/// <summary>
/// The Lsa\Data key of the SYSTEM test hive exposes a non-empty class name through the on-demand reader.
/// </summary>
public void ShouldFindAKeyWithClassName()
{
    var systemHive = new RegistryHiveOnDemand(@"..\..\..\Hives\SYSTEM");
    var lsaData = systemHive.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Control\Lsa\Data");

    Check.That(lsaData.ClassName).IsNotEmpty();
}
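/// <summary>
/// Determines whether the machine a SYSTEM hive belongs to is a 32-bit (x86) installation.
/// </summary>
/// <param name="fileName">
/// Path to an offline SYSTEM hive. When empty (or null) the live machine's registry is consulted instead.
/// </param>
/// <returns><c>true</c> when PROCESSOR_ARCHITECTURE is exactly "x86" (ordinal comparison); <c>false</c> for any other value.</returns>
/// <exception cref="NullReferenceException">
/// Thrown when the architecture value cannot be located. The type is kept for compatibility with existing
/// callers; <see cref="InvalidOperationException"/> would be the conventional choice.
/// </exception>
public static bool Is32Bit(string fileName)
{
    if (string.IsNullOrEmpty(fileName))
    {
        // Live system. The key handle is disposable, so release it deterministically.
        using (var environment = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\Environment"))
        {
            var arch = environment?.GetValue("PROCESSOR_ARCHITECTURE");
            if (arch != null)
            {
                return string.Equals(arch.ToString(), "x86", StringComparison.Ordinal);
            }
        }
    }
    else
    {
        var hive = new RegistryHiveOnDemand(fileName);

        // Select\Current names the control set that was active when the hive was last booted.
        // A hive without it is not usable as a SYSTEM hive, so fall through to the throw below.
        var selectKey = hive.GetKey("Select");
        var current = selectKey?.Values.SingleOrDefault(c => c.ValueName == "Current");
        if (current != null)
        {
            var currentCtlSet = int.Parse(current.ValueData, System.Globalization.CultureInfo.InvariantCulture);
            var environment = hive.GetKey($"ControlSet00{currentCtlSet}\\Control\\Session Manager\\Environment");
            var arch = environment?.Values.SingleOrDefault(c => c.ValueName == "PROCESSOR_ARCHITECTURE");
            if (arch != null)
            {
                return string.Equals(arch.ValueData, "x86", StringComparison.Ordinal);
            }
        }
    }

    throw new NullReferenceException("Unable to determine CPU architecture!");
}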
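///// <summary>
///// NOT USED
///// </summary>
///// <param name="keys"></param>
///// <param name="pathPrefix"></param>
///// <param name="files"></param>
///// <param name="type"></param>
//private void EnumerateShellEx(List<string> keys,
//    string pathPrefix,
//    string files,
//    string type)
//{
//    foreach (string file in System.IO.Directory.EnumerateFiles(_registryPath,
//        files,
//        SearchOption.AllDirectories))
//    {
//        RegistryHiveOnDemand registry = OpenRegistry(file);
//        if (registry == null)
//        {
//            continue;
//        }
//        foreach (string key in keys)
//        {
//            RegistryKey regKey = OpenKey(registry, key);
//            if (regKey == null)
//            {
//                continue;
//            }
//            foreach (RegistryKey subKey in regKey.SubKeys)
//            {
//                if (subKey.Values.Where(v => v.ValueName.ToLower() == "default").SingleOrDefault() == null)
//                {
//                    continue;
//                }
//                string guid = subKey.Values.Where(v => v.ValueName.ToLower() == "default").SingleOrDefault().ValueData;
//                ProcessClsid(registry,
//                    pathPrefix + "\\" + key,
//                    subKey.KeyName,
//                    "ShellEx",
//                    guid,
//                    file);
//            }
//        }
//    }
//}

/// <summary>
/// NOT USED
/// </summary>
//private void EnumerateShellExHooks()
//{
//    foreach (string file in System.IO.Directory.EnumerateFiles(_registryPath,
//        "software",
//        SearchOption.AllDirectories))
//    {
//        RegistryHiveOnDemand registry = OpenRegistry(file);
//        if (registry == null)
//        {
//            continue;
//        }
//        //foreach (string key in _keysGuidValue)
//        //{
//        //    RegistryKey regKey = registry.Open(key);
//        //    if (regKey == null)
//        //    {
//        //        continue;
//        //    }
//        //    foreach (RegistryValue regValue in regKey.Values())
//        //    {
//        //        ProcessClsid(registry, "HKLM\\Software\\" + key, key, "ShellExecuteHooks", regValue.Value.ToString());
//        //    }
//        //}
//    }
//}

/// <summary>
/// Resolves a COM class id to its in-process server and hands that server path to ProcessEntry.
/// Looks up Classes\CLSID\{guid}\InprocServer32, falling back to the Classes\Wow6432Node copy, reads the
/// key's "(default)" value and forwards it together with the key's last-write time. Any path normalisation
/// is presumably done by ProcessEntry (not visible here).
/// </summary>
/// <param name="registry">the open hive to resolve the class id in</param>
/// <param name="path">registry path of the entry that referenced the class id; forwarded unchanged</param>
/// <param name="type">entry type label forwarded to ProcessEntry</param>
/// <param name="info">free-form info label forwarded to ProcessEntry</param>
/// <param name="guid">the CLSID to resolve, in the form it is stored under Classes\CLSID</param>
/// <param name="sourceFile">path of the hive file the entry came from</param>
private void ProcessClsid(RegistryHiveOnDemand registry, string path, string type, string info, string guid, string sourceFile)
{
    RegistryKey regKey = OpenKey(registry, @"Classes\CLSID\" + guid + @"\InprocServer32")
                         ?? OpenKey(registry, @"Classes\Wow6432Node\CLSID\" + guid + @"\InprocServer32");
    if (regKey == null)
    {
        // Neither the native nor the 32-bit-on-64 registration exists; nothing to report.
        return;
    }

    // Registry value names are not culture-sensitive, so compare them ordinally and case-insensitively
    // instead of lower-casing; a single lookup also avoids scanning the value list twice.
    var defaultValue = regKey.Values.SingleOrDefault(v => string.Equals(v.ValueName, "(default)", StringComparison.OrdinalIgnoreCase));
    if (defaultValue == null)
    {
        return;
    }

    ProcessEntry(defaultValue.ValueData, path, type, info, sourceFile, regKey.LastWriteTime);
}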
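/// <summary>
/// Pins the raw vk cell fields of the unnamed value under SAM\SAM\Domains\Account\Users in the
/// SAM_DUPENAME hive, whose raw type id (15) maps to <c>RegUnknown</c>.
/// </summary>
public void TestVkRecordUnknownRegType()
{
    var hive = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM_DUPENAME");
    var key = hive.GetKey(@"SAM\SAM\Domains\Account\Users");
    Check.That(key).IsNotNull();

    var val = key.Values.Single(e => e.ValueName == string.Empty);
    Check.That(val).IsNotNull();
    var vk = val.VkRecord;

    // Cell location and header.
    Check.That(vk.RelativeOffset).IsEqualTo(0x1880);
    Check.That(vk.AbsoluteOffset).IsEqualTo(0x2880);
    Check.That(vk.Size).IsEqualTo(-24);
    Check.That(vk.Signature).IsEqualTo("vk");
    Check.That(vk.IsFree).IsFalse();

    // Name fields: the value is unnamed.
    Check.That(vk.NamePresentFlag).IsEqualTo(0x0);
    Check.That(vk.NameLength).IsEqualTo(0x0);
    Check.That(vk.ValueName).IsEmpty();

    // Data fields. IsEqualTo is the fluent assertion; Equals() on a check object is plain object equality
    // and does not express the intended check.
    Check.That(vk.ValueData).IsInstanceOf<byte[]>();
    Check.That(vk.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegUnknown);
    Check.That(vk.DataTypeRaw).IsEqualTo(15);
    Check.That(vk.DataLength).IsEqualTo(0x80000000);
    Check.That(vk.OffsetToData).IsEqualTo((uint)0);
    Check.That(vk.Padding.Length).IsEqualTo(0);
    Check.That(vk.ValueDataRaw.Length).IsEqualTo(4);
    Check.That(vk.ValueDataSlack.Length).IsEqualTo(0);
    Check.That(vk.ToString()).IsNotEmpty();
}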
/// <summary>
/// A key path given without the hive root name and with mixed-case segments still resolves.
/// </summary>
public void GetKeyShouldNotBeNullWithShortPathMixedSpelling()
{
    var sam = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");

    Check.That(sam.GetKey(@"SAM\DomAins\AccoUnt")).IsNotNull();
}
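/// <summary>
/// Pins the raw vk cell fields of the REG_QWORD value "BannedAppsLastModified" in the NTUSER1 hive.
/// </summary>
public void TestVkRecordRegqWord()
{
    var hive = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");
    var key = hive.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList");
    Check.That(key).IsNotNull();

    var val = key.Values.Single(e => e.ValueName == "BannedAppsLastModified");
    Check.That(val).IsNotNull();
    var vk = val.VkRecord;

    // Cell location and header.
    Check.That(vk.RelativeOffset).IsEqualTo(0x5ce0);
    Check.That(vk.AbsoluteOffset).IsEqualTo(0x6ce0);
    Check.That(vk.Size).IsEqualTo(-48);
    Check.That(vk.Signature).IsEqualTo("vk");
    Check.That(vk.IsFree).IsFalse();

    // Name fields.
    Check.That(vk.NamePresentFlag).IsEqualTo(0x01);
    Check.That(vk.NameLength).IsEqualTo(0x16);
    Check.That(vk.ValueName).IsEqualTo("BannedAppsLastModified");

    // Data fields. IsEqualTo is the fluent assertion; Equals() on a check object is plain object equality
    // and does not express the intended check.
    Check.That(vk.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(vk.DataLength).IsEqualTo((uint)0x8);
    Check.That(vk.OffsetToData).IsEqualTo((uint)0x3b70);
    Check.That(val.ValueData).IsEqualTo("0");
    Check.That(vk.Padding.Length).IsEqualTo(2);
    Check.That(vk.ValueData).IsInstanceOf<ulong>();
    Check.That(vk.ValueDataSlack.Length).IsEqualTo(4);
    Check.That(vk.ValueDataRaw.Length).IsEqualTo(8);
    Check.That(vk.ToString()).IsNotEmpty();
}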
/// <summary>
/// A key path that starts with the hive's root key name resolves.
/// </summary>
public void GetKeyShouldNotBeNullWithFullPath()
{
    var sam = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");

    Check.That(sam.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Account")).IsNotNull();
}
/// <summary>
/// Looking up a path that does not exist yields null rather than throwing.
/// </summary>
public void GetKeyShouldBeNullWithNonExistentPath()
{
    var sam = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");

    Check.That(sam.GetKey(@"SAM\Domains\Account\This\Does\Not\Exist")).IsNull();
}
/// <summary>
/// Exports one key from each supported hive type to .reg format and checks that every export reports success.
/// </summary>
public void ExportToRegFormatSingleKey()
{
    var sam = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");
    Check.That(Helpers.ExportToReg(@"exportSamTest.reg", sam.GetKey(@"SAM\Domains\Account"), HiveTypeEnum.Sam, false)).IsTrue();

    var ntUser = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");
    Check.That(Helpers.ExportToReg(@"exportntuser1Test.reg", ntUser.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Console"), HiveTypeEnum.NtUser, false)).IsTrue();

    var security = new RegistryHiveOnDemand(@"..\..\..\Hives\SECURITY");
    Check.That(Helpers.ExportToReg(@"exportsecTest.reg", security.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Policy\Accounts\S-1-5-9"), HiveTypeEnum.Security, false)).IsTrue();

    var system = new RegistryHiveOnDemand(@"..\..\..\Hives\SYSTEM");
    Check.That(Helpers.ExportToReg(@"exportsysTest.reg", system.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Enum\ACPI\PNP0C02\1"), HiveTypeEnum.System, false)).IsTrue();

    var usrClassFtp = new RegistryHiveOnDemand(@"..\..\..\Hives\UsrClass FTP.dat");
    Check.That(Helpers.ExportToReg(@"exportusrTest.reg", usrClassFtp.GetKey(@"S-1-5-21-2417227394-2575385136-2411922467-1105_Classes\.3g2"), HiveTypeEnum.UsrClass, false)).IsTrue();

    var samDupeName = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM_DUPENAME");
    Check.That(Helpers.ExportToReg(@"exportotherTest.reg", samDupeName.GetKey(@"SAM\SAM\Domains\Account\Aliases\000003E9"), HiveTypeEnum.Other, false)).IsTrue();

    // This hive is parsed fully with deleted-record recovery on (the on-demand reader is not used here).
    var usrClassDeleted = new RegistryHive(@"..\..\..\Hives\UsrClassDeletedBags.dat")
    {
        RecoverDeleted = true,
        FlushRecordListsAfterParse = false
    };
    usrClassDeleted.ParseHive();
    Check.That(Helpers.ExportToReg(@"exportDeletedTest.reg", usrClassDeleted.GetKey(@"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1"), HiveTypeEnum.UsrClass, false)).IsTrue();
}
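/// <summary>
/// Opens every hive file matching <paramref name="config"/> under the registry directory and reports the
/// "StubPath" value of each child key of <c>config.Path</c> (the Active Setup "Installed Components" layout).
/// </summary>
/// <param name="config">which hive files to open, the key whose children are enumerated, and the entry type to report</param>
private void EnumerateBinaryFromStubPath(Config config)
{
    foreach (string file in System.IO.Directory.EnumerateFiles(_registryPath, config.Hive.GetEnumDescription(), SearchOption.AllDirectories))
    {
        RegistryHiveOnDemand registry = OpenRegistry(file);
        if (registry == null)
        {
            continue;
        }

        RegistryKey regKey = registry.GetKey(config.Path);
        if (regKey == null)
        {
            continue;
        }

        foreach (RegistryKey subKey in regKey.SubKeys)
        {
            // Each child is re-opened by its full path (presumably the SubKeys entries are shallow — confirm).
            // A child that cannot be re-opened is skipped instead of dereferencing null.
            RegistryKey childKey = registry.GetKey(subKey.KeyPath);
            if (childKey == null)
            {
                continue;
            }

            // Registry value names are not culture-sensitive: one ordinal, case-insensitive lookup replaces
            // two ToLower() scans of the value list.
            var stubPath = childKey.Values.SingleOrDefault(v => string.Equals(v.ValueName, "stubpath", StringComparison.OrdinalIgnoreCase));
            if (stubPath == null)
            {
                continue;
            }

            // NOTE(review): "HLKM" looks like a typo for HKLM but is kept verbatim, since downstream
            // consumers may match on the reported prefix — confirm before changing.
            ProcessEntry(stubPath.ValueData,
                @"HLKM\" + config.Hive.GetEnumDescription() + @"\" + config.Path + @"\" + childKey.KeyName,
                config.Type,
                @"HLKM\Software\Microsoft\Active Setup\Installed Components\" + childKey.KeyName,
                file,
                childKey.LastWriteTime);
        }
    }
}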
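/// <summary>
/// Prompts for options, opens the selected SYSTEM hive and parses its USBSTOR entries.
/// When the hive was extracted from the live system, the temporary copy is deleted afterwards.
/// </summary>
/// <param name="sender">the button that raised the event (unused)</param>
/// <param name="e">event data (unused)</param>
private void BtnStart_Click(object sender, EventArgs e)
{
    if (_options.ShowDialog() != DialogResult.OK)
    {
        return;
    }

    string hivePath = _options.SystemHive;
    if (string.IsNullOrWhiteSpace(hivePath) || !File.Exists(hivePath))
    {
        return;
    }

    _hive = new RegistryHiveOnDemand(hivePath);
    ParseUSBStor();

    if (_options.LiveSystem)
    {
        // Best-effort cleanup of the temporary hive copy. It stays best-effort (the handler must not crash),
        // but the failure reason is now shown instead of being discarded, since a copy left behind is worth
        // the user's attention.
        try
        {
            File.Delete(hivePath);
        }
        catch (Exception ex)
        {
            MessageBox.Show("Error deleting temp hive at " + hivePath + Environment.NewLine + ex.Message);
        }
    }
}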
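/// <summary>
/// Extracts the system key from a SYSTEM registry hive.
/// </summary>
/// <remarks>
/// The control set is taken from the hive's Select\Current value; the hex-encoded class names of the JD,
/// Skew1, GBG and Data subkeys under ControlSet00N\Control\Lsa are concatenated and then reordered through
/// <c>SYSTEMKEYTRANSFORMS</c>.
/// </remarks>
/// <param name="systemHivePath">The file path of the SYSTEM registry hive.</param>
/// <returns>A byte array containing the 16 byte system key.</returns>
/// <exception cref="ArgumentNullException"><paramref name="systemHivePath"/> is null.</exception>
/// <exception cref="InvalidOperationException">
/// The Select key, its Current value, one of the four Lsa subkeys or that subkey's class name is missing.
/// </exception>
public static byte[] LoadSystemKeyFromHive(string systemHivePath)
{
    systemHivePath = systemHivePath ?? throw new ArgumentNullException(nameof(systemHivePath));

    // Load the registry hive
    var hive = new RegistryHiveOnDemand(systemHivePath);

    // Select\Current names the control set that was active at last boot. It is looked up by name rather
    // than by position (Values[0]) because the order of the values under Select is not guaranteed.
    var selectKey = hive.GetKey("Select")
        ?? throw new InvalidOperationException("The hive has no Select key; is this a SYSTEM hive?");
    var currentValue = selectKey.Values.SingleOrDefault(v => v.ValueName == "Current")
        ?? throw new InvalidOperationException("The Select key has no Current value.");
    var currentControlSetVersion = int.Parse(currentValue.ValueData, CultureInfo.InvariantCulture);

    // Each of the four subkeys contributes its hex-encoded class name to the scrambled key.
    var scrambledKey = new List<byte>();
    foreach (var keyName in new[] { "JD", "Skew1", "GBG", "Data" })
    {
        var keyPath = Invariant($"ControlSet00{currentControlSetVersion}\\Control\\Lsa\\{keyName}");
        var className = hive.GetKey(keyPath)?.ClassName
            ?? throw new InvalidOperationException(Invariant($"Key '{keyPath}' or its class name is missing."));

        // Two hex digits per byte; a trailing odd digit is ignored, as before.
        for (var i = 0; i + 1 < className.Length; i += 2)
        {
            scrambledKey.Add(Convert.ToByte(className.Substring(i, 2), 16));
        }
    }

    // Unscramble the system key based on the known transforms
    var systemKey = new byte[scrambledKey.Count];
    for (var i = 0; i < systemKey.Length; i++)
    {
        systemKey[i] = scrambledKey[SYSTEMKEYTRANSFORMS[i]];
    }

    return systemKey;
}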
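/// <summary>
/// Pins the raw vk cell fields of the REG_NONE "(default)" value under SAM\Domains in the SAM hive.
/// </summary>
public void TestVkRecordRegNone()
{
    var hive = new RegistryHiveOnDemand(@".\Hives\SAM");
    var key = hive.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains");
    Check.That(key).IsNotNull();

    var val = key.Values.Single(e => e.ValueName == "(default)");
    Check.That(val).IsNotNull();
    var vk = val.VkRecord;

    // Cell location and header.
    Check.That(vk.RelativeOffset).IsEqualTo(0x270);
    Check.That(vk.AbsoluteOffset).IsEqualTo(0x1270);
    Check.That(vk.Size).IsEqualTo(-24);
    Check.That(vk.Signature).IsEqualTo("vk");
    Check.That(vk.IsFree).IsFalse();

    // Name fields: no name is stored, yet the value reports as "(default)".
    Check.That(vk.NamePresentFlag).IsEqualTo(0x00);
    Check.That(vk.NameLength).IsEqualTo(0);
    Check.That(vk.ValueName).IsEqualTo("(default)");

    // Data fields. IsEqualTo is the fluent assertion; Equals() on a check object is plain object equality
    // and does not express the intended check.
    Check.That(vk.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegNone);
    Check.That(vk.DataLength).IsEqualTo(0x80000000);
    Check.That(vk.OffsetToData).IsEqualTo((uint)0x0);
    Check.That(vk.Padding.Length).IsEqualTo(0);
    Check.That(vk.ValueData).IsInstanceOf<byte[]>();
    Check.That(vk.ValueDataSlack.Length).IsEqualTo(0);
    Check.That(vk.ValueDataRaw.Length).IsEqualTo(0);
    Check.That(vk.ToString()).IsNotEmpty();
}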
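/// <summary>
/// Pins the raw vk cell fields of the unnamed value under Groups\Names\None in the SAM_hasBigEndianDWord
/// hive, whose raw type id (513) maps to <c>RegUnknown</c>.
/// </summary>
public void TestVkRecordRegUnknown()
{
    var hive = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM_hasBigEndianDWord");
    var key = hive.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Account\Groups\Names\None");
    Check.That(key).IsNotNull();

    var val = key.Values.Single(e => e.ValueName == string.Empty);
    Check.That(val).IsNotNull();
    var vk = val.VkRecord;

    // Cell location and header.
    Check.That(vk.RelativeOffset).IsEqualTo(0x1248);
    Check.That(vk.AbsoluteOffset).IsEqualTo(0x2248);
    Check.That(vk.Size).IsEqualTo(-24);
    Check.That(vk.Signature).IsEqualTo("vk");
    Check.That(vk.IsFree).IsFalse();

    // Name fields: the value is unnamed.
    Check.That(vk.NamePresentFlag).IsEqualTo(0x0);
    Check.That(vk.NameLength).IsEqualTo(0);
    Check.That(vk.ValueName).IsEmpty();

    // Data fields. IsEqualTo is the fluent assertion; Equals() on a check object is plain object equality
    // and does not express the intended check.
    Check.That(vk.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegUnknown);
    Check.That(vk.DataTypeRaw).IsEqualTo(513);
    Check.That(vk.DataLength).IsEqualTo(0x80000000);
    Check.That(vk.OffsetToData).IsEqualTo((uint)0);
    Check.That(vk.Padding.Length).IsEqualTo(0);
    Check.That(vk.ValueData).IsInstanceOf<byte[]>();
    Check.That(vk.ValueDataSlack.Length).IsEqualTo(0);
    Check.That(vk.ValueDataRaw.Length).IsEqualTo(4);
    Check.That(vk.ToString()).IsNotEmpty();
}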
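/// <summary>
/// Reads the AppCompatCache value of the current control set from an offline SYSTEM hive and initialises
/// this instance from its raw bytes.
/// </summary>
/// <param name="filename">path of the SYSTEM hive to read</param>
/// <exception cref="FileNotFoundException"><paramref name="filename"/> does not exist.</exception>
/// <exception cref="InvalidOperationException">
/// The hive has no Select key or no Current value, so the control set cannot be chosen.
/// </exception>
public AppCompatCache(string filename)
{
    if (!File.Exists(filename))
    {
        // Report which path was missing; the FileNotFoundException.FileName property carries it too.
        throw new FileNotFoundException($"File not found ({filename})!", filename);
    }

    var hive = new RegistryHiveOnDemand(filename);

    // Select\Current names the control set that was active at last boot.
    var selectKey = hive.GetKey("Select");
    var currentValue = selectKey?.Values.SingleOrDefault(c => c.ValueName == "Current");
    if (currentValue == null)
    {
        throw new InvalidOperationException("Unable to determine the current control set: Select\\Current is missing!");
    }
    var currentCtlSet = int.Parse(currentValue.ValueData, System.Globalization.CultureInfo.InvariantCulture);

    var cacheKey = hive.GetKey($@"ControlSet00{currentCtlSet}\Control\Session Manager\AppCompatCache");
    var cacheValue = cacheKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");
    byte[] rawBytes = cacheValue?.ValueDataRaw;
    if (rawBytes == null)
    {
        // Kept as a non-throwing early exit for compatibility with existing callers: they receive an
        // instance on which Init() has not run.
        Console.WriteLine(@"'AppCompatCache' value not found! Exiting");
        return;
    }

    var is32 = Is32Bit(filename);
    string computerName = ComputerName(filename);
    Init(rawBytes, is32, computerName);
}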
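/// <summary>
/// Pins the raw vk cell fields of the REG_MULTI_SZ value "LanguageList" in the UsrClassDeletedBags hive.
/// </summary>
public void TestVkRecordRegMultiSz()
{
    var hive = new RegistryHiveOnDemand(@"..\..\..\Hives\UsrClassDeletedBags.dat");
    var key = hive.GetKey(@"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\MuiCache\6\52C64B7E");
    Check.That(key).IsNotNull();

    var val = key.Values.Single(e => e.ValueName == "LanguageList");
    Check.That(val).IsNotNull();
    var vk = val.VkRecord;

    // Cell location and header.
    Check.That(vk.RelativeOffset).IsEqualTo(0x5f0);
    Check.That(vk.AbsoluteOffset).IsEqualTo(0x15f0);
    Check.That(vk.Size).IsEqualTo(-40);
    Check.That(vk.Signature).IsEqualTo("vk");
    Check.That(vk.IsFree).IsFalse();

    // Name fields.
    Check.That(vk.NamePresentFlag).IsEqualTo(0x01);
    Check.That(vk.NameLength).IsEqualTo(0xC);
    Check.That(vk.ValueName).IsEqualTo("LanguageList");

    // Data fields. IsEqualTo is the fluent assertion; Equals() on a check object is plain object equality
    // and does not express the intended check.
    Check.That(vk.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(vk.DataLength).IsEqualTo((uint)0x14);
    Check.That(vk.OffsetToData).IsEqualTo((uint)0xf70);
    Check.That(val.ValueData).IsEqualTo("en-US en");
    Check.That(vk.Padding.Length).IsEqualTo(4);
    Check.That(vk.ValueData).IsInstanceOf<string>();
    Check.That(vk.ValueDataSlack.Length).IsEqualTo(0);
    Check.That(vk.ValueDataRaw.Length).IsEqualTo(20);
    Check.That(vk.ToString()).IsNotEmpty();
}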
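/// <summary>
/// Opens every hive file matching <paramref name="config"/> under the registry directory and hands the
/// non-empty "AppInit_DLLs" value of <c>config.Path</c> to ParseAppInitDll.
/// </summary>
/// <param name="config">which hive files to open and the key that carries the AppInit_DLLs value</param>
private void EnumerateAppInitDlls(Config config)
{
    foreach (string file in System.IO.Directory.EnumerateFiles(_registryPath, config.Hive.GetEnumDescription(), SearchOption.AllDirectories))
    {
        RegistryHiveOnDemand registry = OpenRegistry(file);
        if (registry == null)
        {
            continue;
        }

        RegistryKey regKey = OpenKey(registry, config.Path);
        if (regKey == null)
        {
            continue;
        }

        // Registry value names are not culture-sensitive: one ordinal, case-insensitive lookup replaces
        // three ToLower() scans of the value list.
        var appInitDlls = regKey.Values.SingleOrDefault(v => string.Equals(v.ValueName, "appinit_dlls", StringComparison.OrdinalIgnoreCase));
        if (appInitDlls == null || string.IsNullOrEmpty(appInitDlls.ValueData))
        {
            // Missing or empty: nothing to report for this hive.
            continue;
        }

        ParseAppInitDll(config.Path, appInitDlls.ValueData, file, regKey.LastWriteTime);
    }
}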
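/// <summary>
/// Pins the raw vk cell fields of the REG_BINARY value "F" under SAM\Domains\Account in the SAM hive.
/// </summary>
public void TestVkRecordRegBinary()
{
    var hive = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");
    var key = hive.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Account");
    Check.That(key).IsNotNull();

    var val = key.Values.Single(e => e.ValueName == "F");
    Check.That(val).IsNotNull();
    var vk = val.VkRecord;

    // Cell location and header.
    Check.That(vk.RelativeOffset).IsEqualTo(0x3078);
    Check.That(vk.AbsoluteOffset).IsEqualTo(0x4078);
    Check.That(vk.Size).IsEqualTo(-32);
    Check.That(vk.Signature).IsEqualTo("vk");
    Check.That(vk.IsFree).IsFalse();

    // Name fields.
    Check.That(vk.NamePresentFlag).IsEqualTo(0x01);
    Check.That(vk.NameLength).IsEqualTo(1);
    Check.That(vk.ValueName).IsEqualTo("F");

    // Data fields. IsEqualTo is the fluent assertion; Equals() on a check object is plain object equality
    // and does not express the intended check.
    Check.That(vk.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegBinary);
    Check.That(vk.DataLength).IsEqualTo((uint)0xf0);
    Check.That(vk.OffsetToData).IsEqualTo((uint)0x3098);
    Check.That(vk.Padding.Length).IsEqualTo(7);
    Check.That(vk.ValueData).IsInstanceOf<byte[]>();
    Check.That(vk.ValueDataSlack.Length).IsEqualTo(4);
    Check.That(vk.ValueDataRaw.Length).IsEqualTo(240);
    Check.That(vk.ToString()).IsNotEmpty();
}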
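/// <summary>
/// Pins the raw vk cell fields of the unnamed REG_DWORD value under SAM\LastSkuUpgrade in the SAM hive.
/// The data is stored inline (DataLength has its high bit set and OffsetToData holds the value itself).
/// </summary>
public void TestVkRecordRegDWord()
{
    var hive = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");
    var key = hive.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\LastSkuUpgrade");
    Check.That(key).IsNotNull();

    var val = key.Values.Single(e => e.ValueName == string.Empty);
    Check.That(val).IsNotNull();
    var vk = val.VkRecord;

    // Cell location and header.
    Check.That(vk.RelativeOffset).IsEqualTo(0x258);
    Check.That(vk.AbsoluteOffset).IsEqualTo(0x1258);
    Check.That(vk.Size).IsEqualTo(-24);
    Check.That(vk.Signature).IsEqualTo("vk");
    Check.That(vk.IsFree).IsFalse();

    // Name fields: the value is unnamed.
    Check.That(vk.NamePresentFlag).IsEqualTo(0x00);
    Check.That(vk.NameLength).IsEqualTo(0);
    Check.That(vk.ValueName).IsEmpty();

    // Data fields. IsEqualTo is the fluent assertion; Equals() on a check object is plain object equality
    // and does not express the intended check.
    Check.That(vk.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
    Check.That(vk.DataLength).IsEqualTo(0x80000004);
    Check.That(vk.OffsetToData).IsEqualTo((uint)0x07);
    Check.That(val.ValueData).IsEqualTo("7");
    Check.That(vk.Padding.Length).IsEqualTo(0);
    Check.That(vk.ValueData).IsInstanceOf<uint>();
    Check.That(vk.ValueDataSlack.Length).IsEqualTo(0);
    Check.That(vk.ValueDataRaw.Length).IsEqualTo(4);
    Check.That(vk.ToString()).IsNotEmpty();
}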
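/// <summary>
/// Pins the raw vk cell fields of an unnamed REG_QWORD value in the SAM_DUPENAME hive whose data length
/// is zero; it must decode to a zero <c>ulong</c> rather than fail.
/// </summary>
public void TestVkRecordQWordWithLengthOfZero()
{
    var hive = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM_DUPENAME");
    var key = hive.GetKey(@"SAM\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-4271176276-4210259494-4108073714");
    Check.That(key).IsNotNull();

    var val = key.Values.Single(e => e.ValueName == string.Empty);
    Check.That(val).IsNotNull();
    var vk = val.VkRecord;

    // Cell location and header.
    Check.That(vk.RelativeOffset).IsEqualTo(0xA88);
    Check.That(vk.AbsoluteOffset).IsEqualTo(0x1A88);
    Check.That(vk.Size).IsEqualTo(-24);
    Check.That(vk.Signature).IsEqualTo("vk");
    Check.That(vk.IsFree).IsFalse();

    // Name fields: the value is unnamed.
    Check.That(vk.NamePresentFlag).IsEqualTo(0x0);
    Check.That(vk.NameLength).IsEqualTo(0x0);
    Check.That(vk.ValueName).IsEmpty();

    // Data fields. IsEqualTo is the fluent assertion; Equals() on a check object is plain object equality
    // and does not express the intended check.
    Check.That(vk.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(vk.DataTypeRaw).IsEqualTo(11);
    Check.That(vk.DataLength).IsEqualTo(0x80000000);
    Check.That(vk.OffsetToData).IsEqualTo((uint)0);
    Check.That(vk.Padding.Length).IsEqualTo(0);
    Check.That(vk.ValueData).IsInstanceOf<ulong>();
    Check.That(vk.ValueData).IsEqualTo((ulong)0);
    Check.That(vk.ValueDataSlack.Length).IsEqualTo(0);
    Check.That(vk.ValueDataRaw.Length).IsEqualTo(0);
    Check.That(vk.ToString()).IsNotEmpty();
}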
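/// <summary>
/// Pins the raw vk cell fields of a value with raw type 0x0010 (REG_FILETIME) in the SYSTEM hive; its data
/// decodes to a <see cref="DateTimeOffset"/>.
/// </summary>
public void TestVkRecordFileTimeRegType()
{
    var hive = new RegistryHiveOnDemand(@"..\..\..\Hives\SYSTEM");
    var key = hive.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0008");
    Check.That(key).IsNotNull();

    var val = key.Values.Single(e => e.ValueName == "en-US");
    Check.That(val).IsNotNull();
    var vk = val.VkRecord;

    // Cell location and header.
    Check.That(vk.RelativeOffset).IsEqualTo(0x78170);
    Check.That(vk.AbsoluteOffset).IsEqualTo(0x79170);
    Check.That(vk.Size).IsEqualTo(-32);
    Check.That(vk.Signature).IsEqualTo("vk");
    Check.That(vk.IsFree).IsFalse();

    // Name fields.
    Check.That(vk.NamePresentFlag).IsEqualTo(0x1);
    Check.That(vk.NameLength).IsEqualTo(0x5);
    Check.That(vk.ValueName).IsEqualTo("en-US");

    // Data fields. IsEqualTo is the fluent assertion; Equals() on a check object is plain object equality
    // and does not express the intended check.
    Check.That(vk.ValueData).IsInstanceOf<DateTimeOffset>();
    Check.That(vk.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegFileTime);
    Check.That(vk.DataTypeRaw).IsEqualTo(0x0010);
    Check.That(vk.DataLength).IsEqualTo((uint)0x8);
    Check.That(vk.OffsetToData).IsEqualTo((uint)0x77d78);
    Check.That(vk.Padding.Length).IsEqualTo(3);
    Check.That(vk.ValueDataRaw.Length).IsEqualTo(8);
    Check.That(vk.ValueDataSlack.Length).IsEqualTo(4);
    Check.That(vk.ToString()).IsNotEmpty();
}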
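/// <summary>
/// Pins the raw vk cell fields of an unnamed REG_SZ value stored inline (DataLength high bit set) in the SAM hive.
/// </summary>
public void TestVkRecordRegSz()
{
    var hive = new RegistryHiveOnDemand(@"..\..\..\Hives\SAM");
    var key = hive.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Builtin\Aliases\Members\S-1-5-21-727398572-3617256236-2003601904\00000201");
    Check.That(key).IsNotNull();

    var val = key.Values.Single(e => e.ValueName == string.Empty);
    Check.That(val).IsNotNull();
    var vk = val.VkRecord;

    // Cell location and header.
    Check.That(vk.RelativeOffset).IsEqualTo(0xFE0);
    Check.That(vk.AbsoluteOffset).IsEqualTo(0x1FE0);
    Check.That(vk.Size).IsEqualTo(-24);
    Check.That(vk.Signature).IsEqualTo("vk");
    Check.That(vk.IsFree).IsFalse();

    // Name fields: the value is unnamed.
    Check.That(vk.NamePresentFlag).IsEqualTo(0x00);
    Check.That(vk.NameLength).IsEqualTo(0);
    Check.That(vk.ValueName).IsEmpty();

    // Data fields. IsEqualTo is the fluent assertion; Equals() on a check object is plain object equality
    // and does not express the intended check.
    Check.That(vk.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
    Check.That(vk.DataLength).IsEqualTo(0x80000004);
    Check.That(vk.OffsetToData).IsEqualTo((uint)0x0221);
    Check.That(vk.Padding.Length).IsEqualTo(0);
    Check.That(vk.ValueData).IsInstanceOf<string>();
    Check.That(vk.ValueDataSlack.Length).IsEqualTo(0);
    Check.That(vk.ValueDataRaw.Length).IsEqualTo(4);
    Check.That(vk.ToString()).IsNotEmpty();
}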
/// <summary>
/// REG_MULTI_SZ values decode to a single space-joined string, whether read on demand, from a fully parsed
/// hive with deleted-record recovery enabled, or from a BCD hive; the slack length is pinned for each case.
/// </summary>
public void ShouldFindRegMultiSzValues()
{
    // Case 1: on-demand NTUSER hive.
    var ntUser = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");
    var profileKey = ntUser.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\International\User Profile");
    Check.That(profileKey).IsNotNull();

    var languages = profileKey.Values.Single(t => t.ValueName == "Languages");
    Check.That(languages).IsNotNull();
    Check.That(languages.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(languages.VkRecord.ValueData).IsEqualTo("en-US");
    Check.That(languages.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

    // Case 2: fully parsed UsrClass hive with deleted-record recovery on.
    var acronis = new RegistryHive(@"..\..\..\Hives\Acronis_0x52_Usrclass.dat");
    acronis.RecoverDeleted = true;
    acronis.FlushRecordListsAfterParse = false;
    acronis.ParseHive();

    var muiCacheKey = acronis.GetKey(@"S-1-5-21-3851833874-1800822990-1357392098-1000_Classes\Local Settings\MuiCache\12\52C64B7E");
    Check.That(muiCacheKey).IsNotNull();

    var languageList = muiCacheKey.Values.Single(t => t.ValueName == "LanguageList");
    Check.That(languageList).IsNotNull();
    Check.That(languageList.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(languageList.VkRecord.ValueData).IsEqualTo("en-US en");
    Check.That(languageList.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

    // Case 3: BCD hive, two "Element" values with different slack sizes.
    var bcd = new RegistryHive(@"..\..\..\Hives\BCD");
    bcd.FlushRecordListsAfterParse = false;
    bcd.RecoverDeleted = true;
    bcd.ParseHive();

    var firstElementsKey = bcd.GetKey(@"System\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\14000006");
    Check.That(firstElementsKey).IsNotNull();

    var firstElement = firstElementsKey.Values.Single(t => t.ValueName == "Element");
    Check.That(firstElement).IsNotNull();
    Check.That(firstElement.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(firstElement.VkRecord.ValueData).IsEqualTo("{4636856e-540f-4170-a130-a84776f4c654} {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}");
    Check.That(firstElement.VkRecord.ValueDataSlack.Length).IsEqualTo(6);

    var secondElementsKey = bcd.GetKey(@"System\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\14000006");
    Check.That(secondElementsKey).IsNotNull();

    var secondElement = secondElementsKey.Values.Single(t => t.ValueName == "Element");
    Check.That(secondElement).IsNotNull();
    Check.That(secondElement.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(secondElement.VkRecord.ValueData).IsEqualTo("{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}");
    Check.That(secondElement.VkRecord.ValueDataSlack.Length).IsEqualTo(84);
}
/// <summary>
/// The ActivatableClasses\CLSID key of the "UsrClass FTP" hive resolves through the on-demand reader.
/// </summary>
public void TestsListRecordsContinued3()
{
    var usrClass = new RegistryHiveOnDemand(@"..\..\..\Hives\UsrClass FTP.dat");

    Check.That(usrClass.GetKey(@"S-1-5-21-2417227394-2575385136-2411922467-1105_Classes\ActivatableClasses\CLSID")).IsNotNull();
}
/// <summary>
/// A mixed-case path without the root key name resolves in the "UsrClass FTP" hive.
/// </summary>
public void ShouldFindKeyWithMixedCaseNameWithoutRootName()
{
    var usrClass = new RegistryHiveOnDemand(@"..\..\..\Hives\UsrClass FTP.dat");

    Check.That(usrClass.GetKey(@"ActivAtableClasses\CLsID")).IsNotNull();
}
/// <summary>
/// A mixed-case path that includes a mixed-case root key name resolves in the "UsrClass FTP" hive.
/// </summary>
public void ShouldFindKeyWithMixedCaseName()
{
    var usrClass = new RegistryHiveOnDemand(@"..\..\..\Hives\UsrClass FTP.dat");

    Check.That(usrClass.GetKey(@"S-1-5-21-2417227394-2575385136-2411922467-1105_CLAsses\ActivAtableClasses\CLsID")).IsNotNull();
}
/// <summary>
/// REG_DWORD values from several NTUSER1 keys decode to the expected <c>uint</c> with no slack.
/// </summary>
public void ShouldFindRegDWordValues()
{
    var ntUser = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");
    const string root = @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\";

    // Every case has the same shape, so one checker is applied per (key path, value name, expected) triple.
    Action<string, string, uint> checkDword = (keyPath, valueName, expected) =>
    {
        var key = ntUser.GetKey(root + keyPath);
        Check.That(key).IsNotNull();

        var val = key.Values.Single(t => t.ValueName == valueName);
        Check.That(val).IsNotNull();
        Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegDword);
        Check.That(val.VkRecord.ValueData).IsEqualTo(expected);
        Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(0);
    };

    checkDword(@"Software\Microsoft\Wisp\Pen\SysEventParameters", "DblDist", 20);
    checkDword(@"Software\Microsoft\Windows NT\CurrentVersion\Windows", "UserSelectedDefault", 0);
    checkDword(@"Software\Microsoft\Windows NT\CurrentVersion\MsiCorruptedFileRecovery\RepairedProducts", "TimeWindowMinutes", 1440);
    checkDword(@"Software\Microsoft\Windows\Windows Error Reporting", "MaxArchiveCount", 500);
    checkDword(@"Console", "ColorTable11", 16776960);
}
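/// <summary>
/// Recursively walks a registry key and its subkeys. Every subkey whose name is numeric is wrapped in a
/// <c>RegistryKeyWrapper</c> together with the raw bytes of the parent's value of the same name; all other
/// subkeys are only descended into.
/// </summary>
/// <param name="rk">the root registry key to start iterating over; null yields an empty list</param>
/// <param name="hive">the offline registry hive</param>
/// <param name="subKey">the path of the first subkey under the root key; used for trace output and passed down</param>
/// <param name="parent">wrapper of the key <paramref name="rk"/> was reached from; null at the top level</param>
/// <param name="path_prefix">the header to the current root key, needed for identification of the registry store</param>
/// <returns>every wrapper created for numeric subkeys, depth-first in subkey order</returns>
static List<RegistryKeyWrapper> IterateRegistry(RegistryKey rk, RegistryHiveOnDemand hive, string subKey, RegistryKeyWrapper parent, string path_prefix)
{
    var retList = new List<RegistryKeyWrapper>();
    if (rk == null)
    {
        return retList;
    }

    foreach (RegistryKey child in rk.SubKeys)
    {
        // "Associations" subtrees are skipped entirely. An ordinal comparison avoids culture-dependent
        // upper-casing; registry key names are not culture-sensitive.
        if (string.Equals(child.KeyName, "ASSOCIATIONS", StringComparison.OrdinalIgnoreCase))
        {
            continue;
        }

        string sk = getSubkeyString(subKey, child.KeyName);
        logger.Trace("{0}", sk);

        RegistryKey rkNext;
        try
        {
            rkNext = hive.GetKey(getSubkeyString(rk.KeyPath, child.KeyName));
        }
        catch (System.Security.SecurityException ex)
        {
            logger.Warn("ACCESS DENIED: " + ex.Message);
            continue;
        }

        RegistryKeyWrapper rkNextWrapper = null;
        if (int.TryParse(child.KeyName, out _))
        {
            // A numeric subkey is paired with the parent's value of the same name; its raw bytes go to the wrapper.
            try
            {
                KeyValue rkValue = rk.Values.First(val => val.ValueName == child.KeyName);
                rkNextWrapper = new RegistryKeyWrapper(rkNext, rkValue.ValueDataRaw, hive, parent);
                retList.Add(rkNextWrapper);
            }
            catch (OverrunBufferException ex)
            {
                logger.Warn("OverrunBufferException: " + child.KeyName + ": " + ex.Message);
            }
            catch (Exception ex)
            {
                // Best-effort: a malformed entry must not abort the whole walk, but the reason is logged
                // so that silently skipped entries can be investigated.
                logger.Warn(child.KeyName + ": " + ex.Message);
            }
        }

        retList.AddRange(IterateRegistry(rkNext, hive, sk, rkNextWrapper, path_prefix));
    }

    return retList;
}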
/// <summary>
/// REG_SZ values from NTUSER1.DAT decode to the expected strings, and the number of slack
/// bytes trailing each value's data matches the known hive layout.
/// </summary>
public void ShouldFindRegSzValues()
{
    var ntUser1OnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");

    // One check per value: key exists, value exists, type is REG_SZ, decoded data and
    // slack length match.
    void ExpectRegSz(string keyPath, string valueName, string expectedData, int expectedSlackLength)
    {
        var key = ntUser1OnDemand.GetKey(keyPath);
        Check.That(key).IsNotNull();

        var val = key.Values.Single(v => v.ValueName == valueName);
        Check.That(val).IsNotNull();
        Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegSz);
        Check.That(val.VkRecord.ValueData).IsEqualTo(expectedData);
        Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(expectedSlackLength);
    }

    ExpectRegSz(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\CTF\Assemblies\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}",
        "Default",
        "{00000000-0000-0000-0000-000000000000}",
        6);

    ExpectRegSz(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\CTF\SortOrder\Language",
        "00000000",
        "00000409",
        2);

    ExpectRegSz(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Speech\Preferences\AppCompatDisableDictation",
        "dwm.exe",
        "",
        0);

    ExpectRegSz(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\EUDC\932",
        "SystemDefaultEUDCFont",
        "EUDC.TTE",
        2);

    ExpectRegSz(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\PowerCfg\PowerPolicies\4",
        "Description",
        "This scheme keeps the computer on and optimizes it for high performance.",
        2);
}
/// <summary>
/// REG_EXPAND_SZ values from NTUSER1.DAT decode to the expected (unexpanded) strings, and
/// the number of slack bytes trailing each value's data matches the known hive layout.
/// </summary>
public void ShouldFindRegExpandSzValues()
{
    var ntUser1OnDemand = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");

    // One check per value: key exists, value exists, type is REG_EXPAND_SZ, decoded data
    // and slack length match.
    void ExpectRegExpandSz(string keyPath, string valueName, string expectedData, int expectedSlackLength)
    {
        var key = ntUser1OnDemand.GetKey(keyPath);
        Check.That(key).IsNotNull();

        var val = key.Values.Single(v => v.ValueName == valueName);
        Check.That(val).IsNotNull();
        Check.That(val.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegExpandSz);
        Check.That(val.VkRecord.ValueData).IsEqualTo(expectedData);
        Check.That(val.VkRecord.ValueDataSlack.Length).IsEqualTo(expectedSlackLength);
    }

    ExpectRegExpandSz(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Environment",
        "TEMP",
        @"%USERPROFILE%\AppData\Local\Temp",
        2);

    ExpectRegExpandSz(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\Cursors",
        "Arrow",
        @"%SystemRoot%\cursors\aero_arrow.cur",
        4);

    // The default value of a key has an empty name.
    ExpectRegExpandSz(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\AppEvents\Schemes\Apps\.Default\WindowsUAC\.Current",
        string.Empty,
        @"%SystemRoot%\media\Windows User Account Control.wav",
        4);

    ExpectRegExpandSz(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Themes",
        "LastHighContrastTheme",
        @"%SystemRoot%\resources\Ease of Access Themes\hcblack.theme",
        6);

    ExpectRegExpandSz(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\ThemeManager",
        "DllName",
        @"%SystemRoot%\resources\themes\Aero\Aero.msstyles",
        2);
}
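/// <summary>
/// A hive can be constructed from its raw bytes instead of a file name: the header parses,
/// the path reports "None", and the hive type is detected as SAM.
/// </summary>
public void ShouldTakeByteArrayInConstructor()
{
    // File.ReadAllBytes opens, reads and closes the file itself, so the handle is released
    // even when reading throws (the hand-rolled FileStream/BinaryReader pair was only
    // closed on the success path). It also avoids the int cast of the stream length.
    var fileBytes = File.ReadAllBytes(@"..\..\Hives\SAM");

    var r = new RegistryHiveOnDemand(fileBytes);
    Check.That(r.Header).IsNotNull();
    Check.That(r.HivePath).IsEqualTo("None");
    Check.That(r.HiveType).IsEqualTo(HiveTypeEnum.Sam);
}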
/// <summary>
/// Test-fixture setup: opens every hive under ..\..\Hives that the tests share. Hives opened
/// through RegistryHiveOnDemand are not parsed here; RegistryHive instances have their
/// options set and are parsed up front.
/// </summary>
public void InitializeObjects()
{
    Debug.WriteLine("Initializing hives...");

    SamOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\SAM");
    SamHasBigEndianOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\SAM_hasBigEndianDWord");
    SamDupeNameOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\SAM_DUPENAME");
    NtUser1OnDemand = new RegistryHiveOnDemand(@"..\..\Hives\NTUSER1.DAT");
    UsrClassDeletedBagsOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\UsrClassDeletedBags.dat");
    SoftwareOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\SOFTWARE");
    SystemOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\SYSTEM");

    // Options are applied through object initializers (assignment order preserved) and the
    // hive is parsed immediately afterwards. FlushRecordListsAfterParse is false for every
    // parsed hive; RecoverDeleted is enabled only where the tests need deleted records.
    Bcd = new RegistryHive(@"..\..\Hives\BCD") { FlushRecordListsAfterParse = false, RecoverDeleted = true };
    Bcd.ParseHive();

    UsrclassDeleted = new RegistryHive(@"..\..\Hives\UsrClassDeletedBags.dat") { RecoverDeleted = true, FlushRecordListsAfterParse = false };
    UsrclassDeleted.ParseHive();

    UsrclassAcronis = new RegistryHive(@"..\..\Hives\Acronis_0x52_Usrclass.dat") { RecoverDeleted = true, FlushRecordListsAfterParse = false };
    UsrclassAcronis.ParseHive();

    UsrClass1 = new RegistryHive(@"..\..\Hives\UsrClass 1.dat") { RecoverDeleted = true, FlushRecordListsAfterParse = false };
    UsrClass1.ParseHive();

    UsrClass1OnDemand = new RegistryHiveOnDemand(@"..\..\Hives\UsrClass 1.dat");

    UsrClassBeef = new RegistryHive(@"..\..\Hives\UsrClass BEEF000E.dat") { RecoverDeleted = true, FlushRecordListsAfterParse = false };
    UsrClassBeef.ParseHive();

    NtUserSlack = new RegistryHive(@"..\..\Hives\NTUSER slack.DAT") { FlushRecordListsAfterParse = false };
    NtUserSlack.ParseHive();

    Sam = new RegistryHive(@"..\..\Hives\SAM") { FlushRecordListsAfterParse = false };
    Sam.ParseHive();

    SamRootValue = new RegistryHive(@"..\..\Hives\SAM_RootValue") { FlushRecordListsAfterParse = false };
    SamRootValue.ParseHive();

    Security = new RegistryHiveOnDemand(@"..\..\Hives\SECURITY");
    DriversOnDemand = new RegistryHiveOnDemand(@"..\..\Hives\DRIVERS");

    Drivers = new RegistryHive(@"..\..\Hives\DRIVERS") { FlushRecordListsAfterParse = false, RecoverDeleted = true };
    Drivers.ParseHive();

    System = new RegistryHive(@"..\..\Hives\System") { FlushRecordListsAfterParse = false };
    System.ParseHive();

    SanOther = new RegistryHiveOnDemand(@"..\..\Hives\SAN(OTHER)");
    UsrClassFtp = new RegistryHiveOnDemand(@"..\..\Hives\UsrClass FTP.dat");
}
/// <summary>
/// The file-name constructor yields a hive whose header has been read.
/// </summary>
public void TestFileNameConstructor()
{
    RegistryHiveOnDemand hive = new RegistryHiveOnDemand(@"..\..\Hives\SAM");

    Check.That(hive.Header).IsNotNull();
}