Exemple #1
0
//----------------------------------------------------------------
int FileContient(char * file, char *chaine)
{
  int ret = -1;

  HANDLE hfile = CreateFile(file,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0);
  if (hfile != INVALID_HANDLE_VALUE)
  {
    DWORD dw =0, filesz = 0;
    filesz = GetFileSize(hfile,NULL);
    if (filesz > 0)
    {
      char *datas = malloc(filesz+1);
      if (datas != NULL)
      {
        if (ReadFile(hfile, datas, filesz, &dw, 0))
        {
          if(Contient(charToLowChar(datas), charToLowChar(chaine)) > -1) ret = TRUE;
          else ret = FALSE;
        }
        free(datas);
      }
    }
    CloseHandle(hfile);
  }
  return ret;
}
Exemple #2
0
//------------------------------------------------------------------------------
char *extractExtFromFile(char *file, char *ext, unsigned int ext_size_max)
{
  char *c = file;
  ext[0]  = 0;

  while(*c++);
  while(*c!='\\' && *c!='/' && *c!='.' && c>file)c--;
  if (*c == '.')
  {
    c++;
    strncpy(ext,c,ext_size_max);
    charToLowChar(ext);
    return ext;
  }else return NULL;
}
//------------------------------------------------------------------------------
void scan_file(char *path, HANDLE htv)
{
  WIN32_FIND_DATA data;
  char tmp_path[MAX_PATH], file[MAX_PATH];

  snprintf(tmp_path,MAX_PATH,"%s*.*",path);
  HANDLE hfic = FindFirstFile(tmp_path, &data);
  if (hfic == INVALID_HANDLE_VALUE)return;
  do
  {
    // return
    if(data.cFileName[0] == '.' && (data.cFileName[1] == 0 || data.cFileName[1] == '.')){}
    else if (data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
    {
      snprintf(tmp_path,MAX_PATH,"%s%s\\",path,data.cFileName);
      scan_file(tmp_path, htv);
    }else //file
    {
      strncpy(file,data.cFileName,MAX_PATH);
      AddItemFiletoTreeView(htv, charToLowChar(file), path, NULL);
    }
  }while(FindNextFile (hfic,&data));
}
//------------------------------------------------------------------------------
//------------------------------------------------------------------------------
DWORD WINAPI Scan_registry_user(LPVOID lParam)
{
  //init
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;

  char file[MAX_PATH], file_SAM[MAX_PATH]="";
  HK_F_OPEN hks;

  char sk[MAX_PATH]="";

  char computer[DEFAULT_TMP_SIZE]="";
  BOOL ok_computer = FALSE;

  //files or local
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);
  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_REGISTRY]);
  if (hitem!=NULL || !LOCAL_SCAN) //files
  {
    while(hitem!=NULL)
    {
      file[0] = 0;
      GetTextFromTrv(hitem, file, MAX_PATH);
      if (file[0] != 0)
      {
        charToLowChar(file);
        //check for SAM files
        if ((Contient(file,"sam")) && file_SAM[0] == 0)
        {
          strcpy(file_SAM,file);
          hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
          continue;
        }

        //open file + verify
        if(OpenRegFiletoMem(&hks, file))
        {
          //get syskey
          registry_syskey_file(&hks, sk, MAX_PATH);

          if (!ok_computer)
          {
            char tmp[DEFAULT_TMP_SIZE]="";
            Readnk_Value(hks.buffer, hks.taille_fic, (hks.pos_fhbin)+HBIN_HEADER_SIZE, hks.position, "ControlSet001\\Control\\ComputerName\\ComputerName", NULL,"ComputerName", tmp, DEFAULT_TMP_SIZE);

            if (tmp[0]!=0)
            {
              strcpy(computer,tmp);
              ok_computer = TRUE;
            }
          }

          Scan_registry_user_file(&hks, db, session_id,computer);

          CloseRegFiletoMem(&hks);
        }
      }
      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }

    //SAM file in last
    if (file_SAM[0] != 0)
    {
      //open file + verify
      if(OpenRegFiletoMem(&hks, file_SAM))
      {
        Scan_registry_user_file(&hks, db, session_id,computer);
        CloseRegFiletoMem(&hks);
      }
    }


  }else Scan_registry_user_local(db, session_id);

