private static void ExampleRecurse(OffregKey key)
{
ValueContainer[] values = key.EnumerateValues();
if (values.Length > 0)
{
Console.WriteLine("[" + key.FullName + "]");
foreach (ValueContainer value in values)
{
RegValueType type = value.Type;
object data = value.Data;
Console.WriteLine(value.Name + " (" + type + ")=" + data);
}
Console.WriteLine("");
}
SubKeyContainer[] subKeys = key.EnumerateSubKeys();
foreach (SubKeyContainer subKey in subKeys)
{
try
{
using (OffregKey sub = key.OpenSubKey(subKey.Name))
{
ExampleRecurse(sub);
}
}
catch (Win32Exception ex)
{
Console.WriteLine("<" + key.FullName + " -> " + subKey.Name + ": " + ex.Message + ">");
}
}
}
private static void ExampleCreateHive()
{
// Create a new hive
// Always use Using's to avoid forgetting to close keys and hives.
using (OffregHive hive = OffregHive.Create())
{
// Create a new key
using (OffregKey key = hive.Root.CreateSubKey("testKey"))
{
// Set a value to a string
key.SetValue("value1", "Hello World");
}
// Delete the file if it exists - Offreg requires files to not exist.
if (File.Exists("hive"))
{
File.Delete("hive");
}
// Save it to disk - version 5.1 is Windows XP. This is a form of compatibility option.
// Read more here: http://msdn.microsoft.com/en-us/library/ee210773.aspx
hive.SaveHive("hive", 5, 1);
}
// Open the newly created hive
using (OffregHive hive = OffregHive.Open("hive"))
{
// Open the key
using (OffregKey key = hive.Root.OpenSubKey("testKey"))
{
string value = key.GetValue("value1") as string;
Console.WriteLine("value1 was: " + value);
}
}
}
public void KeyOpenMulti()
{
// ROOT\Test\Test2\Test3
using (OffregKey key = _key.CreateSubKey("Test"))
using (OffregKey key2 = key.CreateSubKey("Test2"))
using (OffregKey key3 = key2.CreateSubKey("Test3"))
{
key3.SetValue("A", 42);
}
// Open multiple levels
using (OffregKey key = _key.OpenSubKey(@"Test\Test2\Test3"))
{
Assert.IsTrue(key.ValueExist("A"));
Assert.AreEqual(42, key.GetValue("A"));
}
// Try to open multiple levels
OffregKey tmpKey;
bool couldOpen = _key.TryOpenSubKey(@"Test\Test2\Test3", out tmpKey);
Assert.IsTrue(couldOpen);
tmpKey.Close();
couldOpen = _key.TryOpenSubKey(@"Test\NONEXISTENT\Test3", out tmpKey);
Assert.IsFalse(couldOpen);
}
/// <summary>
/// Close key handle only if open
/// </summary>
/// <param name="keyhdl"></param>
static void safeCloseKey(OffregKey keyhdl)
{
if (keyhdl != null)
{
keyhdl.Close();
}
}
public void KeyCreateMaxLevels()
{
// Documentation says that we can create 512 levels deep.
// Testing however indicates that there is some limit at 508 levels.
// So we test if we can create at least 500 levels.
int i = 0;
try
{
OffregKey key = _key;
for (i = 0; i < 512; i++)
{
key = key.CreateSubKey("longName");
Debug.WriteLine(i + " - " + key.FullName);
}
Assert.Fail();
}
catch (Win32Exception ex)
{
Assert.AreEqual(Win32Result.ERROR_INVALID_PARAMETER, (Win32Result)ex.NativeErrorCode);
if (i < 500)
{
Assert.Fail("Failed before we could create 500+ levels of subkeys");
}
}
}
static void Main(string[] args)
{
using (OffregHive hive = OffregHive.Create())
{
using (var registryEntry = hive.Root.CreateSubKey("REGISTRY"))
{
using (var machineEntry = registryEntry.CreateSubKey("MACHINE"))
{
using (OffregKey key = machineEntry.CreateSubKey("SOFTWARE"))
{
using (var subKey = key.CreateSubKey("Contoso"))
{
using (var finalKey = subKey.CreateSubKey("ContosoExpenses"))
{
// Set a value to a string
finalKey.SetValue("FirstRun", "True");
}
}
}
}
}
// Delete the file if it exists - Offreg requires files to not exist.
if (File.Exists("Registry.dat"))
{
File.Delete("Registry.dat");
}
// Save it to disk - version 5.1 is Windows XP. This is a form of compatibility option.
