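/// <summary>
/// Event handler that re-reads the current user's Run key and reconciles it with
/// the tracked <c>currentUserReg</c> snapshot: value names not yet tracked are
/// logged through <c>w.write</c> and reported through <c>addRegistry</c>; tracked
/// names that are no longer present are dropped and reported through
/// <c>removedEntry</c>.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">Event payload; not used, the key is always re-enumerated in full.</param>
private void currentUserEvent(object sender, EventArrivedEventArgs e)
{
    const string runSubKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    const string runKeyPath = "HKCU\\" + runSubKey;

    // Dispose the handle on every invocation; the handler runs once per event,
    // so an undisposed RegistryKey would leak a handle each time.
    using (RegistryKey key = Registry.CurrentUser.OpenSubKey(runSubKey))
    {
        // OpenSubKey returns null when the key does not exist. Treat that as
        // "no startup values" so tracked entries are reported as removed
        // instead of the handler failing with a NullReferenceException.
        string[] names = key != null ? key.GetValueNames() : new string[0];

        // NOTE(review): only value *names* are compared against the snapshot.
        // A change to the data of an already-tracked name is not reported here.
        foreach (string name in names)
        {
            if (currentUserReg.ContainsKey(name))
            {
                continue;
            }

            // Convert.ToString yields an empty string if the value vanished
            // between enumeration and this read.
            string value = Convert.ToString(key.GetValue(name));

            builder.Clear();
            builder.Append(runKeyPath + "\\");
            builder.Append(name);
            builder.Append(" - ");
            builder.Append(value);

            // Case-insensitive match so ".VBS" / ".Vbs" are classified the same
            // as ".vbs". This is a substring heuristic on the value data only.
            bool referencesVbs = value.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0;
            string detect = referencesVbs ? "User Persistence" : "New Startup Item";

            RegistryKeyObject evt = new RegistryKeyObject();
            evt.Key = runKeyPath;
            evt.KeyName = name;
            evt.Detection = "Persistence";
            evt.KeyType = "User Startup";
            evt.Path = runKeyPath + "\\" + name;
            addRegistry(this, evt);

            // Read the clock once so the date and time parts come from the same instant.
            DateTime now = DateTime.Now;
            string date = now.ToShortDateString() + " " + now.ToShortTimeString();
            w.write(date, builder.ToString(), detect);

            currentUserReg.Add(name, value);
        }

        // Enumerate the key once (above) and use a set for membership checks
        // rather than re-reading the registry for every tracked entry.
        HashSet<string> present = new HashSet<string>(names);

        // Collect first, then remove: the snapshot cannot be modified while
        // its Keys collection is being enumerated.
        List<string> toremove = new List<string>();
        foreach (string tracked in currentUserReg.Keys)
        {
            if (!present.Contains(tracked))
            {
                toremove.Add(tracked);
            }
        }

        foreach (string gone in toremove)
        {
            currentUserReg.Remove(gone);
            removedEntry(this, gone);
        }
    }
}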