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[(unsigned int)lParam] = 0;
  return 0;
}
//------------------------------------------------------------------------------
//format : http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
DWORD WINAPI Scan_prefetch(LPVOID lParam)
{
  sqlite3 *db = (sqlite3 *)db_scan;
  unsigned int session_id = current_session_id;

  #ifdef CMD_LINE_ONLY_NO_DB
  printf("\"Prefetch\";\"file\";\"path\";\"create_time\";\"last_update\";\"last_access\";\"count\";\"exec\";\"session_id\";\"depend\";\r\n");
  #endif
  //check if local or not :)
  HTREEITEM hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_CHILD, (LPARAM)TRV_HTREEITEM_CONF[FILES_TITLE_APPLI]);
  if (hitem!=NULL || !LOCAL_SCAN || WINE_OS)
  {
    if(!SQLITE_FULL_SPEED)sqlite3_exec(db,"BEGIN TRANSACTION;", NULL, NULL, NULL);
    char tmp_file_pref[MAX_PATH],ext[MAX_PATH];
    while(hitem!=NULL)
    {
      tmp_file_pref[0] = 0;
      ext[0]           = 0;
      GetTextFromTrv(hitem, tmp_file_pref, MAX_PATH);
      if (!strcmp("pf",extractExtFromFile(charToLowChar(tmp_file_pref), ext, MAX_PATH)))
        PfCheck(session_id, db, tmp_file_pref);

      hitem = (HTREEITEM)SendMessage(htrv_files, TVM_GETNEXTITEM,(WPARAM)TVGN_NEXT, (LPARAM)hitem);
    }

    if(!SQLITE_FULL_SPEED)sqlite3_exec(db,"END TRANSACTION;", NULL, NULL, NULL);
    h_thread_test[(unsigned int)lParam] = 0;
    check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan
    return 0;
  }

  //init
  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"BEGIN TRANSACTION;", NULL, NULL, NULL);

  //get system path
  char path[MAX_PATH] ="%WINDIR%\\Prefetch\\*.pf";
  ReplaceEnv("WINDIR",path,MAX_PATH);

  char path_f[MAX_PATH];

  WIN32_FIND_DATA data;
  HANDLE hfic = FindFirstFile(path, &data);
  if (hfic != INVALID_HANDLE_VALUE)
  {
    do
    {
      if((data.cFileName[0] == '.' && (data.cFileName[1] == 0 || data.cFileName[1] == '.')) || (data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)){}
      else
      {
        strncpy(path_f,path,MAX_PATH);
        path_f[strlen(path_f)-4]=0;
        strncat(path_f,data.cFileName,MAX_PATH);
        strncat(path_f,"\0",MAX_PATH);

        PfCheck(session_id, db, path_f);
      }
    }while(FindNextFile (hfic,&data) && start_scan);
  }

  if(!SQLITE_FULL_SPEED)sqlite3_exec(db_scan,"END TRANSACTION;", NULL, NULL, NULL);
  check_treeview(htrv_test, H_tests[(unsigned int)lParam], TRV_STATE_UNCHECK);//db_scan
  h_thread_test[(unsigned int)lParam] = 0;
  return 0;
}
//------------------------------------------------------------------------------
void reg_read_enum_MRUNvalues(HKEY hk,char *chkey,char *key,char *exclu,char* description_id,unsigned int session_id, sqlite3 *db)
{
  HKEY CleTmp;
  if (RegOpenKey(hk,key,&CleTmp)!=ERROR_SUCCESS)return;

  DWORD nbValue,i,j;
  FILETIME last_update;
  if (RegQueryInfoKey (CleTmp,0,0,0,0,0,0,&nbValue,0,0,0,&last_update)!=ERROR_SUCCESS)
  {
    RegCloseKey(CleTmp);
    return;
  }

  //get date
  char parent_key_update[DATE_SIZE_MAX] = "";
  filetimeToString_GMT(last_update, parent_key_update, DATE_SIZE_MAX);

  //read USER + RID + SID
  char tmp[MAX_PATH];
  char user[MAX_PATH], RID[MAX_PATH], sid[MAX_PATH];
  GetRegistryKeyOwner(CleTmp, user, RID, sid, MAX_PATH);

