public static bool DeleteRegistryKeyValue(RegistryHive hive, string path, string name) => RegistryKey.OpenBaseKey(hive, RegistryView.Registry64).OpenWritableSubKeySafe(path, (key) => { key.DeleteValue(name, true); return true; });
public static RegistryKeyOptions CreateRegistryKey(this ProtoServer protoServer, RegistryHive hive, string name, Action<RegistryKeyOptions> options) { var proto = CreateRegistryKey(protoServer, hive, name); if (options != null) options(proto); return proto; }
public static object ReadKey(RegistryHive hive, RegistryView view, string subkey, string name) { // open root RegistryKey rootKey = Microsoft.Win32.RegistryKey.OpenBaseKey(hive, view); if (rootKey == null) { return null; } // look for key RegistryKey key = rootKey.OpenSubKey(subkey); if (key == null) { return null; } // look for value object value = key.GetValue(name); if (value == null) { return null; } return value; }
public IRegistryKey OpenBaseKey( RegistryHive hKey, RegistryView view ) { return new RegistryKeyWrap(RegistryKey.OpenBaseKey(hKey, view)); }
/// <summary> /// Удалить ключ реестра /// </summary> /// <param name="root">Ветка реестра</param> /// <param name="key">Ключ для удаления</param> public static void RemoveRegistrySubKey(RegistryHive root, string key) { switch (root) { case RegistryHive.ClassesRoot: Registry.ClassesRoot.DeleteSubKey(key); break; case RegistryHive.CurrentUser: Registry.CurrentUser.DeleteSubKey(key); break; case RegistryHive.LocalMachine: Registry.LocalMachine.DeleteSubKey(key); break; case RegistryHive.Users: Registry.Users.DeleteSubKey(key); break; case RegistryHive.CurrentConfig: Registry.CurrentConfig.DeleteSubKey(key); break; } }
public RegistrySettingsProvider (RegistryHive hKey, RegistryView view = RegistryView.Default, string baseKey = null) { this.hKey = hKey; this.view = view; this.baseKey = baseKey ?? ProductInfo.Company + "\\" + ProductInfo.Product; }
public void SetValue(RegistryHive hive, string registryValueName, object value) { RegistryKey rootKey = RegistryKey.OpenBaseKey(hive, RegistryView.Default); RegistryKey testKey = rootKey.CreateSubKey(TestKeyPath); Assert.NotNull(testKey); testKey.SetValue(registryValueName, value); }
public void HBinSizeShouldNotMatchReadSize() { var r = new RegistryHive(@"..\..\Hives\SAM_DUPENAME"); //if you don't call parse, it wont match Check.That(r.Header.Length).IsNotEqualTo(r.HBinRecordTotalSize); }
private static void CleanUpRegistry(RegistryHive hive) { var regValueNames = new[]{ Reg_LoggingEnabled, Reg_DebugLogEnabled, Reg_FileLogEnabled, Reg_Severity, Reg_Path}; using (RegistryKey rootKey = RegistryKey.OpenBaseKey(hive, RegistryView.Default)) { using (RegistryKey key = rootKey.OpenSubKey(TestKeyPath, true)) { if (key != null) { foreach (var regValueName in regValueNames) { try { key.DeleteValue(regValueName); } catch (ArgumentException) { // Assumption: ArgumentExceptions caused by values that are not present } } } } } }
protected override void DoRun() { using (Stream fileStream = File.OpenRead(_bcdFile.Value)) { using (RegistryHive hive = new RegistryHive(fileStream)) { Store bcdDb = new Store(hive.Root); foreach (var obj in bcdDb.Objects) { Console.WriteLine(obj.FriendlyName + ":"); Console.WriteLine(" Id: " + obj.ToString()); Console.WriteLine(" Type: " + obj.ObjectType); Console.WriteLine(" App Image Type: " + obj.ApplicationImageType); Console.WriteLine(" App Type: " + obj.ApplicationType); Console.WriteLine(" App can inherit: " + obj.IsInheritableBy(ObjectType.Application)); Console.WriteLine(" Dev can inherit: " + obj.IsInheritableBy(ObjectType.Device)); Console.WriteLine(" ELEMENTS"); foreach (var elem in obj.Elements) { Console.WriteLine(" " + elem.FriendlyName + ":"); Console.WriteLine(" Id: " + elem.ToString()); Console.WriteLine(" Class: " + elem.Class); Console.WriteLine(" Format: " + elem.Format); Console.WriteLine(" Value: " + elem.Value); } Console.WriteLine(); } } } }
