foreach ($sources as $source => $keys) { if (count($keys) == 2 and isset($keys['type']) and isset($keys['value']) or !is_array($keys)) { //Do nothing } else { foreach ($keys as $key => $data) { if (substr($key, -11) == 'MessageFile' and !empty($data['value'])) { if (!isset($messageFiles[$log])) { $messageFiles[$log] = array(); } if (!isset($messageFiles[$log][$source])) { $messageFiles[$log][$source] = array(); } $messageFiles[$log][$source][] = $data['value']; } else { if ($key == 'providerGuid' and !empty($data['value'])) { $providerArray = Win32RegistryIterator($o_Win32Registry = new COM('winmgmts://./root/default:StdRegProv'), HKEY_LOCAL_MACHINE, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Publishers\\' . $data['value']); foreach ($providerArray as $pkey => $pvalue) { if ($pkey == '(Default)') { $messageFiles[$log][$source]['sourceName'] = $pvalue['value']; } if ($pkey == 'MessageFileName') { $messageFiles[$log][$source][] = $pvalue['value']; } } } } } } } } $logfiles_array = array();
function Win32RegistryIterator(COM $o_Win32Registry, $i_HiveKey, $s_RootKey) { static $i_Depth = -1; static $a_RegTypes = array(1 => 'REG_SZ (1)', 2 => 'REG_EXPAND_SZ (2)', 3 => 'REG_BINARY (3)', 4 => 'REG_DWORD (4)', 7 => 'REG_MULTI_SZ (7)', 10 => 'REG_RESOURCE_REQUIREMENT_LIST (10)'); $a_Keys = new VARIANT(); $a_Names = new VARIANT(); $a_Types = new VARIANT(); $i_EnumKeyState = $o_Win32Registry->EnumKey($i_HiveKey, $s_RootKey, $a_Keys); $i_EnumValuesState = $o_Win32Registry->EnumValues($i_HiveKey, $s_RootKey, $a_Names, $a_Types); if (VT_NULL !== variant_get_type($a_Keys)) { foreach ($a_Keys as $i_Key => $s_Key) { echo '[', $s_Key, ']', PHP_EOL; Win32RegistryIterator($o_Win32Registry, $i_HiveKey, $s_RootKey . '\\' . $s_Key); } } if (VT_NULL !== variant_get_type($a_Names)) { $a_ExtractedTypes = array(); foreach ($a_Types as $i_Type) { $a_ExtractedTypes[] = $i_Type; } foreach ($a_Names as $i_Name => $s_Name) { $m_RegValue = new VARIANT(); echo $i_Name, ' => ', '' === $s_Name ? '(Default)' : $s_Name, ' of type ', $a_RegTypes[$a_ExtractedTypes[$i_Name]], ' with a value of '; switch ($a_ExtractedTypes[$i_Name]) { case 1: // REG_SZ $o_Win32Registry->GetStringValue($i_HiveKey, $s_RootKey, $s_Name, $m_RegValue); echo '"', $m_RegValue, '"'; break; case 2: // REG_EXPAND_SZ $o_Win32Registry->GetExpandedStringValue($i_HiveKey, $s_RootKey, $s_Name, $m_RegValue); echo '"', $m_RegValue, '"'; break; case 3: // REG_BINARY // REG_BINARY case 10: // REG_RESOURCE_REQUIREMENT_LIST $o_Win32Registry->GetBinaryValue($i_HiveKey, $s_RootKey, $s_Name, $m_RegValue); if (VT_NULL !== variant_get_type($m_RegValue)) { foreach ($m_RegValue as $i_RegValue) { echo str_pad(dechex($i_RegValue), 2, '0', STR_PAD_LEFT), ' '; } } break; case 4: // REG_DWORD $o_Win32Registry->GetDWORDValue($i_HiveKey, $s_RootKey, $s_Name, $m_RegValue); echo '0x', str_pad(dechex($m_RegValue), 8, '0', STR_PAD_LEFT), ' (', $m_RegValue, ')'; break; case 7: // REG_MUTLI_SZ $o_Win32Registry->GetMultiStringValue($i_HiveKey, $s_RootKey, $s_Name, $m_RegValue); if (VT_NULL !