValue) { string slotNumber = slotValue.GetDataAsObject().ToString(); // RegistryKey bagKey = RootKey.GetSubkey(pathBuilder.ToString() + @"\" + slotValue.GetData().ToString()); RegistryKey bagKey = RootKey.GetSubkey(path.Remove(path.Length - 3) + @"s\" + slotNumber + @"\Shell"); if (null != bagKey) { RegistryKey[] subkeys = bagKey.GetListOfSubkeys(); if (null != subkeys) { } RegistryValue[] bagValues = bagKey.GetListOfValues(); if (null != bagValues) { Reporter.Write(" FolderName : " + ((0 != folderName.Length) ? folderName : "デスクトップ?")); Reporter.Write(" [ValueList]"); string dataString = ""; byte[] bytes; StringBuilder dataBuilder = new StringBuilder(); foreach (RegistryValue bagValue in bagValues) { if (Constants.REG_BINARY != bagValue.Type) { dataString = bagValue.GetDataAsString(); } else { bytes = bagValue.Data; foreach (byte item in bytes) { if (0 < dataBuilder.Length) { dataBuilder.Append(" "); } dataBuilder.Append(item.ToString("X2")); } dataString = dataBuilder.ToString(); } Reporter.Write(" " + bagValue.Name + " : " + dataString); } Reporter.Write(""); } } } // まずMRUListExを取得 RegistryValue mruValue = key.GetValue("MRUListEx"); if (null != mruValue) { byte[] mruData = (byte[])mruValue.GetDataAsObject(); if (null != mruData) { uint mru = 0; RegistryValue value; List <byte> byteList = new List <byte>(); byte[] bytes = null; for (uint count = 0; count < mruData.Length; count += 4) { mru = BitConverter.ToUInt16(Library.ExtractArrayElements(mruData, count, 4), 0); value = key.GetValue(mru.ToString()); if (null != value) { bytes = (byte[])value.GetDataAsObject(); if (0x19 == bytes[0]) { if (0 < folderName.Length) { Logger.Write(LogLevel.WARNING, folderName + " / " + mru.ToString() + "は怪しげです。"); } folderName = Encoding.ASCII.GetString(Library.ExtractArrayElements(bytes, 3, 3)); } else { byteList = new List <byte>(); // Reporter.Write("\t" + value.Name + "WriteTime : " Library.ExtractArrayElements(bytes, 8, 4)); //hoge++; //System.IO.File.WriteAllBytes(@"C:\WORK\KaniReg\dummyFile\" + hoge.ToString() + ".txt" , (byte[])data); bool start = false; for (uint innerCount = 4; innerCount < bytes.Length; innerCount++) { if (!start && 0x14 == bytes[innerCount - 4] && 0x00 == bytes[innerCount - 3] && 0x00 == bytes[innerCount - 2] && 0x00 == bytes[innerCount - 1]) { start = true; } if (!start) { continue; } byteList.Add(bytes[innerCount]); if (0x00 == bytes[innerCount] && 0x00 == bytes[innerCount + 1]) { break; } } if (0 < folderName.Length) { folderName += @"\"; } folderName += Encoding.Unicode.GetString(byteList.ToArray()); } } RegistryKey subKey = key.GetSubkey(mru.ToString()); if (null != subKey) { Recursive(subKey, path, folderName); } } } } }