From d45beff0e06c3d047afede112a3a46302553391f Mon Sep 17 00:00:00 2001 From: Costas K <11378310+kacos2000@users.noreply.github.com> Date: Sat, 9 Jan 2021 23:57:32 +0200 Subject: [PATCH] Add files via upload --- MFTbrowser.ps1 | 1153 ++++++++++++++++++++++++------------------------ 1 file changed, 567 insertions(+), 586 deletions(-) diff --git a/MFTbrowser.ps1 b/MFTbrowser.ps1 index ecd8a29..9adbdea 100644 --- a/MFTbrowser.ps1 +++ b/MFTbrowser.ps1 @@ -3,7 +3,7 @@ .NOTES -------------------------------------------------------------------------------- Code generated by: SAPIEN Technologies, Inc., PowerShell Studio 2020 v5.7.182 - Generated on: 6/1/2021 + Generated on: 9/1/2021 Generated by: Costas Katsavounidis -------------------------------------------------------------------------------- .DESCRIPTION @@ -148,10 +148,10 @@ function Show-MainForm_psf $toolstripseparator11 = New-Object 'System.Windows.Forms.ToolStripSeparator' $Print_richtextbox = New-Object 'System.Windows.Forms.ToolStripMenuItem' $toolstripseparator12 = New-Object 'System.Windows.Forms.ToolStripSeparator' - $SearchTextbox = New-Object 'System.Windows.Forms.ToolStripTextBox' $ExpandAll2 = New-Object 'System.Windows.Forms.ToolStripMenuItem' $Properties = New-Object 'System.Windows.Forms.ToolStripMenuItem' $toolstripseparator13 = New-Object 'System.Windows.Forms.ToolStripSeparator' + $picturebox1 = New-Object 'System.Windows.Forms.PictureBox' $InitialFormWindowState = New-Object 'System.Windows.Forms.FormWindowState' #endregion Generated Form Objects @@ -172,20 +172,7 @@ function Show-MainForm_psf $Open.PerformClick() } #end MFTBrowser_Shown - function Get-NtSecurityDescriptor - { - param - ( - [string]$SecurityDescriptor - ) - $ntsecdesc = New-Object Byte[] ($SecurityDescriptor.Length) - - for ($i = 0; $i -lt $SecurityDescriptor.Length; $i += 2) - { - $ntsecdesc.Set(($i/2), ([Byte]::Parse($SecurityDescriptor.Substring($i, 2), [System.Globalization.NumberStyles]::HexNumber))) - } - [System.Security.AccessControl.RawSecurityDescriptor]::new($ntsecdesc, 0) - } + function MyGroup-Object { @@ -269,13 +256,13 @@ function Show-MainForm_psf $datagridview1.Rows.Clear() $cancel.Enabled = $true $cancelreading = $false - $SearchTextbox.Text = 'Search Files' [System.GC]::Collect() # Disable button $NewRecordRange.Enabled = $false # Hide Treeview & Datagridview etc + $picturebox1.Visible = $true $treeview1.Visible = $false $datagridview1.Visible = $false $richtextbox1.Visible = $false @@ -1439,7 +1426,7 @@ Name: (Variable)" $parentrecord.ToolTipText = "Parent ID: $($ParentID)" # Add Attribute details to Tree - $Null = $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes.Add("Parent", "[0x$(($residentcontentoffset).tostring('X3'))] Parent Directory: $($mftparentnr)") + $Null = $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes.Add("ParentDirectory", "[0x$(($residentcontentoffset).tostring('X3'))] Parent Directory: $($mftparentnr)") $Null = $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes.Add("ParentSeqNr", "[0x$(($residentcontentoffset + 6).tostring('X3'))] Parent Directory SeqNr: $($2atparentsq)") $Null = $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes.Add("ParentID", "[-----] Parent ID: $($ParentID)") $Null = $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes.Add("Filename_File_Created", "[0x$(($residentcontentoffset + 8).tostring('X3'))] File Created: $($File_create)") @@ -1448,7 +1435,7 @@ Name: (Variable)" $Null = $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes.Add("Filename_File_Last_Accessed", "[0x$(($residentcontentoffset + 32).tostring('X3'))] File Last Accessed: $($File_lastaccess)") $Null = $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes.Add("Filename_Allocated_Size", "[0x$(($residentcontentoffset + 40).tostring('X3'))] File Allocated Size: $($fileallocsize)") $Null = $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes.Add("Filename_Real_Size", "[0x$(($residentcontentoffset + 48).tostring('X3'))] File Real Size: $($filerealsize)") - $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes["Parent"].Tag = @("$($residentcontentoffset)","6") + $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes["ParentDirectory"].Tag = @("$($residentcontentoffset)","6") $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes["ParentSeqNr"].Tag = @("$($residentcontentoffset + 6)", "2") $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes["ParentID"].Tag = "$($ParentID)" $ANodes.Nodes["($("Attribute" + $Attributeoffset))"].Nodes["ParentID"].ForeColor = 'SaddleBrown' @@ -1935,7 +1922,7 @@ The object ID is assigned at file creation