//------------------------------------------------------------------------------ void reg_read_enum_MRUWvalues(HKEY hk,char *chkey,char *key,char *exclu,char* description_id,unsigned int session_id, sqlite3 *db) { HKEY CleTmp; if (RegOpenKey(hk,key,&CleTmp)!=ERROR_SUCCESS)return; DWORD nbValue,i; FILETIME last_update; if (RegQueryInfoKey (CleTmp,0,0,0,0,0,0,&nbValue,0,0,0,&last_update)!=ERROR_SUCCESS) { RegCloseKey(CleTmp); return; } //get date char parent_key_update[DATE_SIZE_MAX] = ""; filetimeToString_GMT(last_update, parent_key_update, DATE_SIZE_MAX); //read USER + RID + SID char user[MAX_PATH], RID[MAX_PATH], sid[MAX_PATH]; GetRegistryKeyOwner(CleTmp, user, RID, sid, MAX_PATH); //enum values char value[MAX_PATH], data[MAX_PATH], data_s[MAX_PATH]; DWORD valueSize,dataSize,type; for (i=0;i<nbValue && start_scan;i++) { valueSize = MAX_PATH; dataSize = MAX_PATH; value[0] = 0; data[0] = 0; type = 0; if (RegEnumValue (CleTmp,i,(LPTSTR)value,(LPDWORD)&valueSize,0,(LPDWORD)&type,(LPBYTE)data,(LPDWORD)&dataSize)==ERROR_SUCCESS) { convertStringToSQL(value, MAX_PATH); snprintf(data_s,MAX_LINE_SIZE,"%S",data); convertStringToSQL(data_s, MAX_PATH); addRegistryMRUtoDB("",chkey,key,value,data_s,description_id,user,RID,sid,parent_key_update,session_id,db); } } RegCloseKey(CleTmp); }
//------------------------------------------------------------------------------ //local function part !!! //------------------------------------------------------------------------------ void reg_read_enum_PathValues(HKEY hk,char *chkey,char *key,unsigned int session_id, sqlite3 *db) { HKEY CleTmp; if (RegOpenKey(hk,key,&CleTmp)!=ERROR_SUCCESS)return; DWORD nbValue,i,j; FILETIME last_update; if (RegQueryInfoKey (CleTmp,0,0,0,0,0,0,&nbValue,0,0,0,&last_update)!=ERROR_SUCCESS) { RegCloseKey(CleTmp); return; } //get date char parent_key_update[DATE_SIZE_MAX] = ""; filetimeToString_GMT(last_update, parent_key_update, DATE_SIZE_MAX); //read USER + RID + SID char user[MAX_PATH], RID[MAX_PATH], sid[MAX_PATH]; GetRegistryKeyOwner(CleTmp, user, RID, sid, MAX_PATH); //enum values char value[MAX_PATH], data[MAX_PATH]; DWORD valueSize,dataSize,type; for (i=0;i<nbValue && start_scan;i++) { valueSize = MAX_PATH; dataSize = MAX_PATH; value[0] = 0; type = 0; if (RegEnumValue (CleTmp,i,(LPTSTR)value,(LPDWORD)&valueSize,0,(LPDWORD)&type,(LPBYTE)data,(LPDWORD)&dataSize)==ERROR_SUCCESS) { switch(type) { case REG_EXPAND_SZ: case REG_SZ: convertStringToSQL(value, MAX_PATH); convertStringToSQL(data, MAX_PATH); addRegistryPathtoDB("",chkey,key,value,data,user,RID,sid,parent_key_update,session_id,db);break; /*case