Forums
Main Category
General (Technical,...
Enscript Registry C...
 
Notifications
Clear all

Enscript Registry Class, multiple ntuser.dats

 
Page 2 / 2
General (Technical, Procedural, Software, Hardware etc.)
Last Post by Chris_Ed 13 years ago
16 Posts
4 Users
0 Reactions
1,700 Views
RSS
 jonstewart
(@jonstewart)
Eminent Member
Joined: 16 years ago
Posts: 47
24/07/2012 7:35 pm  

Hi Todd,

Were you able to get this to work? I don't have a good way to test this at the moment, but my memory is that EnCase will resolve the hive & key on the volume itself. That is, you don't have to pass in the "right" EntryClass object of the hive–EnCase will find it based on the volume of the EntryClass.

The downside is that you then lose control of processing specific registry hives. But, like I said, this is my memory and I haven't tested to reconfirm… so I'm curious as to whether my memory is correct.

cheers,

Jon


   
ReplyQuote
 toddjulius
(@toddjulius)
Active Member
Joined: 13 years ago
Posts: 11
Topic starter 24/07/2012 8:28 pm  

Hi jon,
Thanks for following up. i did get this to work and sent Chris quite an efusive thank You.Once I isolated the NtUser.dat file I was interested in by using its Isseelected Property, All the dataconfusion cleared up. I also used the Hkey_Entry_hive instead of HKey_Current user. as Chris suggestedI still dont understand how iEntryhive functions in encase and why I needed it. but it all works. I'm happy to share what I wrote with anyone who wants it. just PM me and 'll send it along. Thanks all!


   
ReplyQuote
 jonstewart
(@jonstewart)
Eminent Member
Joined: 16 years ago
Posts: 47
24/07/2012 8:33 pm  

Ah… HKEY_ENTRY_HIVE is the magic bit that tells EnCase to use the current entry as the hive. Cool.

Jon


   
ReplyQuote
 toddjulius
(@toddjulius)
Active Member
Joined: 13 years ago
Posts: 11
Topic starter 26/07/2012 9:04 pm  

Hello,
'm writing an enscript to pull multiple typed urltimevalues out of a uses registry. I have code to load multiple rreadvalue commands as below

RegCommandClass command1(cmds,
"TypedUrltime1",
RegCommandClassREADVALUE,
RegCommandClassHKEY_ENTRY_HIVE,
"Software\\Microsoft\\Internet Explorer\\TypedURLsTime",
"Url1",
0,
0xffffffff),command2(cmds,
"TypedUrltime2",
RegCommandClassREADVALUE,
RegCommandClassHKEY_ENTRY_HIVE,
"Software\\Microsoft\\Internet Explorer\\TypedURLsTime",
"Url2",
0,
0xffffffff);

My undersstanding is a single Reg.Run(cmds,regValues) will execute all the commands. To pull the values do I simply execute multiple find commands at any point i desire the values, or all together sequentially in the same order of the commands,i.e?

v1=regValues.Find("TypedUrltime1");
v2=regValues.Find("TypedUrltime2");

thoughts? hints? thank you,
Todd


   
ReplyQuote
 jonstewart
(@jonstewart)
Eminent Member
Joined: 16 years ago
Posts: 47
26/07/2012 9:07 pm  

Yeah, the retrieved values will all be in a tree structure, so you can use find or forall(), etc. When you're debugging, it'd probably be good to throw the results into a TreeTableEditClass dialog so you can see what things look like.

cheers,

Jon


   
ReplyQuote
Chris_Ed
 Chris_Ed
(@chris_ed)
Reputable Member
Joined: 16 years ago
Posts: 314
26/07/2012 9:20 pm  

Jon,

Any chance of an example? The TreeTableEdit EnScript help entry is a bit.. "obtuse".. )

Thanks,

Chris


   
ReplyQuote
Page 2 / 2
Forum Jump:
  Previous Topic
Next Topic  
Share: