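/// <summary>
/// Reads one value from the SOFTWARE or SYSTEM hive file found under <paramref name="Root"/>.
/// The hive is loaded under HKLM for the duration of the call and unloaded again on every exit path.
/// </summary>
/// <param name="Status">Set to true only when the value lookup was reached; false on every failure path.</param>
/// <param name="Root">
/// Either a path whose extension is listed in VHDExtensions (the image is mounted and each mount
/// point is probed with DetectWindows) or a path handed to DetectWindows directly.
/// </param>
/// <param name="DataPath">
/// Backslash-separated path containing a SOFTWARE or SYSTEM component; the last component is the
/// value name, and the components in between are sub-keys.
/// </param>
/// <param name="ProxyVM">Not implemented; any non-null value throws <see cref="NotImplementedException"/>.</param>
/// <param name="AlternateInterface">
/// Name of a plugin type to delegate to. Ignored when null or equal to this type's name.
/// </param>
/// <returns>The value returned by the registry lookup, or null when any step fails.</returns>
/// <exception cref="ArgumentException">
/// DataPath is null, has no SOFTWARE/SYSTEM component, or names nothing beneath that component.
/// </exception>
/// <exception cref="NotImplementedException">ProxyVM is not null.</exception>
public object ReadMachineRegistry(out bool Status, string Root, string DataPath, string ProxyVM = null, string AlternateInterface = null)
{
    // Until proven otherwise, we assume the status is 'False'
    Status = false;

    if (AlternateInterface != null && AlternateInterface != this.GetType().Name)
    {
        // NOTE(review): AlternateInterface picks a type that is then instantiated and invoked.
        // Confirm PluginLoader resolves only trusted plugin assemblies and that this name never
        // comes from untrusted input.
        Type Plug = PluginLoader.FindType(AlternateInterface);
        if (Plug == null)
        {
            PluginLoader.ScanForPlugins();
            Plug = PluginLoader.FindType(AlternateInterface);
        }
        if (Plug != null)
        {
            dynamic Alt = Activator.CreateInstance(Plug);
            return (Alt.ReadMachineRegistry(out Status, Root, DataPath, ProxyVM));
        }
        return null;
    }

    if (ProxyVM != null)
    {
        //TODO: Issue remote registry command to the VM
        throw new NotImplementedException();
    }

    bool mountStatus = false;
    bool hiveLoaded = false;
    string hiveFile = null;
    RegistryKey location = null;

    try
    {
        string winRoot;
        if (Path.HasExtension(Root) && VHDExtensions.Contains(Path.GetExtension(Root), StringComparer.InvariantCultureIgnoreCase))
        {
            // This is a VHD file: mount it and use the first mount point on which
            // DetectWindows reports something. If none does, return null with Status false.
            // NOTE(review): unlike ReadUserRegistry, this path does not check for an existing
            // mount before calling MountVHD - confirm an already-mounted image is handled.
            var arr = MountVHD(out mountStatus, Root);
            if (mountStatus == false)
            {
                return null;
            }
            winRoot = arr.FirstOrDefault(s => DetectWindows(s + @"\") != null);
        }
        else
        {
            // Not a VHD file. Find Windows on this partition.
            winRoot = DetectWindows(Root);
        }

        if (winRoot == null)
        {
            // Can't get there from here.
            return null;
        }

        if (DataPath == null)
        {
            throw new ArgumentNullException("DataPath");
        }

        // Which hive do we need to load? Find the first SOFTWARE or SYSTEM component.
        var parts = DataPath.Split('\\');
        int partIndex = 0;
        while (partIndex < parts.Length
               && !parts[partIndex].Equals("SOFTWARE", StringComparison.InvariantCultureIgnoreCase)
               && !parts[partIndex].Equals("SYSTEM", StringComparison.InvariantCultureIgnoreCase))
        {
            partIndex++;
        }
        if (partIndex >= parts.Length)
        {
            throw new ArgumentException("DataPath must refer to SOFTWARE or SYSTEM roots.");
        }
        if (partIndex + 1 >= parts.Length)
        {
            // Previously this case ran off the end of the array at parts[partIndex + 1].
            throw new ArgumentException("DataPath must name a value beneath the SOFTWARE or SYSTEM root.");
        }

        // NOTE(review): this attaches a hive file taken from the inspected image to the live
        // HKLM tree. Confirm the process privileges this needs and how far the image is trusted.
        hiveFile = Path.Combine(winRoot + SysRegPostfix, parts[partIndex]);
        string newRoot = RegExtra.LoadHive(RegistryHive.LocalMachine, hiveFile);
        if (newRoot == null)
        {
            return null;
        }
        hiveLoaded = true;

        location = Registry.LocalMachine.OpenSubKey(newRoot);
        if (location == null)
        {
            return null;
        }

        // Try to be proactive about CurrentControlSet to avoid needless extra calls.
        if (parts[partIndex + 1].Equals("CurrentControlSet", StringComparison.InvariantCultureIgnoreCase))
        {
            RegistryKey selectKey = location.OpenSubKey("Select");
            if (selectKey != null)
            {
                try
                {
                    // RegistryKey.GetValue hands back a REG_DWORD as a boxed Int32, so unboxing
                    // straight to uint throws; check the type and tolerate a missing value.
                    object current = selectKey.GetValue("Current");
                    if (current is int)
                    {
                        parts[partIndex + 1] = String.Format("ControlSet{0:000}", (int)current);
                    }
                }
                finally
                {
                    selectKey.Close();
                }
            }
        }

        for (int i = partIndex + 1; i < parts.Length - 1; i++)
        {
            // Close each parent as we descend: handles left open inside the loaded hive
            // can prevent it from being unloaded afterwards.
            RegistryKey child = location.OpenSubKey(parts[i]);
            location.Close();
            location = child;
            if (location == null)
            {
                return null;
            }
        }

        var retval = location.GetValue(parts[parts.Length - 1]);
        Status = true;
        return retval;
    }
    finally
    {
        // Undo everything on every exit path (early return or exception) so a failed lookup
        // does not leave the hive attached to HKLM or the image mounted.
        try
        {
            if (location != null)
            {
                location.Close();
            }
            if (hiveLoaded)
            {
                RegExtra.UnloadHive(RegistryHive.LocalMachine, hiveFile);
            }
        }
        finally
        {
            if (mountStatus)
            {
                UnmountVHD(Root);
            }
        }
    }
}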
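/// <summary>
/// Reads one value from a user's NTUSER.DAT hive located under the Users root found for
/// <paramref name="Root"/>. The hive is loaded under HKLM for the duration of the call and
/// unloaded again on every exit path.
/// </summary>
/// <param name="Status">Set to true only when the value lookup was reached; false on every failure path.</param>
/// <param name="Root">
/// Either a path whose extension is listed in VHDExtensions (existing mount points are reused,
/// otherwise the image is mounted) or a path handed to LocateUserRoot directly.
/// </param>
/// <param name="Username">Name of the profile directory beneath the located Users root.</param>
/// <param name="DataPath">
/// Backslash-separated key path, optionally prefixed with HKCU or HKEY_CURRENT_USER; the last
/// component is the value name.
/// </param>
/// <param name="ProxyVM">Not implemented; any non-null value throws <see cref="NotImplementedException"/>.</param>
/// <param name="AlternateInterface">
/// Name of a plugin type to delegate to. Ignored when null or equal to this type's name.
/// </param>
/// <returns>The value returned by the registry lookup, or null when any step fails.</returns>
/// <exception cref="ArgumentException">
/// Username is not a plain directory name, the profile directory or its NTUSER.DAT does not
/// exist, or DataPath is null.
/// </exception>
/// <exception cref="NotImplementedException">ProxyVM is not null.</exception>
public object ReadUserRegistry(out bool Status, string Root, string Username, string DataPath, string ProxyVM = null, string AlternateInterface = null)
{
    // Until proven otherwise, we assume the status is 'False'
    Status = false;

    if (AlternateInterface != null && AlternateInterface != this.GetType().Name)
    {
        // NOTE(review): AlternateInterface picks a type that is then instantiated and invoked.
        // Confirm PluginLoader resolves only trusted plugin assemblies and that this name never
        // comes from untrusted input.
        Type Plug = PluginLoader.FindType(AlternateInterface);
        if (Plug == null)
        {
            PluginLoader.ScanForPlugins();
            Plug = PluginLoader.FindType(AlternateInterface);
        }
        if (Plug != null)
        {
            dynamic Alt = Activator.CreateInstance(Plug);
            return (Alt.ReadUserRegistry(out Status, Root, Username, DataPath, ProxyVM));
        }
        return null;
    }

    if (ProxyVM != null)
    {
        //TODO: Issue remote registry command to the VM
        throw new NotImplementedException();
    }

    bool mountStatus = false;
    bool hiveLoaded = false;
    string hiveFile = null;
    RegistryKey location = null;

    try
    {
        string userFileRoot;
        if (Path.HasExtension(Root) && VHDExtensions.Contains(Path.GetExtension(Root), StringComparer.InvariantCultureIgnoreCase))
        {
            // This is a VHD file. Reuse its mount points if it is already mounted; otherwise
            // mount it here (mountStatus then records that this call must unmount it again).
            var arr = GetMountPoints(Root) ?? new string[0];
            if (arr.Length == 0)
            {
                // Nope, not mounted yet. Do so now.
                arr = MountVHD(out mountStatus, Root);
                if (mountStatus == false)
                {
                    return null;
                }
            }
            userFileRoot = arr.FirstOrDefault(s => LocateUserRoot(s + @"\") != null);
        }
        else
        {
            // Not a VHD file. Locate the user root on this partition.
            userFileRoot = LocateUserRoot(Root);
        }

        if (userFileRoot == null)
        {
            // Can't get there from here.
            return null;
        }

        // Username is joined onto the Users root below. Path.Combine discards the first argument
        // when the second is rooted and does not collapse "..", so accept only a single plain
        // directory name to keep the hive path inside the located Users root.
        if (string.IsNullOrEmpty(Username)
            || Username == "."
            || Username == ".."
            || Username.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        {
            throw new ArgumentException("Username must be a single directory name.");
        }

        // Ok, we have a root Users directory. Check for our user and load if possible.
        string userPath = Path.Combine(userFileRoot, Username);
        if (!Directory.Exists(userPath))
        {
            throw new ArgumentException("Username not found. Invalid user path: " + userPath);
        }

        string candidateHive = Path.Combine(userPath, @"NTUSER.DAT");
        if (!File.Exists(candidateHive))
        {
            throw new ArgumentException("User data not found. Invalid file path: " + candidateHive);
        }

        if (DataPath == null)
        {
            throw new ArgumentNullException("DataPath");
        }

        // NOTE(review): this attaches a hive file taken from the inspected image to the live
        // HKLM tree. Confirm the process privileges this needs and how far the image is trusted.
        hiveFile = candidateHive;
        string regRoot = RegExtra.LoadHive(RegistryHive.LocalMachine, hiveFile);
        if (regRoot == null)
        {
            return null;
        }
        hiveLoaded = true;

        location = Registry.LocalMachine.OpenSubKey(regRoot);
        if (location == null)
        {
            return null;
        }

        var parts = DataPath.Split('\\');

        // Skip an explicit HKCU / HKEY_CURRENT_USER prefix; the loaded hive already is that root.
        int startIndex = 0;
        if (parts[0].Equals("HKCU", StringComparison.InvariantCultureIgnoreCase)
            || parts[0].Equals("HKEY_CURRENT_USER", StringComparison.InvariantCultureIgnoreCase))
        {
            startIndex = 1;
        }

        for (int i = startIndex; i < parts.Length - 1; i++)
        {
            // Close each parent as we descend: handles left open inside the loaded hive
            // can prevent it from being unloaded afterwards.
            RegistryKey child = location.OpenSubKey(parts[i]);
            location.Close();
            location = child;
            if (location == null)
            {
                return null;
            }
        }

        var retval = location.GetValue(parts[parts.Length - 1]);
        Status = true;
        return retval;
    }
    finally
    {
        // Undo everything on every exit path (early return or exception) so a failed lookup
        // does not leave the hive attached to HKLM or an image mounted by this call.
        try
        {
            if (location != null)
            {
                location.Close();
            }
            if (hiveLoaded)
            {
                RegExtra.UnloadHive(RegistryHive.LocalMachine, hiveFile);
            }
        }
        finally
        {
            if (mountStatus)
            {
                UnmountVHD(Root);
            }
        }
    }
}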