REG_BINARY: case REG_LINK: { tmp[0] = 0; snprintf(tmp,MAX_PATH,"%S",data); convertStringToSQL(value, MAX_PATH); convertStringToSQL(tmp, MAX_PATH); addRegistryPathtoDB("",chkey,key,value,tmp,user,RID,sid,parent_key_update,session_id,db); } break;*/ case REG_MULTI_SZ: for (j=0;j<dataSize;j++) { if (data[j] == 0)data[j]=';'; } convertStringToSQL(value, MAX_PATH); convertStringToSQL(data, MAX_PATH); addRegistryPathtoDB("",chkey,key,value,data,user,RID,sid,parent_key_update,session_id,db); break; } } } RegCloseKey(CleTmp); }
//------------------------------------------------------------------------------ void ReadDatas(unsigned int type, HKEY hk, char *chk, char *key_path, char *value, char*description_id, unsigned int session_id, sqlite3 *db) { switch(type)//value_type { //list of all string in a directory and exclude "value" case TYPE_ENUM_STRING_VALUE:reg_read_enum_MRUvalues(hk, chk,key_path,value,description_id, session_id, db);break; case TYPE_ENUM_STRING_NVALUE:reg_read_enum_MRUNvalues(hk, chk,key_path,value,description_id, session_id, db);break; case TYPE_ENUM_STRING_WVALUE:reg_read_enum_MRUWvalues(hk, chk,key_path,value,description_id, session_id, db);break; case TYPE_ENUM_SUBNK_DATE: { //read all subkey HKEY CleTmp, CleTmp2; if (RegOpenKey(hk,key_path,&CleTmp)!=ERROR_SUCCESS)return; //enum keys DWORD nbSubKey=0,i; if (RegQueryInfoKey (CleTmp,NULL,NULL,NULL,&nbSubKey,NULL,NULL,NULL,NULL,NULL,NULL,NULL)!=ERROR_SUCCESS) { RegCloseKey(CleTmp); return; } char key[MAX_PATH], tmp_key[MAX_PATH], lastupdate[DATE_SIZE_MAX] =""; DWORD key_size; FILETIME LastWriteTime; char user[MAX_PATH], RID[MAX_PATH], sid[MAX_PATH]; for (i=0;i<nbSubKey && start_scan;i++) { key[0] = 0; key_size = MAX_PATH; if (RegEnumKeyEx (CleTmp,i,key,(LPDWORD)&key_size,NULL,NULL,NULL,&LastWriteTime)==ERROR_SUCCESS) { snprintf(tmp_key,MAX_PATH,"%s\\%s",key_path,key); if (RegOpenKey(hk,tmp_key,&CleTmp2)==ERROR_SUCCESS) { user[0] = 0; RID[0] = 0; sid[0] = 0; GetRegistryKeyOwner(CleTmp2, user, RID, sid, MAX_PATH); filetimeToString_GMT(LastWriteTime, lastupdate, DATE_SIZE_MAX); addRegistryMRUtoDB("",chk,tmp_key,"","",description_id,user,RID,sid,lastupdate,session_id,db); RegCloseKey(CleTmp2); } } } RegCloseKey(CleTmp); } break; case TYPE_DBL_ENUM_VALUE: { //read all subkey HKEY CleTmp, CleTmp2, CleTmp3; if (RegOpenKey(hk,key_path,&CleTmp)!=ERROR_SUCCESS)return; //enum keys DWORD nbSubKey=0, nbSubKey2,i,j; if (RegQueryInfoKey (CleTmp,NULL,NULL,NULL,&nbSubKey,NULL,NULL,NULL,NULL,NULL,NULL,NULL)!