time." # https://github.com/libyal/libfsntfs/blob/main/documentation/New%20Technologies%20File%20System%20(NTFS).asciidoc#69-the-volume-information-attribute $VolumeInfoFlags = [Ordered]@{ - "15" = "Is dirty" + "15" = "Volume Is dirty" "14" = "Re-size journal (LogFile)" "13" = "Upgrade on next mount" "12" = "Mounted on Windows NT4" @@ -2000,7 +1987,7 @@ The object ID is assigned at file creation time." foreach ($v in $VolumeInfoFlags.GetEnumerator()) { - if ($volflagsBin[16 - $v.key] -eq '1') + if ($volflagsBin[15 - $v.key] -eq '1') { $Null = $volflags.Nodes.add("flag$($v.key)", "Flag bit [$($v.key)]: $($v.Value)") } @@ -2190,7 +2177,7 @@ The object ID is assigned at file creation time." [array]::reverse($idxref2mftsqb) $idxref2mftsqh = [System.BitConverter]::ToString($idxref2mftsqb) -replace '-', '' $idxreftomftrecordseqnr = [Convert]::ToUInt16($idxref2mftsqh, 16) - + # Length of Entry $idxentrylng = $data.substring($firstoffset + 8, 2) $idxentrylngb = [System.Text.Encoding]::getencoding(28591).GetBytes($idxentrylng) @@ -2221,7 +2208,16 @@ The object ID is assigned at file creation time." $Null = $indexEntriesNodesChild.Nodes.Add("File_SeQNr", "[0x$(($firstoffset + 6).tostring('X3'))] MFT file record SeqNr: $($idxreftomftrecordseqnr)") $indexEntriesNodesChild.Nodes["File_Record"].Tag = @("$($firstoffset)", "6") $indexEntriesNodesChild.Nodes["File_SeQNr"].Tag = @("$($firstoffset + 6)", "2") - }else{ + if($idxreftomftrecord -ge 1) { + $idxmftrecordid ="$($idxreftomftrecordseqnr.ToString('X4'))$($idxreftomftrecord.ToString('X12'))" + $idxrecIDnode = $indexEntriesNodesChild.Nodes.Add("File_RecordID", "[-----] MFT record ID: $($idxmftrecordid)") + $idxrecIDnode.Tag = "$($idxmftrecordid)" + $idxrecIDnode.ToolTipText = "$($idxmftrecordid)" + $idxrecIDnode.ForeColor = 'SaddleBrown' + } + } + else + { $Null = $indexEntriesNodesChild.Nodes.Add("Unknown_Value", "[0x$(($firstoffset).tostring('X3'))] Unknown: 0x$($unknown1)$($unknown2)") $indexEntriesNodesChild.Nodes["Unknown_Value"].Tag = @("$($firstoffset)", "8") } @@ -2367,8 +2363,17 @@ The object ID is assigned at file creation time." $idxFilename = [System.Text.Encoding]::Unicode.GetString($idxfnb) # Add entry properties to the tree - $Null = $indexEntriesNodesChild.Nodes.Add("IdxParent", "[0x$(($firstoffset + 16).tostring('X3'))] Parent Directory: $($idxmftparentnr)") + $Null = $indexEntriesNodesChild.Nodes.Add("IdxParent","[0x$(($firstoffset + 16).tostring('X3'))] Parent Directory: $($idxmftparentnr)") $Null = $indexEntriesNodesChild.Nodes.Add("IdxParentSeqNr", "[0x$(($firstoffset + 22).tostring('X3'))] Parent SeqNr: $($idxparentsq)") + if ($idxmftparentnr -ge 1) + { + $idxreftrecordparent = "$($idxparentsq.ToString('X4'))$($idxmftparentnr.ToString('X12'))" + $idxrecparentIDnode = $indexEntriesNodesChild.Nodes.Add("Parent_RecordID", "[-----] Parent ID: $($idxreftrecordparent)") + $idxrecparentIDnode.Tag = "$($idxreftrecordparent)" + $idxrecparentIDnode.ToolTipText = "$($idxreftrecordparent)" + $idxrecparentIDnode.ForeColor = 'SaddleBrown' + } + $Null = $indexEntriesNodesChild.Nodes.Add("File_Created", "[0x$(($firstoffset + 24).tostring('X3'))] File Created: $($Idx_File_create)") $Null = $indexEntriesNodesChild.Nodes.Add("File_Modified", "[0x$(($firstoffset + 32).tostring('X3'))] File Modified: $($Idx_File_mod)") $Null = $indexEntriesNodesChild.Nodes.Add("MFT_Modified", "[0x$(($firstoffset + 40).tostring('X3'))] MFT Record Modified: $($Idx_File_mftmod)") @@ -3409,6 +3414,7 @@ This value is available starting with Windows 10 April 2018 Update." # Disable Cancel button $cancel.Enabled = $false # Show Treeview & Datagridview + $picturebox1.Visible = $false $treeview1.Visible = $true #$datagridview1.Visible = $true $richtextbox1.Visible = $true @@ -3421,8 +3427,6 @@ This value is available starting with Windows 10 April 2018 Update." } # end Load-MFT - - function Read-MFT { param @@ -3435,8 +3439,8 @@ This value is available starting with Windows 10 April 2018 Update." [Int]$RangeEnd ) # Cancel Check - if($script:cancelreading -eq $true){Return} - else{ $Cancel.Enabled = $true} + if ($script:cancelreading -eq $true) { Return } + else { $Cancel.Enabled = $true } $Attributes = [Ordered]@{ "10000000" = "10000000 - $([char]36)Standard_Information" @@ -3458,7 +3462,8 @@ This value is available starting with Windows 10 April 2018 Update." if (!$MFTfile) { return } - if(!!$script:mftparts){ + if (!!