  //enum values
  char value[MAX_PATH], data[MAX_PATH];
  DWORD valueSize,dataSize,type;
  for (i=0;i<nbValue && start_scan;i++)
  {
    valueSize = MAX_PATH;
    dataSize  = MAX_PATH;
    value[0]  = 0;
    data[0]   = 0;
    type      = 0;
    if (RegEnumValue (CleTmp,i,(LPTSTR)value,(LPDWORD)&valueSize,0,(LPDWORD)&type,(LPBYTE)data,(LPDWORD)&dataSize)==ERROR_SUCCESS)
    {
      if (Contient(charToLowChar(value),exclu))
      {
        switch(type)
        {
          case REG_EXPAND_SZ:
          case REG_SZ:
            convertStringToSQL(value, MAX_PATH);
            convertStringToSQL(data, MAX_PATH);
            addRegistryMRUtoDB("",chkey,key,value,data,description_id,user,RID,sid,parent_key_update,session_id,db);break;
          case REG_BINARY:
          case REG_LINK:
            snprintf(tmp,MAX_PATH,"%S",data);
            convertStringToSQL(value, MAX_PATH);
            convertStringToSQL(tmp, MAX_PATH);
            addRegistryMRUtoDB("",chkey,key,value,tmp,description_id,user,RID,sid,parent_key_update,session_id,db);break;
          case REG_MULTI_SZ:
            for (j=0;j<dataSize;j++)
            {
              if (data[j] == 0)data[j]=';';
            }
            convertStringToSQL(value, MAX_PATH);
            convertStringToSQL(data, MAX_PATH);
            addRegistryMRUtoDB("",chkey,key,value,data,description_id,user,RID,sid,parent_key_update,session_id,db);break;
        }
      }
    }
  }
  RegCloseKey(CleTmp);
}
//------------------------------------------------------------------------------
int callback_sqlite_registry_mru_file(void *datas, int argc, char **argv, char **azColName)
{
  FORMAT_CALBAK_TYPE *type = datas;
  unsigned int session_id = current_session_id;
  char tmp[MAX_LINE_SIZE];

  switch(type->type)
  {
    case SQLITE_REGISTRY_TYPE_MRU:
    {
      switch(atoi(argv[3]))//value_type
      {
        case TYPE_VALUE_STRING:
        case TYPE_VALUE_WSTRING:
          if (Readnk_Value(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,
                           argv[1], NULL, argv[2], tmp, MAX_LINE_SIZE))
          {
            //key update
            char parent_key_update[DATE_SIZE_MAX]="";
            char RID[MAX_PATH]="", sid[MAX_PATH]="";
            Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
                         argv[1], NULL, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
            //save
            convertStringToSQL(tmp, MAX_LINE_SIZE);
            addRegistryMRUtoDB(hks_mru.file,"",argv[1],argv[2],tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
          }
        break;
        case TYPE_ENUM_STRING_RVALUE://all string under one key
        {
          HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
          if (nk_h!=NULL)
          {
            //key update
            char parent_key_update[DATE_SIZE_MAX]="";
            char RID[MAX_PATH]="", sid[MAX_PATH]="";
            Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
                         NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);

            //get values
            char value[MAX_PATH];
            DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);

            for (i=0;i<nbSubValue && start_scan;i++)
            {
              if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,MAX_LINE_SIZE))
              {
                //if (strcmp(charToLowChar(value),argv[2]) != 0)
                {
                  //save
                  convertStringToSQL(value, MAX_PATH);
                  convertStringToSQL(tmp, MAX_LINE_SIZE);
                  addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                }
              }
            }
          }
        }
        break;
        case TYPE_ENUM_STRING_VALUE://list of all string in a directory and exclude "value"
        {
          HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
          if (nk_h!=NULL)
          {
            //key update
            char parent_key_update[DATE_SIZE_MAX]="";
            char RID[MAX_PATH]="", sid[MAX_PATH]="";
            Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
                         NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);

            //get values
            char value[MAX_PATH];
            DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
            for (i=0;i<nbSubValue && start_scan;i++)
            {
              if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,MAX_LINE_SIZE))
              {
                //if (strcmp(charToLowChar(value),argv[2]) != 0)
                {
                  //save
                  convertStringToSQL(value, MAX_PATH);
                  convertStringToSQL(tmp, MAX_LINE_SIZE);
                  addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                }
              }
            }
          }
        }
        break;
        case TYPE_ENUM_STRING_NVALUE://list of all string in a directory with "value"
        {
          HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
          if (nk_h!=NULL)
          {
            //key update
            char parent_key_update[DATE_SIZE_MAX]="";
            char RID[MAX_PATH]="", sid[MAX_PATH]="";
            Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
                         NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);

