public void EscreverArquivoCSV(string local, List <Estudante> estudantes)
{
using (StreamWriter sw = new StreamWriter(local, false, new UTF8Encoding(true)))
{
using (CsvWriter csvWriter = new CsvHelper.CsvWriter(sw, System.Globalization.CultureInfo.InvariantCulture))
{
csvWriter.WriteHeader <Estudante>();
csvWriter.NextRecord();
foreach (Estudante est in estudantes)
{
csvWriter.WriteRecord <Estudante>(est);
csvWriter.NextRecord();
}
}
}
}
public void WriteCSVFile(string path, List <Movie> mv)
{
using (StreamWriter sw = new StreamWriter(path, false, new UTF8Encoding(true)))
{
using (var cw = new CsvHelper.CsvWriter(sw, System.Globalization.CultureInfo.CurrentCulture))
{
cw.WriteHeader <Movie>();
cw.NextRecord();
foreach (Movie stu in mv)
{
cw.WriteRecord <Movie>(stu);
cw.NextRecord();
}
}
}
}
private static void DoWork(string f, string csv, string csvf, int c, bool t, string dt, bool nl, bool debug, bool trace)
{
var levelSwitch = new LoggingLevelSwitch();
var template = "{Message:lj}{NewLine}{Exception}";
if (debug)
{
levelSwitch.MinimumLevel = LogEventLevel.Debug;
template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}";
}
if (trace)
{
levelSwitch.MinimumLevel = LogEventLevel.Verbose;
template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}";
}
var conf = new LoggerConfiguration()
.WriteTo.Console(outputTemplate: template)
.MinimumLevel.ControlledBy(levelSwitch);
Log.Logger = conf.CreateLogger();
var hiveToProcess = "Live Registry";
if (f?.Length > 0)
{
hiveToProcess = f;
if (!File.Exists(f))
{
Log.Warning("'{F}' not found. Exiting", f);
return;
}
}
else
{
if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
Log.Fatal("Live Registry support is not available on non-Windows systems");
Environment.Exit(0);
//throw new NotSupportedException("Live Registry support is not available on non-Windows systems");
}
}
Log.Information("{Header}", Header);
Console.WriteLine();
Log.Information("Command line: {Args}", string.Join(" ", _args));
Console.WriteLine();
if (IsAdministrator() == false)
{
Log.Fatal($"Warning: Administrator privileges not found!");
Console.WriteLine();
}
Log.Information("Processing hive '{HiveToProcess}'", hiveToProcess);
Console.WriteLine();
try
{
var appCompat = new AppCompatCache.AppCompatCache(f,
c, nl);
string outFileBase;
var ts1 = DateTime.Now.ToString("yyyyMMddHHmmss");
if (f?.Length > 0)
{
if (c >= 0)
{
outFileBase =
$"{ts1}_{appCompat.OperatingSystem}_{Path.GetFileNameWithoutExtension(f)}_ControlSet00{c}_AppCompatCache.csv";
}
else
{
outFileBase =
$"{ts1}_{appCompat.OperatingSystem}_{Path.GetFileNameWithoutExtension(f)}_AppCompatCache.csv";
}
}
else
{
outFileBase = $"{ts1}_{appCompat.OperatingSystem}_{Environment.MachineName}_AppCompatCache.csv";
}
if (csvf.IsNullOrEmpty() == false)
{
outFileBase = Path.GetFileName(csvf);
}
if (Directory.Exists(csv) == false)
{
Directory.CreateDirectory(csv !);
}
var outFilename = Path.Combine(csv, outFileBase);
var sw = new StreamWriter(outFilename);
var csvWriter = new CsvWriter(sw, CultureInfo.InvariantCulture);
var foo = csvWriter.Context.AutoMap <CacheEntry>();
var o = new TypeConverterOptions
{
DateTimeStyle = DateTimeStyles.AssumeUniversal & DateTimeStyles.AdjustToUniversal
};
csvWriter.Context.TypeConverterOptionsCache.AddOptions <CacheEntry>(o);
