private static UInt32 GetHiveValueFromString(RegHive RegistryHive)
{
//HKEY_CLASSES_ROOT = 2147483648 or 0x80000000
//HKEY_CURRENT_USER = 2147483649 or 0x80000001
//HKEY_LOCAL_MACHINE = 2147483650 or 0x80000002
//HKEY_USERS = 2147483651 or 0x80000003
//HKEY_CURRENT_CONFIG = 2147483653 or 0x80000005
UInt32 TmpRegHive = 0;
if (RegistryHive == RegHive.CLASSES_ROOT)
{
TmpRegHive = 2147483648;
}
else if (RegistryHive == RegHive.CURRENT_USER)
{
TmpRegHive = 2147483649;
}
else if (RegistryHive == RegHive.LOCAL_MACHINE)
{
TmpRegHive = 2147483650;
}
else if (RegistryHive == RegHive.USERS)
{
TmpRegHive = 2147483651;
}
else if (RegistryHive == RegHive.CURRENT_CONFIG)
{
TmpRegHive = 2147483653;
}
return(TmpRegHive);
}
public static RegType GetValueType(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName)
{
ManagementBaseObject inParams = mc.GetMethodParameters("EnumValues");
inParams["hDefKey"] = hDefKey;
inParams["sSubKeyName"] = sSubKeyName;
ManagementBaseObject outParams = mc.InvokeMethod("EnumValues", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
string[] sNames = outParams["sNames"] as String[];
int[] iTypes = outParams["Types"] as int[];
for (int i = 0; i < sNames.Length; i++)
{
if (sNames[i] == sValueName)
{
return((RegType)iTypes[i]);
}
}
// value not found
}
else
{
// EnumValues call failed
}
}
private CimMethodParametersCollection SetRegParameters(RegHive RegistryHive, RegistryMethods RegMethod, string SubKeyPath, string AttributeName = "", string Value = "")
{
string StrRegMethod = Enum.GetName(typeof(RegistryMethods), RegMethod);
CimMethodParametersCollection CimParams = GetParametersForMethod(RegistryNameSpace, RegistryClassName, StrRegMethod);
CimParams["hDefKey"].Value = GetHiveValueFromString(RegistryHive);
CimParams["sSubKeyName"].Value = SubKeyPath;
if (StrRegMethod != "CreateKey" && StrRegMethod != "DeletKey" && StrRegMethod != "EnumKey" && StrRegMethod != "EnumValues" && StrRegMethod != "GetSecurityDescriptor")
{
if (StrRegMethod != "CheckAccess" && StrRegMethod != "SetSecurityDescriptor")
{
CimParams["sValueName"].Value = AttributeName;
if (StrRegMethod == "SetStringValue" || StrRegMethod == "SetMultiStringValue" || StrRegMethod == "SetExpandedStringValue")
{
CimParams["sValue"].Value = Value;
}
else if (StrRegMethod == "SetDWORDValue" || StrRegMethod == "SetQWORDValue" || StrRegMethod == "SetBinaryValue")
{
CimParams["uValue"].Value = Value;
}
}
else if (StrRegMethod == "CheckAccess")
{
CimParams["uRequired"].Value = Value;
}
else if (StrRegMethod == "SetSecurityDescriptor")
{
CimParams["Descriptor"].Value = Value;
}
}
return(CimParams);
}
internal RegistryNode(RegistryBase registry, RegHive hive)
{
Hive = hive;
Key = string.Empty;
Registry = registry;
Children = new LinkedList <RegistryNode>();
_searchElements.Add(this);
}
private static int Add_HKCR_Features()
{
int cnt = 0;
/****************************************************************************************************/
//HKEY_CLASSES_ROOT\Installer\Features
/****************************************************************************************************/
//HKEY_CLASSES_ROOT\Installer\Features\0040152C8855F3932AB75A480ABAB749
string sub = "Features";
Controller.UpdateProgress(@"Analyzing HKEY_CLASSES_ROOT\Installer\" + sub + "...", true);
//RegHive reghive = new RegHive(@"HKEY_CLASSES_ROOT\Installer\" + sub);
RegHive reghive = Controller.regHives[@"HKEY_CLASSES_ROOT\Installer\Features"];
//its subkeys are compressed product codes
foreach (string key in reghive.subKeys)
{
string reg = String.Format(@"HKEY_CLASSES_ROOT\Installer\" + sub + @"\{0}", key);
// Controller.UpdateProgress("Comparing " + reg);
//for Features, use compressedProductCodes
if (foundCompressedProductCodes.Contains(key) ||
sumSQLProduct.compressedProductCodes.Contains(key))
{
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
string comment = "Product code from MSI package:" + key;
if (sumSQLProduct.productCodeToName.ContainsKey(key))
{
comment = sumSQLProduct.productCodeToName[key];
}
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Installer_ProductCode, key, comment, true)
);
cnt++;
}
if (!foundCompressedProductCodes.Contains(key))
{
foundCompressedProductCodes.Add(key);
}
}
}
Controller.UpdateProgress("Add_HKCR_Features keys:" + cnt, true);
return(cnt);
}
/// <summary>
/// Initiiazles a new RegistryNode
/// </summary>
/// <param name="view"></param>
/// <param name="hive"></param>
public RegistryNode(RegView view, RegHive hive)
{
Hive = hive;
Key = string.Empty;
if (view == RegView.x64)
{
Registry = new Registry64();
}
else
{
Registry = new Registry32();
}
Children = new LinkedList <RegistryNode>();
_searchElements.Add(this);
}
private static int Add_HKCR_Dependencies()
{
int cnt = 0;
/****************************************************************************************************/
//HKEY_CLASSES_ROOT\Installer\Dependencies
/****************************************************************************************************/
string sub = "Dependencies";
//HKEY_CLASSES_ROOT\Installer\Dependencies\{070C38AC-05CE-43DF-9A20-141332F6AB2B}
//hive_HKCR_Installer_Dependencies
Controller.UpdateProgress(@"Analyzing HKEY_CLASSES_ROOT\Installer\" + sub + "...", true);
//RegHive reghive = new RegHive(@"HKEY_CLASSES_ROOT\Installer\" + sub + "");
RegHive reghive = Controller.regHives[@"HKEY_CLASSES_ROOT\Installer\Dependencies"];
//its subkeys are product codes
foreach (string key in reghive.subKeys)
{
string reg = String.Format(@"HKEY_CLASSES_ROOT\Installer\" + sub + @"\{0}", key);
// Controller.UpdateProgress("Comparing " + reg);
if (sumSQLProduct.productCodes.Contains(key))
{
string compKey = Utility.ConvertGUID2CompressedRegistryStyle(key);
string comment = "Product code from MSI package:" + key;
if (sumSQLProduct.productCodeToName.ContainsKey(compKey))
{
comment = sumSQLProduct.productCodeToName[compKey];
}
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Installer_ProductCode, compKey, comment, false));