            //get values
            char value[MAX_PATH];
            DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
            for (i=0;i<nbSubValue && start_scan;i++)
            {
              if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,MAX_LINE_SIZE))
              {
                if (Contient(charToLowChar(value),argv[2]))
                {
                  //save
                  convertStringToSQL(value, MAX_PATH);
                  convertStringToSQL(tmp, MAX_LINE_SIZE);
                  addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                }
              }
            }
          }
        }
        break;
        case TYPE_ENUM_STRING_WVALUE:
        {
          HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
          if (nk_h!=NULL)
          {
            //key update
            char parent_key_update[DATE_SIZE_MAX]="";
            char RID[MAX_PATH]="", sid[MAX_PATH]="";
            Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
                         NULL, nk_h, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);

            //get values
            char value[MAX_PATH],data[MAX_LINE_SIZE];
            DWORD i, nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
            DWORD sz_value = MAX_LINE_SIZE;
            for (i=0;i<nbSubValue && start_scan;i++)
            {
              sz_value = MAX_LINE_SIZE;
              if (GetBinaryValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i,value,MAX_PATH,tmp,&sz_value))
              {
                //save
                convertStringToSQL(value, MAX_PATH);
                snprintf(data,MAX_LINE_SIZE,"%S",tmp);
                convertStringToSQL(tmp, MAX_LINE_SIZE);
                addRegistryMRUtoDB(hks_mru.file,"",argv[1],value,data,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
              }
            }
          }
        }
        break;

        case TYPE_ENUM_SUBNK_DATE:
        {
          HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
          if (nk_h!=NULL)
          {
            char parent_key_update[DATE_SIZE_MAX]="";
            char RID[MAX_PATH]="", sid[MAX_PATH]="";

            //get values
            char value[MAX_PATH], tmp_key[MAX_PATH];
            DWORD i, nbSubnk = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0);

            for (i=0;i<nbSubnk && start_scan;i++)
            {
              if (GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i, value, MAX_PATH))
              {
                snprintf(tmp_key,MAX_PATH,"%s\\%s",argv[1],value);
                HBIN_CELL_NK_HEADER *nk_ht = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,tmp_key);

                if (nk_ht!=NULL)
                {
                  //key update
                  Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
                               NULL, nk_ht, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);
                  //save
                  convertStringToSQL(tmp_key, MAX_PATH);
                  addRegistryMRUtoDB(hks_mru.file,"",tmp_key,"","",argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                }
              }
            }
          }
        }
        break;
        case TYPE_DBL_ENUM_VALUE:
        {
          HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
          if (nk_h==NULL)break;

          char parent_key_update[DATE_SIZE_MAX]="";
          char RID[MAX_PATH]="", sid[MAX_PATH]="", data[MAX_PATH];
          HBIN_CELL_NK_HEADER *nk_ht, *nk_ht2;

          //get values
          char value2[MAX_PATH],value[MAX_PATH], tmp_key2[MAX_PATH], tmp_key[MAX_PATH];
          DWORD i,j, nbSubnk2, nbSubnk = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0);
          for (i=0;i<nbSubnk && start_scan;i++)
          {
            if (GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, i, value, MAX_PATH))
            {
              snprintf(tmp_key,MAX_PATH,"%s\\%s\\AVGeneral\\cRecentFiles",argv[1],value);
              nk_ht = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,tmp_key);

              nbSubnk2 = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_ht, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0);
              for (j=0;j<nbSubnk2 && start_scan;j++)
              {
                if (GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_ht, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, j, value2, MAX_PATH))
                {
                  snprintf(tmp_key2,MAX_PATH,"%s\\%s",tmp_key,value2);
                  nk_ht2 = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,tmp_key2);

                  //datas
                  if(Readnk_Value(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position, NULL, nk_ht2, argv[2],
                                  data, MAX_PATH))
                  {
                    //key update
                    Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
                                 NULL, nk_ht2, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);