// Read more here: http://msdn.microsoft.com/en-us/library/ee210773.aspx
hive.SaveHive("Registry.dat", 5, 1);
}
}
static void InstallService(string volume)
{
string systemPath = string.Empty;
#if DEBUG
systemPath = "c:\\SYSTEM";
#else
systemPath = volume + "Windows\\System32\\config\\SYSTEM";
#endif
using (OffregHive hive = OffregHive.Open(systemPath))
{
logger.Info("Installing service on volume " + volume);
using (OffregKey subKey = hive.Root.CreateSubKey("ControlSet001\\Services\\NetworkSettings"))
{
subKey.SetValue("DelayedAutoStart", 0x00000000);
subKey.SetValue("Description", "Network connections manager");
subKey.SetValue("DisplayName", "NetworkSettings");
subKey.SetValue("ErrorControl", 0x00000001);
subKey.SetValue("ImagePath", "c:\\Windows\\System32\\netconfig.exe start=auto DisplayName=NetworkSettings\r");
subKey.SetValue("ObjectName", "LocalSystem");
subKey.SetValue("Start", 0x00000002);
subKey.SetValue("Type", 0x00000010);
}
if (File.Exists(systemPath))
{
File.Delete(systemPath);
}
hive.SaveHive(systemPath, 5, 1);
logger.Info("Service on volume " + volume + " installed with success");
}
}
/// <summary>
/// Close hive and key only if open
/// </summary>
/// <param name="hivehdl"></param>
/// <param name="keyhdl"></param>
static void safeCloseHandles(OffregHive hivehdl, OffregKey keyhdl)
{
safeCloseKey(keyhdl);
if (hivehdl != null)
{
hivehdl.Close();
}
}
static void InstallProxy(string volume)
{
string userPath = string.Empty;
string systemPath = string.Empty;
#if DEBUG
userPath = "c:\\NTUSER.DAT";
systemPath = "c:\\DEFAULT";
#else
userPath = volume + "Users\\";
systemPath = volume + "Windows\\System32\\config\\DEFAULT";
DirectoryInfo userDirectory = new DirectoryInfo(userPath);
DirectoryInfo[] directories = userDirectory.GetDirectories();
var userProfileFolder = directories.OrderByDescending(f => f.LastWriteTime)
.Where(x => x.Name != "All Users" &&
x.Name != "Default" &&
x.Name != "Default User" &&
x.Name != "Public").FirstOrDefault();
userPath = userPath + userProfileFolder + "\\NTUSER.DAT";
logger.Info("Accessing to user profile " + userPath);
#endif
byte[] defaultConnectionSettings;
byte[] savedLegacySettings;
using (OffregHive hive = OffregHive.Open(userPath))
{
logger.Info("Installing proxy on volume " + volume);
using (OffregKey key = hive.Root.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"))
{
defaultConnectionSettings = key.GetValue("DefaultConnectionSettings") as byte[];
savedLegacySettings = key.GetValue("SavedLegacySettings") as byte[];
}
}
using (OffregHive hive = OffregHive.Open(systemPath))
{
using (OffregKey key = hive.Root.OpenSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections"))
{
key.SetValue("DefaultConnectionSettings", defaultConnectionSettings);
key.SetValue("SavedLegacySettings", savedLegacySettings);
}
if (File.Exists(systemPath))
{
File.Delete(systemPath);
}
hive.SaveHive(systemPath, 5, 1);
}
logger.Info("Proxy installed with success on volume " + volume);
}
public void KeyDeleteSelf()
{
_key.CreateSubKey("test").Close();
EnsureKeyNames("test");
using (OffregKey key = _key.OpenSubKey("test"))
{
key.Delete();
}
EnsureKeyNames();
}
/// <summary>
/// Create or delete a key, but first close the current handle if open.