cnt++;
}
if (!foundCompressedProductCodes.Contains(compKey))
{
foundCompressedProductCodes.Add(compKey);
}
}
}
Controller.UpdateProgress("Add_HKCR_Dependencies keys:" + cnt, true);
return(cnt);
}
private static RegType GetValueType(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName)
{
ManagementBaseObject inParams = mc.GetMethodParameters("EnumValues");
inParams["hDefKey"] = hDefKey;
inParams["sSubKeyName"] = sSubKeyName;
ManagementNamedValueCollection objCtx = new ManagementNamedValueCollection();
objCtx.Add("__ProviderArchitecture", 64);
objCtx.Add("__RequiredArchitecture", true);
InvokeMethodOptions invokeOptions = new InvokeMethodOptions();
invokeOptions.Context = objCtx;
ManagementBaseObject outParams = mc.InvokeMethod("EnumValues", inParams, invokeOptions);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
string[] sNames = outParams["sNames"] as String[];
int[] iTypes = outParams["Types"] as int[];
for (int i = 0; i < sNames.Length; i++)
{
if (sNames[i] == sValueName)
{
return((RegType)iTypes[i]);
}
}
return(0);
}
else
{
return(0);
}
return(0);
}
private static int Add_HKCR_UpgradeCodes()
{
int cnt = 0;
/****************************************************************************************************/
//HKEY_CLASSES_ROOT\Installer\UpgradeCodes
/****************************************************************************************************/
//HKEY_CLASSES_ROOT\Installer\UpgradeCodes\018E681CDBF373D3CA372AA3D490C521
string sub = "UpgradeCodes";
Controller.UpdateProgress(@"Analyzing HKEY_CLASSES_ROOT\Installer\" + sub + "...", true);
//RegHive reghive = new RegHive(@"HKEY_CLASSES_ROOT\Installer\" + sub);
RegHive reghive = Controller.regHives[@"HKEY_CLASSES_ROOT\Installer\UpgradeCodes"];
//first, check upgrade code
foreach (string key in reghive.subKeys)
{
string reg = String.Format(@"HKEY_CLASSES_ROOT\Installer\" + sub + @"\{0}", key);
// Controller.UpdateProgress("Comparing " + reg);
if (sumSQLProduct.compressedUpgradeCodes.Contains(key))
{
string comment = "Upgrade Code:" + key;
if (sumSQLProduct.upgradeCodeToName.ContainsKey(key))
{
comment = sumSQLProduct.upgradeCodeToName[key];
}
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Installer_UpgradeCode, key, comment, true));
}
if (!foundCompressedUpradeCodes.Contains(key))
{
foundCompressedUpradeCodes.Add(key);
}
if (!sumSQLProduct.upgradeCodeToName.ContainsKey(key))
{
sumSQLProduct.upgradeCodeToName.Add(key, comment);
}
RegKey rk = new RegKey(reg, "");
foreach (RegProperty rp in rk.RegProperties)
{
if (rp.Name.Length == 32)
{
if (!foundCompressedProductCodes.Contains(rp.Name))
{
foundCompressedProductCodes.Add(rp.Name);
}
if (!sumSQLProduct.productCodeToName.ContainsKey(rp.Name))
{
sumSQLProduct.productCodeToName.Add(rp.Name, comment);
}
}
}
}
}
//second,check product code under the key
//HKEY_CLASSES_ROOT\Installer\UpgradeCodes\0158E79888DB55D45B27961CE0F2428C->will store product code under this key
foreach (RegKey rk in reghive.regKeys)
{
bool found = false;
foreach (RegProperty rp in rk.RegProperties)
{
//If any name matches product code
if (foundCompressedProductCodes.Contains(rp.Name) ||
sumSQLProduct.compressedProductCodes.Contains(rp.Name))
{
string comment = "Product code:" + rp.Name;
if (sumSQLProduct.productCodeToName.ContainsKey(rp.Name))
{
comment = sumSQLProduct.productCodeToName[rp.Name];
}
if (!Controller.sqlRegKeys.ContainsKey(rk.Path))
{
cnt++;
Controller.sqlRegKeys.Add(rk.Path,
new Reason(SourceType.Installer_ProductCode, rp.Name, comment, true));
}
if (!foundCompressedProductCodes.Contains(rp.Name))
{
foundCompressedProductCodes.Add(rp.Name);
}
if (!sumSQLProduct.productCodeToName.ContainsKey(rp.Name))
{
sumSQLProduct.productCodeToName.Add(rp.Name, comment);
}
found = true;
}
if (found)
{
break;
}
} //foreach
} //forach
Controller.UpdateProgress("Add_HKCR_UpgradeCodes keys:" + cnt, true);
return(cnt);
}
} //Add
private static int Add_HKCR_Products()
{
int cnt = 0;
/****************************************************************************************************/
//HKEY_CLASSES_ROOT\Installer\Products
/****************************************************************************************************/
//HKEY_CLASSES_ROOT\Installer\Products\FCB7990CA27B16A4B88236108DBC3510\SourceList
string sub = "Products";
Controller.UpdateProgress(@"Analyzing HKEY_CLASSES_ROOT\Installer\" + sub + "...", true);
subKey sk = new subKey("SourceList", "PackageName");
// RegHive reghive = new RegHive(@"HKEY_CLASSES_ROOT\Installer\" + sub, sk);
RegHive reghive = Controller.regHives[@"HKEY_CLASSES_ROOT\Installer\Products"];
//first, check product code
foreach (string key in reghive.subKeys)
{
string reg = String.Format(@"HKEY_CLASSES_ROOT\Installer\" + sub + @"\{0}", key);
// Controller.UpdateProgress("Comparing " + reg);
string comment = "Product code:" + key;
if (sumSQLProduct.productCodeToName.ContainsKey(key))
{
comment = sumSQLProduct.productCodeToName[key];
}
if (foundCompressedProductCodes.Contains(key) ||
sumSQLProduct.compressedProductCodes.Contains(key)
)
{
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Installer_ProductCode, key, comment, true));
}
if (!foundCompressedProductCodes.Contains(key))
{
foundCompressedProductCodes.Add(key);
}
//Need to add patch information
string pKey = reg + "\\Patches";
if (RegHelper.IsKeyExist(pKey))
{
RegKey rk = new RegKey(pKey, "");
if (rk.Properties.ContainsKey("Patches"))
{
string[] patches = rk.Properties["Patches"][1].Split(new string[] { "\n" }, StringSplitOptions.RemoveEmptyEntries);
foreach (string s in patches)
{
if (!foundCompressedPatchCode.Contains(s.Trim()))
{
foundCompressedPatchCode.Add(s.Trim());
}
if (!sumSQLProduct.patchCodeToName.ContainsKey(s.Trim()))
{
sumSQLProduct.patchCodeToName.Add(s.Trim(), comment);
}
}
}
}
} //match
}
//second, check package name to add more
foreach (KeyValuePair <string, List <string> > kv in reghive.propertyMap)
{
//Just check *.msi, since we don't ship xml about patch.
