/// <summary>
/// Records a single scan finding in <c>Data</c> and notifies listeners via <c>MatchItem</c>.
/// </summary>
/// <param name="root">Registry hive the finding belongs to.</param>
/// <param name="subkey">Key path beneath <paramref name="root"/>.</param>
/// <param name="value">Value name; an empty name is replaced by <c>STR_DEFAULT</c>.</param>
/// <param name="data">Value data or path associated with the finding.</param>
/// <param name="id">Result category; its integer form drives <c>IdConverter</c> and <c>IdToScope</c>.</param>
private void StoreResults(cLightning.ROOT_KEY root, string subkey, string value, string data, RESULT_TYPE id)
{
    int resultId = (int)id;

    // Substitute STR_DEFAULT for an empty value name so the record is never nameless.
    string valueName = value.Length == 0 ? STR_DEFAULT : value;

    // ScanData field order: root, key, value, data, img, name, scope, id
    ScanData entry = new ScanData(root, subkey, valueName, data, "", IdConverter(resultId), IdToScope(resultId), resultId);
    Data.Add(entry);

    // notify listeners of the new match (same value name as stored)
    MatchItem(root, subkey, valueName, data, id);
}
/// <summary>
/// Checks that the AppID value of a class key refers to a registered AppId key
/// (HKCR\CLSID\{value} &lt;-&gt; HKCR\AppId\{value}); a dangling reference is stored
/// as a <c>ControlAppID</c> result.
/// </summary>
/// <param name="Key">Root hive to read from.</param>
/// <param name="SubKey">Class key path holding the AppID value.</param>
private void AppIDPaths(cLightning.ROOT_KEY Key, string SubKey)
{
    // Nothing to validate when the key carries no AppID value.
    if (!_cLightning.ValueExists(Key, SubKey, STR_APPID))
    {
        return;
    }

    string appId = _cLightning.ReadString(Key, SubKey, STR_APPID);
    string appIdKey = STR_APPID + CHR_BSLASH + appId;

    // Referenced AppId key is missing -> orphaned registration.
    if (!_cLightning.KeyExists(Key, appIdKey))
    {
        StoreResults(cLightning.ROOT_KEY.HKEY_CLASSES_ROOT, SubKey, STR_APPID, appId, RESULT_TYPE.ControlAppID);
    }
}
/// <summary>
/// Recursively appends the full path of every subkey beneath <paramref name="SubKey"/>
/// to <paramref name="Keys"/>.
/// </summary>
/// <param name="Key">Root hive to enumerate.</param>
/// <param name="SubKey">Key path whose children are collected.</param>
/// <param name="Keys">Accumulator receiving "SubKey\child" paths.</param>
private void AddKeys(cLightning.ROOT_KEY Key, string SubKey, ref ArrayList Keys)
{
    ArrayList children = _cLightning.EnumKeys(Key, SubKey);

    foreach (string child in children)
    {
        string childPath = SubKey + CHR_BSLASH + child;
        Keys.Add(childPath);

        // Do not descend into empty names or any key whose name contains "Wow64".
        bool descend = child.Length > 0 && !child.Contains("Wow64");
        if (descend)
        {
            AddKeys(Key, childPath, ref Keys);
        }
    }
}
/// <summary>
/// Returns <paramref name="SubKey"/> followed by the full paths of all keys beneath it
/// (see <c>AddKeys</c> for the traversal rules).
/// </summary>
/// <param name="Key">Root hive to enumerate.</param>
/// <param name="SubKey">Starting key path; it is the first element of the result.</param>
/// <returns>An <see cref="ArrayList"/> of key path strings.</returns>
private ArrayList KeyCollector(cLightning.ROOT_KEY Key, string SubKey)
{
    ArrayList collected = new ArrayList();
    // The starting key is part of the result set.
    collected.Add(SubKey);
    AddKeys(Key, SubKey, ref collected);
    return collected;
}
/// <summary>
/// Opens a system restore point (BEGIN_SYSTEM_CHANGE) before the registry is modified.
/// </summary>
/// <param name="Description">Text recorded for the restore point.</param>
/// <returns>
/// true when <c>SRSetRestorePointW</c> succeeded; false when the OS version is not
/// supported or the API call failed.
/// </returns>
public bool StartRestore(string Description)
{
    Version os = Environment.OSVersion.Version;

    // Only version 4.90 or any major version above 4 is attempted.
    bool supported = os.Major > 4 || (os.Major == 4 && os.Minor == 90);
    if (!supported)
    {
        return false;
    }

    RESTOREPTINFO info = new RESTOREPTINFO();
    info.dwEventType = BEGIN_SYSTEM_CHANGE;
    info.dwRestorePtType = (int)RESTORE_TYPE.MODIFY_SETTINGS;
    info.llSequenceNumber = 0;
    info.szDescription = Description;

    cLightning registry = new cLightning();

    // Remember the current restore-interval value so EndRestore can put it back.
    // NOTE(review): when the value does not exist, _iRestInt keeps whatever it held
    // before and EndRestore still writes it — confirm that is the intended behaviour.
    if (registry.ValueExists(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, RESTORE_KEY, RESTORE_VALUE))
    {
        _iRestInt = registry.ReadDword(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, RESTORE_KEY, RESTORE_VALUE);
    }

    // set to 2 minutes (original comment) so more than one point can be taken per cycle
    registry.WriteDword(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, RESTORE_KEY, RESTORE_VALUE, 2);

    SMGRSTATUS status;
    if (!SRSetRestorePointW(ref info, out status))
    {
        return false;
    }

    // Keep the sequence number; EndRestore needs it to close this point.
    _lSeqNum = status.llSequenceNumber;
    return true;
}
/// <summary>
/// Enumerates the MRU subkeys beneath <paramref name="SubKey"/> and stores every
/// non-empty value name accepted by <c>MruFilter</c> as an <c>Mru</c> result.
/// </summary>
/// <remarks>
/// References: From HKCU -> scan for valid link paths
/// Method: Value type testing for valid entry
/// Locations: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
/// Locations: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
/// Locations: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
/// Locations: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603
/// Locations: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5001
/// Locations: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5647
/// Locations: HKEY_CURRENT_USER\"Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List"
/// Locations: HKEY_CURRENT_USER\"Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites"
/// Locations: HKEY_CURRENT_USER\"Software\Microsoft\Windows\CurrentVersion\Applets\Regedit"
/// Locations: HKEY_CURRENT_USER\"Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List"
/// Locations: HKEY_CURRENT_USER\"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU"
/// Locations: HKEY_CURRENT_USER\"Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU"
/// Locations: HKEY_CURRENT_USER\"Software\Microsoft\MediaPlayer\Player\RecentFileList"
/// Locations: HKEY_CURRENT_USER\"Software\Microsoft\MediaPlayer\Player\RecentURLList"
/// </remarks>
/// <param name="Key">Root hive (HKCU) to enumerate.</param>
/// <param name="SubKey">Parent key whose children are the MRU lists.</param>
private void MruScan(cLightning.ROOT_KEY Key, string SubKey)
{
    LabelChange("MRU Scan", "Searching for MRU lists..");

    ArrayList mruKeys = _cLightning.EnumKeys(Key, SubKey);

    foreach (string mruKey in mruKeys)
    {
        string fullKey = SubKey + CHR_BSLASH + mruKey;
        ArrayList valueNames = _cLightning.EnumValues(Key, fullKey);

        foreach (string valueName in valueNames)
        {
            // Only non-empty names that pass the MRU filter are reported.
            if (valueName.Length > 0 && MruFilter(valueName))
            {
                StoreResults(cLightning.ROOT_KEY.HKEY_CURRENT_USER, fullKey, valueName, STR_EMPTYVALUE, RESULT_TYPE.Mru);
            }
        }

        // progress reporting, once per MRU key
        CurrentPath(REG_HKCUB, mruKey);
        KeyCount();
    }
}
/// <summary>
/// Creates one scan result record.
/// </summary>
/// <param name="root">Registry hive.</param>
/// <param name="key">Key path.</param>
/// <param name="value">Value name.</param>
/// <param name="data">Value data or path.</param>
/// <param name="img">Image identifier (StoreResults passes an empty string).</param>
/// <param name="name">Result type name (see <c>IdConverter</c>).</param>
/// <param name="scope">Scope id (see <c>IdToScope</c>).</param>
/// <param name="id">Numeric <c>RESULT_TYPE</c> id.</param>
public ScanData(cLightning.ROOT_KEY root, string key, string value, string data, string img, string name, int scope, int id)
{
    // Field names are single letters; the mapping is:
    // r=root, k=key, v=value, d=data, c=img, n=name, s=scope, i=id
    this.r = root;
    this.k = key;
    this.v = value;
    this.d = data;
    this.c = img;
    this.n = name;
    this.s = scope;
    this.i = id;
}
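/// <summary>
/// Checks the four COM server registrations of a class key (the keys named by
/// <c>STR_PROC32</c>, <c>STR_LOCAL32</c>, <c>STR_PROC</c> and <c>STR_LOCAL</c>) for
/// server paths that no longer exist on disk. Each dangling path is stored as a
/// <c>ControlProcServer</c> result with the path read from the registry as its data.
/// </summary>
/// <param name="Key">Root hive (HKCR) to read from.</param>
/// <param name="SubKey">Class key path whose server subkeys are tested.</param>
private void ProcServerPaths(cLightning.ROOT_KEY Key, string SubKey)
{
    // Each call pairs the suffix used to locate the key (the *B constant) with the
    // name used in the stored result. All four report the path that was found missing;
    // the STR_LOCAL case must not substitute STR_EMPTYVALUE for it, or the result
    // carries no path to act on.
    ProcServerPathCheck(Key, SubKey, STR_PROC32B, STR_PROC32);
    ProcServerPathCheck(Key, SubKey, STR_LOCAL32B, STR_LOCAL32);
    ProcServerPathCheck(Key, SubKey, STR_PROCB, STR_PROC);
    ProcServerPathCheck(Key, SubKey, STR_LOCALB, STR_LOCAL);
}

/// <summary>
/// Reads the default value of <paramref name="SubKey"/> + <paramref name="lookupSuffix"/>
/// and stores a <c>ControlProcServer</c> result when it names a file candidate that is
/// not present on disk.
/// </summary>
/// <param name="Key">Root hive (HKCR) to read from.</param>
/// <param name="SubKey">Class key path.</param>
/// <param name="lookupSuffix">Suffix appended to <paramref name="SubKey"/> to reach the server key.</param>
/// <param name="resultName">Server key name recorded in the result (joined with a backslash).</param>
private void ProcServerPathCheck(cLightning.ROOT_KEY Key, string SubKey, string lookupSuffix, string resultName)
{
    string serverKey = SubKey + lookupSuffix;

    // test for server subkey existence
    if (!_cLightning.KeyExists(Key, serverKey))
    {
        return;
    }

    // get the path, then test length and type
    string serverPath = _cLightning.ReadString(Key, serverKey, "");
    if (serverPath.Length == 0 || !IsValidPath(serverPath))
    {
        return;
    }

    // Existence is tested on the cleaned form; the raw registry value is what gets reported.
    if (!FileExists(CleanPath(serverPath)) && IsFileCandidate(serverPath))
    {
        StoreResults(cLightning.ROOT_KEY.HKEY_CLASSES_ROOT, SubKey + CHR_BSLASH + resultName, STR_DEFAULT, serverPath, RESULT_TYPE.ControlProcServer);
    }
}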
/// <summary>
/// Reports shared-library registrations whose value name, taken as a path, no longer
/// exists on disk.
/// </summary>
/// <remarks>
/// Locations: 1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
/// References: From HKLM -> path test
/// Method: Path testing for valid occurrence.
/// </remarks>
/// <param name="Key">Root hive (HKLM) to enumerate.</param>
/// <param name="SubKey">SharedDLLs key path.</param>
private void SharedDllScan(cLightning.ROOT_KEY Key, string SubKey)
{
    LabelChange("Shared Libraries", "Path testing for valid shared library connections..");

    // 17- delete value
    ArrayList valueNames = _cLightning.EnumValues(Key, SubKey);
    CurrentPath(REG_HKLMB, SubKey);
    KeyCount();

    foreach (string libraryPath in valueNames)
    {
        // The value name itself is the library path; "0" is stored as the result data.
        if (!IsValidPath(libraryPath))
        {
            continue;
        }

        bool missing = IsValidRoot(libraryPath) && !FileExists(libraryPath) && IsFileCandidate(libraryPath);
        if (missing)
        {
            StoreResults(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, REG_HKLMSHARE, libraryPath, "0", RESULT_TYPE.Shared);
        }
    }
}
/// <summary>
/// Reports startup entries whose command is empty or whose executable path, after
/// shell-folder expansion and cleaning, does not exist on disk.
/// </summary>
/// <remarks>
/// Location: 1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/// Location: 2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
/// Location: 3) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
/// References: From HKLM -> path test
/// Method: Path testing for valid occurrence.
/// </remarks>
/// <param name="Key">Root hive (HKLM) to enumerate.</param>
/// <param name="SubKey">Run / RunOnce / RunOnceEx key path.</param>
private void StartupEntries(cLightning.ROOT_KEY Key, string SubKey)
{
    LabelChange("Startup Application Paths", "Testing startup software entries..");

    // 18- delete value
    ArrayList valueNames = _cLightning.EnumValues(Key, SubKey);
    CurrentPath(REG_HKLMB, SubKey);
    KeyCount();

    foreach (string valueName in valueNames)
    {
        string command = _cLightning.ReadString(Key, SubKey, valueName);

        if (command.Length == 0)
        {
            // An entry with no command is reported with STR_EMPTYVALUE as its data.
            StoreResults(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, SubKey, valueName, STR_EMPTYVALUE, RESULT_TYPE.Startup);
            continue;
        }

        // Expand shell directory shorthand first, then normalise the path.
        string cleaned = CleanPath(TestSystemPaths(command));

        // FileExists is given the path cleaned a second time, as in the original logic.
        bool missing = IsValidRoot(cleaned) && !FileExists(CleanPath(cleaned)) && HasExtension(cleaned);
        if (missing)
        {
            StoreResults(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, SubKey, valueName, cleaned, RESULT_TYPE.Startup);
        }
    }
}
/// <summary>
/// Joins each help-file value name with the folder stored as its data and reports
/// the combined path when the file does not exist on disk.
/// </summary>
/// <remarks>
/// Locations: 1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help
/// References: From HKLM -> Help registration
/// Method: Path testing for valid occurrence.
/// </remarks>
/// <param name="Key">Root hive (HKLM) to enumerate.</param>
/// <param name="SubKey">Help registration key path.</param>
private void HelpScan(cLightning.ROOT_KEY Key, string SubKey)
{
    LabelChange("Application Help Files", "Path testing for invalid system help files..");

    ArrayList valueNames = _cLightning.EnumValues(Key, SubKey);
    CurrentPath(REG_HKLMB, SubKey);
    KeyCount();

    foreach (string fileName in valueNames)
    {
        if (fileName.Length == 0)
        {
            continue;
        }

        string directory = _cLightning.ReadString(Key, SubKey, fileName);
        if (directory.Length == 0)
        {
            continue;
        }

        // value name = help file, value data = its folder; insert a separator only when needed
        string fullPath = directory.EndsWith(CHR_BSLASH)
            ? directory + fileName
            : directory + CHR_BSLASH + fileName;

        if (IsValidPath(fullPath) && IsValidRoot(fullPath) && !FileExists(fullPath) && IsFileCandidate(fullPath))
        {
            StoreResults(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, SubKey, fileName, fullPath, RESULT_TYPE.Help);
        }
    }
}
/// <summary>
/// Reports font registrations whose file cannot be found: values that look like a
/// full path are tested as-is, everything else is resolved against <c>_sFontsDirectory</c>.
/// </summary>
/// <remarks>
/// Locations: 1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
/// References: From HKLM -> fonts folder
/// Method: Path testing for valid occurrence.
/// </remarks>
/// <param name="Key">Root hive (HKLM) to enumerate.</param>
/// <param name="SubKey">Fonts key path.</param>
private void FontScan(cLightning.ROOT_KEY Key, string SubKey)
{
    LabelChange("Font Paths", "Path testing for invalid fonts..");

    // 15- delete value
    ArrayList valueNames = _cLightning.EnumValues(Key, SubKey);
    CurrentPath(REG_HKLMB, REG_HKLMFONTS);
    KeyCount();

    foreach (string fontName in valueNames)
    {
        if (fontName.Length == 0)
        {
            continue;
        }

        string fontFile = _cLightning.ReadString(Key, SubKey, fontName);

        if (IsValidPath(fontFile))
        {
            // Accepted as a path: test the cleaned form and report it.
            string cleaned = CleanPath(fontFile);
            if (IsValidRoot(cleaned) && !FileExists(cleaned) && IsFileCandidate(cleaned))
            {
                StoreResults(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, REG_HKLMFONTS, fontName, cleaned, RESULT_TYPE.Font);
            }
        }
        else
        {
            // Otherwise resolve inside the fonts directory; the raw value is what gets reported.
            string inFontsDirectory = _sFontsDirectory + CleanPath(fontFile);
            if (!FileExists(inFontsDirectory) && HasExtension(inFontsDirectory))
            {
                StoreResults(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, REG_HKLMFONTS, fontName, fontFile, RESULT_TYPE.Font);
            }
        }
    }
}
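/// <summary>
/// Walks every key beneath a TypeLib registration and reports (a) help keys that are
/// empty and (b) win32 keys whose default value names a library missing from disk.
/// </summary>
/// <param name="Key">Root hive (HKCR) to read from.</param>
/// <param name="SubKey">TypeLib key path whose subtree is scanned.</param>
private void TypePaths(cLightning.ROOT_KEY Key, string SubKey)
{
    // 6- delete key
    // 7- delete values
    ArrayList keyPaths = KeyCollector(Key, SubKey);

    foreach (string keyPath in keyPaths)
    {
        // Invariant casing: culture-sensitive ToUpper() maps 'i' differently under
        // some cultures (e.g. Turkish) and would then miss the WIN32 comparison.
        string upperPath = keyPath.ToUpperInvariant();

        if (upperPath.Contains(STR_HELP))
        {
            // HKCR\TypeLib\*name*\helpdir -> path.
            // The emptiness test targets the help key itself (keyPath). SubKey is the
            // loop-invariant TypeLib root, so testing it could never single out one
            // help key from another.
            if (_cLightning.KeyIsEmpty(Key, keyPath))
            {
                StoreResults(cLightning.ROOT_KEY.HKEY_CLASSES_ROOT, keyPath, STR_DEFAULT, STR_EMPTYVALUE, RESULT_TYPE.ControlTypeHelp);
            }
        }
        else if (upperPath.Contains(STR_WIN32))
        {
            // HKCR\TypeLib\*name*\win32 -> path
            string libraryPath = _cLightning.ReadString(Key, keyPath, "");
            if (libraryPath.Length == 0 || !IsFileCandidate(libraryPath))
            {
                continue;
            }

            libraryPath = CleanPath(libraryPath);
            if (!FileExists(libraryPath))
            {
                StoreResults(cLightning.ROOT_KEY.HKEY_CLASSES_ROOT, keyPath, STR_DEFAULT, libraryPath, RESULT_TYPE.ControlTypeWin32);
            }
        }
    }
}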
/// <summary>
/// Tests a class key's sub-paths: extension keys (starting with a period) are reported
/// when empty; other keys have their shell open/edit command paths tested on disk.
/// Keys whose path contains <c>STR_CLASS</c>, <c>STR_TYPE</c> or <c>STR_INTERFACE</c> are skipped.
/// </summary>
/// <param name="Key">Root hive (HKCR) to read from.</param>
/// <param name="SubKey">Class key path to test.</param>
private void ClassSubPaths(cLightning.ROOT_KEY Key, string SubKey)
{
    // These subtrees are not handled here.
    bool excluded = SubKey.Contains(STR_CLASS) || SubKey.Contains(STR_TYPE) || SubKey.Contains(STR_INTERFACE);
    if (excluded)
    {
        return;
    }

    // default application ->HKCR\extension\default->path
    if (SubKey.StartsWith(CHR_PERIOD))
    {
        if (_cLightning.KeyIsEmpty(Key, SubKey))
        {
            StoreResults(cLightning.ROOT_KEY.HKEY_CLASSES_ROOT, SubKey, STR_DEFAULT, STR_EMPTY, RESULT_TYPE.ControlClassSubExt);
        }
        return;
    }

    // default shell ->HKCR\name\shell\open\command\default->path
    string openKey = SubKey + STR_SHELLOPEN;
    if (_cLightning.KeyExists(Key, openKey))
    {
        string openCommand = _cLightning.ReadString(Key, openKey, "");
        if (openCommand.Length > 4 && IsValidPath(openCommand))
        {
            string cleanedOpen = CleanPath(openCommand);
            if (!FileExists(cleanedOpen))
            {
                StoreResults(cLightning.ROOT_KEY.HKEY_CLASSES_ROOT, openKey, STR_DEFAULT, cleanedOpen, RESULT_TYPE.ControlClassSubOpen);
            }
        }
    }

    // default editing tool ->HKCR\name\shell\edit\command\default->path
    string editKey = SubKey + STR_SHELLEDIT;
    if (_cLightning.KeyExists(Key, editKey))
    {
        string editCommand = _cLightning.ReadString(Key, editKey, "");
        if (editCommand.Length > 4 && IsValidPath(editCommand))
        {
            string cleanedEdit = CleanPath(editCommand);
            // Unlike the open-command branch, this one also requires IsFileCandidate.
            if (!FileExists(cleanedEdit) && IsFileCandidate(cleanedEdit))
            {
                StoreResults(cLightning.ROOT_KEY.HKEY_CLASSES_ROOT, editKey, STR_DEFAULT, cleanedEdit, RESULT_TYPE.ControlClassSubEdit);
            }
        }
    }
}
/// <summary>
/// Reads the uninstall command (<c>STR_UIST</c>) of each product key and reports
/// those whose executable path does not exist on disk.
/// </summary>
/// <remarks>
/// Locations: 1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
/// References: From HKLM -> path test
/// Method: Path testing for valid occurrence.
/// </remarks>
/// <param name="Key">Root hive (HKLM) to enumerate.</param>
/// <param name="SubKey">Uninstall key path whose children are product keys.</param>
private void UninstallStringsScan(cLightning.ROOT_KEY Key, string SubKey)
{
    LabelChange("Uninstall Executable Paths", "Path testing for user installed software..");

    // 18- delete value
    ArrayList productKeys = _cLightning.EnumKeys(Key, SubKey);

    foreach (string productKey in productKeys)
    {
        string upperName = productKey.ToUpper();

        // ms stuff to skip (key names containing STR_KILO or STR_PACK)
        bool skip = upperName.Contains(STR_KILO) || upperName.Contains(STR_PACK);
        if (!skip)
        {
            string uninstallCommand = _cLightning.ReadString(Key, SubKey + CHR_BSLASH + productKey, STR_UIST);
            if (uninstallCommand.Length != 0)
            {
                string cleaned = CleanPath(uninstallCommand);
                if (IsValidRoot(cleaned) && !FileExists(cleaned) && HasExtension(cleaned))
                {
                    StoreResults(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, REG_HKLMUISL + productKey, STR_UIST, cleaned, RESULT_TYPE.Uninstall);
                }
            }
        }

        // progress reporting happens for skipped keys too
        CurrentPath(REG_HKLMB, productKey);
        KeyCount();
    }
}
/// <summary>
/// Validates the TypeLib and ProxyStubClsid32 references beneath an Interface key:
/// the first matching key of each kind is read and reported when its target is not
/// registered. The proxy-stub test is skipped on 64-bit operating systems.
/// </summary>
/// <param name="Key">Root hive (HKCR) to read from.</param>
/// <param name="SubKey">Interface key path whose subtree is collected.</param>
private void InterfacePaths(cLightning.ROOT_KEY Key, string SubKey)
{
    // test paths from \proxystub -> CLSID
    // test paths from \typelib -> TypeLib
    // remove value
    ArrayList keyPaths = KeyCollector(Key, SubKey);

    // HKCR\Interface\*name*\TypeLib <-> HKCR\TypeLib\{value} — only the first match is tested.
    foreach (string keyPath in keyPaths)
    {
        if (!keyPath.Contains(STR_TYPE))
        {
            continue;
        }

        string typeLibId = _cLightning.ReadString(Key, keyPath, "");
        if (!_cLightning.KeyExists(Key, STR_TYPEB + typeLibId))
        {
            StoreResults(cLightning.ROOT_KEY.HKEY_CLASSES_ROOT, keyPath, STR_DEFAULT, typeLibId, RESULT_TYPE.ControlInterfaceType);
        }
        break;
    }

    // HKCR\Interface\*name*\ProxyStubClsid32 <-> HKCR\CLSID\{value} — invalid in 64bit OS.
    foreach (string keyPath in keyPaths)
    {
        if (!keyPath.Contains(STR_PROXY) || Is64BitOperatingSystem())
        {
            continue;
        }

        string clsid = _cLightning.ReadString(Key, keyPath, "");
        if (!_cLightning.KeyExists(Key, STR_CLASSB + clsid))
        {
            StoreResults(cLightning.ROOT_KEY.HKEY_CLASSES_ROOT, keyPath, STR_DEFAULT, clsid, RESULT_TYPE.ControlInterfaceProxy);
        }
        break;
    }
}
/// <summary>
/// Reports the key when its <c>STR_VDD</c> value holds non-empty binary data.
/// </summary>
/// <remarks>
/// Locations: 1) HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\VirtualDeviceDrivers
/// References: From HKLM -> fix for 16bit VDM value type mismatch
/// Method: Value type testing for valid entry
/// </remarks>
/// <param name="Key">Root hive (HKLM) to read from.</param>
/// <param name="SubKey">VirtualDeviceDrivers key path.</param>
private void VDMScan(cLightning.ROOT_KEY Key, string SubKey)
{
    LabelChange("Virtual Device Registration", "Testing for VDM bug..");
    CurrentPath(REG_HKLMB, SubKey);
    KeyCount();

    // Any binary content at all is what this scan reports.
    int vddLength = _cLightning.ReadBinary(Key, SubKey, STR_VDD).Length;
    if (vddLength > 0)
    {
        StoreResults(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, REG_HKLMVDEV, SubKey, STR_VDD, RESULT_TYPE.Vdf);
    }
}
/// <summary>
/// Checks that a class key's TypeLib subkey refers to a registered type library
/// (HKCR\CLSID\*name*\TypeLib {value} &lt;-&gt; HKCR\TypeLib\{value}).
/// </summary>
/// <param name="Key">Root hive (HKCR) to read from.</param>
/// <param name="SubKey">Class key path.</param>
private void TypeLibPaths(cLightning.ROOT_KEY Key, string SubKey)
{
    string typeLibKey = SubKey + CHR_BSLASH + STR_TYPE;

    // test for typelib subkey
    if (!_cLightning.KeyExists(Key, typeLibKey))
    {
        return;
    }

    // get the id and test its length
    string typeLibId = _cLightning.ReadString(Key, typeLibKey, "");
    if (typeLibId.Length == 0)
    {
        return;
    }

    // tlb is not registered
    if (!_cLightning.KeyExists(Key, STR_TYPEB + typeLibId))
    {
        StoreResults(cLightning.ROOT_KEY.HKEY_CLASSES_ROOT, typeLibKey, STR_DEFAULT, typeLibId, RESULT_TYPE.ControlTypeLib);
    }
}
/// <summary>
/// Closes the restore point opened by <c>StartRestore</c> (END_SYSTEM_CHANGE) and, whether
/// or not the API call succeeds, writes the saved restore-interval value back.
/// </summary>
/// <param name="Cancel">true to mark the operation as cancelled.</param>
/// <returns>The result of <c>SRSetRestorePointW</c>.</returns>
public bool EndRestore(bool Cancel)
{
    RESTOREPTINFO info = new RESTOREPTINFO();
    info.dwEventType = END_SYSTEM_CHANGE;
    info.llSequenceNumber = _lSeqNum;
    if (Cancel)
    {
        info.dwRestorePtType = CANCELLED_OPERATION;
    }

    SMGRSTATUS status;
    try
    {
        return SRSetRestorePointW(ref info, out status);
    }
    finally
    {
        // reset the interval saved by StartRestore
        // NOTE(review): _iRestInt is written even if StartRestore never read a value.
        cLightning registry = new cLightning();
        registry.WriteDword(cLightning.ROOT_KEY.HKEY_LOCAL_MACHINE, RESTORE_KEY, RESTORE_VALUE, _iRestInt);
    }
}