        public void ShouldFindAKeyWithClassName()
        {
            // Exercises a key whose class name is expected to be populated in the sample SYSTEM hive
            // (class names are normally empty, so this checks that the parser surfaces them at all).
            const string lsaDataPath = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Control\Lsa\Data";

            var systemHive = new RegistryHiveOnDemand(@"..\..\..\Hives\SYSTEM");
            var lsaData    = systemHive.GetKey(lsaDataPath);

            Check.That(lsaData.ClassName).IsNotEmpty();
        }
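        /// <summary>
        /// Determines whether the CPU architecture recorded in a SYSTEM hive is 32-bit (x86).
        /// </summary>
        /// <param name="fileName">
        /// Path of an offline SYSTEM hive, or an empty string to read the live machine's registry
        /// (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment).
        /// </param>
        /// <returns><c>true</c> when PROCESSOR_ARCHITECTURE is "x86" (case-insensitive); otherwise <c>false</c>.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="fileName"/> is null.</exception>
        /// <exception cref="NullReferenceException">
        /// The architecture could not be determined. The thrown type is kept for compatibility with existing callers;
        /// InvalidOperationException would be the conventional choice.
        /// </exception>
        public static bool Is32Bit(string fileName)
        {
            if (fileName == null)
            {
                throw new ArgumentNullException(nameof(fileName));
            }

            const string environmentSubPath = @"Control\Session Manager\Environment";

            if (fileName.Length == 0)
            {
                // Live system. The opened sub key is IDisposable, so release the handle when done
                // (Registry.LocalMachine itself is a base key and is not closed).
                using (var environment = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\" + environmentSubPath))
                {
                    var arch = environment?.GetValue("PROCESSOR_ARCHITECTURE");

                    if (arch != null)
                    {
                        return string.Equals(arch.ToString(), "x86", StringComparison.OrdinalIgnoreCase);
                    }
                }
            }
            else
            {
                var hive      = new RegistryHiveOnDemand(fileName);
                var selectKey = hive.GetKey("Select");

                // "Select\Current" names the active control set. Guard every step so a truncated or malformed hive
                // ends in the explicit exception below rather than a NullReferenceException from inside LINQ.
                var current = selectKey?.Values.FirstOrDefault(c => c.ValueName == "Current");

                if (current != null &&
                    int.TryParse(current.ValueData,
                                 System.Globalization.NumberStyles.Integer,
                                 System.Globalization.CultureInfo.InvariantCulture,
                                 out var currentCtlSet))
                {
                    // Control sets are named ControlSet001, ControlSet002, ... — always three digits.
                    var environment = hive.GetKey($"ControlSet{currentCtlSet:D3}\\" + environmentSubPath);
                    var arch        = environment?.Values.FirstOrDefault(c => c.ValueName == "PROCESSOR_ARCHITECTURE");

                    if (arch != null)
                    {
                        return string.Equals(arch.ValueData, "x86", StringComparison.OrdinalIgnoreCase);
                    }
                }
            }

            throw new NullReferenceException("Unable to determine CPU architecture!");
        }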
        ///// <summary>
        ///// NOT USED
        ///// </summary>
        ///// <param name="keys"></param>
        ///// <param name="pathPrefix"></param>
        ///// <param name="files"></param>
        ///// <param name="type"></param>
        //private void EnumerateShellEx(List<string> keys,
        //                              string pathPrefix,
        //                              string files,
        //                              string type)
        //{
        //    foreach (string file in System.IO.Directory.EnumerateFiles(_registryPath,
        //                                                               files,
        //                                                               SearchOption.AllDirectories))
        //    {
        //        RegistryHiveOnDemand registry = OpenRegistry(file);
        //        if (registry == null)
        //        {
        //            continue;
        //        }

        //        foreach (string key in keys)
        //        {
        //            RegistryKey regKey = OpenKey(registry, key);
        //            if (regKey == null)
        //            {
        //                continue;
        //            }

        //            foreach (RegistryKey subKey in regKey.SubKeys)
        //            {
        //                if (subKey.Values.Where(v => v.ValueName.ToLower() == "default").SingleOrDefault() == null)
        //                {
        //                    continue;
        //                }

        //                string guid = subKey.Values.Where(v => v.ValueName.ToLower() == "default").SingleOrDefault().ValueData;
        //                ProcessClsid(registry,
        //                             pathPrefix + "\\" + key,
        //                             subKey.KeyName,
        //                             "ShellEx",
        //                             guid,
        //                             file);
        //            }
        //        }
        //    }
        //}

        /// <summary>
        /// NOT USED
        /// </summary>
        //private void EnumerateShellExHooks()
        //{
        //    foreach (string file in System.IO.Directory.EnumerateFiles(_registryPath,
        //                                                               "software",
        //                                                               SearchOption.AllDirectories))
        //    {
        //        RegistryHiveOnDemand registry = OpenRegistry(file);
        //        if (registry == null)
        //        {
        //            continue;
        //        }

        //        //foreach (string key in _keysGuidValue)
        //        //{
        //        //    RegistryKey regKey = registry.Open(key);
        //        //    if (regKey == null)
        //        //    {
        //        //        continue;
        //        //    }

        //        //    foreach (RegistryValue regValue in regKey.Values())
        //        //    {
        //        //        ProcessClsid(registry, "HKLM\\Software\\" + key, key, "ShellExecuteHooks", regValue.Value.ToString());
        //        //    }
        //        //}
        //    }
        //}

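        /// <summary>
        /// Resolves a CLSID to the in-process server it registers and hands the result to <see cref="ProcessEntry"/>:
        /// looks up <c>Classes\CLSID\{guid}\InprocServer32</c> (falling back to the <c>Wow6432Node</c> view), reads
        /// its "(default)" value and forwards it together with the key's last-write time. Registrations without an
        /// InprocServer32 key or without a default value are skipped silently.
        /// </summary>
        /// <param name="registry">Hive to resolve the CLSID in.</param>
        /// <param name="path">Registry path the CLSID reference was found under (passed through unchanged).</param>
        /// <param name="type">Entry type label (passed through unchanged).</param>
        /// <param name="info">Descriptive label (passed through unchanged).</param>
        /// <param name="guid">CLSID to resolve, exactly as it appears in the referencing value.</param>
        /// <param name="sourceFile">Hive file the entry came from (passed through unchanged).</param>
        private void ProcessClsid(RegistryHiveOnDemand registry,
                                  string path,
                                  string type,
                                  string info,
                                  string guid,
                                  string sourceFile)
        {
            // 64-bit view first, then the WOW64 view; both absent means the CLSID has no in-process server here.
            RegistryKey regKey = OpenKey(registry, @"Classes\CLSID\" + guid + @"\InprocServer32")
                                 ?? OpenKey(registry, @"Classes\Wow6432Node\CLSID\" + guid + @"\InprocServer32");

            if (regKey == null)
            {
                return;
            }

            // One case-insensitive lookup instead of two ToLower() scans. FirstOrDefault rather than SingleOrDefault:
            // a hive carrying duplicate value names (the test corpus has such a SAM) must not abort the whole scan
            // with an InvalidOperationException.
            var defaultValue = regKey.Values.FirstOrDefault(v => string.Equals(v.ValueName, "(default)", StringComparison.OrdinalIgnoreCase));

            if (defaultValue == null)
            {
                return;
            }

            ProcessEntry(defaultValue.ValueData, path, type, info, sourceFile, regKey.LastWriteTime);
        }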
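        public void TestVkRecordUnknownRegType()
        {
            // Unnamed value with an unrecognised type id (15) in the SAM_DUPENAME sample: expected to be exposed as
            // RegUnknown with its data kept as raw bytes.
            var samDupeNameOnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM_DUPENAME");
            var key = samDupeNameOnDemand.GetKey(@"SAM\SAM\Domains\Account\Users");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(e => e.ValueName == string.Empty);

            Check.That(val).IsNotNull();

            // IsEqualTo throughout: on an NFluent check object, Equals(...) is the obsolete object overload rather
            // than the fluent assertion, so depending on the NFluent version a mismatch there may never fail the test.
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0x1880);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x2880);
            Check.That(val.VkRecord.Size).IsEqualTo(-24);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(0x0);
            Check.That(val.VkRecord.NameLength).IsEqualTo(0x0);
            Check.That(val.VkRecord.ValueName).IsEmpty();
            Check.That(val.VkRecord.ValueData).IsInstanceOf <byte[]>();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegUnknown);
            Check.That(val.VkRecord.DataTypeRaw).IsEqualTo(15);
            Check.That(val.VkRecord.DataLength).IsEqualTo(0x80000000);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo((uint)0);
            Check.That(val.VkRecord.Padding.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueDataRaw.Length).IsEqualTo(4);
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ToString()).IsNotEmpty();
        }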
        public void GetKeyShouldNotBeNullWithShortPathMixedSpelling()
        {
            // Key lookup is expected to ignore case: "DomAins\AccoUnt" must resolve like "Domains\Account".
            const string mixedCasePath = @"SAM\DomAins\AccoUnt";

            var samHive = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");
            var found   = samHive.GetKey(mixedCasePath);

            Check.That(found).IsNotNull();
        }
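        public void TestVkRecordRegqWord()
        {
            // REG_QWORD value in the NTUSER1 sample; checks the vk cell layout and that the data decodes to a ulong.
            var ntUser1OnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");
            var key             = ntUser1OnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(e => e.ValueName == "BannedAppsLastModified");

            Check.That(val).IsNotNull();

            // IsEqualTo throughout: on an NFluent check object, Equals(...) is the obsolete object overload rather
            // than the fluent assertion, so depending on the NFluent version a mismatch there may never fail the test.
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0x5ce0);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x6ce0);
            Check.That(val.VkRecord.Size).IsEqualTo(-48);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(0x01);
            Check.That(val.VkRecord.NameLength).IsEqualTo(0x16);
            Check.That(val.VkRecord.ValueName).IsEqualTo("BannedAppsLastModified");
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
            Check.That(val.VkRecord.DataLength).IsEqualTo((uint)0x8);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo((uint)0x3b70);
            Check.That(val.ValueData).IsEqualTo("0");
            Check.That(val.VkRecord.Padding.Length).IsEqualTo(2);
            Check.That(val.VkRecord.ValueData).IsInstanceOf <ulong>();
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(4);
            Check.That(val.VkRecord.ValueDataRaw.Length).IsEqualTo(8);
            Check.That(val.VkRecord.ToString()).IsNotEmpty();
        }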
        public void GetKeyShouldNotBeNullWithFullPath()
        {
            // The "full" form carries the leading CsiTool-CreateHive-{...} component (presumably the hive's root key
            // name) and must resolve just like the short "SAM\Domains\Account" form used by the sibling tests.
            var samHive = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");

            var accountKey = samHive.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Account");

            Check.That(accountKey).IsNotNull();
        }
        public void GetKeyShouldBeNullWithNonExistentPath()
        {
            // A path whose tail does not exist must yield null rather than throw.
            const string missingPath = @"SAM\Domains\Account\This\Does\Not\Exist";

            var samHive = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");

            Check.That(samHive.GetKey(missingPath)).IsNull();
        }
        public void ExportToRegFormatSingleKey()
        {
            // One export per hive type, each with a key known to exist in the sample hive. Only the success flag
            // is asserted; the generated .reg files are not inspected here.
            void ExportOnDemand(string hivePath, string keyPath, HiveTypeEnum hiveType, string outputFile)
            {
                var hive = new RegistryHiveOnDemand(hivePath);
                var key  = hive.GetKey(keyPath);

                Check.That(Helpers.ExportToReg(outputFile, key, hiveType, false)).IsTrue();
            }

            ExportOnDemand(@"..\..\..\Hives\SAM",
                           @"SAM\Domains\Account",
                           HiveTypeEnum.Sam,
                           @"exportSamTest.reg");

            ExportOnDemand(@"..\..\..\Hives\NTUSER1.DAT",
                           @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Console",
                           HiveTypeEnum.NtUser,
                           @"exportntuser1Test.reg");

            ExportOnDemand(@"..\..\..\Hives\SECURITY",
                           @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Policy\Accounts\S-1-5-9",
                           HiveTypeEnum.Security,
                           @"exportsecTest.reg");

            ExportOnDemand(@"..\..\..\Hives\SYSTEM",
                           @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Enum\ACPI\PNP0C02\1",
                           HiveTypeEnum.System,
                           @"exportsysTest.reg");

            ExportOnDemand(@"..\..\..\Hives\UsrClass FTP.dat",
                           @"S-1-5-21-2417227394-2575385136-2411922467-1105_Classes\.3g2",
                           HiveTypeEnum.UsrClass,
                           @"exportusrTest.reg");

            ExportOnDemand(@"..\..\..\Hives\SAM_DUPENAME",
                           @"SAM\SAM\Domains\Account\Aliases\000003E9",
                           HiveTypeEnum.Other,
                           @"exportotherTest.reg");

            // The last case uses a fully parsed hive with deleted-record recovery switched on (presumably because
            // the BagMRU\1 key is a recovered key — confirm against the sample) and keeps the record lists around.
            var usrclassDeleted = new RegistryHive(@"..\..\..\Hives\UsrClassDeletedBags.dat")
            {
                RecoverDeleted             = true,
                FlushRecordListsAfterParse = false
            };
            usrclassDeleted.ParseHive();

            var bagKey = usrclassDeleted.GetKey(@"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1");

            Check.That(Helpers.ExportToReg(@"exportDeletedTest.reg", bagKey, HiveTypeEnum.UsrClass, false)).IsTrue();
        }
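        /// <summary>
        /// Scans every hive file under <c>_registryPath</c> whose name matches the configured hive, opens the
        /// configured key in each and reports every sub key that carries a "StubPath" value (Active Setup
        /// "Installed Components" style entries) to <see cref="ProcessEntry"/>.
        /// </summary>
        /// <param name="config">Hive file name pattern, key path and entry type to scan for.</param>
        private void EnumerateBinaryFromStubPath(Config config)
        {
            foreach (string file in System.IO.Directory.EnumerateFiles(_registryPath,
                                                                       config.Hive.GetEnumDescription(),
                                                                       SearchOption.AllDirectories))
            {
                RegistryHiveOnDemand registry = OpenRegistry(file);
                if (registry == null)
                {
                    continue;
                }

                RegistryKey regKey = registry.GetKey(config.Path);
                if (regKey == null)
                {
                    continue;
                }

                foreach (RegistryKey subKey in regKey.SubKeys)
                {
                    // The sub key is re-opened by path (presumably so its values are loaded on an on-demand hive);
                    // a key that fails to open is skipped instead of being dereferenced.
                    RegistryKey childKey = registry.GetKey(subKey.KeyPath);
                    if (childKey == null)
                    {
                        continue;
                    }

                    // One case-insensitive lookup instead of two ToLower() scans; FirstOrDefault so duplicate value
                    // names in a damaged hive do not abort the scan with an InvalidOperationException.
                    var stubPath = childKey.Values.FirstOrDefault(v => string.Equals(v.ValueName, "stubpath", StringComparison.OrdinalIgnoreCase));
                    if (stubPath == null)
                    {
                        continue;
                    }

                    // NOTE(review): "HLKM" below looks like a typo for "HKLM" (the hive prefix used elsewhere in this
                    // scanner). It is kept byte-for-byte because the string ends up in the report output — confirm
                    // no consumer depends on it before correcting.
                    ProcessEntry(stubPath.ValueData,
                                 @"HLKM\" + config.Hive.GetEnumDescription() + @"\" + config.Path + @"\" + childKey.KeyName,
                                 config.Type,
                                 @"HLKM\Software\Microsoft\Active Setup\Installed Components\" + childKey.KeyName,
                                 file,
                                 childKey.LastWriteTime);
                }
            }
        }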
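        /// <summary>
        /// Start button handler: shows the options dialog, opens the selected SYSTEM hive and parses USBSTOR from it.
        /// When the hive was taken from the live system it is a temporary copy and is deleted afterwards.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        private void BtnStart_Click(object sender, EventArgs e)
        {
            if (_options.ShowDialog() != DialogResult.OK)
            {
                return;
            }

            string hivePath = _options.SystemHive;

            // Silently do nothing on a blank or missing path; the dialog is the place to report that.
            if (string.IsNullOrWhiteSpace(hivePath) || !File.Exists(hivePath))
            {
                return;
            }

            _hive = new RegistryHiveOnDemand(hivePath);

            ParseUSBStor();

            if (!_options.LiveSystem)
            {
                return;
            }

            // The live-system hive is a temporary copy of SYSTEM, which contains sensitive machine data, so it
            // should not be left behind. Deletion is best-effort: only the failures File.Delete can raise after the
            // File.Exists check above (in-use / permission problems) are caught, and the user is told where the
            // file still is. Anything else is a bug and is allowed to surface.
            // NOTE(review): if RegistryHiveOnDemand keeps the file open, the delete fails here while _hive is
            // alive — confirm whether the hive should be released first.
            try
            {
                File.Delete(hivePath);
            }
            catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException)
            {
                MessageBox.Show("Error deleting temp hive at " + hivePath);
            }
        }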
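        /// <summary>
        /// Extracts the system key from a SYSTEM registry hive.
        /// </summary>
        /// <remarks>
        /// The key is stored scrambled as the hex-encoded class names of the four
        /// <c>ControlSetNNN\Control\Lsa\{JD,Skew1,GBG,Data}</c> keys, concatenated in that order; the bytes are then
        /// permuted with <c>SYSTEMKEYTRANSFORMS</c> to obtain the real 16 byte key.
        /// </remarks>
        /// <param name="systemHivePath">The file path of the SYSTEM registry hive.</param>
        /// <returns>A byte array containing the 16 byte system key.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="systemHivePath"/> is null.</exception>
        /// <exception cref="InvalidOperationException">
        /// The Select key, its Current value or one of the four Lsa keys is missing from the hive.
        /// </exception>
        /// <exception cref="FormatException">
        /// A class name is not hex, the Current value is not an integer, or the scrambled key is not 16 bytes long.
        /// </exception>
        public static byte[] LoadSystemKeyFromHive(string systemHivePath)
        {
            systemHivePath = systemHivePath ?? throw new ArgumentNullException(nameof(systemHivePath));

            // The permutation table is defined for exactly this many bytes; anything else means a damaged or
            // unexpected hive and would otherwise surface as an IndexOutOfRangeException in the loop below.
            const int systemKeyLength = 16;

            // Load the registry hive
            var hive = new RegistryHiveOnDemand(systemHivePath);

            // Get the current control set. Look the value up by name: Values[0] only works while "Current"
            // happens to be stored first in the Select key, which the hive format does not guarantee.
            var selectKey = hive.GetKey("Select");
            var current   = selectKey?.Values.FirstOrDefault(v => v.ValueName == "Current");

            if (current == null)
            {
                throw new InvalidOperationException("Select\\Current value not found in hive.");
            }

            var currentControlSetVersion = int.Parse(current.ValueData, CultureInfo.InvariantCulture);

            // Concatenate the hex-encoded class names of the four key parts; the key order matters.
            var scrambledKeyList = new List<byte>();

            foreach (var keyName in new[] { "JD", "Skew1", "GBG", "Data" })
            {
                // Control sets are named with three digits (ControlSet001), so D3 rather than "00{n}".
                var keyPath = Invariant($"ControlSet{currentControlSetVersion:D3}\\Control\\Lsa\\{keyName}");
                var key     = hive.GetKey(keyPath);

                if (key == null)
                {
                    throw new InvalidOperationException(Invariant($"Key '{keyPath}' not found in hive."));
                }

                var className = key.ClassName ?? string.Empty;

                // Two hex digits per byte; Convert.ToByte throws FormatException on anything that is not hex.
                for (var pos = 0; pos + 1 < className.Length; pos += 2)
                {
                    scrambledKeyList.Add(Convert.ToByte(className.Substring(pos, 2), 16));
                }
            }

            var scrambledKey = scrambledKeyList.ToArray();

            if (scrambledKey.Length != systemKeyLength)
            {
                throw new FormatException(Invariant($"Scrambled system key has {scrambledKey.Length} bytes, expected {systemKeyLength}."));
            }

            // Unscramble the system key based on the known transforms
            var systemKey = new byte[scrambledKey.Length];

            for (var i = 0; i < scrambledKey.Length; i++)
            {
                systemKey[i] = scrambledKey[SYSTEMKEYTRANSFORMS[i]];
            }

            return systemKey;
        }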
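        public void TestVkRecordRegNone()
        {
            // REG_NONE "(default)" value in the SAM sample. Note the hive path is relative to the current directory
            // (".\Hives\SAM"), unlike the "..\..\..\Hives" form used by the sibling tests; kept as-is.
            var samOnDemand = new RegistryHiveOnDemand(@".\Hives\SAM");
            var key         =
                samOnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(e => e.ValueName == "(default)");

            Check.That(val).IsNotNull();

            // IsEqualTo throughout: on an NFluent check object, Equals(...) is the obsolete object overload rather
            // than the fluent assertion, so depending on the NFluent version a mismatch there may never fail the test.
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0x270);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x1270);
            Check.That(val.VkRecord.Size).IsEqualTo(-24);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(0x00);
            Check.That(val.VkRecord.NameLength).IsEqualTo(0);
            Check.That(val.VkRecord.ValueName).IsEqualTo("(default)");
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegNone);
            Check.That(val.VkRecord.DataLength).IsEqualTo(0x80000000);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo((uint)0x0);
            Check.That(val.VkRecord.Padding.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueData).IsInstanceOf <byte[]>();
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueDataRaw.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ToString()).IsNotEmpty();
        }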
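        public void TestVkRecordRegUnknown()
        {
            // Unnamed value with an unrecognised type id (513) in the SAM_hasBigEndianDWord sample: expected to be
            // exposed as RegUnknown with its data kept as raw bytes.
            var samHasBigEndianOnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM_hasBigEndianDWord");
            var key = samHasBigEndianOnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Account\Groups\Names\None");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(e => e.ValueName == string.Empty);

            Check.That(val).IsNotNull();

            // IsEqualTo throughout: on an NFluent check object, Equals(...) is the obsolete object overload rather
            // than the fluent assertion, so depending on the NFluent version a mismatch there may never fail the test.
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0x1248);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x2248);
            Check.That(val.VkRecord.Size).IsEqualTo(-24);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(0x0);
            Check.That(val.VkRecord.NameLength).IsEqualTo(0);
            Check.That(val.VkRecord.ValueName).IsEmpty();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegUnknown);
            Check.That(val.VkRecord.DataTypeRaw).IsEqualTo(513);
            Check.That(val.VkRecord.DataLength).IsEqualTo(0x80000000);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo((uint)0);
            Check.That(val.VkRecord.Padding.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueData).IsInstanceOf <byte[]>();
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueDataRaw.Length).IsEqualTo(4);
            Check.That(val.VkRecord.ToString()).IsNotEmpty();
        }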
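        /// <summary>
        /// Loads the AppCompatCache blob from a SYSTEM hive and initialises this instance from it.
        /// </summary>
        /// <param name="filename">Path of the SYSTEM hive to read.</param>
        /// <exception cref="ArgumentNullException"><paramref name="filename"/> is null.</exception>
        /// <exception cref="FileNotFoundException">The hive file does not exist.</exception>
        /// <exception cref="InvalidOperationException">The hive has no Select key or no Select\Current value.</exception>
        /// <remarks>
        /// When the hive carries no AppCompatCache value the constructor writes a message to the console and returns
        /// without calling <c>Init</c>, leaving the instance uninitialised — existing behaviour, kept for callers.
        /// </remarks>
        public AppCompatCache(string filename)
        {
            if (filename == null)
            {
                throw new ArgumentNullException(nameof(filename));
            }

            if (!File.Exists(filename))
            {
                // Message text kept as-is; the path travels in the exception's FileName property instead.
                throw new FileNotFoundException($"File not found ((unknown))!", filename);
            }

            var hive      = new RegistryHiveOnDemand(filename);
            var selectKey = hive.GetKey("Select");

            // Guard the Select key: a non-SYSTEM or truncated hive would otherwise fail with a NullReferenceException.
            var current = selectKey?.Values.FirstOrDefault(c => c.ValueName == "Current");

            if (current == null)
            {
                throw new InvalidOperationException("Select\\Current value not found; is this a SYSTEM hive?");
            }

            var currentCtlSet = int.Parse(current.ValueData, System.Globalization.CultureInfo.InvariantCulture);

            // Control sets are named with three digits (ControlSet001), so D3 rather than "00{n}".
            var cacheKey = hive.GetKey($@"ControlSet{currentCtlSet:D3}\Control\Session Manager\AppCompatCache");
            var cacheVal = cacheKey?.Values.FirstOrDefault(c => c.ValueName == "AppCompatCache");

            byte[] rawBytes = cacheVal?.ValueDataRaw;

            if (rawBytes == null)
            {
                Console.WriteLine(@"'AppCompatCache' value not found! Exiting");
                return;
            }

            var    is32         = Is32Bit(filename);
            string computerName = ComputerName(filename);

            Init(rawBytes, is32, computerName);
        }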
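        public void TestVkRecordRegMultiSz()
        {
            // REG_MULTI_SZ value in the UsrClassDeletedBags sample; the two entries are expected to be joined with a
            // single space in ValueData.
            var usrClassDeletedBagsOnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\UsrClassDeletedBags.dat");
            var key = usrClassDeletedBagsOnDemand.GetKey(@"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\MuiCache\6\52C64B7E");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(e => e.ValueName == "LanguageList");

            Check.That(val).IsNotNull();

            // IsEqualTo throughout: on an NFluent check object, Equals(...) is the obsolete object overload rather
            // than the fluent assertion, so depending on the NFluent version a mismatch there may never fail the test.
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0x5f0);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x15f0);
            Check.That(val.VkRecord.Size).IsEqualTo(-40);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(0x01);
            Check.That(val.VkRecord.NameLength).IsEqualTo(0xC);
            Check.That(val.VkRecord.ValueName).IsEqualTo("LanguageList");
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
            Check.That(val.VkRecord.DataLength).IsEqualTo((uint)0x14);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo((uint)0xf70);
            Check.That(val.ValueData).IsEqualTo("en-US en");
            Check.That(val.VkRecord.Padding.Length).IsEqualTo(4);
            Check.That(val.VkRecord.ValueData).IsInstanceOf <string>();
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueDataRaw.Length).IsEqualTo(20);
            Check.That(val.VkRecord.ToString()).IsNotEmpty();
        }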
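        /// <summary>
        /// Scans every hive file under <c>_registryPath</c> whose name matches the configured hive, opens the
        /// configured key in each and hands a non-empty "AppInit_DLLs" value to <see cref="ParseAppInitDll"/>
        /// together with the hive file and the key's last-write time.
        /// </summary>
        /// <param name="config">Hive file name pattern and key path to scan.</param>
        private void EnumerateAppInitDlls(Config config)
        {
            foreach (string file in System.IO.Directory.EnumerateFiles(_registryPath,
                                                                       config.Hive.GetEnumDescription(),
                                                                       SearchOption.AllDirectories))
            {
                RegistryHiveOnDemand registry = OpenRegistry(file);
                if (registry == null)
                {
                    continue;
                }

                RegistryKey regKey = OpenKey(registry, config.Path);
                if (regKey == null)
                {
                    continue;
                }

                // One case-insensitive lookup instead of three ToLower() scans; FirstOrDefault so duplicate value
                // names in a damaged hive do not abort the scan with an InvalidOperationException.
                var appInitDlls = regKey.Values.FirstOrDefault(v => string.Equals(v.ValueName, "appinit_dlls", StringComparison.OrdinalIgnoreCase));

                // Missing value, null data and empty data are all "nothing to report".
                if (string.IsNullOrEmpty(appInitDlls?.ValueData))
                {
                    continue;
                }

                ParseAppInitDll(config.Path, appInitDlls.ValueData, file, regKey.LastWriteTime);
            }
        }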
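        public void TestVkRecordRegBinary()
        {
            // REG_BINARY "F" value under SAM\Domains\Account; checks the vk cell layout and that 240 raw bytes are read.
            var samOnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");
            var key         = samOnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Account");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(e => e.ValueName == "F");

            Check.That(val).IsNotNull();

            // IsEqualTo throughout: on an NFluent check object, Equals(...) is the obsolete object overload rather
            // than the fluent assertion, so depending on the NFluent version a mismatch there may never fail the test.
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0x3078);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x4078);
            Check.That(val.VkRecord.Size).IsEqualTo(-32);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(0x01);
            Check.That(val.VkRecord.NameLength).IsEqualTo(1);
            Check.That(val.VkRecord.ValueName).IsEqualTo("F");
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegBinary);
            Check.That(val.VkRecord.DataLength).IsEqualTo((uint)0xf0);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo((uint)0x3098);
            Check.That(val.VkRecord.Padding.Length).IsEqualTo(7);
            Check.That(val.VkRecord.ValueData).IsInstanceOf <byte[]>();
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(4);
            Check.That(val.VkRecord.ValueDataRaw.Length).IsEqualTo(240);
            Check.That(val.VkRecord.ToString()).IsNotEmpty();
        }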
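        public void TestVkRecordRegDWord()
        {
            // REG_DWORD value stored inline (DataLength has the high bit set and OffsetToData holds the data itself,
            // as the 0x80000004 / 0x07 / "7" expectations below show).
            var samOnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");
            var key         = samOnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\LastSkuUpgrade");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(e => e.ValueName == string.Empty);

            Check.That(val).IsNotNull();

            // IsEqualTo throughout: on an NFluent check object, Equals(...) is the obsolete object overload rather
            // than the fluent assertion, so depending on the NFluent version a mismatch there may never fail the test.
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0x258);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x1258);
            Check.That(val.VkRecord.Size).IsEqualTo(-24);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(0x00);
            Check.That(val.VkRecord.NameLength).IsEqualTo(0);
            Check.That(val.VkRecord.ValueName).IsEmpty();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
            Check.That(val.VkRecord.DataLength).IsEqualTo(0x80000004);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo((uint)0x07);
            Check.That(val.ValueData).IsEqualTo("7");
            Check.That(val.VkRecord.Padding.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueData).IsInstanceOf <uint>();
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueDataRaw.Length).IsEqualTo(4);
            Check.That(val.VkRecord.ToString()).IsNotEmpty();
        }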
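        public void TestVkRecordQWordWithLengthOfZero()
        {
            // REG_QWORD value whose data length is zero: the parser is expected to yield 0 rather than fail.
            var samDupeNameOnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM_DUPENAME");
            var key = samDupeNameOnDemand.GetKey(@"SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-4271176276-4210259494-4108073714");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(e => e.ValueName == string.Empty);

            Check.That(val).IsNotNull();

            // IsEqualTo throughout: on an NFluent check object, Equals(...) is the obsolete object overload rather
            // than the fluent assertion, so depending on the NFluent version a mismatch there may never fail the test.
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0xA88);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x1A88);
            Check.That(val.VkRecord.Size).IsEqualTo(-24);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(0x0);
            Check.That(val.VkRecord.NameLength).IsEqualTo(0x0);
            Check.That(val.VkRecord.ValueName).IsEmpty();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
            Check.That(val.VkRecord.DataTypeRaw).IsEqualTo(11);
            Check.That(val.VkRecord.DataLength).IsEqualTo(0x80000000);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo((uint)0);
            Check.That(val.VkRecord.Padding.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueData).IsInstanceOf <ulong>();
            Check.That(val.VkRecord.ValueData).IsEqualTo((ulong)0);
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueDataRaw.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ToString()).IsNotEmpty();
        }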
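        public void TestVkRecordFileTimeRegType()
        {
            // Value with raw type 0x0010 in the SYSTEM sample: expected to be recognised as RegFileTime and decoded
            // to a DateTimeOffset.
            var systemOnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\SYSTEM");
            var key            = systemOnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0008");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(e => e.ValueName == "en-US");

            Check.That(val).IsNotNull();

            // IsEqualTo throughout: on an NFluent check object, Equals(...) is the obsolete object overload rather
            // than the fluent assertion, so depending on the NFluent version a mismatch there may never fail the test.
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0x78170);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x79170);
            Check.That(val.VkRecord.Size).IsEqualTo(-32);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(0x1);
            Check.That(val.VkRecord.NameLength).IsEqualTo(0x5);
            Check.That(val.VkRecord.ValueName).IsEqualTo("en-US");
            Check.That(val.VkRecord.ValueData).IsInstanceOf <DateTimeOffset>();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegFileTime);
            Check.That(val.VkRecord.DataTypeRaw).IsEqualTo(0x0010);
            Check.That(val.VkRecord.DataLength).IsEqualTo((uint)0x8);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo((uint)0x77d78);
            Check.That(val.VkRecord.Padding.Length).IsEqualTo(3);
            Check.That(val.VkRecord.ValueDataRaw.Length).IsEqualTo(8);
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(4);
            Check.That(val.VkRecord.ToString()).IsNotEmpty();
        }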
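        public void TestVkRecordRegSz()
        {
            // REG_SZ value stored inline (DataLength has the high bit set, the 4 data bytes live in OffsetToData).
            var samOnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");
            var key         = samOnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-727398572-3617256236-2003601904\00000201");

            Check.That(key).IsNotNull();

            var val = key.Values.Single(e => e.ValueName == string.Empty);

            Check.That(val).IsNotNull();

            // IsEqualTo throughout: on an NFluent check object, Equals(...) is the obsolete object overload rather
            // than the fluent assertion, so depending on the NFluent version a mismatch there may never fail the test.
            Check.That(val.VkRecord.RelativeOffset).IsEqualTo(0xFE0);
            Check.That(val.VkRecord.AbsoluteOffset).IsEqualTo(0x1FE0);
            Check.That(val.VkRecord.Size).IsEqualTo(-24);
            Check.That(val.VkRecord.Signature).IsEqualTo("vk");
            Check.That(val.VkRecord.IsFree).IsFalse();
            Check.That(val.VkRecord.NamePresentFlag).IsEqualTo(0x00);
            Check.That(val.VkRecord.NameLength).IsEqualTo(0);
            Check.That(val.VkRecord.ValueName).IsEmpty();
            Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
            Check.That(val.VkRecord.DataLength).IsEqualTo(0x80000004);
            Check.That(val.VkRecord.OffsetToData).IsEqualTo((uint)0x0221);
            Check.That(val.VkRecord.Padding.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueData).IsInstanceOf <string>();
            Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(0);
            Check.That(val.VkRecord.ValueDataRaw.Length).IsEqualTo(4);
            Check.That(val.VkRecord.ToString()).IsNotEmpty();
        }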
        /// <summary>
        /// REG_MULTI_SZ values are decoded to a single space-joined string, both from an
        /// on-demand hive and from fully parsed hives (including one with recovered deleted
        /// records), and the slack length after the data is reported correctly.
        /// </summary>
        public void ShouldFindRegMultiSzValues()
        {
            // On-demand NTUSER hive: the user's language list.
            var ntUserHive = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");
            var regKey = ntUserHive.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\International\User Profile");

            Check.That(regKey).IsNotNull();

            var regValue = regKey.Values.Single(kv => kv.ValueName == "Languages");

            Check.That(regValue).IsNotNull();
            Check.That(regValue.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
            Check.That(regValue.VkRecord.ValueData).IsEqualTo("en-US");
            Check.That(regValue.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

            // Fully parsed UsrClass hive with deleted-record recovery: a MuiCache language list.
            var acronisUsrClass = new RegistryHive(@"..\..\..\Hives\Acronis_0x52_Usrclass.dat")
            {
                RecoverDeleted = true,
                FlushRecordListsAfterParse = false
            };
            acronisUsrClass.ParseHive();

            regKey = acronisUsrClass.GetKey(@"S-1-5-21-3851833874-1800822990-1357392098-1000_Classes\Local Settings\MuiCache\12\52C64B7E");

            Check.That(regKey).IsNotNull();

            regValue = regKey.Values.Single(kv => kv.ValueName == "LanguageList");

            Check.That(regValue).IsNotNull();
            Check.That(regValue.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
            Check.That(regValue.VkRecord.ValueData).IsEqualTo("en-US en");
            Check.That(regValue.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

            // BCD hive: two "Element" values whose data is a list of GUIDs, each with trailing slack.
            var bcdHive = new RegistryHive(@"..\..\..\Hives\BCD")
            {
                FlushRecordListsAfterParse = false,
                RecoverDeleted = true
            };
            bcdHive.ParseHive();

            regKey = bcdHive.GetKey(@"System\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\14000006");

            Check.That(regKey).IsNotNull();

            regValue = regKey.Values.Single(kv => kv.ValueName == "Element");

            Check.That(regValue).IsNotNull();
            Check.That(regValue.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
            Check.That(regValue.VkRecord.ValueData).IsEqualTo("{4636856e-540f-4170-a130-a84776f4c654} {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}");
            Check.That(regValue.VkRecord.ValueDataSlack.Length).IsEqualTo(6);

            regKey = bcdHive.GetKey(@"System\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\14000006");

            Check.That(regKey).IsNotNull();

            regValue = regKey.Values.Single(kv => kv.ValueName == "Element");

            Check.That(regValue).IsNotNull();
            Check.That(regValue.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
            Check.That(regValue.VkRecord.ValueData).IsEqualTo("{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}");
            Check.That(regValue.VkRecord.ValueDataSlack.Length).IsEqualTo(84);
        }
        /// <summary>
        /// A deep key path in the FTP UsrClass hive, given with its root key name, resolves.
        /// </summary>
        public void TestsListRecordsContinued3()
        {
            var ftpUsrClass = new RegistryHiveOnDemand(@"..\..\..\Hives\UsrClass FTP.dat");

            Check.That(ftpUsrClass.GetKey(@"S-1-5-21-2417227394-2575385136-2411922467-1105_Classes\ActivatableClasses\CLSID")).IsNotNull();
        }
        /// <summary>
        /// Key lookup ignores case and accepts a path that omits the hive's root key name.
        /// </summary>
        public void ShouldFindKeyWithMixedCaseNameWithoutRootName()
        {
            var ftpUsrClass = new RegistryHiveOnDemand(@"..\..\..\Hives\UsrClass FTP.dat");

            // Deliberately mixed case and no leading "<SID>_Classes" segment.
            Check.That(ftpUsrClass.GetKey(@"ActivAtableClasses\CLsID")).IsNotNull();
        }
        /// <summary>
        /// Key lookup ignores case in every path segment, including the root key name.
        /// </summary>
        public void ShouldFindKeyWithMixedCaseName()
        {
            var ftpUsrClass = new RegistryHiveOnDemand(@"..\..\..\Hives\UsrClass FTP.dat");

            Check.That(ftpUsrClass.GetKey(@"S-1-5-21-2417227394-2575385136-2411922467-1105_CLAsses\ActivAtableClasses\CLsID")).IsNotNull();
        }
        /// <summary>
        /// REG_DWORD values from several NTUSER keys decode to the expected <c>uint</c>
        /// and never leave slack bytes behind the 4-byte payload.
        /// </summary>
        public void ShouldFindRegDWordValues()
        {
            var ntUserHive = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");
            const string root = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}";

            var regKey = ntUserHive.GetKey(root + @"\Software\Microsoft\Wisp\Pen\SysEventParameters");
            Check.That(regKey).IsNotNull();

            var dword = regKey.Values.Single(kv => kv.ValueName == "DblDist");
            Check.That(dword).IsNotNull();
            Check.That(dword.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
            Check.That(dword.VkRecord.ValueData).IsEqualTo((uint)20);
            Check.That(dword.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

            regKey = ntUserHive.GetKey(root + @"\Software\Microsoft\Windows NT\CurrentVersion\Windows");
            Check.That(regKey).IsNotNull();

            dword = regKey.Values.Single(kv => kv.ValueName == "UserSelectedDefault");
            Check.That(dword).IsNotNull();
            Check.That(dword.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
            Check.That(dword.VkRecord.ValueData).IsEqualTo((uint)0);
            Check.That(dword.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

            regKey = ntUserHive.GetKey(root + @"\Software\Microsoft\Windows NT\CurrentVersion\MsiCorruptedFileRecovery\RepairedProducts");
            Check.That(regKey).IsNotNull();

            dword = regKey.Values.Single(kv => kv.ValueName == "TimeWindowMinutes");
            Check.That(dword).IsNotNull();
            Check.That(dword.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
            Check.That(dword.VkRecord.ValueData).IsEqualTo((uint)1440);
            Check.That(dword.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

            regKey = ntUserHive.GetKey(root + @"\Software\Microsoft\Windows\Windows Error Reporting");
            Check.That(regKey).IsNotNull();

            dword = regKey.Values.Single(kv => kv.ValueName == "MaxArchiveCount");
            Check.That(dword).IsNotNull();
            Check.That(dword.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
            Check.That(dword.VkRecord.ValueData).IsEqualTo((uint)500);
            Check.That(dword.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

            regKey = ntUserHive.GetKey(root + @"\Console");
            Check.That(regKey).IsNotNull();

            dword = regKey.Values.Single(kv => kv.ValueName == "ColorTable11");
            Check.That(dword).IsNotNull();
            Check.That(dword.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
            Check.That(dword.VkRecord.ValueData).IsEqualTo((uint)16776960);
            Check.That(dword.VkRecord.ValueDataSlack.Length).IsEqualTo(0);
        }
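        /// <summary>
        /// Recursively walks a registry key and its subkeys. Every subkey whose name is numeric
        /// is wrapped in a <see cref="RegistryKeyWrapper"/> together with the raw data of the
        /// parent's value of the same name; subkeys named "Associations" are skipped entirely.
        /// Keys that cannot be opened or wrapped are logged and skipped, never fatal: the
        /// hive is offline, possibly partial or malformed data.
        /// </summary>
        /// <param name="rk">the root registry key to start iterating over; null yields an empty list</param>
        /// <param name="hive">the offline registry hive the subkeys are read from</param>
        /// <param name="subKey">the path of the first subkey under the root key</param>
        /// <param name="parent">the wrapper of the enclosing key, handed to every wrapper created here (may be null)</param>
        /// <param name="path_prefix">the header to the current root key, needed for identification of the registry store</param>
        /// <returns>all wrappers created for this key's subtree, each parent before its descendants</returns>
        private static List <RegistryKeyWrapper> IterateRegistry(RegistryKey rk, RegistryHiveOnDemand hive, string subKey, RegistryKeyWrapper parent, string path_prefix)
        {
            var retList = new List <RegistryKeyWrapper>();

            if (rk == null)
            {
                return retList;
            }

            foreach (RegistryKey child in rk.SubKeys)
            {
                // Ordinal, case-insensitive match: the previous ToUpper() == "ASSOCIATIONS" form
                // is culture-sensitive (it does not match under e.g. tr-TR because of the dotted I).
                if (string.Equals(child.KeyName, "ASSOCIATIONS", StringComparison.OrdinalIgnoreCase))
                {
                    continue;
                }

                string sk = getSubkeyString(subKey, child.KeyName);
                logger.Trace("{0}", sk);

                RegistryKey rkNext;
                try
                {
                    rkNext = hive.GetKey(getSubkeyString(rk.KeyPath, child.KeyName));
                }
                catch (System.Security.SecurityException ex)
                {
                    logger.Warn("ACCESS DENIED: " + ex.Message);
                    continue;
                }

                RegistryKeyWrapper rkNextWrapper = null;

                // Only numerically named subkeys carry a payload: the raw data of the parent's
                // value with the same name.
                if (int.TryParse(child.KeyName, out _))
                {
                    try
                    {
                        KeyValue rkValue = rk.Values.First(val => val.ValueName == child.KeyName);
                        rkNextWrapper = new RegistryKeyWrapper(rkNext, rkValue.ValueDataRaw, hive, parent);
                        retList.Add(rkNextWrapper);
                    }
                    catch (OverrunBufferException ex)
                    {
                        // Truncated or malformed value data in the hive: skip this entry, keep walking.
                        logger.Warn("OverrunBufferException: " + child.KeyName + ": " + ex.Message);
                    }
                    catch (Exception ex)
                    {
                        // Also covers First() throwing when the parent has no value named like the
                        // subkey. The exception message is logged so the skip is diagnosable.
                        logger.Warn(child.KeyName + ": " + ex.Message);
                    }
                }

                // Recurse whether or not this child was wrapped; a null rkNext stops at the guard above.
                retList.AddRange(IterateRegistry(rkNext, hive, sk, rkNextWrapper, path_prefix));
            }

            return retList;
        }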
        /// <summary>
        /// REG_SZ values from several NTUSER keys decode to the expected strings, including an
        /// empty one, and the slack length after the terminated string is reported correctly.
        /// </summary>
        public void ShouldFindRegSzValues()
        {
            var ntUserHive = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");
            const string root = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}";

            var regKey = ntUserHive.GetKey(root + @"\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}");
            Check.That(regKey).IsNotNull();

            var sz = regKey.Values.Single(kv => kv.ValueName == "Default");
            Check.That(sz).IsNotNull();
            Check.That(sz.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
            Check.That(sz.VkRecord.ValueData).IsEqualTo("{00000000-0000-0000-0000-000000000000}");
            Check.That(sz.VkRecord.ValueDataSlack.Length).IsEqualTo(6);

            regKey = ntUserHive.GetKey(root + @"\Software\Microsoft\CTF\SortOrder\Language");
            Check.That(regKey).IsNotNull();

            sz = regKey.Values.Single(kv => kv.ValueName == "00000000");
            Check.That(sz).IsNotNull();
            Check.That(sz.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
            Check.That(sz.VkRecord.ValueData).IsEqualTo("00000409");
            Check.That(sz.VkRecord.ValueDataSlack.Length).IsEqualTo(2);

            // An empty REG_SZ: no data, no slack.
            regKey = ntUserHive.GetKey(root + @"\Software\Microsoft\Speech\Preferences\AppCompatDisableDictation");
            Check.That(regKey).IsNotNull();

            sz = regKey.Values.Single(kv => kv.ValueName == "dwm.exe");
            Check.That(sz).IsNotNull();
            Check.That(sz.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
            Check.That(sz.VkRecord.ValueData).IsEqualTo("");
            Check.That(sz.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

            regKey = ntUserHive.GetKey(root + @"\EUDC\932");
            Check.That(regKey).IsNotNull();

            sz = regKey.Values.Single(kv => kv.ValueName == "SystemDefaultEUDCFont");
            Check.That(sz).IsNotNull();
            Check.That(sz.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
            Check.That(sz.VkRecord.ValueData).IsEqualTo("EUDC.TTE");
            Check.That(sz.VkRecord.ValueDataSlack.Length).IsEqualTo(2);

            regKey = ntUserHive.GetKey(root + @"\Control Panel\PowerCfg\PowerPolicies\4");
            Check.That(regKey).IsNotNull();

            sz = regKey.Values.Single(kv => kv.ValueName == "Description");
            Check.That(sz).IsNotNull();
            Check.That(sz.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
            Check.That(sz.VkRecord.ValueData).IsEqualTo("This scheme keeps the computer on and optimizes it for high performance.");
            Check.That(sz.VkRecord.ValueDataSlack.Length).IsEqualTo(2);
        }
        /// <summary>
        /// REG_EXPAND_SZ values are returned verbatim (environment variables such as
        /// %SystemRoot% are not expanded) and the slack after the string is measured.
        /// </summary>
        public void ShouldFindRegExpandSzValues()
        {
            var ntUserHive = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");
            const string root = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}";

            var regKey = ntUserHive.GetKey(root + @"\Environment");
            Check.That(regKey).IsNotNull();

            var expandSz = regKey.Values.Single(kv => kv.ValueName == "TEMP");
            Check.That(expandSz).IsNotNull();
            Check.That(expandSz.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
            Check.That(expandSz.VkRecord.ValueData).IsEqualTo(@"%USERPROFILE%\AppData\Local\Temp");
            Check.That(expandSz.VkRecord.ValueDataSlack.Length).IsEqualTo(2);

            regKey = ntUserHive.GetKey(root + @"\Control Panel\Cursors");
            Check.That(regKey).IsNotNull();

            expandSz = regKey.Values.Single(kv => kv.ValueName == "Arrow");
            Check.That(expandSz).IsNotNull();
            Check.That(expandSz.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
            Check.That(expandSz.VkRecord.ValueData).IsEqualTo(@"%SystemRoot%\cursors\aero_arrow.cur");
            Check.That(expandSz.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

            // The default value of the key, looked up by its empty name.
            regKey = ntUserHive.GetKey(root + @"\AppEvents\Schemes\Apps\.Default\WindowsUAC\.Current");
            Check.That(regKey).IsNotNull();

            expandSz = regKey.Values.Single(kv => kv.ValueName == string.Empty);
            Check.That(expandSz).IsNotNull();
            Check.That(expandSz.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
            Check.That(expandSz.VkRecord.ValueData).IsEqualTo(@"%SystemRoot%\media\Windows User Account Control.wav");
            Check.That(expandSz.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

            regKey = ntUserHive.GetKey(root + @"\Software\Microsoft\Windows\CurrentVersion\Themes");
            Check.That(regKey).IsNotNull();

            expandSz = regKey.Values.Single(kv => kv.ValueName == "LastHighContrastTheme");
            Check.That(expandSz).IsNotNull();
            Check.That(expandSz.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
            Check.That(expandSz.VkRecord.ValueData).IsEqualTo(@"%SystemRoot%\resources\Ease of Access Themes\hcblack.theme");
            Check.That(expandSz.VkRecord.ValueDataSlack.Length).IsEqualTo(6);

            regKey = ntUserHive.GetKey(root + @"\Software\Microsoft\Windows\CurrentVersion\ThemeManager");
            Check.That(regKey).IsNotNull();

            expandSz = regKey.Values.Single(kv => kv.ValueName == "DllName");
            Check.That(expandSz).IsNotNull();
            Check.That(expandSz.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
            Check.That(expandSz.VkRecord.ValueData).IsEqualTo(@"%SystemRoot%\resources\themes\Aero\Aero.msstyles");
            Check.That(expandSz.VkRecord.ValueDataSlack.Length).IsEqualTo(2);
        }
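        /// <summary>
        /// A hive constructed from an in-memory byte array parses its header, reports
        /// "None" as its path (no file backs it) and is recognised as a SAM hive.
        /// </summary>
        public void ShouldTakeByteArrayInConstructor()
        {
            // File.ReadAllBytes opens read-only with FileShare.Read and always releases the
            // handle; the previous FileStream/BinaryReader pair was only closed on the happy
            // path and leaked the open file if ReadBytes threw.
            var fileBytes = File.ReadAllBytes(@"..\..\Hives\SAM");

            var r = new RegistryHiveOnDemand(fileBytes);

            Check.That(r.Header).IsNotNull();
            Check.That(r.HivePath).IsEqualTo("None");
            Check.That(r.HiveType).IsEqualTo(HiveTypeEnum.Sam);
        }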
        /// <summary>
        /// Fixture setup: opens every test hive once. On-demand hives are only constructed;
        /// fully parsed hives get their parse options set and ParseHive() called here, so
        /// individual tests can use them without re-parsing.
        /// </summary>
        public void InitializeObjects()
        {
            Debug.WriteLine("Initializing hives...");

            // On-demand hives (lazy, no up-front parse).
            SamOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\SAM");
            SamHasBigEndianOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\SAM_hasBigEndianDWord");
            SamDupeNameOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\SAM_DUPENAME");
            NtUser1OnDemand = new RegistryHiveOnDemand(@"..\..\Hives\NTUSER1.DAT");
            UsrClassDeletedBagsOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\UsrClassDeletedBags.dat");
            SoftwareOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\SOFTWARE");
            SystemOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\SYSTEM");

            // Fully parsed hives with deleted-record recovery enabled.
            Bcd = new RegistryHive(@"..\..\Hives\BCD")
            {
                FlushRecordListsAfterParse = false,
                RecoverDeleted = true
            };
            Bcd.ParseHive();

            UsrclassDeleted = new RegistryHive(@"..\..\Hives\UsrClassDeletedBags.dat")
            {
                RecoverDeleted = true,
                FlushRecordListsAfterParse = false
            };
            UsrclassDeleted.ParseHive();

            UsrclassAcronis = new RegistryHive(@"..\..\Hives\Acronis_0x52_Usrclass.dat")
            {
                RecoverDeleted = true,
                FlushRecordListsAfterParse = false
            };
            UsrclassAcronis.ParseHive();

            UsrClass1 = new RegistryHive(@"..\..\Hives\UsrClass 1.dat")
            {
                RecoverDeleted = true,
                FlushRecordListsAfterParse = false
            };
            UsrClass1.ParseHive();

            UsrClass1OnDemand = new RegistryHiveOnDemand(@"..\..\Hives\UsrClass 1.dat");

            UsrClassBeef = new RegistryHive(@"..\..\Hives\UsrClass BEEF000E.dat")
            {
                RecoverDeleted = true,
                FlushRecordListsAfterParse = false
            };
            UsrClassBeef.ParseHive();

            // Fully parsed hives without deleted-record recovery.
            NtUserSlack = new RegistryHive(@"..\..\Hives\NTUSER slack.DAT")
            {
                FlushRecordListsAfterParse = false
            };
            NtUserSlack.ParseHive();

            Sam = new RegistryHive(@"..\..\Hives\SAM")
            {
                FlushRecordListsAfterParse = false
            };
            Sam.ParseHive();

            SamRootValue = new RegistryHive(@"..\..\Hives\SAM_RootValue")
            {
                FlushRecordListsAfterParse = false
            };
            SamRootValue.ParseHive();

            Security = new RegistryHiveOnDemand(@"..\..\Hives\SECURITY");
            DriversOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\DRIVERS");

            Drivers = new RegistryHive(@"..\..\Hives\DRIVERS")
            {
                FlushRecordListsAfterParse = false,
                RecoverDeleted = true
            };
            Drivers.ParseHive();

            System = new RegistryHive(@"..\..\Hives\System")
            {
                FlushRecordListsAfterParse = false
            };
            System.ParseHive();

            SanOther = new RegistryHiveOnDemand(@"..\..\Hives\SAN(OTHER)");
            UsrClassFtp = new RegistryHiveOnDemand(@"..\..\Hives\UsrClass FTP.dat");
        }
        /// <summary>
        /// Opening an on-demand hive by file name yields a parsed header.
        /// </summary>
        public void TestFileNameConstructor()
        {
            var samHive = new RegistryHiveOnDemand(@"..\..\Hives\SAM");
            Check.That(samHive.Header).IsNotNull();
        }