Exemplo n.º 1
        /// <summary>
        /// Builds a <see cref="RegistryKey"/> for the key one level above this one.
        /// </summary>
        /// <returns>
        /// <c>null</c> when <c>IsRoot()</c> reports true; otherwise a new key created from
        /// <c>RegFile</c>, <c>OffsetToParent</c> and this key's path without its last segment.
        /// </returns>
        public RegistryKey GetParent()
        {
            if (IsRoot())
            {
                return null;
            }

            // Everything in front of the final '\' is the parent's path. A path that
            // holds no separator at all produces an empty parent path.
            string[] segments   = KeyPath.Split('\\');
            string   parentPath = string.Join("\\", segments, 0, segments.Length - 1);

            // NOTE(review): OffsetToParent is presumably read from the hive being parsed.
            // Confirm the RegistryKey constructor bounds-checks it, because hives under
            // analysis can be corrupt or deliberately malformed.
            return new RegistryKey(RegFile, (uint)OffsetToParent, parentPath);
        }
Exemplo n.º 2
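        /// <summary>
        /// Renders this key and its values as a .reg-style text fragment: a blank line, the
        /// bracketed key path, a comment line carrying the last write time in UTC, then one
        /// <c>name=value</c> line per value.
        /// </summary>
        /// <param name="hiveType">
        /// Hive the key belongs to; selects the root prefix that replaces the first segment
        /// of <c>KeyPath</c>.
        /// </param>
        /// <returns>The fragment, with trailing whitespace trimmed.</returns>
        /// <remarks>
        /// Value names and data are copied from the hive under examination and should be
        /// treated as untrusted: only backslash and double quote are escaped here, other
        /// characters are passed through unchanged.
        /// NOTE(review): the SAM, SECURITY, SOFTWARE, SYSTEM and COMPONENTS hives are written
        /// under HKEY_CURRENT_USER rather than HKEY_LOCAL_MACHINE. If that is deliberate (for
        /// example so that importing an export cannot overwrite the analyst's machine hives),
        /// it deserves a sentence here; confirm with the maintainers.
        /// </remarks>
        public string GetRegFormat(HiveTypeEnum hiveType)
        {
            string keyBase;

            switch (hiveType)
            {
            case HiveTypeEnum.NtUser:
                keyBase = "HKEY_CURRENT_USER";
                break;

            case HiveTypeEnum.Sam:
                keyBase = "HKEY_CURRENT_USER\\SAM";
                break;

            case HiveTypeEnum.Security:
                keyBase = "HKEY_CURRENT_USER\\SECURITY";
                break;

            case HiveTypeEnum.Software:
                keyBase = "HKEY_CURRENT_USER\\SOFTWARE";
                break;

            case HiveTypeEnum.System:
                keyBase = "HKEY_CURRENT_USER\\SYSTEM";
                break;

            case HiveTypeEnum.UsrClass:
                keyBase = "HKEY_CLASSES_ROOT";
                break;

            case HiveTypeEnum.Components:
                keyBase = "HKEY_CURRENT_USER\\COMPONENTS";
                break;

            default:
                keyBase = "HKEY_CURRENT_USER\\UNKNOWN_BASEPATH";
                break;
            }

            // The first path segment is dropped and keyBase takes its place.
            var keyNames          = KeyPath.Split('\\');
            var normalizedKeyPath = string.Join("\\", keyNames.Skip(1));

            var keyName = normalizedKeyPath.Length > 0
                ? $"[{keyBase}\\{normalizedKeyPath}]"
                : $"[{keyBase}]";

            var sb = new StringBuilder();

            sb.AppendLine();
            sb.AppendLine(keyName);

            // NOTE(review): LastWriteTime.Value looks like a nullable being unwrapped; confirm
            // it is always populated before this method can be called.
            sb.AppendLine($";Last write timestamp {LastWriteTime.Value.UtcDateTime.ToString("o")}");

            foreach (var keyValue in Values)
            {
                var keyNameOut = keyValue.ValueName;
                if (string.Equals(keyNameOut, "(default)", StringComparison.OrdinalIgnoreCase))
                {
                    // The unnamed value is written as '@'.
                    keyNameOut = "@";
                }
                else
                {
                    // Escape backslashes first so the backslash added for quotes is not doubled.
                    keyNameOut = keyNameOut.Replace("\\", "\\\\");
                    keyNameOut = $"\"{keyNameOut.Replace("\"", "\\\"")}\"";
                }

                var dataType = keyValue.VKRecord.DataType;
                var rawData  = keyValue.ValueDataRaw;

                // Stays null when the value has to be written in the generic hex(n) form.
                string keyValueOut = null;

                switch (dataType)
                {
                case VKCellRecord.DataTypeEnum.RegSz:
                    keyValueOut = $"\"{keyValue.ValueData.Replace("\\", "\\\\").Replace("\"", "\\\"")}\"";
                    break;

                case VKCellRecord.DataTypeEnum.RegDword:
                    // A truncated or corrupt cell can carry fewer than four bytes, which makes
                    // BitConverter.ToInt32 throw; such values fall through to the hex(n) form
                    // so the remaining bytes are still exported.
                    if (rawData != null && rawData.Length >= sizeof(int))
                    {
                        keyValueOut =
                            $"dword:{BitConverter.ToInt32(rawData, 0):X8}"
                            .ToLowerInvariant();
                    }

                    break;

                case VKCellRecord.DataTypeEnum.RegBinary:

                    keyValueOut =
                        $"hex:{BitConverter.ToString(rawData).Replace("-", ",")}"
                        .ToLowerInvariant();

                    // 5 is the width reserved for the "hex:" prefix and is passed on to the
                    // wrapping helper unchanged.
                    if (keyValueOut.Length + 5 + keyNameOut.Length > 76)
                    {
                        keyValueOut = $"hex:{FormatBinaryValueData(rawData, keyNameOut.Length, 5)}";
                    }

                    break;
                }

                if (keyValueOut == null)
                {
                    // Every other data type is written as hex(<type code>):<bytes>. This also
                    // covers type codes the switch does not list, which previously produced a
                    // line with an empty value and silently lost the data.
                    var prefix = $"hex({(int) dataType:x}):";

                    keyValueOut =
                        $"{prefix}{BitConverter.ToString(rawData).Replace("-", ",")}".ToLowerInvariant();

                    // NOTE(review): keyValueOut already starts with prefix, so its length is
                    // counted twice here; left as is to keep the existing wrapping output.
                    if (keyValueOut.Length + prefix.Length + keyNameOut.Length > 76)
                    {
                        keyValueOut =
                            $"{prefix}{FormatBinaryValueData(rawData, keyNameOut.Length, prefix.Length)}";
                    }
                }

                sb.AppendLine($"{keyNameOut}={keyValueOut}");
            }

            return(sb.ToString().TrimEnd());
        }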