private static bool ExistsInRemoteSubKey(string p_machineName, RegistryHive p_hive, string p_subKeyName, string p_attributeName, string p_name) { RegistryKey subkey; string displayName; using (RegistryKey regHive = RegistryKey.OpenRemoteBaseKey(p_hive, p_machineName)) { using (RegistryKey regKey = regHive.OpenSubKey(p_subKeyName)) { if (regKey != null) { foreach (string kn in regKey.GetSubKeyNames()) { using (subkey = regKey.OpenSubKey(kn)) { displayName = subkey.GetValue(p_attributeName) as string; if (p_name.Equals(displayName, StringComparison.OrdinalIgnoreCase) == true) // key found! { return true; } } } } } } return false; }
public Bin(RegistryHive hive, Stream stream) { _hive = hive; _fileStream = stream; _streamPos = stream.Position; stream.Position = _streamPos; byte[] buffer = Utilities.ReadFully(stream, 0x20); _header = new BinHeader(); _header.ReadFrom(buffer, 0); _fileStream.Position = _streamPos; _buffer = Utilities.ReadFully(_fileStream, _header.BinSize); // Gather list of all free cells. _freeCells = new List<Range<int, int>>(); int pos = 0x20; while (pos < _buffer.Length) { int size = Utilities.ToInt32LittleEndian(_buffer, pos); if (size > 0) { _freeCells.Add(new Range<int, int>(pos, size)); } pos += Math.Abs(size); } }
public static bool GetRegistryLocation(MapLocation which, ref RegistryHive hive, ref string keyname, ref string valuename) { hive = RegistryHive.CurrentUser; switch (which) { case MapLocation.LocalMachineKeyboardLayout: hive = RegistryHive.LocalMachine; keyname = @"SYSTEM\CurrentControlSet\Control\Keyboard Layout"; valuename = "Scancode Map"; break; case MapLocation.KeyMapperLocalMachineKeyboardLayout: keyname = AppController.ApplicationRegistryKeyName; valuename = "BootMaps"; break; case MapLocation.KeyMapperVistaMappingsCache: keyname = AppController.ApplicationRegistryKeyName; valuename = "VistaBootCache"; break; default: return false; } return true; }
public RegistryKeyMonitor( RegistryHive hive, string key, RegistryNotifyFilter filter, RegistryKeyWatch watch, KeyChangedDelegate keyChanged, ExceptionRaisedDelegate exceptionRaised) { if (keyChanged == null) { throw new ArgumentNullException(nameof(keyChanged)); } if (exceptionRaised == null) { throw new ArgumentNullException(nameof(exceptionRaised)); } RegistryHive = hive; Key = key; Filter = filter; WatchSubTree = watch == RegistryKeyWatch.KeyAndSubKeys; this.keyChanged = keyChanged; this.exceptionRaised = exceptionRaised; StartMonitor(); }
private UIntPtr OpenKey(RegistryHive hive, string keyname, int requiredAccess) { UIntPtr hiveptr; UIntPtr hkey; switch (hive) { case RegistryHive.ClassesRoot: hiveptr = (UIntPtr)0x80000000; break; case RegistryHive.CurrentUser: hiveptr = (UIntPtr)0x80000001; break; case RegistryHive.LocalMachine: hiveptr = (UIntPtr)0x80000002; break; case RegistryHive.Users: hiveptr = (UIntPtr)0x80000003; break; case RegistryHive.CurrentConfig: hiveptr = (UIntPtr)0x80000005; break; default: return UIntPtr.Zero; } int result = NativeMethods.RegOpenKeyEx(hiveptr, keyname, 0, requiredAccess, out hkey); if (result == 0) return hkey; return UIntPtr.Zero; }
private void add_key(IList<RegistryKey> keys, RegistryHive hive, RegistryView view) { FaultTolerance.try_catch_with_logging_exception( () => keys.Add(RegistryKey.OpenBaseKey(hive, view)), "Could not open registry hive '{0}' for view '{1}'".format_with(hive.to_string(), view.to_string()), logWarningInsteadOfError: true); }
private Int64 GetRawRegistryKeyTimestamp(RegistryHive hive, string keyname) { if (String.IsNullOrEmpty(keyname)) { return 0; // Otherwise the function opens HKLM (or HKCU) again. } UIntPtr hkey = OpenKey(hive, keyname, KEY_QUERY_VALUE); if (hkey == UIntPtr.Zero) { return 0; // Didn't open key } Int64 timestamp; uint result2 = NativeMethods.RegQueryInfoKey( hkey, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, out timestamp); if (result2 != 0) { timestamp = 0; // Failed, don't return whatever value was supplied. } NativeMethods.RegCloseKey(hkey); return timestamp; }