                    //save
                    convertStringToSQL(data, MAX_PATH);
                    addRegistryMRUtoDB(hks_mru.file,"",tmp_key2,argv[2],data,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                  }
                }
              }
            }
          }
        }
        break;
        case TYPE_ENUM_STRING_RRVALUE://all string under thow key + key
        {
          HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
          if (nk_h == NULL)return 0;

          char parent_key_update[DATE_SIZE_MAX]="";
          char RID[MAX_PATH]="", sid[MAX_PATH]="";
          char value[MAX_PATH];

          char tmp_key[MAX_PATH], tmp_key2[MAX_PATH], key_path[MAX_PATH];
          HBIN_CELL_NK_HEADER *nk_h_tmp, *nk_h_tmp2;
          DWORD i,j,k, nbSubValue,nbSubKey2,nbSubKey = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, 0, NULL, 0);
          for (i=0;i<nbSubKey && start_scan;i++)
          {
            if(GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i, tmp_key, MAX_PATH))
            {
              //get nk of key :)
              nk_h_tmp = GetSubNKtonk(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i);
              if (nk_h_tmp == NULL)continue;

              nbSubKey2 = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h_tmp, hks_mru.position, 0, NULL, 0);
              for (j=0;j<nbSubKey2 && start_scan;j++)
              {
                if(GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h_tmp, hks_mru.position, j, tmp_key2, MAX_PATH))
                {
                  //get nk of key :)
                  snprintf(key_path,MAX_PATH,"%s\\%s\\%s\\%s",argv[1],tmp_key,tmp_key2,argv[2]);
                  nk_h_tmp2 = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,key_path);
                  if (nk_h_tmp2 == NULL)continue;

                  //key update
                  Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
                               NULL, nk_h_tmp2, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);

                  //get values
                  nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
                  for (k=0;k<nbSubValue;k++)
                  {
                    if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, k,value,MAX_PATH,tmp,MAX_LINE_SIZE))
                    {
                      //save
                      convertStringToSQL(value, MAX_PATH);
                      convertStringToSQL(tmp, MAX_LINE_SIZE);
                      addRegistryMRUtoDB(hks_mru.file,"",key_path,value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                    }
                  }
                }
              }
            }
          }
        }
        break;
        case TYPE_ENUM_STRING_R_VALUE://all string under one key + key
        {
          HBIN_CELL_NK_HEADER *nk_h = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,argv[1]);
          if (nk_h == NULL)return 0;

          char parent_key_update[DATE_SIZE_MAX]="";
          char RID[MAX_PATH]="", sid[MAX_PATH]="";
          char value[MAX_PATH];

          char tmp_key[MAX_PATH], key_path[MAX_PATH];
          HBIN_CELL_NK_HEADER *nk_h_tmp, *nk_h_tmp2;
          DWORD i,k, nbSubValue,nbSubKey = GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, 0, NULL, 0);
          for (i=0;i<nbSubKey && start_scan;i++)
          {
            if(GetSubNK(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i, tmp_key, MAX_PATH))
            {
              //get nk of key :)
              nk_h_tmp = GetSubNKtonk(hks_mru.buffer, hks_mru.taille_fic, nk_h, hks_mru.position, i);
              if (nk_h_tmp == NULL)continue;

              snprintf(key_path,MAX_PATH,"%s\\%s\\%s",argv[1],tmp_key,argv[2]);
              nk_h_tmp2 = GetRegistryNK(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, hks_mru.position,key_path);
              if (nk_h_tmp2 == NULL)continue;

              //key update
              Readnk_Infos(hks_mru.buffer,hks_mru.taille_fic, (hks_mru.pos_fhbin), hks_mru.position,
                           NULL, nk_h_tmp2, parent_key_update, DATE_SIZE_MAX, RID, MAX_PATH,sid, MAX_PATH);

              //get values
              nbSubValue = GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, 0, NULL, 0, NULL, 0);
              for (k=0;k<nbSubValue;k++)
              {
                if (GetValueData(hks_mru.buffer,hks_mru.taille_fic, nk_h_tmp2, (hks_mru.pos_fhbin)+HBIN_HEADER_SIZE, k,value,MAX_PATH,tmp,MAX_LINE_SIZE))
                {
                  //save
                  convertStringToSQL(value, MAX_PATH);
                  convertStringToSQL(tmp, MAX_LINE_SIZE);
                  addRegistryMRUtoDB(hks_mru.file,"",key_path,value,tmp,argv[5],"",RID,sid,parent_key_update,session_id,db_scan);
                }
              }
            }
          }
        }
        break;
      }
    }break;
  }
  return 0;
}