thinobjects
 asked on

Decrypt the binary value read from the ARPCache subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\..application....\SlowInfoCache

Please

I need a script in C# that can read and decipher the binary value located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\..application....\SlowInfoCache


Thanks
Fonts TypographyProgramming

ASKER CERTIFIED SOLUTION
cookre

SOLUTION
redpipe

David_Ward

oh,

>>I need a script in c# that ...

Just noticed that bit :(

ah well, perhaps someone could convert delphi to C Sharp for you ...

cookre

I'll post something Wednesday night (I'm GMT-4).
David_Ward

You probably noticed I had done nothing to resolve the date/time ...
I had a little more time today, so;

// add this new function
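Function AdjustedDateTime(OriginalFTime: TFileTime): String;
//
// Convert a FILETIME (here: the LastUsed field of a SlowInfoCache record)
// into a 'date time' string, expressed in LOCAL time and formatted with the
// current SysUtils date/time format variables.
//
// The length checks below compare the formatted text with the format
// pattern itself, so they only make sense with fixed-width patterns.
// Put this lot in the .DPR file immediately after the
// "Application.Initialize;" line (choose formats appropriate to you/your
// country; these variables are in the SysUtils unit):
//
//       dateseparator:='/';
//       shortdateformat:='dd/mm/yyyy';
//       longdateformat:='dd/mm/yyyy';
//       timeseparator:=':';
//       longtimeformat:='hh:mm:ss';
//       shorttimeformat:='hh:mm:ss';
//       DecimalSeparator:='.';
//
// The value comes straight out of the registry, so it may be corrupt or out
// of range. If either Win32 conversion reports failure, the zero TDateTime
// is formatted instead of reading a TSystemTime that was never filled in.
//
// If any dates resolve to 01/01/1601 they have NO real date set.
//
var
  DateText:     String;
  TimeText:     String;
  LocalFTime:   TFileTime;
  SystemFTime:  TSystemTime;
  Stamp:        TDateTime;
  ConvertedOk:  Boolean;
begin
  // Both calls return False on failure; the second must not run (and its
  // output must not be used) when the first one failed.
  ConvertedOk:=FileTimeToLocalFileTime(OriginalFTime,LocalFTime);
  if ConvertedOk then
    ConvertedOk:=FileTimeToSystemTime(LocalFTime,SystemFTime);

  if not ConvertedOk then
  begin
    Result:=DateToStr(0.0)+' '+TimeToStr(0.0);
    Exit;
  end;

  Stamp:=SystemTimeToDateTime(SystemFTime);

  DateText:=DateToStr(Stamp);
  if length(DateText)<>length(ShortDateFormat) then
    DateText:=DateToStr(0.0); // force -something- if it is blatantly -wrong- ...

  TimeText:=TimeToStr(Stamp);
  if (TimeText='') or (length(TimeText)<>length(LongTimeFormat)) then
    TimeText:=TimeToStr(0.0); // force -something- if it is blank, or, blatantly -wrong- ...

  Result:=DateText+' '+TimeText;
end;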


Then, in;

Function GetCacheInfo(ThisRegSection: String): String;

replace this line;

s1:=s1+IntToStr(Int64((MyInfoCache.LastUsed.dwHighDateTime shl 32)+MyInfoCache.LastUsed.dwLowDateTime))+'","';

with this one;

s1:=s1+AdjustedDateTime(MyInfoCache.LastUsed)+'","';

cookre

Here's some c# showing the filenames for all of the subkeys.  I'll post the parsing of the remaining fields tomorrow.

using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Win32;
using System.Runtime.InteropServices;
using System.IO;

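namespace SlowCache
{
    /// <summary>
    /// Lists the file name stored in the SlowInfoCache value of every
    /// application subkey under the ARPCache registry key and appends one
    /// line per application to SlowCache.log.
    /// </summary>
    class Program
    {
        // Path of the ARPCache key, relative to HKEY_LOCAL_MACHINE.
        // NOTE(review): a 32-bit process on 64-bit Windows may see a redirected
        // view of HKLM\SOFTWARE - confirm which view holds ARPCache on the target.
        const string ArpCachePath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache";

        // Byte offsets inside the SlowInfoCache blob used by this program.
        const int HasNameOffset = 4;   // 4-byte flag: non-zero when a file name follows
        const int NameOffset = 28;     // start of the UTF-16, NUL-terminated file name

        // Text logged when an entry carries no file name.
        const string NoName = "--NONE--";

        /// <summary>
        /// Walks every subkey of ARPCache and logs "[subkey] &lt;file name&gt;".
        /// </summary>
        /// <param name="args">Command-line arguments (unused).</param>
        static void Main(string[] args)
        {
            using (RegistryKey reg = Registry.LocalMachine.OpenSubKey(ArpCachePath))
            {
                if (reg == null)
                {
                    PutMsg("No such key");
                    return;
                }

                foreach (string appName in reg.GetSubKeyNames())
                {
                    byte[] data = null;

                    // The subkey can disappear between enumeration and open,
                    // and it need not contain a SlowInfoCache value at all.
                    using (RegistryKey appKey = reg.OpenSubKey(appName))
                    {
                        if (appKey != null)
                        {
                            data = appKey.GetValue("SlowInfoCache") as byte[];
                        }
                    }

                    PutMsg("[" + appName + "] <" + ReadFileName(data) + ">");
                }
            }
        }

        /// <summary>
        /// Extracts the file name from a raw SlowInfoCache blob.
        /// </summary>
        /// <param name="data">Raw registry value; may be null, short or malformed.</param>
        /// <returns>
        /// The decoded name, or "--NONE--" when the blob is missing, too short
        /// to hold the header, or its has-name flag is zero.
        /// </returns>
        static string ReadFileName(byte[] data)
        {
            // Registry content is external data: never index past what was read.
            if (data == null || data.Length < NameOffset)
            {
                return NoName;
            }

            // The flag is a 4-byte field; testing only its first byte would
            // miss values whose low byte happens to be zero.
            if (BitConverter.ToInt32(data, HasNameOffset) == 0)
            {
                return NoName;
            }

            // Scan whole UTF-16 code units and stop at a full 00 00 terminator
            // or at the end of the data, whichever comes first. Testing only
            // the low byte would cut the name at characters such as U+0100.
            int length = 0;
            while (NameOffset + length + 1 < data.Length)
            {
                if (data[NameOffset + length] == 0 && data[NameOffset + length + 1] == 0)
                {
                    break;
                }
                length += 2;
            }

            return Encoding.Unicode.GetString(data, NameOffset, length);
        }

        /// <summary>
        /// Appends one line to SlowCache.log in the current working directory.
        /// </summary>
        /// <param name="msg">Text to write; it is written verbatim, including
        /// any characters taken from registry key names or values.</param>
        static void PutMsg(string msg)
        {
            // using guarantees the file handle is released even if the write throws.
            using (StreamWriter log = new StreamWriter("SlowCache.log", true))
            {
                log.WriteLine(msg);
            }
        }
    }
}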
cookre

And the rest of it except for the FileTime field (alas, tomorrow night - I have so little time for fun things)



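// Dump the fixed header and the file name of every SlowInfoCache value
// under ARPCache. Offsets read below (in bytes):
//    0  cbSize       (int32)
//    4  hasName      (int32, non-zero when a file name follows)
//    8  installSize  (int64)
//   16  last-used FILETIME, low dword then high dword
//   24  freq         (int32)
//   28  file name    (UTF-16, NUL-terminated)
// BitConverter reads in the machine's byte order, exactly as the byteunion
// overlay did, so the decoded values are unchanged.
const int HeaderSize=28;

Byte [] byts=null;

int cbSize=0;
int hasName=0;
long installSize=0;
int lastUsedDate=0;
int lastUsedTime=0;
int freq=0;

string Filename="";
int ctr=0;

using (RegistryKey reg=Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache"))
   {
   if (reg==null)
      {
      PutMsg("No such key");
      return;
      }
   string [] AppNames=reg.GetSubKeyNames();
   for (int keyidx=0; keyidx<AppNames.Length; keyidx++)
       {
       // Get raw data. The subkey may have vanished since enumeration and
       // need not hold a SlowInfoCache value, so both can come back null.
       byts=null;
       using (RegistryKey AppKey=reg.OpenSubKey(AppNames[keyidx]))
          {
          if (AppKey!=null) byts=AppKey.GetValue("SlowInfoCache") as byte[];
          }

       // Registry content is external data: refuse to parse anything that
       // cannot even hold the fixed header.
       if (byts==null || byts.Length<HeaderSize)
          {
          PutMsg("Name: "+AppNames[keyidx]);
          PutMsg("SlowInfoCache missing or too short");
          PutMsg(" ");
          continue;
          }

       // Extract out the various binary fields
       // NOTE(review): cbSize is logged but never compared with byts.Length.
       cbSize=BitConverter.ToInt32(byts,0);
       hasName=BitConverter.ToInt32(byts,4);
       installSize=BitConverter.ToInt64(byts,8);

       // The two halves of the FILETIME. The high half must be read from
       // bytes 20..23; reading the overlay's i32 again returned bytes 16..19.
       lastUsedTime=BitConverter.ToInt32(byts,16);
       lastUsedDate=BitConverter.ToInt32(byts,20);

       freq=BitConverter.ToInt32(byts,24);

       // Get filename, if present
       Filename="--NONE--";
       if (hasName!=0)
          {
          ctr=0;
          // Find length of file name, then fetch it. Scan whole UTF-16 code
          // units, stop at a 00 00 terminator, and never index past the data
          // actually read from the registry.
          while (HeaderSize+ctr+1<byts.Length)
                {
                if (byts[HeaderSize+ctr]==0 && byts[HeaderSize+ctr+1]==0) break;
                ctr+=2;
                }
          Filename=Encoding.Unicode.GetString(byts,HeaderSize,ctr);
          }
       PutMsg("Name: "+AppNames[keyidx]);
       PutMsg("cbSize: "+cbSize.ToString());
       PutMsg("Filename: "+Filename);
       PutMsg("installSize: "+installSize.ToString());
       PutMsg("freq: "+freq.ToString());
       PutMsg(" ");
       }
   }
}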
       
/// <summary>
/// Eight bytes of storage that can be written one byte at a time and read
/// back as a 32-bit or 64-bit integer. All integer views start at offset 0,
/// so <c>i32</c> covers b0..b3 and <c>i64</c>/<c>u64</c> cover b0..b7, in the
/// machine's own byte order.
/// </summary>
[StructLayout(LayoutKind.Explicit)]
public struct byteunion
{
    // Integer views over the whole buffer (all anchored at offset 0).
    [FieldOffset(0)] public ulong u64;
    [FieldOffset(0)] public long i64;
    [FieldOffset(0)] public int i32;

    // Individual bytes, lowest offset first.
    [FieldOffset(0)] public byte b0;
    [FieldOffset(1)] public byte b1;
    [FieldOffset(2)] public byte b2;
    [FieldOffset(3)] public byte b3;
    [FieldOffset(4)] public byte b4;
    [FieldOffset(5)] public byte b5;
    [FieldOffset(6)] public byte b6;
    [FieldOffset(7)] public byte b7;
}
       
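/// <summary>
/// Appends one line to SlowCache.log in the current working directory.
/// </summary>
/// <param name="msg">Text to write; it is written verbatim, including any
/// characters taken from registry key names or values.</param>
void PutMsg(string msg)
{
// using releases the file handle even when WriteLine throws, so a failed
// write cannot leave the log locked for the next call.
using (StreamWriter log=new StreamWriter("SlowCache.log",true))
   {
   log.WriteLine(msg);
   }
}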
cookre

Here's the FileTime handling:


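// Dump the fixed header, the last-used time and the file name of every
// SlowInfoCache value under ARPCache. Offsets read below (in bytes):
//    0  cbSize       (int32)
//    4  hasName      (int32, non-zero when a file name follows)
//    8  installSize  (int64)
//   16  lastUsed     (64-bit FILETIME)
//   24  freq         (int32)
//   28  file name    (UTF-16, NUL-terminated)
// BitConverter reads in the machine's byte order, exactly as the byteunion
// overlay did, so the decoded values are unchanged.
const int HeaderSize=28;

Byte [] byts=null;

int cbSize=0;
int hasName=0;
long installSize=0;
DateTime dt;
Int64 lastUsed=0;
int freq=0;

string Filename="";
int ctr=0;

using (RegistryKey reg=Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache"))
   {
   if (reg==null)
      {
      PutMsg("No such key");
      return;
      }
   string [] AppNames=reg.GetSubKeyNames();
   for (int keyidx=0; keyidx<AppNames.Length; keyidx++)
       {
       // Get raw data. The subkey may have vanished since enumeration and
       // need not hold a SlowInfoCache value, so both can come back null.
       byts=null;
       using (RegistryKey AppKey=reg.OpenSubKey(AppNames[keyidx]))
          {
          if (AppKey!=null) byts=AppKey.GetValue("SlowInfoCache") as byte[];
          }

       // Registry content is external data: refuse to parse anything that
       // cannot even hold the fixed header.
       if (byts==null || byts.Length<HeaderSize)
          {
          PutMsg("Name: "+AppNames[keyidx]);
          PutMsg("SlowInfoCache missing or too short");
          PutMsg(" ");
          continue;
          }

       // Extract out the various binary fields
       // NOTE(review): cbSize is logged but never compared with byts.Length.
       cbSize=BitConverter.ToInt32(byts,0);
       hasName=BitConverter.ToInt32(byts,4);
       installSize=BitConverter.ToInt64(byts,8);
       lastUsed=BitConverter.ToInt64(byts,16);
       freq=BitConverter.ToInt32(byts,24);

       // Get filename, if present
       Filename="--NONE--";
       if (hasName!=0)
          {
          ctr=0;
          // Find length of file name, then fetch it. Scan whole UTF-16 code
          // units, stop at a 00 00 terminator, and never index past the data
          // actually read from the registry.
          while (HeaderSize+ctr+1<byts.Length)
                {
                if (byts[HeaderSize+ctr]==0 && byts[HeaderSize+ctr+1]==0) break;
                ctr+=2;
                }
          Filename=Encoding.Unicode.GetString(byts,HeaderSize,ctr);
          }
       PutMsg("Name: "+AppNames[keyidx]);
       PutMsg("cbSize: "+cbSize.ToString());
       PutMsg("Filename: "+Filename);

       // DateTime.MaxValue is the marker for "no usable timestamp": it is used
       // for zero/negative values and for values FromFileTimeUtc rejects as
       // out of range, so one corrupt entry cannot abort the whole dump.
       if (lastUsed<1) dt=DateTime.MaxValue;
       else
          {
          try
             {
             dt=DateTime.FromFileTimeUtc(lastUsed);
             }
          catch (ArgumentOutOfRangeException)
             {
             dt=DateTime.MaxValue;
             }
          }
       // dt is UTC; ToString() formats it with the current culture and does
       // not label the time zone in the log.
       PutMsg("Lastused: "+dt.ToString());
       PutMsg("installSize: "+installSize.ToString());
       PutMsg("freq: "+freq.ToString());
       PutMsg(" ");
       }
   }
Application.Exit();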
prvijesh

hi,

How can I extract SlowInfoCache using CopyMemory in VB 6.0? Thanks.