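/// <summary>
/// Handles a change notification for the machine-wide Run key
/// (HKLM\Software\Microsoft\Windows\CurrentVersion\Run) and reconciles the
/// tracked snapshot in <c>localMachineReg</c> with the key's current contents.
/// </summary>
/// <param name="sender">Event source; not used.</param>
/// <param name="e">WMI event arguments; not used — the key is re-read directly.</param>
/// <remarks>
/// Every value name not yet in <c>localMachineReg</c> is reported as a new startup
/// item (via <c>addRegistry</c> and the log writer <c>w</c>) and added to the snapshot;
/// every tracked name no longer present in the key is dropped from the snapshot and
/// reported via <c>removedEntry</c>. The snapshot dictionary is mutated without
/// synchronization, so this handler assumes events are delivered one at a time.
/// </remarks>
private void localMachineEvent(object sender, EventArrivedEventArgs e)
{
    const string runKeyPath = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    // Display form used in reports and log lines; note the trailing separator so a
    // value name can be appended directly (the original log line omitted it and
    // produced "...\Run<name>").
    const string runKeyDisplay = "HKLM\\" + runKeyPath + "\\";

    Console.WriteLine("Event");

    // RegistryKey is IDisposable; dispose the handle instead of leaking one per event.
    using (RegistryKey key = Registry.LocalMachine.OpenSubKey(runKeyPath))
    {
        // OpenSubKey returns null when the key does not exist. Return rather than
        // dereference it; the snapshot is left untouched so nothing is misreported.
        if (key == null)
        {
            Console.WriteLine("Run key not found");
            return;
        }

        // Read the value names once and use the same snapshot for both the add pass
        // and the remove pass, so the two cannot disagree if the key changes while
        // this handler runs. This also avoids re-querying the registry for every
        // tracked entry, which the original did inside the removal loop.
        string[] names = key.GetValueNames();
        HashSet<string> currentNames = new HashSet<string>(names);

        foreach (string name in names)
        {
            if (localMachineReg.ContainsKey(name))
            {
                continue;
            }

            Console.WriteLine("New Entry");
            string value = Convert.ToString(key.GetValue(name));

            // Heuristic only: a command line mentioning ".vbs" is labelled as
            // persistence, anything else as a plain new startup item. The match is
            // case-insensitive so ".VBS" cannot slip past the check. Other script
            // hosts (.js, .ps1, .hta, ...) are not classified here — extend
            // deliberately if that is wanted.
            string detect = value.IndexOf(".vbs", StringComparison.OrdinalIgnoreCase) >= 0
                ? "System Persistence"
                : "New Startup Item";

            RegistryKeyObject evt = new RegistryKeyObject();
            evt.Key = runKeyDisplay;
            evt.KeyName = name;
            evt.Detection = "Persistence";
            evt.KeyType = "System Startup";
            evt.Path = runKeyDisplay + name;
            addRegistry(this, evt);

            // Local, culture-dependent timestamp kept for log compatibility; read the
            // clock once so date and time cannot straddle a boundary. UTC / ISO 8601
            // would be easier to correlate with other sources.
            DateTime now = DateTime.Now;
            string date = now.ToShortDateString() + " " + now.ToShortTimeString();
            w.write(date, runKeyDisplay + name + " - " + value, detect);
            localMachineReg.Add(name, value);
        }

        // Entries that were tracked but are no longer in the key have been removed.
        // Collect first; the dictionary cannot be modified while enumerating it.
        List<string> removed = new List<string>();
        foreach (string tracked in localMachineReg.Keys)
        {
            if (!currentNames.Contains(tracked))
            {
                removed.Add(tracked);
            }
        }

        foreach (string tracked in removed)
        {
            localMachineReg.Remove(tracked);
            removedEntry(this, tracked);
        }
    }
}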