public void AppCompatTestCreators()
{
    // Runs the AppCompat (shimcache) plugin over ControlSet001 of a Creators Update
    // SYSTEM hive. The hive is read from a fixed local path, so the test is machine-bound.
    var plugin = new AppCompat();

    var systemHive = new RegistryHive(@"D:\SynologyDrive\Registry\SYSTEM_Creators");
    systemHive.ParseHive();

    var cacheKey = systemHive.GetKey(@"ControlSet001\Control\Session Manager\AppCompatCache");

    // The plugin starts empty and is populated by ProcessValues.
    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(cacheKey);
    Check.That(plugin.Values.Count).IsEqualTo(506);

    // Cache position 0 is expected to be nvstreg.exe.
    var firstEntry = (ValuesOut)plugin.Values[0];
    Check.That(firstEntry.CacheEntryPosition).IsEqualTo(0);
    Check.That(firstEntry.ProgramName).Contains("nvstreg.exe");
}
public void AppCompatTest()
{
    // AppCompat plugin against a SYSTEM hive at a fixed local path; expects a full
    // 1024-entry cache whose first entry is a java executable.
    var plugin = new AppCompat();

    var systemHive = new RegistryHive(@"D:\Sync\RegistryHives\SYSTEM");
    systemHive.ParseHive();

    var cacheKey = systemHive.GetKey(@"ControlSet001\Control\Session Manager\AppCompatCache");

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(cacheKey);
    Check.That(plugin.Values.Count).IsEqualTo(1024);

    var firstEntry = (ValuesOut)plugin.Values[0];
    Check.That(firstEntry.CacheEntryPosition).IsEqualTo(0);
    Check.That(firstEntry.ProgramName).Contains("java");
}
public void DeletedFindTestValue()
{
    // Deleted-record recovery: key "123" should expose one live value followed by one
    // recovered (free) value. The hive is read from a fixed local path.
    const string hivePath = @"D:\!downloads\yarp-master\hives_for_tests\DeletedDataHive";

    var hive = new RegistryHive(hivePath) { RecoverDeleted = true };
    hive.ParseHive();

    var key = hive.GetKey("123");

    Check.That(key.Values[0].VkRecord.IsFree).IsFalse();
    Check.That(key.Values.Count).IsEqualTo(2);
    Check.That(key.Values[1].VkRecord.IsFree).IsTrue();

    // Dump both values for manual inspection in the test output.
    foreach (var value in key.Values)
    {
        Debug.WriteLine(value);
    }
}
public void FirstFolderTest()
{
    // FirstFolder plugin over the ComDlg32\FirstFolder key of a test NTUSER hive that
    // ships with the repository (relative path).
    const string hivePath = @"..\..\Hives\ntuser1.dat";
    const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder";

    var plugin = new FirstFolder();

    var ntuser = new RegistryHive(hivePath);
    ntuser.ParseHive();

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(ntuser.GetKey(keyPath));
    Check.That(plugin.Values.Count).IsEqualTo(3);

    // MRU position 0 is the most recently used folder.
    var mostRecent = (FolderInfo)plugin.Values[0];
    Check.That(mostRecent.MRUPosition).IsEqualTo(0);
    Check.That(mostRecent.Executable).Contains(@"C:\Program Files (x86)\Canon\MP Navigator EX 2.0\mpnex20.exe");
}
public void CidSizeTest()
{
    // CIDSizeMRU plugin over the ComDlg32\CIDSizeMRU key of the bundled ntuser1.dat hive.
    const string hivePath = @"..\..\Hives\ntuser1.dat";
    const string keyPath = @"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU";

    var plugin = new CIDSizeMRU();

    var ntuser = new RegistryHive(hivePath);
    ntuser.ParseHive();

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(ntuser.GetKey(keyPath));
    Check.That(plugin.Values.Count).IsEqualTo(8);

    var mostRecent = (CIDSizeInfo)plugin.Values[0];
    Check.That(mostRecent.MRUPosition).IsEqualTo(0);
    Check.That(mostRecent.Executable).Contains("AcroRd32.exe");
}
public void AppCompatTestOneOff()
{
    // One-off AppCompat run against a SYSTEM hive on a developer desktop (fixed local path).
    var plugin = new AppCompat();

    var systemHive = new RegistryHive(@"C:\Users\eric\Desktop\SYSTEM");
    systemHive.ParseHive();

    var cacheKey = systemHive.GetKey(@"ControlSet001\Control\Session Manager\AppCompatCache");

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(cacheKey);
    Check.That(plugin.Values.Count).IsEqualTo(325);

    var firstEntry = (ValuesOut)plugin.Values[0];
    Check.That(firstEntry.CacheEntryPosition).IsEqualTo(0);
    Check.That(firstEntry.ProgramName).Contains("Logon");
}
public void BlakeRecentDocs()
{
    // RecentDocs plugin over the Explorer\RecentDocs key of an NTUSER hive at a fixed local path.
    var plugin = new RecentDocs();

    var ntuser = new RegistryHive(@"D:\SynologyDrive\Registry\NTUSER_dblake.DAT");
    ntuser.ParseHive();

    var recentDocsKey = ntuser.GetKey(@"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs");

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(recentDocsKey);

    // 192 entries and no parse errors expected.
    Check.That(plugin.Values.Count).IsEqualTo(192);
    Check.That(plugin.Errors.Count).IsEqualTo(0);

    var firstDoc = (RecentDoc)plugin.Values[0];
    Check.That(firstDoc.ValueName).IsEqualTo("83");
    Check.That(firstDoc.Extension).Contains("RecentDocs");
}
public void SamPluginPWHint()
{
    // UserAccounts plugin over a SAM hive that stores a big-endian DWORD; deleted-record
    // recovery is enabled. Checks that the third account carries password hint "G".
    var plugin = new UserAccounts();

    var samHive = new RegistryHive(@"D:\SynologyDrive\Registry\SAM_hasBigEndianDWord")
    {
        RecoverDeleted = true,
    };
    samHive.ParseHive();

    var usersKey = samHive.GetKey(@"SAM\Domains\Account\Users");

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(usersKey);
    Check.That(plugin.Values.Count).IsStrictlyGreaterThan(0);
    Check.That(plugin.Errors.Count).IsEqualTo(0);

    var thirdUser = (UserOut)plugin.Values[2];
    // NOTE(review): NFluent overrides Equals on the check object to assert, but IsEqualTo
    // reads unambiguously — consider switching.
    Check.That(thirdUser.PasswordHint).Equals("G");
}
public async Task<bool> IsOobeFinished()
{
    // Reads Setup\OOBEInProgress from the offline SYSTEM hive on the Windows volume.
    // Returns false when no Windows volume is found; otherwise true iff the value is 0.
    // NOTE(review): hive data is untrusted input — Single() throws if the value is absent
    // and int.Parse throws on malformed data; callers should expect those exceptions.
    var winVolume = await GetWindowsVolume();
    if (winVolume == null)
    {
        return false;
    }

    var systemHivePath = Path.Combine(winVolume.RootDir.Name, "Windows", "System32", "Config", "System");

    var systemHive = new RegistryHive(systemHivePath)
    {
        RecoverDeleted = true,
    };
    systemHive.ParseHive();

    var setupKey = systemHive.GetKey("Setup");
    var oobeInProgress = setupKey.Values.Single(x => x.ValueName == "OOBEInProgress");

    return int.Parse(oobeInProgress.ValueData) == 0;
}
public void AppCompatFlags()
{
    // AppCompatFlags plugin over the CIT\System key of a SOFTWARE hive at a fixed local path.
    var plugin = new AppCompatFlags();

    var softwareHive = new RegistryHive(@"D:\Temp\SoftwareCID\Software");
    softwareHive.ParseHive();

    var citKey = softwareHive.GetKey(@"Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System");

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(citKey);
    Check.That(plugin.Values.Count).IsEqualTo(37);
    Check.That(plugin.Errors.Count).IsEqualTo(0);

    var firstEntry = (RegistryPlugin.AppCompatFlags.ValuesOut)plugin.Values[0];
    Check.That(firstEntry.ValueName).IsEqualTo("746E9C8C08A390000004EC55A1F64D10");
    Check.That(firstEntry.Executable).Contains("\\DEVICE");
}
public void BlakeServices()
{
    // Services plugin over ControlSet001\Services of a SYSTEM hive at a fixed local path.
    // Spot-checks three entries by index: the first two (empty descriptions) and napagent.
    var plugin = new Services();

    var systemHive = new RegistryHive(@"D:\SynologyDrive\Registry\SYSTEM_dblake");
    systemHive.ParseHive();

    var servicesKey = systemHive.GetKey(@"ControlSet001\Services");

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(servicesKey);
    Check.That(plugin.Values.Count).IsEqualTo(553);
    Check.That(plugin.Errors.Count).IsEqualTo(0);

    var clrData = (Service)plugin.Values[0];
    Check.That(clrData.Name).IsEqualTo(".NET CLR Data");
    Check.That(clrData.Description).IsEqualTo("");
    Check.That(clrData.NameKeyLastWrite.Year).IsEqualTo(2013);

    var threeWare = (Service)plugin.Values[8];
    Check.That(threeWare.Name).IsEqualTo("3ware");
    Check.That(threeWare.Description).IsEqualTo("");
    Check.That(threeWare.NameKeyLastWrite.Year).IsEqualTo(2013);

    // napagent: a manually-started shared-process service with a resource-string description.
    var napAgent = (Service)plugin.Values[263];
    Check.That(napAgent.Name).IsEqualTo("napagent");
    Check.That(napAgent.Description).IsEqualTo(@"@%SystemRoot%\system32\qagentrt.dll,-7");
    Check.That(napAgent.StartMode).IsEqualTo(ServiceStartMode.Manual);
    Check.That(napAgent.ServiceType).IsEqualTo(ServiceType.Win32ShareProcess);
    Check.That(napAgent.ServiceDLL).IsEqualTo(@"%SystemRoot%\system32\qagentRT.dll");
    Check.That(napAgent.NameKeyLastWrite.Year).IsEqualTo(2013);
}
public void TaskCache()
{
    // TaskCache plugin over the Schedule\TaskCache\Tasks key of a SOFTWARE hive at a fixed
    // local path. Only the key lookup and the empty-before-processing state are asserted;
    // parsed entries go to the debug output for manual inspection. The hive is parsed
    // without transaction-log replay.
    var plugin = new TaskCache();

    var softwareHive = new RegistryHive(@"D:\OneDrive\Registry\SOFTWARE_dblake");
    softwareHive.ParseHive();

    var tasksKey = softwareHive.GetKey(@"Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks");
    Check.That(tasksKey).IsNotNull();

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(tasksKey);

    Debug.WriteLine(plugin.Values.Count);
    foreach (var entry in plugin.Values)
    {
        Debug.WriteLine(entry);
    }
}
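public void Syscache()
{
    // SyscacheObjectTable plugin over a Syscache.hve at a fixed local path. The first
    // entry's SHA-1, MFT entry number and key path are pinned.
    // NOTE(review): the looked-up key path ends in "ObjectTablere" while the asserted
    // entry path is under "ObjectTable" — confirm against the hive that this is intended.
    var plugin = new SyscacheObjectTable();

    var syscacheHive = new RegistryHive(@"D:\Temp\SoftwareCID\Syscache.hve");
    syscacheHive.ParseHive();

    var objectTableKey = syscacheHive.GetKey(@"DefaultObjectStore\ObjectTablere");

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(objectTableKey);
    Check.That(plugin.Values.Count).IsEqualTo(1585);
    Check.That(plugin.Errors.Count).IsEqualTo(0);

    var firstEntry = (RegistryPlugin.SyscacheObjectTable.ValuesOut)plugin.Values[0];
    Check.That(firstEntry.Sha1).IsEqualTo("f34bbe523cf4b187b2c27da2bcd267412301745d");
    // The original asserted MftEntryNumber twice; the duplicate was dropped.
    Check.That(firstEntry.MftEntryNumber).IsEqualTo(26442);
    Check.That(firstEntry.KeyPath).IsEqualTo("DefaultObjectStore\\ObjectTable\\1");
}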
public void RecentApps()
{
    // RecentApps plugin over Search\RecentApps of an NTUSER hive at a fixed local path,
    // with deleted-record recovery enabled.
    var plugin = new RecentApps();

    var ntuser = new RegistryHive(@"D:\SynologyDrive\Registry\NTUSER_RecentAppsERZ.DAT")
    {
        RecoverDeleted = true,
    };
    ntuser.ParseHive();

    var recentAppsKey = ntuser.GetKey(@"Software\Microsoft\Windows\CurrentVersion\Search\RecentApps");

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(recentAppsKey);
    Check.That(plugin.Values.Count).IsStrictlyGreaterThan(0);
    Check.That(plugin.Errors.Count).IsEqualTo(0);

    var thirdApp = (RegistryPlugin.RecentApps.ValuesOut)plugin.Values[2];
    Check.That(thirdApp.AppPath).Contains("chrome.exe");
    // NOTE(review): NFluent overrides Equals on the check object to assert, but IsEqualTo
    // reads unambiguously — consider switching.
    Check.That(thirdApp.RecentItems.Count).Equals(10);
    Check.That(thirdApp.RecentDocs).Contains("drivepr");
}
public void BlakeUserAssist()
{
    // UserAssist plugin over the CEBFF5CD (executable) GUID Count key of an NTUSER hive
    // at a fixed local path. Checks the decoded counters of the second entry.
    const string countKeyPath =
        @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count";

    var plugin = new UserAssist();

    var ntuser = new RegistryHive(@"D:\SynologyDrive\Registry\NTUSER_dblake.DAT");
    ntuser.ParseHive();

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(ntuser.GetKey(countKeyPath));
    Check.That(plugin.Values.Count).IsEqualTo(205);
    Check.That(plugin.Errors.Count).IsEqualTo(0);

    var explorerEntry = (RegistryPlugin.UserAssist.ValuesOut)plugin.Values[1];
    Check.That(explorerEntry.RunCounter).IsEqualTo(0);
    Check.That(explorerEntry.ProgramName).IsEqualTo("Microsoft.Windows.Explorer");
    Check.That(explorerEntry.FocusCount).IsEqualTo(619);
    Check.That(explorerEntry.FocusTime).IsEqualTo("0d, 3h, 46m, 24s");
}
public void BlakeOpenSavePidlMRU()
{
    // OpenSavePidlMRU plugin over ComDlg32\OpenSavePidlMRU of an NTUSER hive at a fixed
    // local path; the first entry's reconstructed absolute path is pinned.
    const string mruKeyPath = @"Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU";

    var plugin = new OpenSavePidlMRU();

    var ntuser = new RegistryHive(@"D:\SynologyDrive\Registry\NTUSER_dblake.DAT");
    ntuser.ParseHive();

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(ntuser.GetKey(mruKeyPath));
    Check.That(plugin.Values.Count).IsEqualTo(57);
    Check.That(plugin.Errors.Count).IsEqualTo(0);

    var firstEntry = (RegistryPlugin.OpenSavePidlMRU.ValuesOut)plugin.Values[0];
    Check.That(firstEntry.AbsolutePath).IsEqualTo(
        @"Web sites\https://asgardventurecapital.sharepoint.com\Shared Documents\Confidential Analysis Data\NETFLIX_10-K_20130201.xlsx");
    Check.That(firstEntry.ValueName).IsEqualTo("17");
}
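/// <summary>
/// Loads the AppCompatCache (shimcache) blob for one or more control sets and fills <c>Caches</c>.
/// </summary>
/// <param name="filename">
/// Path to an offline SYSTEM hive. When null/empty the live HKLM\SYSTEM of this machine is read instead.
/// </param>
/// <param name="controlSet">
/// Control set number to process, or -1 to process every ControlSet00x that has an AppCompatCache/AppCompatibility key.
/// </param>
/// <param name="noLogs">
/// When true a dirty hive is parsed without transaction logs instead of aborting; when false a dirty
/// hive with no LOG1/LOG2 next to it throws.
/// </param>
/// <exception cref="FileNotFoundException">The hive exists neither as a normal file nor as a raw-copyable file.</exception>
/// <exception cref="UnauthorizedAccessException">The hive is locked and the process is not running as administrator.</exception>
/// <exception cref="Exception">The hive is dirty with no logs (and noLogs is false), or the requested control set is missing.</exception>
public AppCompatCache(string filename, int controlSet, bool noLogs)
{
    byte[] rawBytes = null;
    Caches = new List<IAppCompatCache>();
    var controlSetIds = new List<int>();
    RegistryKey subKey = null;

    var isLiveRegistry = string.IsNullOrEmpty(filename);

    if (isLiveRegistry)
    {
        // Live system: read the current control set's cache straight out of HKLM.
        var keyCurrUser = Microsoft.Win32.Registry.LocalMachine;
        var subKey2 = keyCurrUser.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache");

        if (subKey2 == null)
        {
            // Older Windows versions keep the cache under AppCompatibility instead.
            subKey2 = keyCurrUser.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility");

            if (subKey2 == null)
            {
                Console.WriteLine(@"'CurrentControlSet\Control\Session Manager\AppCompatCache' key not found! Exiting");
                return;
            }
        }

        // NOTE(review): GetValue returns null when the value is absent and Init is still called with it — confirm Init tolerates null.
        rawBytes = (byte[])subKey2.GetValue("AppCompatCache", null);

        subKey2 = keyCurrUser.OpenSubKey(@"SYSTEM\Select");
        ControlSet = (int)subKey2.GetValue("Current");

        var is32Bit = Is32Bit(filename, null);
        var cache = Init(rawBytes, is32Bit, ControlSet);
        Caches.Add(cache);
        return;
    }

    RegistryHive reg;

    // Privileges are held only while the hive (and its logs) are opened and parsed.
    // NOTE(review): Tcb/Impersonate/EnableDelegation look broader than a hive read needs — confirm which are actually required.
    Privilege[] privileges = { Privilege.EnableDelegation, Privilege.Impersonate, Privilege.Tcb };
    using (new PrivilegeEnabler(Privilege.Backup, privileges))
    {
        ControlSet = controlSet;

        if (File.Exists(filename) == false && RawCopy.Helper.RawFileExists(filename) == false)
        {
            // NOTE(review): the message carries no path; "(unknown)" looks like a placeholder — confirm the intended text.
            throw new FileNotFoundException($"File not found ((unknown))!");
        }

        var dirname = Path.GetDirectoryName(filename);
        var hiveBase = Path.GetFileName(filename);

        List<RawCopy.RawCopyReturn> rawFiles = null;

        try
        {
            reg = new RegistryHive(filename) { RecoverDeleted = true };
        }
        catch (IOException)
        {
            //file is in use
            if (RawCopy.Helper.IsAdministrator() == false)
            {
                throw new UnauthorizedAccessException("Administrator privileges not found!");
            }

            _logger.Warn($"'(unknown)' is in use. Rerouting...\r\n");

            // A bare file name has no directory component; search the working directory
            // (the dirty-hive branch below already does this).
            if (string.IsNullOrEmpty(dirname))
            {
                dirname = ".";
            }

            var files = new List<string>();
            files.Add(filename);

            var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?").ToList();

            var log1 = $"{dirname}\\{hiveBase}.LOG1";
            var log2 = $"{dirname}\\{hiveBase}.LOG2";

            // Logs may be locked too; fall back to raw-copyable checks.
            if (logFiles.Count == 0)
            {
                if (RawCopy.Helper.RawFileExists(log1))
                {
                    logFiles.Add(log1);
                }

                if (RawCopy.Helper.RawFileExists(log2))
                {
                    logFiles.Add(log2);
                }
            }

            foreach (var logFile in logFiles)
            {
                files.Add(logFile);
            }

            // First raw file is the hive itself; any following ones are its logs.
            rawFiles = RawCopy.Helper.GetFiles(files);
            reg = new RegistryHive(rawFiles.First().FileBytes, rawFiles.First().InputFilename);
        }

        // Mismatched sequence numbers mean the hive was not cleanly flushed (dirty).
        if (reg.Header.PrimarySequenceNumber != reg.Header.SecondarySequenceNumber)
        {
            if (string.IsNullOrEmpty(dirname))
            {
                dirname = ".";
            }

            var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?").ToList();

            var log1 = $"{dirname}\\{hiveBase}.LOG1";
            var log2 = $"{dirname}\\{hiveBase}.LOG2";

            if (logFiles.Count == 0)
            {
                if (File.Exists(log1))
                {
                    logFiles.Add(log1);
                }

                if (File.Exists(log2))
                {
                    logFiles.Add(log2);
                }
            }

            if (logFiles.Count == 0)
            {
                if (RawCopy.Helper.RawFileExists(log1))
                {
                    logFiles.Add(log1);
                }

                if (RawCopy.Helper.RawFileExists(log2))
                {
                    logFiles.Add(log2);
                }
            }

            if (logFiles.Count == 0)
            {
                if (noLogs == false)
                {
                    _logger.Warn("Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
                    throw new Exception("Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
                }
                else
                {
                    _logger.Warn("Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
                }
            }
            else
            {
                if (noLogs == false)
                {
                    if (rawFiles != null)
                    {
                        // Logs were raw-copied along with the hive; replay them from memory.
                        var lt = new List<TransactionLogFileInfo>();

                        foreach (var rawCopyReturn in rawFiles.Skip(1).ToList())
                        {
                            var tt = new TransactionLogFileInfo(rawCopyReturn.InputFilename, rawCopyReturn.FileBytes);
                            lt.Add(tt);
                        }

                        reg.ProcessTransactionLogs(lt, true);
                    }
                    else
                    {
                        reg.ProcessTransactionLogs(logFiles.ToList(), true);
                    }
                }
                else
                {
                    _logger.Warn("Registry hive is dirty and transaction logs were found in the same directory, but --nl was provided. Data may be missing! Continuing anyways...");
                }
            }
        }

        reg.ParseHive();
    }

    if (controlSet == -1)
    {
        // Probe ControlSet000..ControlSet009 for a cache key.
        for (var i = 0; i < 10; i++)
        {
            subKey = reg.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatCache");

            if (subKey == null)
            {
                subKey = reg.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatibility");
            }

            if (subKey != null)
            {
                controlSetIds.Add(i);
            }
        }

        if (controlSetIds.Count > 1)
        {
            _logger.Warn($"***The following ControlSet00x keys will be exported: {string.Join(",", controlSetIds)}. Use -c to process keys individually\r\n");
        }
    }
    else
    {
        //a control set was passed in
        subKey = reg.GetKey($@"ControlSet00{ControlSet}\Control\Session Manager\AppCompatCache");

        if (subKey == null)
        {
            subKey = reg.GetKey($@"ControlSet00{ControlSet}\Control\Session Manager\AppCompatibility");
        }

        if (subKey == null)
        {
            throw new Exception($"Could not find ControlSet00{ControlSet}. Exiting");
        }

        controlSetIds.Add(ControlSet);
    }

    var is32 = Is32Bit(filename, reg);

    _logger.Debug($@"**** Found {controlSetIds.Count} ids to process");

    foreach (var id in controlSetIds)
    {
        _logger.Debug($@"**** Processing id {id}");

        // Reset per control set: rawBytes is declared above the loop, and without this a
        // control set whose AppCompatCache value is missing would silently reuse the bytes
        // of the previous one and its entries would be attributed to the wrong ControlSet00x.
        rawBytes = null;

        // var hive2 = new RegistryHiveOnDemand(filename);

        subKey = reg.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatCache");

        if (subKey == null)
        {
            _logger.Debug($@"**** Initial subkey null, getting appCompatability key");
            subKey = reg.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatibility");
        }

        _logger.Debug($@"**** Looking AppCompatcache value");

        var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");

        if (val != null)
        {
            _logger.Debug($@"**** Found AppCompatcache value");
            rawBytes = val.ValueDataRaw;
        }

        if (rawBytes == null)
        {
            // Skip this control set rather than handing a null blob to Init; the others still get processed.
            _logger.Error($@"'AppCompatCache' value not found for 'ControlSet00{id}'! Exiting");
            continue;
        }

        var cache = Init(rawBytes, is32, id);
        Caches.Add(cache);
    }
}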
public void Adobe()
{
    // Adobe plugin over the Software\Adobe key of an NTUSER hive (fixed local path) that
    // contains cRecentFiles entries; only the entry and error counts are pinned.
    var plugin = new Adobe();

    var ntuser = new RegistryHive(@"D:\Temp\Adobe_cRecentFiles_NTUSER.DAT");
    ntuser.ParseHive();

    var adobeKey = ntuser.GetKey(@"Software\Adobe");

    Check.That(plugin.Values.Count).IsEqualTo(0);
    plugin.ProcessValues(adobeKey);
    Check.That(plugin.Values.Count).IsEqualTo(114);
    Check.That(plugin.Errors.Count).IsEqualTo(0);
}
public void TerminalServers()
{
    // TerminalServerClient plugin over three NTUSER hives at fixed local paths:
    // one with 6 servers, one with 7 (including timestamps), and one with none.
    const string tscKeyPath = @"Software\Microsoft\Terminal Server Client";

    // Hive 1: six entries, MRU position 1 first.
    var firstPlugin = new TerminalServerClient();
    var firstHive = new RegistryHive(@"D:\SynologyDrive\Registry\ALL\NTUSER.DAT");
    firstHive.ParseHive();

    Check.That(firstPlugin.Values.Count).IsEqualTo(0);
    firstPlugin.ProcessValues(firstHive.GetKey(tscKeyPath));
    Check.That(firstPlugin.Values.Count).IsEqualTo(6);
    Check.That(firstPlugin.Errors.Count).IsEqualTo(0);

    var firstHost = (RegistryPlugin.TerminalServerClient.ValuesOut)firstPlugin.Values[0];
    Check.That(firstHost.MRUPosition).IsEqualTo(1);
    Check.That(firstHost.HostName).Contains("GOON");

    // Hive 2: seven entries; entries not present in the MRU list report position -1.
    var secondPlugin = new TerminalServerClient();
    var secondHive = new RegistryHive(@"D:\SynologyDrive\Registry\ALL\NTUSER3.DAT");
    secondHive.ParseHive();

    Check.That(secondPlugin.Values.Count).IsEqualTo(0);
    secondPlugin.ProcessValues(secondHive.GetKey(tscKeyPath));
    Check.That(secondPlugin.Values.Count).IsEqualTo(7);
    Check.That(secondPlugin.Errors.Count).IsEqualTo(0);

    var goon = (RegistryPlugin.TerminalServerClient.ValuesOut)secondPlugin.Values[0];
    Check.That(goon.MRUPosition).IsEqualTo(-1);
    Check.That(goon.HostName).Contains("GOON");
    Check.That(goon.LastModified.Month).IsEqualTo(5);
    Check.That(goon.LastModified.Minute).IsEqualTo(32);
    Check.That(goon.LastModified.Second).IsEqualTo(8);
    Check.That(goon.LastModified.Day).IsEqualTo(28);

    var svr01 = (RegistryPlugin.TerminalServerClient.ValuesOut)secondPlugin.Values[3];
    Check.That(svr01.MRUPosition).IsEqualTo(-1);
    Check.That(svr01.HostName).Contains("SVR01");

    // Hive 3: key present but no server entries.
    var thirdPlugin = new TerminalServerClient();
    var thirdHive = new RegistryHive(@"D:\SynologyDrive\Registry\NTUSER_dblake.DAT");
    thirdHive.ParseHive();

    Check.That(thirdPlugin.Values.Count).IsEqualTo(0);
    thirdPlugin.ProcessValues(thirdHive.GetKey(tscKeyPath));
    Check.That(thirdPlugin.Values.Count).IsEqualTo(0);
    Check.That(thirdPlugin.Errors.Count).IsEqualTo(0);
}
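/// <summary>
/// Loads the AppCompatCache (shimcache) blob from an offline SYSTEM hive for one or more
/// control sets and fills <c>Caches</c>.
/// </summary>
/// <param name="filename">Path to the SYSTEM hive on disk.</param>
/// <param name="controlSet">
/// Control set number to process, or -1 to process every ControlSet00x that has an AppCompatCache/AppCompatibility key.
/// </param>
/// <exception cref="FileNotFoundException">The hive file does not exist.</exception>
/// <exception cref="Exception">The requested control set or its AppCompatCache value is missing.</exception>
public AppCompatCache(string filename, int controlSet)
{
    byte[] rawBytes = null;
    Caches = new List<IAppCompatCache>();

    if (File.Exists(filename) == false)
    {
        // NOTE(review): the message carries no path; "(unknown)" looks like a placeholder — confirm the intended text.
        throw new FileNotFoundException($"File not found ((unknown))!");
    }

    var controlSetIds = new List<int>();

    // var hive = new RegistryHiveOnDemand(filename);
    var hive = new RegistryHive(filename);

    // Mismatched sequence numbers mean the hive is dirty; replay LOG1/LOG2 from the same directory if present.
    if (hive.Header.PrimarySequenceNumber != hive.Header.SecondarySequenceNumber)
    {
        var hiveBase = Path.GetFileName(filename);
        var dirname = Path.GetDirectoryName(filename);

        if (string.IsNullOrEmpty(dirname))
        {
            dirname = ".";
        }

        var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

        if (logFiles.Length == 0)
        {
            Console.WriteLine("Registry hive is dirty and no transaction logs were found. Try to parse without logs.");
        }
        else
        {
            hive.ProcessTransactionLogs(logFiles.ToList(), true);
        }
    }

    hive.ParseHive();

    // Select\Current identifies the control set the system last booted from.
    RegistryKey subKey = hive.GetKey("Select");
    var currentControlSet = int.Parse(subKey.Values.Single(c => c.ValueName == "Current").ValueData);

    if (controlSet == -1)
    {
        // Probe ControlSet000..ControlSet009 for a cache key.
        for (var i = 0; i < 10; i++)
        {
            subKey = hive.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatCache");

            if (subKey == null)
            {
                subKey = hive.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatibility");
            }

            if (subKey != null)
            {
                controlSetIds.Add(i);
            }
        }

        if (controlSetIds.Count > 1)
        {
            Console.WriteLine($"***The following ControlSet00x keys will be exported: {string.Join(",", controlSetIds)}.\r\n");
        }
    }
    else
    {
        //a control set was passed in
        // Use the requested set. The original looked up Select\Current here instead, so an
        // explicit control set argument was silently ignored (the newer overload uses the argument).
        subKey = hive.GetKey($@"ControlSet00{controlSet}\Control\Session Manager\AppCompatCache");

        if (subKey == null)
        {
            subKey = hive.GetKey($@"ControlSet00{controlSet}\Control\Session Manager\AppCompatibility");
        }

        if (subKey == null)
        {
            throw new Exception($"Could not find ControlSet00{controlSet}. Exiting");
        }

        controlSetIds.Add(controlSet);
    }

    var is32 = Is32Bit(filename);
    string computerName = ComputerName(filename);

    foreach (var id in controlSetIds)
    {
        // Reset per control set: rawBytes is declared above the loop, and without this a
        // control set whose AppCompatCache value is missing would silently reuse the bytes
        // of the previous one instead of hitting the "not found" check below.
        rawBytes = null;

        var hive2 = new RegistryHiveOnDemand(filename);

        subKey = hive2.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatCache");

        if (subKey == null)
        {
            subKey = hive2.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatibility");
        }

        var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");

        if (val != null)
        {
            rawBytes = val.ValueDataRaw;
        }

        if (rawBytes == null)
        {
            throw new Exception($@"'AppCompatCache' value not found for 'ControlSet00{id}'! Exiting");
        }

        var cache = Init(rawBytes, is32, id, computerName);
        Caches.Add(cache);
    }
}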
public void ShouldFindRegMultiSzValues()
{
    // REG_MULTI_SZ decoding across three bundled hives (relative paths): an on-demand
    // NTUSER read, a UsrClass hive with deleted-record recovery, and a BCD store whose
    // values carry slack bytes.

    // NTUSER1.DAT via the on-demand reader: single-string multi-sz, no slack.
    var ntUser1OnDemand = new RegistryHiveOnDemand(@"..\..\Hives\NTUSER1.DAT");

    var profileKey = ntUser1OnDemand.GetKey(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Control Panel\International\User Profile");
    Check.That(profileKey).IsNotNull();

    var languages = profileKey.Values.Single(t => t.ValueName == "Languages");
    Check.That(languages).IsNotNull();
    Check.That(languages.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(languages.VkRecord.ValueData).IsEqualTo("en-US");
    Check.That(languages.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

    // Acronis UsrClass: two strings, no slack.
    var usrclassAcronis = new RegistryHive(@"..\..\Hives\Acronis_0x52_Usrclass.dat")
    {
        RecoverDeleted = true,
        FlushRecordListsAfterParse = false,
    };
    usrclassAcronis.ParseHive();

    var muiCacheKey = usrclassAcronis.GetKey(
        @"S-1-5-21-3851833874-1800822990-1357392098-1000_Classes\Local Settings\MuiCache\12\52C64B7E");
    Check.That(muiCacheKey).IsNotNull();

    var languageList = muiCacheKey.Values.Single(t => t.ValueName == "LanguageList");
    Check.That(languageList).IsNotNull();
    Check.That(languageList.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(languageList.VkRecord.ValueData).IsEqualTo("en-US en");
    Check.That(languageList.VkRecord.ValueDataSlack.Length).IsEqualTo(0);

    // BCD: two Elements\14000006 values, with 6 and 84 slack bytes respectively.
    var bcd = new RegistryHive(@"..\..\Hives\BCD")
    {
        FlushRecordListsAfterParse = false,
        RecoverDeleted = true,
    };
    bcd.ParseHive();

    var firstElementKey = bcd.GetKey(
        @"System\Objects\{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}\Elements\14000006");
    Check.That(firstElementKey).IsNotNull();

    var firstElement = firstElementKey.Values.Single(t => t.ValueName == "Element");
    Check.That(firstElement).IsNotNull();
    Check.That(firstElement.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(firstElement.VkRecord.ValueData)
        .IsEqualTo("{4636856e-540f-4170-a130-a84776f4c654} {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}");
    Check.That(firstElement.VkRecord.ValueDataSlack.Length).IsEqualTo(6);

    var secondElementKey = bcd.GetKey(
        @"System\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\14000006");
    Check.That(secondElementKey).IsNotNull();

    var secondElement = secondElementKey.Values.Single(t => t.ValueName == "Element");
    Check.That(secondElement).IsNotNull();
    Check.That(secondElement.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegMultiSz);
    Check.That(secondElement.VkRecord.ValueData).IsEqualTo("{7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}");
    Check.That(secondElement.VkRecord.ValueDataSlack.Length).IsEqualTo(84);
}
public void ExportToRegFormatSingleKey()
{
    // Exports one key from each hive type (SAM, NTUSER, SECURITY, SYSTEM, UsrClass, "Other")
    // to a .reg file in the working directory and checks that each export reports success.
    // The last case exports from a fully parsed hive with deleted records recovered.

    var samOnDemand = new RegistryHiveOnDemand(@".\Hives\SAM");
    var samKey = samOnDemand.GetKey(@"SAM\Domains\Account");
    Check.That(Helpers.ExportToReg(@"exportSamTest.reg", samKey, HiveTypeEnum.Sam, false)).IsTrue();

    var ntUser1OnDemand = new RegistryHiveOnDemand(@".\Hives\NTUSER1.DAT");
    var consoleKey = ntUser1OnDemand.GetKey(@"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Console");
    Check.That(Helpers.ExportToReg(@"exportntuser1Test.reg", consoleKey, HiveTypeEnum.NtUser, false)).IsTrue();

    var security = new RegistryHiveOnDemand(@".\Hives\SECURITY");
    var policyAccountKey = security.GetKey(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Policy\Accounts\S-1-5-9");
    Check.That(Helpers.ExportToReg(@"exportsecTest.reg", policyAccountKey, HiveTypeEnum.Security, false)).IsTrue();

    var systemOnDemand = new RegistryHiveOnDemand(@".\Hives\SYSTEM");
    var acpiKey = systemOnDemand.GetKey(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\ControlSet001\Enum\ACPI\PNP0C02\1");
    Check.That(Helpers.ExportToReg(@"exportsysTest.reg", acpiKey, HiveTypeEnum.System, false)).IsTrue();

    var usrClassFtp = new RegistryHiveOnDemand(@".\Hives\UsrClass FTP.dat");
    var extensionKey = usrClassFtp.GetKey(@"S-1-5-21-2417227394-2575385136-2411922467-1105_Classes\.3g2");
    Check.That(Helpers.ExportToReg(@"exportusrTest.reg", extensionKey, HiveTypeEnum.UsrClass, false)).IsTrue();

    var samDupeNameOnDemand = new RegistryHiveOnDemand(@".\Hives\SAM_DUPENAME");
    var aliasKey = samDupeNameOnDemand.GetKey(@"SAM\SAM\Domains\Account\Aliases\000003E9");
    Check.That(Helpers.ExportToReg(@"exportotherTest.reg", aliasKey, HiveTypeEnum.Other, false)).IsTrue();

    var usrclassDeleted = new RegistryHive(@".\Hives\UsrClassDeletedBags.dat")
    {
        RecoverDeleted = true,
        FlushRecordListsAfterParse = false,
    };
    usrclassDeleted.ParseHive();

    var bagMruKey = usrclassDeleted.GetKey(
        @"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1");
    Check.That(Helpers.ExportToReg(@"exportDeletedTest.reg", bagMruKey, HiveTypeEnum.UsrClass, false)).IsTrue();
}
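/// <summary>
/// Parses an old-format Amcache.hve: every entry under Root\Programs becomes a
/// <c>ProgramsEntryOld</c>, and every file entry under Root\File\{volume} is attached to its
/// program (by ProgramID) or added to <c>UnassociatedFileEntries</c>.
/// </summary>
/// <param name="hive">Path to the Amcache hive on disk.</param>
/// <param name="recoverDeleted">Currently unused: the hive is always opened with RecoverDeleted = true.</param>
/// <param name="noLogs">
/// When true a dirty hive is parsed without transaction logs instead of aborting; when false a dirty
/// hive with no LOG files next to it throws.
/// </param>
/// <exception cref="UnauthorizedAccessException">The hive is locked and the process is not running as administrator.</exception>
/// <exception cref="Exception">The hive is dirty, no logs were found and noLogs is false.</exception>
public AmcacheOld(string hive, bool recoverDeleted, bool noLogs)
{
    _logger = LogManager.GetLogger("AmcacheOld");

    RegistryHive reg;

    var dirname = Path.GetDirectoryName(hive);
    var hiveBase = Path.GetFileName(hive);

    List<RawCopy.RawCopyReturn> rawFiles = null;

    try
    {
        reg = new RegistryHive(hive) { RecoverDeleted = true };
    }
    catch (IOException)
    {
        //file is in use
        if (RawCopy.Helper.IsAdministrator() == false)
        {
            throw new UnauthorizedAccessException("Administrator privileges not found!");
        }

        _logger.Warn($"'{hive}' is in use. Rerouting...\r\n");

        var files = new List<string>();
        files.Add(hive);

        var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

        foreach (var logFile in logFiles)
        {
            files.Add(logFile);
        }

        // First raw file is the hive itself; any following ones are its logs.
        rawFiles = RawCopy.Helper.GetFiles(files);

        // Read the whole raw copy. A single Read may return fewer bytes than requested, so loop until
        // the buffer is full or the stream ends (the original issued one Read and ignored its result).
        var hiveStream = rawFiles.First().FileStream;
        var b = new byte[hiveStream.Length];
        var filled = 0;
        while (filled < b.Length)
        {
            var got = hiveStream.Read(b, filled, b.Length - filled);
            if (got <= 0)
            {
                break;
            }
            filled += got;
        }

        reg = new RegistryHive(b, rawFiles.First().InputFilename);
    }

    // Mismatched sequence numbers mean the hive was not cleanly flushed (dirty).
    if (reg.Header.PrimarySequenceNumber != reg.Header.SecondarySequenceNumber)
    {
        if (string.IsNullOrEmpty(dirname))
        {
            dirname = ".";
        }

        var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

        var log = LogManager.GetCurrentClassLogger();

        if (logFiles.Length == 0)
        {
            if (noLogs == false)
            {
                log.Warn("Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
                throw new Exception("Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
            }
            else
            {
                log.Warn("Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
            }
        }
        else
        {
            if (noLogs == false)
            {
                if (rawFiles != null)
                {
                    // Logs were raw-copied along with the hive; replay them from memory.
                    var lt = new List<TransactionLogFileInfo>();

                    foreach (var rawCopyReturn in rawFiles.Skip(1).ToList())
                    {
                        var logStream = rawCopyReturn.FileStream;
                        var b = new byte[logStream.Length];
                        var filled = 0;
                        while (filled < b.Length)
                        {
                            var got = logStream.Read(b, filled, b.Length - filled);
                            if (got <= 0)
                            {
                                break;
                            }
                            filled += got;
                        }

                        var tt = new TransactionLogFileInfo(rawCopyReturn.InputFilename, b);
                        lt.Add(tt);
                    }

                    reg.ProcessTransactionLogs(lt, true);
                }
                else
                {
                    reg.ProcessTransactionLogs(logFiles.ToList(), true);
                }
            }
            else
            {
                log.Warn("Registry hive is dirty and transaction logs were found in the same directory, but --nl was provided. Data may be missing! Continuing anyways...");
            }
        }
    }

    reg.ParseHive();

    var fileKey = reg.GetKey(@"Root\File");
    var programsKey = reg.GetKey(@"Root\Programs");

    UnassociatedFileEntries = new List<FileEntryOld>();
    ProgramsEntries = new List<ProgramsEntryOld>();

    if (fileKey == null || programsKey == null)
    {
        _logger.Error("Hive does not contain a File and/or Programs key. Processing cannot continue");
        return;
    }

    //First, we get data for all the Program entries under Programs key
    _logger.Debug("Getting Programs data");

    foreach (var registryKey in programsKey.SubKeys)
    {
        // Value names under a Programs entry are hex digits; the variable suffix is the value name.
        var ProgramName0 = "";
        var ProgramVersion1 = "";
        var Guid10 = "";
        var UninstallGuid11 = "";
        var Guid12 = "";
        var Dword13 = 0;
        var Dword14 = 0;
        var Dword15 = 0;
        var UnknownBytes = new byte[0];
        long Qword17 = 0;
        var Dword18 = 0;
        var VenderName2 = "";
        var LocaleID3 = "";
        var Dword5 = 0;
        var InstallSource6 = "";
        var UninstallKey7 = "";
        DateTimeOffset? EpochA = null;
        DateTimeOffset? EpochB = null;
        var PathListd = "";
        var Guidf = "";
        var RawFiles = "";

        // Hive values are untrusted input: any parse failure skips just this entry (logged below).
        try
        {
            foreach (var value in registryKey.Values)
            {
                switch (value.ValueName)
                {
                    case "0":
                        ProgramName0 = value.ValueData;
                        break;
                    case "1":
                        ProgramVersion1 = value.ValueData;
                        break;
                    case "2":
                        VenderName2 = value.ValueData;
                        break;
                    case "3":
                        LocaleID3 = value.ValueData;
                        break;
                    case "5":
                        Dword5 = int.Parse(value.ValueData);
                        break;
                    case "6":
                        InstallSource6 = value.ValueData;
                        break;
                    case "7":
                        UninstallKey7 = value.ValueData;
                        break;
                    case "a":
                        try
                        {
                            var seca = long.Parse(value.ValueData);
                            if (seca > 0)
                            {
                                EpochA = DateTimeOffset.FromUnixTimeSeconds(seca).ToUniversalTime();
                            }
                        }
                        catch (Exception)
                        {
                            //sometimes the number is way too big
                        }
                        break;
                    case "b":
                        var seconds = long.Parse(value.ValueData);
                        if (seconds > 0)
                        {
                            EpochB = DateTimeOffset.FromUnixTimeSeconds(seconds).ToUniversalTime();
                        }
                        break;
                    case "d":
                        PathListd = value.ValueData;
                        break;
                    case "f":
                        Guidf = value.ValueData;
                        break;
                    case "10":
                        Guid10 = value.ValueData;
                        break;
                    case "11":
                        UninstallGuid11 = value.ValueData;
                        break;
                    case "12":
                        Guid12 = value.ValueData;
                        break;
                    case "13":
                        Dword13 = int.Parse(value.ValueData);
                        break;
                    case "14":
                        // The original assigned values "14" and "15" to Dword13, so Dword14/Dword15
                        // were always 0 in the ProgramsEntryOld below.
                        Dword14 = int.Parse(value.ValueData);
                        break;
                    case "15":
                        Dword15 = int.Parse(value.ValueData);
                        break;
                    case "16":
                        UnknownBytes = value.ValueDataRaw;
                        break;
                    case "17":
                        Qword17 = long.Parse(value.ValueData);
                        break;
                    case "18":
                        Dword18 = int.Parse(value.ValueData);
                        break;
                    case "Files":
                        RawFiles = value.ValueData;
                        break;
                    default:
                        _logger.Warn($"Unknown value name in Program at path {registryKey.KeyPath}: {value.ValueName}");
                        break;
                }
            }

            var pe = new ProgramsEntryOld(ProgramName0, ProgramVersion1, VenderName2, LocaleID3, InstallSource6,
                UninstallKey7, Guid10, Guid12, UninstallGuid11, Dword5, Dword13, Dword14, Dword15, UnknownBytes,
                Qword17, Dword18, EpochA, EpochB, PathListd, Guidf, RawFiles, registryKey.KeyName,
                registryKey.LastWriteTime.Value);

            ProgramsEntries.Add(pe);
        }
        catch (Exception ex)
        {
            _logger.Error($"Error parsing ProgramsEntry at {registryKey.KeyPath}. Error: {ex.Message}");
            _logger.Error($"Please send the following text to [email protected]. \r\n\r\nKey data: {registryKey}");
        }
    }

    //For each Programs entry, add the related Files entries from Files\Volume subkey, put the rest in unassociated
    _logger.Debug("Getting Files data");

    foreach (var registryKey in fileKey.SubKeys)
    {
        //These are the guids for volumes
        foreach (var subKey in registryKey.SubKeys)
        {
            var prodName = "";
            int? langId = null;
            var fileVerString = "";
            var fileVerNum = "";
            var fileDesc = "";
            var compName = "";
            var fullPath = "";
            var switchBack = "";
            var peHash = "";
            var progID = "";
            var sha = "";
            long binProdVersion = 0;
            ulong binFileVersion = 0;
            var linkerVersion = 0;
            var binType = 0;
            var isLocal = 0;
            var gProgramID = 0;
            int? fileSize = null;
            int? sizeOfImage = null;
            uint? peHeaderChecksum = null;
            DateTimeOffset? created = null;
            DateTimeOffset? lm = null;
            DateTimeOffset? lmStore = null;
            DateTimeOffset? linkDate = null;
            var hasLinkedProgram = false;

            // As above: a malformed file entry is logged and skipped, not fatal.
            try
            {
                //these are the files executed from the volume
                foreach (var keyValue in subKey.Values)
                {
                    // Value names are hex identifiers matched against the class constants below.
                    var keyVal = int.Parse(keyValue.ValueName, NumberStyles.HexNumber);

                    switch (keyVal)
                    {
                        case ProductName:
                            prodName = keyValue.ValueData;
                            break;
                        case CompanyName:
                            compName = keyValue.ValueData;
                            break;
                        case FileVersionNumber:
                            fileVerNum = keyValue.ValueData;
                            break;
                        case LanguageCode:
                            langId = int.Parse(keyValue.ValueData);
                            break;
                        case SwitchBackContext:
                            switchBack = keyValue.ValueData;
                            break;
                        case FileVersionString:
                            fileVerString = keyValue.ValueData;
                            break;
                        case FileSize:
                            fileSize = int.Parse(keyValue.ValueData);
                            break;
                        case SizeOfImage:
                            sizeOfImage = int.Parse(keyValue.ValueData);
                            break;
                        case PEHeaderHash:
                            peHash = keyValue.ValueData;
                            break;
                        case PEHeaderChecksum:
                            peHeaderChecksum = uint.Parse(keyValue.ValueData);
                            break;
                        case BinProductVersion:
                            binProdVersion = long.Parse(keyValue.ValueData);
                            break;
                        case BinFileVersion:
                            binFileVersion = ulong.Parse(keyValue.ValueData);
                            break;
                        case FileDescription:
                            fileDesc = keyValue.ValueData;
                            break;
                        case LinkerVersion:
                            linkerVersion = int.Parse(keyValue.ValueData);
                            break;
                        case LinkDate:
                            // Unix seconds.
                            linkDate = DateTimeOffset.FromUnixTimeSeconds(long.Parse(keyValue.ValueData)).ToUniversalTime();
                            break;
                        case BinaryType:
                            binType = int.Parse(keyValue.ValueData);
                            break;
                        case LastModified:
                            // Windows FILETIME.
                            lm = DateTimeOffset.FromFileTime(long.Parse(keyValue.ValueData)).ToUniversalTime();
                            break;
                        case Created:
                            created = DateTimeOffset.FromFileTime(long.Parse(keyValue.ValueData)).ToUniversalTime();
                            break;
                        case FullPath:
                            fullPath = keyValue.ValueData;
                            break;
                        case IsLocal:
                            isLocal = int.Parse(keyValue.ValueData);
                            break;
                        case GuessProgramID:
                            gProgramID = int.Parse(keyValue.ValueData);
                            break;
                        case LastModifiedStore:
                            lmStore = DateTimeOffset.FromFileTime(long.Parse(keyValue.ValueData)).ToUniversalTime();
                            break;
                        case ProgramID:
                            progID = keyValue.ValueData;
                            var program = ProgramsEntries.SingleOrDefault(t => t.ProgramID == progID);
                            if (program != null)
                            {
                                hasLinkedProgram = true;
                            }
                            break;
                        case SHA1:
                            sha = keyValue.ValueData;
                            break;
                        default:
                            _logger.Warn($"Unknown value name when processing FileEntry at path '{subKey.KeyPath}': 0x{keyVal:X}");
                            break;
                    }
                }

                // Entries without a path carry nothing usable.
                if (fullPath.Length == 0)
                {
                    continue;
                }

                TotalFileEntries += 1;

                var fe = new FileEntryOld(prodName, progID, sha, fullPath, lmStore, registryKey.KeyName,
                    registryKey.LastWriteTime.Value, subKey.KeyName, subKey.LastWriteTime.Value, isLocal, compName,
                    langId, fileVerString, peHash, fileVerNum, fileDesc, binProdVersion, binFileVersion,
                    linkerVersion, binType, switchBack, fileSize, linkDate, sizeOfImage, lm, created,
                    peHeaderChecksum, gProgramID, subKey.KeyName);

                if (hasLinkedProgram)
                {
                    var program = ProgramsEntries.SingleOrDefault(t => t.ProgramID == fe.ProgramID);
                    fe.ProgramName = program.ProgramName_0;
                    program.FileEntries.Add(fe);
                }
                else
                {
                    fe.ProgramName = "Unassociated";
                    UnassociatedFileEntries.Add(fe);
                }
            }
            catch (Exception ex)
            {
                _logger.Error($"Error parsing FileEntry at {subKey.KeyPath}. Error: {ex.Message}");
                _logger.Error($"Please send the following text to [email protected]. \r\n\r\nKey data: {subKey}");
            }
        }
    }
}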
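/// <summary>
/// Reports whether the system described by <paramref name="reg"/> (or the live machine when
/// <paramref name="reg"/> is null) is 32-bit, judged by the PROCESSOR_ARCHITECTURE value under the
/// current control set's <c>Control\Session Manager\Environment</c> key.
/// </summary>
/// <param name="fileName">Path of the SYSTEM hive on disk. Only used for the raw-copy fallback when
/// reading <paramref name="reg"/> throws (for example because the file is locked).</param>
/// <param name="reg">A parsed SYSTEM hive, or null to read the live registry (Windows only).</param>
/// <returns>true when PROCESSOR_ARCHITECTURE is exactly "x86"; false for any other value.</returns>
/// <exception cref="NotSupportedException"><paramref name="reg"/> is null on a non-Windows host.</exception>
/// <exception cref="NullReferenceException">No PROCESSOR_ARCHITECTURE value could be located by any
/// strategy. Kept for caller compatibility; an InvalidOperationException would be the conventional type.</exception>
public static bool Is32Bit(string fileName, RegistryHive reg)
{
    const string archValueName = "PROCESSOR_ARCHITECTURE";
    const string envSubPath = "Control\\Session Manager\\Environment";

    if (reg == null)
    {
        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
        {
            throw new NotSupportedException("'Filename' is required on non-Windows platforms.");
        }

        // Win32 registry keys are IDisposable; the original leaked the handle.
        using (var envKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(
                   @"SYSTEM\CurrentControlSet\Control\Session Manager\Environment"))
        {
            var liveArch = envKey?.GetValue(archValueName);
            if (liveArch != null)
            {
                return string.Equals(liveArch.ToString(), "x86", StringComparison.Ordinal);
            }
        }
    }
    else
    {
        try
        {
            // "Select\Current" names the control set that was last booted.
            var selectKey = reg.GetKey("Select");
            var currentCtlSet = int.Parse(selectKey.Values.Single(c => c.ValueName == "Current").ValueData);
            var envKey = reg.GetKey($"ControlSet00{currentCtlSet}\\{envSubPath}");
            var arch = envKey?.Values.SingleOrDefault(c => c.ValueName == archValueName);
            if (arch != null)
            {
                return string.Equals(arch.ValueData, "x86", StringComparison.Ordinal);
            }
        }
        catch (Exception)
        {
            // Reading the parsed hive failed (typically a locked live hive): take a raw copy instead.
            var rawFiles = Helper.GetRawFiles(new List<string> { fileName });
            var raw = rawFiles.First();

            // The original allocated this buffer but never filled it from the stream, so the
            // fallback parsed an all-zero hive. Stream.Read may return short, hence the loop.
            var bytes = new byte[raw.FileStream.Length];
            var total = 0;
            while (total < bytes.Length)
            {
                var read = raw.FileStream.Read(bytes, total, bytes.Length - total);
                if (read <= 0)
                {
                    break;
                }

                total += read;
            }

            var hive = new RegistryHiveOnDemand(bytes, fileName);
            var selectKey = hive.GetKey("Select");
            var currentCtlSet = int.Parse(selectKey.Values.Single(c => c.ValueName == "Current").ValueData);
            var envKey = hive.GetKey($"ControlSet00{currentCtlSet}\\{envSubPath}");
            var arch = envKey?.Values.SingleOrDefault(c => c.ValueName == archValueName);
            if (arch != null)
            {
                return string.Equals(arch.ValueData, "x86", StringComparison.Ordinal);
            }
        }
    }

    throw new NullReferenceException("Unable to determine CPU architecture!");
}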
/// <summary>
/// Pins the KeyValue and VkCellRecord properties of two values in the SAM test hive: a nameless
/// REG_NONE value with no data (key at offset 0x418), and the "F" REG_BINARY value under
/// Users\000001F4, which carries slack bytes after its data.
/// </summary>
public void ShouldFindKeyValueAndCheckProperties()
{
    var samHive = new RegistryHive(@"..\..\..\Hives\SAM");
    // Keep the cell record lists so VkRecord details remain inspectable after parsing.
    samHive.FlushRecordListsAfterParse = false;
    samHive.ParseHive();

    // --- Subject 1: empty REG_NONE value ---
    var noneKey = samHive.GetKey(0x418);
    Check.That(noneKey).IsNotNull();
    Check.That(noneKey.ToString()).IsNotEmpty();

    var noneValue = noneKey.Values[0];
    //TODO Need to export to reg each kind too
    Check.That(noneValue).IsNotNull();
    Check.That(noneValue.ToString()).IsNotEmpty();
    Check.That(noneValue.ValueType).IsEqualTo("RegNone");
    Check.That(noneValue.ValueName).IsEmpty();
    Check.That(noneValue.ValueName).IsEqualTo(string.Empty);
    Check.That(noneValue.ValueData).IsEmpty();
    Check.That(noneValue.ValueSlack).IsEmpty();
    Check.That(noneValue.ValueSlackRaw).IsEmpty();

    var noneCell = noneValue.VkRecord;
    Check.That(noneCell.Signature).IsEqualTo("vk");
    Check.That(noneCell.IsFree).IsFalse();
    Check.That(noneCell.Size).IsEqualTo(-24);
    Check.That(noneCell.RelativeOffset).IsEqualTo(0x270);
    Check.That(noneCell.AbsoluteOffset).IsEqualTo(0x1270);
    Check.That(noneCell.DataLength).IsEqualTo(0x80000000);
    Check.That(noneCell.OffsetToData).IsEqualTo(0);
    Check.That(noneCell.NameLength).IsEqualTo(0);
    Check.That(noneCell.NamePresentFlag).IsEqualTo(0);

    // --- Subject 2: REG_BINARY value with slack ---
    var slackKey = samHive.GetKey(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\SAM\Domains\Account\Users\000001F4");
    Check.That(slackKey).IsNotNull();

    var slackValue = slackKey.Values[0];
    Check.That(slackValue).IsNotNull();
    Check.That(slackValue.ToString()).IsNotEmpty();
    Check.That(slackValue.ValueType).IsEqualTo("RegBinary");
    Check.That(slackValue.ValueName).IsNotEmpty();
    Check.That(slackValue.ValueName).IsEqualTo("F");
    Check.That(slackValue.ValueData).IsNotEmpty();
    Check.That(slackValue.ValueData.Length).IsEqualTo(239);
    Check.That(slackValue.ValueData).IsEqualTo(
        "02-00-01-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-FF-FF-FF-FF-FF-FF-FF-7F-00-00-00-00-00-00-00-00-F4-01-00-00-01-02-00-00-10-02-00-00-00-00-00-00-00-00-00-00-01-00-00-00-00-00-00-00-73-00-00-00");
    Check.That(slackValue.ValueSlack).IsNotEmpty();
    Check.That(slackValue.ValueSlack.Length).IsEqualTo(11);
    Check.That(slackValue.ValueSlack).IsEqualTo("1F-00-0F-00");
    Check.That(slackValue.ValueSlackRaw.Length).IsStrictlyGreaterThan(0);
    Check.That(slackValue.ValueSlackRaw.Length).IsEqualTo(4);

    var slackCell = slackValue.VkRecord;
    Check.That(slackCell.Signature).IsEqualTo("vk");
    Check.That(slackCell.IsFree).IsFalse();
    Check.That(slackCell.Size).IsEqualTo(-32);
    Check.That(slackCell.RelativeOffset).IsEqualTo(0x39B8);
    Check.That(slackCell.AbsoluteOffset).IsEqualTo(0x49B8);
    Check.That(slackCell.DataLength).IsEqualTo(0x50);
    Check.That(slackCell.OffsetToData).IsEqualTo(0x39D8);
    Check.That(slackCell.NameLength).IsEqualTo(0x1);
    Check.That(slackCell.NamePresentFlag).IsEqualTo(1);
    Check.That(slackCell.Padding.Length).IsEqualTo(7);
}
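/// <summary>
/// Loads the AppCompatCache (ShimCache) blob(s) either from the live registry (when
/// <paramref name="filename"/> is empty) or from an offline SYSTEM hive, and parses one
/// <see cref="IAppCompatCache"/> per selected control set into <see cref="Caches"/>.
/// </summary>
/// <param name="filename">Path to a SYSTEM hive, or null/empty to read HKLM on the running machine.</param>
/// <param name="controlSet">Control set number to process, or -1 to process every ControlSet00x
/// (0-9) that carries an AppCompatCache or AppCompatibility key.</param>
/// <param name="noLogs">When true, a dirty hive without LOG files is parsed anyway instead of aborting.</param>
/// <exception cref="FileNotFoundException"><paramref name="filename"/> does not exist.</exception>
/// <exception cref="InvalidOperationException">Live mode: the SYSTEM\Select key is missing.</exception>
/// <exception cref="Exception">The hive is dirty with no LOG files beside it (and
/// <paramref name="noLogs"/> is false), or the requested control set key is missing.</exception>
public AppCompatCache(string filename, int controlSet, bool noLogs)
{
    Caches = new List<IAppCompatCache>();

    if (string.IsNullOrEmpty(filename))
    {
        // ---- Live registry ----
        var hklm = Microsoft.Win32.Registry.LocalMachine;

        // Older systems spell the key "AppCompatibility"; try that when the usual name is absent.
        using (var cacheKey =
            hklm.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache")
            ?? hklm.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility"))
        {
            if (cacheKey == null)
            {
                Console.WriteLine(
                    @"'CurrentControlSet\Control\Session Manager\AppCompatCache' key not found! Exiting");
                return;
            }

            var liveBytes = (byte[])cacheKey.GetValue("AppCompatCache", null);
            if (liveBytes == null)
            {
                // Previously fell through to Init(null, ...); report and stop instead.
                Console.WriteLine(@"'AppCompatCache' value not found! Exiting");
                return;
            }

            using (var selectKey = hklm.OpenSubKey(@"SYSTEM\Select"))
            {
                if (selectKey == null)
                {
                    throw new InvalidOperationException(
                        @"'SYSTEM\Select' key not found; cannot determine the current control set");
                }

                ControlSet = (int)selectKey.GetValue("Current");
            }

            var is32Bit = Is32Bit(filename);
            Caches.Add(Init(liveBytes, is32Bit, ControlSet));
        }

        return;
    }

    // ---- Offline hive ----
    ControlSet = controlSet;

    if (File.Exists(filename) == false)
    {
        // The original message carried no file name; FileNotFoundException has a slot for it.
        throw new FileNotFoundException($"File not found ({filename})!", filename);
    }

    var hive = new RegistryHive(filename);

    // Mismatched sequence numbers mean the hive is dirty and its LOG1/LOG2 files must be replayed.
    if (hive.Header.PrimarySequenceNumber != hive.Header.SecondarySequenceNumber)
    {
        var hiveBase = Path.GetFileName(filename);
        var dirname = Path.GetDirectoryName(filename);
        if (string.IsNullOrEmpty(dirname))
        {
            dirname = ".";
        }

        var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");
        if (logFiles.Length == 0)
        {
            var log = LogManager.GetCurrentClassLogger();
            if (noLogs == false)
            {
                log.Warn(
                    "Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
                throw new Exception(
                    "Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
            }

            log.Warn(
                "Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
        }
        else
        {
            // NOTE(review): logs are replayed even when noLogs is true (unlike the Amcache parser,
            // where the flag suppresses replay). Preserved as-is; confirm which is intended.
            hive.ProcessTransactionLogs(logFiles.ToList(), true);
        }
    }

    hive.ParseHive();

    var controlSetIds = new List<int>();
    if (controlSet == -1)
    {
        // Probe ControlSet000..ControlSet009 for either spelling of the cache key.
        for (var i = 0; i < 10; i++)
        {
            var probe = hive.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatCache")
                        ?? hive.GetKey($@"ControlSet00{i}\Control\Session Manager\AppCompatibility");
            if (probe != null)
            {
                controlSetIds.Add(i);
            }
        }

        if (controlSetIds.Count > 1)
        {
            var log = LogManager.GetCurrentClassLogger();
            log.Warn(
                $"***The following ControlSet00x keys will be exported: {string.Join(",", controlSetIds)}. Use -c to process keys individually\r\n");
        }
    }
    else
    {
        // A specific control set was requested; it must exist.
        var requested = hive.GetKey($@"ControlSet00{ControlSet}\Control\Session Manager\AppCompatCache")
                        ?? hive.GetKey($@"ControlSet00{ControlSet}\Control\Session Manager\AppCompatibility");
        if (requested == null)
        {
            throw new Exception($"Could not find ControlSet00{ControlSet}. Exiting");
        }

        controlSetIds.Add(ControlSet);
    }

    var is32 = Is32Bit(filename);
    var log1 = LogManager.GetCurrentClassLogger();
    log1.Debug($@"**** Found {controlSetIds.Count} ids to process");

    foreach (var id in controlSetIds)
    {
        log1.Debug($@"**** Processing id {id}");

        var hive2 = new RegistryHiveOnDemand(filename);
        var subKey = hive2.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatCache");
        if (subKey == null)
        {
            log1.Debug($@"**** Initial subkey null, getting appCompatability key");
            subKey = hive2.GetKey($@"ControlSet00{id}\Control\Session Manager\AppCompatibility");
        }

        log1.Debug($@"**** Looking AppCompatcache value");
        var val = subKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");

        // Read per control set: the original carried rawBytes across iterations, so a control
        // set lacking the value silently inherited (and was reported with) the previous one's blob.
        var rawBytes = val?.ValueDataRaw;
        if (rawBytes == null)
        {
            log1.Error($@"'AppCompatCache' value not found for 'ControlSet00{id}'! Exiting");
            continue;
        }

        log1.Debug($@"**** Found AppCompatcache value");
        Caches.Add(Init(rawBytes, is32, id));
    }
}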
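/// <summary>
/// Parses a new-format Amcache.hve and populates the program, file, shortcut, device container,
/// device PnP, driver binary and driver package collections from the corresponding
/// <c>Root\Inventory*</c> keys.
/// </summary>
/// <param name="hive">Path to Amcache.hve. If the file is locked, a raw copy is taken (requires
/// administrator rights).</param>
/// <param name="recoverDeleted">NOTE(review): not consulted — deleted records are always recovered,
/// exactly as in the original; confirm whether callers expect this flag to be honoured.</param>
/// <param name="noLogs">When true, a dirty hive is parsed without replaying its transaction logs
/// (and without aborting when none are found).</param>
/// <exception cref="UnauthorizedAccessException">The hive is in use and the process is not elevated.</exception>
/// <exception cref="Exception">The hive is dirty, no LOG files sit beside it, and
/// <paramref name="noLogs"/> is false.</exception>
public AmcacheNew(string hive, bool recoverDeleted, bool noLogs)
{
    _logger = LogManager.GetCurrentClassLogger();

    var dirname = Path.GetDirectoryName(hive);
    var hiveBase = Path.GetFileName(hive);

    // Path.GetDirectoryName yields "" for a bare file name (null for a root path) and
    // Directory.GetFiles rejects both. Normalise once here; the original only did so on the
    // dirty-hive path, so the raw-copy path could throw on a relative file name.
    if (string.IsNullOrEmpty(dirname))
    {
        dirname = ".";
    }

    List<RawCopyReturn> rawFiles;
    var reg = OpenAmcacheHive(hive, dirname, hiveBase, out rawFiles);
    ReplayTransactionLogsIfDirty(reg, dirname, hiveBase, noLogs, rawFiles);
    reg.ParseHive();

    UnassociatedFileEntries = new List<FileEntryNew>();
    ProgramsEntries = new List<ProgramsEntryNew>();
    DeviceContainers = new List<DeviceContainer>();
    DevicePnps = new List<DevicePnp>();
    DriveBinaries = new List<DriverBinary>();
    DriverPackages = new List<DriverPackage>();
    ShortCuts = new List<Shortcut>();

    // Programs are collected first so that file entries can be linked to them by ProgramId.
    CollectPrograms(reg);
    CollectFiles(reg);
    CollectShortcuts(reg);
    CollectDeviceContainers(reg);
    CollectDevicePnps(reg);
    CollectDriverBinaries(reg);
    CollectDriverPackages(reg);
}

/// <summary>
/// Opens the hive directly, or via a raw copy when the file is locked (e.g. the live Amcache.hve).
/// </summary>
/// <param name="rawFiles">Set to the raw-copied hive followed by its LOG files when the fallback
/// was used; null otherwise.</param>
private RegistryHive OpenAmcacheHive(string hive, string dirname, string hiveBase,
    out List<RawCopyReturn> rawFiles)
{
    rawFiles = null;

    try
    {
        return new RegistryHive(hive) { RecoverDeleted = true };
    }
    catch (IOException)
    {
        // File is in use; a raw copy needs elevation.
        if (RawCopy.Helper.IsAdministrator() == false)
        {
            throw new UnauthorizedAccessException("Administrator privileges not found!");
        }

        _logger.Warn($"'{hive}' is in use. Rerouting...\r\n");

        var files = new List<string> { hive };
        files.AddRange(Directory.GetFiles(dirname, $"{hiveBase}.LOG?"));
        rawFiles = RawCopy.Helper.GetFiles(files);

        var primary = rawFiles.First();
        return new RegistryHive(ReadAllBytes(primary.FileStream), primary.InputFilename);
    }
}

/// <summary>
/// Reads a stream into a byte array of its full length. Stream.Read may return fewer bytes
/// than requested, so loop instead of trusting a single call as the original did.
/// </summary>
private static byte[] ReadAllBytes(Stream stream)
{
    var buffer = new byte[stream.Length];
    var total = 0;
    while (total < buffer.Length)
    {
        var read = stream.Read(buffer, total, buffer.Length - total);
        if (read <= 0)
        {
            break;
        }

        total += read;
    }

    return buffer;
}

/// <summary>
/// Applies LOG1/LOG2 transaction logs when the hive's sequence numbers disagree (dirty hive).
/// Uses the raw-copied logs when the hive itself came from a raw copy.
/// </summary>
/// <exception cref="Exception">Dirty hive, no LOG files beside it, and <paramref name="noLogs"/> is false.</exception>
private void ReplayTransactionLogsIfDirty(RegistryHive reg, string dirname, string hiveBase, bool noLogs,
    List<RawCopyReturn> rawFiles)
{
    if (reg.Header.PrimarySequenceNumber == reg.Header.SecondarySequenceNumber)
    {
        return;
    }

    var logFiles = Directory.GetFiles(dirname, $"{hiveBase}.LOG?");

    if (logFiles.Length == 0)
    {
        if (noLogs == false)
        {
            _logger.Warn(
                "Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
            throw new Exception(
                "Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
        }

        _logger.Warn(
            "Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
        return;
    }

    if (noLogs)
    {
        _logger.Warn(
            "Registry hive is dirty and transaction logs were found in the same directory, but --nl was provided. Data may be missing! Continuing anyways...");
        return;
    }

    if (rawFiles != null)
    {
        // rawFiles[0] is the hive itself; the remainder are its LOG files.
        var lt = new List<TransactionLogFileInfo>();
        foreach (var rawCopyReturn in rawFiles.Skip(1))
        {
            lt.Add(new TransactionLogFileInfo(rawCopyReturn.InputFilename, ReadAllBytes(rawCopyReturn.FileStream)));
        }

        reg.ProcessTransactionLogs(lt, true);
    }
    else
    {
        reg.ProcessTransactionLogs(logFiles.ToList(), true);
    }
}

/// <summary>
/// Logs a failed key parse in the format used throughout this class. Callers skip the call for
/// keys recovered from free space, whose contents are expected to be partial.
/// </summary>
private void LogKeyParseError(string entryType, string keyPath, object keyDump, Exception ex)
{
    _logger.Error($"Error parsing {entryType} at {keyPath}. Error: {ex.Message}");
    _logger.Error($"Please send the following text to [email protected]. \r\n\r\nKey data: {keyDump}");
}

/// <summary>Parses an invariant-culture date string as UTC; returns null for an empty string.</summary>
private static DateTimeOffset? ParseInvariantDate(string value)
{
    if (value.Length == 0)
    {
        return null;
    }

    return new DateTimeOffset(DateTime.Parse(value, DateTimeFormatInfo.InvariantInfo).Ticks, TimeSpan.Zero);
}

/// <summary>Parses an integer value, treating an empty string as 0 (the hive stores blanks).</summary>
private static int ParseIntOrZero(string value)
{
    return value.Length == 0 ? 0 : int.Parse(value);
}

/// <summary>
/// Parses a file Size value, which is stored either as decimal or as "0x"-prefixed hex.
/// A malformed value yields 0 and is logged; the original swallowed the failure silently.
/// </summary>
private long ParseSize(string raw, string keyPath)
{
    var isHex = raw.StartsWith("0x", StringComparison.Ordinal);
    var digits = isHex ? raw.Substring(2) : raw;
    var style = isHex ? NumberStyles.HexNumber : NumberStyles.Integer;

    long size;
    if (long.TryParse(digits, style, CultureInfo.InvariantCulture, out size))
    {
        return size;
    }

    _logger.Warn($"Could not parse Size value '{raw}' at '{keyPath}'; using 0");
    return 0;
}

/// <summary>Fills <see cref="ProgramsEntries"/> from <c>Root\InventoryApplication</c>.</summary>
private void CollectPrograms(RegistryHive reg)
{
    _logger.Debug("Getting Programs data");

    var programsKey = reg.GetKey(@"Root\InventoryApplication");
    if (programsKey == null)
    {
        _logger.Warn("Hive does not contain a Root\\InventoryApplication key.");
        return;
    }

    foreach (var registryKey in programsKey.SubKeys)
    {
        var bundleManifestPath = string.Empty;
        var hiddenArp = false;
        var inboxModernApp = false;
        DateTimeOffset? installDate = null;
        var language = 0;
        var manifestPath = string.Empty;
        var msiPackageCode = string.Empty;
        var msiProductCode = string.Empty;
        var name = string.Empty;
        var osVersionAtInstallTime = string.Empty;
        var packageFullName = string.Empty;
        var programId = string.Empty;
        var programInstanceId = string.Empty;
        var publisher = string.Empty;
        var registryKeyPath = string.Empty;
        var rootDirPath = string.Empty;
        var source = string.Empty;
        var storeAppType = string.Empty;
        var type = string.Empty;
        var uninstallString = string.Empty;
        var version = string.Empty;
        var installDateArpLastModified = string.Empty;
        DateTimeOffset? installDateMsi = null;
        var installDateFromLinkFile = string.Empty;
        var manufacturer = string.Empty;

        try
        {
            foreach (var registryKeyValue in registryKey.Values)
            {
                var data = registryKeyValue.ValueData;
                switch (registryKeyValue.ValueName)
                {
                    case "BundleManifestPath": bundleManifestPath = data; break;
                    case "HiddenArp": hiddenArp = data == "1"; break;
                    case "InboxModernApp": inboxModernApp = data == "1"; break;
                    case "InstallDate": installDate = ParseInvariantDate(data); break;
                    case "Language": language = ParseIntOrZero(data); break;
                    case "ManifestPath": manifestPath = data; break;
                    case "MsiPackageCode": msiPackageCode = data; break;
                    case "MsiProductCode": msiProductCode = data; break;
                    case "Name": name = data; break;
                    case "OSVersionAtInstallTime": osVersionAtInstallTime = data; break;
                    case "PackageFullName": packageFullName = data; break;
                    case "ProgramId": programId = data; break;
                    case "ProgramInstanceId": programInstanceId = data; break;
                    case "Publisher": publisher = data; break;
                    case "RegistryKeyPath": registryKeyPath = data; break;
                    case "RootDirPath": rootDirPath = data; break;
                    case "Source": source = data; break;
                    case "StoreAppType": storeAppType = data; break;
                    case "Type": type = data; break;
                    case "UninstallString": uninstallString = data; break;
                    case "Version": version = data; break;
                    case "InstallDateArpLastModified": installDateArpLastModified = data; break;
                    case "InstallDateMsi": installDateMsi = ParseInvariantDate(data); break;
                    case "InstallDateFromLinkFile": installDateFromLinkFile = data; break;
                    case "Manufacturer": manufacturer = data; break;

                    // Known value names that are not modelled on ProgramsEntryNew.
                    case "DriverVerVersion":
                    case "BusReportedDescription":
                    case "HWID":
                    case "COMPID":
                    case "STACKID":
                    case "UpperClassFilters":
                    case "UpperFilters":
                    case "LowerFilters":
                    case "BinFileVersion":
                    case "(default)":
                        break;

                    default:
                        _logger.Warn(
                            $"Unknown value name in InventoryApplication at path {registryKey.KeyPath}: {registryKeyValue.ValueName}");
                        break;
                }
            }

            var pe = new ProgramsEntryNew(bundleManifestPath, hiddenArp, inboxModernApp, installDate, language,
                manifestPath, msiPackageCode, msiProductCode, name, osVersionAtInstallTime, packageFullName,
                programId, programInstanceId, publisher, registryKeyPath, rootDirPath, source, storeAppType, type,
                uninstallString, version, registryKey.LastWriteTime.Value, installDateArpLastModified,
                installDateMsi, installDateFromLinkFile, manufacturer);

            ProgramsEntries.Add(pe);
        }
        catch (Exception ex)
        {
            if (registryKey.NkRecord.IsFree == false)
            {
                LogKeyParseError("ProgramsEntry", registryKey.KeyPath, registryKey, ex);
            }
        }
    }
}

/// <summary>
/// Fills <see cref="UnassociatedFileEntries"/> and each program's FileEntries from
/// <c>Root\InventoryApplicationFile</c>, linking files to programs by ProgramId.
/// </summary>
private void CollectFiles(RegistryHive reg)
{
    _logger.Debug("Getting Files data");

    var fileKey = reg.GetKey(@"Root\InventoryApplicationFile");
    if (fileKey == null)
    {
        _logger.Warn("Hive does not contain a Root\\InventoryApplicationFile key.");
        return;
    }

    foreach (var subKey in fileKey.SubKeys)
    {
        var binaryType = string.Empty;
        var binFileVersion = string.Empty;
        var binProductVersion = string.Empty;
        var fileId = string.Empty;
        var isOsComponent = false;
        var isPeFile = false;
        var language = 0;
        DateTimeOffset? linkDate = null;
        var longPathHash = string.Empty;
        var lowerCaseLongPath = string.Empty;
        var name = string.Empty;
        var productName = string.Empty;
        var productVersion = string.Empty;
        var programId = string.Empty;
        var publisher = string.Empty;
        long size = 0;
        ulong usn = 0;
        var version = string.Empty;
        var description = string.Empty;
        // Resolved once while reading ProgramId; the original re-ran the lookup after the loop.
        ProgramsEntryNew linkedProgram = null;

        try
        {
            foreach (var subKeyValue in subKey.Values)
            {
                var data = subKeyValue.ValueData;
                switch (subKeyValue.ValueName)
                {
                    case "BinaryType": binaryType = data; break;
                    case "BinFileVersion": binFileVersion = data; break;
                    case "BinProductVersion": binProductVersion = data; break;
                    case "FileId": fileId = data; break;
                    case "IsOsComponent": isOsComponent = data == "1"; break;
                    case "IsPeFile": isPeFile = data == "1"; break;
                    // Blank Language values previously threw and produced a partial entry;
                    // treat them as 0 like the Programs parser does.
                    case "Language": language = ParseIntOrZero(data); break;
                    case "LinkDate": linkDate = ParseInvariantDate(data); break;
                    case "LongPathHash": longPathHash = data; break;
                    case "LowerCaseLongPath": lowerCaseLongPath = data; break;
                    case "Name": name = data; break;
                    case "ProductName": productName = data; break;
                    case "ProductVersion": productVersion = data; break;
                    case "ProgramId":
                        programId = data;
                        linkedProgram = ProgramsEntries.SingleOrDefault(t => t.ProgramId == programId);
                        break;
                    case "Publisher": publisher = data; break;
                    case "Size": size = ParseSize(data, subKey.KeyPath); break;
                    case "Description": description = data; break;
                    case "Version": version = data; break;
                    case "Usn": usn = ulong.Parse(data); break;

                    // Known value names that are not modelled on FileEntryNew.
                    case "BusReportedDescription":
                    case "FileSize":
                    case "Model":
                    case "Manufacturer":
                    case "ParentId":
                    case "MatchingID":
                    case "ClassGuid":
                    case "DriverName":
                    case "Enumerator":
                    case "Service":
                    case "DeviceState":
                    case "InstallState":
                    case "DriverVerVersion":
                    case "DriverPackageStrongName":
                    case "DriverVerDate":
                    case "AppxPackageRelativeId":
                    case "AppxPackageFullName":
                    case "ContainerId":
                    case "HiddenArp":
                    case "Inf":
                    case "ProblemCode":
                    case "Provider":
                    case "Class":
                        break;

                    default:
                        // Values recovered from free space often have garbage names; don't warn on those.
                        if (subKeyValue.VkRecord.IsFree == false)
                        {
                            _logger.Warn(
                                $"Unknown value name when processing FileEntry at path '{subKey.KeyPath}': {subKeyValue.ValueName}");
                        }

                        break;
                }
            }
        }
        catch (Exception ex)
        {
            if (subKey.NkRecord.IsFree == false)
            {
                LogKeyParseError("FileEntry", subKey.KeyPath, subKey, ex);
            }
        }

        // As in the original, an entry is recorded even when parsing threw part-way through,
        // so partially populated entries are possible.
        TotalFileEntries += 1;

        // NOTE(review): productVersion is passed twice (3rd and 13th arguments) while
        // binProductVersion goes 19th, exactly as in the original; verify against the
        // FileEntryNew parameter order.
        var fe = new FileEntryNew(binaryType, binFileVersion, productVersion, fileId, isOsComponent, isPeFile,
            language, linkDate, longPathHash, lowerCaseLongPath, name, productName, productVersion, programId,
            publisher, size, version, subKey.LastWriteTime.Value, binProductVersion, usn, description);

        if (linkedProgram != null)
        {
            fe.ApplicationName = linkedProgram.Name;
            linkedProgram.FileEntries.Add(fe);
        }
        else
        {
            fe.ApplicationName = "Unassociated";
            UnassociatedFileEntries.Add(fe);
        }
    }
}

/// <summary>Fills <see cref="ShortCuts"/> from <c>Root\InventoryApplicationShortcut</c>.</summary>
private void CollectShortcuts(RegistryHive reg)
{
    _logger.Debug("Getting Shortcut data");

    var shortCutkey = reg.GetKey(@"Root\InventoryApplicationShortcut");
    if (shortCutkey == null)
    {
        return;
    }

    foreach (var shortCutkeySubKey in shortCutkey.SubKeys)
    {
        // The data of the key's first value is taken as the lnk name; keys without values get "".
        var lnkName = shortCutkeySubKey.Values.Count > 0
            ? shortCutkeySubKey.Values.First().ValueData
            : "";

        ShortCuts.Add(new Shortcut(shortCutkeySubKey.KeyName, lnkName, shortCutkeySubKey.LastWriteTime.Value));
    }
}

/// <summary>Fills <see cref="DeviceContainers"/> from <c>Root\InventoryDeviceContainer</c>.</summary>
private void CollectDeviceContainers(RegistryHive reg)
{
    _logger.Debug("Getting InventoryDeviceContainer data");

    var deviceKey = reg.GetKey(@"Root\InventoryDeviceContainer");
    if (deviceKey == null)
    {
        return;
    }

    foreach (var deviceSubKey in deviceKey.SubKeys)
    {
        var categories = string.Empty;
        var discoveryMethod = string.Empty;
        var friendlyName = string.Empty;
        var icon = string.Empty;
        var isActive = false;
        var isConnected = false;
        var isMachineContainer = false;
        var isNetworked = false;
        var isPaired = false;
        var manufacturer = string.Empty;
        var modelId = string.Empty;
        var modelName = string.Empty;
        var modelNumber = string.Empty;
        var primaryCategory = string.Empty;
        var state = string.Empty;

        try
        {
            foreach (var keyValue in deviceSubKey.Values)
            {
                var data = keyValue.ValueData;
                switch (keyValue.ValueName)
                {
                    case "Categories": categories = data; break;
                    case "DiscoveryMethod": discoveryMethod = data; break;
                    case "FriendlyName": friendlyName = data; break;
                    case "Icon": icon = data; break;
                    case "IsActive": isActive = data == "1"; break;
                    case "IsConnected": isConnected = data == "1"; break;
                    case "IsMachineContainer": isMachineContainer = data == "1"; break;
                    case "IsNetworked": isNetworked = data == "1"; break;
                    case "IsPaired": isPaired = data == "1"; break;
                    case "Manufacturer": manufacturer = data; break;
                    case "ModelId": modelId = data; break;
                    case "ModelName": modelName = data; break;
                    case "ModelNumber": modelNumber = data; break;
                    case "PrimaryCategory": primaryCategory = data; break;
                    case "State": state = data; break;

                    // Known value names that are not modelled on DeviceContainer.
                    case "(default)":
                    case "Model":
                    case "BusReportedDescription":
                    case "Version":
                    case "LowerClassFilters":
                    case "ManifestPath":
                    case "UpperClassFilters":
                        break;

                    default:
                        _logger.Warn(
                            $"Unknown value name when processing DeviceContainer at path '{deviceSubKey.KeyPath}': {keyValue.ValueName}");
                        break;
                }
            }

            var dc = new DeviceContainer(deviceSubKey.KeyName, deviceSubKey.LastWriteTime.Value, categories,
                discoveryMethod, friendlyName, icon, isActive, isConnected, isMachineContainer, isNetworked,
                isPaired, manufacturer, modelId, modelName, modelNumber, primaryCategory, state);

            DeviceContainers.Add(dc);
        }
        catch (Exception ex)
        {
            if (deviceSubKey.NkRecord.IsFree == false)
            {
                LogKeyParseError("DeviceContainer", deviceSubKey.KeyPath, deviceSubKey, ex);
            }
        }
    }
}

/// <summary>Fills <see cref="DevicePnps"/> from <c>Root\InventoryDevicePnp</c>.</summary>
private void CollectDevicePnps(RegistryHive reg)
{
    _logger.Debug("Getting InventoryDevicePnp data");

    var pnpKey = reg.GetKey(@"Root\InventoryDevicePnp");
    if (pnpKey == null)
    {
        return;
    }

    foreach (var pnpsKey in pnpKey.SubKeys)
    {
        var busReportedDescription = string.Empty;
        var deviceClass = string.Empty;
        var classGuid = string.Empty;
        var compid = string.Empty;
        var containerId = string.Empty;
        var description = string.Empty;
        var deviceState = string.Empty;
        var driverId = string.Empty;
        var driverName = string.Empty;
        var driverPackageStrongName = string.Empty;
        var driverVerDate = string.Empty;
        var driverVerVersion = string.Empty;
        var enumerator = string.Empty;
        var hwid = string.Empty;
        var inf = string.Empty;
        var installState = string.Empty;
        var manufacturer = string.Empty;
        var matchingId = string.Empty;
        var model = string.Empty;
        var parentId = string.Empty;
        var problemCode = string.Empty;
        var provider = string.Empty;
        var service = string.Empty;
        var stackid = string.Empty;

        try
        {
            foreach (var keyValue in pnpsKey.Values)
            {
                var data = keyValue.ValueData;
                switch (keyValue.ValueName)
                {
                    case "BusReportedDescription": busReportedDescription = data; break;
                    case "Class": deviceClass = data; break;
                    case "ClassGuid": classGuid = data; break;
                    case "COMPID": compid = data; break;
                    case "ContainerId": containerId = data; break;
                    case "Description": description = data; break;
                    case "DeviceState": deviceState = data; break;
                    case "DriverId": driverId = data; break;
                    case "DriverName": driverName = data; break;
                    case "DriverPackageStrongName": driverPackageStrongName = data; break;
                    case "DriverVerDate": driverVerDate = data; break;
                    case "DriverVerVersion": driverVerVersion = data; break;
                    case "Enumerator": enumerator = data; break;
                    case "HWID": hwid = data; break;
                    case "Inf": inf = data; break;
                    case "InstallState": installState = data; break;
                    case "Manufacturer": manufacturer = data; break;
                    case "MatchingID": matchingId = data; break;
                    case "Model": model = data; break;
                    case "ParentId": parentId = data; break;
                    case "ProblemCode": problemCode = data; break;
                    case "Provider": provider = data; break;
                    case "Service": service = data; break;
                    case "STACKID": stackid = data; break;

                    // Known but unmodelled; silently skipped.
                    case "LowerClassFilters":
                    case "LowerFilters":
                        break;

                    // Known but unmodelled; echoed at debug level.
                    case "UpperClassFilters":
                    case "UpperFilters":
                    case "ExtendedInfs":
                    case "DeviceInterfaceClasses":
                    case "(default)":
                    case "DeviceExtDriversFlightIds":
                    case "InstallDate":
                    case "FirstInstallDate":
                    case "DeviceDriverFlightId":
                        _logger.Debug($"Value: '{keyValue.ValueName}' --> {keyValue.ValueData}");
                        break;

                    default:
                        _logger.Warn(
                            $"Unknown value name when processing DevicePnp at path '{pnpsKey.KeyPath}': {keyValue.ValueName}");
                        break;
                }
            }

            var dp = new DevicePnp(pnpsKey.KeyName, pnpsKey.LastWriteTime.Value, busReportedDescription,
                deviceClass, classGuid, compid, containerId, description, deviceState, driverId, driverName,
                driverPackageStrongName, driverVerDate, driverVerVersion, enumerator, hwid, inf, installState,
                manufacturer, matchingId, model, parentId, problemCode, provider, service, stackid);

            DevicePnps.Add(dp);
        }
        catch (Exception ex)
        {
            // The original inspected and reported the parent InventoryDevicePnp key here; the
            // failing subkey is what matters, as in the DeviceContainer parser.
            if (pnpsKey.NkRecord.IsFree == false)
            {
                LogKeyParseError("DevicePnp", pnpsKey.KeyPath, pnpsKey, ex);
            }
        }
    }
}

/// <summary>Fills <see cref="DriveBinaries"/> from <c>Root\InventoryDriverBinary</c>.</summary>
private void CollectDriverBinaries(RegistryHive reg)
{
    _logger.Debug("Getting InventoryDriverBinary data");

    var binaryKey = reg.GetKey(@"Root\InventoryDriverBinary");
    if (binaryKey == null)
    {
        return;
    }

    foreach (var binKey in binaryKey.SubKeys)
    {
        var driverCheckSum = 0;
        var driverCompany = string.Empty;
        var driverId = string.Empty;
        var driverInBox = false;
        var driverIsKernelMode = false;
        DateTimeOffset? driverLastWriteTime = null;
        var driverName = string.Empty;
        var driverPackageStrongName = string.Empty;
        var driverSigned = false;
        DateTimeOffset? driverTimeStamp = null;
        var driverType = string.Empty;
        var driverVersion = string.Empty;
        var imageSize = 0;
        var inf = string.Empty;
        var product = string.Empty;
        var productVersion = string.Empty;
        var service = string.Empty;
        var wdfVersion = string.Empty;

        try
        {
            foreach (var keyValue in binKey.Values)
            {
                var data = keyValue.ValueData;
                switch (keyValue.ValueName)
                {
                    case "DriverCheckSum": driverCheckSum = int.Parse(data); break;
                    case "DriverCompany": driverCompany = data; break;
                    case "DriverId": driverId = data; break;
                    case "DriverInBox": driverInBox = data == "1"; break;
                    case "DriverIsKernelMode": driverIsKernelMode = data == "1"; break;
                    case "DriverLastWriteTime": driverLastWriteTime = ParseInvariantDate(data); break;
                    case "DriverName": driverName = data; break;
                    case "DriverPackageStrongName": driverPackageStrongName = data; break;
                    case "DriverSigned": driverSigned = data == "1"; break;
                    case "DriverTimeStamp":
                        // Unix epoch seconds; 0 means "not set" and is left as null.
                        var seca = long.Parse(data);
                        if (seca > 0)
                        {
                            driverTimeStamp = DateTimeOffset.FromUnixTimeSeconds(seca).ToUniversalTime();
                        }

                        break;
                    case "DriverType": driverType = data; break;
                    case "DriverVersion": driverVersion = data; break;
                    case "ImageSize": imageSize = int.Parse(data); break;
                    case "Inf": inf = data; break;
                    case "Product": product = data; break;
                    case "ProductVersion": productVersion = data; break;
                    case "Service": service = data; break;
                    case "WdfVersion": wdfVersion = data; break;

                    // Known value names that are not modelled on DriverBinary.
                    case "(default)":
                    case "COMPID":
                    case "HWID":
                        break;

                    default:
                        _logger.Warn(
                            $"Unknown value name when processing DriverBinary at path '{binKey.KeyPath}': {keyValue.ValueName}");
                        break;
                }
            }

            var db = new DriverBinary(binKey.KeyName, binKey.LastWriteTime.Value, driverCheckSum, driverCompany,
                driverId, driverInBox, driverIsKernelMode, driverLastWriteTime, driverName,
                driverPackageStrongName, driverSigned, driverTimeStamp, driverType, driverVersion, imageSize, inf,
                product, productVersion, service, wdfVersion);

            DriveBinaries.Add(db);
        }
        catch (Exception ex)
        {
            // Report the failing subkey, not the parent key as the original did.
            if (binKey.NkRecord.IsFree == false)
            {
                LogKeyParseError("DriverBinary", binKey.KeyPath, binKey, ex);
            }
        }
    }
}

/// <summary>Fills <see cref="DriverPackages"/> from <c>Root\InventoryDriverPackage</c>.</summary>
private void CollectDriverPackages(RegistryHive reg)
{
    _logger.Debug("Getting InventoryDriverPackage data");

    var packageKey = reg.GetKey(@"Root\InventoryDriverPackage");
    if (packageKey == null)
    {
        return;
    }

    foreach (var packKey in packageKey.SubKeys)
    {
        var driverClass = string.Empty;
        var classGuid = string.Empty;
        DateTimeOffset? date = null;
        // Named "Directory" in the original, which shadowed System.IO.Directory inside the loop.
        var directory = string.Empty;
        var driverInBox = false;
        var hwids = string.Empty;
        var inf = string.Empty;
        var provider = string.Empty;
        var submissionId = string.Empty;
        var sysFile = string.Empty;
        var version = string.Empty;

        try
        {
            foreach (var keyValue in packKey.Values)
            {
                var data = keyValue.ValueData;
                switch (keyValue.ValueName)
                {
                    case "Class": driverClass = data; break;
                    case "ClassGuid": classGuid = data; break;
                    case "Date": date = ParseInvariantDate(data); break;
                    case "Directory": directory = data; break;
                    case "DriverInBox": driverInBox = data == "1"; break;
                    case "Hwids": hwids = data; break;
                    case "Inf": inf = data; break;
                    case "Provider": provider = data; break;
                    case "SubmissionId": submissionId = data; break;
                    case "SYSFILE": sysFile = data; break;
                    case "Version": version = data; break;

                    // Known but not modelled on DriverPackage.
                    case "IsActive":
                        break;

                    default:
                        _logger.Warn(
                            $"Unknown value name when processing DriverPackage at path '{packKey.KeyPath}': {keyValue.ValueName}");
                        break;
                }
            }

            var dp = new DriverPackage(packKey.KeyName, packKey.LastWriteTime.Value, driverClass, classGuid, date,
                directory, driverInBox, hwids, inf, provider, submissionId, sysFile, version);

            DriverPackages.Add(dp);
        }
        catch (Exception ex)
        {
            // Report the failing subkey, not the parent key as the original did.
            if (packKey.NkRecord.IsFree == false)
            {
                LogKeyParseError("DriverPackage", packKey.KeyPath, packKey, ex);
            }
        }
    }
}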
public void ShouldFindRegQWordValues()
{
    // Every REG_QWORD checked below is expected to decode to an unsigned 64-bit
    // number and to leave exactly four bytes of slack after the value data.

    // --- NTUSER1.DAT, opened on demand (no up-front full parse) ---
    var onDemandHive = new RegistryHiveOnDemand(@"..\..\..\Hives\NTUSER1.DAT");

    var werKey = onDemandHive.GetKey(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\Windows Error Reporting");
    Check.That(werKey).IsNotNull();
    var lastCabUploaded = werKey.Values.Single(t => t.ValueName == "LastWatsonCabUploaded");
    Check.That(lastCabUploaded).IsNotNull();
    Check.That(lastCabUploaded.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(lastCabUploaded.VkRecord.ValueData).IsEqualTo((ulong)130557640214774914);
    Check.That(lastCabUploaded.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

    var storeKey = onDemandHive.GetKey(
        @"CsiTool-CreateHive-{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList");
    Check.That(storeKey).IsNotNull();
    var bannedAppsModified = storeKey.Values.Single(t => t.ValueName == "BannedAppsLastModified");
    Check.That(bannedAppsModified).IsNotNull();
    Check.That(bannedAppsModified.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(bannedAppsModified.VkRecord.ValueData).IsEqualTo((ulong)0);
    Check.That(bannedAppsModified.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

    // --- Acronis UsrClass.dat, fully parsed with deleted records recovered ---
    var acronisHive = new RegistryHive(@"..\..\..\Hives\Acronis_0x52_Usrclass.dat")
    {
        RecoverDeleted = true,
        FlushRecordListsAfterParse = false
    };
    acronisHive.ParseHive();

    var acronisTrayKey = acronisHive.GetKey(
        @"S-1-5-21-3851833874-1800822990-1357392098-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify");
    Check.That(acronisTrayKey).IsNotNull();
    var acronisLastAd = acronisTrayKey.Values.Single(t => t.ValueName == "LastAdvertisement");
    Check.That(acronisLastAd).IsNotNull();
    Check.That(acronisLastAd.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(acronisLastAd.VkRecord.ValueData).IsEqualTo((ulong)130294002389413697);
    Check.That(acronisLastAd.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

    // --- UsrClass.dat with deleted ShellBags, deleted records recovered ---
    var deletedBagsHive = new RegistryHive(@"..\..\..\Hives\UsrClassDeletedBags.dat")
    {
        RecoverDeleted = true,
        FlushRecordListsAfterParse = false
    };
    deletedBagsHive.ParseHive();

    var deletedBagsTrayKey = deletedBagsHive.GetKey(
        @"S-1-5-21-146151751-63468248-1215037915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify");
    Check.That(deletedBagsTrayKey).IsNotNull();
    var deletedBagsLastAd = deletedBagsTrayKey.Values.Single(t => t.ValueName == "LastAdvertisement");
    Check.That(deletedBagsLastAd).IsNotNull();
    Check.That(deletedBagsLastAd.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(deletedBagsLastAd.VkRecord.ValueData).IsEqualTo((ulong)130672934390152518);
    Check.That(deletedBagsLastAd.VkRecord.ValueDataSlack.Length).IsEqualTo(4);

    // --- NTUSER hive with slack space, record lists kept after parsing ---
    var slackHive = new RegistryHive(@"..\..\..\Hives\NTUSER slack.DAT")
    {
        FlushRecordListsAfterParse = false
    };
    slackHive.ParseHive();

    var externalToolsKey = slackHive.GetKey(@"$$$PROTO.HIV\Software\Microsoft\VisualStudio\7.0\External Tools");
    Check.That(externalToolsKey).IsNotNull();
    var lastMerge = externalToolsKey.Values.Single(t => t.ValueName == "LastMerge");
    Check.That(lastMerge).IsNotNull();
    Check.That(lastMerge.VkRecord.DataType).IsEqualTo(VkCellRecord.DataTypeEnum.RegQword);
    Check.That(lastMerge.VkRecord.ValueData).IsEqualTo((ulong)127257359392030000);
    Check.That(lastMerge.VkRecord.ValueDataSlack.Length).IsEqualTo(4);
}
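/// <summary>
/// Probes an Amcache hive to decide whether it uses the layout this class parses,
/// recognized by the presence of the <c>Root\InventoryApplicationFile</c> key.
/// </summary>
/// <param name="file">Path to the hive. If the file is locked (an IOException on open), a raw
/// copy of it and of its transaction logs is taken instead, which requires administrator rights.</param>
/// <param name="noLog">When true, a dirty hive (mismatched sequence numbers) is parsed without
/// replaying its transaction logs instead of being treated as unreadable.</param>
/// <returns>true when the key is present; false when it is absent or the hive could not be read.
/// A failure to read is logged as a warning rather than thrown, so callers cannot tell the two
/// false cases apart from the return value alone.</returns>
public static bool IsNewFormat(string file, bool noLog)
{
    RegistryKey fileKey = null;
    RegistryHive reg;
    List<RawCopy.RawCopyReturn> rawFiles = null;

    // Transaction logs sit next to the hive under the same base name (hive.LOG1, hive.LOG2).
    // A bare file name has no directory part; normalize it to "." up front so that neither
    // Directory.GetFiles call below receives an empty path.
    var dirname = Path.GetDirectoryName(file);
    if (string.IsNullOrEmpty(dirname))
    {
        dirname = ".";
    }

    var hiveBase = Path.GetFileName(file);
    var logPattern = $"{hiveBase}.LOG?";

    try
    {
        try
        {
            reg = new RegistryHive(file) { RecoverDeleted = true };
        }
        catch (IOException)
        {
            // The hive is in use (typically a live system). Read it and its logs through a raw
            // copy, which bypasses the sharing lock but needs elevation.
            if (!RawCopy.Helper.IsAdministrator())
            {
                throw new UnauthorizedAccessException("Administrator privileges not found!");
            }

            var files = new List<string> { file };
            files.AddRange(Directory.GetFiles(dirname, logPattern));

            rawFiles = RawCopy.Helper.GetFiles(files);

            // The hive was requested first, so it is assumed to come back first and the
            // remaining entries are its logs (presumes GetFiles preserves request order).
            var rawHive = rawFiles.First();
            reg = new RegistryHive(ReadAllBytes(rawHive), rawHive.InputFilename);
        }

        // This is only a probe: keep the hive parser's own logging quiet while it runs,
        // and always restore it, whatever happens below.
        LogManager.DisableLogging();
        try
        {
            if (reg.Header.PrimarySequenceNumber != reg.Header.SecondarySequenceNumber)
            {
                // Dirty hive: the latest writes are only in the transaction logs.
                var logFiles = Directory.GetFiles(dirname, logPattern);

                if (logFiles.Length == 0 || noLog)
                {
                    // Logging is suspended at this point, so these warnings may never be
                    // emitted; the abort case is re-logged by the catch below.
                    var log = LogManager.GetCurrentClassLogger();
                    if (!noLog)
                    {
                        log.Warn(
                            "Registry hive is dirty and no transaction logs were found in the same directory! LOGs should have same base name as the hive. Aborting!!");
                        throw new Exception(
                            "Sequence numbers do not match and transaction logs were not found in the same directory as the hive. Aborting");
                    }

                    log.Warn(
                        "Registry hive is dirty and no transaction logs were found in the same directory. Data may be missing! Continuing anyways...");
                }
                else if (rawFiles != null)
                {
                    // Locked hive: replay the raw-copied logs (everything after the hive itself).
                    var logs = rawFiles.Skip(1)
                        .Select(raw => new TransactionLogFileInfo(raw.InputFilename, ReadAllBytes(raw)))
                        .ToList();
                    reg.ProcessTransactionLogs(logs, true);
                }
                else
                {
                    reg.ProcessTransactionLogs(logFiles.ToList(), true);
                }
            }

            reg.ParseHive();
            fileKey = reg.GetKey(@"Root\InventoryApplicationFile");
        }
        finally
        {
            LogManager.EnableLogging();
        }
    }
    catch (Exception ex)
    {
        // Not elevated, dirty hive without logs, truncated file: the format could not be
        // determined. Say why instead of failing silently, then report "not new format".
        LogManager.GetCurrentClassLogger()
            .Warn($"Unable to determine Amcache format for '{file}': {ex.Message}");
    }
    finally
    {
        // Raw copies hold open streams; release them once the bytes have been consumed.
        if (rawFiles != null)
        {
            foreach (var raw in rawFiles)
            {
                raw.FileStream?.Dispose();
            }
        }
    }

    return fileKey != null;
}

/// <summary>
/// Reads the entire content of a raw-copied file into memory.
/// </summary>
/// <param name="raw">Raw copy whose <c>FileStream</c> is read from its current position.</param>
/// <returns>The bytes read; shorter than the stream's reported length only if the stream ended early.</returns>
private static byte[] ReadAllBytes(RawCopy.RawCopyReturn raw)
{
    var stream = raw.FileStream;
    var buffer = new byte[stream.Length];
    var total = 0;

    // Stream.Read may return fewer bytes than requested, so keep reading until the
    // reported length is reached or the stream signals end-of-data.
    while (total < buffer.Length)
    {
        var read = stream.Read(buffer, total, buffer.Length - total);
        if (read <= 0)
        {
            break;
        }

        total += read;
    }

    if (total < buffer.Length)
    {
        Array.Resize(ref buffer, total);
    }

    return buffer;
}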
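/// <summary>
/// Parses an Amcache hive in the InventoryApplication* / InventoryDevice* / InventoryDriver*
/// layout and populates the inventory collections of this instance.
/// </summary>
/// <param name="hive">Path to the Amcache hive file.</param>
/// <param name="recoverDeleted">When true, deleted keys and values are recovered and included.</param>
/// <remarks>
/// Processing stops early (with an error logged and empty collections) when either
/// <c>Root\InventoryApplicationFile</c> or <c>Root\InventoryApplication</c> is missing.
/// Each inventory subkey is parsed independently: a failure is logged with the key's dump
/// and does not abort the remaining keys. Every entry is stamped with the last-write time
/// of its own subkey, never with that of the parent inventory key.
/// </remarks>
public AmcacheNew(string hive, bool recoverDeleted)
{
    _logger = LogManager.GetCurrentClassLogger();

    var reg = new RegistryHive(hive) { RecoverDeleted = recoverDeleted };
    reg.ParseHive();

    var fileKey = reg.GetKey(@"Root\InventoryApplicationFile");
    var programsKey = reg.GetKey(@"Root\InventoryApplication");

    UnassociatedFileEntries = new List<FileEntryNew>();
    ProgramsEntries = new List<ProgramsEntryNew>();
    DeviceContainers = new List<DeviceContainer>();
    DevicePnps = new List<DevicePnp>();
    DriveBinaries = new List<DriverBinary>();
    DriverPackages = new List<DriverPackage>();
    ShortCuts = new List<Shortcut>();

    if (fileKey == null || programsKey == null)
    {
        _logger.Error(
            "Hive does not contain a InventoryApplicationFile and/or InventoryApplication key. Processing cannot continue");
        return;
    }

    // ---- InventoryApplication: installed programs. Parsed first so that file entries can
    // ---- be linked to their program by ProgramId below.
    foreach (var registryKey in programsKey.SubKeys)
    {
        var bundleManifestPath = string.Empty;
        var hiddenArp = false;
        var inboxModernApp = false;
        DateTimeOffset? installDate = null;
        var language = 0;
        var manifestPath = string.Empty;
        var msiPackageCode = string.Empty;
        var msiProductCode = string.Empty;
        var name = string.Empty;
        var osVersionAtInstallTime = string.Empty;
        var packageFullName = string.Empty;
        var programId = string.Empty;
        var programInstanceId = string.Empty;
        var publisher = string.Empty;
        var registryKeyPath = string.Empty;
        var rootDirPath = string.Empty;
        var source = string.Empty;
        var storeAppType = string.Empty;
        var type = string.Empty;
        var uninstallString = string.Empty;
        var version = string.Empty;

        try
        {
            foreach (var registryKeyValue in registryKey.Values)
            {
                switch (registryKeyValue.ValueName)
                {
                    case "BundleManifestPath":
                        bundleManifestPath = registryKeyValue.ValueData;
                        break;
                    case "HiddenArp":
                        hiddenArp = registryKeyValue.ValueData == "1";
                        break;
                    case "InboxModernApp":
                        inboxModernApp = registryKeyValue.ValueData == "1";
                        break;
                    case "InstallDate":
                        installDate = ParseAmcacheDate(registryKeyValue.ValueData);
                        break;
                    case "Language":
                        language = int.Parse(registryKeyValue.ValueData);
                        break;
                    case "ManifestPath":
                        manifestPath = registryKeyValue.ValueData;
                        break;
                    case "MsiPackageCode":
                        msiPackageCode = registryKeyValue.ValueData;
                        break;
                    case "MsiProductCode":
                        msiProductCode = registryKeyValue.ValueData;
                        break;
                    case "Name":
                        name = registryKeyValue.ValueData;
                        break;
                    case "OSVersionAtInstallTime":
                        osVersionAtInstallTime = registryKeyValue.ValueData;
                        break;
                    case "PackageFullName":
                        packageFullName = registryKeyValue.ValueData;
                        break;
                    case "ProgramId":
                        programId = registryKeyValue.ValueData;
                        break;
                    case "ProgramInstanceId":
                        programInstanceId = registryKeyValue.ValueData;
                        break;
                    case "Publisher":
                        publisher = registryKeyValue.ValueData;
                        break;
                    case "RegistryKeyPath":
                        registryKeyPath = registryKeyValue.ValueData;
                        break;
                    case "RootDirPath":
                        rootDirPath = registryKeyValue.ValueData;
                        break;
                    case "Source":
                        source = registryKeyValue.ValueData;
                        break;
                    case "StoreAppType":
                        storeAppType = registryKeyValue.ValueData;
                        break;
                    case "Type":
                        type = registryKeyValue.ValueData;
                        break;
                    case "UninstallString":
                        uninstallString = registryKeyValue.ValueData;
                        break;
                    case "Version":
                        version = registryKeyValue.ValueData;
                        break;
                    default:
                        _logger.Warn(
                            $"Unknown value name in InventoryApplication at path {registryKey.KeyPath}: {registryKeyValue.ValueName}");
                        break;
                }
            }

            var pe = new ProgramsEntryNew(bundleManifestPath, hiddenArp, inboxModernApp, installDate, language,
                manifestPath, msiPackageCode, msiProductCode, name, osVersionAtInstallTime, packageFullName,
                programId, programInstanceId, publisher, registryKeyPath, rootDirPath, source, storeAppType, type,
                uninstallString, version, registryKey.LastWriteTime.Value);

            ProgramsEntries.Add(pe);
        }
        catch (Exception ex)
        {
            _logger.Error($"Error parsing ProgramsEntry at {registryKey.KeyPath}. Error: {ex.Message}");
            _logger.Error(
                $"Please send the following text to [email protected]. \r\n\r\nKey data: {registryKey}");
        }
    }

    // ---- InventoryApplicationFile: one subkey per executable. A file entry is kept even
    // ---- when one of its values fails to parse (the error is logged), so a single bad
    // ---- value does not drop the whole record from the output.
    foreach (var subKey in fileKey.SubKeys)
    {
        var binaryType = string.Empty;
        var binFileVersion = string.Empty;
        var binProductVersion = string.Empty;
        var fileId = string.Empty;
        var isOsComponent = false;
        var isPeFile = false;
        var language = 0;
        DateTimeOffset? linkDate = null;
        var longPathHash = string.Empty;
        var lowerCaseLongPath = string.Empty;
        var name = string.Empty;
        var productName = string.Empty;
        var productVersion = string.Empty;
        var programId = string.Empty;
        var publisher = string.Empty;
        var size = 0;
        var version = string.Empty;

        try
        {
            foreach (var subKeyValue in subKey.Values)
            {
                switch (subKeyValue.ValueName)
                {
                    case "BinaryType":
                        binaryType = subKeyValue.ValueData;
                        break;
                    case "BinFileVersion":
                        binFileVersion = subKeyValue.ValueData;
                        break;
                    case "BinProductVersion":
                        binProductVersion = subKeyValue.ValueData;
                        break;
                    case "FileId":
                        fileId = subKeyValue.ValueData;
                        break;
                    case "IsOsComponent":
                        isOsComponent = subKeyValue.ValueData == "1";
                        break;
                    case "IsPeFile":
                        isPeFile = subKeyValue.ValueData == "1";
                        break;
                    case "Language":
                        language = int.Parse(subKeyValue.ValueData);
                        break;
                    case "LinkDate":
                        linkDate = ParseAmcacheDate(subKeyValue.ValueData);
                        break;
                    case "LongPathHash":
                        longPathHash = subKeyValue.ValueData;
                        break;
                    case "LowerCaseLongPath":
                        lowerCaseLongPath = subKeyValue.ValueData;
                        break;
                    case "Name":
                        name = subKeyValue.ValueData;
                        break;
                    case "ProductName":
                        productName = subKeyValue.ValueData;
                        break;
                    case "ProductVersion":
                        productVersion = subKeyValue.ValueData;
                        break;
                    case "ProgramId":
                        programId = subKeyValue.ValueData;
                        break;
                    case "Publisher":
                        publisher = subKeyValue.ValueData;
                        break;
                    case "Size":
                        // NOTE(review): int.Parse overflows for files of 2 GiB or more; the
                        // entry then lands in the catch below with Size left at 0. Widening
                        // needs a matching change in FileEntryNew.
                        size = int.Parse(subKeyValue.ValueData);
                        break;
                    case "Version":
                        version = subKeyValue.ValueData;
                        break;
                    default:
                        _logger.Warn(
                            $"Unknown value name when processing FileEntry at path '{subKey.KeyPath}': {subKeyValue.ValueName}");
                        break;
                }
            }
        }
        catch (Exception ex)
        {
            _logger.Error($"Error parsing FileEntry at {subKey.KeyPath}. Error: {ex.Message}");
            _logger.Error(
                $"Please send the following text to [email protected]. \r\n\r\nKey data: {subKey}");
        }

        TotalFileEntries += 1;

        // NOTE(review): productVersion is passed as both the 3rd and the 13th argument while
        // binProductVersion goes last; confirm this ordering against FileEntryNew's parameter
        // list before relying on its BinProductVersion column.
        var fe = new FileEntryNew(binaryType, binFileVersion, productVersion, fileId, isOsComponent, isPeFile,
            language, linkDate, longPathHash, lowerCaseLongPath, name, productName, productVersion, programId,
            publisher, size, version, subKey.LastWriteTime.Value, binProductVersion);

        // Link the file to its program by ProgramId. FirstOrDefault rather than SingleOrDefault:
        // with deleted keys recovered, a recovered program key may share its ProgramId with a
        // live one, and that must not throw here or silently unlink the file.
        var program = string.IsNullOrEmpty(programId)
            ? null
            : ProgramsEntries.FirstOrDefault(t => t.ProgramId == programId);

        if (program != null)
        {
            fe.ApplicationName = program.Name;
            program.FileEntries.Add(fe);
        }
        else
        {
            fe.ApplicationName = "Unassociated";
            UnassociatedFileEntries.Add(fe);
        }
    }

    // ---- InventoryApplicationShortcut: key name plus the first value's data.
    var shortCutkey = reg.GetKey(@"Root\InventoryApplicationShortcut");
    if (shortCutkey != null)
    {
        foreach (var shortCutkeySubKey in shortCutkey.SubKeys)
        {
            // A subkey without any value (possible for a recovered deleted key) must not
            // abort the whole parse; record it with empty data instead.
            var firstValue = shortCutkeySubKey.Values.FirstOrDefault();
            var shortcutData = firstValue?.ValueData ?? string.Empty;

            ShortCuts.Add(new Shortcut(shortCutkeySubKey.KeyName, shortcutData,
                shortCutkeySubKey.LastWriteTime.Value));
        }
    }

    // ---- InventoryDeviceContainer
    var deviceKey = reg.GetKey(@"Root\InventoryDeviceContainer");
    if (deviceKey != null)
    {
        foreach (var deviceSubKey in deviceKey.SubKeys)
        {
            var categories = string.Empty;
            var discoveryMethod = string.Empty;
            var friendlyName = string.Empty;
            var icon = string.Empty;
            var isActive = false;
            var isConnected = false;
            var isMachineContainer = false;
            var isNetworked = false;
            var isPaired = false;
            var manufacturer = string.Empty;
            var modelId = string.Empty;
            var modelName = string.Empty;
            var modelNumber = string.Empty;
            var primaryCategory = string.Empty;
            var state = string.Empty;

            try
            {
                foreach (var keyValue in deviceSubKey.Values)
                {
                    switch (keyValue.ValueName)
                    {
                        case "Categories":
                            categories = keyValue.ValueData;
                            break;
                        case "DiscoveryMethod":
                            discoveryMethod = keyValue.ValueData;
                            break;
                        case "FriendlyName":
                            friendlyName = keyValue.ValueData;
                            break;
                        case "Icon":
                            icon = keyValue.ValueData;
                            break;
                        case "IsActive":
                            isActive = keyValue.ValueData == "1";
                            break;
                        case "IsConnected":
                            isConnected = keyValue.ValueData == "1";
                            break;
                        case "IsMachineContainer":
                            isMachineContainer = keyValue.ValueData == "1";
                            break;
                        case "IsNetworked":
                            isNetworked = keyValue.ValueData == "1";
                            break;
                        case "IsPaired":
                            isPaired = keyValue.ValueData == "1";
                            break;
                        case "Manufacturer":
                            manufacturer = keyValue.ValueData;
                            break;
                        case "ModelId":
                            modelId = keyValue.ValueData;
                            break;
                        case "ModelName":
                            modelName = keyValue.ValueData;
                            break;
                        case "ModelNumber":
                            modelNumber = keyValue.ValueData;
                            break;
                        case "PrimaryCategory":
                            primaryCategory = keyValue.ValueData;
                            break;
                        case "State":
                            state = keyValue.ValueData;
                            break;
                        default:
                            _logger.Warn(
                                $"Unknown value name when processing DeviceContainer at path '{deviceSubKey.KeyPath}': {keyValue.ValueName}");
                            break;
                    }
                }

                var dc = new DeviceContainer(deviceSubKey.KeyName, deviceSubKey.LastWriteTime.Value, categories,
                    discoveryMethod, friendlyName, icon, isActive, isConnected, isMachineContainer, isNetworked,
                    isPaired, manufacturer, modelId, modelName, modelNumber, primaryCategory, state);

                DeviceContainers.Add(dc);
            }
            catch (Exception ex)
            {
                _logger.Error($"Error parsing DeviceContainer at {deviceSubKey.KeyPath}. Error: {ex.Message}");
                _logger.Error(
                    $"Please send the following text to [email protected]. \r\n\r\nKey data: {deviceSubKey}");
            }
        }
    }

    // ---- InventoryDevicePnp: one subkey per PnP device instance.
    var pnpKey = reg.GetKey(@"Root\InventoryDevicePnp");
    if (pnpKey != null)
    {
        foreach (var pnpsKey in pnpKey.SubKeys)
        {
            var busReportedDescription = string.Empty;
            var deviceClass = string.Empty;
            var classGuid = string.Empty;
            var compid = string.Empty;
            var containerId = string.Empty;
            var description = string.Empty;
            var deviceState = string.Empty;
            var driverId = string.Empty;
            var driverName = string.Empty;
            var driverPackageStrongName = string.Empty;
            var driverVerDate = string.Empty;
            var driverVerVersion = string.Empty;
            var enumerator = string.Empty;
            var hwid = string.Empty;
            var inf = string.Empty;
            var installState = string.Empty;
            var manufacturer = string.Empty;
            var matchingId = string.Empty;
            var model = string.Empty;
            var parentId = string.Empty;
            var problemCode = string.Empty;
            var provider = string.Empty;
            var service = string.Empty;
            var stackid = string.Empty;

            try
            {
                foreach (var keyValue in pnpsKey.Values)
                {
                    switch (keyValue.ValueName)
                    {
                        case "BusReportedDescription":
                            busReportedDescription = keyValue.ValueData;
                            break;
                        case "Class":
                            deviceClass = keyValue.ValueData;
                            break;
                        case "ClassGuid":
                            classGuid = keyValue.ValueData;
                            break;
                        case "COMPID":
                            compid = keyValue.ValueData;
                            break;
                        case "ContainerId":
                            containerId = keyValue.ValueData;
                            break;
                        case "Description":
                            description = keyValue.ValueData;
                            break;
                        case "DeviceState":
                            deviceState = keyValue.ValueData;
                            break;
                        case "DriverId":
                            driverId = keyValue.ValueData;
                            break;
                        case "DriverName":
                            driverName = keyValue.ValueData;
                            break;
                        case "DriverPackageStrongName":
                            driverPackageStrongName = keyValue.ValueData;
                            break;
                        case "DriverVerDate":
                            driverVerDate = keyValue.ValueData;
                            break;
                        case "DriverVerVersion":
                            driverVerVersion = keyValue.ValueData;
                            break;
                        case "Enumerator":
                            enumerator = keyValue.ValueData;
                            break;
                        case "HWID":
                            hwid = keyValue.ValueData;
                            break;
                        case "Inf":
                            inf = keyValue.ValueData;
                            break;
                        case "InstallState":
                            installState = keyValue.ValueData;
                            break;
                        case "Manufacturer":
                            manufacturer = keyValue.ValueData;
                            break;
                        case "MatchingID":
                            matchingId = keyValue.ValueData;
                            break;
                        case "Model":
                            model = keyValue.ValueData;
                            break;
                        case "ParentId":
                            parentId = keyValue.ValueData;
                            break;
                        case "ProblemCode":
                            problemCode = keyValue.ValueData;
                            break;
                        case "Provider":
                            provider = keyValue.ValueData;
                            break;
                        case "Service":
                            service = keyValue.ValueData;
                            break;
                        case "STACKID":
                            stackid = keyValue.ValueData;
                            break;
                        // Known value names that are intentionally not captured; listed so
                        // they do not show up as "unknown value" warnings.
                        case "LowerClassFilters":
                        case "LowerFilters":
                        case "UpperClassFilters":
                        case "UpperFilters":
                            break;
                        default:
                            _logger.Warn(
                                $"Unknown value name when processing DevicePnp at path '{pnpsKey.KeyPath}': {keyValue.ValueName}");
                            break;
                    }
                }

                // Stamp the entry with its own subkey's last-write time, not the parent
                // InventoryDevicePnp key's (which would give every device the same time).
                var dp = new DevicePnp(pnpsKey.KeyName, pnpsKey.LastWriteTime.Value, busReportedDescription,
                    deviceClass, classGuid, compid, containerId, description, deviceState, driverId, driverName,
                    driverPackageStrongName, driverVerDate, driverVerVersion, enumerator, hwid, inf, installState,
                    manufacturer, matchingId, model, parentId, problemCode, provider, service, stackid);

                DevicePnps.Add(dp);
            }
            catch (Exception ex)
            {
                _logger.Error($"Error parsing DevicePnp at {pnpsKey.KeyPath}. Error: {ex.Message}");
                _logger.Error(
                    $"Please send the following text to [email protected]. \r\n\r\nKey data: {pnpsKey}");
            }
        }
    }

    // ---- InventoryDriverBinary: one subkey per driver image.
    var binaryKey = reg.GetKey(@"Root\InventoryDriverBinary");
    if (binaryKey != null)
    {
        foreach (var binKey in binaryKey.SubKeys)
        {
            var driverCheckSum = 0;
            var driverCompany = string.Empty;
            var driverId = string.Empty;
            var driverInBox = false;
            var driverIsKernelMode = false;
            DateTimeOffset? driverLastWriteTime = null;
            var driverName = string.Empty;
            var driverPackageStrongName = string.Empty;
            var driverSigned = false;
            DateTimeOffset? driverTimeStamp = null;
            var driverType = string.Empty;
            var driverVersion = string.Empty;
            var imageSize = 0;
            var inf = string.Empty;
            var product = string.Empty;
            var productVersion = string.Empty;
            var service = string.Empty;
            var wdfVersion = string.Empty;

            try
            {
                foreach (var keyValue in binKey.Values)
                {
                    switch (keyValue.ValueName)
                    {
                        case "DriverCheckSum":
                            // NOTE(review): stored as a signed int; a checksum above
                            // int.MaxValue overflows here and the entry is lost to the catch.
                            driverCheckSum = int.Parse(keyValue.ValueData);
                            break;
                        case "DriverCompany":
                            driverCompany = keyValue.ValueData;
                            break;
                        case "DriverId":
                            driverId = keyValue.ValueData;
                            break;
                        case "DriverInBox":
                            driverInBox = keyValue.ValueData == "1";
                            break;
                        case "DriverIsKernelMode":
                            driverIsKernelMode = keyValue.ValueData == "1";
                            break;
                        case "DriverLastWriteTime":
                            driverLastWriteTime = ParseAmcacheDate(keyValue.ValueData);
                            break;
                        case "DriverName":
                            driverName = keyValue.ValueData;
                            break;
                        case "DriverPackageStrongName":
                            driverPackageStrongName = keyValue.ValueData;
                            break;
                        case "DriverSigned":
                            driverSigned = keyValue.ValueData == "1";
                            break;
                        case "DriverTimeStamp":
                            // Unix epoch seconds; zero means "not set" and is left as null.
                            var seca = long.Parse(keyValue.ValueData);
                            if (seca > 0)
                            {
                                driverTimeStamp = DateTimeOffset.FromUnixTimeSeconds(seca).ToUniversalTime();
                            }

                            break;
                        case "DriverType":
                            driverType = keyValue.ValueData;
                            break;
                        case "DriverVersion":
                            driverVersion = keyValue.ValueData;
                            break;
                        case "ImageSize":
                            imageSize = int.Parse(keyValue.ValueData);
                            break;
                        case "Inf":
                            inf = keyValue.ValueData;
                            break;
                        case "Product":
                            product = keyValue.ValueData;
                            break;
                        case "ProductVersion":
                            productVersion = keyValue.ValueData;
                            break;
                        case "Service":
                            service = keyValue.ValueData;
                            break;
                        case "WdfVersion":
                            wdfVersion = keyValue.ValueData;
                            break;
                        // Known value names that are intentionally not captured.
                        case "(default)":
                        case "COMPID":
                        case "HWID":
                            break;
                        default:
                            _logger.Warn(
                                $"Unknown value name when processing DriverBinary at path '{binKey.KeyPath}': {keyValue.ValueName}");
                            break;
                    }
                }

                // Own subkey's last-write time, not the parent InventoryDriverBinary key's.
                var db = new DriverBinary(binKey.KeyName, binKey.LastWriteTime.Value, driverCheckSum, driverCompany,
                    driverId, driverInBox, driverIsKernelMode, driverLastWriteTime, driverName,
                    driverPackageStrongName, driverSigned, driverTimeStamp, driverType, driverVersion, imageSize,
                    inf, product, productVersion, service, wdfVersion);

                DriveBinaries.Add(db);
            }
            catch (Exception ex)
            {
                _logger.Error($"Error parsing DriverBinary at {binKey.KeyPath}. Error: {ex.Message}");
                _logger.Error(
                    $"Please send the following text to [email protected]. \r\n\r\nKey data: {binKey}");
            }
        }
    }

    // ---- InventoryDriverPackage: one subkey per installed driver package (INF).
    var packaheKey = reg.GetKey(@"Root\InventoryDriverPackage");
    if (packaheKey != null)
    {
        foreach (var packKey in packaheKey.SubKeys)
        {
            var driverClass = string.Empty;
            var classGuid = string.Empty;
            DateTimeOffset? date = null;
            var directory = string.Empty;
            var driverInBox = false;
            var hwids = string.Empty;
            var inf = string.Empty;
            var provider = string.Empty;
            var submissionId = string.Empty;
            var sysFile = string.Empty;
            var version = string.Empty;

            try
            {
                foreach (var keyValue in packKey.Values)
                {
                    switch (keyValue.ValueName)
                    {
                        case "Class":
                            driverClass = keyValue.ValueData;
                            break;
                        case "ClassGuid":
                            classGuid = keyValue.ValueData;
                            break;
                        case "Date":
                            date = ParseAmcacheDate(keyValue.ValueData);
                            break;
                        case "Directory":
                            directory = keyValue.ValueData;
                            break;
                        case "DriverInBox":
                            driverInBox = keyValue.ValueData == "1";
                            break;
                        case "Hwids":
                            hwids = keyValue.ValueData;
                            break;
                        case "Inf":
                            inf = keyValue.ValueData;
                            break;
                        case "Provider":
                            provider = keyValue.ValueData;
                            break;
                        case "SubmissionId":
                            submissionId = keyValue.ValueData;
                            break;
                        case "SYSFILE":
                            sysFile = keyValue.ValueData;
                            break;
                        case "Version":
                            version = keyValue.ValueData;
                            break;
                        // Known value name that is intentionally not captured.
                        case "IsActive":
                            break;
                        default:
                            _logger.Warn(
                                $"Unknown value name when processing DriverPackage at path '{packKey.KeyPath}': {keyValue.ValueName}");
                            break;
                    }
                }

                // Own subkey's last-write time, not the parent InventoryDriverPackage key's.
                var dp = new DriverPackage(packKey.KeyName, packKey.LastWriteTime.Value, driverClass, classGuid, date,
                    directory, driverInBox, hwids, inf, provider, submissionId, sysFile, version);

                DriverPackages.Add(dp);
            }
            catch (Exception ex)
            {
                _logger.Error($"Error parsing DriverPackage at {packKey.KeyPath}. Error: {ex.Message}");
                _logger.Error(
                    $"Please send the following text to [email protected]. \r\n\r\nKey data: {packKey}");
            }
        }
    }
}

/// <summary>
/// Parses one of the date strings Amcache stores (InstallDate, LinkDate, DriverLastWriteTime,
/// Date) into a UTC timestamp.
/// </summary>
/// <param name="value">Raw value data; null or empty yields <c>null</c>.</param>
/// <returns>The parsed instant, or <c>null</c> when <paramref name="value"/> is empty.</returns>
/// <exception cref="FormatException">The value is not a recognizable date; callers log and skip the key.</exception>
private static DateTimeOffset? ParseAmcacheDate(string value)
{
    if (string.IsNullOrEmpty(value))
    {
        return null;
    }

    // The strings are machine-written, so they are parsed with the invariant culture: under
    // a dd/MM locale the current-culture parse would swap or reject month and day, silently
    // corrupting or dropping timestamps. The ticks are taken verbatim and stamped as UTC.
    var parsed = DateTime.Parse(value, System.Globalization.DateTimeFormatInfo.InvariantInfo);
    return new DateTimeOffset(parsed.Ticks, TimeSpan.Zero);
}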