$script:mftparts) + { $MLcheck = $true } @@ -3471,14 +3476,13 @@ This value is available starting with Windows 10 April 2018 Update." $fs = (get-itemproperty "$MFTfile").Length $list = (0 .. [math]::Ceiling($fs/1024)) } - else{ + else + { $fs = ($RangeEnd - $RangeStart) $list = (($RangeStart/1024) .. ($RangeEnd/1024)) } #read MFT file - $Encoding = [System.Text.Encoding]::GetEncoding(28591) - $Stream = New-Object System.IO.FileStream $MFTfile, ([IO.FileMode]::Open), ([IO.FileAccess]::Read), ([IO.FileShare]::ReadWrite) - $BinaryReader = New-Object System.IO.BinaryReader -ArgumentList $Stream, $Encoding + $FileStream = New-Object IO.FileStream($MFTfile, ([IO.FileMode]::Open), ([IO.FileAccess]::Read), ([IO.FileShare]::ReadWrite)) $step = 0 if ($list.count -gt 100) { @@ -3492,11 +3496,12 @@ This value is available starting with Windows 10 April 2018 Update." $toolstripprogressbar1.Minimum = 0 $toolstripprogressbar1.Value = 0 } - else{ + else + { $toolstripprogressbar1.Maximum = $RangeEnd/1024 $toolstripprogressbar1.Minimum = $RangeStart/1024 $toolstripprogressbar1.Value = $RangeStart/1024 - } + } } $StreamList = [System.Collections.ArrayList]::new() @@ -3513,72 +3518,54 @@ This value is available starting with Windows 10 April 2018 Update." ######## Read Record ####### $data = $Attributeoffset = $null # Set offset to read from the file - $null = $BinaryReader.BaseStream.Seek([UInt64]($step * 1024), [System.IO.SeekOrigin]::Begin) + $null = $FileStream.Seek([UInt64]($step * 1024), [System.IO.SeekOrigin]::Begin) # Initialize the buffer $buffer = [System.Byte[]]::new([Int]1024) # Read offset to the buffer - $null = $BinaryReader.Read($buffer, 0, [Int]1024) - $data = [System.Text.Encoding]::GetEncoding(28591).getstring($buffer) + $null = $FileStream.Read($buffer, 0, [Int]1024) + $data = $buffer + $buffer = $null ## Process record ########## [System.Windows.Forms.Application]::DoEvents() - if ($step % 100 -eq 0) { - $toolstripprogressbar1.PerformStep() + if ($step % 100 -eq 0) + { + $toolstripprogressbar1.PerformStep() $Status.Text = "Reading records: $($toolstripprogressbar1.Value) of $($toolstripprogressbar1.Maximum)" } # File record Signature - $signature = $data.Substring(0, 4) - if ($signature -notin ('FILE','BAAD')) { continue } + $signature = [System.Text.Encoding]::Ascii.GetString($data[0 .. 3]) + if ($signature -notin ('FILE', 'BAAD')) { continue } # Sequence Number - $sqc = $data.Substring(16, 2) - $sqcb = [System.Text.Encoding]::getencoding(28591).GetBytes($sqc) - [array]::reverse($sqcb) - $sqcbh = [System.BitConverter]::ToString($sqcb) -replace '-', '' + $sqcount = [Bitconverter]::ToUInt16($data[16 .. 17], 0) # Skip if SeqNr is 0000 (record is unused) - if ($sqcbh -eq '0000') { continue } - $sqcount = [Convert]::TouInt16($sqcbh, 16) - + if ($sqcount -eq 0) { continue } + # Offset to 1st attribute (Contains an offset relative from the start of the MFT entry) - $of1 = $data.Substring(20, 2) - $of1b = [System.Text.Encoding]::getencoding(28591).GetBytes($of1) - [array]::reverse($of1b) - $of1bh = [System.BitConverter]::ToString($of1b) -replace '-', '' - $Attributeoffset = [Convert]::TouInt16($of1bh, 16) + $offfirst = [Bitconverter]::ToUInt16($data[20 .. 21], 0) # Allocation Status Flags - $as = $data.Substring(22, 2) - $asb = [System.Text.Encoding]::getencoding(28591).GetBytes($as) - [array]::reverse($asb) - $asbh = [System.BitConverter]::ToString($asb) -replace '-', '' + $flags = $data[22 .. 23] + [Array]::Reverse($flags) + $asbh = [System.BitConverter]::ToString($flags) -replace '-', '' $asbhb = [Convert]::ToString("0x$($asbh)", 2).PadLeft(16, '0') $dir = $asbhb[14] $InUse = $asbhb[15] # Logical Size of MFT record (number of bytes of the MFT entry that are in use) - $lrs = $data.Substring(24, 4) - $lrsb = [System.Text.Encoding]::getencoding(28591).GetBytes($lrs) - [array]::reverse($lrsb) - $lrsbh = [System.BitConverter]::ToString($lrsb) -replace '-', '' - $logicalsz = [Convert]::TouInt32($lrsbh, 16) + $logicalsz = [Bitconverter]::ToUInt32($data[24 .. 27], 0) # Base Record - $brr = $data.Substring(32, 6) - $brrb = [System.Text.Encoding]::getencoding(28591).GetBytes($brr) - [array]::reverse($brrb) - $brrbh = [System.BitConverter]::ToString($brrb) -replace '-', '' - $baserecord = [Convert]::TouInt64($brrbh, 16) + $baserecord = [Bitconverter]::ToUInt32($data[32 .. 35], 0) # Base Record Sequence Nr - $brrsn = $data.Substring(38, 2) - $brrsnb = [System.Text.Encoding]::getencoding(28591).GetBytes($brrsn) - [array]::reverse($brrsnb) - $brrsnbh = [System.BitConverter]::ToString($brrsnb) -replace '-', '' - $baserecordsequence = [Convert]::TouInt16($brrsnbh, 16) - + $baserecordsequence = [Bitconverter]::ToInt16($data[38 .. 