== variant_get_type($m_RegValue)) { try { foreach ($m_RegValue as $s_RegValue) { echo PHP_EOL, $s_RegValue; } } catch (com_exception $e) { // As yet, I cannot determine if the $m_RegValue is empty for a REG_MULTI_SZ, // so catch the exception and test that instead. if (-2147352565 !== $e->getCode()) { throw $e; } } } break; } echo PHP_EOL; } } }
function Win32RegistryIterator(COM $o_Win32Registry, $i_HiveKey, $s_RootKey) { static $i_Depth = -1; static $a_RegTypes = array(1 => 'REG_SZ (1)', 2 => 'REG_EXPAND_SZ (2)', 3 => 'REG_BINARY (3)', 4 => 'REG_DWORD (4)', 7 => 'REG_MULTI_SZ (7)', 10 => 'REG_RESOURCE_REQUIREMENT_LIST (10)'); $return = array(); $a_Keys = new VARIANT(); $a_Names = new VARIANT(); $a_Types = new VARIANT(); $i_EnumKeyState = $o_Win32Registry->EnumKey($i_HiveKey, $s_RootKey, $a_Keys); $i_EnumValuesState = $o_Win32Registry->EnumValues($i_HiveKey, $s_RootKey, $a_Names, $a_Types); if (VT_NULL !== variant_get_type($a_Keys)) { foreach ($a_Keys as $i_Key => $s_Key) { $return[$s_Key] = Win32RegistryIterator($o_Win32Registry, $i_HiveKey, $s_RootKey . '\\' . $s_Key); } } if (VT_NULL !== variant_get_type($a_Names)) { $a_ExtractedTypes = array(); foreach ($a_Types as $i_Type) { $a_ExtractedTypes[] = $i_Type; } foreach ($a_Names as $i_Name => $s_Name) { $m_RegValue = new VARIANT(); switch ($a_ExtractedTypes[$i_Name]) { case 1: // REG_SZ $o_Win32Registry->GetStringValue($i_HiveKey, $s_RootKey, $s_Name, $m_RegValue); break; case 2: // REG_EXPAND_SZ $o_Win32Registry->GetExpandedStringValue($i_HiveKey, $s_RootKey, $s_Name, $m_RegValue); break; case 3: // REG_BINARY // REG_BINARY case 10: // REG_RESOURCE_REQUIREMENT_LIST $o_Win32Registry->GetBinaryValue($i_HiveKey, $s_RootKey, $s_Name, $m_RegValue); if (VT_NULL !== variant_get_type($m_RegValue)) { $tempval = ""; foreach ($m_RegValue as $i_RegValue) { $tempval .= str_pad(dechex($i_RegValue), 2, '0', STR_PAD_LEFT) . ' '; } $m_RegValue = $tempval; } break; case 4: // REG_DWORD $o_Win32Registry->GetDWORDValue($i_HiveKey, $s_RootKey, $s_Name, $m_RegValue); $m_RegValue = '0x' . str_pad(dechex($m_RegValue), 8, '0', STR_PAD_LEFT) . ' (' . $m_RegValue . ')'; break; case 7: // REG_MUTLI_SZ $o_Win32Registry->GetMultiStringValue($i_HiveKey, $s_RootKey, $s_Name, $m_RegValue); if (VT_NULL !== variant_get_type($m_RegValue)) { try { $tempval = ""; foreach ($m_RegValue as $s_RegValue) { $tempval .= $s_RegValue; } $m_RegValue = $tempval; } catch (com_exception $e) { // As yet, I cannot determine if the $m_RegValue is empty for a REG_MULTI_SZ, // so catch the exception and test that instead. if (-2147352565 !== $e->getCode()) { throw $e; } } } break; } if ('' === $s_Name) { $key = '(Default)'; } else { $key = $s_Name; } $return[$key] = array('type' => $a_RegTypes[$a_ExtractedTypes[$i_Name]], 'value' => (string) $m_RegValue); } } return $return; }