if (sumSQLProduct.packageNames.Contains(Path.GetFileName(kv.Key).ToLower()))
{
foreach (string path in kv.Value)
{
string comment = "Package name matches:" + kv.Key;
string name1 = Path.GetFileName(kv.Key).ToLower();
if (sumSQLProduct.packageToName.ContainsKey(name1))
{
comment = sumSQLProduct.packageToName[name1];
}
if (!Controller.sqlRegKeys.ContainsKey(path))
{
cnt++;
Controller.sqlRegKeys.Add(path,
new Reason(SourceType.FromMSI_PackageName, kv.Key, comment, true));
}
int start = path.IndexOf("Products\\") + "Products\\".Length;
string code = path.Substring(start, 32);
if (!foundCompressedProductCodes.Contains(code))
{
foundCompressedProductCodes.Add(code);
}
if (!sumSQLProduct.productCodeToName.ContainsKey(code))
{
sumSQLProduct.productCodeToName.Add(code, comment);
}
//Need to add patch information
string pKey = path + "\\Patches";
if (RegHelper.IsKeyExist(pKey))
{
RegKey rk = new RegKey(pKey, "");
if (rk.Properties.ContainsKey("Patches"))
{
string[] patches = rk.Properties["Patches"][1].Split(new string[] { "\n" }, StringSplitOptions.RemoveEmptyEntries);
foreach (string s in patches)
{
if (!foundCompressedPatchCode.Contains(s.Trim()))
{
foundCompressedPatchCode.Add(s.Trim());
}
if (!sumSQLProduct.patchCodeToName.ContainsKey(s.Trim()))
{
sumSQLProduct.patchCodeToName.Add(s.Trim(), comment);
}
}
}
}
}
} //match
}
//third, scan package code to see if any matches...could hit less
foreach (RegKey rk in reghive.regKeys)
{
if (rk.Properties.ContainsKey("PackageCode"))
{
string pcode = rk.Properties["PackageCode"][1];
if (sumSQLProduct.compressedPackageCodes.Contains(pcode))
{
string comment = "Package Code:" + pcode;
if (sumSQLProduct.packageCodeToName.ContainsKey(pcode))
{
comment = sumSQLProduct.packageCodeToName[pcode];
}
if (!Controller.sqlRegKeys.ContainsKey(rk.Path))
{
cnt++;
Controller.sqlRegKeys.Add(rk.Path,
new Reason(SourceType.FromMSI_PackageCode, pcode, comment, true));
}
int start = rk.Path.IndexOf("Products\\") + "Products\\".Length;
string code = rk.Path.Substring(start, 32);
if (!foundCompressedProductCodes.Contains(code))
{
foundCompressedProductCodes.Add(code);
}
if (!sumSQLProduct.productCodeToName.ContainsKey(code))
{
sumSQLProduct.productCodeToName.Add(code, comment);
}
//Need to add patch information
string pKey = rk.Path + "\\Patches";
if (RegHelper.IsKeyExist(pKey))
{
RegKey prk = new RegKey(pKey, "");
if (prk.Properties.ContainsKey("Patches"))
{
string[] patches = prk.Properties["Patches"][1].Split(new string[] { "\n" }, StringSplitOptions.RemoveEmptyEntries);
foreach (string s in patches)
{
if (!foundCompressedPatchCode.Contains(s.Trim()))
{
foundCompressedPatchCode.Add(s.Trim());
}
if (!sumSQLProduct.patchCodeToName.ContainsKey(s.Trim()))
{
sumSQLProduct.patchCodeToName.Add(s.Trim(), comment);
}
}
}
}
}
}
}//foreach
Controller.UpdateProgress("Add_HKCR_Products keys:" + cnt, true);
return(cnt);
}
public static object GetValue(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName)
{
RegType rType = GetValueType(mc, hDefKey, sSubKeyName, sValueName);
ManagementBaseObject inParams = mc.GetMethodParameters("GetStringValue");
inParams["hDefKey"] = hDefKey;
inParams["sSubKeyName"] = sSubKeyName;
inParams["sValueName"] = sValueName;
object oValue = null;
switch (rType)
{
case RegType.REG_SZ:
ManagementBaseObject outParams = mc.InvokeMethod("GetStringValue", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
oValue = outParams["sValue"];
}
else
{
// GetStringValue call failed
}
break;
case RegType.REG_EXPAND_SZ:
outParams = mc.InvokeMethod("GetExpandedStringValue", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
oValue = outParams["sValue"];
}
else
{
// GetExpandedStringValue call failed
}
break;
case RegType.REG_MULTI_SZ:
outParams = mc.InvokeMethod("GetMultiStringValue", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
oValue = outParams["sValue"];
}
else
{
// GetMultiStringValue call failed
}
break;
case RegType.REG_DWORD:
outParams = mc.InvokeMethod("GetDWORDValue", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
oValue = outParams["uValue"];
}
else
{
// GetDWORDValue call failed
}
break;
case RegType.REG_BINARY:
outParams = mc.InvokeMethod("GetBinaryValue", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
oValue = outParams["uValue"] as byte[];
}
else
{
// GetBinaryValue call failed
}
break;
}
return oValue;
}
public static RegType GetValueType(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName)
{
ManagementBaseObject inParams = mc.GetMethodParameters("EnumValues");
inParams["hDefKey"] = hDefKey;
inParams["sSubKeyName"] = sSubKeyName;
ManagementBaseObject outParams = mc.InvokeMethod("EnumValues", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
string[] sNames = outParams["sNames"] as String[];
int[] iTypes = outParams["Types"] as int[];
for (int i = 0; i < sNames.Length; i++)
{
if (sNames[i] == sValueName)
{
return (RegType)iTypes[i];
}
}
return new RegType();
}
else
{
// EnumValues call failed
return new RegType();
}
}
public static void Add()
{
var sumSQLProduct = Controller.sumSQLProduct;
HashSet <string> foundCLSID = new HashSet <string>();
