/*******************************************************
This file is part of Process Monitor.
Copyright (c) 2004 by Michel van Kerkhof, ( michel000@planet.nl http://home.wxs.nl/~wijk0550/ )
For more information consult the Readme file.
This program is free software; you can redistribute it
and/or modify it under the terms of the GNU
General Public License as published by the Free
Software Foundation; either version 2 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU
General Public License along with this program;
if not, write to:
the Free Software Foundation, Inc.,
59 Temple Place,
Suite 330, Boston,
MA 02111-1307 USA
*******************************************************
If you like my work and you have a job for me please contact me at: michel000@planet.nl
*******************************************************/
#include "includes.h"
/*
Autostart locations whose values are enumerated one by one, under both
HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER (see SearchStartupKeys).
The list is terminated by NULL.
*/
const char *szSubKeys[]={
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx",
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices",
NULL
};
/*
Pseudo root key passed to CreateString to mark a hit in a startup folder
(a file) instead of a registry value. The value does not match any of the
predefined HKEY_* handles CreateString compares against.
*/
#define HKEY_FILENAME (( HKEY ) 0x80000099 )
/*
Function Description:
go through all startup keys and search for szFile; when found, add it to the treeview (CProcInfo AddItem)
called by CProcInfo
Arguments:
IN szFile, Filename to search for
Returns:
void
*/
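void CStartup::SearchStartupKeys(char *szFile)
{
    char szData[MAX_PATH];
    DWORD dwDataSize,
          dwType;
    int i;
    /*
    The search string lives in a global so CompareStrings can see it from
    every enumeration routine.
    NOTE(review): strcpy is unbounded and the declaration of g_szFindString
    is not in this file; the caller is trusted to pass a path that fits.
    */
    strcpy(g_szFindString,szFile);
    /*
    Check normal startupkeys, per machine and per user
    */
    for(i=0;szSubKeys[i];i++)
    {
        EnumKeyValue(HKEY_LOCAL_MACHINE,szSubKeys[i]);
        EnumKeyValue(HKEY_CURRENT_USER,szSubKeys[i]);
    }
    /*
    check win.ini run & load
    NOTE: winNT stores these values in the registry, in win9x they are only visible in the file win.ini
    but because we only run on a nt system read them from the registry.
    GetKeyValue does the compare and the tree insert itself; the value data
    is not needed here. Order is HKLM run, HKLM load, HKCU run, HKCU load.
    */
    char szWinini[]="Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
    char szRun[] = "run";
    char szLoad[] = "load";
    HKEY ahRoots[2] = { HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER };
    char *aszWininiNames[2] = { szRun, szLoad };
    int iRoot, iName;
    for (iRoot=0;iRoot<2;iRoot++)
    {
        for (iName=0;iName<2;iName++)
        {
            dwDataSize=sizeof(szData);
            GetKeyValue(
                ahRoots[iRoot],
                szWinini,
                aszWininiNames[iName],
                &dwType,
                szData,
                &dwDataSize
            );
        }
    }
    /*
    Check system.ini Shell=
    NOTE: winNT stores these values in the registry, in win9x they are only visible in the file system.ini
    but because we only run on a nt system read them from the registry
    the default value is Shell=explorer.exe
    */
    dwDataSize=sizeof(szData);
    GetKeyValue(
        HKEY_LOCAL_MACHINE,
        "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
        "Shell",
        &dwType,
        szData,
        &dwDataSize
    );
    /*
    Check the startup dirs
    Only a string value can be used as a path. The data is NUL-terminated
    inside szData before use: RegQueryValueEx does not guarantee a
    terminator and SearchStartUpDir formats the buffer with sprintf.
    A REG_EXPAND_SZ value is passed on unexpanded, as before.
    */
    dwDataSize=sizeof(szData);
    if (GetKeyValue(
            HKEY_CURRENT_USER,
            "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
            "Startup",
            &dwType,
            szData,
            &dwDataSize) != NULL
        && (dwType == REG_SZ || dwType == REG_EXPAND_SZ)) {
        if (dwDataSize < sizeof(szData)) szData[dwDataSize]=0;
        else szData[sizeof(szData)-1]=0;
        SearchStartUpDir(szData);
    }
    dwDataSize=sizeof(szData);
    if (GetKeyValue(
            HKEY_LOCAL_MACHINE,
            "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
            "Common Startup",
            &dwType,
            szData,
            &dwDataSize) != NULL
        && (dwType == REG_SZ || dwType == REG_EXPAND_SZ)) {
        if (dwDataSize < sizeof(szData)) szData[dwDataSize]=0;
        else szData[sizeof(szData)-1]=0;
        SearchStartUpDir(szData);
    }
    /*
    Check Active Setup (StubPath of every installed component)
    */
    char szActiveSetup[] = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components";
    EnumKey(HKEY_LOCAL_MACHINE,szActiveSetup,"StubPath",NULL);
    /*
    Check if it is the screensaver
    */
    dwDataSize=sizeof(szData);
    GetKeyValue(
        HKEY_CURRENT_USER,
        "Control Panel\\Desktop",
        "SCRNSAVE.EXE",
        &dwType,
        szData,
        &dwDataSize
    );
    /*
    Check if it is registered as debugger for taskmgr (ctrl+alt+delete)
    */
    dwDataSize=sizeof(szData);
    GetKeyValue(HKEY_LOCAL_MACHINE,
        "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe",
        "debugger",
        &dwType,
        szData,
        &dwDataSize
    );
    /*
    Check shell\\open\\command (default value) of every class, both under
    HKLM\SOFTWARE\Classes and under HKEY_CLASSES_ROOT itself
    */
    EnumKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Classes",NULL,"\\shell\\open\\command");
    EnumKey(HKEY_CLASSES_ROOT,NULL,NULL,"\\shell\\open\\command");
    return;
}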
/*
Function Description:
Opens and read registrykey value
calls CompareStrings and CreateString
Called by SearchStartupKeys
Arguments:
IN hRootKey, Handle to root key
IN szKey, name of subkey
IN szName, Value name
OUT dwType, Points to a variable that receives the key’s value type
OUT szRet, Buffer for value
IN/OUT dwSize, on entry the size of szRet in bytes, on return the size of the data read
Returns:
szName if the value was read, NULL if the key or the value could not be opened
*/
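char *CStartup::GetKeyValue(
    HKEY hRootKey,
    char *szKey,
    char *szName,
    DWORD *dwType,
    char *szRet,
    DWORD *dwSize
)
{
    /*
    Reads one registry value and, when its data contains the search string,
    adds it to the tree through CreateString.
    *dwSize is the capacity of szRet on entry and the number of bytes the
    registry wrote on return. Returns szName when the value was read
    (matched or not) and NULL when the key or value could not be read;
    *dwType and szRet are only meaningful in the first case.
    */
    DWORD dwCapacity=*dwSize;
    bool bRead=false;
    HKEY hKey;
    if (RegOpenKeyEx(hRootKey,szKey,0,KEY_READ,&hKey) == ERROR_SUCCESS) {
        bRead=(RegQueryValueEx(hKey,szName,NULL,dwType,(LPBYTE)szRet,dwSize) == ERROR_SUCCESS);
        RegCloseKey(hKey);
    }
    if (!bRead) return NULL;
    /*
    RegQueryValueEx does not guarantee a terminating NUL for string data,
    while CreateString appends szRet with strcat. Terminate it inside the
    buffer; a value that filled the buffer completely loses its last byte.
    */
    if (dwCapacity > 0) {
        if (*dwSize < dwCapacity) szRet[*dwSize]=0;
        else szRet[dwCapacity-1]=0;
    }
    if (CompareStrings(szRet,*dwSize)) {
        CreateString(hRootKey,szKey,szName,szRet);
    }
    return szName;
}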
/*
Function Description:
Case-insensitive search for the global search string (g_szFindString) in a buffer
Called by GetKeyValue, EnumKey, EnumKeyValue and SearchStartUpDir
Arguments:
IN szData, Buffer to search
IN Size, Number of bytes of szData to consider
Returns:
true if the search string was found, false otherwise
*/
bool CStartup::CompareStrings(char *szData,int Size)
{
    /*
    Case-insensitive substring search for g_szFindString inside the first
    Size bytes of szData. Size is a byte count, not necessarily the index of
    a terminating NUL, so only offsets where the whole search string still
    fits are tried. Returns true at the first match.
    */
    const int iLen=strlen(g_szFindString);
    const int iLastStart=Size-iLen;
    int iPos=0;
    while (iPos <= iLastStart) {
        if (_strnicmp(szData+iPos,g_szFindString,iLen) == 0) return true;
        iPos++;
    }
    return false;
}
/*
Function Description:
Adds a key or filename to tree view
calls CProcInfo AddItem
called by CStartup
Arguments:
IN hRootKey, Handle to root key or HKEY_FILENAME
IN szBuffer, Key name or pathname if hRootKey == HKEY_FILENAME
IN szValue, Key value or filename if hRootKey == HKEY_FILENAME
IN szData, Value Data or ignored if hRootKey == HKEY_FILENAME
Returns:
void
*/
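/*
Bounded append used to build the tree-view text: like strcat, but never
writes past szDst[cbDst-1]. A source that does not fit is truncated and a
NULL source is ignored.
*/
static void AppendBounded(char *szDst,size_t cbDst,const char *szSrc)
{
    size_t cbUsed=strlen(szDst);
    if (szSrc == NULL || cbUsed+1 >= cbDst) return;
    strncat(szDst,szSrc,cbDst-cbUsed-1);
}
void CStartup::CreateString(
    HKEY hRootKey,
    const char *szBuffer,
    const char *szValue,
    const char *szData
)
{
    char szBigBuf[MAX_PATH*3];
    int iItem=TREE_KEY;
    const char *szRootName;
    /*
    The predefined HKEY_* values are handles; compare them directly instead
    of switching on (DWORD)hRootKey, which truncates on a 64-bit build.
    An unknown root produces no tree entry, as before.
    */
    if (hRootKey == HKEY_LOCAL_MACHINE) szRootName="HKEY_LOCAL_MACHINE\\";
    else if (hRootKey == HKEY_CURRENT_USER) szRootName="HKEY_CURRENT_USER\\";
    else if (hRootKey == HKEY_CLASSES_ROOT) szRootName="HKEY_CLASSES_ROOT\\";
    else if (hRootKey == HKEY_USERS) szRootName="HKEY_USERS\\";
    else if (hRootKey == HKEY_FILENAME) szRootName=NULL;
    else return;
    if (szRootName == NULL) {
        /* "File: <dir>\<name>"; szData is ignored for filesystem hits */
        strcpy(szBigBuf,"File: ");
        AppendBounded(szBigBuf,sizeof(szBigBuf),szBuffer);
        AppendBounded(szBigBuf,sizeof(szBigBuf),"\\");
        AppendBounded(szBigBuf,sizeof(szBigBuf),szValue);
        iItem=TREE_FILE;
    }
    else {
        /*
        "<root>\<key> Name: <value|Default> Data: <data>"
        The three parts can each be up to MAX_PATH, which together with the
        labels exceeds szBigBuf, hence the bounded appends.
        */
        strcpy(szBigBuf,szRootName);
        AppendBounded(szBigBuf,sizeof(szBigBuf),szBuffer);
        AppendBounded(szBigBuf,sizeof(szBigBuf)," Name: ");
        AppendBounded(szBigBuf,sizeof(szBigBuf),szValue ? szValue : "Default");
        AppendBounded(szBigBuf,sizeof(szBigBuf)," Data: ");
        AppendBounded(szBigBuf,sizeof(szBigBuf),szData);
    }
    /* the parent node is created lazily on the first hit */
    if (m_hItem == NULL) m_hItem = CExtra->AddItem("Possible Startup key's",m_hRoot,m_Icon,TREE_KEYS_MAIN);
    CExtra->AddItem(szBigBuf,m_hItem,m_Icon,iItem);
}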
/*
Function Description:
Enumerates the subkeys of a registry key and reads one value from each subkey
calls CompareStrings CreateString
called by SearchStartupKeys
Arguments:
IN hRootKey, Handle to root key
IN szRootKey, Key name or NULL
IN szValue, name of the value to read from each subkey (NULL for the default value)
IN szRunAs, suffix appended to each subkey name (for example "\\shell\\open\\command") or NULL
Returns:
void
*/
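void CStartup::EnumKey(HKEY hRootKey,char *szRootKey,char *szValue,char *szRunAs)
{
    /*
    For every subkey of hRootKey\szRootKey (or of hRootKey itself when
    szRootKey is NULL) opens "<szRootKey>\<subkey><szRunAs>", reads szValue
    and reports it through CreateString when the data contains the search
    string. Subkeys whose composed path does not fit in MAX_PATH are
    skipped.
    */
    FILETIME ft;
    char szData[MAX_PATH];
    DWORD dwDataSize,
          dwType;
    HKEY hSubKey;
    char szKey[MAX_PATH];
    char szBuffer[MAX_PATH];
    size_t cbPrefix=0;        /* length of "<szRootKey>\" at the start of szBuffer */
    DWORD dwKeySize,
          dwIndex=0;
    long lRet;
    HKEY hKey;
    bool bOpened=false;       /* true when hKey was opened here and must be closed */
    if (szRootKey) {
        cbPrefix=strlen(szRootKey)+1;
        /* prefix plus terminator must leave room for at least one character */
        if (cbPrefix+1 > sizeof(szBuffer)) return;
        strcpy(szBuffer,szRootKey);
        szBuffer[cbPrefix-1]='\\';
        szBuffer[cbPrefix]=0;
        if (RegOpenKeyEx(hRootKey,szRootKey,0,KEY_READ,&hKey) != ERROR_SUCCESS) return;
        bOpened=true;
    }
    else {
        szBuffer[0]=0;
        hKey=hRootKey;        /* enumerate the root itself, e.g. HKEY_CLASSES_ROOT */
    }
    while (1) {
        dwKeySize=sizeof(szKey);
        lRet=RegEnumKeyEx(hKey,dwIndex,szKey,&dwKeySize,NULL,NULL,NULL,&ft);
        if (lRet == ERROR_NO_MORE_ITEMS) break;
        if (lRet == ERROR_SUCCESS) {
            /*
            Build the subkey path in place. The unbounded strcpy/strcat this
            replaces could overrun szBuffer when the prefix was non-empty.
            */
            size_t cbNeeded=cbPrefix+strlen(szKey)+(szRunAs ? strlen(szRunAs) : 0)+1;
            if (cbNeeded <= sizeof(szBuffer)) {
                strcpy(szBuffer+cbPrefix,szKey);
                if (szRunAs) {
                    strcat(szBuffer+cbPrefix,szRunAs);
                }
                if (RegOpenKeyEx(hRootKey,szBuffer,0,KEY_READ,&hSubKey) == ERROR_SUCCESS) {
                    dwDataSize=sizeof(szData);
                    if (RegQueryValueEx(hSubKey,szValue,NULL,&dwType,(LPBYTE)szData,&dwDataSize) == ERROR_SUCCESS) {
                        /* string data is not guaranteed NUL-terminated; CreateString strcat's it */
                        if (dwDataSize < sizeof(szData)) szData[dwDataSize]=0;
                        else szData[sizeof(szData)-1]=0;
                        if (CompareStrings(szData,dwDataSize)) {
                            CreateString(hRootKey,szBuffer,szValue,szData);
                        }
                    }
                    RegCloseKey(hSubKey);
                }
            }
        }
        dwIndex++;
    }
    /* only close what this function opened; hKey may be a predefined root handle */
    if (bOpened) RegCloseKey(hKey);
    return;
}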
/*
Function Description:
Enumerates the values of a registry key and reports the string values whose data contains the search string
calls CompareStrings CreateString
called by SearchStartupKeys
Arguments:
IN hRootKey, Handle to root key
IN szKey, name of the subkey whose values are enumerated
Returns:
number of values enumerated, 0 if the key could not be opened
*/
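int CStartup::EnumKeyValue(HKEY hRootKey,const char *szKey)
{
    /*
    Walks every value under hRootKey\szKey and reports the REG_SZ /
    REG_EXPAND_SZ values whose data contains the search string.
    Returns the number of values visited, 0 when the key cannot be opened.
    A value whose name or data does not fit in MAX_PATH bytes is returned
    by RegEnumValue as ERROR_MORE_DATA and is skipped, so a very long
    autorun command line is not reported.
    */
    char szValueName[MAX_PATH];
    char szData[MAX_PATH];
    DWORD dwValueSize,
          dwDataSize,
          dwIndex=0,
          dwType;
    LONG lRet;
    HKEY hKey;
    if (RegOpenKeyEx(hRootKey,szKey,0,KEY_READ,&hKey) != ERROR_SUCCESS) return 0;
    while (1) {
        dwValueSize=sizeof(szValueName);
        dwDataSize=sizeof(szData);
        lRet=RegEnumValue(hKey,dwIndex,szValueName,&dwValueSize,NULL,&dwType,(LPBYTE)szData,&dwDataSize);
        if (lRet == ERROR_NO_MORE_ITEMS) break;
        if (lRet == ERROR_SUCCESS && (dwType == REG_SZ || dwType == REG_EXPAND_SZ)) {
            /* string data is not guaranteed NUL-terminated; CreateString strcat's it */
            if (dwDataSize < sizeof(szData)) szData[dwDataSize]=0;
            else szData[sizeof(szData)-1]=0;
            if (CompareStrings(szData,dwDataSize)) {
                CreateString(hRootKey,szKey,szValueName,szData);
            }
        }
        dwIndex++;
    }
    RegCloseKey(hKey);
    return dwIndex;
}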
/*
Function Description:
Search a directory and its subdirectories for a filename matching the search string
calls CompareStrings CreateString
called by SearchStartupKeys
Arguments:
IN szDir, Directory to start search in
Returns:
void
*/
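void CStartup::SearchStartUpDir(char *szDir)
{
    /*
    Recursively lists szDir; every file whose name contains the search
    string is reported through CreateString with HKEY_FILENAME.
    Directories starting with '.' are not entered (this covers "." and "..").
    */
    HANDLE hFindData;
    WIN32_FIND_DATA WFD;
    char szFindBuffer[512];
    char Buffer[512];
    if (szDir == NULL) return;
    size_t cbDir=strlen(szDir);
    /* "<dir>\*" plus terminator must fit before sprintf is used */
    if (cbDir+3 > sizeof(szFindBuffer)) return;
    sprintf(szFindBuffer,"%s\\*",szDir);
    hFindData = FindFirstFile(szFindBuffer, &WFD);
    /*
    FindFirstFile reports failure with INVALID_HANDLE_VALUE, not NULL; the
    old NULL test let a missing directory fall through into the loop with
    an uninitialised WFD.
    */
    if (hFindData == INVALID_HANDLE_VALUE) return;
    do {
        if ((WFD.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) && *WFD.cFileName != '.') {
            /* only recurse when "<dir>\<name>" fits in Buffer */
            if (cbDir+1+strlen(WFD.cFileName)+1 <= sizeof(Buffer)) {
                sprintf(Buffer,"%s\\%s",szDir,WFD.cFileName);
                SearchStartUpDir(Buffer);
            }
        }
        else if (CompareStrings(WFD.cFileName,strlen(WFD.cFileName))) {
            CreateString((HKEY)HKEY_FILENAME,szDir,WFD.cFileName,WFD.cAlternateFileName);
        }
    } while (FindNextFile(hFindData, &WFD));
    FindClose(hFindData);
    return;
}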