public static RegistryKey GetRegBaseKey(RegistryHive hive) { #if NET4 return RegistryKey.OpenBaseKey(hive, (Environment.Is64BitOperatingSystem ? RegistryView.Registry64 : RegistryView.Registry32)); #else RegistryKey result = null; switch (hive) { case RegistryHive.ClassesRoot: break; case RegistryHive.CurrentConfig: break; case RegistryHive.CurrentUser: break; case RegistryHive.DynData: break; case RegistryHive.PerformanceData: break; case RegistryHive.Users: break; default: result = Microsoft.Win32.Registry.LocalMachine; break; } return result; #endif }
private void deleteRegistryKey(RegistryHive hive, string key) { using (var reg = RegistryKey.OpenBaseKey(hive, RegistryView.Default)) { reg.DeleteSubKey(key); } }
static Register() { ClassesRoot = new RegistryHive(Registry.ClassesRoot); CurrentUser = new RegistryHive(Registry.CurrentUser); LocalMachine = new RegistryHive(Registry.LocalMachine); Users = new RegistryHive(Registry.Users); CurrentConfig = new RegistryHive(Registry.CurrentConfig); }
public static string GetString( string computerName, RegistryHive rh, string registryPath, string valueName ) { using( var reg = RegistryKey.OpenRemoteBaseKey( rh, computerName ) ) { using( var regFolder = reg.OpenSubKey( registryPath ) ) { var result = GetString( regFolder, valueName ); return result; } } }
static void DeleteKey(RegistryHive hive, RegistryView view, string guid) { using (RegistryKey key = RegistryKey.OpenBaseKey(hive, view)) { key.DeleteSubKey("Software\\Classes\\CLSID\\" + guid + "\\ProgId", false); key.DeleteSubKey("Software\\Classes\\CLSID\\" + guid + "\\InProcServer32", false); key.DeleteSubKey("Software\\Classes\\CLSID\\" + guid, false); } }
public static void KeyExists(RegistryHive hive, string key) { using (var reg = RegistryKey.OpenBaseKey(hive, RegistryView.Default)) using (var subKey = reg.OpenSubKey(key)) { Assert.IsNotNull(subKey); } }
/// <summary> /// Returns the names of the subkeys under the provided key. /// </summary> /// <param name="hive">The hive where <paramref name="key"/> is located.</param> /// <param name="key">The key to search.</param> /// <returns>A list of subkeys.</returns> public string[] GetSubKeys(RegistryHive hive, string key) { RegistryKey hiveKey = getHiveKey(hive); using (RegistryKey openKey = hiveKey.OpenSubKey(key)) { return openKey.GetSubKeyNames(); } }
/// <summary> /// Construct an instance of a root registry key entry. /// </summary> internal RegistryKey (RegistryHive hiveId, IntPtr keyHandle, bool remoteRoot) { hive = hiveId; handle = keyHandle; qname = GetHiveName (hiveId); isRemoteRoot = remoteRoot; isWritable = true; // always consider root writable }
private object GetRegistryValue(RegistryHive hive, string registryValueName) { RegistryKey rootKey = RegistryKey.OpenBaseKey(hive, RegistryView.Default); RegistryKey testKey = rootKey.OpenSubKey(TestKeyPath); Assert.NotNull(testKey); return testKey.GetValue(registryValueName); }
public RegistryKeyMonitor( RegistryHive hive, string key, KeyChangedDelegate keyChanged, ExceptionRaisedDelegate exceptionRaised) : this(hive, key, ALL_FILTERS, keyChanged, exceptionRaised) { }
internal void Close() { if (_hive != null) { _hive.Dispose(); _hive = null; } }
public DateTime GetRegistryKeyTimestamp(RegistryHive hive, string keyName) { Int64 ts = GetRawRegistryKeyTimestamp(hive, keyName); DateTime dt = (ts != 0 ? DateTime.FromFileTimeUtc(ts) : DateTime.MinValue); return dt.ToLocalTime(); }
public IRegistryKey OpenRemoteBaseKey( RegistryHive hKey, string machineName, RegistryView view ) { return new RegistryKeyWrap(RegistryKey.OpenRemoteBaseKey(hKey, machineName, view)); }
public void ShouldFindAdbRecordWhileParsing() { var usrclass = new RegistryHive(@"..\..\..\Hives\SYSTEM"); usrclass.ParseHive(); }
public static bool CheckRegistry(string path, string name = null, string value = null, RegistryHive root = RegistryHive.CurrentUser) { string registryValue = GetRegistryValue(path, name, root); return(registryValue != null && (value == null || registryValue.Equals(value, StringComparison.InvariantCultureIgnoreCase))); }
public static IEnumerable <RegistryObject> WalkHive(RegistryHive Hive, string startingKey = null) { Stack <RegistryKey> keys = new Stack <RegistryKey>(); RegistryKey x86_View = RegistryKey.OpenBaseKey(Hive, RegistryView.Registry32); if (startingKey != null) { x86_View = x86_View.OpenSubKey(startingKey); } keys.Push(x86_View); RegistryKey x64_View = RegistryKey.OpenBaseKey(Hive, RegistryView.Registry64); if (startingKey != null) { x64_View = x64_View.OpenSubKey(startingKey); } keys.Push(x64_View); while (keys.Count > 0) { RegistryKey currentKey = keys.Pop(); if (currentKey == null) { continue; } if (Filter.IsFiltered(Helpers.GetPlatformString(), "Scan", "Registry", "Key", currentKey.Name)) { continue; } // First push all the new subkeys onto our stack. foreach (string key in currentKey.GetSubKeyNames()) { try { var next = currentKey.OpenSubKey(name: key, writable: false); keys.Push(next); } // These are expected as we are running as administrator, not System. catch (System.Security.SecurityException e) { Log.Verbose(e, "Permission Denied: {0}", currentKey.Name); } // There seem to be some keys which are listed as existing by the APIs but don't actually exist. // Unclear if these are just super transient keys or what the other cause might be. // Since this isn't user actionable, also just supress these to the verbose stream. catch (System.IO.IOException e) { Log.Verbose(e, "Error Reading: {0}", currentKey.Name); } catch (Exception e) { Log.Information(e, "Unexpected error when parsing {0}:", currentKey.Name); Telemetry.TrackTrace(Microsoft.ApplicationInsights.DataContracts.SeverityLevel.Error, e); } } var regObj = RegistryKeyToRegistryObject(currentKey); if (regObj != null) { yield return(regObj); } } }
public static RegistryKey OpenBaseKey(RegistryHive hKey, RegistryView view) { ValidateKeyView(view); return(OpenBaseKeyCore(hKey, view)); }
public void BlahGetInstalledComponents() { // TODO: Does this make a difference, or does it depend just on the provider? const string softwareNode = @"Software"; //const string softwareNodeWow = @"Software\Wow6432Node"; //const string swUninstallSubnode = @"\Microsoft\Windows\CurrentVersion\Uninstall"; const string swUninstallSubnode = @"\Asus"; //ManagementClass reg = new ManagementClass(@"\\" + m_facade.Provider.Host + @"\root\Default", _REGISTRY_PROVIDER, null); RegistryHive hklm = RegistryHive.LocalMachine; const string subKey = softwareNode + swUninstallSubnode; // Set up in+out params and call EnumKey // string method = "EnumKey"; ManagementBaseObject inParams = m_registry.GetMethodParameters(method); inParams["hDefKey"] = (uint)hklm; inParams["sSubKeyName"] = subKey; ManagementBaseObject outParams = m_registry.InvokeMethod(method, inParams, null); if (null == outParams) { return; } string[] props = outParams.Properties["sNames"].Value as string[]; if (null == props) { return; } foreach (string pkgID in props) { string pkgKeyPath = subKey + "\\" + pkgID; // Set up in+out params and call GetStringValue // //string method = "GetExpandedStringValue"; const string method2 = "GetStringValue"; //const string field = "DisplayName"; const string field = "Version"; ManagementBaseObject inParams2 = m_registry.GetMethodParameters(method2); inParams2["hDefKey"] = (uint)hklm; inParams2["sSubKeyName"] = pkgKeyPath; inParams2["sValueName"] = field; ManagementBaseObject outParams2 = m_registry.InvokeMethod(method2, inParams2, null); string pkgName = (null == outParams2) ? string.Empty : (string)outParams2.Properties["sValue"].Value; // Other StringValue fields: DisplayVersion, InstallDate // Other ExpandedStringValue fields: InstallSource, UninstallString, QuietUninstallString } Console.WriteLine("Done."); }
internal async Task RegScan(RegistryHive RegHive, RegistryView RegView, List <AddSoftware> lScanList) { await Task.Run(() => _RegScan(RegHive, RegView, lScanList)); }
/// <summary> /// /// </summary> /// <param name="p_folder_type"></param> /// <param name="p_registry_hive"></param> public CRegistry(RegistryFolderType p_folder_type = RegistryFolderType.shared, RegistryHive p_registry_hive = RegistryHive.LocalMachine) : this("ODINSOFT", "SDK", "V5.2.2017.01", p_folder_type, p_registry_hive) { }
/// <summary> /// Initializes a new instance of the <see cref="RegistryMonitor"/> class. /// </summary> /// <param name="registryHive">The registry hive.</param> /// <param name="subkey">The subkey.</param> public RegistryMonitor(RegistryHive registryHive, string subkey) { this.InitRegistryKey(registryHive, subkey); }
