|
|
/*++
Copyright (c) 1998 Microsoft Corporation
Module Name:
regmain.c
Abstract:
Main module. Data definitions.
Author:
Dragos C. Sambotin (dragoss) 30-Dec-1998
Revision History:
--*/
#include "chkreg.h"
// check the hive structure.
BOOLEAN CheckHive = TRUE;
// compact the hive.
BOOLEAN CompactHive = FALSE;
// check for lost space (marked as used but not reffered).
BOOLEAN LostSpace = FALSE;
// repair damaged hives.
BOOLEAN FixHive = FALSE;
// repair damaged hives.
BOOLEAN SpaceUsage = FALSE;
// maximum level to dump
ULONG MaxLevel = 0;
// bin to examine space display
LONG BinIndex = -1;
// the hive file name
TCHAR *Hive = NULL;
// the root of the hive
HCELL_INDEX RootCell;
// Usage string
char *Usage="\
Checks a hive file and perform repairs, compacts or displays a status report.\n\n\CHKREG /F <filename[.<LOG>]> [/H] [/D [<level>] [/S [<bin>]] [/C] [/L] [/R]\n\n\ <filename> FileName of hive to be analyzed\n\ /H This manual\n\ /D [<level>] Dump subkeys up to level <level>. If level is not\n\ specified, dumps the entire hive. No checks are done\n\ when dumping.\n\ /S [<bin>] Displays space usage for the bin <bin>. When bin is\n\ not specified, displays usage for the entire hive.\n\ /C Compacts the hive. Bad hives cannot be compacted.\n\ The compacted hive will be written to <filename>.BAK\n\ /L Lost space detection.\n\ /R Repair the hive.\n\ ";
// Lost Space Warning
char *LostSpaceWarning="\n\
WARNING : Lost space detection may take a while. Are you sure you want this (y/n)?";
// Starting address of the in-memory maped hive image
PUCHAR Base;
// LostCells list used for lost space detection
UNKNOWN_LIST LostCells[FRAGMENTATION];
// OutputFile : future changes may use it to write the results to a file rather than to stdout
FILE *OutputFile;
#define NAME_BUFFERSIZE 2000
UNICODE_STRING KeyName;WCHAR NameBuffer[NAME_BUFFERSIZE];
// Miscelaneous variables used fo data statistics
ULONG TotalKeyNode=0;ULONG TotalKeyValue=0;ULONG TotalKeyIndex=0;ULONG TotalKeySecurity=0;ULONG TotalValueIndex=0;ULONG TotalUnknown=0;
ULONG CountKeyNode=0;ULONG CountKeyValue=0;ULONG CountKeyIndex=0;ULONG CountKeySecurity=0;ULONG CountValueIndex=0;ULONG CountUnknown=0;
ULONG CountKeyNodeCompacted=0;
ULONG TotalFree=0; ULONG FreeCount=0; ULONG TotalUsed=0;
PHBIN FirstBin;PHBIN MaxBin;ULONG HiveLength;
#define OPTION_MODE 0
#define FILE_MODE 1
#define LEVEL_MODE 2
#define BIN_MODE 3
VOIDChkDumpLogFile( PHBASE_BLOCK BaseBlock,ULONG Length );
VOIDParseArgs ( int argc, char *argv[] ){
char *p; int i; // specified what should we expect from the command line
int iMode = OPTION_MODE; for(i=0;i<argc;i++) { p = argv[i]; if ( *p == '/' || *p == '-' ) { // option mode
p++; iMode = OPTION_MODE; while ((*p != '\0') && (*p != ' ')) { switch (*p) { case 'h': case 'H': case '?': fprintf(stderr, "%s\n", Usage); ExitProcess(1); break; case 'f': case 'F': iMode = FILE_MODE; break; case 'd': case 'D': iMode = LEVEL_MODE; // when not specified, dump at least 100 levels
MaxLevel = 100; CheckHive = FALSE; break; case 's': case 'S': SpaceUsage = TRUE; iMode = BIN_MODE; break; case 'c': case 'C': p++; CompactHive = TRUE; break; case 'l': case 'L': p++; LostSpace = TRUE; break; case 'r': case 'R': p++; FixHive = TRUE; break; default: break; } if( iMode != OPTION_MODE ) { // break the loop; ignore the rest of the current argv
break; } } // while
} else { switch(iMode) { case FILE_MODE: Hive = argv[i]; break; case LEVEL_MODE: MaxLevel = (ULONG) atol(argv[i]); break; case BIN_MODE: BinIndex = (LONG) atol(argv[i]); break; default: break; } } } }
__cdeclmain( int argc, char *argv[] ){ ULONG FileIndex; HANDLE myFileHandle, myMMFHandle; LPBYTE myMMFViewHandle; BYTE lowChar, hiChar, modVal; DWORD dwFileSize; ULONG Index,Index2;
PHBASE_BLOCK PHBaseBlock; PHBIN NewBins; ULONG Offset; ULONG CellCount; ULONG SizeCount;
REG_USAGE TotalUsage; DWORD dwHiveFileAccess = GENERIC_READ; DWORD flHiveViewProtect = PAGE_READONLY; DWORD dwHiveViewAccess = FILE_MAP_READ; ParseArgs( argc, argv );
if (!Hive) { fprintf(stderr, "\nMust provide a hive name !!!\n\n"); fprintf(stderr, "%s\n", Usage); ExitProcess(-1); }
if(LostSpace) { // are you sure you want lost cells detection? It may take a while!