foo.Map(entry => entry.LastModifiedTimeUTC).Convert(entry => entry.Value.LastModifiedTimeUTC.HasValue ? entry.Value.LastModifiedTimeUTC.Value.ToString(dt): "");
foo.Map(entry => entry.CacheEntrySize).Ignore();
foo.Map(entry => entry.Data).Ignore();
foo.Map(entry => entry.InsertFlags).Ignore();
foo.Map(entry => entry.DataSize).Ignore();
foo.Map(entry => entry.LastModifiedFILETIMEUTC).Ignore();
foo.Map(entry => entry.PathSize).Ignore();
foo.Map(entry => entry.Signature).Ignore();
foo.Map(entry => entry.ControlSet).Index(0);
foo.Map(entry => entry.CacheEntryPosition).Index(1);
foo.Map(entry => entry.Path).Index(2);
foo.Map(entry => entry.LastModifiedTimeUTC).Index(3);
foo.Map(entry => entry.Executed).Index(4);
foo.Map(entry => entry.Duplicate).Index(5);
foo.Map(entry => entry.SourceFile).Index(6);
csvWriter.WriteHeader <CacheEntry>();
csvWriter.NextRecord();
Log.Debug("**** Found {Count} caches", appCompat.Caches.Count);
var cacheKeys = new HashSet <string>();
if (appCompat.Caches.Any())
{
foreach (var appCompatCach in appCompat.Caches)
{
Log.Verbose("Dumping cache details: {@Details}", appCompat);
try
{
Log.Information(
"Found {Count:N0} cache entries for {OperatingSystem} in {ControlSet}", appCompatCach.Entries.Count, appCompat.OperatingSystem, $"ControlSet00{appCompatCach.ControlSet}");
if (t)
{
foreach (var cacheEntry in appCompatCach.Entries)
{
cacheEntry.SourceFile = hiveToProcess;
cacheEntry.Duplicate = cacheKeys.Contains(cacheEntry.GetKey());
cacheKeys.Add(cacheEntry.GetKey());
csvWriter.WriteRecord(cacheEntry);
csvWriter.NextRecord();
}
}
else
{
foreach (var cacheEntry in appCompatCach.Entries)
{
cacheEntry.SourceFile = hiveToProcess;
cacheEntry.Duplicate = cacheKeys.Contains(cacheEntry.GetKey());
cacheKeys.Add(cacheEntry.GetKey());
csvWriter.WriteRecord(cacheEntry);
csvWriter.NextRecord();
}
}
}
catch (Exception ex)
{
Log.Error(ex, "There was an error: Error message: {Message}", ex.Message);
try
{
appCompatCach.PrintDump();
}
catch (Exception ex1)
{
Log.Error(ex1, "Couldn't PrintDump: {Message}", ex1.Message);
}
}
}
sw.Flush();
sw.Close();
Console.WriteLine();
Log.Warning("Results saved to '{OutFilename}'", outFilename);
Console.WriteLine();
}
else
{
Console.WriteLine();
Log.Warning("No caches were found!");
Console.WriteLine();
}
}
catch (Exception ex)
{
if (ex.Message.Contains("Sequence numbers do not match and transaction logs were not found in the same direct") == false)
{
if (ex.Message.Contains("Administrator privileges not found"))
{
Log.Fatal("Could not access '{F}'. Does it exist?", f);
Console.WriteLine();
Log.Fatal("Rerun the program with Administrator privileges to try again");
Console.WriteLine();
}
else if (ex.Message.Contains("Invalid diskName:"))
{
Log.Fatal("Could not access '{F}'. Invalid disk!", f);
Console.WriteLine();
}
else
{
Log.Error(ex, "There was an error: {Message}", ex.Message);
Console.WriteLine();
}
}
}
}
public void ClassMap_ClassMapTest()
{
var sb = new StringBuilder()
.AppendLine("fuga,Hega")
//.AppendLine("124 ,,\"1\"")
//.AppendLine(",sss,\"2\"")
//.AppendLine()
.AppendLine("123,\"3,4\"")
;
Console.WriteLine(sb.ToString());
//using (var sr = new StringReader(sb.ToString()))
//using (var csv = new CsvHelper.CsvReader(sr))
//{
