/// <summary>
/// Placeholder constructor: enumerates the values of <paramref name="nk"/> but does not
/// read any of them into the instance.
/// </summary>
/// <param name="bytes">Raw hive bytes handed to <c>NamedKey.GetValues</c>.</param>
/// <param name="nk">Named key whose values are enumerated.</param>
private UserDetail(byte[] bytes, NamedKey nk)
{
    // The loop body is empty in this revision; no value is consumed.
    foreach (ValueKey entry in nk.GetValues(bytes))
    {
    }
}
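/// <summary>
/// Reads the Internet Explorer <c>TypedUrls</c> key from an NTUSER.DAT hive and returns
/// one <c>TypedUrls</c> entry per registry value.
/// </summary>
/// <param name="hivePath">Path to the NTUSER.DAT hive to parse.</param>
/// <returns>
/// An array sized from <c>NamedKey.NumberOfValues</c>; slot <c>i</c> holds the i-th value
/// returned by <c>GetValues</c>.
/// </returns>
/// <exception cref="Exception">The file is not recognised as an NTUSER.DAT hive.</exception>
public static TypedUrls[] Get(string hivePath)
{
    if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
    {
        string Key = @"Software\Microsoft\Internet Explorer\TypedUrls";

        byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);

        NamedKey nk = NamedKey.Get(bytes, hivePath, Key);

        TypedUrls[] urls = new TypedUrls[nk.NumberOfValues];

        // Fix: the previous nested for-loop overwrote every slot on each value, so the
        // whole array ended up holding only the last URL. Each value now gets its own slot,
        // matching the sibling TypedPaths parser.
        int i = 0;
        foreach (ValueKey vk in nk.GetValues(bytes))
        {
            // The hive is untrusted input: stop rather than index past the array if the
            // enumerated values outnumber the count stored in the key header.
            if (i >= urls.Length)
            {
                break;
            }

            urls[i] = new TypedUrls(RegistryHelper.GetUserHiveOwner(hivePath), (string)vk.GetData(bytes));
            i++;
        }

        return urls;
    }
    else
    {
        throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
    }
}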
/// <summary>
/// Reads the Explorer <c>TypedPaths</c> key from an NTUSER.DAT hive and returns one
/// <c>TypedPaths</c> entry per registry value.
/// </summary>
/// <param name="hivePath">Path to the NTUSER.DAT hive to parse.</param>
/// <returns>An array sized from <c>NamedKey.NumberOfValues</c>, filled in enumeration order.</returns>
/// <exception cref="Exception">The file is not recognised as an NTUSER.DAT hive.</exception>
public static TypedPaths[] Get(string hivePath)
{
    // Reject anything that is not a user hive before touching its contents.
    if (!RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
    {
        throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
    }

    string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths";
    byte[] hive = Registry.RegistryHelper.GetHiveBytes(hivePath);
    NamedKey typedPathsKey = NamedKey.Get(hive, hivePath, keyPath);

    TypedPaths[] result = new TypedPaths[typedPathsKey.NumberOfValues];
    int slot = 0;

    foreach (ValueKey value in typedPathsKey.GetValues(hive))
    {
        string owner = RegistryHelper.GetUserHiveOwner(hivePath);
        string typedPath = (string)value.GetData(hive);
        result[slot++] = new TypedPaths(owner, typedPath);
    }

    return result;
}
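/// <summary>
/// Populates an Amcache entry from the values of a single named key.
/// </summary>
/// <remarks>
/// Values are matched by name ("0", "1", "6", "c", "f", "11", "12", "15", "17", "101");
/// any other value name is ignored. The hive is untrusted input: <c>BitConverter</c>
/// throws if a value's data is shorter than the field being read, which aborts construction.
/// </remarks>
/// <param name="nk">Named key describing one file entry.</param>
/// <param name="bytes">Raw hive bytes used to resolve value data.</param>
internal Amcache(NamedKey nk, byte[] bytes)
{
    /*
     * Disabled: derive the MFT sequence and record numbers from the key name.
     * Console.WriteLine(nk.Name);
     * ulong FileReference = ulong.Parse(nk.Name, System.Globalization.NumberStyles.AllowHexSpecifier);
     * byte[] filerefbytes = BitConverter.GetBytes(FileReference);
     * SequenceNumber = (BitConverter.ToUInt16(filerefbytes, 0x06));
     * RecordNumber = (BitConverter.ToUInt64(filerefbytes, 0x00) & 0x0000FFFFFFFFFFFF);
     */

    foreach (ValueKey vk in nk.GetValues(bytes))
    {
        switch (vk.Name)
        {
            case "0":
                ProductName = (string)vk.GetData(bytes);
                break;
            case "1":
                CompanyName = (string)vk.GetData(bytes);
                break;
            case "6":
                FileSize = BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00);
                break;
            case "c":
                Description = (string)vk.GetData(bytes);
                break;
            case "f":
                // Stored as seconds since the Unix epoch.
                CompileTime = Util.FromUnixTime(BitConverter.ToUInt32((byte[])vk.GetData(bytes), 0x00));
                break;
            case "11":
                ModifiedTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
                break;
            case "12":
                BornTimeUtc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
                break;
            case "15":
                Path = (string)vk.GetData(bytes);
                break;
            case "17":
                ModifiedTime2Utc = DateTime.FromFileTimeUtc(BitConverter.ToInt64((byte[])vk.GetData(bytes), 0x00));
                break;
            case "101":
                string hash = (string)vk.GetData(bytes);

                // Fix: TrimStart('0') removed every leading zero, so a digest that itself
                // begins with '0' lost real hex digits and no longer matched hash lookups.
                // Strip at most the four-character zero pad instead.
                // NOTE(review): assumes the value is the SHA-1 digest prefixed with "0000" -
                // confirm against sample hives.
                int pad = 0;
                while (pad < 4 && pad < hash.Length && hash[pad] == '0')
                {
                    pad++;
                }

                Hash = hash.Substring(pad);
                break;
            default:
                break;
        }
    }
}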
/// <summary>
/// Placeholder constructor: walks the values of <paramref name="nk"/> and switches on each
/// value name, but no case is implemented, so nothing is stored.
/// </summary>
/// <param name="bytes">Raw hive bytes handed to <c>NamedKey.GetValues</c>.</param>
/// <param name="nk">Named key whose values are enumerated.</param>
internal UserDetail(byte[] bytes, NamedKey nk)
{
    foreach (ValueKey entry in nk.GetValues(bytes))
    {
        // No value names are handled in this revision.
        switch (entry.Name)
        {
        }
    }
}
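/// <summary>
/// Populates an AppCompat entry from the values of a single named key.
/// </summary>
/// <remarks>
/// Values are matched by name ("0", "1", "6", "c", "f", "11", "12", "15", "17", "101");
/// any other value name is ignored. String values are decoded as UTF-16LE. The hive is
/// untrusted input: <c>BitConverter</c> throws if a value's data is shorter than the field
/// being read, which aborts construction.
/// </remarks>
/// <param name="nk">Named key describing one file entry.</param>
/// <param name="bytes">Raw hive bytes used to resolve value data.</param>
internal AppCompat(NamedKey nk, byte[] bytes)
{
    foreach (ValueKey vk in nk.GetValues(bytes))
    {
        switch (vk.Name)
        {
            case "0":
                ProductName = Encoding.Unicode.GetString(vk.GetData(bytes));
                break;
            case "1":
                CompanyName = Encoding.Unicode.GetString(vk.GetData(bytes));
                break;
            case "6":
                FileSize = BitConverter.ToUInt32(vk.GetData(bytes), 0x00);
                break;
            case "c":
                Description = Encoding.Unicode.GetString(vk.GetData(bytes));
                break;
            case "f":
                // Fix: read the timestamp as unsigned. With ToInt32, any stamp with the
                // high bit set became a negative offset and produced a date before 1970.
                CompileTime = new DateTime(1970, 1, 1).AddSeconds(BitConverter.ToUInt32(vk.GetData(bytes), 0x00));
                break;
            case "11":
                ModifiedTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
                break;
            case "12":
                BornTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
                break;
            case "15":
                Path = Encoding.Unicode.GetString(vk.GetData(bytes));
                break;
            case "17":
                ModifiedTime2 = DateTime.FromFileTimeUtc(BitConverter.ToInt64(vk.GetData(bytes), 0x00));
                break;
            case "101":
                string hash = Encoding.Unicode.GetString(vk.GetData(bytes));

                // Fix: TrimStart('0') removed every leading zero, so a digest that itself
                // begins with '0' lost real hex digits and no longer matched hash lookups.
                // Strip at most the four-character zero pad instead.
                // NOTE(review): assumes the value is the SHA-1 digest prefixed with "0000" -
                // confirm against sample hives.
                int pad = 0;
                while (pad < 4 && pad < hash.Length && hash[pad] == '0')
                {
                    pad++;
                }

                Hash = hash.Substring(pad);
                break;
            default:
                break;
        }
    }
}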
/// <summary>
/// Lists the autorun entries stored under the Run / RunOnce keys of a SOFTWARE or
/// NTUSER.DAT hive.
/// </summary>
/// <param name="hivePath">Path to a SOFTWARE or NTUSER.DAT hive.</param>
/// <returns>One <c>RunKey</c> per value found; an empty array when no key yields values.</returns>
/// <exception cref="Exception">The file is neither a SOFTWARE nor an NTUSER.DAT hive.</exception>
public static RunKey[] Get(string hivePath)
{
    string[] subKeys;
    string locationPrefix;

    if (RegistryHelper.isCorrectHive(hivePath, "SOFTWARE"))
    {
        subKeys = new string[]
        {
            @"Microsoft\Windows\CurrentVersion\Run",
            @"Microsoft\Windows\CurrentVersion\RunOnce",
            @"Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
        };
        locationPrefix = @"HKLM\SOFTWARE\";
    }
    else if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
    {
        subKeys = new string[]
        {
            @"Software\Microsoft\Windows\CurrentVersion\Run",
            @"Software\Microsoft\Windows\CurrentVersion\RunOnce"
        };
        locationPrefix = @"USER\" + RegistryHelper.GetUserHiveOwner(hivePath) + "\\";
    }
    else
    {
        throw new Exception("Invalid SOFTWARE or NTUSER.DAT hive provided.");
    }

    byte[] hive = RegistryHelper.GetHiveBytes(hivePath);
    List<RunKey> found = new List<RunKey>();

    foreach (string subKey in subKeys)
    {
        try
        {
            NamedKey runKey = NamedKey.Get(hive, hivePath, subKey);

            if (runKey.NumberOfValues <= 0)
            {
                continue;
            }

            foreach (ValueKey value in runKey.GetValues(hive))
            {
                found.Add(new RunKey(locationPrefix + subKey, value));
            }
        }
        catch
        {
            // Best effort: any failure while reading this key is swallowed and the key is
            // skipped. NOTE(review): a key that exists but cannot be parsed is therefore
            // indistinguishable from an absent one in the returned results.
        }
    }

    return found.ToArray();
}
/// <summary>
/// Populates the instance from the values of <paramref name="nk"/>, matching on value name.
/// Value names other than the seven handled below are ignored.
/// </summary>
/// <param name="bytes">Raw hive bytes used to resolve value data.</param>
/// <param name="nk">Named key whose values are read.</param>
private WindowsVersion(byte[] bytes, NamedKey nk)
{
    foreach (ValueKey entry in nk.GetValues(bytes))
    {
        string valueName = entry.Name;

        if (valueName == "ProductName")
        {
            ProductName = (string)entry.GetData(bytes);
        }
        else if (valueName == "CurrentMajorVersionNumber")
        {
            byte[] raw = (byte[])entry.GetData(bytes);
            CurrentMajorVersion = BitConverter.ToUInt32(raw, 0x00);
        }
        else if (valueName == "CurrentMinorVersionNumber")
        {
            byte[] raw = (byte[])entry.GetData(bytes);
            CurrentMinorVersion = BitConverter.ToUInt32(raw, 0x00);
        }
        else if (valueName == "CurrentVersion")
        {
            // Version's string constructor throws if the text is not a valid version.
            CurrentVersion = new Version((string)entry.GetData(bytes));
        }
        else if (valueName == "InstallTime")
        {
            // Stored as a 64-bit FILETIME.
            byte[] raw = (byte[])entry.GetData(bytes);
            InstallTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(raw, 0x00));
        }
        else if (valueName == "RegisteredOwner")
        {
            RegisteredOwner = (string)entry.GetData(bytes);
        }
        else if (valueName == "SystemRoot")
        {
            SystemRoot = (string)entry.GetData(bytes);
        }
    }
}
/// <summary>
/// Lists the values stored under the Outlook search catalog key of an NTUSER.DAT hive.
/// </summary>
/// <remarks>
/// The key is <c>Outlook\Catalog</c> when the detected Office version is "12.0" and
/// <c>Outlook\Search\Catalog</c> for every other version string.
/// </remarks>
/// <param name="hivePath">Path to the NTUSER.DAT hive to parse.</param>
/// <returns>One <c>OutlookCatalog</c> per value; an empty array when the key has no values.</returns>
/// <exception cref="Exception">The file is not recognised as an NTUSER.DAT hive.</exception>
public static OutlookCatalog[] Get(string hivePath)
{
    if (!RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
    {
        throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
    }

    byte[] hiveBytes = RegistryHelper.GetHiveBytes(hivePath);
    string owner = RegistryHelper.GetUserHiveOwner(hivePath);
    string officeVersion = RegistryHelper.GetOfficeVersion(hiveBytes, hivePath);

    string catalogSuffix = officeVersion == "12.0"
        ? @"\Outlook\Catalog"
        : @"\Outlook\Search\Catalog";

    NamedKey catalog = NamedKey.Get(hiveBytes, hivePath, @"Software\Microsoft\Office\" + officeVersion + catalogSuffix);

    List<OutlookCatalog> entries = new List<OutlookCatalog>();

    if (catalog.NumberOfValues > 0)
    {
        // NOTE(review): called without the hive bytes, unlike the sibling parsers - confirm
        // this overload is the intended one.
        foreach (ValueKey value in catalog.GetValues())
        {
            entries.Add(new OutlookCatalog(owner, value));
        }
    }

    return entries.ToArray();
}
/// <summary>
/// Builds a network profile record from a named key: copies the key's write time and
/// reads the recognised values by name. Unrecognised value names are ignored.
/// </summary>
/// <param name="nk">Named key describing one network profile.</param>
/// <param name="bytes">Raw hive bytes used to resolve value data.</param>
private NetworkList(NamedKey nk, byte[] bytes)
{
    WriteTimeUtc = nk.WriteTime;

    foreach (ValueKey entry in nk.GetValues(bytes))
    {
        string valueName = entry.Name;

        if (valueName == "ProfileGuid")
        {
            ProfileGuid = (string)entry.GetData(bytes);
        }
        else if (valueName == "Description")
        {
            Description = (string)entry.GetData(bytes);
        }
        else if (valueName == "Source")
        {
            byte[] raw = (byte[])entry.GetData(bytes);
            Source = BitConverter.ToUInt32(raw, 0x00);
        }
        else if (valueName == "DnsSuffix")
        {
            DnsSuffix = (string)entry.GetData(bytes);
        }
        else if (valueName == "FirstNetwork")
        {
            FirstNetwork = (string)entry.GetData(bytes);
        }
        else if (valueName == "DefaultGatewayMac")
        {
            // Kept as the raw byte array.
            DefaultGatewayMac = (byte[])entry.GetData(bytes);
        }
    }
}
/// <summary>
/// Builds a network profile record from a named key: copies the key's write time and
/// reads the recognised values by name. String values are decoded as UTF-16LE and the
/// gateway MAC is wrapped in a <c>PhysicalAddress</c>. Unrecognised value names are ignored.
/// </summary>
/// <param name="nk">Named key describing one network profile.</param>
/// <param name="bytes">Raw hive bytes used to resolve value data.</param>
internal NetworkList(NamedKey nk, byte[] bytes)
{
    WriteTime = nk.WriteTime;

    foreach (ValueKey entry in nk.GetValues(bytes))
    {
        string valueName = entry.Name;

        if (valueName == "ProfileGuid")
        {
            ProfileGuid = Encoding.Unicode.GetString(entry.GetData(bytes));
        }
        else if (valueName == "Description")
        {
            Description = Encoding.Unicode.GetString(entry.GetData(bytes));
        }
        else if (valueName == "Source")
        {
            Source = BitConverter.ToUInt32(entry.GetData(bytes), 0x00);
        }
        else if (valueName == "DnsSuffix")
        {
            DnsSuffix = Encoding.Unicode.GetString(entry.GetData(bytes));
        }
        else if (valueName == "FirstNetwork")
        {
            FirstNetwork = Encoding.Unicode.GetString(entry.GetData(bytes));
        }
        else if (valueName == "DefaultGatewayMac")
        {
            DefaultGatewayMac = new PhysicalAddress(entry.GetData(bytes));
        }
    }
}
/// <summary>
/// Collects the values stored under each Office application's
/// <c>Security\Trusted Documents\TrustRecords</c> key in an NTUSER.DAT hive.
/// </summary>
/// <param name="hivePath">Path to the NTUSER.DAT hive to parse.</param>
/// <returns>
/// One <c>TrustRecord</c> per value found for Word, Excel and PowerPoint, in that order;
/// an empty array when no key could be read.
/// </returns>
/// <exception cref="Exception">The file is not recognised as an NTUSER.DAT hive.</exception>
public static TrustRecord[] Get(string hivePath)
{
    if (!RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
    {
        throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
    }

    string owner = RegistryHelper.GetUserHiveOwner(hivePath);
    List<TrustRecord> records = new List<TrustRecord>();
    byte[] hive = RegistryHelper.GetHiveBytes(hivePath);
    string officeVersion = RegistryHelper.GetOfficeVersion(hive, hivePath);

    foreach (string application in new string[] { "Word", "Excel", "PowerPoint" })
    {
        try
        {
            string keyPath = @"Software\Microsoft\Office\" + officeVersion + "\\" + application
                + @"\Security\Trusted Documents\TrustRecords";

            NamedKey trustKey = NamedKey.Get(hive, hivePath, keyPath);

            foreach (ValueKey value in trustKey.GetValues(hive))
            {
                records.Add(new TrustRecord(hive, owner, value));
            }
        }
        catch
        {
            // Best effort: any failure for this application is swallowed. NOTE(review): an
            // exception part-way through also drops that application's remaining values,
            // and nothing in the result shows that records were skipped.
        }
    }

    return records.ToArray();
}