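/// <summary>
/// Records every value under <paramref name="key"/> as a <c>RegistryEntry</c>, runs the analyzer's
/// search-term matching against the value data, the value name and the key path, and then descends
/// into every sub key. A sub key that cannot be opened is added to <c>InaccessibleEntries</c> by its
/// full path instead of aborting the scan.
/// </summary>
/// <param name="key">An opened, readable key. A <c>null</c> key (which <c>OpenSubKey</c> can return) is ignored.</param>
private void RecursivelyCollectKeyLevelData(RegistryKey key)
        {
            if (key is null)
            {
                return;
            }

            // Sub keys are enumerated before values so that a key we cannot list at all fails before
            // any of its values are recorded (same order the scan has always used).
            string[] subKeyNames = key.GetSubKeyNames();
            string[] valueNames  = key.GetValueNames();

            foreach (string valueName in valueNames)
            {
                RegistryValueKind valueKind = key.GetValueKind(valueName);
                Console.WriteLine(valueKind);

                // NOTE(review): GetValue expands REG_EXPAND_SZ data (%VAR% references) by default, so the
                // recorded string is the expanded form rather than the bytes stored in the hive — confirm
                // that is what the analysis should match against (RegistryValueOptions.DoNotExpandEnvironmentNames
                // would give the raw form).
                string stringValue = FormatRegistryValue(key.GetValue(valueName));

                RegistryEntry entry = new RegistryEntry();
                entry.KeyName          = valueName;
                entry.Value            = stringValue;
                entry.RegistryLocation = key.Name; // same text as key.ToString()
                RegistryEntries.Add(entry);
                analyzer.NumEntriesRecorded += 1;

                analyzer.ActiveRegistryLocation = entry.RegistryLocation;
                analyzer.ActiveRegistryValue    = stringValue;

                // Data, name and location each get their own match pass; the entry is logged and
                // collected once per matching search field, as before.
                RecordMatches(entry, stringValue);
                RecordMatches(entry, valueName);
                RecordMatches(entry, entry.RegistryLocation);
            }

            foreach (string subKeyName in subKeyNames)
            {
                // Report the full path rather than the bare sub key name so the inaccessible-key list is unambiguous.
                string subKeyPath = key.Name + "\\" + subKeyName;
                try
                {
                    // Each sub key handle is released once its sub tree has been walked; nothing below
                    // keeps a reference to the key object, only to key.Name strings.
                    using (RegistryKey subKey = key.OpenSubKey(subKeyName, false))
                    {
                        if (subKey is null)
                        {
                            // OpenSubKey returns null when the key disappeared between enumeration and open.
                            InaccessibleEntries.Add(subKeyPath);
                            continue;
                        }

                        RecursivelyCollectKeyLevelData(subKey);
                    }
                }
                catch (SecurityException)
                {
                    InaccessibleEntries.Add(subKeyPath);
                }
                catch (UnauthorizedAccessException)
                {
                    // RegistryKey reports ERROR_ACCESS_DENIED as UnauthorizedAccessException on some members.
                    InaccessibleEntries.Add(subKeyPath);
                }
            }
        }

        /// <summary>
        /// Converts a raw registry value into the string form the analyzer matches against.
        /// </summary>
        /// <param name="rawValue">The object returned by <c>RegistryKey.GetValue</c>; may be <c>null</c>.</param>
        /// <returns>
        /// Binary data (including REG_NONE) as upper-case hex without separators, REG_MULTI_SZ as its
        /// strings joined with <c>" | "</c>, <c>null</c> as an empty string, and anything else as <c>ToString()</c>.
        /// </returns>
        private static string FormatRegistryValue(object rawValue)
        {
            if (rawValue is null)
            {
                // A value with no data (e.g. an unset default value) used to throw here.
                return string.Empty;
            }

            if (rawValue is byte[] bytes)
            {
                return BitConverter.ToString(bytes).Replace("-", "");
            }

            if (rawValue is string[] strings)
            {
                // ToString() on a string[] yields "System.String[]", which hid multi-string contents from the search.
                return string.Join(" | ", strings);
            }

            return rawValue.ToString();
        }

        /// <summary>
        /// Runs the analyzer's search-term matching over <paramref name="candidate"/> and, for every
        /// matching field, logs the match and adds <paramref name="entry"/> to <c>MatchingRegistryEntries</c>.
        /// </summary>
        /// <param name="entry">The entry the candidate text belongs to.</param>
        /// <param name="candidate">Value data, value name or key path to test.</param>
        private void RecordMatches(RegistryEntry entry, string candidate)
        {
            List<string> matchingFields = analyzer.CheckValueMatch(candidate);
            foreach (string field in matchingFields)
            {
                EntryLogger.LogMatchingEntry(entry, field);
                MatchingRegistryEntries.Add(entry);
            }
        }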
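        /// <summary>
        /// Starts an analysis run from the UI: locks the window, creates a fresh analyzer with the three
        /// search terms, opens the registry roots selected by the check boxes and collects them on a
        /// worker thread. When collection finishes, all recorded entries are logged on a second thread
        /// unless "log only matches" is checked, and <c>OnDataCollectionIsFinished</c> is raised.
        /// </summary>
        /// <param name="sender">The run button (unused).</param>
        /// <param name="e">Routed event data (unused).</param>
        private void RunAnalysisButton_Click(object sender, RoutedEventArgs e)
        {
            SetUIMode(false);
            LogScrollViewer.Visibility = Visibility.Hidden;
            SetOutputButtonEnabledStatus(false);
            // IsChecked is a bool?; an indeterminate (null) box counts as unchecked, exactly as Convert.ToBoolean did.
            LogOnlyMatches = CheckboxLogOnlyMatches.IsChecked == true;

            MainApp.Analyzer             = new RegistryAnalyzer(this);
            // NOTE(review): empty text boxes are passed through as empty search terms — confirm CheckValueMatch ignores them.
            MainApp.Analyzer.SearchTerms = new List<string>()
            {
                SearchTerm1TextBox.Text, SearchTerm2TextBox.Text, SearchTerm3TextBox.Text
            };
            EntryLogger.main_window = this;

            AnalysisRunLogger.LogNewRun();
            AnalysisRunLogger.UpdateCurrentRunID();

            Console.WriteLine("Collecting registry data");

            List<RegistryKey> keysToSearch = new List<RegistryKey>();

            if (CheckboxCurrentUser.IsChecked == true)
            {
                TryAddSearchRoot(keysToSearch, Registry.CurrentUser, "SOFTWARE", null);
            }
            if (CheckboxLocalMachine.IsChecked == true)
            {
                TryAddSearchRoot(keysToSearch, Registry.LocalMachine, "SOFTWARE", null);
            }
            if (CheckboxRecentApps.IsChecked == true)
            {
                TryAddSearchRoot(keysToSearch, Registry.CurrentUser,
                    @"SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps", "Recent apps is null.");
            }
            if (CheckboxRecentAppsDocs.IsChecked == true)
            {
                TryAddSearchRoot(keysToSearch, Registry.CurrentUser,
                    @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32", "Recent apps docs is null.");
            }
            if (CheckboxRecentTorrents.IsChecked == true)
            {
                // The "Recent Torrents" box scans Explorer\RecentDocs, i.e. recently opened documents in general.
                TryAddSearchRoot(keysToSearch, Registry.CurrentUser,
                    @"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs", "Recent Torrents is null.");
            }

            // NOTE(review): the opened root keys are handed to the analyzer and never disposed; whether
            // RegistryDataCollector keeps using them after CollectRegistryData returns is not visible here,
            // so they are left open rather than disposed at the end of this thread — confirm and add disposal.
            // NOTE(review): an exception thrown inside this worker is unhandled and terminates the process.
            Thread collectionThread = new Thread(new ThreadStart(() =>
            {
                RegistryDataCollector[] collectors = MainApp.Analyzer.CollectRegistryData(keysToSearch);
                MainApp.Analyzer.EntryCollectors   = new List<RegistryDataCollector>(collectors);

                List<RegistryEntry> recordedEntries = new List<RegistryEntry>();
                foreach (RegistryDataCollector collector in collectors)
                {
                    foreach (RegistryEntry entry in collector.RegistryEntries)
                    {
                        recordedEntries.Add(entry);
                    }
                }

                // Logging runs on its own thread so the finished notification below is not delayed by it.
                // NOTE(review): SetUIMode/SetOutputButtonEnabledStatus are called off the UI thread here —
                // assumes they marshal to the dispatcher internally; confirm.
                new Thread(new ThreadStart(() =>
                {
                    if (!LogOnlyMatches)
                    {
                        SetUIMode(false);
                        EntryLogger.LogEntries(recordedEntries);
                        SetUIMode(true);
                        SetOutputButtonEnabledStatus(false);
                    }
                })).Start();

                OnDataCollectionIsFinished();
            }));

            collectionThread.Start();
        }

        /// <summary>
        /// Opens <paramref name="subKeyPath"/> read-only under <paramref name="hive"/> and appends it to
        /// <paramref name="keys"/>. A missing key is reported with <paramref name="missingMessage"/> when
        /// one is given; a key the current user may not open is reported and skipped instead of letting
        /// the exception escape the click handler.
        /// </summary>
        /// <param name="keys">Collection of root keys the analyzer will scan.</param>
        /// <param name="hive">Hive to open the path under (e.g. <c>Registry.CurrentUser</c>).</param>
        /// <param name="subKeyPath">Path relative to <paramref name="hive"/>.</param>
        /// <param name="missingMessage">Console text for a key that does not exist, or <c>null</c> to stay silent.</param>
        private static void TryAddSearchRoot(List<RegistryKey> keys, RegistryKey hive, string subKeyPath, string missingMessage)
        {
            RegistryKey openedKey;
            try
            {
                openedKey = hive.OpenSubKey(subKeyPath, false);
            }
            catch (SecurityException ex)
            {
                Console.WriteLine($"Cannot open {hive.Name}\\{subKeyPath}: {ex.Message}");
                return;
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.WriteLine($"Cannot open {hive.Name}\\{subKeyPath}: {ex.Message}");
                return;
            }

            if (openedKey != null)
            {
                keys.Add(openedKey);
            }
            else if (missingMessage != null)
            {
                Console.WriteLine(missingMessage);
            }
        }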