=ERROR_SUCCESS) { RegCloseKey(CleTmp); return; } char key[MAX_PATH], key2[MAX_PATH], tmp_key[MAX_PATH], tmp_key2[MAX_PATH], lastupdate[DATE_SIZE_MAX] =""; DWORD key_size,key_size2; FILETIME LastWriteTime; char user[MAX_PATH], RID[MAX_PATH], sid[MAX_PATH], data[MAX_PATH]; for (i=0;i<nbSubKey && start_scan;i++) { key[0] = 0; key_size = MAX_PATH; if (RegEnumKeyEx (CleTmp,i,key,(LPDWORD)&key_size,NULL,NULL,NULL,NULL)==ERROR_SUCCESS) { snprintf(tmp_key,MAX_PATH,"%s\\%s\\AVGeneral\\cRecentFiles",key_path,key); if (RegOpenKey(hk,tmp_key,&CleTmp2)==ERROR_SUCCESS) { nbSubKey2 = 0; if (RegQueryInfoKey (CleTmp2,NULL,NULL,NULL,&nbSubKey2,NULL,NULL,NULL,NULL,NULL,NULL,NULL)!=ERROR_SUCCESS) { RegCloseKey(CleTmp2); continue; } for (j=0;j<nbSubKey2 && start_scan;j++) { key2[0] = 0; key_size2 = MAX_PATH; if (RegEnumKeyEx (CleTmp2,j,key2,(LPDWORD)&key_size2,NULL,NULL,NULL,&LastWriteTime)==ERROR_SUCCESS) { snprintf(tmp_key2,MAX_PATH,"%s\\%s",tmp_key,key2); if (RegOpenKey(hk,tmp_key2,&CleTmp3)==ERROR_SUCCESS) { user[0] = 0; RID[0] = 0; sid[0] = 0; data[0] = 0; GetRegistryKeyOwner(CleTmp3, user, RID, sid, MAX_PATH); filetimeToString_GMT(LastWriteTime, lastupdate, DATE_SIZE_MAX); if(ReadValue(hk,tmp_key2,value,data, MAX_PATH)) { convertStringToSQL(data, MAX_PATH); addRegistryMRUtoDB("",chk,tmp_key2,value,data,description_id,user,RID,sid,lastupdate,session_id,db); } RegCloseKey(CleTmp3); } } } RegCloseKey(CleTmp2); } } } RegCloseKey(CleTmp); } break; //all string under one key case TYPE_ENUM_STRING_RVALUE: { //read all subkey HKEY CleTmp; if (RegOpenKey(hk,key_path,&CleTmp)!=ERROR_SUCCESS)return; DWORD nbSubKey=0,i; if (RegQueryInfoKey (CleTmp,NULL,NULL,NULL,&nbSubKey,NULL,NULL,NULL,NULL,NULL,NULL,NULL)!=ERROR_SUCCESS) { RegCloseKey(CleTmp); return; } char key[MAX_PATH], tmp_key[MAX_PATH]; DWORD key_size; for (i=0;i<nbSubKey && start_scan;i++) { key[0] = 0; key_size = MAX_PATH; if (RegEnumKeyEx (CleTmp,i,key,(LPDWORD)&key_size,NULL,NULL,NULL,NULL)==ERROR_SUCCESS) { snprintf(tmp_key,MAX_PATH,"%s\\%s",key_path,key); reg_read_enum_MRUvalues(hk,chk,tmp_key,value,description_id, session_id, db_scan); } } RegCloseKey(CleTmp); }break; //all string under thow key + key case TYPE_ENUM_STRING_RRVALUE: { //read all subkey HKEY CleTmp,CleTmp2; if (RegOpenKey(hk,key_path,&CleTmp)!=ERROR_SUCCESS)return; DWORD nbSubKey=0,nbSubKey2,i,j; if (RegQueryInfoKey (CleTmp,NULL,NULL,NULL,&nbSubKey,NULL,NULL,NULL,NULL,NULL,NULL,NULL)!=ERROR_SUCCESS) { RegCloseKey(CleTmp); return; } char key[MAX_PATH], tmp_key[MAX_PATH],key2[MAX_PATH], tmp_key2[MAX_PATH]; DWORD key_size,key_size2; for (i=0;i<nbSubKey && start_scan;i++) { key[0] = 0; key_size = MAX_PATH; if (RegEnumKeyEx (CleTmp,i,key,(LPDWORD)&key_size,NULL,NULL,NULL,NULL)==ERROR_SUCCESS) { snprintf(tmp_key,MAX_PATH,"%s\\%s",key_path,key); //second key !!! if (RegOpenKey(hk,tmp_key,&CleTmp2)!