using System; using System.Collections.Generic; using System.Linq; using Microsoft.Win32; namespace winPEAS.Helpers { static class RegistryHelper { /////////////////////////////////////////// /// Interf. for Keys and Values in Reg. /// /////////////////////////////////////////// /// Functions related to obtain keys and values from the registry /// Some parts adapted from Seatbelt public static string GetRegValue(string hive, string path, string value) { // returns a single registry value under the specified path in the specified hive (HKLM/HKCU) string regKeyValue = ""; if (hive == "HKCU") { var regKey = Registry.CurrentUser.OpenSubKey(path); if (regKey != null) { regKeyValue = string.Format("{0}", regKey.GetValue(value)); } return regKeyValue; } else if (hive == "HKU") { var regKey = Registry.Users.OpenSubKey(path); if (regKey != null) { regKeyValue = string.Format("{0}", regKey.GetValue(value)); } return regKeyValue; } else { var regKey = Registry.LocalMachine.OpenSubKey(path); if (regKey != null) { regKeyValue = string.Format("{0}", regKey.GetValue(value)); } return regKeyValue; } } public static Dictionary GetRegValues(string hive, string path) { // returns all registry values under the specified path in the specified hive (HKLM/HKCU) Dictionary keyValuePairs = null; try { if (hive == "HKCU") { using (var regKeyValues = Registry.CurrentUser.OpenSubKey(path)) { if (regKeyValues != null) { var valueNames = regKeyValues.GetValueNames(); keyValuePairs = valueNames.ToDictionary(name => name, regKeyValues.GetValue); } } } else if (hive == "HKU") { using (var regKeyValues = Registry.Users.OpenSubKey(path)) { if (regKeyValues != null) { var valueNames = regKeyValues.GetValueNames(); keyValuePairs = valueNames.ToDictionary(name => name, regKeyValues.GetValue); } } } else { using (var regKeyValues = Registry.LocalMachine.OpenSubKey(path)) { if (regKeyValues != null) { var valueNames = regKeyValues.GetValueNames(); keyValuePairs = valueNames.ToDictionary(name => name, regKeyValues.GetValue); } } } return keyValuePairs; } catch { return null; } } public static byte[] GetRegValueBytes(string hive, string path, string value) { // returns a byte array of single registry value under the specified path in the specified hive (HKLM/HKCU) byte[] regKeyValue = null; if (hive == "HKCU") { var regKey = Registry.CurrentUser.OpenSubKey(path); if (regKey != null) { regKeyValue = (byte[])regKey.GetValue(value); } return regKeyValue; } else if (hive == "HKU") { var regKey = Registry.Users.OpenSubKey(path); if (regKey != null) { regKeyValue = (byte[])regKey.GetValue(value); } return regKeyValue; } else { var regKey = Registry.LocalMachine.OpenSubKey(path); if (regKey != null) { regKeyValue = (byte[])regKey.GetValue(value); } return regKeyValue; } } public static string[] GetRegSubkeys(string hive, string path) { // returns an array of the subkeys names under the specified path in the specified hive (HKLM/HKCU/HKU) try { RegistryKey myKey = null; if (hive == "HKLM") { myKey = Registry.LocalMachine.OpenSubKey(path); } else if (hive == "HKU") { myKey = Registry.Users.OpenSubKey(path); } else { myKey = Registry.CurrentUser.OpenSubKey(path); } String[] subkeyNames = myKey.GetSubKeyNames(); return myKey.GetSubKeyNames(); } catch { return new string[0]; } } } }