HashSet <string> foundTypeLib = new HashSet <string>();
HashSet <string> foundProgID = new HashSet <string>();
string[] hives = new string[] { "HKEY_CLASSES_ROOT", "HKEY_CLASSES_ROOT\\Wow6432Node" };
foreach (string hiveRoot in hives)
{
/*******************************************************************/
/*
* HKEY_CLASSES_ROOT\CLSID
*/
/*******************************************************************/
int cnt = 0;
subKey sbk = new subKey("InProcServer32", "");
Controller.UpdateProgress(@"Scanning " + hiveRoot, true);
//RegHive reghive = new RegHive(hiveRoot + @"\CLSID", sbk);
RegHive reghive = Controller.regHives[hiveRoot + @"\CLSID"];
Logger.LogMsg("reghive.propertyMap:" + reghive.propertyMap.Count);
foreach (KeyValuePair <string, List <string> > kv in reghive.propertyMap)
{
//Ignore those like:C:\Program Files\Common Files\Microsoft Shared\VS7Debug\pdm.dll
if (kv.Key.ToLower().Contains("microsoft shared"))
{
continue;
}
// foreach (SQLProduct sql in sqlProducts)
{
try
{
if (sumSQLProduct.files_EXE_DLL.Contains(Path.GetFileName(kv.Key).ToLower()))
{
foreach (string path in kv.Value)
{
if (!Controller.sqlRegKeys.ContainsKey(path))
{
cnt++;
Controller.sqlRegKeys.Add(path, new Reason(SourceType.FromMSI_File, kv.Key));
}
//HKEY_CLASSES_ROOT\CLSID\{FE2D84B0-BBD5-4EC6-9A74-EE1C55148D78}\TypeLib
string typeLibKey = path + "\\TypeLib";
if (RegHelper.IsKeyExist(typeLibKey))
{
RegKey rk = new RegKey(typeLibKey, "");
if (rk.Properties.ContainsKey("(Default)"))
{
if (!foundTypeLib.Contains(rk.Properties["(Default)"][1].ToString()))
{
foundTypeLib.Add(rk.Properties["(Default)"][1].ToString());
}
}
}
//HKEY_CLASSES_ROOT\CLSID\{02E7E69E-E80A-48E3-8B1D-6448C25B1710}\ProgID
string progIDKey = path + "\\ProgID";
if (RegHelper.IsKeyExist(progIDKey))
{
RegKey rk = new RegKey(progIDKey, "");
if (rk.Properties.ContainsKey("(Default)"))
{
if (!foundProgID.Contains(rk.Properties["(Default)"][1].ToString()))
{
foundProgID.Add(rk.Properties["(Default)"][1].ToString());
}
}
}
int idx = path.IndexOf("CLSID\\") + 6;
string CLSID = path.Substring(idx, 38);
if (!foundCLSID.Contains(CLSID))
{
foundCLSID.Add(CLSID);
}
}
}
}
catch (Exception ex)
{
Logger.LogError(ex.Message);
}
} //foreach SQL products
}
Controller.UpdateProgress(reghive.hivePath + " Add keys:" + cnt, true);
/*******************************************************************/
/*
* HKEY_CLASSES_ROOT\TypeLib
*/
/*******************************************************************/
cnt = 0;
Controller.UpdateProgress(@"Scanning " + hiveRoot, true);
//reghive = new RegHive(hiveRoot + @"\TypeLib");
reghive = Controller.regHives[hiveRoot + @"\TypeLib"];
string[] winxx = new string[] { "win32", "win64" };
foreach (RegKey rk in reghive.regKeys)
{
foreach (string win in winxx)
{
string fullpath = RegHelper.FindSubKey(rk.Path, win, 4);
if (!string.IsNullOrEmpty(fullpath))
{
//we find one
RegKey subrk = new RegKey(fullpath, "");
if (subrk.Properties.ContainsKey("(Default)"))
{
try
{
string file = subrk.Properties["(Default)"][1].ToLower();
string name = Path.GetFileName(file);
if (file.Contains("microsoft shared"))
{
continue;
}
if (sumSQLProduct.files_EXE_DLL.Contains(name))
{
if (!Controller.sqlRegKeys.ContainsKey(rk.Path))
{
Controller.sqlRegKeys.Add(rk.Path, new Reason(SourceType.FromMSI_File, file));
cnt++;
}
if (!foundTypeLib.Contains(rk.leaf))
{
foundTypeLib.Add(rk.leaf);
}
}
}
catch (Exception ex) { }
}
} //if
} //foreach winxx
} //foreach
Controller.UpdateProgress(reghive.hivePath + " Add keys:" + cnt, true);
//now check ProdID
//HKEY_CLASSES_ROOT\DTS.ConnectionManagerOlap.5\CLSID
//.this require .NET 45. so comment it
// RegistryKey hkcr = RegistryKey.OpenBaseKey(RegistryHive.ClassesRoot, RegistryView.Registry64);
var hkcr = RegistryExtensions.OpenBaseKey(RegistryHive.ClassesRoot, RegistryExtensions.RegistryHiveType.X64);
string[] allnames = hkcr.GetSubKeyNames();
cnt = 0;
foreach (string s in allnames)
{
string sub = hiveRoot + "\\" + s;
RegistryKey subkey = hkcr.OpenSubKey(s);
if (subkey == null)
{
continue;
}
string[] subnames = subkey.GetSubKeyNames();
if (subnames.Contains("CLSID") || subnames.Contains("Clsid"))
{
string result = RegHelper.GetValueForProperty(sub + "\\CLSID", "");
if (foundCLSID.Contains(result))
{
//we find one
if (!Controller.sqlRegKeys.ContainsKey(sub))
{
Controller.sqlRegKeys.Add(sub, new Reason(SourceType.COMClass, result, "CLSID:" + result));
cnt++;
}
}
}
}
Controller.UpdateProgress("HKEY_CLASSES_ROOT\\ProdID Add keys:" + cnt, true);
//Add HKCR\ProdID
cnt = 0;
foreach (string s in foundProgID)
{
string path = hiveRoot + "\\" + s;
if (Controller.sqlRegKeys.ContainsKey(path))
{
continue;
}
else
{
if (RegHelper.IsKeyExist(path))
{
cnt++; Controller.sqlRegKeys.Add(path, new Reason(SourceType.COMClass, s, "ProdID:" + s));
}
}
}
Controller.UpdateProgress("HKEY_CLASSES_ROOT\\ProdID (from foundProgID) Add keys:" + cnt, true);
//for HKEY_CLASSES_ROOT\AppID I don't know how to add it here
//
/********************************************************/
//HKEY_CLASSES_ROOT\Interface
/********************************************************/
//HKEY_CLASSES_ROOT\Interface\{33d00d41-c94f-5a61-9ab7-280dcefa0b08}\ProxyStubClsid32