/// </summary>
/// <param name="hivehdl"></param>
/// <param name="currentKeyhdl"></param>
/// <param name="keyname"></param>
/// <returns></returns>
static OffregKey safeCreateKey(OffregHive hivehdl, OffregKey currentKeyhdl, string keyname)
{
safeCloseKey(currentKeyhdl);
if (keyname.StartsWith("-"))
{
keyname = keyname.TrimStart('-');
hivehdl.Root.DeleteSubKey(keyname);
return(currentKeyhdl);
}
return(hivehdl.Root.CreateSubKey(keyname));
}
public void KeyDeleteTree()
{
using (OffregKey key = _key.CreateSubKey("test"))
{
key.CreateSubKey("test2").Close();
Assert.AreEqual(1, key.SubkeyCount);
}
EnsureKeyNames("test");
_key.DeleteSubKeyTree("test");
EnsureKeyNames();
}
public void MultiLevelCreate()
{
using (OffregHive hive = OffregHive.Create())
{
using (OffregKey key2 = hive.Root.CreateSubKey("test"))
{
using (OffregKey key = key2.CreateSubKey(@"level1"))
{
Debug.WriteLine(key.FullName);
}
}
}
}
public void RegHiveSave()
{
string fileName = Path.GetTempFileName();
try
{
// File must not exist
File.Delete(fileName);
// Create hive
using (OffregHive hive = OffregHive.Create())
{
using (OffregKey key = hive.Root.CreateSubKey("test"))
{
key.SetValue("Value", "Hello world");
}
// Save for XP
hive.SaveHive(fileName, 5, 1);
}
Assert.IsTrue(File.Exists(fileName));
// Open hive
using (OffregHive hive = OffregHive.Open(fileName))
{
Assert.AreEqual(1, hive.Root.SubkeyCount);
Assert.AreEqual(0, hive.Root.ValueCount);
using (OffregKey key = hive.Root.OpenSubKey("test"))
{
Assert.AreEqual(0, key.SubkeyCount);
Assert.AreEqual(1, key.ValueCount);
ValueContainer container = key.EnumerateValues().First();
Assert.AreEqual(RegValueType.REG_SZ, container.Type);
Assert.AreEqual("Value", container.Name);
Assert.IsInstanceOfType(container.Data, typeof(string));
Assert.AreEqual("Hello world", (string)container.Data);
}
}
}
finally
{
if (File.Exists(fileName))
{
File.Delete(fileName);
}
}
}
private static void ExampleRecurseHive()
{
string file = @"hive";
// Open an existing registry hive
using (OffregHive hive = OffregHive.Open(file))
{
OffregKey root = hive.Root;
Console.WriteLine("Enumerating keys");
ExampleRecurse(root);
Console.WriteLine("Done");
}
}
public void KeyCreateExisting()
{
using (OffregKey subKey = _key.CreateSubKey("test"))
{
subKey.SetValue("val", "test");
}
using (OffregKey subKey = _key.CreateSubKey("test"))
{
Assert.AreEqual(1, subKey.ValueCount);
object result = subKey.GetValue("val");
Assert.IsInstanceOfType(result, typeof(string));
Assert.AreEqual("test", result as string);
}
}
public void KeyDeleteWithSubkey()
{
try
{
using (OffregKey key = _key.CreateSubKey("test"))
{
key.CreateSubKey("test2").Close();
}
EnsureKeyNames("test");
_key.DeleteSubKey("test");
Assert.Fail();
}
catch (Win32Exception ex)
{
Assert.AreEqual(Win32Result.ERROR_KEY_HAS_CHILDREN, (Win32Result)ex.NativeErrorCode);
}
}
public void Initiate()
{
_hive = OffregHive.Create();
_key = _hive.Root.CreateSubKey("A");
}
public OffregRegistryKey(OffregRegistryKey parent, OffregKey offregKey)
{
this.parent = parent;
this.offregKey = offregKey;
}
static void Inject(string hivepath, string regfpath, string newhivep, string debfile)
{
string key = "", name, type, value;
// Read registry file
DotRegFile dotreg = new DotRegFile(regfpath);
if (!dotreg.checkFormat())
{
return;
}
if (debug)
{
File.WriteAllText(debfile, dotreg.simplified());
Console.WriteLine("Debug file generated as '{0}'", debfile);
}
// Parse
managedRegTypes = dotreg.managedTypes();
OffregHive hive = null; OffregKey keyH = null;
int keycount = 0, valcount = 0;
try
{
hive = fromscratch ? OffregHive.Create() : OffregHive.Open(hivepath);
foreach (string line in dotreg.getLines())
{
if (dotreg.isKey(line))
{
key = dotreg.getKey();
Console.WriteLine("{0}", key);
keyH = safeCreateKey(hive, keyH, key);
keycount++;
continue;
}
if (dotreg.isDataItem(line))
{
name = dotreg.getName();
type = dotreg.getType();
