private Task <String> findCurrentComputerName()
{
return(Task.Run(() =>
{
showMsg("Find Computer Name: Getting list of logical drives...", loadImg);
string[] drives = Environment.GetLogicalDrives();
showMsg("Find Computer Name: Searching in offline registries...", loadImg);
foreach (string drive in drives)
{
string rPath = drive + @"Windows\System32\config\SYSTEM";
if (File.Exists(rPath))
{
try
{
Registry.RegistryHiveOnDemand registryHive = new Registry.RegistryHiveOnDemand(rPath);
Registry.Abstractions.RegistryKey key = registryHive.GetKey(@"ControlSet001\Control\ComputerName\ComputerName");
foreach (Registry.Abstractions.KeyValue value in key.Values)
{
if (value.ValueName == "ComputerName")
{
return value.ValueData;
}
}
}
catch (IOException) { }
}
}
showMsg("Find Computer Name: Searching in online registry...", loadImg);
Microsoft.Win32.RegistryKey computerName = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(@"SYSTEM\ControlSet001\Control\ComputerName\ComputerName", false);
hideMsg();
return (string)computerName.GetValue("ComputerName");
}));
}
public void ParseUSBStor()
{
Registry.Abstractions.RegistryKey key = null;
key = _hive.GetKey(USBSTOR);
List <USBDevice> devices = new List <USBDevice>();
foreach (var sub in key.SubKeys)
{
string description = sub.KeyName;
key = _hive.GetKey(sub.KeyPath);
foreach (var serial in key.SubKeys)
{
USBDevice dev = new USBDevice();
dev.SetSerial(serial.KeyName);
dev.SetDescription(description);
dev.FriendlyName = GetValueByKey(serial.KeyPath, "FriendlyName");
key = _hive.GetKey(serial.KeyPath + "\\Properties\\" + dateKey);
var firstInKey = key.SubKeys.FirstOrDefault(x => x.KeyName == "0064");
var lastInKey = key.SubKeys.FirstOrDefault(x => x.KeyName == "0066");
var lastRemKey = key.SubKeys.FirstOrDefault(x => x.KeyName == "0067");
string firstIn = GetValueByKey(firstInKey.KeyPath, dateValue);
string lastIn = GetValueByKey(lastInKey.KeyPath, dateValue);
string lastRem = GetValueByKey(lastRemKey.KeyPath, dateValue);
dev.SetFirstInsertion(firstIn);
dev.SetLastInsertion(lastIn);
dev.SetLastRemoval(lastRem);
var mountedDevsEntries = GetKeysByValue(mountedDevices, serial.KeyName);
// This list should contain 2 elements, one for the drive letter, another for the GUID
foreach (string entry in mountedDevsEntries)
{
if (entry.StartsWith("\\??\\"))
{
dev.SetDeviceGUID(entry);
}
else
{
dev.SetDriveLetter(entry);
}
}
devices.Add(dev);
}
}
SetGridSource(devices);
}
/// <summary>
/// Recursively iterates over the a registry key and its subkeys for enumerating all values of the keys and subkeys
/// </summary>
/// <param name="rk">the root registry key to start iterating over</param>
/// <param name="hive">the offline registry hive</param>
/// <param name="subKey">the path of the first subkey under the root key</param>
/// <param name="indent"></param>
/// <param name="path_prefix">the header to the current root key, needed for identification of the registry store</param>
/// <returns></returns>
private static IEnumerable <RegistryKeyWrapper> IterateOfflineRegistry(OfflineRegistryKey rk, OfflineRegistryHive hive, string subKey, RegistryKeyWrapper parent, string path_prefix)
{
if (rk == null)
{
yield break;
}
foreach (OfflineRegistryKey valueName in rk.SubKeys)
{
if (valueName.KeyName.ToUpper() == "ASSOCIATIONS")
{
continue;
}
string sk = GetSubkeyString(subKey, valueName.KeyName);
