/// <summary>
/// The ProcessRecord method calls ManagementClass.GetInstances()
/// method to iterate through each BindingObject on each system specified.
/// </summary>
protected override void ProcessRecord()
{
// Determine Volume Name
string volume = @"\\.\" + path.Split('\\')[0];
//
byte[] fileBytes = MFTRecord.getFile(volume, path);
// Open file for writing
FileStream streamToWrite = new FileStream(destination, System.IO.FileMode.Create, System.IO.FileAccess.Write);
// Writes a block of bytes to this stream using data from a byte array.
streamToWrite.Write(fileBytes, 0, fileBytes.Length);
// Close file stream
streamToWrite.Close();
} // ProcessRecord
public static Prefetch[] GetInstances()
{
// Get current volume
string volLetter = Directory.GetCurrentDirectory().Split('\\')[0];
string volume = @"\\.\" + volLetter;
// Get a handle to the volume
IntPtr hVolume = NativeMethods.getHandle(volume);
// Create a FileStream to read from the volume handle
using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
{
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(hVolume, streamToRead);
// Build Prefetch directory path
string prefetchPath = volLetter + @"\\Windows\\Prefetch";
// Check prefetchPath exists
if (Directory.Exists(prefetchPath))
{
// Get list of file in the Prefetch directory that end in the .pf extension
var pfFiles = System.IO.Directory.GetFiles(prefetchPath, "*.pf");
// Instantiate an array of Prefetch objects
Prefetch[] pfArray = new Prefetch[pfFiles.Length];
// Iterate through Prefetch Files
for (int i = 0; i < pfFiles.Length; i++)
{
// Get bytes for specific Prefetch file
byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, pfFiles[i]).ToArray();
// Output the Prefetch object for the corresponding file
pfArray[i] = (new Prefetch(fileBytes));
}
// Return array or Prefetch objects
return(pfArray);
}
else
{
return(null);
}
}
}
public static Prefetch Get(string filePath)
{
// Get volume path from filePath
string volume = @"\\.\" + filePath.Split('\\')[0];
// Get a handle to the volume
IntPtr hVolume = NativeMethods.getHandle(volume);
// Create a FileStream to read from the volume handle
using (FileStream streamToRead = NativeMethods.getFileStream(hVolume))
{
// Get a byte array representing the Master File Table
byte[] MFT = MasterFileTable.GetBytes(hVolume, streamToRead);
// Get bytes for specific Prefetch file
byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, filePath).ToArray();
// Return a Prefetch object for the Prefetch file stored at filePath
return(new Prefetch(fileBytes));
}
}
public static Prefetch Get(string volume, FileStream streamToRead, byte[] MFT, string prefetchPath)
{
// Get bytes for specific Prefetch file
byte[] fileBytes = MFTRecord.getFile(volume, streamToRead, MFT, prefetchPath).ToArray();
// Check for Prefetch Magic Number (Value) SCCA at offset 0x04 - 0x07
if (checkPfMagic(fileBytes))
{
// Check Prefetch file for version (0x1A = Win 8, 0x17 = Win 7, 0x11 = Win XP)
byte pfVersion = fileBytes[0];
string appName = null;
string[] dependencyArray = null;
appName = System.Text.Encoding.Unicode.GetString((fileBytes.Skip(0x10).Take(0x3C).ToArray())).TrimEnd('\0');
dependencyArray = getPfDependencies(getPfDependencySection(fileBytes));
Prefetch prefetch = new Prefetch(
Enum.GetName(typeof(PREFETCH_VERSION), pfVersion),
appName,
getPfPathHash(fileBytes),
getPfAccessTime(pfVersion, fileBytes),
dependencyArray,
dependencyArray.Length,
getPfPath(appName, dependencyArray),
getPfDeviceCount(fileBytes),
getPfRunCount(pfVersion, fileBytes)
);
return(prefetch);
}
else
{
return(null);
}
}
/// <summary>
/// The ProcessRecord outputs the raw bytes of the specified File
/// </summary>
protected override void ProcessRecord()
{
int indexNo = 0;
byte[] contentArray = null;
#region Encoding
System.Text.Encoding contentEncoding = System.Text.Encoding.Default;
bool asBytes = false;
if (this.MyInvocation.BoundParameters.ContainsKey("Encoding"))
{
if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Ascii)
{
contentEncoding = System.Text.Encoding.ASCII;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.BigEndianUnicode)
{
contentEncoding = System.Text.Encoding.BigEndianUnicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Byte)
{
asBytes = true;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.String)
{
contentEncoding = System.Text.Encoding.Unicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unicode)
{
contentEncoding = System.Text.Encoding.Unicode;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.Unknown)
{
asBytes = true;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF7)
{
contentEncoding = System.Text.Encoding.UTF7;
}
else if (encoding == Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding.UTF8)
{
contentEncoding = System.Text.Encoding.UTF8;
}
}
#endregion Encoding
if (this.MyInvocation.BoundParameters.ContainsKey("Path"))
{
string volLetter = filePath.Split('\\')[0];
string volume = @"\\.\" + volLetter;
indexNo = NTFS.IndexNumber.Get(volume, filePath);
contentArray = MFTRecord.getFile(volume, indexNo);
}
else if (this.MyInvocation.BoundParameters.ContainsKey("IndexNumber"))
{
Regex lettersOnly = new Regex("^[a-zA-Z]{1}$");
if (lettersOnly.IsMatch(volume))
{
volume = @"\\.\" + volume + ":";
}
indexNo = index;
contentArray = MFTRecord.getFile(volume, indexNo);
}
if (asBytes)
{
WriteObject(contentArray);
}
else
{
string[] outputArray = contentEncoding.GetString(contentArray).Split('\n');
if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount") && this.MyInvocation.BoundParameters.ContainsKey("Tail"))
{
throw new InvalidOperationException("The parameters TotalCount and Tail cannot be used together. Please specify only one parameter.");
}
else if (this.MyInvocation.BoundParameters.ContainsKey("TotalCount"))
{
for (int i = 0; (i < totalCount) && (i < outputArray.Length); i++)
{
WriteObject(outputArray[i]);
}
}
else if (this.MyInvocation.BoundParameters.ContainsKey("Tail"))
{
for (long i = tail; (i > 0); i--)
{
if (i > outputArray.Length)
{
i = outputArray.Length;
}
WriteObject(outputArray[outputArray.Length - i]);
}
}
else
{
WriteObject(outputArray);
}
}
} // ProcessRecord