thinobjects


Decrypt the value read from the binary ARP subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\..application....\SlowInfoCache

Please

I need a script in C# that can read and decipher the binary value located in the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppManagement\ARPCache\..application....\SlowInfoCache


Thanks
cookre
oh,

>>I need a script in c# that ...

Just noticed that bit :(

ah well, perhaps someone could convert the Delphi to C# for you ...

I'll post something Wednesday night (I'm GMT-4).
You probably noticed I had done nothing to resolve the date/time ...
I had a little more time today, so;

// add this new function
Function AdjustedDateTime(OriginalFTime: TFileTime): String;
// Turns a UTC FILETIME (the LastUsed field of SlowInfoCache) into "date time"
// text in the local time zone. Either half is replaced by the zero date/time
// when its formatted length does not match the global format string, so the
// caller always gets something of a predictable shape.
var
  DatePart, TimePart: String;
  LocalFTime:         TFileTime;
  SysTime:            TSystemTime;
  Stamp:              TDateTime;
begin
{
// bung this lot in the .DPR file immediately after the "Application.Initialize;" line
// so the length checks below compare against known formats (choose formats that
// suit you/your country). These globals live in the SysUtils unit.
//
      dateseparator:='/';
      shortdateformat:='dd/mm/yyyy';
      longdateformat:='dd/mm/yyyy';
      timeseparator:=':';
      longtimeformat:='hh:mm:ss';
      shorttimeformat:='hh:mm:ss';
      DecimalSeparator:='.';
}

  // UTC FILETIME -> local FILETIME -> broken-down SYSTEMTIME -> TDateTime
  FileTimeToLocalFileTime(OriginalFTime, LocalFTime);
  FileTimeToSystemTime(LocalFTime, SysTime);
  Stamp := SystemTimeToDateTime(SysTime);

  // A date whose text length differs from ShortDateFormat is blatantly wrong;
  // substitute the zero date rather than pass garbage on.
  DatePart := DateToStr(Stamp);
  if Length(DatePart) <> Length(ShortDateFormat) then
    DatePart := DateToStr(0.0);

  // Same treatment for the time half (also covers an empty string).
  TimePart := TimeToStr(Stamp);
  if (TimePart = '') or (Length(TimePart) <> Length(LongTimeFormat)) then
    TimePart := TimeToStr(0.0);

  Result := DatePart + ' ' + TimePart;

  // Any result of 01/01/1601 (FILETIME zero) means NO real date was ever set.
end;


Then, in;

Function GetCacheInfo(ThisRegSection: String): String;

replace this line;

s1:=s1+IntToStr(Int64((MyInfoCache.LastUsed.dwHighDateTime shl 32)+MyInfoCache.LastUsed.dwLowDateTime))+'","';

with this one;

s1:=s1+AdjustedDateTime(MyInfoCache.LastUsed)+'","';

Here's some C# showing the filenames for all of the subkeys.  I'll post the parsing of the remaining fields tomorrow.

using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Win32;
using System.Runtime.InteropServices;
using System.IO;

namespace SlowCache
{
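class Program
{
    // Registry path holding one subkey per Add/Remove Programs entry.
    private const string ArpCachePath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache";

    // Blob layout assumed by the original code: byte 4 is the has-name flag,
    // the UTF-16LE file name starts at byte 28, and at most 512 bytes of it
    // are scanned for a terminator.
    private const int HasNameOffset = 4;
    private const int NameOffset = 28;
    private const int NameMaxBytes = 512;

    /// <summary>
    /// Enumerates every ARPCache subkey, reads its SlowInfoCache binary value
    /// and appends the subkey name together with the embedded file name (or
    /// "--NONE--") to SlowCache.log via <see cref="PutMsg"/>.
    /// </summary>
    /// <param name="args">Unused.</param>
    static void Main(string[] args)
    {
        using (RegistryKey reg = Registry.LocalMachine.OpenSubKey(ArpCachePath))
        {
            if (reg == null)
            {
                PutMsg("No such key");
                return;
            }

            string[] appNames = reg.GetSubKeyNames();
            for (int keyidx = 0; keyidx < appNames.Length; keyidx++)
            {
                // Opening relative to the parent is the same key as the full path.
                using (RegistryKey appKey = reg.OpenSubKey(appNames[keyidx]))
                {
                    // The subkey can vanish between enumeration and open, and the
                    // value may be absent or of another kind; `as` yields null in
                    // those cases instead of throwing, and ExtractFileName copes.
                    byte[] data = (appKey == null) ? null : appKey.GetValue("SlowInfoCache") as byte[];
                    PutMsg("[" + appNames[keyidx] + "] <" + ExtractFileName(data) + ">");
                }
            }
        }
    }

    /// <summary>
    /// Returns the file name embedded in a SlowInfoCache blob, or "--NONE--"
    /// when <paramref name="data"/> is null, too short to hold a name, or its
    /// has-name flag byte is zero.
    /// </summary>
    /// <param name="data">Raw SlowInfoCache value; may be null.</param>
    /// <returns>The UTF-16 name up to its first two-byte NUL terminator or the
    /// end of the scanned window, whichever comes first. Never null.</returns>
    internal static string ExtractFileName(byte[] data)
    {
        if (data == null || data.Length <= NameOffset || data[HasNameOffset] == 0)
        {
            return "--NONE--";
        }

        // Never index past the blob: the original walked up to offset 28+511
        // regardless of the array's real length.
        int limit = Math.Min(NameMaxBytes, data.Length - NameOffset);
        limit -= limit % 2;   // stay on UTF-16 code-unit boundaries

        int len = 0;
        while (len < limit)
        {
            // A UTF-16 terminator is two zero bytes; testing only the low byte
            // would truncate names containing characters such as U+0100.
            if (data[NameOffset + len] == 0 && data[NameOffset + len + 1] == 0)
            {
                break;
            }
            len += 2;
        }
        return Encoding.Unicode.GetString(data, NameOffset, len);
    }

    /// <summary>Appends one line to SlowCache.log in the working directory.</summary>
    /// <param name="msg">Text to write.</param>
    static void PutMsg(string msg)
    {
        // The using block flushes and closes the writer even if WriteLine throws;
        // the original only reached Close() on the success path.
        using (StreamWriter log = new StreamWriter("SlowCache.log", true))
        {
            log.WriteLine(msg);
        }
    }
}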
}
And the rest of it except for the FileTime field (alas, tomorrow night - I have so little time for fun things)



Byte [] byts=new byte[552];           // placeholder only; reassigned from the registry below

byteunion x=new byteunion();          // explicit-layout overlay for rebuilding ints from bytes

int cbSize=0;                         // bytes 0-3 of the blob
int hasName=0;                        // bytes 4-7: non-zero when a file name follows at offset 28
long installSize=0;                   // bytes 8-15
int lastUsedDate=0;                   // meant to be bytes 20-23 (see NOTE at the assignment)
int lastUsedTime=0;                   // bytes 16-19
int freq=0;                           // bytes 24-27

string Filename="";
int ctr=0;

RegistryKey reg=Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache");
if (reg==null)
   {
   PutMsg("No such key");
   return;
   }
string [] AppNames=reg.GetSubKeyNames();  
for (int keyidx=0; keyidx<AppNames.Length; keyidx++)
    {
    // NOTE(review): AppKey is neither null-checked nor disposed; a subkey deleted
    // between GetSubKeyNames and OpenSubKey makes the GetValue call below throw.
    RegistryKey AppKey=Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache\\"+AppNames[keyidx]);

    // Get raw data    
    // NOTE(review): a missing value yields null here and byts[0] then throws; a blob
    // shorter than 28 bytes makes the field reads below go out of range.
    byts=(byte[])AppKey.GetValue("SlowInfoCache");

    // Extract out the various binary fields
    // Each field is rebuilt by loading its bytes into the overlay and reading the
    // aliased integer; b0 is the least significant byte on little-endian hosts.
    x.b0=byts[0];
    x.b1=byts[1];
    x.b2=byts[2];
    x.b3=byts[3];
    cbSize=x.i32;
   
    x.b0=byts[4];
    x.b1=byts[5];
    x.b2=byts[6];
    x.b3=byts[7];
    hasName=x.i32;

    x.b0=byts[8];
    x.b1=byts[9];
    x.b2=byts[10];
    x.b3=byts[11];
    x.b4=byts[12];
    x.b5=byts[13];
    x.b6=byts[14];
    x.b7=byts[15];
    installSize=x.i64;

    x.b0=byts[16];
    x.b1=byts[17];
    x.b2=byts[18];
    x.b3=byts[19];
    lastUsedTime=x.i32;
   
    x.b4=byts[20];
    x.b5=byts[21];
    x.b6=byts[22];
    x.b7=byts[23];
    // NOTE(review): i32 is declared at FieldOffset(0), so this reads b0..b3 (bytes
    // 16-19) again; lastUsedDate therefore equals lastUsedTime and bytes 20-23 are
    // never consumed. Neither value is logged below, so the output is unaffected.
    lastUsedDate=x.i32;
   
    x.b0=byts[24];
    x.b1=byts[25];
    x.b2=byts[26];
    x.b3=byts[27];
    freq=x.i32;

    // Get filename, if present
    Filename="--NONE--";
    if (hasName!=0)
       {
       ctr=0;
       // Find length of file name, then fetch it
       // NOTE(review): the bound is the original 552-byte buffer size, not the blob's
       // real length, and byts[28+ctr] reaches offset 579 — an unterminated name or a
       // short blob throws IndexOutOfRangeException. Only the low byte of each UTF-16
       // unit is tested, so a character with a zero low byte ends the name early.
       while (ctr<552)
             {
             if (byts[28+ctr]==0) break;
             ctr+=2;
             }
       Filename=Encoding.Unicode.GetString(byts,28,ctr);
       }
    PutMsg("Name: "+AppNames[keyidx]);
    PutMsg("cbSize: "+cbSize.ToString());
    PutMsg("Filename: "+Filename);
    PutMsg("installSize: "+installSize.ToString());
    PutMsg("freq: "+freq.ToString());
    PutMsg(" ");
    }
}        
       
/// <summary>
/// Eight-byte explicit-layout overlay. The integer views share offset 0 with the
/// individual bytes b0..b7, so loading bytes and reading i32/i64/u64 reassembles
/// a value in the host's byte order (b0 is the least significant byte on
/// little-endian x86/x64).
/// </summary>
[StructLayout(LayoutKind.Explicit)]
public struct byteunion
{
    // Integer views of the shared storage.
    [FieldOffset(0)] public int i32;      // bytes 0-3
    [FieldOffset(0)] public long i64;     // bytes 0-7, signed
    [FieldOffset(0)] public ulong u64;    // bytes 0-7, unsigned

    // Byte-addressable view of the same storage.
    [FieldOffset(0)] public byte b0;
    [FieldOffset(1)] public byte b1;
    [FieldOffset(2)] public byte b2;
    [FieldOffset(3)] public byte b3;
    [FieldOffset(4)] public byte b4;
    [FieldOffset(5)] public byte b5;
    [FieldOffset(6)] public byte b6;
    [FieldOffset(7)] public byte b7;
}
       
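/// <summary>Appends one line to SlowCache.log in the working directory.</summary>
/// <param name="msg">Text to write.</param>
void PutMsg(string msg)
{
    // The using block flushes and closes the writer even if WriteLine throws;
    // the original only reached Close() on the success path and leaked the handle
    // otherwise.
    using (StreamWriter log = new StreamWriter("SlowCache.log", true))
    {
        log.WriteLine(msg);
    }
}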
Here's the FileTime handling:


Byte [] byts=new byte[552];           // placeholder only; reassigned from the registry below

byteunion x=new byteunion();          // explicit-layout overlay for rebuilding ints from bytes

int cbSize=0;                         // bytes 0-3 of the blob
int hasName=0;                        // bytes 4-7: non-zero when a file name follows at offset 28
long installSize=0;                   // bytes 8-15
DateTime dt;
Int64 lastUsed=0;                     // bytes 16-23 as one FILETIME (low dword first)
int freq=0;                           // bytes 24-27

string Filename="";
int ctr=0;

RegistryKey reg=Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache");
if (reg==null)
   {
   PutMsg("No such key");
   return;
   }
string [] AppNames=reg.GetSubKeyNames();  
for (int keyidx=0; keyidx<AppNames.Length; keyidx++)
    {
    // NOTE(review): AppKey is neither null-checked nor disposed; a subkey deleted
    // between GetSubKeyNames and OpenSubKey makes the GetValue call below throw.
    RegistryKey AppKey=Registry.LocalMachine.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache\\"+AppNames[keyidx]);

    // Get raw data    
    // NOTE(review): a missing value yields null here and byts[0] then throws; a blob
    // shorter than 28 bytes makes the field reads below go out of range.
    byts=(byte[])AppKey.GetValue("SlowInfoCache");

    // Extract out the various binary fields
    // Each field is rebuilt by loading its bytes into the overlay and reading the
    // aliased integer; b0 is the least significant byte on little-endian hosts.
    x.b0=byts[0];
    x.b1=byts[1];
    x.b2=byts[2];
    x.b3=byts[3];
    cbSize=x.i32;
   
    x.b0=byts[4];
    x.b1=byts[5];
    x.b2=byts[6];
    x.b3=byts[7];
    hasName=x.i32;

    x.b0=byts[8];
    x.b1=byts[9];
    x.b2=byts[10];
    x.b3=byts[11];
    x.b4=byts[12];
    x.b5=byts[13];
    x.b6=byts[14];
    x.b7=byts[15];
    installSize=x.i64;

    // All eight bytes of the FILETIME go through the overlay at once, so i64 holds
    // the low dword (bytes 16-19) in its low half and the high dword in its high
    // half — the form DateTime.FromFileTimeUtc expects.
    x.b0=byts[16];
    x.b1=byts[17];
    x.b2=byts[18];
    x.b3=byts[19];
    x.b4=byts[20];
    x.b5=byts[21];
    x.b6=byts[22];
    x.b7=byts[23];
    lastUsed=x.i64;
   
    x.b0=byts[24];
    x.b1=byts[25];
    x.b2=byts[26];
    x.b3=byts[27];
    freq=x.i32;

    // Get filename, if present
    Filename="--NONE--";
    if (hasName!=0)
       {
       ctr=0;
       // Find length of file name, then fetch it
       // NOTE(review): the bound is the original 552-byte buffer size, not the blob's
       // real length, and byts[28+ctr] reaches offset 579 — an unterminated name or a
       // short blob throws IndexOutOfRangeException. Only the low byte of each UTF-16
       // unit is tested, so a character with a zero low byte ends the name early.
       while (ctr<552)
             {
             if (byts[28+ctr]==0) break;
             ctr+=2;
             }
       Filename=Encoding.Unicode.GetString(byts,28,ctr);
       }
    PutMsg("Name: "+AppNames[keyidx]);
    PutMsg("cbSize: "+cbSize.ToString());
    PutMsg("Filename: "+Filename);
    // DateTime.MaxValue is used as the "never used" sentinel for a zero/negative
    // FILETIME. NOTE(review): FromFileTimeUtc throws ArgumentOutOfRangeException
    // for values beyond DateTime.MaxValue, which a corrupt blob can produce, and
    // the result is UTC — unlike the Delphi version, which converted to local time.
    if (lastUsed<1) dt=DateTime.MaxValue;
    else            dt=DateTime.FromFileTimeUtc(lastUsed);
    PutMsg("Lastused: "+dt.ToString());
    PutMsg("installSize: "+installSize.ToString());
    PutMsg("freq: "+freq.ToString());
    PutMsg(" ");
    }
// NOTE(review): Application.Exit is a System.Windows.Forms API; it is not covered by
// the using directives shown in the earlier console listing — presumably this
// fragment lives in a WinForms project.
Application.Exit();
prvijesh

hi,

How can I extract SlowInfoCache using CopyMemory in VB 6.0? Thanks