public static Prefetch[] GetInstances(bool fast)
{
// Get current volume
string volLetter = Directory.GetCurrentDirectory().Split('\\')[0];
// Build Prefetch directory path
string prefetchPath = volLetter + @"\\Windows\\Prefetch";
// Check prefetchPath exists
if (Directory.Exists(prefetchPath))
{
// Get list of file in the Prefetch directory that end in the .pf extension
var pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf");
// Instantiate an array of Prefetch objects
Prefetch[] pfArray = new Prefetch[pfFiles.Length];
// Iterate through Prefetch Files
for (int i = 0; i < pfFiles.Length; i++)
{
// Get bytes for specific Prefetch file
byte[] fileBytes = null;
try
{
fileBytes = File.ReadAllBytes(pfFiles[i]);
}
catch (ArgumentException)
{
throw new ArgumentException("ArgumentException thrown by Prefetch.GetInstance()");
}
catch (PathTooLongException)
{
throw new PathTooLongException("PathTooLongException thrown by Prefetch.GetInstance()");
}
catch (DirectoryNotFoundException)
{
throw new DirectoryNotFoundException("DirectoryNotFoundException thrown by Prefetch.GetInstance()");
}
catch (IOException)
{
throw new IOException("IOException thrown by Prefetch.GetInstance()");
}
catch (UnauthorizedAccessException)
{
throw new UnauthorizedAccessException("UnauthorizedAccessException thrown by Prefetch.GetInstance()");
}
// Output the Prefetch object for the corresponding file
pfArray[i] = (new Prefetch(fileBytes));
}
// Return array or Prefetch objects
return(pfArray);
}
else
{
return(null);
}
}
public static Prefetch[] GetInstances(string volume)
{
// Get current volume
NativeMethods.getVolumeName(ref volume);
// Get volume letter
string volLetter = volume.Split('\\')[3];
// Get a handle to the volume
IntPtr hVolume = NativeMethods.getHandle(volume);
// Create a FileStream to read from the volume handle
using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
{
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);
// Build Prefetch directory path
string pfPath = volLetter + @"\Windows\Prefetch";
if (Directory.Exists(pfPath))
{
var pfFiles = System.IO.Directory.GetFiles(pfPath, "*.pf");
Prefetch[] pfArray = new Prefetch[pfFiles.Length];
// Get IndexEntry
IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath);
int i = 0;
foreach (IndexEntry entry in pfEntries)
{
if (entry.Filename.Contains(".pf"))
{
pfArray[i] = new Prefetch(new FileRecord(NativeMethods.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400), volume, true).GetBytes());
i++;
}
}
return(pfArray);
}
else
{
throw new Exception("Prefetch Directory does not exist. Check registry to ensure Prefetching is enabled.");
}
}
}
public static Prefetch[] GetInstances()
{
// Get current volume
string volLetter = Directory.GetCurrentDirectory().Split('\\')[0];
string volume = @"\\.\" + volLetter;
// Get a handle to the volume
IntPtr hVolume = NativeMethods.getHandle(volume);
// Create a FileStream to read from the volume handle
using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
{
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(hVolume, streamToRead);
// Build Prefetch directory path
string prefetchPath = volLetter + @"\\Windows\\Prefetch";
// Check prefetchPath exists
if (Directory.Exists(prefetchPath))
{
// Get list of file in the Prefetch directory that end in the .pf extension
var pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf");
// Instantiate an array of Prefetch objects
Prefetch[] pfArray = new Prefetch[pfFiles.Length];
// Iterate through Prefetch Files
for (int i = 0; i < pfFiles.Length; i++)
{
// Get bytes for specific Prefetch file
byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, pfFiles[i]).ToArray();
// Output the Prefetch object for the corresponding file
pfArray[i] = (new Prefetch(fileBytes));
}
// Return array or Prefetch objects
return(pfArray);