//below could have less hits...
Controller.UpdateProgress(@"Scanning " + hiveRoot, true);
// reghive = new RegHive(hiveRoot + @"\Interface");
reghive = Controller.regHives[hiveRoot + @"\Interface"];
cnt = 0;
foreach (string sub in reghive.subKeys)
{
try
{
string path = hiveRoot + "\\Interface\\" + sub;
if (!RegHelper.IsKeyExist(path + "\\ProxyStubClsid32"))
{
continue;
}
RegKey rk = new RegKey(path + "\\ProxyStubClsid32", "");
if (rk.Properties.ContainsKey("(Default)"))
{
string clsid = rk.Properties["(Default)"][1];
if (foundCLSID.Contains(clsid))
{
if (!Controller.sqlRegKeys.ContainsKey(path))
{
cnt++;
Controller.sqlRegKeys.Add(path, new Reason(SourceType.COMClass, clsid, "CLSID:" + clsid));
}
}
}
}
catch (Exception ex)
{
Logger.LogError(ex.Message);
}
}
Controller.UpdateProgress(reghive.hivePath + " Add keys:" + cnt, true);
}// for hiveRoot
}
public static object GetValue(ManagementClass mc, RegHive hDefKey, string sSubKeyName, string sValueName)
{
RegType rType = GetValueType(mc, hDefKey, sSubKeyName, sValueName);
ManagementBaseObject inParams = mc.GetMethodParameters("GetStringValue");
inParams["hDefKey"] = hDefKey;
inParams["sSubKeyName"] = sSubKeyName;
inParams["sValueName"] = sValueName;
object oValue = null;
switch (rType)
{
case RegType.REG_SZ:
ManagementBaseObject outParams = mc.InvokeMethod("GetStringValue", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
oValue = outParams["sValue"];
}
else
{
// GetStringValue call failed
}
break;
case RegType.REG_EXPAND_SZ:
outParams = mc.InvokeMethod("GetExpandedStringValue", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
oValue = outParams["sValue"];
}
else
{
// GetExpandedStringValue call failed
}
break;
case RegType.REG_MULTI_SZ:
outParams = mc.InvokeMethod("GetMultiStringValue", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
oValue = outParams["sValue"];
}
else
{
// GetMultiStringValue call failed
}
break;
case RegType.REG_DWORD:
outParams = mc.InvokeMethod("GetDWORDValue", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
oValue = outParams["uValue"];
}
else
{
// GetDWORDValue call failed
}
break;
case RegType.REG_BINARY:
outParams = mc.InvokeMethod("GetBinaryValue", inParams, null);
if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
{
oValue = outParams["uValue"] as byte[];
}
else
{
// GetBinaryValue call failed
}
break;
}
return(oValue);
}
private static int Add_HKLM_UpgradeCodes()
{
int cnt = 0;
/****************************************************************************************************/
//HKLM
/****************************************************************************************************/
/****************************************************************************************************/
//HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes
/****************************************************************************************************/
string sub = "UpgradeCodes";
Controller.UpdateProgress(@"Analyzing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\" + sub + "...", true);
//RegHive reghive = new RegHive(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\" + sub);
RegHive reghive = Controller.regHives[@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes"];
//first, check upgrade code
foreach (string key in reghive.subKeys)
{
string reg = String.Format(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\" + sub + @"\{0}", key);
// Controller.UpdateProgress("Comparing " + reg);
if (sumSQLProduct.compressedUpgradeCodes.Contains(key) ||
foundCompressedUpradeCodes.Contains(key)
)
{
string comment = "Upgrade Code:" + key;
if (sumSQLProduct.upgradeCodeToName.ContainsKey(key))
{
comment = sumSQLProduct.upgradeCodeToName[key];
}
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Installer_UpgradeCode, key, comment, true));
}
if (!foundCompressedUpradeCodes.Contains(key))
{
foundCompressedUpradeCodes.Add(key);
}
if (!sumSQLProduct.upgradeCodeToName.ContainsKey(key))
{
sumSQLProduct.upgradeCodeToName.Add(key, comment);
}
//Need to add product code under this key
RegKey rk = new RegKey(reg, "");
foreach (RegProperty rp in rk.RegProperties)
{
if (rp.Name.Length == 32)
{
if (!foundCompressedProductCodes.Contains(rp.Name))
{
foundCompressedProductCodes.Add(rp.Name);
}
if (!sumSQLProduct.productCodeToName.ContainsKey(rp.Name))
{
sumSQLProduct.productCodeToName.Add(rp.Name, comment);
}
}
}
}
}
foreach (RegKey rk in reghive.regKeys)
{
bool found = false;
foreach (RegProperty rp in rk.RegProperties)
{
//If any name matches product code
if (foundCompressedProductCodes.Contains(rp.Name) ||
sumSQLProduct.compressedProductCodes.Contains(rp.Name))
{
string comment = "Product code:" + rp.Name;
if (sumSQLProduct.productCodeToName.ContainsKey(rp.Name))
{
comment = sumSQLProduct.productCodeToName[rp.Name];
}
if (!Controller.sqlRegKeys.ContainsKey(rk.Path))
{
cnt++;
Controller.sqlRegKeys.Add(rk.Path,
new Reason(SourceType.Installer_ProductCode, rp.Name, comment, true));
}
if (!foundCompressedProductCodes.Contains(rp.Name))
{
foundCompressedProductCodes.Add(rp.Name);
}
if (!sumSQLProduct.productCodeToName.ContainsKey(rp.Name))