OfflineRegistryKey rkNext;
try
{
rkNext = hive.GetKey(GetSubkeyString(rk.KeyPath, valueName.KeyName));
}
catch (SecurityException)
{
continue;
}
string path = path_prefix;
RegistryKeyWrapper rkNextWrapper = null;
bool isNumeric = int.TryParse(valueName.KeyName, out _);
if (isNumeric)
{
OfflineKeyValue rkValue = null;
try
{
rkValue = rk.Values.First(val => val.ValueName == valueName.KeyName);
}
catch (InvalidOperationException) { }
if (rkValue == null)
{
continue;
}
byte[] byteVal = rkValue.ValueDataRaw;
yield return(rkNextWrapper = new RegistryKeyWrapper(rkNext, byteVal, hive, parent));
}
foreach (var wrapper in IterateOfflineRegistry(rkNext, hive, sk, rkNextWrapper, path))
{
yield return(wrapper);
}
}
}
private string GetValueByKey(string keyPath, string valueName)
{
string result = null;
Registry.Abstractions.RegistryKey key = _hive.GetKey(keyPath);
if (key != null)
{
var value = key.Values.FirstOrDefault(x => x.ValueName == valueName);
if (value != null)
{
result = value.ValueData;
}
}
return(result);
}
private List <string> GetKeysByValue(string keyPath, string valueData)
{
List <string> result = new List <string>();
Registry.Abstractions.RegistryKey key = _hive.GetKey(keyPath);
if (key != null)
{
foreach (var item in key.Values)
{
string s = item.ValueType == "RegBinary" ?
System.Text.Encoding.Unicode.GetString(item.ValueDataRaw) : item.ValueData;
if (s.Contains(valueData))
{
result.Add(item.ValueName);
}
}
}
return(result);
}
private void AdaptOfflineKey(OfflineRegistryKey registryKey, OfflineRegistryHive hive)
{
//obtain SID and Username(?)
//HKEY USERS registry is UserSID\....
string UserSID = registryKey.KeyPath.Split('\\')[0];
// "_classes" is actually just a user's usrclass.dat, not a seperate user.
UserSID = UserSID.ToUpper().Replace("_CLASSES", "");
RegistrySID = UserSID;
//if we dont know the username, default to the SID.
RegistryUser = RegistrySID;
//obtain NodeSlot (Shellbag Path in registry)
SlotModifiedDate = DateTime.MinValue;
LastRegistryWriteDate = DateTime.MinValue;
NodeSlot = null;
string nodeSlotPath = null;
foreach (OfflineKeyValue kv in registryKey.Values)
{
if (kv.ValueName.Equals("NodeSlot"))
{
NodeSlot = int.Parse(kv.ValueData);
nodeSlotPath = string.Format("{0}{1}\\{2}", registryKey.KeyPath.Substring(0, registryKey.KeyPath.IndexOf("BagMRU", StringComparison.Ordinal)), "Bags", NodeSlot);
break;
}
}
if (nodeSlotPath != null)
{
SlotModifiedDate = hive.GetKey(nodeSlotPath).LastWriteTime.Value.LocalDateTime;
}
//obtain the date the registry last wrote this key
LastRegistryWriteDate = registryKey.LastWriteTime.Value.UtcDateTime;
}
/// <summary>
/// Adapts a ShellBag RegistryKey to a common standard for retrieval of important information independent of key retrieval methodologies
/// </summary>
/// <param name="registryKey">A Registry Key associated with a Shellbag, retrieved from a offline registry reader API</param>
/// <param name="keyValue">The Value of a Registry key containing Shellbag information. Found in the Parent of the registryKey being inspected</param>
/// <param name="parent">The parent of the currently inspected registryKey. Can be null.</param>
public RegistryKeyWrapper(OfflineRegistryKey registryKey, byte[] keyValue, OfflineRegistryHive hive, RegistryKeyWrapper parent = null) : this(keyValue)
{
Parent = parent;
RegistryPath = registryKey.KeyPath;
AdaptOfflineKey(registryKey, hive);
}