}
else
{
return(null);
}
}
}
public static Prefetch Get(string volume, FileStream streamToRead, byte[] MFT, string prefetchPath)
{
// Get bytes for specific Prefetch file
byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, prefetchPath).ToArray();
// Check for Prefetch Magic Number (Value) SCCA at offset 0x04 - 0x07
if (checkPfMagic(fileBytes))
{
// Check Prefetch file for version (0x1A = Win 8, 0x17 = Win 7, 0x11 = Win XP)
byte pfVersion = fileBytes[0];
string appName = null;
string[] dependencyArray = null;
appName = System.Text.Encoding.Unicode.GetString((fileBytes.Skip(0x10).Take(0x3C).ToArray())).TrimEnd('\0');
dependencyArray = getPfDependencies(getPfDependencySection(fileBytes));
Prefetch prefetch = new Prefetch(
Enum.GetName(typeof(PREFETCH_VERSION), pfVersion),
appName,
getPfPathHash(fileBytes),
getPfAccessTime(pfVersion, fileBytes),
dependencyArray,
dependencyArray.Length,
getPfPath(appName, dependencyArray),
getPfDeviceCount(fileBytes),
getPfRunCount(pfVersion, fileBytes)
);
return(prefetch);
}
else
{
return(null);
}
}
public static Mactime[] Get(Prefetch pf)
{
return null;
}
public static Prefetch[] GetInstances(string volume, bool fast)
{
// Get current volume
NativeMethods.getVolumeName(ref volume);
// Get volume letter
string volLetter = volume.Split('\\')[3];
// Build Prefetch directory path
string prefetchPath = volLetter + @"\\Windows\\Prefetch";
// Check prefetchPath exists
if (Directory.Exists(prefetchPath))
{
// Get list of file in the Prefetch directory that end in the .pf extension
var pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf");
// Instantiate an array of Prefetch objects
Prefetch[] pfArray = new Prefetch[pfFiles.Length];
// Iterate through Prefetch Files
for (int i = 0; i < pfFiles.Length; i++)
{
// Get bytes for specific Prefetch file
byte[] fileBytes = null;
try
{
fileBytes = File.ReadAllBytes(pfFiles[i]);
}
catch (ArgumentException)
{
throw new ArgumentException("ArgumentException thrown by Prefetch.GetInstance()");
}
catch(PathTooLongException)
{
throw new PathTooLongException("PathTooLongException thrown by Prefetch.GetInstance()");
}
catch (DirectoryNotFoundException)
{
throw new DirectoryNotFoundException("DirectoryNotFoundException thrown by Prefetch.GetInstance()");
}
catch (IOException)
{
throw new IOException("IOException thrown by Prefetch.GetInstance()");
}
catch (UnauthorizedAccessException)
{
throw new UnauthorizedAccessException("UnauthorizedAccessException thrown by Prefetch.GetInstance()");
}
// Output the Prefetch object for the corresponding file
pfArray[i] = (new Prefetch(fileBytes));
}
// Return array or Prefetch objects
return pfArray;
}
else
{
return null;
}
}
public static Prefetch[] GetInstances(string volume)
{
// Get current volume
NativeMethods.getVolumeName(ref volume);
// Get volume letter
string volLetter = volume.Split('\\')[3];
// Get a handle to the volume
IntPtr hVolume = NativeMethods.getHandle(volume);
// Create a FileStream to read from the volume handle
using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
{
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(streamToRead, volume);
// Build Prefetch directory path
string pfPath = volLetter + @"\Windows\Prefetch";
if (Directory.Exists(pfPath))
{
var pfFiles = System.IO.Directory.GetFiles(pfPath, "*.pf");
Prefetch[] pfArray = new Prefetch[pfFiles.Length];
// Get IndexEntry
IndexEntry[] pfEntries = IndexEntry.GetInstances(pfPath);
int i = 0;
foreach(IndexEntry entry in pfEntries)
{
if (entry.Filename.Contains(".pf"))
{
pfArray[i] = new Prefetch(new FileRecord(NativeMethods.GetSubArray(MFT, (uint)entry.RecordNumber * 0x400, 0x400), volume, true).GetBytes());
i++;
}
}
return pfArray;
}
else
{
throw new Exception("Prefetch Directory does not exist. Check registry to ensure Prefetching is enabled.");
}
}
}