public static RegistryKey GetRegistryKey(string computerName, string keyPath) { int firstPeriodPos = keyPath.IndexOf("\\"); string hKeyName = keyPath.Substring(0, firstPeriodPos); RegistryHive hKey = RegistryHive.LocalMachine; switch (hKeyName.ToUpperInvariant()) { case "HKLM:": case "HKLM": case "HKEY_LOCAL_MACHINE": hKey = RegistryHive.LocalMachine; break; case "HKCR:": case "HKCR": case "HKEY_CLASSES_ROOT": hKey = RegistryHive.ClassesRoot; break; case "HKCC:": case "HKCC": case "HKEY_CURRENT_CONFIG": hKey = RegistryHive.CurrentConfig; break; case "HKCU:": case "HKCU": case "HKEY_CURRENT_USER": hKey = RegistryHive.CurrentUser; break; case "HKDD:": case "HKDD": case "HKEY_DYN_DATA": hKey = RegistryHive.DynData; break; case "HKPD:": case "HKPD": case "HKEY_PERFROMANCE_DATA": hKey = RegistryHive.PerformanceData; break; case "HKU:": case "HKU": case "HKEY_USERS": hKey = RegistryHive.Users; break; } RegistryKey remoteRegistry = RegistryKey.OpenRemoteBaseKey(hKey, LocalizeName(computerName)); string pathName = keyPath.Substring(firstPeriodPos + 1); if (string.IsNullOrEmpty(pathName)) { return(remoteRegistry); } else { return(remoteRegistry.OpenSubKey(pathName)); } }
public static string GetValueString(string path, string name = null, RegistryHive root = RegistryHive.CurrentUser, RegistryView view = RegistryView.Default) { return GetValue(path, name, root, view) as string; }
public static int GetValueDWord(string path, string name = null, RegistryHive root = RegistryHive.CurrentUser, RegistryView view = RegistryView.Default) { return (int)GetValue(path, name, root, view); }
private static RegistryKey GetKeyFromHive(RegistryHive hive, string path) => RegistryKey.OpenBaseKey(hive, RegistryView.Registry64).OpenSubKey(path);
private static RegistryKey OpenRemoteBaseKeyCore(RegistryHive hKey, string machineName, RegistryView view) { throw new PlatformNotSupportedException(SR.Security_RegistryPermission); // remote stores not supported on Unix }
private static RegistryKey OpenBaseKeyCore(RegistryHive hKey, RegistryView view) { throw new PlatformNotSupportedException(SR.PlatformNotSupported_Registry); }
public SECURITYHive(string filename) : base(filename) { _hive = this; }
public static bool IsNewFormat(string file, bool noLog) { RegistryKey fileKey = null; RegistryHive reg; var dirname = Path.GetDirectoryName(file); var hiveBase = Path.GetFileName(file); List <RawCopy.RawCopyReturn> rawFiles = null; try { try { reg = new RegistryHive(file) { RecoverDeleted = true }; } catch (IOException) { //file is in use if (RawCopy.Helper.IsAdministrator() == false) { throw new UnauthorizedAccessException("Administrator privileges not found!"); } var files = new List <string>(); files.Add(file); var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?"); foreach (var logFile in logFiles) { files.Add(logFile); } rawFiles = RawCopy.Helper.GetFiles(files); reg = new RegistryHive(rawFiles.First().FileBytes, rawFiles.First().InputFilename); } LogManager.DisableLogging(); if (reg.Header.PrimarySequenceNumber != reg.Header.SecondarySequenceNumber) { if (string.IsNullOrEmpty(dirname)) { dirname = "."; } var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?"); if (logFiles.Length == 0) { var log = LogManager.GetCurrentClassLogger(); if (noLog == false) { log.Warn("Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!"); throw new Exception("Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting"); } log.Warn("Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways..."); } else { if (rawFiles != null) { var lt = new List <TransactionLogFileInfo>(); foreach (var rawCopyReturn in rawFiles.Skip(1).ToList()) { var tt = new TransactionLogFileInfo(rawCopyReturn.InputFilename, rawCopyReturn.FileBytes); lt.Add(tt); } reg.ProcessTransactionLogs(lt, true); } else { reg.ProcessTransactionLogs(logFiles.ToList(), true); } } } reg.ParseHive(); fileKey = reg.GetKey(@"Root\InventoryApplicationFile"); LogManager.EnableLogging(); } catch (Exception) { LogManager.EnableLogging(); } return(fileKey != null); }