// csv.Configuration.PrepareHeaderForMatch = (header, index) => header.Trim().ToLower();
// csv.Configuration.RegisterClassMap<ClassMapImpl>();
// csv.Read();
// csv.ReadHeader();
// while (csv.Read())
// {
// var d = csv.GetRecord<Hoge>();
// Console.WriteLine("-" + d.Fuga.Code + "-");
// foreach (var h in csv.Context.HeaderRecord)
// {
// Console.WriteLine($"{h}, {csv.GetField(h)}");
// }
// }
// var records = csv.GetRecords<Hoge>();
// //foreach (var data in records)
// //{
// // Console.WriteLine(data.Fuga.Code);
// //}
//}
var srr = new StringWriter();
using (var csv = new CsvHelper.CsvWriter(srr))
{
csv.Configuration.RegisterClassMap <ClassMapImpl>();
var hoges = new List <Hoge>
{
new Hoge {
Fuga = new Fuga {
Code = "code"
}, Hega = new List <int> {
2, 3,
}
},
//new Hoge{ },
//new Hoge{Fuga = new Fuga{ Code = "11,333"} },
//new Hoge{Fuga = new Fuga{ Code = "hega\r\nfuga"} },
//new Hoge{Fuga = new Fuga{ Code = "11"} },
};
csv.WriteHeader <Hoge>();
csv.NextRecord();
foreach (var hoge in hoges)
{
csv.WriteRecord(hoge);
}
}
Console.WriteLine(srr.ToString());
}
private static void DoWork(string d, string f, bool q, string csv, string csvf, string dt, bool debug, bool trace)
{
ActiveDateTimeFormat = dt;
var formatter =
new DateTimeOffsetFormatter(CultureInfo.CurrentCulture);
var levelSwitch = new LoggingLevelSwitch();
var template = "{Message:lj}{NewLine}{Exception}";
if (debug)
{
levelSwitch.MinimumLevel = LogEventLevel.Debug;
template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}";
}
if (trace)
{
levelSwitch.MinimumLevel = LogEventLevel.Verbose;
template = "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}";
}
var conf = new LoggerConfiguration()
.WriteTo.Console(outputTemplate: template, formatProvider: formatter)
.MinimumLevel.ControlledBy(levelSwitch);
Log.Logger = conf.CreateLogger();
if (f.IsNullOrEmpty() &&
d.IsNullOrEmpty())
{
var helpBld = new HelpBuilder(LocalizationResources.Instance, Console.WindowWidth);
var hc = new HelpContext(helpBld, _rootCommand, Console.Out);
helpBld.Write(hc);
Log.Warning("Either -f or -d is required. Exiting");
return;
}
if (f.IsNullOrEmpty() == false &&
!File.Exists(f))
{
Log.Warning("File {F} not found. Exiting", f);
return;
}
if (d.IsNullOrEmpty() == false &&
!Directory.Exists(d))
{
Log.Warning("Directory {D} not found. Exiting", d);
return;
}
Log.Information("{Header}", Header);
Console.WriteLine();
Log.Information("Command line: {Args}", string.Join(" ", Environment.GetCommandLineArgs().Skip(1)));
if (IsAdministrator() == false)
{
Log.Warning("Warning: Administrator privileges not found!");
Console.WriteLine();
}
_csvOuts = new List <CsvOut>();
_failedFiles = new List <string>();
var files = new List <string>();
var sw = new Stopwatch();
sw.Start();
if (f?.Length > 0)
{
files.Add(f);
}
else
{
Console.WriteLine();
Log.Information("Looking for files in {Dir}", d);
if (!q)
{
Console.WriteLine();
}
files = GetRecycleBinFiles(d);
}
Log.Information("Found {Count:N0} files. Processing...", files.Count);
if (!q)
{
Console.WriteLine();
}
foreach (var file in files)
{
ProcessFile(file, q, dt);
}
sw.Stop();
Console.WriteLine();
Log.Information(
"Processed {FailedFilesCount:N0} out of {Count:N0} files in {TotalSeconds:N4} seconds", files.Count - _failedFiles.Count, files.Count, sw.Elapsed.TotalSeconds);