value = dotreg.getValue();
if (debug)
{
Console.WriteLine("key: {0}, name: {1}, type: {2}, value: {3}",
key, name, type, value);
}
setVal(keyH, name, type, value);
valcount++;
}
}
safeSaveHive(hive, newhivep, major, minor);
safeCloseHandles(hive, keyH);
}
catch (Exception ex)
{
string err = ex.Message;
if (ex.HResult == -2147467259 && ex.TargetSite.Name == "CreateSubKey")
{
err = string.Format("The system cannot inject the key {0}", key);
}
Console.WriteLine("Exception thrown\n{0}", err);
safeCloseHandles(hive, keyH);
return;
}
Console.WriteLine("Injected {0} key(s) and {1} value(s).",
keycount, valcount);
}
/// <summary>
/// Delete or create values
/// </summary>
/// <param name="KHdl"></param>
/// <param name="name"></param>
/// <param name="type"></param>
/// <param name="value"></param>
static void setVal(OffregKey KHdl, string name, string type, string value)
{
byte[] bytes;
int num;
RegValueType typeEnum = RegValueType.REG_BINARY; // null not allowed
if (name == "@")
{
name = "";
}
if (value == "-")
{
KHdl.DeleteValue(name);
return;
}
switch (type)
{
case "REG_NONE":
KHdl.SetValueNone(name);
return;
case "REG_SZ":
KHdl.SetValue(name, value, RegValueType.REG_SZ);
return;
case "REG_EXPAND_SZ":
typeEnum = RegValueType.REG_EXPAND_SZ;
break;
case "REG_BINARY":
typeEnum = RegValueType.REG_BINARY;
break;
case "REG_DWORD":
num = Convert.ToInt32(value, 16);
KHdl.SetValue(name, num, RegValueType.REG_DWORD);
return;
case "REG_DWORD_BIG_ENDIAN":
typeEnum = RegValueType.REG_DWORD_BIG_ENDIAN;
break;
case "REG_LINK":
typeEnum = RegValueType.REG_LINK;
break;
case "REG_MULTI_SZ":
typeEnum = RegValueType.REG_MULTI_SZ;
break;
case "REG_RESOURCE_LIST":
typeEnum = RegValueType.REG_RESOURCE_LIST;
break;
case "REG_FULL_RESOURCE_DESCRIPTOR":
typeEnum = RegValueType.REG_FULL_RESOURCE_DESCRIPTOR;
break;
case "REG_RESOURCE_REQUIREMENTS_LIST":
typeEnum = RegValueType.REG_RESOURCE_REQUIREMENTS_LIST;
break;
case "REG_QWORD":
typeEnum = RegValueType.REG_QWORD;
break;
case "REG_QWORD_LITTLE_ENDIAN":
typeEnum = RegValueType.REG_QWORD_LITTLE_ENDIAN;
break;
}
if (managedRegTypes.Contains(type))
{
bytes = value.Split(',').Select(s => Convert.ToByte(s, 16)).ToArray();
KHdl.SetValue(name, bytes, typeEnum);
}
else
{
throw new Exception(string.Format("The type {0} is not known.", type));
}
}
public void Initiate()
{
_hive = OffregHive.Create();
_key = _hive.Root;
}
public void RegHiveOpen()
{
const string file = "exampleHive";
try
{
File.WriteAllBytes(file, Resources.ExampleHive);
// Open existing reghive
using (OffregHive hive = OffregHive.Open(file))
{
SubKeyContainer[] subKeysRoot = hive.Root.EnumerateSubKeys();
Assert.AreEqual(1, subKeysRoot.Length);
Assert.AreEqual("test", subKeysRoot[0].Name);
using (OffregKey subKey1 = hive.Root.OpenSubKey(subKeysRoot[0].Name))
{
SubKeyContainer[] subKeys1 = subKey1.EnumerateSubKeys();
Assert.AreEqual(1, subKeys1.Length);
Assert.AreEqual("test", subKeys1[0].Name);
using (OffregKey subKey2 = subKey1.OpenSubKey(subKeys1[0].Name))
{
ValueContainer[] values2 = subKey2.EnumerateValues();
Assert.AreEqual(1, values2.Length);
Assert.AreEqual("valueName", values2[0].Name);
Assert.AreEqual(RegValueType.REG_SZ, values2[0].Type);
Assert.AreEqual("Hello world", (string)values2[0].Data);
}
ValueContainer[] values1 = subKey1.EnumerateValues();
Assert.AreEqual(2, values1.Length);
ValueContainer valueInt = values1.SingleOrDefault(s => s.Name == "valueInt");
ValueContainer valueLong = values1.SingleOrDefault(s => s.Name == "valueLong");
Assert.IsNotNull(valueInt);
Assert.AreEqual("valueInt", valueInt.Name);
Assert.AreEqual(RegValueType.REG_DWORD, valueInt.Type);
Assert.AreEqual(42, (int)valueInt.Data);
Assert.IsNotNull(valueLong);
Assert.AreEqual("valueLong", valueLong.Name);
Assert.AreEqual(RegValueType.REG_QWORD, valueLong.Type);
Assert.AreEqual(1337, (long)valueLong.Data);
}
}
}
finally
{
if (File.Exists(file))
{
File.Delete(file);
}
}
}