/// <summary>Retrieves a new RegistryKey that represents the requested key on a foreign machine.</summary> /// <param name="hKey">hKey HKEY_* to open.</param> /// <param name="machineName">Name the machine to connect to.</param> /// <returns>The RegistryKey requested.</returns> public static RegistryKey OpenRemoteBaseKey(RegistryHive hKey, string machineName) { return(OpenRemoteBaseKey(hKey, machineName, RegistryView.Default)); }
public DynamicRegistryKey(RegistryHive hive, RegistryView view, RegistrySecurity rs, bool writable = false) { this.writable = writable; this.key = RegistryKey.OpenBaseKey(hive, view); }
public RegistryKey OpenRemoteBaseKey(RegistryHive hKey, string machineName) { throw new NotImplementedException(); }
public DynamicRegistryKey(RegistryHive hive, RegistrySecurity rs, bool writable = false) : this(hive, RegistryView.Default, rs, writable) { }
static RegistryKey getBaseKey64(RegistryHive hive) => RegistryKey.OpenBaseKey(hive, RegistryView.Registry64);
/// <summary> /// Initializes a new instance of the <see cref="RegistryMonitor"/> class. /// </summary> /// <param name="registryHive">The registry hive.</param> /// <param name="subKey">The sub key.</param> public RegistryMonitor(RegistryHive registryHive, string subKey) { InitRegistryKey(registryHive, subKey); }
public AmcacheOld(string hive, bool recoverDeleted, bool noLogs) { _logger = LogManager.GetCurrentClassLogger(); var reg = new RegistryHive(hive) { RecoverDeleted = recoverDeleted }; if (reg.Header.PrimarySequenceNumber != reg.Header.SecondarySequenceNumber) { var hiveBase = Path.GetFileName(hive); var dirname = Path.GetDirectoryName(hive); if (string.IsNullOrEmpty(dirname)) { dirname = "."; } var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?"); if (logFiles.Length == 0) { var log = LogManager.GetCurrentClassLogger(); if (noLogs == false) { log.Warn("Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!"); throw new Exception("Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting"); } else { log.Warn("Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways..."); } } else { reg.ProcessTransactionLogs(logFiles.ToList(), true); } } reg.ParseHive(); var fileKey = reg.GetKey(@"Root\File"); var programsKey = reg.GetKey(@"Root\Programs"); UnassociatedFileEntries = new List <FileEntryOld>(); ProgramsEntries = new List <ProgramsEntryOld>(); if (fileKey == null || programsKey == null) { _logger.Error("Hive does not contain a File and/or Programs key. Processing cannot continue"); return; } //First, we get data for all the Program entries under Programs key foreach (var registryKey in programsKey.SubKeys) { var ProgramName0 = ""; var ProgramVersion1 = ""; var Guid10 = ""; var UninstallGuid11 = ""; var Guid12 = ""; var Dword13 = 0; var Dword14 = 0; var Dword15 = 0; var UnknownBytes = new byte[0]; long Qword17 = 0; var Dword18 = 0; var VenderName2 = ""; var LocaleID3 = ""; var Dword5 = 0; var InstallSource6 = ""; var UninstallKey7 = ""; DateTimeOffset?EpochA = null; DateTimeOffset?EpochB = null; var PathListd = ""; var Guidf = ""; var RawFiles = ""; try { foreach (var value in registryKey.Values) { switch (value.ValueName) { case "0": ProgramName0 = value.ValueData; break; case "1": ProgramVersion1 = value.ValueData; break; case "2": VenderName2 = value.ValueData; break; case "3": LocaleID3 = value.ValueData; break; case "5": Dword5 = int.Parse(value.ValueData); break; case "6": InstallSource6 = value.ValueData; break; case "7": UninstallKey7 = value.ValueData; break; case "a": try { var seca = long.Parse(value.ValueData); if (seca > 0) { EpochA = DateTimeOffset.FromUnixTimeSeconds(seca).ToUniversalTime(); } } catch (Exception) { //sometimes the number is way too big } break; case "b": var seconds = long.Parse(value.ValueData); if (seconds > 0) { EpochB = DateTimeOffset.FromUnixTimeSeconds(seconds).ToUniversalTime(); } break; case "d": PathListd = value.ValueData; break; case "f": Guidf = value.ValueData; break; case "10": Guid10 = value.ValueData; break; case "11": UninstallGuid11 = value.ValueData; break; case "12": Guid12 = value.ValueData; break; case "13": Dword13 = int.Parse(value.ValueData); break; case "14": Dword13 = int.Parse(value.ValueData); break; case "15": Dword13 = int.Parse(value.ValueData); break; case "16": UnknownBytes = value.ValueDataRaw; break; case "17": Qword17 = long.Parse(value.ValueData); break; case "18": Dword18 = int.Parse(value.ValueData); break; case "Files": RawFiles = value.ValueData; break; default: _logger.Warn( $"Unknown value name in Program at path {registryKey.KeyPath}: {value.ValueName}"); break; } } var pe = new ProgramsEntryOld(ProgramName0, ProgramVersion1, VenderName2, LocaleID3, InstallSource6, UninstallKey7, Guid10, Guid12, UninstallGuid11, Dword5, Dword13, Dword14, Dword15, UnknownBytes, Qword17, Dword18, EpochA, EpochB, PathListd, Guidf, RawFiles, registryKey.KeyName, registryKey.LastWriteTime.Value); ProgramsEntries.Add(pe); } catch (Exception ex) { _logger.Error($"Error parsing ProgramsEntry at {registryKey.KeyPath}. Error: {ex.Message}"); _logger.Error( $"Please send the following text to [email protected]. \r\n\r\nKey data: {registryKey}"); } } //For each Programs entry, add the related Files entries from Files\Volume subkey, put the rest in unassociated foreach (var registryKey in fileKey.SubKeys) { //These are the guids for volumes foreach (var subKey in registryKey.SubKeys) { var prodName = ""; int?langId = null; var fileVerString = ""; var fileVerNum = ""; var fileDesc = ""; var compName = ""; var fullPath = ""; var switchBack = ""; var peHash = ""; var progID = ""; var sha = ""; long binProdVersion = 0; ulong binFileVersion = 0; var linkerVersion = 0; var binType = 0; var isLocal = 0; var gProgramID = 0; int? fileSize = null; int? sizeOfImage = null; uint? peHeaderChecksum = null; DateTimeOffset?created = null; DateTimeOffset?lm = null; DateTimeOffset?lmStore = null; DateTimeOffset?linkDate = null; var hasLinkedProgram = false; try { //these are the files executed from the volume foreach (var keyValue in subKey.Values) { var keyVal = int.Parse(keyValue.ValueName, NumberStyles.HexNumber); switch (keyVal) { case ProductName: prodName = keyValue.ValueData; break; case CompanyName: compName = keyValue.ValueData; break; case FileVersionNumber: fileVerNum = keyValue.ValueData; break; case LanguageCode: langId = int.Parse(keyValue.ValueData); break; case SwitchBackContext: switchBack = keyValue.ValueData; break; case FileVersionString: fileVerString = keyValue.ValueData; break; case FileSize: fileSize = int.Parse(keyValue.ValueData); break; case SizeOfImage: sizeOfImage = int.Parse(keyValue.ValueData); break; case PEHeaderHash: peHash = keyValue.ValueData; break; case PEHeaderChecksum: peHeaderChecksum = uint.Parse(keyValue.ValueData); break; case BinProductVersion: binProdVersion = long.Parse(keyValue.ValueData); break; case BinFileVersion: binFileVersion = ulong.Parse(keyValue.ValueData); break; case FileDescription: fileDesc = keyValue.ValueData; break; case LinkerVersion: linkerVersion = int.Parse(keyValue.ValueData); break; case LinkDate: linkDate = DateTimeOffset.FromUnixTimeSeconds(long.Parse(keyValue.ValueData)) .ToUniversalTime(); break; case BinaryType: binType = int.Parse(keyValue.ValueData); break; case LastModified: lm = DateTimeOffset.FromFileTime(long.Parse(keyValue.ValueData)).ToUniversalTime(); break; case Created: created = DateTimeOffset.FromFileTime(long.Parse(keyValue.ValueData)).ToUniversalTime(); break; case FullPath: fullPath = keyValue.ValueData; break; case IsLocal: isLocal = int.Parse(keyValue.ValueData); break; case GuessProgramID: gProgramID = int.Parse(keyValue.ValueData); break; case LastModifiedStore: lmStore = DateTimeOffset.FromFileTime(long.Parse(keyValue.ValueData)) .ToUniversalTime(); break; case ProgramID: progID = keyValue.ValueData; var program = ProgramsEntries.SingleOrDefault(t => t.ProgramID == progID); if (program != null) { hasLinkedProgram = true; } break; case SHA1: sha = keyValue.ValueData; break; default: _logger.Warn( $"Unknown value name when processing FileEntry at path '{subKey.KeyPath}': 