Console.WriteLine();
if (_failedFiles.Count > 0)
{
Console.WriteLine();
Log.Information("Failed files");
foreach (var failedFile in _failedFiles)
{
Log.Information(" {FailedFile}", failedFile);
}
}
if (csv.IsNullOrEmpty() == false && files.Count > 0)
{
if (Directory.Exists(csv) == false)
{
Log.Information("{Csv} does not exist. Creating...", csv);
Directory.CreateDirectory(csv);
}
var outName = $"{DateTimeOffset.Now:yyyyMMddHHmmss}_RBCmd_Output.csv";
if (csvf.IsNullOrEmpty() == false)
{
outName = Path.GetFileName(csvf);
}
var outFile = Path.Combine(csv, outName);
outFile =
Path.GetFullPath(outFile);
Log.Warning("CSV output will be saved to {Path}", Path.GetFullPath(outFile));
try
{
var sw1 = new StreamWriter(outFile);
var csvWriter = new CsvWriter(sw1, CultureInfo.InvariantCulture);
csvWriter.WriteHeader(typeof(CsvOut));
csvWriter.NextRecord();
foreach (var csvOut in _csvOuts)
{
csvWriter.WriteRecord(csvOut);
csvWriter.NextRecord();
}
sw1.Flush();
sw1.Close();
}
catch (Exception ex)
{
Log.Error(ex,
"Unable to open {OutFile} for writing. CSV export canceled. Error: {Message}", outFile, ex.Message);
}
}
}
private static void ProcessFile(string file, bool dedupe, bool fj, bool met)
{
if (File.Exists(file) == false)
{
Log.Warning("{File} does not exist! Skipping", file);
return;
}
if (file.StartsWith(VssDir))
{
Console.WriteLine();
Log.Information("Processing {Vss}", $"VSS{file.Replace($"{VssDir}\\", "")}");
}
else
{
Console.WriteLine();
Log.Information("Processing {File}...", file);
}
Stream fileS;
try
{
fileS = new FileStream(file, FileMode.Open, FileAccess.Read);
}
catch (Exception)
{
//file is in use
if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
Console.WriteLine();
Log.Fatal("Raw disk reads not supported on non-Windows platforms! Exiting!!");
Console.WriteLine();
Environment.Exit(0);
}
if (Helper.IsAdministrator() == false)
{
Console.WriteLine();
Log.Fatal("Administrator privileges not found! Exiting!!");
Console.WriteLine();
Environment.Exit(0);
}
if (file.StartsWith("\\\\"))
{
Log.Fatal($"Raw access across UNC shares is not supported! Run locally on the system or extract logs via other means and try again. Exiting");
Environment.Exit(0);
}
Console.WriteLine();
Log.Warning("{File} is in use. Rerouting...", file);
var files = new List <string>
{
file
};
var rawFiles = Helper.GetRawFiles(files);
fileS = rawFiles.First().FileStream;
}
try
{
if (dedupe)
{
var sha = Helper.GetSha1FromStream(fileS, 0);
fileS.Seek(0, SeekOrigin.Begin);
if (SeenHashes.Contains(sha))
{
Log.Debug("Skipping {File} as a file with SHA-1 {Sha} has already been processed", file, sha);
return;
}
SeenHashes.Add(sha);
}
EventLog.LastSeenTicks = 0;
var evt = new EventLog(fileS);
Log.Information("Chunk count: {ChunkCount:N0}, Iterating records...", evt.ChunkCount);
var seenRecords = 0;
var fsw = new Stopwatch();
fsw.Start();
foreach (var eventRecord in evt.GetEventRecords())
{
if (seenRecords % 10 == 0)
{
Console.Title = $"Processing chunk {eventRecord.ChunkNumber:N0} of {evt.ChunkCount} % complete: {(eventRecord.ChunkNumber / (double)evt.ChunkCount):P} Records found: {seenRecords:N0}";
}
if (_includeIds.Count > 0)
{
if (_includeIds.Contains(eventRecord.EventId) == false)
