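public void TestWin10DevEnvPfProperties()
{
    // Golden-file check of a Windows 10 prefetch record (DEVENV.EXE). Windows 10
    // stores prefetch compressed, so this also exercises the decompression path.
    // Expected timestamps are parsed with the invariant culture so the assertions
    // do not depend on the culture of the machine running the tests.
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.Win10Path, @"DEVENV.EXE-854D7862.pf");

    var pf = PrefetchFile.Open(file);

    // Header: executable name and the hash embedded in the prefetch file name.
    pf.Header.ExecutableFilename.Should().Be("DEVENV.EXE");
    pf.Header.Hash.Should().Be("854D7862");
    pf.Header.FileSize.Should().Be(380690);

    // Fixed: this literal previously carried a stray trailing comma.
    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-13T09:50:34.6578416-07:00", invariant));
    pf.RunCount.Should().Be(54);

    // Volume identity (device name, serial, creation time) is what ties the
    // record back to a specific disk image when correlating evidence.
    pf.VolumeCount.Should().Be(1);
    pf.VolumeInformation[0].DeviceName.Should().Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}");
    pf.VolumeInformation[0].SerialNumber.Should().Be("8C9F49EC");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2015-11-17T13:57:46.2434681-07:00", invariant));

    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(516);
    pf.VolumeInformation[0].DirectoryNames[3].Should()
        .Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\MSENV");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(681);

    pf.Filenames.Count.Should().Be(403);
    pf.Filenames[3].Should()
        .Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}\PROGRAM FILES (X86)\MICROSOFT VISUAL STUDIO 14.0\COMMON7\IDE\MICROSOFT.VISUALSTUDIO.ACTIVITIES.DLL");

    // MFT entry/sequence pairs allow the referenced files to be matched against
    // the $MFT of the same volume.
    pf.VolumeInformation[0].FileReferences[6].MFTEntryNumber.Should().Be((ulong)148922);
    pf.VolumeInformation[0].FileReferences[6].MFTSequenceNumber.Should().Be(1);
    pf.VolumeInformation[0].FileReferences[8].MFTEntryNumber.Should().Be((ulong)219686);
    pf.VolumeInformation[0].FileReferences[8].MFTSequenceNumber.Should().Be(2);
}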
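public void TestWin7CalcPfProperties()
{
    // Golden-file check of a Windows 7 prefetch record (CALC.EXE).
    // Timestamps are parsed with the invariant culture so the expected values are
    // independent of the test machine's culture.
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.Win7Path, @"CALC.EXE-77FDF17F.pf");

    var pf = PrefetchFile.Open(file);

    pf.Header.ExecutableFilename.Should().Be("CALC.EXE");
    pf.Header.Hash.Should().Be("77FDF17F");
    pf.Header.FileSize.Should().Be(23538);

    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T13:27:01.1967500-07:00", invariant));
    pf.RunCount.Should().Be(2);

    // NOTE(review): in this fixture the volume creation time is later than the
    // last run time; presumably an artefact of how the lab image was built, but
    // worth confirming the volume timestamp's offset handling against the raw bytes.
    pf.VolumeCount.Should().Be(1);
    pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
    pf.VolumeInformation[0].SerialNumber.Should().Be("88008C2F");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T14:15:18.1093750-07:00", invariant));

    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(8);
    pf.VolumeInformation[0].DirectoryNames[3].Should()
        .Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION\SORTING");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(45);

    pf.Filenames.Count.Should().Be(37);
    pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNELBASE.DLL");

    pf.VolumeInformation[0].FileReferences[2].MFTEntryNumber.Should().Be((ulong)25654);
    pf.VolumeInformation[0].FileReferences[2].MFTSequenceNumber.Should().Be(1);
}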
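public void TestWin8ChromePfProperties()
{
    // Golden-file check of a Windows 8.x prefetch record. Despite the method name
    // the fixture is CALC.EXE, not Chrome; the name is kept so existing test
    // filters keep working.
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.Win8xPath, @"CALC.EXE-77FDF17F.pf");

    var pf = PrefetchFile.Open(file);

    pf.Header.ExecutableFilename.Should().Be("CALC.EXE");
    pf.Header.Hash.Should().Be("77FDF17F");
    pf.Header.FileSize.Should().Be(22048);

    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T14:10:26.0583417-07:00", invariant));
    pf.RunCount.Should().Be(2);

    pf.VolumeCount.Should().Be(1);
    pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
    pf.VolumeInformation[0].SerialNumber.Should().Be("C6EE7444");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T15:04:54.3519546-07:00", invariant));

    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(7);
    pf.VolumeInformation[0].DirectoryNames[3].Should()
        .Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION\SORTING");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(46);

    pf.Filenames.Count.Should().Be(37);
    pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNELBASE.DLL");

    pf.VolumeInformation[0].FileReferences[5].MFTEntryNumber.Should().Be((ulong)43858);
    pf.VolumeInformation[0].FileReferences[5].MFTSequenceNumber.Should().Be(1);
    pf.VolumeInformation[0].FileReferences[9].MFTEntryNumber.Should().Be((ulong)46917);
    pf.VolumeInformation[0].FileReferences[9].MFTSequenceNumber.Should().Be(1);
}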
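public void TestWin10ChromePfProperties()
{
    // Golden-file check of a Windows 10 prefetch record (CHROME.EXE).
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.Win10Path, @"CHROME.EXE-B3BA7868.pf");

    var pf = PrefetchFile.Open(file);

    pf.Header.ExecutableFilename.Should().Be("CHROME.EXE");
    pf.Header.Hash.Should().Be("B3BA7868");
    pf.Header.FileSize.Should().Be(116042);

    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-13T11:06:55.3344577-07:00", invariant));

    // The run counter keeps climbing while only the most recent run timestamps
    // are retained: 20 runs, 8 timestamps in this record. Investigators should
    // not read LastRunTimes as a complete execution history.
    pf.RunCount.Should().Be(20);
    pf.LastRunTimes.Count.Should().Be(8);

    pf.VolumeCount.Should().Be(1);
    pf.VolumeInformation[0].DeviceName.Should().Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}");
    pf.VolumeInformation[0].SerialNumber.Should().Be("8C9F49EC");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2015-11-17T13:57:46.2434681-07:00", invariant));

    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(23);
    pf.VolumeInformation[0].DirectoryNames[3].Should()
        .Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(284);

    pf.Filenames.Count.Should().Be(282);
    pf.Filenames[3].Should().Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}\WINDOWS\SYSTEM32\KERNEL32.DLL");

    pf.VolumeInformation[0].FileReferences[5].MFTEntryNumber.Should().Be((ulong)55125);
    pf.VolumeInformation[0].FileReferences[5].MFTSequenceNumber.Should().Be(1);
    pf.VolumeInformation[0].FileReferences[9].MFTEntryNumber.Should().Be((ulong)117682);
    pf.VolumeInformation[0].FileReferences[9].MFTSequenceNumber.Should().Be(2);
}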
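public void TestWin8CmdPfProperties()
{
    // Golden-file check of a Windows 8.x prefetch record (CMD.EXE). The fixture's
    // on-disk name carries a leading underscore; the executable name asserted below
    // comes from the header, so the source file name does not influence parsing.
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.Win8xPath, @"_CMD.EXE-4A81B364.pf");

    var pf = PrefetchFile.Open(file);

    pf.Header.ExecutableFilename.Should().Be("CMD.EXE");
    pf.Header.Hash.Should().Be("4A81B364");
    pf.Header.FileSize.Should().Be(8590);

    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T14:25:41.5341178-07:00", invariant));
    pf.RunCount.Should().Be(2);

    pf.VolumeCount.Should().Be(1);
    pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
    pf.VolumeInformation[0].SerialNumber.Should().Be("A26E529A");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T15:15:38.2977678-07:00", invariant));

    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(8);
    pf.VolumeInformation[0].DirectoryNames[3].Should()
        .Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\BRANDING\BASEBRD\EN-US");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(20);

    pf.Filenames.Count.Should().Be(12);
    pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNELBASE.DLL");

    // For this record the parser exposes no MFT sequence number (null), so only
    // the entry number is available for correlation with the $MFT.
    pf.VolumeInformation[0].FileReferences[1].MFTEntryNumber.Should().Be((ulong)44760);
    pf.VolumeInformation[0].FileReferences[1].MFTSequenceNumber.Should().Be(null);
}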
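public void TestWin2012RegEditPfProperties()
{
    // Golden-file check of a Windows Server 2012 prefetch record (REGEDIT.EXE).
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.Win2012Path, @"REGEDIT.EXE-90FEEA06.pf");

    var pf = PrefetchFile.Open(file);

    pf.Header.ExecutableFilename.Should().Be("REGEDIT.EXE");
    pf.Header.Hash.Should().Be("90FEEA06");
    pf.Header.FileSize.Should().Be(22982);

    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T14:36:18.7186980-07:00", invariant));
    pf.RunCount.Should().Be(1);

    pf.VolumeCount.Should().Be(1);
    pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
    pf.VolumeInformation[0].SerialNumber.Should().Be("2E25F20A");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T15:20:46.1666157-07:00", invariant));

    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(12);
    pf.VolumeInformation[0].DirectoryNames[3].Should()
        .Be(@"\DEVICE\HARDDISKVOLUME2\USERS\ADMINISTRATOR\APPDATA\LOCAL");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(62);

    pf.Filenames.Count.Should().Be(42);

    // Original author's note: the $MFT shows sequence number 1 for both of these
    // entries, yet the record yields null. The parser's behaviour (null) is what is
    // pinned here; treat the sequence as unavailable rather than 0 when correlating.
    pf.VolumeInformation[0].FileReferences[5].MFTEntryNumber.Should().Be((ulong)27324);
    pf.VolumeInformation[0].FileReferences[5].MFTSequenceNumber.Should().Be(null);
    pf.VolumeInformation[0].FileReferences[9].MFTEntryNumber.Should().Be((ulong)29316);
    pf.VolumeInformation[0].FileReferences[9].MFTSequenceNumber.Should().Be(null);
}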
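public void TestXPCalcPfProperties()
{
    // Golden-file check of a Windows XP prefetch record (CALC.EXE).
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.WinXpPath, @"CALC.EXE-02CD573A.pf");

    var pf = PrefetchFile.Open(file);

    pf.Header.ExecutableFilename.Should().Be("CALC.EXE");

    // Caveat: the hash is reported without leading zeros ("2CD573A"), while the
    // file name carries the 8-digit form ("02CD573A"). Anyone correlating records
    // by hash string must zero-pad before comparing against file names.
    pf.Header.Hash.Should().Be("2CD573A");
    pf.Header.FileSize.Should().Be(11332);

    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-13T15:05:51.2812500-07:00", invariant));
    pf.RunCount.Should().Be(3);

    pf.VolumeCount.Should().Be(1);
    pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME1");
    pf.VolumeInformation[0].SerialNumber.Should().Be("E0F7E847");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-13T04:17:18.7187500-07:00", invariant));

    // XP/2003 records keep the trailing separator on directory names.
    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(6);
    pf.VolumeInformation[0].DirectoryNames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(36);

    pf.Filenames.Count.Should().Be(30);
    pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS");

    pf.VolumeInformation[0].FileReferences[34].MFTEntryNumber.Should().Be((ulong)126);
    pf.VolumeInformation[0].FileReferences[34].MFTSequenceNumber.Should().Be(1);
}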
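public void TestWin2012R2RegEditPfProperties()
{
    // Golden-file check of a Windows Server 2012 R2 prefetch record. Despite the
    // method name the fixture is NOTEPAD.EXE; the name is kept for test filters.
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.Win2012R2Path, @"NOTEPAD.EXE-D8414F97.pf");

    var pf = PrefetchFile.Open(file);

    pf.Header.ExecutableFilename.Should().Be("NOTEPAD.EXE");
    pf.Header.Hash.Should().Be("D8414F97");
    pf.Header.FileSize.Should().Be(15320);

    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T14:40:31.2944718-07:00", invariant));
    pf.RunCount.Should().Be(2);

    pf.VolumeCount.Should().Be(1);
    pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
    pf.VolumeInformation[0].SerialNumber.Should().Be("7450B65F");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T15:21:57.7889266-07:00", invariant));

    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(7);
    pf.VolumeInformation[0].DirectoryNames[3].Should()
        .Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION\SORTING");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(35);

    pf.Filenames.Count.Should().Be(26);
    pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ADVAPI32.DLL");

    // Original author's note: X-Ways shows sequence number 1 for both entries when
    // looking them up in the $MFT, yet the record yields null. Entry 0 for
    // reference [5] is also unusual for a referenced file; the parser's current
    // output is pinned here so any change in the decoding is noticed.
    pf.VolumeInformation[0].FileReferences[5].MFTEntryNumber.Should().Be((ulong)0);
    pf.VolumeInformation[0].FileReferences[5].MFTSequenceNumber.Should().Be(null);
    pf.VolumeInformation[0].FileReferences[1].MFTEntryNumber.Should().Be((ulong)18972);
    pf.VolumeInformation[0].FileReferences[1].MFTSequenceNumber.Should().Be(null);
}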
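public void Test2k3CmdPfProperties()
{
    // Golden-file check of a Windows Server 2003 prefetch record (CMD.EXE).
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.Win2k3Path, @"CMD.EXE-087B4001.pf");

    var pf = PrefetchFile.Open(file);

    pf.Header.ExecutableFilename.Should().Be("CMD.EXE");

    // Caveat: the hash drops its leading zero ("87B4001" vs "087B4001" in the file
    // name); zero-pad to 8 hex digits before matching against file names.
    pf.Header.Hash.Should().Be("87B4001");
    pf.Header.FileSize.Should().Be(6002);

    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-15T16:01:40.8750000-07:00", invariant));
    pf.RunCount.Should().Be(3);

    pf.VolumeCount.Should().Be(1);
    pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME1");
    pf.VolumeInformation[0].SerialNumber.Should().Be("64BB3469");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-15T08:45:15.8906250-07:00", invariant));

    // XP/2003 records keep the trailing separator on directory names.
    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(4);
    pf.VolumeInformation[0].DirectoryNames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(20);

    pf.Filenames.Count.Should().Be(16);
    pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS");

    pf.VolumeInformation[0].FileReferences[5].MFTEntryNumber.Should().Be((ulong)250);
    pf.VolumeInformation[0].FileReferences[5].MFTSequenceNumber.Should().Be(1);
}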
public void InvalidFileShouldThrowException()
{
    // A file whose header does not carry the 'SCCA' magic must be rejected with
    // the signature error; prefetch files come from machines under investigation
    // and cannot be assumed well-formed.
    var badFile = Path.Combine(BadPath, "notAPrefetch.pf");

    Action openBadFile = () =>
    {
        PrefetchFile.Open(badFile);
    };

    openBadFile.ShouldThrow<Exception>().WithMessage("Invalid signature! Should be 'SCCA'");
}
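public void TestVistaExplorerPfProperties()
{
    // Golden-file check of a Windows Vista prefetch record (EXPLORER.EXE).
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.WinVistaPath, @"EXPLORER.EXE-7A3328DA.pf");

    var pf = PrefetchFile.Open(file);

    pf.Header.ExecutableFilename.Should().Be("EXPLORER.EXE");
    pf.Header.Hash.Should().Be("7A3328DA");
    pf.Header.FileSize.Should().Be(38470);

    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-16T13:02:00.8326765-07:00", invariant));
    pf.RunCount.Should().Be(1);

    pf.VolumeCount.Should().Be(1);
    pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME1");
    pf.VolumeInformation[0].SerialNumber.Should().Be("E8EAB8B5");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T13:53:13.1093750-07:00", invariant));

    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(13);
    pf.VolumeInformation[0].DirectoryNames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\USERS\PUBLIC");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(84);

    pf.Filenames.Count.Should().Be(66);
    pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL");

    // No sequence number is exposed for this record (null); only the entry number
    // is available for $MFT correlation.
    pf.VolumeInformation[0].FileReferences[1].MFTEntryNumber.Should().Be((ulong)352);
    pf.VolumeInformation[0].FileReferences[1].MFTSequenceNumber.Should().Be(null);
}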
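public void OneOff()
{
    // Ad-hoc check against a locally captured file (the path suggests a volume
    // shadow copy export); it is only meaningful on the machine that has it.
    // The null check used to be commented out, which left the method without any
    // assertion at all, so it is restored here.
    var f = @"C:\Temp\outLW\vss010\Windows\prefetch\SETUP.EXE-C52DC467.pf";

    var pf = PrefetchFile.Open(f);

    pf.Should().NotBeNull();
}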
public void Windows2k3ShouldHaveVersionNumber17()
{
    // Every sample in the Server 2003 fixture directory must report the XP/2003
    // format version and remember the path it was loaded from.
    var samples = Directory.GetFiles(TestPrefetchMain.Win2k3Path, "*.pf");

    foreach (var samplePath in samples)
    {
        var record = PrefetchFile.Open(samplePath);

        record.SourceFilename.Should().Be(samplePath);
        record.Header.Version.Should().Be(Version.WinXpOrWin2K3);
    }
}
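public void OneOff()
{
    // Ad-hoc check of the stream-based Open overload against a locally captured
    // dump; only meaningful on the machine that has the file.
    var f = @"C:\temp\fsout.bin";

    // Open read-only and dispose the handle: the original opened the file with the
    // default read/write access, which is inappropriate for evidence and fails on a
    // read-only mount, and never closed the stream.
    using (var ms = new FileStream(f, FileMode.Open, FileAccess.Read, FileShare.Read))
    {
        var pf = PrefetchFile.Open(ms, "foo");

        pf.RunCount.Should().Be(3);
    }
}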
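public void OneOff()
{
    // Ad-hoc check that the stream-based and path-based Open overloads agree on a
    // locally captured file; only meaningful on the machine that has it.
    var f = @"C:\Temp\500sru\POWERSHELL.EXE-767FB1AE.pf";

    // The stream is disposed so the handle is not leaked across tests.
    using (var ms = new FileStream(f, FileMode.Open, FileAccess.Read, FileShare.Read))
    {
        var fromStream = PrefetchFile.Open(ms, "foo");
        // The path-based result was previously opened but never checked.
        var fromPath = PrefetchFile.Open(f);

        fromStream.RunCount.Should().Be(3);
        fromPath.RunCount.Should().Be(fromStream.RunCount);
    }
}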
public void Windows8xShouldHaveVersionNumber26()
{
    // Every Windows 8.x sample must report the 8.x/2012 format version, and the
    // header's directory total must agree with the sum of the per-volume lists.
    foreach (var samplePath in Directory.GetFiles(TestPrefetchMain.Win8xPath, "*.pf"))
    {
        var record = PrefetchFile.Open(samplePath);

        var summedDirectories = 0;
        foreach (var volume in record.VolumeInformation)
        {
            summedDirectories += volume.DirectoryNames.Count;
        }

        record.TotalDirectoryCount.Should().Be(summedDirectories);
        record.SourceFilename.Should().Be(samplePath);
        record.Header.Version.Should().Be(Version.Win8xOrWin2012x);
    }
}
public void Windows2012ShouldHaveVersionNumber26()
{
    // Server 2012 and 2012 R2 share the Windows 8.x format version; every sample
    // under both fixture directories must report it and remember its source path.
    var fixtureDirectories = new[] { TestPrefetchMain.Win2012Path, TestPrefetchMain.Win2012R2Path };

    foreach (var fixtureDirectory in fixtureDirectories)
    {
        foreach (var samplePath in Directory.GetFiles(fixtureDirectory, "*.pf"))
        {
            var record = PrefetchFile.Open(samplePath);

            record.SourceFilename.Should().Be(samplePath);
            record.Header.Version.Should().Be(Version.Win8xOrWin2012x);
        }
    }
}
public void SignatureShouldBeSCCA()
{
    // Sanity checks across every fixture directory: the record loads, its
    // file-name list matches the header's file-metrics count, its volume list
    // matches the header's volume count, and the signature is 'SCCA'.
    foreach (var fixtureDirectory in _allPaths)
    {
        var samples = Directory.GetFiles(fixtureDirectory, "*.pf");

        foreach (var samplePath in samples)
        {
            var record = PrefetchFile.Open(samplePath);

            record.Should().NotBeNull();
            record.Filenames.Count.Should().Be(record.FileMetricsCount);
            record.VolumeCount.Should().Be(record.VolumeInformation.Count);
            record.Header.Signature.Should().Be("SCCA");
        }
    }
}
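public void TestWin10DcodeDecodePfProperties()
{
    // Golden-file check of a Windows 10 record for an executable with a 29-character
    // name that touched two volumes (a TEMP directory on one, system DLLs on the other).
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.Win10Path, @"DCODEDCODEDCODEDCODEDCODEDCOD-E65B9FE8.pf");

    var pf = PrefetchFile.Open(file);

    pf.Header.ExecutableFilename.Should().Be("DCODEDCODEDCODEDCODEDCODEDCOD");
    pf.Header.Hash.Should().Be("E65B9FE8");
    pf.Header.FileSize.Should().Be(33606);

    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-13T15:47:25.7480759-07:00", invariant));
    pf.RunCount.Should().Be(2);

    // Two volumes: each carries its own serial and creation time, so file
    // references must be correlated against the $MFT of the matching volume.
    pf.VolumeCount.Should().Be(2);
    pf.VolumeInformation[0].DeviceName.Should().Be(@"\VOLUME{01d12173f395296c-66f451bc}");
    pf.VolumeInformation[0].SerialNumber.Should().Be("66F451BC");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2015-11-17T13:10:06.2049644-07:00", invariant));
    pf.VolumeInformation[1].DeviceName.Should().Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}");
    pf.VolumeInformation[1].SerialNumber.Should().Be("8C9F49EC");
    pf.VolumeInformation[1].CreationTime.Should().Be(DateTimeOffset.Parse("2015-11-17T13:57:46.2434681-07:00", invariant));

    pf.VolumeInformation[1].DirectoryNames.Count.Should().Be(19);
    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(1);
    pf.VolumeInformation[0].DirectoryNames[0].Should()
        .Be(@"\VOLUME{01d12173f395296c-66f451bc}\TEMP");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(2);
    pf.VolumeInformation[1].FileReferences.Count.Should().Be(85);

    pf.Filenames.Count.Should().Be(57);
    pf.Filenames[3].Should().Be(@"\VOLUME{01d1217a9c4c6779-8c9f49ec}\WINDOWS\SYSTEM32\KERNEL32.DLL");

    pf.VolumeInformation[1].FileReferences[12].MFTEntryNumber.Should().Be((ulong)357876);
    pf.VolumeInformation[1].FileReferences[12].MFTSequenceNumber.Should().Be(1);
    pf.VolumeInformation[0].FileReferences[1].MFTEntryNumber.Should().Be((ulong)305846);
    pf.VolumeInformation[0].FileReferences[1].MFTSequenceNumber.Should().Be(2);
}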
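public void TestWin7DCodePfProperties()
{
    // Golden-file check of a Windows 7 record for an executable with a 29-character
    // name that touched two volumes (system volume plus a second volume's TEMP\222).
    var invariant = System.Globalization.CultureInfo.InvariantCulture;
    var file = Path.Combine(TestPrefetchMain.Win7Path, @"DCODEDCODEDCODEDCODEDCODEDCOD-9054DA3F.pf");

    var pf = PrefetchFile.Open(file);

    pf.Header.ExecutableFilename.Should().Be("DCODEDCODEDCODEDCODEDCODEDCOD");
    pf.Header.Hash.Should().Be("9054DA3F");
    pf.Header.FileSize.Should().Be(29746);

    pf.LastRunTimes[0].Should().Be(DateTimeOffset.Parse("2016-01-22T09:23:16.3416250-07:00", invariant));
    pf.RunCount.Should().Be(5);

    pf.VolumeCount.Should().Be(2);

    pf.VolumeInformation[0].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME2");
    pf.VolumeInformation[0].SerialNumber.Should().Be("88008C2F");
    pf.VolumeInformation[0].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-16T14:15:18.1093750-07:00", invariant));
    pf.VolumeInformation[0].DirectoryNames.Count.Should().Be(14);
    pf.VolumeInformation[0].DirectoryNames[3].Should()
        .Be(@"\DEVICE\HARDDISKVOLUME2\USERS\E\APPDATA\LOCAL");
    pf.VolumeInformation[0].FileReferences.Count.Should().Be(63);

    // The second volume is where the binary itself lived; its file references must
    // be resolved against that volume's $MFT, not the system volume's.
    pf.VolumeInformation[1].DeviceName.Should().Be(@"\DEVICE\HARDDISKVOLUME3");
    pf.VolumeInformation[1].SerialNumber.Should().Be("E892367F");
    pf.VolumeInformation[1].CreationTime.Should().Be(DateTimeOffset.Parse("2016-01-22T09:11:36.5781250-07:00", invariant));
    pf.VolumeInformation[1].DirectoryNames.Count.Should().Be(2);
    pf.VolumeInformation[1].DirectoryNames[1].Should()
        .Be(@"\DEVICE\HARDDISKVOLUME3\TEMP\222");
    pf.VolumeInformation[1].FileReferences.Count.Should().Be(3);

    pf.Filenames.Count.Should().Be(50);
    pf.Filenames[3].Should().Be(@"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WOW64CPU.DLL");

    pf.VolumeInformation[1].FileReferences[1].MFTEntryNumber.Should().Be((ulong)37);
    pf.VolumeInformation[1].FileReferences[1].MFTSequenceNumber.Should().Be(1);
}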
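/// <summary>
/// Parses one prefetch file and, unless quiet output was requested, prints its
/// contents to the logger.
/// </summary>
/// <param name="pfFile">Path of the prefetch file to parse.</param>
/// <returns>
/// The parsed record (possibly partial, see <c>ParsingError</c>), or null when the
/// file could not be opened; failures are appended to <c>_failedFiles</c> and logged.
/// </returns>
/// <remarks>
/// Everything printed here originates from a file that may have been produced on
/// a hostile machine. Executable name, paths and volume names are written to the
/// log verbatim, so control characters in a crafted name pass straight through;
/// treat the log as untrusted text when it is consumed by other tooling.
/// </remarks>
private static IPrefetch LoadFile(string pfFile)
{
    var options = _fluentCommandLineParser.Object;
    var verbose = options.Quiet == false;
    var dateFormat = options.DateTimeFormat;

    if (verbose)
    {
        _logger.Warn($"Processing '{pfFile}'");
        _logger.Info("");
    }

    var sw = Stopwatch.StartNew();

    try
    {
        var pf = PrefetchFile.Open(pfFile);

        if (pf.ParsingError)
        {
            _failedFiles.Add($"'{pfFile}' is corrupt and did not parse completely!");
            _logger.Fatal($"'{pfFile}' FILE DID NOT PARSE COMPLETELY!\r\n");
        }

        if (verbose)
        {
            if (pf.ParsingError)
            {
                _logger.Fatal("PARTIAL OUTPUT SHOWN BELOW\r\n");
            }

            // Timestamps of the prefetch file itself on the source file system.
            var created = options.LocalTime ? pf.SourceCreatedOn.ToLocalTime() : pf.SourceCreatedOn;
            var modified = options.LocalTime ? pf.SourceModifiedOn.ToLocalTime() : pf.SourceModifiedOn;
            var accessed = options.LocalTime ? pf.SourceAccessedOn.ToLocalTime() : pf.SourceAccessedOn;

            _logger.Info($"Created on: {created.ToString(dateFormat)}");
            _logger.Info($"Modified on: {modified.ToString(dateFormat)}");
            _logger.Info($"Last accessed on: {accessed.ToString(dateFormat)}");
            _logger.Info("");

            // Zero-padded index formats sized to the widest index that will be
            // printed. TotalDirectoryCount is -1 on XP/2003 records, which still
            // yields a usable (two-digit) width.
            var dirDigits = pf.TotalDirectoryCount.ToString(CultureInfo.InvariantCulture).Length;
            var dirFormat = new string('0', dirDigits) + ".##";
            var fileDigits = pf.FileMetricsCount.ToString(CultureInfo.InvariantCulture).Length;
            var fileFormat = new string('0', fileDigits) + ".##";

            _logger.Info($"Executable name: {pf.Header.ExecutableFilename}");
            _logger.Info($"Hash: {pf.Header.Hash}");
            _logger.Info($"File size (bytes): {pf.Header.FileSize:N0}");
            _logger.Info($"Version: {GetDescriptionFromEnumValue(pf.Header.Version)}");
            _logger.Info("");
            _logger.Info($"Run count: {pf.RunCount:N0}");

            // Only the most recent run is highlighted; older retained runs follow.
            var lastRun = pf.LastRunTimes.First();
            if (options.LocalTime)
            {
                lastRun = lastRun.ToLocalTime();
            }

            _logger.Warn($"Last run: {lastRun.ToString(dateFormat)}");

            if (pf.LastRunTimes.Count > 1)
            {
                var olderRuns = pf.LastRunTimes.Skip(1).ToList();
                if (options.LocalTime)
                {
                    for (var i = 0; i < olderRuns.Count; i++)
                    {
                        olderRuns[i] = olderRuns[i].ToLocalTime();
                    }
                }

                var otherRunTimes = string.Join(", ", olderRuns.Select(t => t.ToString(dateFormat)));
                _logger.Info($"Other run times: {otherRunTimes}");
            }

            _logger.Info("");
            _logger.Info("Volume information:");
            _logger.Info("");

            var volnum = 0;
            foreach (var volumeInfo in pf.VolumeInformation)
            {
                var volumeCreated = volumeInfo.CreationTime;
                if (options.LocalTime)
                {
                    volumeCreated = volumeCreated.ToLocalTime();
                }

                _logger.Info(
                    $"#{volnum}: Name: {volumeInfo.DeviceName} Serial: {volumeInfo.SerialNumber} Created: {volumeCreated.ToString(dateFormat)} Directories: {volumeInfo.DirectoryNames.Count:N0} File references: {volumeInfo.FileReferences.Count:N0}");
                volnum += 1;
            }

            _logger.Info("");

            // XP/2003 records store -1 for the total, so derive it from the volumes.
            var totalDirs = pf.TotalDirectoryCount;
            if (pf.Header.Version == Version.WinXpOrWin2K3)
            {
                totalDirs = 0;
                foreach (var volumeInfo in pf.VolumeInformation)
                {
                    totalDirs += volumeInfo.DirectoryNames.Count;
                }
            }

            _logger.Info($"Directories referenced: {totalDirs:N0}");
            _logger.Info("");

            // Directory names that match a user-supplied keyword are raised to
            // Fatal so they stand out in the listing.
            var dirIndex = 0;
            foreach (var volumeInfo in pf.VolumeInformation)
            {
                foreach (var directoryName in volumeInfo.DirectoryNames)
                {
                    var line = $"{dirIndex.ToString(dirFormat)}: {directoryName}";
                    if (MatchesKeyword(directoryName))
                    {
                        _logger.Fatal(line);
                    }
                    else
                    {
                        _logger.Info(line);
                    }

                    dirIndex += 1;
                }
            }

            _logger.Info("");
            _logger.Info($"Files referenced: {pf.Filenames.Count:N0}");
            _logger.Info("");

            // The executable's own entry is raised to Error, keyword hits to Fatal.
            // Guard against an empty executable name: string.Contains("") is true
            // for every path, which would mark the whole list as the executable.
            var exeName = pf.Header.ExecutableFilename;
            var fileIndex = 0;
            foreach (var filename in pf.Filenames)
            {
                var line = $"{fileIndex.ToString(fileFormat)}: {filename}";
                if (!string.IsNullOrEmpty(exeName) && filename.Contains(exeName))
                {
                    _logger.Error(line);
                }
                else if (MatchesKeyword(filename))
                {
                    _logger.Fatal(line);
                }
                else
                {
                    _logger.Info(line);
                }

                fileIndex += 1;
            }
        }

        sw.Stop();

        if (verbose)
        {
            _logger.Info("");
        }

        _logger.Info(
            $"---------- Processed '{pf.SourceFilename}' in {sw.Elapsed.TotalSeconds:N8} seconds ----------");

        if (verbose)
        {
            _logger.Info("\r\n");
        }

        return pf;
    }
    catch (ArgumentNullException an)
    {
        // NOTE(review): any ArgumentNullException raised while opening or printing
        // is reported as the Windows 10 decompression case; that attribution is an
        // assumption about where the exception comes from, not a check of the file.
        _logger.Error(
            $"Error opening '{pfFile}'.\r\n\r\nThis appears to be a Windows 10 prefetch file. You must be running Windows 8 or higher to decompress Windows 10 prefetch files");
        _logger.Info("");
        _failedFiles.Add(
            $"{pfFile} ==> ({an.Message} (This appears to be a Windows 10 prefetch file. You must be running Windows 8 or higher to decompress Windows 10 prefetch files))");
    }
    catch (Exception ex)
    {
        _logger.Error($"Error opening '{pfFile}'. Message: {ex.Message}");
        _logger.Info("");
        _failedFiles.Add($"{pfFile} ==> ({ex.Message})");
    }

    return null;
}

/// <summary>
/// True when <paramref name="candidate"/> contains any of the configured keywords.
/// </summary>
/// <remarks>
/// Comparison is ordinal and case-insensitive rather than a culture-sensitive
/// ToLower(): under some cultures (e.g. Turkish casing of 'I') a lower-casing
/// compare silently misses keywords, which for a triage tool means a missed hit.
/// Null or empty keywords are skipped; an empty keyword would otherwise match
/// every line and flood the listing with false hits.
/// </remarks>
private static bool MatchesKeyword(string candidate)
{
    if (candidate == null)
    {
        return false;
    }

    foreach (var keyword in _keywords)
    {
        if (string.IsNullOrEmpty(keyword))
        {
            continue;
        }

        if (candidate.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return true;
        }
    }

    return false;
}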