0x{keyVal:X}"); break; } } if (fullPath.Length == 0) { continue; } TotalFileEntries += 1; var fe = new FileEntryOld(prodName, progID, sha, fullPath, lmStore, registryKey.KeyName, registryKey.LastWriteTime.Value, subKey.KeyName, subKey.LastWriteTime.Value, isLocal, compName, langId, fileVerString, peHash, fileVerNum, fileDesc, binProdVersion, binFileVersion, linkerVersion, binType, switchBack, fileSize, linkDate, sizeOfImage, lm, created, peHeaderChecksum, gProgramID, subKey.KeyName); if (hasLinkedProgram) { var program = ProgramsEntries.SingleOrDefault(t => t.ProgramID == fe.ProgramID); fe.ProgramName = program.ProgramName_0; program.FileEntries.Add(fe); } else { fe.ProgramName = "Unassociated"; UnassociatedFileEntries.Add(fe); } } catch (Exception ex) { _logger.Error($"Error parsing FileEntry at {subKey.KeyPath}. Error: {ex.Message}"); _logger.Error( $"Please send the following text to [email protected]. \r\n\r\nKey data: {subKey}"); } } } }
public static RegistryKey OpenBaseKey(RegistryHive hKey) { return(OpenBaseKey(hKey, RegistryView.Default)); }
internal RegistryKey(RegistryHive hiveId) { throw new PlatformNotSupportedException(); }
public static void CreateRegistry(string path, int value, RegistryHive root = RegistryHive.CurrentUser) { CreateRegistry(path, null, value, root); }
public static RegistryKey OpenBaseKey(RegistryHive hKey, RegistryView view) { throw new PlatformNotSupportedException(); }
public void ExportToRegFormatSingleKey() { var samOnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM"); var key = samOnDemand.GetKey(@"SAM\Domains\Account"); var exported = Helpers.ExportToReg(@"exportSamTest.reg", key, HiveTypeEnum.Sam, false); Check.That(exported).IsTrue(); var ntUser1OnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT"); key = ntUser1OnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Console"); exported = Helpers.ExportToReg(@"exportntuser1Test.reg", key, HiveTypeEnum.NtUser, false); Check.That(exported).IsTrue(); var security = new RegistryHiveOnDemand(@"..\..\..\Hives\SECURITY"); key = security.GetKey( @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Policy\Accounts\S-1-5-9"); exported = Helpers.ExportToReg(@"exportsecTest.reg", key, HiveTypeEnum.Security, false); Check.That(exported).IsTrue(); var systemOnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\SYSTEM"); key = systemOnDemand.GetKey( @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Enum\ACPI\PNP0C02\1"); exported = Helpers.ExportToReg(@"exportsysTest.reg", key, HiveTypeEnum.System, false); Check.That(exported).IsTrue(); var usrClassFtp = new RegistryHiveOnDemand(@"..\..\..\Hives\UsrClass FTP.dat"); key = usrClassFtp.GetKey(@"S-1-5-21-2417227394-2575385136-2411922467-1105_Classes\.3g2"); exported = Helpers.ExportToReg(@"exportusrTest.reg", key, HiveTypeEnum.UsrClass, false); Check.That(exported).IsTrue(); var samDupeNameOnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM_DUPENAME"); key = samDupeNameOnDemand.GetKey(@"SAM\SAM\Domains\Account\Aliases\000003E9"); exported = Helpers.ExportToReg(@"exportotherTest.reg", key, HiveTypeEnum.Other, false); Check.That(exported).IsTrue(); var usrclassDeleted = new RegistryHive(@"..\..\..\Hives\UsrClassDeletedBags.dat"); usrclassDeleted.RecoverDeleted = true; usrclassDeleted.FlushRecordListsAfterParse = false; usrclassDeleted.ParseHive(); key = usrclassDeleted.GetKey( @"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1"); exported = Helpers.ExportToReg(@"exportDeletedTest.reg", key, HiveTypeEnum.UsrClass, false); Check.That(exported).IsTrue(); }
public void ShouldThrowExceptionWithBadHbinHeader() { Check.ThatCode(() => { var r = new RegistryHive(@"..\..\Hives\SAMBadHBinHeader"); r.ParseHive(); }).Throws <Exception>(); }
public static bool CheckStringValue(string path, string name = null, string value = null, RegistryHive root = RegistryHive.CurrentUser, RegistryView view = RegistryView.Default) { string registryValue = GetValueString(path, name, root, view); return registryValue != null && (value == null || registryValue.Equals(value, StringComparison.OrdinalIgnoreCase)); }