39], 0) + + # Build BaseID if ($baserecordsequence -gt 0 -and $baserecord -gt 0) { $baseid = "$($baserecordsequence.ToString('X4'))$($baserecord.ToString('X12'))" @@ -3586,188 +3573,146 @@ This value is available starting with Windows 10 April 2018 Update." else { $baseid = 0 } # Next attribute - $nai = $data.Substring(40, 4) - $naib = [System.Text.Encoding]::getencoding(28591).GetBytes($nai) - [array]::reverse($naib) - $naibh = [System.BitConverter]::ToString($naib) -replace '-', '' - $nextattribute = [Convert]::TouInt64($naibh, 16) + $nextattribute = [Bitconverter]::ToUInt32($data[40 .. 43], 0) # MFT record Nr - $mid = $data.Substring(44, 4) - $midb = [System.Text.Encoding]::getencoding(28591).GetBytes($mid) - [array]::reverse($midb) - $midbh = [System.BitConverter]::ToString($midb) -replace '-', '' - $recordbnr = [Convert]::TouInt64($midbh, 16) + $recordbnr = [Bitconverter]::ToUInt32($data[44 .. 47], 0) + + # Create Record Reference Nr + $FileID = "$($sqcount.ToString('X4'))$($recordbnr.ToString('X12'))" + + # $fixupcheck1 = [System.BitConverter]::ToString($data[510 .. 511]) -eq [System.BitConverter]::ToString($data[48 .. 49]) + # $fixupcheck2 = [System.BitConverter]::ToString($data[510 .. 511]) -eq [System.BitConverter]::ToString($data[48 .. 49]) - # Replace FixUp values: - $fxe = $data.Substring(50, 2) - $sxe = $data.Substring(52, 2) # Replace Fix-up 1 (offset: 510 (2bytes) from start of record) - $data = $data.remove(510, 2).insert(510, $fxe) + $data[510] = $data[50] + $data[511] = $data[51] # Replace Fix-up 2 (offset: 1022 (2bytes) from start of record) - $data = $data.remove(1022, 2).insert(1022, $sxe) - + $data[1022] = $data[52] + $data[1023] = $data[53] + + $Attributeoffset = $offfirst $atinfo = [System.Collections.ArrayList]::new() $previousattributes = [System.Collections.ArrayList]::new() - + if ($nextattribute -ne 0) { - for ($a = 0; $a -lt $nextattribute; $a++) + for ($a = 0; $a -lt $nextattribute; $a++) { # Attribute Type - $at = $data.Substring($Attributeoffset, 4) - $atb = [System.Text.Encoding]::getencoding(28591).GetBytes($at) - $type = [System.BitConverter]::ToString($atb) -replace '-', '' + $type = [System.BitConverter]::ToString($data[$Attributeoffset .. ($Attributeoffset + 3)]) -replace '-', '' + + # Skip the rest of the record if there are no File Attributes left + if ($type -eq "FFFFFFFF" -or !$Attributes[$type]) { break } # add to previous attributes list $null = $previousattributes.Add($type) # Attribute Length - $ln = $data.Substring($Attributeoffset + 4, 4) - $lb = [System.Text.Encoding]::getencoding(28591).GetBytes($ln) - [array]::reverse($lb) - $lbh = [System.BitConverter]::ToString($lb) -replace '-', '' - $length = [Convert]::TouInt32($lbh, 16) + $length = [Bitconverter]::ToUInt32($data[($Attributeoffset + 4) .. ($Attributeoffset + 7)], 0) # See what comes next if (($Attributeoffset + $length + 65) -lt $logicalsz) { - $next = $data.Substring($Attributeoffset + $length, 4) - $nextb = [System.Text.Encoding]::getencoding(28591).GetBytes($next) - $nextatt = [System.BitConverter]::ToString($nextb) -replace '-', '' - }else{ $nextatt = $null} + $nextatt = [System.BitConverter]::ToString($data[($Attributeoffset + $length) .. ($Attributeoffset + $length + 3)]) -replace '-', '' + } + else { $nextatt = $null } # Attribute - Length of Stream Name (Number of Unicode characters ) - $atrl = $data.Substring($Attributeoffset + 9, 1) - $atrlb = [System.Text.Encoding]::getencoding(28591).GetBytes($atrl) - [array]::reverse($atrlb) - $atrlbh = [System.BitConverter]::ToString($atrlb) -replace '-', '' - $attlenstrN = [Convert]::TouInt16($atrlbh, 16) + $attlenstrN = $data[($Attributeoffset + 9)] # Attribute - Offset to Stream Name (From beginning of Attribute) - $atro = $data.Substring($Attributeoffset + 10, 2) - $atrob = [System.Text.Encoding]::getencoding(28591).GetBytes($atro) - [array]::reverse($atrob) - $atrobh = [System.BitConverter]::ToString($atrob) -replace '-', '' - $attrofftostream = [Convert]::ToUInt16($atrobh, 16) + $attrofftostream = [Bitconverter]::ToUInt16($data[($Attributeoffset + 10) .. ($Attributeoffset + 11)], 0) - if ($attlenstrN -gt 0) - { - # Stream Name - $sn = $data.Substring($Attributeoffset + $attrofftostream, $attlenstrN * 2) - $snb = [System.Text.Encoding]::getencoding(28591).GetBytes($sn) - $StreamName = [System.Text.Encoding]::Unicode.GetString($snb) - }else{ $StreamName = $null} - - # Skip the loop if there are no File Attributes left - if ($type -eq "FFFFFFFF" -or !