/// <summary>
/// Looks up <paramref name="key"/> in <paramref name="registry"/> and returns
/// <c>null</c> instead of throwing when the lookup fails.
/// </summary>
/// <param name="registry">On-demand hive to query.</param>
/// <param name="key">Key path, passed unchanged to <c>GetKey</c>.</param>
/// <returns>The key returned by <c>GetKey</c>, or <c>null</c> if any exception was thrown.</returns>
/// <remarks>
/// Every exception type is swallowed here, so the caller cannot tell a missing key from
/// a damaged hive or a null <paramref name="registry"/>. A null result is therefore not
/// proof that the key is absent from the hive.
/// </remarks>
private Registry.Abstractions.RegistryKey OpenKey(Registry.RegistryHiveOnDemand registry, string key)
{
    Registry.Abstractions.RegistryKey found;

    try
    {
        found = registry.GetKey(key);
    }
    catch (Exception)
    {
        // Best-effort lookup: any failure is reported to the caller as "no key".
        found = null;
    }

    return found;
}
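/// <summary>
/// Reports whether the examined system is 32-bit, based on the
/// <c>PROCESSOR_ARCHITECTURE</c> value under <c>Control\Session Manager\Environment</c>.
/// </summary>
/// <param name="fileName">
/// Path to an offline hive file. Null or empty selects the live registry of the
/// machine running the tool.
/// </param>
/// <returns><c>true</c> when the value is exactly <c>"x86"</c> (case-sensitive); otherwise <c>false</c>.</returns>
/// <exception cref="NullReferenceException">
/// Thrown when the architecture value cannot be found.
/// </exception>
/// <remarks>
/// For an offline hive the control set is chosen from <c>Select\Current</c>. The hive
/// content is read as-is: a missing <c>Select</c> key or a non-numeric <c>Current</c>
/// value surfaces as an exception from the lookup or from <c>int.Parse</c>.
/// </remarks>
public static bool Is32Bit(string fileName)
{
    // IsNullOrEmpty rather than Length == 0: a null path must mean "live registry",
    // not an unrelated NullReferenceException on the argument itself.
    if (string.IsNullOrEmpty(fileName))
    {
        using (var envKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(
                   @"SYSTEM\CurrentControlSet\Control\Session Manager\Environment"))
        {
            var liveValue = envKey?.GetValue("PROCESSOR_ARCHITECTURE");

            if (liveValue != null)
            {
                return liveValue.ToString().Equals("x86");
            }
        }
    }
    else
    {
        var hive = new RegistryHiveOnDemand(fileName);

        var selectKey = hive.GetKey("Select");
        var currentCtlSet = int.Parse(selectKey.Values.Single(c => c.ValueName == "Current").ValueData);

        // Control set key names carry a three-digit suffix (ControlSet001, ControlSet010, ...).
        // A fixed "00" prefix would build a non-existent name for set numbers of 10 and above.
        var envKey = hive.GetKey($"ControlSet{currentCtlSet:D3}\\Control\\Session Manager\\Environment");

        var hiveValue = envKey?.Values.SingleOrDefault(c => c.ValueName == "PROCESSOR_ARCHITECTURE");

        if (hiveValue != null)
        {
            return hiveValue.ValueData.Equals("x86");
        }
    }

    // Exception type kept as-is because existing callers may catch it.
    throw new NullReferenceException("Unable to determine CPU architecture!");
}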
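/// <summary>
/// Loads the raw <c>AppCompatCache</c> value from an offline SYSTEM hive, or from the
/// live registry, and passes it to <c>Init</c> with the detected bitness and computer name.
/// </summary>
/// <param name="filename">
/// Path to an offline hive file. Null or empty selects the live registry of the
/// machine running the tool.
/// </param>
/// <exception cref="FileNotFoundException">A non-empty <paramref name="filename"/> does not exist.</exception>
/// <remarks>
/// When the key or value cannot be found, the constructor prints a message and returns
/// without calling <c>Init</c>. The caller still receives an instance, so it should not
/// treat a successful construction as proof that cache entries were parsed.
/// </remarks>
public AppCompatCache(string filename)
{
    byte[] rawBytes = null;

    var isLiveRegistry = string.IsNullOrEmpty(filename);

    if (isLiveRegistry)
    {
        var localMachine = Microsoft.Win32.Registry.LocalMachine;

        // Try the AppCompatCache key first, then fall back to AppCompatibility.
        var liveKey =
            localMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache")
            ?? localMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility");

        if (liveKey == null)
        {
            Console.WriteLine(
                @"'CurrentControlSet\Control\Session Manager\AppCompatCache' key not found! Exiting");
            return;
        }

        // Release the registry handle as soon as the value has been copied out.
        using (liveKey)
        {
            rawBytes = (byte[]) liveKey.GetValue("AppCompatCache", null);
        }
    }
    else
    {
        if (!File.Exists(filename))
        {
            throw new FileNotFoundException($"File not found ({filename})!");
        }

        var hive = new RegistryHiveOnDemand(filename);

        // Select\Current names the control set that was active; parse that one only.
        var selectKey = hive.GetKey("Select");
        var currentCtlSet = int.Parse(selectKey.Values.Single(c => c.ValueName == "Current").ValueData);

        // Control set key names carry a three-digit suffix (ControlSet001, ControlSet010, ...).
        // A fixed "00" prefix would build a non-existent name for set numbers of 10 and above.
        var controlRoot = $@"ControlSet{currentCtlSet:D3}\Control\Session Manager";

        var cacheKey = hive.GetKey($@"{controlRoot}\AppCompatCache")
                       ?? hive.GetKey($@"{controlRoot}\AppCompatibility");

        var cacheValue = cacheKey?.Values.SingleOrDefault(c => c.ValueName == "AppCompatCache");

        if (cacheValue != null)
        {
            rawBytes = cacheValue.ValueDataRaw;
        }
    }

    if (rawBytes == null)
    {
        Console.WriteLine(@"'AppCompatCache' value not found! Exiting");
        return;
    }

    // A null filename was accepted above as "live registry"; hand the helpers an empty
    // string so they take the same branch instead of dereferencing null.
    var source = filename ?? string.Empty;

    var is32 = Is32Bit(source);
    string computerName = ComputerName(source);

    Init(rawBytes, is32, computerName);
}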
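/// <summary>
/// Retrieves the <c>ComputerName</c> value from
/// <c>Control\ComputerName\ComputerName</c> in an offline SYSTEM hive or the live registry.
/// </summary>
/// <param name="fileName">
/// Path to an offline hive file. Null or empty selects the live registry of the
/// machine running the tool.
/// </param>
/// <returns>
/// The stored computer name, or <c>null</c> when the key or value is missing. Both
/// sources report a missing name the same way, so a hive without the value does not
/// abort parsing.
/// </returns>
/// <remarks>
/// For an offline hive the control set is chosen from <c>Select\Current</c>. A missing
/// <c>Select</c> key or a non-numeric <c>Current</c> value still surfaces as an exception.
/// </remarks>
public static string ComputerName(string fileName)
{
    // IsNullOrEmpty rather than Length == 0: a null path must mean "live registry".
    if (string.IsNullOrEmpty(fileName))
    {
        using (var nameKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(
                   @"SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName"))
        {
            // GetValue returns null for an absent value; guard it as well as the key.
            return nameKey?.GetValue("ComputerName")?.ToString();
        }
    }

    var hive = new RegistryHiveOnDemand(fileName);

    var selectKey = hive.GetKey("Select");
    var currentCtlSet = int.Parse(selectKey.Values.Single(c => c.ValueName == "Current").ValueData);

    // Control set key names carry a three-digit suffix (ControlSet001, ControlSet010, ...).
    // A fixed "00" prefix would build a non-existent name for set numbers of 10 and above.
    var hiveNameKey = hive.GetKey($"ControlSet{currentCtlSet:D3}\\Control\\ComputerName\\ComputerName");

    return hiveNameKey?.Values.SingleOrDefault(c => c.ValueName == "ComputerName")?.ValueData;
}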