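        /// <summary>
        /// Loads the AppCompatCache (ShimCache) blob of one or more control sets from an offline
        /// SYSTEM hive, or from the live registry when <paramref name="filename"/> is empty, and
        /// parses each blob into an entry of <see cref="Caches"/>.
        /// </summary>
        /// <param name="filename">Path of an offline SYSTEM hive; null or empty to read the live registry of this machine.</param>
        /// <param name="controlSet">Control set number to process, or -1 to process every ControlSet00x that holds a cache key.</param>
        /// <exception cref="FileNotFoundException"><paramref name="filename"/> does not exist.</exception>
        /// <exception cref="InvalidOperationException">The requested control set is absent, or the live <c>SYSTEM\Select</c> key cannot be opened.</exception>
        public AppCompatCache(string filename, int controlSet)
        {
            Caches = new List<IAppCompatCache>();

            var log = LogManager.GetCurrentClassLogger();

            if (string.IsNullOrEmpty(filename))
            {
                var localMachine = Microsoft.Win32.Registry.LocalMachine;
                byte[] liveBytes;

                // Windows has used both key names; the first one that opens wins. Keys are disposed
                // once read instead of being left open for the life of the process.
                using (var cacheKey =
                    localMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache") ??
                    localMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility"))
                {
                    if (cacheKey == null)
                    {
                        Console.WriteLine(
                            @"'CurrentControlSet\Control\Session Manager\AppCompatCache' key not found! Exiting");
                        return;
                    }

                    // 'as' rather than a cast: a missing or non-binary value yields null instead of an InvalidCastException.
                    liveBytes = cacheKey.GetValue("AppCompatCache", null) as byte[];
                }

                if (liveBytes == null)
                {
                    Console.WriteLine(@"'AppCompatCache' value not found or not binary! Exiting");
                    return;
                }

                using (var selectKey = localMachine.OpenSubKey(@"SYSTEM\Select"))
                {
                    if (selectKey == null)
                    {
                        throw new InvalidOperationException(@"'SYSTEM\Select' key not found; cannot determine the current control set");
                    }

                    ControlSet = (int)selectKey.GetValue("Current");
                }

                Caches.Add(Init(liveBytes, Is32Bit(filename), ControlSet));
                return;
            }

            ControlSet = controlSet;

            if (!File.Exists(filename))
            {
                throw new FileNotFoundException($"File not found ({filename})!", filename);
            }

            // One on-demand instance serves both the discovery pass and the processing loop.
            var hive = new RegistryHiveOnDemand(filename);

            // Resolves the cache key of one control set, trying the current name before the legacy one.
            // Control set keys carry three digits (ControlSet001 ... ControlSet010), hence D3.
            Func<int, RegistryKey> findCacheKey = id =>
                hive.GetKey($@"ControlSet{id:D3}\Control\Session Manager\AppCompatCache") ??
                hive.GetKey($@"ControlSet{id:D3}\Control\Session Manager\AppCompatibility");

            var controlSetIds = new List<int>();

            if (controlSet == -1)
            {
                for (var i = 0; i < 10; i++)
                {
                    if (findCacheKey(i) != null)
                    {
                        controlSetIds.Add(i);
                    }
                }

                if (controlSetIds.Count > 1)
                {
                    log.Warn(
                        $"***The following ControlSet00x keys will be exported: {string.Join(",", controlSetIds)}. Use -c to process keys individually\r\n");
                }
            }
            else
            {
                // A specific control set was requested; it must exist.
                if (findCacheKey(ControlSet) == null)
                {
                    throw new InvalidOperationException($"Could not find ControlSet{ControlSet:D3}. Exiting");
                }

                controlSetIds.Add(ControlSet);
            }

            var is32 = Is32Bit(filename);

            log.Debug($@"**** Found {controlSetIds.Count} ids to process");

            foreach (var id in controlSetIds)
            {
                log.Debug($@"**** Processing id {id}");

                var subKey = findCacheKey(id);

                log.Debug($@"**** Looking  AppCompatcache value");

                // Scoped per control set so that a missing value can never silently reuse the
                // bytes of the previously processed control set.
                var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");
                var rawBytes = val?.ValueDataRaw;

                if (rawBytes == null)
                {
                    log.Error($@"'AppCompatCache' value not found for 'ControlSet{id:D3}'! Skipping");
                    continue;
                }

                log.Debug($@"**** Found AppCompatcache value");

                Caches.Add(Init(rawBytes, is32, id));
            }
        }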
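        /// <summary>
        /// Resolves the control set Windows marks as current by reading the <c>Current</c>
        /// value of the hive's <c>Select</c> key.
        /// </summary>
        /// <returns>The control set key name in the form <c>Controlset00N</c>.</returns>
        /// <exception cref="InvalidOperationException">
        /// The <c>Select</c> key is absent from the hive, or it carries no single <c>Current</c> value.
        /// </exception>
        private string GetCurrentControlSet()
        {
            const string keyname = @"Select";

            var key = _hive.GetKey(keyname);

            // GetKey yields null for an absent key; fail with a message naming the key instead of a NullReferenceException.
            if (key == null)
            {
                throw new InvalidOperationException($"Key '{keyname}' not found; cannot determine the current control set");
            }

            // SingleOrDefault still throws when the value is duplicated, as Single did.
            var current = key.Values.SingleOrDefault(t => t.ValueName == "Current");

            if (current == null)
            {
                throw new InvalidOperationException($"Value 'Current' not found under key '{keyname}'");
            }

            return $"Controlset00{current.ValueData}";
        }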
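        /// <summary>
        /// Loads the AppCompatCache (ShimCache) blob of one or more control sets from an offline
        /// SYSTEM hive, or from the live registry when <paramref name="filename"/> is empty, and
        /// parses each blob into an entry of <see cref="Caches"/>.
        /// </summary>
        /// <param name="filename">Path of an offline SYSTEM hive; null or empty to read the live registry of this machine.</param>
        /// <param name="controlSet">Control set number to process, or -1 to process every ControlSet00x that holds a cache key.</param>
        /// <param name="noLogs">
        /// When true, a dirty hive (mismatched sequence numbers) with no transaction logs beside it is
        /// parsed anyway; when false, that situation aborts with an exception.
        /// </param>
        /// <exception cref="FileNotFoundException"><paramref name="filename"/> does not exist.</exception>
        /// <exception cref="InvalidOperationException">
        /// The requested control set is absent, the live <c>SYSTEM\Select</c> key cannot be opened, or the hive
        /// is dirty without transaction logs and <paramref name="noLogs"/> is false.
        /// </exception>
        public AppCompatCache(string filename, int controlSet, bool noLogs)
        {
            Caches = new List<IAppCompatCache>();

            var log = LogManager.GetCurrentClassLogger();

            if (string.IsNullOrEmpty(filename))
            {
                var localMachine = Microsoft.Win32.Registry.LocalMachine;
                byte[] liveBytes;

                // Windows has used both key names; the first one that opens wins. Keys are disposed
                // once read instead of being left open for the life of the process.
                using (var cacheKey =
                    localMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache") ??
                    localMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility"))
                {
                    if (cacheKey == null)
                    {
                        Console.WriteLine(
                            @"'CurrentControlSet\Control\Session Manager\AppCompatCache' key not found! Exiting");
                        return;
                    }

                    // 'as' rather than a cast: a missing or non-binary value yields null instead of an InvalidCastException.
                    liveBytes = cacheKey.GetValue("AppCompatCache", null) as byte[];
                }

                if (liveBytes == null)
                {
                    Console.WriteLine(@"'AppCompatCache' value not found or not binary! Exiting");
                    return;
                }

                using (var selectKey = localMachine.OpenSubKey(@"SYSTEM\Select"))
                {
                    if (selectKey == null)
                    {
                        throw new InvalidOperationException(@"'SYSTEM\Select' key not found; cannot determine the current control set");
                    }

                    ControlSet = (int)selectKey.GetValue("Current");
                }

                Caches.Add(Init(liveBytes, Is32Bit(filename), ControlSet));
                return;
            }

            ControlSet = controlSet;

            if (!File.Exists(filename))
            {
                throw new FileNotFoundException($"File not found ({filename})!", filename);
            }

            var hive = new RegistryHive(filename);

            // Mismatched sequence numbers mean the hive was not flushed cleanly ("dirty"); the
            // pending writes live in the transaction logs (<hive>.LOG?) next to it.
            if (hive.Header.PrimarySequenceNumber != hive.Header.SecondarySequenceNumber)
            {
                var hiveBase = Path.GetFileName(filename);
                var dirname = Path.GetDirectoryName(filename);

                if (string.IsNullOrEmpty(dirname))
                {
                    dirname = ".";
                }

                var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

                if (logFiles.Length == 0)
                {
                    if (!noLogs)
                    {
                        log.Warn("Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
                        throw new InvalidOperationException("Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
                    }

                    log.Warn("Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
                }
                else
                {
                    hive.ProcessTransactionLogs(logFiles.ToList(), true);
                }
            }

            hive.ParseHive();

            // Resolves the cache key of one control set, trying the current name before the legacy one.
            // Control set keys carry three digits (ControlSet001 ... ControlSet010), hence D3.
            Func<int, RegistryKey> findCacheKey = id =>
                hive.GetKey($@"ControlSet{id:D3}\Control\Session Manager\AppCompatCache") ??
                hive.GetKey($@"ControlSet{id:D3}\Control\Session Manager\AppCompatibility");

            var controlSetIds = new List<int>();

            if (controlSet == -1)
            {
                for (var i = 0; i < 10; i++)
                {
                    if (findCacheKey(i) != null)
                    {
                        controlSetIds.Add(i);
                    }
                }

                if (controlSetIds.Count > 1)
                {
                    log.Warn(
                        $"***The following ControlSet00x keys will be exported: {string.Join(",", controlSetIds)}. Use -c to process keys individually\r\n");
                }
            }
            else
            {
                // A specific control set was requested; it must exist.
                if (findCacheKey(ControlSet) == null)
                {
                    throw new InvalidOperationException($"Could not find ControlSet{ControlSet:D3}. Exiting");
                }

                controlSetIds.Add(ControlSet);
            }

            var is32 = Is32Bit(filename);

            log.Debug($@"**** Found {controlSetIds.Count} ids to process");

            foreach (var id in controlSetIds)
            {
                log.Debug($@"**** Processing id {id}");

                // Read from the parsed hive: a fresh RegistryHiveOnDemand(filename) would re-read
                // the on-disk image and miss the transaction-log data replayed above.
                var subKey = findCacheKey(id);

                log.Debug($@"**** Looking  AppCompatcache value");

                // Scoped per control set so that a missing value can never silently reuse the
                // bytes of the previously processed control set.
                var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");
                var rawBytes = val?.ValueDataRaw;

                if (rawBytes == null)
                {
                    log.Error($@"'AppCompatCache' value not found for 'ControlSet{id:D3}'! Skipping");
                    continue;
                }

                log.Debug($@"**** Found AppCompatcache value");

                Caches.Add(Init(rawBytes, is32, id));
            }
        }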
        /// <summary>
        /// REG_QWORD values must decode to the expected <see cref="ulong"/> and expose the expected
        /// slack length, whether the hive is read on demand or fully parsed with RecoverDeleted on.
        /// </summary>
        public void ShouldFindRegQWordValues()
        {
            var ntUserHive = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

            var ntUserCases = new[]
            {
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\Windows Error Reporting",
                    Name = "LastWatsonCabUploaded",
                    Expected = 130557640214774914UL,
                    Slack = 4
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList",
                    Name = "BannedAppsLastModified",
                    Expected = 0UL,
                    Slack = 4
                }
            };

            foreach (var c in ntUserCases)
            {
                var regKey = ntUserHive.GetKey(c.Path);
                Check.That(regKey).IsNotNull();

                var value = regKey.Values.Single(t => t.ValueName == c.Name);
                Check.That(value).IsNotNull();
                Check.That(value.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
                Check.That(value.VkRecord.ValueData).IsEqualTo(c.Expected);
                Check.That(value.VkRecord.ValueDataSlack.Length).IsEqualTo(c.Slack);
            }

            // Fully parsed hive with deleted-record recovery enabled and record lists retained.
            var acronisHive = new RegistryHive(@".\Hives\Acronis_0x52_Usrclass.dat");
            acronisHive.RecoverDeleted = true;
            acronisHive.FlushRecordListsAfterParse = false;
            acronisHive.ParseHive();

            var acronisKey = acronisHive.GetKey(
                @"S-1-5-21-3851833874-1800822990-1357392098-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify");
            Check.That(acronisKey).IsNotNull();

            var acronisValue = acronisKey.Values.Single(t => t.ValueName == "LastAdvertisement");
            Check.That(acronisValue).IsNotNull();
            Check.That(acronisValue.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
            Check.That(acronisValue.VkRecord.ValueData).IsEqualTo(130294002389413697UL);
            Check.That(acronisValue.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

            var deletedBagsHive = new RegistryHive(@".\Hives\UsrClassDeletedBags.dat");
            deletedBagsHive.RecoverDeleted = true;
            deletedBagsHive.FlushRecordListsAfterParse = false;
            deletedBagsHive.ParseHive();

            var deletedBagsKey = deletedBagsHive.GetKey(
                @"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify");
            Check.That(deletedBagsKey).IsNotNull();

            var deletedBagsValue = deletedBagsKey.Values.Single(t => t.ValueName == "LastAdvertisement");
            Check.That(deletedBagsValue).IsNotNull();
            Check.That(deletedBagsValue.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
            Check.That(deletedBagsValue.VkRecord.ValueData).IsEqualTo(130672934390152518UL);
            Check.That(deletedBagsValue.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

            // Same check on a hive parsed without deleted-record recovery.
            var slackHive = new RegistryHive(@".\Hives\NTUSER slack.DAT");
            slackHive.FlushRecordListsAfterParse = false;
            slackHive.ParseHive();

            var slackKey = slackHive.GetKey(@"$$$PROTO.HIV\Software\Microsoft\VisualStudio\7.0\External Tools");
            Check.That(slackKey).IsNotNull();

            var slackValue = slackKey.Values.Single(t => t.ValueName == "LastMerge");
            Check.That(slackValue).IsNotNull();
            Check.That(slackValue.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
            Check.That(slackValue.VkRecord.ValueData).IsEqualTo(127257359392030000UL);
            Check.That(slackValue.VkRecord.ValueDataSlack.Length).IsEqualTo(4);
        }
        /// <summary>
        /// REG_SZ values read on demand from NTUSER1.DAT must decode to the expected string
        /// (including the empty string) and expose the expected slack length.
        /// </summary>
        public void ShouldFindRegSzValues()
        {
            var ntUserHive = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

            var cases = new[]
            {
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}",
                    Name = "Default",
                    Expected = "{00000000-0000-0000-0000-000000000000}",
                    Slack = 6
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\CTF\SortOrder\Language",
                    Name = "00000000",
                    Expected = "00000409",
                    Slack = 2
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Speech\Preferences\AppCompatDisableDictation",
                    Name = "dwm.exe",
                    Expected = "",
                    Slack = 0
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\EUDC\932",
                    Name = "SystemDefaultEUDCFont",
                    Expected = "EUDC.TTE",
                    Slack = 2
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\PowerCfg\PowerPolicies\4",
                    Name = "Description",
                    Expected = "This scheme keeps the computer on and optimizes it for high performance.",
                    Slack = 2
                }
            };

            foreach (var c in cases)
            {
                var regKey = ntUserHive.GetKey(c.Path);
                Check.That(regKey).IsNotNull();

                var value = regKey.Values.Single(t => t.ValueName == c.Name);
                Check.That(value).IsNotNull();
                Check.That(value.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
                Check.That(value.VkRecord.ValueData).IsEqualTo(c.Expected);
                Check.That(value.VkRecord.ValueDataSlack.Length).IsEqualTo(c.Slack);
            }
        }
        /// <summary>
        /// REG_MULTI_SZ values must decode to the space-joined string the parser produces and
        /// expose the expected slack length, across an on-demand NTUSER hive, a parsed UsrClass
        /// hive and a parsed BCD hive.
        /// </summary>
        public void ShouldFindRegMultiSzValues()
        {
            var ntUserHive = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

            var languagesKey = ntUserHive.GetKey(
                @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\International\User Profile");
            Check.That(languagesKey).IsNotNull();

            var languages = languagesKey.Values.Single(t => t.ValueName == "Languages");
            Check.That(languages).IsNotNull();
            Check.That(languages.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
            Check.That(languages.VkRecord.ValueData).IsEqualTo("en-US");
            Check.That(languages.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

            var acronisHive = new RegistryHive(@".\Hives\Acronis_0x52_Usrclass.dat");
            acronisHive.RecoverDeleted = true;
            acronisHive.FlushRecordListsAfterParse = false;
            acronisHive.ParseHive();

            var muiCacheKey = acronisHive.GetKey(
                @"S-1-5-21-3851833874-1800822990-1357392098-1000_Classes\Local Settings\MuiCache\12\52C64B7E");
            Check.That(muiCacheKey).IsNotNull();

            var languageList = muiCacheKey.Values.Single(t => t.ValueName == "LanguageList");
            Check.That(languageList).IsNotNull();
            Check.That(languageList.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
            Check.That(languageList.VkRecord.ValueData).IsEqualTo("en-US en");
            Check.That(languageList.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

            var bcdHive = new RegistryHive(@".\Hives\BCD");
            bcdHive.FlushRecordListsAfterParse = false;
            bcdHive.RecoverDeleted = true;
            bcdHive.ParseHive();

            // Two BCD element objects sharing the value name "Element".
            var bcdCases = new[]
            {
                new
                {
                    Path = @"System\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\14000006",
                    Expected = "{4636856e-540f-4170-a130-a84776f4c654} {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}",
                    Slack = 6
                },
                new
                {
                    Path = @"System\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\14000006",
                    Expected = "{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}",
                    Slack = 84
                }
            };

            foreach (var c in bcdCases)
            {
                var elementsKey = bcdHive.GetKey(c.Path);
                Check.That(elementsKey).IsNotNull();

                var element = elementsKey.Values.Single(t => t.ValueName == "Element");
                Check.That(element).IsNotNull();
                Check.That(element.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
                Check.That(element.VkRecord.ValueData).IsEqualTo(c.Expected);
                Check.That(element.VkRecord.ValueDataSlack.Length).IsEqualTo(c.Slack);
            }
        }
        /// <summary>
        /// REG_EXPAND_SZ values read on demand from NTUSER1.DAT must come back unexpanded
        /// (environment references intact) with the expected slack length.
        /// </summary>
        public void ShouldFindRegExpandSzValues()
        {
            var ntUserHive = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

            var cases = new[]
            {
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Environment",
                    Name = "TEMP",
                    Expected = @"%USERPROFILE%\AppData\Local\Temp",
                    Slack = 2
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\Cursors",
                    Name = "Arrow",
                    Expected = @"%SystemRoot%\cursors\aero_arrow.cur",
                    Slack = 4
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\AppEvents\Schemes\Apps\.Default\WindowsUAC\.Current",
                    Name = "(default)",
                    Expected = @"%SystemRoot%\media\Windows User Account Control.wav",
                    Slack = 4
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Themes",
                    Name = "LastHighContrastTheme",
                    Expected = @"%SystemRoot%\resources\Ease of Access Themes\hcblack.theme",
                    Slack = 6
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\ThemeManager",
                    Name = "DllName",
                    Expected = @"%SystemRoot%\resources\themes\Aero\Aero.msstyles",
                    Slack = 2
                }
            };

            foreach (var c in cases)
            {
                var regKey = ntUserHive.GetKey(c.Path);
                Check.That(regKey).IsNotNull();

                var value = regKey.Values.Single(t => t.ValueName == c.Name);
                Check.That(value).IsNotNull();
                Check.That(value.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
                Check.That(value.VkRecord.ValueData).IsEqualTo(c.Expected);
                Check.That(value.VkRecord.ValueDataSlack.Length).IsEqualTo(c.Slack);
            }
        }
        /// <summary>
        /// REG_DWORD values read on demand from NTUSER1.DAT must decode to the expected
        /// <see cref="uint"/> with no slack bytes.
        /// </summary>
        public void ShouldFindRegDWordValues()
        {
            var ntUserHive = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

            var cases = new[]
            {
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Wisp\Pen\SysEventParameters",
                    Name = "DblDist",
                    Expected = 20u,
                    Slack = 0
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows NT\CurrentVersion\Windows",
                    Name = "UserSelectedDefault",
                    Expected = 0u,
                    Slack = 0
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows NT\CurrentVersion\MsiCorruptedFileRecovery\RepairedProducts",
                    Name = "TimeWindowMinutes",
                    Expected = 1440u,
                    Slack = 0
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\Windows Error Reporting",
                    Name = "MaxArchiveCount",
                    Expected = 500u,
                    Slack = 0
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Console",
                    Name = "ColorTable11",
                    Expected = 16776960u,
                    Slack = 0
                }
            };

            foreach (var c in cases)
            {
                var regKey = ntUserHive.GetKey(c.Path);
                Check.That(regKey).IsNotNull();

                var value = regKey.Values.Single(t => t.ValueName == c.Name);
                Check.That(value).IsNotNull();
                Check.That(value.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
                Check.That(value.VkRecord.ValueData).IsEqualTo(c.Expected);
                Check.That(value.VkRecord.ValueDataSlack.Length).IsEqualTo(c.Slack);
            }
        }
        /// <summary>
        /// REG_BINARY values read on demand from NTUSER1.DAT must surface as <c>byte[]</c> with the
        /// expected raw data length and slack length.
        /// </summary>
        public void ShouldFindRegBinaryValues()
        {
            var ntUserHive = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");

            var cases = new[]
            {
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\Appearance\Schemes",
                    Name = "@themeui.dll,-850",
                    RawLength = 712,
                    Slack = 4
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\Desktop\WindowMetrics",
                    Name = "IconFont",
                    RawLength = 92,
                    Slack = 0
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\Mouse",
                    Name = "SmoothMouseXCurve",
                    RawLength = 40,
                    Slack = 4
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\PowerCfg\GlobalPowerPolicy",
                    Name = "Policies",
                    RawLength = 176,
                    Slack = 4
                },
                new
                {
                    Path = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\Input Method\Hot Keys\00000010",
                    Name = "Key Modifiers",
                    RawLength = 4,
                    Slack = 0
                }
            };

            foreach (var c in cases)
            {
                var regKey = ntUserHive.GetKey(c.Path);
                Check.That(regKey).IsNotNull();

                var value = regKey.Values.Single(t => t.ValueName == c.Name);
                Check.That(value).IsNotNull();
                Check.That(value.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegBinary);
                Check.That(value.VkRecord.ValueData).IsInstanceOf<byte[]>();
                Check.That(value.ValueDataRaw.Length).IsEqualTo(c.RawLength);
                Check.That(value.VkRecord.ValueDataSlack.Length).IsEqualTo(c.Slack);
            }
        }
        /// <summary>
        /// Exporting a single key to .reg format must succeed for every supported hive type, both
        /// from on-demand hives and from a fully parsed hive with deleted-record recovery enabled.
        /// </summary>
        public void ExportToRegFormatSingleKey()
        {
            var onDemandCases = new[]
            {
                new
                {
                    Hive = @"..\..\..\Hives\SAM",
                    Key = @"SAM\Domains\Account",
                    Output = @"exportSamTest.reg",
                    Type = HiveTypeEnum.Sam
                },
                new
                {
                    Hive = @"..\..\..\Hives\NTUSER1.DAT",
                    Key = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Console",
                    Output = @"exportntuser1Test.reg",
                    Type = HiveTypeEnum.NtUser
                },
                new
                {
                    Hive = @"..\..\..\Hives\SECURITY",
                    Key = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Policy\Accounts\S-1-5-9",
                    Output = @"exportsecTest.reg",
                    Type = HiveTypeEnum.Security
                },
                new
                {
                    Hive = @"..\..\..\Hives\SYSTEM",
                    Key = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Enum\ACPI\PNP0C02\1",
                    Output = @"exportsysTest.reg",
                    Type = HiveTypeEnum.System
                },
                new
                {
                    Hive = @"..\..\..\Hives\UsrClass FTP.dat",
                    Key = @"S-1-5-21-2417227394-2575385136-2411922467-1105_Classes\.3g2",
                    Output = @"exportusrTest.reg",
                    Type = HiveTypeEnum.UsrClass
                },
                new
                {
                    Hive = @"..\..\..\Hives\SAM_DUPENAME",
                    Key = @"SAM\SAM\Domains\Account\Aliases\000003E9",
                    Output = @"exportotherTest.reg",
                    Type = HiveTypeEnum.Other
                }
            };

            foreach (var c in onDemandCases)
            {
                var onDemandHive = new RegistryHiveOnDemand(c.Hive);
                var regKey = onDemandHive.GetKey(c.Key);

                var exported = Helpers.ExportToReg(c.Output, regKey, c.Type, false);
                Check.That(exported).IsTrue();
            }

            // A parsed hive with recovered deleted records must export just the same.
            var deletedBagsHive = new RegistryHive(@"..\..\..\Hives\UsrClassDeletedBags.dat");
            deletedBagsHive.RecoverDeleted = true;
            deletedBagsHive.FlushRecordListsAfterParse = false;
            deletedBagsHive.ParseHive();

            var bagKey = deletedBagsHive.GetKey(
                @"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1");

            var deletedExported = Helpers.ExportToReg(@"exportDeletedTest.reg", bagKey, HiveTypeEnum.UsrClass, false);
            Check.That(deletedExported).IsTrue();
        }