{
//it is NOT in the list, so skip
_droppedEvents += 1;
continue;
}
}
else if (_excludeIds.Count > 0)
{
if (_excludeIds.Contains(eventRecord.EventId))
{
//it IS in the list, so skip
_droppedEvents += 1;
continue;
}
}
if (_startDate.HasValue)
{
if (eventRecord.TimeCreated < _startDate.Value)
{
//too old
Log.Debug("Dropping record Id {EventRecordId} with timestamp {TimeCreated} as its too old", eventRecord.EventRecordId, eventRecord.TimeCreated);
_droppedEvents += 1;
continue;
}
}
if (_endDate.HasValue)
{
if (eventRecord.TimeCreated > _endDate.Value)
{
//too new
Log.Debug("Dropping record Id {EventRecordId} with timestamp {TimeCreated} as its too new", eventRecord.EventRecordId, eventRecord.TimeCreated);
_droppedEvents += 1;
continue;
}
}
if (file.StartsWith(VssDir))
{
eventRecord.SourceFile = $"VSS{file.Replace($"{VssDir}\\", "")}";
}
else
{
eventRecord.SourceFile = file;
}
try
{
var xdo = new XmlDocument();
xdo.LoadXml(eventRecord.Payload);
var payOut = JsonConvert.SerializeXmlNode(xdo);
eventRecord.Payload = payOut;
_csvWriter?.WriteRecord(eventRecord);
_csvWriter?.NextRecord();
var xml = string.Empty;
if (_swXml != null)
{
xml = eventRecord.ConvertPayloadToXml();
_swXml.WriteLine(xml);
}
if (_swJson != null)
{
var jsOut = eventRecord.ToJson();
if (fj)
{
if (xml.IsNullOrEmpty())
{
xml = eventRecord.ConvertPayloadToXml();
}
jsOut = GetPayloadAsJson(xml);
}
_swJson.WriteLine(jsOut);
}
seenRecords += 1;
}
catch (Exception e)
{
Log.Error("Error processing record #{RecordNumber}: {Message}", eventRecord.RecordNumber, e.Message);
evt.ErrorRecords.Add(21, e.Message);
}
}
fsw.Stop();
if (evt.ErrorRecords.Count > 0)
{
var fn = file;
if (file.StartsWith(VssDir))
{
fn = $"VSS{file.Replace($"{VssDir}\\", "")}";
}
_errorFiles.Add(fn, evt.ErrorRecords.Count);
}
_fileCount += 1;
Console.WriteLine();
Log.Information("Event log details");
Log.Information("{Evt}", evt);
Log.Information("Records included: {SeenRecords:N0} Errors: {ErrorRecordsCount:N0} Events dropped: {DroppedEvents:N0}", seenRecords, evt.ErrorRecords.Count, _droppedEvents);
if (evt.ErrorRecords.Count > 0)
{
Console.WriteLine();
Log.Information("Errors");
foreach (var evtErrorRecord in evt.ErrorRecords)
{
Log.Information("Record #{Key}: Error: {Value}", evtErrorRecord.Key, evtErrorRecord.Value);
}
}
if (met && evt.EventIdMetrics.Count > 0)
{
Console.WriteLine();
Log.Information("Metrics (including dropped events)");
Log.Information("Event ID\tCount");
foreach (var esEventIdMetric in evt.EventIdMetrics.OrderBy(t => t.Key))
{
if (_includeIds.Count > 0)
{
if (_includeIds.Contains((int)esEventIdMetric.Key) == false)
{
//it is NOT in the list, so skip
continue;
}
}
else if (_excludeIds.Count > 0)
{
if (_excludeIds.Contains((int)esEventIdMetric.Key))
{
//it IS in the list, so skip
continue;
}
}
Log.Information("{Key}\t\t{Value:N0}", esEventIdMetric.Key, esEventIdMetric.Value);
}
}
}
catch (Exception e)
{
var fn = file;
if (file.StartsWith(VssDir))
{
fn = $"VSS{file.Replace($"{VssDir}\\", "")}";
}
if (e.Message.Contains("Invalid signature! Expected 'ElfFile"))
{
Log.Information("{Fn} is not an evtx file! Message: {Message} Skipping...", fn, e.Message);
}
else
{
Log.Error("Error processing {Fn}! Message: {Message}", fn, e.Message);
}
}
fileS?.Close();
}