int chLost; fprintf(stdout, "%s",LostSpaceWarning); fflush(stdin); chLost = getchar(); if( (chLost != 'y') && (chLost != 'Y') ) { // he changed his mind
LostSpace = FALSE; } fprintf(stderr, "\n"); }
if( FixHive ) { dwHiveFileAccess |= GENERIC_WRITE; flHiveViewProtect = PAGE_READWRITE; dwHiveViewAccess = FILE_MAP_WRITE; } /* Create temporary file for mapping. */ if ((myFileHandle = CreateFile (Hive, dwHiveFileAccess, 0 , NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)) == (HANDLE) INVALID_HANDLE_VALUE) /* Bad handle */ { fprintf(stderr,"Could not create file %s\n", Hive); exit(-1); }
// Get the size of the file. I am assuming here that the
// file is smaller than 4 GB.
dwFileSize = GetFileSize(myFileHandle, NULL);
/* If we get here, we managed to name and create a temp file. Now we need
to create a mapping */
myMMFHandle = CreateFileMapping (myFileHandle, NULL, flHiveViewProtect, 0, dwFileSize, NULL); if (myMMFHandle == (HANDLE) INVALID_HANDLE_VALUE) { fprintf(stderr,"Could not map file %s\n", Hive); exit(-1); }
/* So we've mapped the file. Now try to map a view */
myMMFViewHandle = (LPBYTE) MapViewOfFile (myMMFHandle, dwHiveViewAccess, 0, 0, dwFileSize); if (!myMMFViewHandle) { fprintf(stderr,"Could not map view of file %s error = %lx\n", Hive,(ULONG)GetLastError()); exit(-1); }
/* Now we have a view. Read through it */
PHBaseBlock = (PHBASE_BLOCK) myMMFViewHandle;
if( strstr(Hive,".LOG") != NULL ) { // dumping log file
ChkDumpLogFile(PHBaseBlock,MaxLevel); } else {/*
if (PHBaseBlock->Minor < 4) { fprintf(stderr,"Hive version %d is too old, must be 3 or later\n", PHBaseBlock->Minor); ExitProcess(-1); }*/ // Initialization stuff
for(Index =0;Index<FRAGMENTATION;Index++) { LostCells[Index].Count = 0; for(Index2 = 0;Index2<SUBLISTS;Index2++) { LostCells[Index].List[Index2] = NULL; } } RootCell = PHBaseBlock->RootCell; OutputFile = stdout; Base = (PUCHAR)(PHBaseBlock) + HBLOCK_SIZE;
Offset=HBLOCK_SIZE; HiveLength = PHBaseBlock->Length;
MaxBin= (PHBIN) (Base + HiveLength); FirstBin = (PHBIN) (Base);
KeyName.Buffer = NameBuffer; KeyName.MaximumLength = NAME_BUFFERSIZE;
ChkBaseBlock(PHBaseBlock,dwFileSize); ChkSecurityDescriptors();
ChkPhysicalHive();
if (MaxLevel) { fprintf(stdout,"%6s,%6s,%7s,%10s, %s\n", "Keys", "Values", "Cells", "Size", "SubKeys"); }
DumpChkRegistry(0, 0, PHBaseBlock->RootCell,HCELL_NIL,&TotalUsage);
if(LostSpace) { // clear the dirt on the screen
fprintf(OutputFile,"\r \n"); }
DumpUnknownList(); FreeUnknownList();
fprintf(OutputFile,"\nSUMMARY: \n"); fprintf(OutputFile,"%15s,%15s, %s\n", "Cells", "Size", "Category");
fprintf(OutputFile,"%15lu,%15lu, Keys\n", CountKeyNode, TotalKeyNode ); fprintf(OutputFile,"%15lu,%15lu, Values\n", CountKeyValue, TotalKeyValue ); fprintf(OutputFile,"%15lu,%15lu, Key Index\n", CountKeyIndex, TotalKeyIndex ); fprintf(OutputFile,"%15lu,%15lu, Value Index\n", CountValueIndex, TotalValueIndex ); fprintf(OutputFile,"%15lu,%15lu, Security\n", CountKeySecurity, TotalKeySecurity ); fprintf(OutputFile,"%15lu,%15lu, Data\n", CountUnknown - CountValueIndex, TotalUnknown - TotalValueIndex );
fprintf(OutputFile,"%15lu,%15lu, Free\n", FreeCount, TotalFree );
CellCount = CountKeyNode + CountKeyValue + CountKeyIndex + CountKeySecurity + CountUnknown + FreeCount;
SizeCount = TotalKeyNode + TotalKeyValue + TotalKeyIndex + TotalKeySecurity + TotalUnknown + TotalFree;
fprintf(OutputFile,"%15lu,%15lu, %s\n", CellCount, SizeCount, "Total Hive");
fprintf(OutputFile,"\n%15lu compacted keys (all related cells in the same view)\n",CountKeyNodeCompacted); } UnmapViewOfFile(myMMFViewHandle); CloseHandle(myMMFHandle); CloseHandle(myFileHandle);
if(CompactHive) { DoCompactHive(); }
return(0);}
|