$Attributes[$type]) { break } - elseif ($type -eq '30000000') + + if ($type -eq '30000000' -and $baseid -eq 0 -and $step -notin $atinfo.step) { - # Content offset from start of Attribute - $of = $data.Substring($Attributeoffset + 20, 2) - $ofb = [System.Text.Encoding]::getencoding(28591).GetBytes($of) - [array]::reverse($ofb) - $ofbh = [System.BitConverter]::ToString($ofb) -replace '-', '' - $contentoffset = [Convert]::TouInt16($ofbh, 16) - + $contentoffset = [Bitconverter]::ToInt16($data[($Attributeoffset + 20) .. ($Attributeoffset + 21)], 0) $residentcontentoffset = $Attributeoffset + $contentoffset # $MFT Record number of the parent directory - $mftprnr = $data.Substring($residentcontentoffset, 6) - $mftprnrb = [System.Text.Encoding]::getencoding(28591).GetBytes($mftprnr) - [array]::reverse($mftprnrb) - $mftprnrbh = [System.BitConverter]::ToString($mftprnrb) -replace '-', '' - $mftparentnr = [Convert]::TouInt64($mftprnrbh, 16) + $mftparentnr = [Bitconverter]::TouInt32($data[($residentcontentoffset) .. ($residentcontentoffset + 5)], 0) # Sequence number of the parent directory entry - $prsq = $data.Substring($residentcontentoffset + 6, 2) - $prsqb = [System.Text.Encoding]::getencoding(28591).GetBytes($prsq) - [array]::reverse($prsqb) - $prsqh = [System.BitConverter]::ToString($prsqb) -replace '-', '' - $prsqnr = [Convert]::TouInt16($prsqh, 16) + $prsqnr = [Bitconverter]::ToUInt16($data[($residentcontentoffset + 6) .. ($residentcontentoffset + 7)], 0) # Make Parent ID $pfid = "$($prsqnr.ToString('X4'))$($mftparentnr.ToString('X12'))" + # File name length - $fnlength = $data.Substring($residentcontentoffset + 64, 1) - $fnlengthb = [System.Text.Encoding]::getencoding(28591).GetBytes($fnlength) - $fnlengthbh = [System.BitConverter]::ToString($fnlengthb) - $fnamelength = [Convert]::TouInt16($fnlengthbh, 16) + $fnamelength = $data[($residentcontentoffset + 64)] - if (($residentcontentoffset + $fnamelength) -lt $length) { break } + # if (($residentcontentoffset + $fnamelength) -lt $length) { continue } # File name type (Namespace) - $fnn = $data.Substring($residentcontentoffset + 65, 1) - $fnnb = [System.Text.Encoding]::getencoding(28591).GetBytes($fnn) - $fnnbh = [System.BitConverter]::ToString($fnnb) - $filespace = [Convert]::TouInt16($fnnbh, 16) + $filespace = $data[($residentcontentoffset + 65)] if ($filespace -in (0, 1, 3) -and $pfid -notin $atinfo.PFileID) { - if($pfid -in $atinfo.PFileID){continue} # File name - $fn = $data.Substring($residentcontentoffset + 66, $fnamelength * 2) - $fnb = [System.Text.Encoding]::getencoding(28591).GetBytes($fn) + $fnb = $data[($residentcontentoffset + 66) .. ($residentcontentoffset + 66 + ($fnamelength * 2) - 1)] $fname = [System.Text.Encoding]::Unicode.GetString($fnb) $atinf = $null $atinf = [PSCustomObject][Ordered]@{ - Parent = $mftparentnr - PSeqr = $prsqnr - PFileID = "$($prsqnr.ToString('X4'))$($mftparentnr.ToString('X12'))" - fname = $fname - Base = $baserecord - BSeqNr = $baserecordsequence - BaseID = $baseid - } + 'Step' = $step + Parent = $mftparentnr + PSeqr = $prsqnr + PFileID = $pfid + fname = $fname + Base = $baserecord + BSeqNr = $baserecordsequence + BaseID = $baseid + } $null = $atinfo.add($atinf) } - elseif($filespace -eq 2 -and $previousattributes.Contains('20000000') -and $nextatt -ne '30000000' -and $pfid -notin $atinfo.PFileID) - { - - if ($pfid -in $atinfo.PFileID) { continue } - # File name - $fn = $data.Substring($residentcontentoffset + 66, $fnamelength * 2) - $fnb = [System.Text.Encoding]::getencoding(28591).GetBytes($fn) - $fname = [System.Text.Encoding]::Unicode.GetString($fnb) - $atinf = $null - $atinf = [PSCustomObject][Ordered]@{ - Parent = $mftparentnr - PSeqr = $prsqnr - PFileID = "$($prsqnr.ToString('X4'))$($mftparentnr.ToString('X12'))" - fname = $fname - Base = $baserecord - BSeqNr = $baserecordsequence - BaseID = $baseid - } - $null = $atinfo.add($atinf) + elseif ($filespace -eq 2 -and $previousattributes.Contains('20000000') -and $nextatt -ne '30000000' -and $pfid -notin $atinfo.PFileID) + { + # File name + $fnb = $data[($residentcontentoffset + 66) .. ($residentcontentoffset + 66 + ($fnamelength * 2) - 1)] + $fname = [System.Text.Encoding]::Unicode.GetString($fnb) + $atinf = $null + $atinf = [PSCustomObject][Ordered]@{ + 'Step' = $step + Parent = $mftparentnr + PSeqr = $prsqnr + PFileID = $pfid + fname = $fname + Base = $baserecord + BSeqNr = $baserecordsequence + BaseID = $baseid + } + $null = $atinfo.add($atinf) } } - # Continue and get any data stream names - elseif ($type -eq '80000000' -and $previousattributes.Contains('30000000') -and ![String]::IsNullOrEmpty($StreamName)) + elseif ($type -eq '80000000' -and $previousattributes.Contains('30000000') -and $attlenstrN -gt 0 -and $baseid -eq 0) { + # Stream Name + $StreamName = [System.Text.Encoding]::Unicode.GetString($data[($Attributeoffset + $attrofftostream) .. ($Attributeoffset + $attrofftostream + ($attlenstrN * 2) - 1)]) if ($Streamname -notin $StreamExcludeList) { $ADS = $null $ADS = [PSCustomObject][Ordered]@{ - filename = $atinfo.fname - 'Step' = $step - IsDir = $dir - InUse = $InUse - FileID = "$($sqcount.ToString('X4'))$($recordbnr.ToString('X12'))" - PFileID = "$($prsqnr.ToString('X4'))$($mftparentnr.ToString('X12'))" - StreamName = $StreamName + filename = $atinfo.fname + 'Step' = $step + IsDir = $dir + InUse = $InUse + FileID = $FileID + PFileID = $pfid + StreamName = $StreamName } $null = $StreamList.Add($ADS) # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3 } - } - # Get any records with no Filename attribute (Extension records?) - elseif(!!