{
sumSQLProduct.productCodeToName.Add(rp.Name, comment);
}
found = true;
}
if (found)
{
break;
}
} //foreach
} //forach
Controller.UpdateProgress("Add_HKLM_UpgradeCodes keys:" + cnt, true);
return(cnt);
}
public static void Add_HKLM_Components()
{
int cnt = 0;
/****************************************************************************************************/
//HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components
/****************************************************************************************************/
string sub = "Components";
Controller.UpdateProgress(@"Analyzing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub + "...", true);
//RegHive reghive = new RegHive(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub);
RegHive reghive = Controller.regHives[@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components"];
//first, check product code
//using regKeys instead subkeys
int k = 0;
foreach (RegKey rk in reghive.regKeys)
{
bool found = false;
string reg = rk.Path;
if (k % 2000 == 0)
{
Controller.UpdateProgress("Checking " + reg);
}
k++;
foreach (RegProperty rp in rk.RegProperties)
{
if (foundCompressedProductCodes.Contains(rp.Name) ||
sumSQLProduct.compressedProductCodes.Contains(rp.Name)
)
{
string comment = "Product code:" + rp.Name;
if (sumSQLProduct.productCodeToName.ContainsKey(rp.Name))
{
comment = sumSQLProduct.productCodeToName[rp.Name];
}
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Installer_Component, rp.Name, comment, false));
}
if (!foundCompressedProductCodes.Contains(rp.Name))
{
foundCompressedProductCodes.Add(rp.Name);
}
found = true;
}
/*, don't want to check this, though it can add some
* else
* {
*
* try
* {
* if (sumSQLProduct.files_EXE_DLL.Contains(Path.GetFileName(rp.Data.ToLower())))
* {
* if (!Controller.sqlRegKeys.ContainsKey(reg))
* {
*
* cnt++;
* Controller.sqlRegKeys.Add(reg,
* new Reason(SourceType.Installer_Component, rp.Name, "Product Code:" + rp.Name,true));
*
* }
*
* if (!foundCompressedProductCodes.Contains(rp.Name))
* foundCompressedProductCodes.Add(rp.Name);
* found = true;
* }
* }
* catch (Exception ex)
* {
*
* }
* }
*/
if (found)
{
break;
}
} //foreach
} //foreach
Controller.UpdateProgress("Add_HKLM_Components keys:" + cnt, true);
// return cnt;
}
private static int Add_HKLM_Products()
{
int cnt = 0;
/****************************************************************************************************/
//HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products
/****************************************************************************************************/
string sub = "Products";
Controller.UpdateProgress(@"Analyzing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub + "...", true);
// RegHive reghive = new RegHive(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub);
RegHive reghive = Controller.regHives[@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products"];
//first, check product code
foreach (string key in reghive.subKeys)
{
string reg = String.Format(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub + @"\{0}", key);
// Controller.UpdateProgress("Comparing " + reg);
if (foundCompressedProductCodes.Contains(key) || //use this to shortcut it if it found already
sumSQLProduct.compressedProductCodes.Contains(key)
)
{
string comment = "Product code:" + key;
if (sumSQLProduct.productCodeToName.ContainsKey(key))
{
comment = sumSQLProduct.productCodeToName[key];
}
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Installer_ProductCode, key, comment, true));
}
if (!foundCompressedProductCodes.Contains(key))
{
foundCompressedProductCodes.Add(key);
}
if (!sumSQLProduct.productCodeToName.ContainsKey(key))
{
sumSQLProduct.productCodeToName.Add(key, comment);
}
//Save the patch if any.
string patchKey = reg + "\\Patches";
HashSet <string> mypatches = RegHelper.GetSubKeys(patchKey);
foreach (string s in mypatches)
{
if (!foundCompressedPatchCode.Contains(s))
{
foundCompressedPatchCode.Add(s);
}
if (!sumSQLProduct.patchCodeToName.ContainsKey(s.Trim()))
{
sumSQLProduct.patchCodeToName.Add(s.Trim(), comment);
}
}
}
}
Controller.UpdateProgress("Add_HKLM_Products keys:" + cnt, true);
return(cnt);
}
private static int Add_HKCR_Patches()
{
int cnt = 0;
/****************************************************************************************************/
//HKEY_CLASSES_ROOT\Installer\Patches
/****************************************************************************************************/
//HKEY_CLASSES_ROOT\Installer\Patches\023089E60AE02D343916E2D48AFCAA73\SourceList
string sub = "Patches";
Controller.UpdateProgress(@"Analyzing HKEY_CLASSES_ROOT\Installer\" + sub + "...", true);
subKey sk = new subKey("SourceList", "PackageName");
// RegHive reghive = new RegHive(@"HKEY_CLASSES_ROOT\Installer\" + sub, sk);
RegHive reghive = Controller.regHives[@"HKEY_CLASSES_ROOT\Installer\Patches"];
foreach (string key in reghive.subKeys)
{
string reg = String.Format(@"HKEY_CLASSES_ROOT\Installer\" + sub + @"\{0}", key);
// Controller.UpdateProgress("Comparing " + reg);
//for Patches, use Patch codes!!
