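/// <summary>
/// Depth-first walk of <paramref name="key"/>: every value found is recorded as a
/// <see cref="RegistryEntry"/>, and its data, its name and the owning key path are each
/// checked against the analyzer's search terms.
/// </summary>
/// <param name="key">An open key (read access is enough). The caller owns it; subkeys
/// opened during the walk are disposed here.</param>
/// <remarks>
/// A key that cannot be enumerated or opened (ACL denies access, or it was deleted
/// while the walk was running) is added to <c>InaccessibleEntries</c> by full path and
/// skipped, so one restricted key under HKLM\SOFTWARE does not abort the whole scan.
/// REG_EXPAND_SZ data is recorded after environment-variable expansion, which is what
/// <see cref="RegistryKey.GetValue(string)"/> does by default; a search term written in
/// the unexpanded form (for example "%APPDATA%") will therefore not match such values.
/// </remarks>
private void RecursivelyCollectKeyLevelData(RegistryKey key)
{
    string[] subKeyNames;
    string[] valueNames;
    try
    {
        subKeyNames = key.GetSubKeyNames();
        valueNames = key.GetValueNames();
    }
    catch (SecurityException)
    {
        InaccessibleEntries.Add(key.Name);
        return;
    }
    catch (UnauthorizedAccessException)
    {
        // An ACL denial typically surfaces as UnauthorizedAccessException rather than
        // SecurityException (the previous code only caught the latter).
        InaccessibleEntries.Add(key.Name);
        return;
    }
    catch (System.IO.IOException)
    {
        // The key was deleted (or marked for deletion) after it was opened.
        InaccessibleEntries.Add(key.Name);
        return;
    }

    foreach (string valueName in valueNames)
    {
        try
        {
            RecordValue(key, valueName);
        }
        catch (System.IO.IOException)
        {
            // Value removed between enumeration and read; nothing to record.
        }
    }

    foreach (string subKeyName in subKeyNames)
    {
        string subKeyPath = key.Name + "\\" + subKeyName;
        RegistryKey subKey = null;
        try
        {
            subKey = key.OpenSubKey(subKeyName, false);
        }
        catch (SecurityException) { /* recorded below as inaccessible */ }
        catch (UnauthorizedAccessException) { /* recorded below as inaccessible */ }
        catch (System.IO.IOException) { /* recorded below as inaccessible */ }

        if (subKey == null)
        {
            // OpenSubKey returns null (rather than throwing) when the key vanished or,
            // depending on the framework, when access is denied. Record the full path,
            // not just the leaf name, so the location is unambiguous in the report.
            InaccessibleEntries.Add(subKeyPath);
            continue;
        }

        // NOTE(review): a symbolic-link key pointing back up the tree would recurse until
        // the stack overflows; the scanned SOFTWARE subtrees are assumed not to contain
        // such loops — confirm if the scan roots are ever widened.
        using (subKey)
        {
            RecursivelyCollectKeyLevelData(subKey);
        }
    }
}

/// <summary>
/// Records one value of <paramref name="key"/> as a <see cref="RegistryEntry"/> and runs
/// the search-term checks on its data, its name and the key path.
/// </summary>
private void RecordValue(RegistryKey key, string valueName)
{
    string data = FormatValueData(key.GetValue(valueName));

    RegistryEntry entry = new RegistryEntry();
    entry.KeyName = valueName;
    entry.Value = data;
    entry.RegistryLocation = key.Name;
    RegistryEntries.Add(entry);

    analyzer.NumEntriesRecorded += 1;
    // The analyzer is told where the walk is before matching runs; CheckValueMatch may
    // read these, so this order is kept.
    analyzer.ActiveRegistryLocation = entry.RegistryLocation;
    analyzer.ActiveRegistryValue = data;

    RecordMatches(entry, data);
    RecordMatches(entry, valueName);
    RecordMatches(entry, entry.RegistryLocation);
}

/// <summary>
/// Renders raw value data as one searchable string: byte data (REG_BINARY and any other
/// kind the framework hands back as bytes) as upper-case hex without separators,
/// REG_MULTI_SZ joined with "; ", a missing value (REG_LINK, or one removed since
/// enumeration) as the empty string, everything else via ToString().
/// </summary>
private static string FormatValueData(object raw)
{
    byte[] bytes = raw as byte[];
    if (bytes != null)
    {
        return BitConverter.ToString(bytes).Replace("-", "");
    }
    string[] strings = raw as string[];
    if (strings != null)
    {
        // ToString() on the array yields "System.String[]", so multi-string values could
        // never match a search term before.
        return string.Join("; ", strings);
    }
    return raw == null ? "" : raw.ToString();
}

/// <summary>
/// Logs every search-term field that <paramref name="candidate"/> matches and appends
/// <paramref name="entry"/> to the matching list once per hit.
/// </summary>
private void RecordMatches(RegistryEntry entry, string candidate)
{
    List<string> matchingFields = analyzer.CheckValueMatch(candidate);
    foreach (string field in matchingFields)
    {
        EntryLogger.LogMatchingEntry(entry, field);
        // NOTE(review): an entry is appended once per hit, so a value matching on both its
        // data and its name appears twice — confirm consumers expect duplicates.
        MatchingRegistryEntries.Add(entry);
    }
}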
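/// <summary>
/// Starts a registry scan from the UI: disables the window, builds a fresh
/// <see cref="RegistryAnalyzer"/> from the three search-term boxes, opens the roots the
/// user ticked (read-only) and runs collection on a worker thread so the window stays
/// responsive during a walk of HKLM\SOFTWARE.
/// </summary>
/// <param name="sender">The button that raised the event (unused).</param>
/// <param name="e">Routed event data (unused).</param>
/// <remarks>
/// - Roots are opened through <see cref="Registry.LocalMachine"/> / <see cref="Registry.CurrentUser"/>,
///   i.e. the process's own registry view. A 32-bit build on 64-bit Windows is redirected
///   to WOW6432Node and will not see the 64-bit HKLM\SOFTWARE; open the hive with
///   RegistryKey.OpenBaseKey(..., RegistryView.Registry64) if that matters for the scan.
/// - Keys the current user cannot read are recorded by the collector as inaccessible, not
///   raised here; run elevated for a more complete HKLM view.
/// - Blank search-term boxes are passed through unchanged; whether an empty term matches
///   nothing or everything is decided in RegistryAnalyzer.CheckValueMatch — confirm.
/// </remarks>
private void RunAnalysisButton_Click(object sender, RoutedEventArgs e)
{
    SetUIMode(false);
    LogScrollViewer.Visibility = Visibility.Hidden;
    SetOutputButtonEnabledStatus(false);
    LogOnlyMatches = Convert.ToBoolean(CheckboxLogOnlyMatches.IsChecked);

    MainApp.Analyzer = new RegistryAnalyzer(this);
    MainApp.Analyzer.SearchTerms = new List<string>()
    {
        SearchTerm1TextBox.Text,
        SearchTerm2TextBox.Text,
        SearchTerm3TextBox.Text
    };
    EntryLogger.main_window = this;
    AnalysisRunLogger.LogNewRun();
    AnalysisRunLogger.UpdateCurrentRunID();
    Console.WriteLine("Collecting registry data");

    List<RegistryKey> keysToSearch = new List<RegistryKey>();
    AddScanRoot(keysToSearch, CheckboxCurrentUser.IsChecked, Registry.CurrentUser, "SOFTWARE", null);
    AddScanRoot(keysToSearch, CheckboxLocalMachine.IsChecked, Registry.LocalMachine, "SOFTWARE", null);
    AddScanRoot(keysToSearch, CheckboxRecentApps.IsChecked, Registry.CurrentUser,
        @"SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps", "Recent apps is null.");
    AddScanRoot(keysToSearch, CheckboxRecentAppsDocs.IsChecked, Registry.CurrentUser,
        @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32", "Recent apps docs is null.");
    // The checkbox is named "RecentTorrents" but the key it opens is Explorer\RecentDocs.
    AddScanRoot(keysToSearch, CheckboxRecentTorrents.IsChecked, Registry.CurrentUser,
        @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs", "Recent Torrents is null.");

    Thread collectionThread = new Thread(new ThreadStart(() => CollectAndLog(keysToSearch)));
    collectionThread.Name = "RegistryCollection";
    // Background so a half-finished walk does not keep the process alive after the window closes.
    collectionThread.IsBackground = true;
    collectionThread.Start();
}

/// <summary>
/// Opens <paramref name="subPath"/> under <paramref name="hive"/> read-only and appends it
/// to <paramref name="target"/> when <paramref name="selected"/> is true. A missing key is
/// reported on the console with <paramref name="missingMessage"/> when one is given.
/// Ownership of the opened keys stays with the caller; this method never disposes them.
/// </summary>
private static void AddScanRoot(List<RegistryKey> target, bool? selected, RegistryKey hive, string subPath, string missingMessage)
{
    if (selected != true)
    {
        return;
    }
    RegistryKey opened = hive.OpenSubKey(subPath, false);
    if (opened != null)
    {
        target.Add(opened);
    }
    else if (missingMessage != null)
    {
        Console.WriteLine(missingMessage);
    }
}

/// <summary>
/// Worker-thread body for <see cref="RunAnalysisButton_Click"/>: runs the collection,
/// flattens the collected entries, logs them on a second thread unless only matches were
/// requested, and then signals completion.
/// </summary>
private void CollectAndLog(List<RegistryKey> keysToSearch)
{
    List<RegistryEntry> recordedEntries = new List<RegistryEntry>();
    try
    {
        RegistryDataCollector[] collectors = MainApp.Analyzer.CollectRegistryData(keysToSearch);
        MainApp.Analyzer.EntryCollectors = new List<RegistryDataCollector>(collectors);
        foreach (RegistryDataCollector collector in collectors)
        {
            foreach (RegistryEntry entry in collector.RegistryEntries)
            {
                recordedEntries.Add(entry);
            }
        }
    }
    catch (Exception ex)
    {
        // An exception on a non-UI thread is not routed to the dispatcher's handler and
        // would take the whole process down with no message; report it and re-enable the
        // window instead. SetUIMode was already being called from a worker thread below,
        // so it is assumed to marshal to the dispatcher itself — confirm.
        Console.WriteLine("Registry collection failed: " + ex);
        SetUIMode(true);
        return;
    }

    new Thread(new ThreadStart(() =>
    {
        if (!LogOnlyMatches)
        {
            SetUIMode(false);
            EntryLogger.LogEntries(recordedEntries);
            SetUIMode(true);
            SetOutputButtonEnabledStatus(false);
        }
    })).Start();
    OnDataCollectionIsFinished();
}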