=ERROR_SUCCESS)continue; nbSubKey2 = 0; if (RegQueryInfoKey (CleTmp2,NULL,NULL,NULL,&nbSubKey2,NULL,NULL,NULL,NULL,NULL,NULL,NULL)!=ERROR_SUCCESS) { RegCloseKey(CleTmp2); continue; } for (j=0;j<nbSubKey2 && start_scan;j++) { key2[0] = 0; key_size2 = MAX_PATH; if (RegEnumKeyEx (CleTmp2,j,key2,(LPDWORD)&key_size2,NULL,NULL,NULL,NULL)==ERROR_SUCCESS) { snprintf(tmp_key2,MAX_PATH,"%s\\%s\\%s",tmp_key,key2,value); reg_read_enum_MRUvalues(hk,chk,tmp_key2,"",description_id, session_id, db_scan); } } RegCloseKey(CleTmp2); } } RegCloseKey(CleTmp); }break; //all string under one key + key case TYPE_ENUM_STRING_R_VALUE: { //read all subkey HKEY CleTmp; if (RegOpenKey(hk,key_path,&CleTmp)!=ERROR_SUCCESS)return; DWORD nbSubKey=0,i; if (RegQueryInfoKey (CleTmp,NULL,NULL,NULL,&nbSubKey,NULL,NULL,NULL,NULL,NULL,NULL,NULL)!=ERROR_SUCCESS) { RegCloseKey(CleTmp); return; } char key[MAX_PATH], tmp_key[MAX_PATH]; DWORD key_size; for (i=0;i<nbSubKey && start_scan;i++) { key[0] = 0; key_size = MAX_PATH; if (RegEnumKeyEx (CleTmp,i,key,(LPDWORD)&key_size,NULL,NULL,NULL,NULL)==ERROR_SUCCESS) { snprintf(tmp_key,MAX_PATH,"%s\\%s\\%s",key_path,key,value); reg_read_enum_MRUvalues(hk,chk,tmp_key,"",description_id, session_id, db_scan); } } RegCloseKey(CleTmp); }break; //only one value case TYPE_VALUE_STRING: { char data[MAX_PATH]; if (ReadValue(hk,key_path,value,data, MAX_PATH)) { HKEY CleTmp; if (RegOpenKey(hk,key_path,&CleTmp)==ERROR_SUCCESS) { char user[MAX_PATH]="", RID[MAX_PATH]="", SID[MAX_PATH]=""; GetRegistryKeyOwner(CleTmp, user, RID, SID, MAX_PATH); RegCloseKey(CleTmp); char parent_key_update[DATE_SIZE_MAX]=""; ReadKeyUpdate(hk,key_path, parent_key_update, DATE_SIZE_MAX); convertStringToSQL(data, MAX_PATH); addRegistryMRUtoDB("",chk,key_path,value,data,description_id,user,RID,SID,parent_key_update,session_id,db_scan); } } }break; //only one value case TYPE_VALUE_WSTRING: { char data[MAX_PATH],tmp[MAX_PATH]; if (ReadValue(hk,key_path,value,tmp, MAX_PATH)) { HKEY CleTmp; if (RegOpenKey(hk,key_path,&CleTmp)==ERROR_SUCCESS) { snprintf(data,MAX_PATH,"%S",tmp); char user[MAX_PATH]="", RID[MAX_PATH]="", SID[MAX_PATH]=""; GetRegistryKeyOwner(CleTmp, user, RID, SID, MAX_PATH); RegCloseKey(CleTmp); char parent_key_update[DATE_SIZE_MAX]=""; ReadKeyUpdate(hk,key_path, parent_key_update, DATE_SIZE_MAX); convertStringToSQL(data, MAX_PATH); addRegistryMRUtoDB("",chk,key_path,value,data,description_id,user,RID,SID,parent_key_update,session_id,db_scan); } } }break; } }