if (foundCompressedPatchCode.Contains(key) ||
sumSQLProduct.compressedPatchCodes.Contains(key))
{
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
string comment = "Patch code:" + key;
if (sumSQLProduct.patchCodeToName.ContainsKey(key))
{
comment = sumSQLProduct.patchCodeToName[key];
}
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Installer_PatchCode, key, comment, true));
}
if (!foundCompressedPatchCode.Contains(key))
{
foundCompressedPatchCode.Add(key);
}
}
}
//check source->packageName, whether match?
foreach (KeyValuePair <string, List <string> > kv in reghive.propertyMap)
{
//check msp as well, sumSQLProduct.packageNames may not have .msp but it could have.msi file
if (sumSQLProduct.packageNames.Contains(Path.GetFileName(kv.Key).ToLower()) ||
sumSQLProduct.packageNames.Contains(Path.GetFileNameWithoutExtension(kv.Key).ToLower() + ".msi")
)
{
foreach (string path in kv.Value)
{
string comment = "Package name matches:" + kv.Key;
string name1 = Path.GetFileName(kv.Key).ToLower();
string name2 = Path.GetFileNameWithoutExtension(kv.Key).ToLower() + ".msi";
if (sumSQLProduct.packageToName.ContainsKey(name1))
{
comment = sumSQLProduct.packageToName[name1];
}
else if (sumSQLProduct.packageToName.ContainsKey(name2))
{
comment = sumSQLProduct.packageToName[name2];
}
if (!Controller.sqlRegKeys.ContainsKey(path))
{
cnt++;
Controller.sqlRegKeys.Add(path,
new Reason(SourceType.FromMSI_PackageName, kv.Key, comment, true));
}
int start = path.IndexOf("Patches\\") + "Patches\\".Length;
string code = path.Substring(start, 32);
if (!foundCompressedPatchCode.Contains(code))
{
foundCompressedPatchCode.Add(code);
}
if (!sumSQLProduct.patchCodeToName.ContainsKey(code))
{
sumSQLProduct.patchCodeToName.Add(code, comment);
}
}
}
}
Controller.UpdateProgress("Add_HKCR_Patches keys:" + cnt, true);
return(cnt);
}
private static int Add_HKLM_Patches()
{
int cnt = 0;
/****************************************************************************************************/
//HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches
/****************************************************************************************************/
string sub = "Patches";
Controller.UpdateProgress(@"Analyzing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub + "...", true);
// RegHive reghive = new RegHive(@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\" + sub);
RegHive reghive = Controller.regHives[@"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Patches"];
//first, check product code
//using regKeys instead subkeys
foreach (RegKey rk in reghive.regKeys)
{
string reg = rk.Path;
// Controller.UpdateProgress("Comparing " + reg);
if (foundCompressedPatchCode.Contains(rk.leaf) ||
sumSQLProduct.compressedPatchCodes.Contains(rk.leaf)
)
{
string comment = "Patch code:" + rk.leaf;
if (sumSQLProduct.patchCodeToName.ContainsKey(rk.leaf))
{
comment = sumSQLProduct.patchCodeToName[rk.leaf];
}
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Installer_PatchCode, rk.leaf, comment, true));
}
if (!foundCompressedPatchCode.Contains(rk.leaf))
{
foundCompressedPatchCode.Add(rk.leaf);
}
}
else
{
//read the local package (*.msp) and read its patch code?
if (rk.Properties.ContainsKey("LocalPackage"))
{
string lp = rk.Properties["LocalPackage"][1];
MspPackage pkg = new MspPackage(lp);
if (!string.IsNullOrEmpty(pkg.TargetProductName))
{
if (sumSQLProduct.targetProductNames.Contains(pkg.TargetProductName))
{
string comment = "TargetProductName:" + pkg.TargetProductName;
if (sumSQLProduct.othersToName.ContainsKey(pkg.TargetProductName))
{
comment = sumSQLProduct.patchCodeToName[pkg.TargetProductName];
}
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.FromMSI_TargetProductName, pkg.TargetProductName, comment, true));
}
if (!foundCompressedPatchCode.Contains(rk.leaf))
{
foundCompressedPatchCode.Add(rk.leaf);
}
}
} // if (!string.IsNullOrEmpty(pkg.TargetProductName))
}
} //else
}
Controller.UpdateProgress("Add_HKLM_Patches keys:" + cnt, true);
return(cnt);
}
public static void Add()
{
var sumSQLProduct = Controller.sumSQLProduct;
bool found = false;
/****************************************************************************************************/
//HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
/****************************************************************************************************/
string[] hives = new string[] { "", "\\Wow6432Node" };
Controller.UpdateProgress(@"Analyzing HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall", true);
int cnt = 0;
foreach (string hiveRoot in hives)
{
if (!RegHelper.IsKeyExist(@"HKEY_LOCAL_MACHINE\SOFTWARE" + hiveRoot + @"\Microsoft\Windows\CurrentVersion\Uninstall"))
{
continue;
}
RegHive reghive = new RegHive(@"HKEY_LOCAL_MACHINE\SOFTWARE" + hiveRoot + @"\Microsoft\Windows\CurrentVersion\Uninstall");
//first, check product code
//using regKeys instead subkeys
foreach (RegKey rk in reghive.regKeys)
{
found = false;
string reg = rk.Path;
string leaf = rk.leaf.ToLower();
string code = Utility.ConvertGUID2CompressedRegistryStyle(leaf);
if (!String.IsNullOrEmpty(code))
{
if (Installer.foundCompressedProductCodes.Contains(code) ||
sumSQLProduct.compressedProductCodes.Contains(code)
)
{
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Uninstall, code, "Uninstall:Product Code:" + code, true));
}
if (!Installer.foundCompressedProductCodes.Contains(code))
{
Installer.foundCompressedProductCodes.Add(code);
}
}
} //if it is GUID
else //If it is KB article?
