/// <summary> /// Recursively iterates over the a registry key and its subkeys for enumerating all values of the keys and subkeys /// </summary> /// <param name="rk">the root registry key to start iterating over</param> /// <param name="hive">the offline registry hive</param> /// <param name="subKey">the path of the first subkey under the root key</param> /// <param name="indent"></param> /// <param name="path_prefix">the header to the current root key, needed for identification of the registry store</param> /// <returns></returns> static List <RegistryKeyWrapper> IterateRegistry(RegistryKey rk, RegistryHiveOnDemand hive, string subKey, RegistryKeyWrapper parent, string path_prefix) { List <RegistryKeyWrapper> retList = new List <RegistryKeyWrapper>(); if (rk == null) { return(retList); } foreach (RegistryKey valueName in rk.SubKeys) { if (valueName.KeyName.ToUpper() == "ASSOCIATIONS") { continue; } string sk = getSubkeyString(subKey, valueName.KeyName); logger.Trace("{0}", sk); RegistryKey rkNext; try { rkNext = hive.GetKey(getSubkeyString(rk.KeyPath, valueName.KeyName)); } catch (System.Security.SecurityException ex) { logger.Warn("ACCESS DENIED: " + ex.Message); continue; } string path = path_prefix; RegistryKeyWrapper rkNextWrapper = null; bool isNumeric = int.TryParse(valueName.KeyName, out _); if (isNumeric) { try { KeyValue rkValue = rk.Values.First(val => val.ValueName == valueName.KeyName); byte[] byteVal = rkValue.ValueDataRaw; rkNextWrapper = new RegistryKeyWrapper(rkNext, byteVal, hive, parent); retList.Add(rkNextWrapper); } catch (OverrunBufferException ex) { logger.Warn("OverrunBufferException: " + valueName.KeyName); } catch (Exception ex) { logger.Warn(valueName.KeyName); } } retList.AddRange(IterateRegistry(rkNext, hive, sk, rkNextWrapper, path)); } return(retList); }
/// <summary> /// Wraps a IShellItem with the relevant Registry Metadata from which it was produced. /// Adds registry related properties to the <seealso cref="IShellItem.GetAllProperties"/> method return /// </summary> /// <param name="shellItem">The Shellitem to be encapsulated. Cannot be null</param> /// <param name="regKey">The Wrapper containing the information to be added to the <see cref="IShellItem"/> Can't be Null.</param> /// <param name="parentShellItem">The Shellitem which when hierarchically organized, contains the Shellitem. Can be null </param> public RegistryShellItemDecorator(IShellItem shellItem, RegistryKeyWrapper regKey, IShellItem parentShellItem = null) { BaseShellItem = shellItem ?? throw new ArgumentNullException(nameof(shellItem)); RegKey = regKey ?? throw new ArgumentNullException(nameof(regKey)); AbsolutePath = SetAbsolutePath(parentShellItem); }
/// <summary> /// Recursively iterates over the a registry key and its subkeys for enumerating all values of the keys and subkeys /// </summary> /// <param name="rk">The root registry key to start iterating over</param> /// <param name="subKey">the path of the first subkey under the root key</param> /// <param name="parent">The Parent Key of the Registry Key currently being iterated. Can be null</param> /// <returns></returns> static List <RegistryKeyWrapper> IterateRegistry(RegistryKey rk, string subKey, RegistryKeyWrapper parent) { List <RegistryKeyWrapper> retList = new List <RegistryKeyWrapper>(); if (rk == null) { return(retList); } string[] subKeys = rk.GetSubKeyNames(); string[] values = rk.GetValueNames(); logger.Trace("**" + subKey); foreach (string valueName in subKeys) { if (valueName.ToUpper() == "ASSOCIATIONS") { continue; } string sk = getSubkeyString(subKey, valueName); logger.Trace("{0}", sk); RegistryKey rkNext; try { rkNext = rk.OpenSubKey(valueName); } catch (System.Security.SecurityException ex) { logger.Warn("ACCESS DENIED: " + ex.Message); continue; } RegistryKeyWrapper rkNextWrapper = null; //shellbags only have their numerical identifer for the value name, not a shellbag otherwise bool isNumeric = int.TryParse(valueName, out _); if (isNumeric) { try { byte[] byteVal = (byte[])rk.GetValue(valueName); rkNextWrapper = new RegistryKeyWrapper(rkNext, byteVal, parent); retList.Add(rkNextWrapper); } catch (OverrunBufferException ex) { logger.Warn("OverrunBufferException: " + valueName); } catch (Exception ex) { logger.Warn(valueName + '\n' + ex); } } retList.AddRange(IterateRegistry(rkNext, sk, rkNextWrapper)); } return(retList); }