{
if (sumSQLProduct.kbArticles.Contains(leaf))
{
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.FromMSI_KBArticle, leaf, "Uninstall:Product Code:" + leaf, true));
}
}
else //sometimes the meta is outdated so check more:
{
//If the key has SQLProductPatchFamilyCode && ProductId="SQLxxx", or ProductId="SQL2008", it is SQL patch key
if (rk.Properties.ContainsKey("SQLProductPatchFamilyCode") &&
rk.Properties.ContainsKey("ProductId") &&
rk.Properties["ProductId"][1].StartsWith("SQL")
)
{
//it is SQL patch key
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Uninstall, "SQLProductPatchFamilyCode", "Uninstall:SQLProductPatchFamilyCode", true));
}
}
else if (
rk.Properties.ContainsKey("ProductId") &&
rk.Properties["ProductId"][1].StartsWith("SQL2008")
)
{
//it is SQL patch key
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Uninstall, "ProductId", "ProductId=SQL2008", true));
}
}
else if (rk.leaf.StartsWith("Microsoft SQL Server"))
{
if (!Controller.sqlRegKeys.ContainsKey(reg))
{
cnt++;
Controller.sqlRegKeys.Add(reg,
new Reason(SourceType.Uninstall, "Microsoft SQL Server", "It starts with \"Microsoft SQL Server\".", true));
}
}
}
}
}
}//hiveRoot
Controller.UpdateProgress("Uninstall Add keys:" + cnt, true);
}
public static List <string> GetConvertedRegKeysIntoInfKeys(List <KeyValuePair <string, Hashtable> > regs, RegHive kind, string relativeTo = "", BaseInf baseInf = null)
{
var list = new List <string>();
regs.ForEach(reg =>
{
var k = "";
switch (kind)
{
case RegHive.HKLM:
k = kind + "," + reg.Key.GetPartAfterTo("HKEY_LOCAL_MACHINE").Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase);
break;
case RegHive.HKCU:
k = kind + "," + reg.Key.GetPartAfterTo("HKEY_CURRENT_USER").Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase);
break;
case RegHive.HKCR:
k = kind + "," + reg.Key.GetPartAfterTo("HKEY_CLASSES_ROOT").Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase);
break;
case RegHive.HKU:
k = kind + "," + reg.Key.GetPartAfterTo("HKEY_USERS").Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase);
break;
case RegHive.HKR:
k = kind + "," + reg.Key.GetPartAfterTo(relativeTo).Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase);
break;
case RegHive.NONE:
k = reg.Key.GetPartAfterTo(relativeTo).Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase);
break;
case RegHive.AUTO_DETECT:
k = (reg.Key.ToUpper().StartsWith("HKEY_LOCAL_MACHINE") ? "HKLM" : reg.Key.ToUpper().StartsWith("HKEY_CURRENT_USER") ? "HKCU" :
reg.Key.ToUpper().StartsWith("HKEY_CLASSES_ROOT") ? "HKCR" : "HKU") + "," +
reg.Key.Replace("HKEY_LOCAL_MACHINE\\", "", StringComparison.InvariantCultureIgnoreCase).Replace("HKEY_CURRENT_USER\\", "", StringComparison.InvariantCultureIgnoreCase)
.Replace("HKEY_CLASSES_ROOT\\", "", StringComparison.InvariantCultureIgnoreCase).Replace("HKEY_USERS\\", "", StringComparison.InvariantCultureIgnoreCase)
.Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase);
break;
default:
break;
}
foreach (DictionaryEntry keynamevalue in reg.Value)
{
var key = (keynamevalue.Key as string).Replace("@", "");
if ((keynamevalue.Value as string).ToLower().Contains("dword:")) //REG_DWORD
{
list.Add(k + "," + key + "," + "0x00010001,0x" + (keynamevalue.Value as string).Split(':')[1]);
}
else if ((keynamevalue.Value as string).ToLower().Contains("hex:")) //REG_BINARY
{
list.Add(k + "," + key + "," + "0x00000001," + string.Join(",", CleanSplitHexString(keynamevalue.Value as string)));
}
else if ((keynamevalue.Value as string).ToLower().Contains("\"")) //REG_SZ
{
list.Add(k + "," + key + "," + "0x00000000," + (keynamevalue.Value as string).Replace("\\\\", "\\"));
}
else if ((keynamevalue.Value as string).ToLower().Contains("hex(2)")) //REG_MULTI_SZ
{
list.Add(k + "," + key + "," + "0x00020000,\"" + StringArrayHexToString(CleanSplitHexString(keynamevalue.Value as string)).Replace("%", "%%") + "\"");
}
else if ((keynamevalue.Value as string).ToLower().Contains("hex(7)")) //REG_EXPAND_SZ
{
string tmp = "";
StringArrayHexToString(CleanSplitHexString(keynamevalue.Value as string)).Replace("\r", "").Split('\n').ToList().ForEach(s => tmp += $"\"{s}\",");
if (tmp.EndsWith(","))
{
tmp = tmp.Substring(0, tmp.Length - 1);
}
list.Add(k + "," + key + "," + "0x00010000," + tmp);
}
else
{
//Console.WriteLine("(reg2inf) unrecognized key: " + keynamevalue.Value);
if (baseInf != null)
{
baseInf.ParsingLog += $"{reg.Key.Replace(Reg2Inf.SystemNameKey, "SYSTEM", StringComparison.InvariantCultureIgnoreCase).Replace(Reg2Inf.SoftwareNameKey, "SOFTWARE", StringComparison.InvariantCultureIgnoreCase)} --> {keynamevalue.Key}={keynamevalue.Value}\r\n";
}
}
}
});
return(list);
}