$Attributes[$type] -and $baserecordsequence -ne 0 ) + break + } + # Get any records with no Filename attribute i.e. no Parent (Extension records) + elseif (!!$Attributes[$type] -and $baseid -ne 0 -and $baseID -notin $atinfo.baseid) { $atinf = $null $atinf = [PSCustomObject][Ordered]@{ + 'Step' = $step Parent = $null PSeqr = $null PFileID = $null @@ -3777,35 +3722,38 @@ This value is available starting with Windows 10 April 2018 Update." BaseID = $baseid } $null = $atinfo.add($atinf) + break } # get the next attribute offset $Attributeoffset = $Attributeoffset + $length - if(($Attributeoffset + 65) -ge $logicalsz){break} - } #end atinfo - } #end if next attribute nr not 0 - - foreach ($fat in $atinfo){ - [pscustomobject][Ordered]@{ - Step = $step - MFTRecord = $recordbnr - SeqNr = $sqcount - FileID = "$($sqcount.ToString('X4'))$($recordbnr.ToString('X12'))" - IsDir = $dir - InUse = $InUse - BaseRecord = $baserecord - BSeqNr = $baserecordsequence - BaseID = $baseid - PFileID = $fat.PFileID - Parent = $fat.Parent - PSeqNr = $fat.PSeqr - fname = $fat.fname - } - } - } # end Reading the MFT + } #end foreach attribute + } # end if next not 0 + foreach ($fat in $atinfo) + { + [pscustomobject][Ordered]@{ + Step = $fat.step + MFTRecord = $recordbnr + SeqNr = $sqcount + FileID = $FileID + IsDir = $dir + InUse = $InUse + BaseRecord = $baserecord + BSeqNr = $baserecordsequence + BaseID = $baseid + PFileID = $fat.PFileID + Parent = $fat.Parent + PSeqNr = $fat.PSeqr + fname = $fat.fname + } + } # end foreach atinfo + } # end Reading the MFT else - { + { $Status.Text = "Process was Cancelled - Cleaning ..." + $FileStream.Close() + try { $FileStream.Dispose() } + catch { } $toolstrip1.Visible = $false $toolstripprogressbar1.Value = $false $richtextbox1.Text = $null @@ -3817,18 +3765,17 @@ This value is available starting with Windows 10 April 2018 Update." $Cancel.Enabled = $false $script:cancelreading = $false $stopWatch.Stop() - if($MLcheck -eq $true) - { $MFT_Part_List.Enabled} return } # End cancel check - + } # end foreach record - $BinaryReader.Close() - $Stream.Close() + $FileStream.Close() + $FileStream.Dispose() $toolstripprogressbar1.Value = $toolstripprogressbar1.Minimum $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Starting to process the records ..." + Start-Sleep -Milliseconds 150 $richtextbox1.ForeColor = 'Red' $richtextbox1.Text = "`n`n`n`tPlease wait .." @@ -3837,22 +3784,22 @@ This value is available starting with Windows 10 April 2018 Update." $unknown = $root.Nodes.Add("Unknown", "[Orphan]") # List of Directories - if($recordsinfo.where{ $_.IsDir -eq '1' -and ![string]::IsNullOrEmpty($_.fname) }.count -ge 1) + if ($recordsinfo.where{ $_.IsDir -eq '1' -and ![string]::IsNullOrEmpty($_.fname) }.count -ge 1) { $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Sorting Directories" $dirs = [System.Collections.ArrayList]::new() $null = $dirs.AddRange((($recordsinfo.where{ $_.IsDir -eq '1' -and ![string]::IsNullOrEmpty($_.fname) }) | sort -property @{ Expression = { [int]$_.Parent } })) #-Property parent, mftrecord, fname) $maxdirs = $dirs.count } - else{ $maxdirs = 0} + else { $maxdirs = 0 } # List of extension records if ($recordsinfo.where{ $_.BaseRecord -gt 0 }.count -ge 1) { $ExtensionRecords = [System.Collections.ArrayList]::new() - $null = $ExtensionRecords.AddRange((($recordsinfo.where{ $_.BaseRecord -gt 0 }) | sort -property @{ Expression = { [int]$_.BaseRecord } })) + $null = $ExtensionRecords.AddRange(@(($recordsinfo.where{ $_.BSeqNr -gt 0 }) | sort -property MFTRecord -Unique | sort -property @{ Expression = { [int]$_.BaseRecord } })) $ExtensionRecordsCount = $ExtensionRecords.count - } + } else { $ExtensionRecordsCount = 0} # List of files if ($recordsinfo.where{ $_.IsDir -eq '0' -and ![string]::IsNullOrEmpty($_.fname) }.count -ge 1) @@ -3862,39 +3809,44 @@ This value is available starting with Windows 10 April 2018 Update." $null = $filez.AddRange((($recordsinfo.where{ $_.IsDir -eq '0' -and ![string]::IsNullOrEmpty($_.fname) }) | sort -property @{ Expression = { [int]$_.Parent } }, fname)) $maxfilez = $filez.count } - else{ $maxfilez = 0} + else { $maxfilez = 0 } $StreamCount = $StreamList.count - + # Create Groups - if ($maxdirs -gt 1) + if ($maxdirs -ge 1) { $dirlist = [System.Collections.ArrayList]::new() $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Grouping Directories" - $null = $dirlist.AddRange( ($dirs | MyGroup-Object PFileID) ) # slow performance but does not alter sort sequence + $null = $dirlist.AddRange(@($dirs | MyGroup-Object PFileID)) $dircount = $dirlist.count - }else{ $dircount = 0} + } + else { $dircount = 0 } - if($maxfilez -ge 1) + if ($maxfilez -ge 1) { + $filegroups = [System.Collections.ArrayList]::new() $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Grouping Files" - $filegroups = ( (($filez | MyGroup-Object -Property PFileID ) | Sort-Object -Property Count) ) + $filegroups.AddRange(@(($filez | MyGroup-Object -Property PFileID) | Sort-Object -Property Count)) $maxfilegroups = $filegroups.count - }else{ $maxfilegroups = 0} + } + else { $maxfilegroups = 0 } - if ($ExtensionRecordsCount -gt 1) + if ($ExtensionRecordsCount -ge 1) { + $extensiongroups = [System.Collections.ArrayList]::new() $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Grouping Extension Records" - $extensiongroups = ($ExtensionRecords | MyGroup-Object -Property BaseID) + $extensiongroups.AddRange(@($ExtensionRecords| MyGroup-Object -Property BaseID)) $extgroupcount = $extensiongroups.count } # Add Directories - if ($maxdirs -ge 1 -and $dircount -gt 1) + if ($maxdirs -ge 1 -and $dircount -ge 1) { $checkbackdirs00 = [System.Collections.ArrayList]::new() $checkbackdirs0 = [System.Collections.ArrayList]::new() + $checkbackdirsX = [System.Collections.ArrayList]::new() $checkbackdirs = [System.Collections.ArrayList]::new() # set the progressbar @@ -3902,7 +3854,7 @@ This value is available starting with Windows 10 April 2018 Update." $toolstripprogressbar1.Minimum = 0 $toolstripprogressbar1.Value = 0 $toolstripprogressbar1.Step = 100 - + # Populate Directories $treeview2.BeginUpdate() # Add root node @@ -3913,6 +3865,7 @@ This value is available starting with Windows 10 April 2018 Update." $rootdir.ToolTipText = "MFT: Record: $($x.MFTRecord), SeqNr: $($x.SeqNr)" } $d = 0 + foreach ($p in $dirlist) #1 { # check if parent node (group name) exists @@ -3943,11 +3896,13 @@ This value is available starting with Windows 10 April 2018 Update." if ($x.inUse -eq '1') { $firstdirnodes.ImageIndex = 0 + $firstdirnodes.SelectedImageIndex = 0 } else { $firstdirnodes.ImageIndex = 4 + $firstdirnodes.SelectedImageIndex = 4 } } # end if parent exists else @@ -3971,16 +3926,16 @@ This value is available starting with Windows 10 April 2018 Update." $stopWatch.Stop() return } - $d=$d+1 + $d = $d + 1 } # end foreach #2 } # end directory adding #1 $treeview2.EndUpdate() - Start-Job -ScriptBlock { $dirs.Clear(); $dirlist.Clear()} -Name 'ClearDirs' - + Start-Job -ScriptBlock { $dirs.Clear(); $dirlist.Clear() } -Name 'ClearDirs' + $chk00count = $checkbackdirs00.count - if ($chk00count -ge 1) + if ($chk00count -ge 1) #2 { # set the progressbar $toolstripprogressbar1.Maximum = $chk00count @@ -3990,7 +3945,7 @@ This value is available starting with Windows 10 April 2018 Update." $u = 0 $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Re-Grouping Directories" - $checkback00 = ($checkbackdirs00 | sort -property @{ Expression = { [int]$_.Parent } }) | MyGroup-Object PFileID + $checkback00 = ($checkbackdirs00 | MyGroup-Object PFileID) # | sort -property @{ Expression = { [int]$_.Parent } }) $treeview2.BeginUpdate() foreach ($cb_group in $checkback00) { @@ -4017,16 +3972,19 @@ This value is available starting with Windows 10 April 2018 Update." if ($cb.inUse -eq '1') { $parentnode[0].Nodes["$($cb.FileID)"].ImageIndex = 0 + $parentnode[0].Nodes["$($cb.FileID)"].SelectedImageIndex = 0 } else { $parentnode[0].Nodes["$($cb.FileID)"].ImageIndex = 4 + $parentnode[0].Nodes["$($cb.FileID)"].SelectedImageIndex = 4 } $u = $u + 1 } else # add to 2nd checkback { $null = $checkbackdirs0.Add($cb) + $u = $u + 1 } #end add to checkback } # end if cancel is false @@ -4050,11 +4008,12 @@ This value is available starting with Windows 10 April 2018 Update." } # end foreach group } #end foreach $treeview2.EndUpdate() + $checkback00 = $null } #end checkback0 Start-Job -ScriptBlock { $checkbackdirs00.Clear() } -Name 'ClearDirs1' - + $chk0count = $checkbackdirs0.count - if ($chk0count -ge 1) + if ($chk0count -ge 1) #3 { # set the progressbar $toolstripprogressbar1.Maximum = $chk0count @@ -4064,74 +4023,155 @@ This value is available starting with Windows 10 April 2018 Update." $u = 0 $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Re-Grouping Directories" - $checkback0 = ($checkbackdirs0 | sort -property @{ Expression = { [int]$_.Parent } }) | MyGroup-Object PFileID # + $checkback0 = ($checkbackdirs0 | sort -property @{ Expression = { [int]$_.Parent }; Descending = $true }) | MyGroup-Object PFileID # $treeview2.BeginUpdate() foreach ($cb_group in $checkback0) + { + # check if parent exists + $parentnode = $root.Nodes.Find("$($cb_group.name)", $true) + foreach ($cb in $cb_group.group) { - # check if parent exists - $parentnode = $root.Nodes.Find("$($cb_group.name)", $true) - foreach ($cb in $cb_group.group) + # Show progress + [System.Windows.Forms.Application]::DoEvents() + if ($u % 50 -eq 0) { - # Show progress - [System.Windows.Forms.Application]::DoEvents() - if ($u % 50 -eq 0) - { - $toolstripprogressbar1.PerformStep() - $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - pass 3 - Building Directory tree - Dir $($u) of $($chk0count)" - } - if ($script:cancelreading -eq $false) + $toolstripprogressbar1.PerformStep() + $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - pass 3 - Building Directory tree - Dir $($u) of $($chk0count)" + } + if ($script:cancelreading -eq $false) + { + # if so, add record node + if (!!$parentnode) { - # if so, add record node - if (!!$parentnode) + $null = $parentnode[0].Nodes.Add("$($cb.FileID)", "$($cb.fname)") + $parentnode[0].Nodes["$($cb.FileID)"].Tag = @("$([int]$cb.Step)", "") + $parentnode[0].Nodes["$($cb.FileID)"].ToolTipText = "MFT: Record: $($cb.MFTRecord), SeqNr: $($cb.SeqNr)" + # add ico according to allocation status + if ($cb.inUse -eq '1') { - $null = $parentnode[0].Nodes.Add("$($cb.FileID)", "$($cb.fname)") - $parentnode[0].Nodes["$($cb.FileID)"].Tag = @("$([int]$cb.Step)", "") - $parentnode[0].Nodes["$($cb.FileID)"].ToolTipText = "MFT: Record: $($cb.MFTRecord), SeqNr: $($cb.SeqNr)" - # add ico according to allocation status - if ($cb.inUse -eq '1') - { - $parentnode[0].Nodes["$($cb.FileID)"].ImageIndex = 0 - } - else - { - $parentnode[0].Nodes["$($cb.FileID)"].ImageIndex = 4 - } - $u = $u + 1 + $parentnode[0].Nodes["$($cb.FileID)"].ImageIndex = 0 + $parentnode[0].Nodes["$($cb.FileID)"].SelectedImageIndex = 0 } - else # add to 2nd checkback + else { - $null = $checkbackdirs.Add($cb) - } #end add to checkback - - } # end if cancel is false - else - { - $Status.Text = "Process was Cancelled - Cleaning ..." - $toolstrip1.Visible = $false - $toolstripprogressbar1.Value = $false - $richtextbox1.Text = $null - $toolstripprogressbar1.Value = $null - $datagridview1.Rows.Clear() - $treeview1.Nodes.Clear() - $treeview2.Nodes.Clear() - $Status.Text = $null - $Cancel.Enabled = $false - $script:cancelreading = $false - $stopWatch.Stop() - $stopWatch.Reset() - if (!!$MLcheck) - { $MFT_Part_List.Enabled } - [GC]::Collect() - return + $parentnode[0].Nodes["$($cb.FileID)"].ImageIndex = 4 + $parentnode[0].Nodes["$($cb.FileID)"].SelectedImageIndex = 4 + } + $u = $u + 1 } - } # end foreach group - } #end foreach - $treeview2.EndUpdate() + else # add to 2nd checkback + { + $null = $checkbackdirsX.Add($cb) + $u = $u + 1 + } #end add to checkback + + } # end if cancel is false + else + { + $Status.Text = "Process was Cancelled - Cleaning ..." + $toolstrip1.Visible = $false + $toolstripprogressbar1.Value = $false + $richtextbox1.Text = $null + $toolstripprogressbar1.Value = $null + $datagridview1.Rows.Clear() + $treeview1.Nodes.Clear() + $treeview2.Nodes.Clear() + $Status.Text = $null + $Cancel.Enabled = $false + $script:cancelreading = $false + $stopWatch.Stop() + $stopWatch.Reset() + [GC]::Collect() + return + } + } # end foreach group + } #end foreach + $treeview2.EndUpdate() + $checkback0 = $null } #end checkback0 Start-Job -ScriptBlock { $checkbackdirs0.Clear() } -Name 'ClearDirs2' + $chkXcount = $checkbackdirsX.count + if ($chkXcount -ge 1) #4 + { + # set the progressbar + $toolstripprogressbar1.Maximum = $chkXcount + $toolstripprogressbar1.Minimum = 0 + $toolstripprogressbar1.Value = 0 + $toolstripprogressbar1.Step = 50 + + $ux = 0 + $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Re-Grouping Directories" + $checkbackX = ($checkbackdirsX | sort -property @{ Expression = { [int]$_.Parent }}) | MyGroup-Object PFileID # + $treeview2.BeginUpdate() + foreach ($cbx_group in $checkbackX) + { + # check if parent exists + $parentnode = $root.Nodes.Find("$($cbx_group.name)", $true) + foreach ($cb in $cbx_group.group) + { + # Show progress + [System.Windows.Forms.Application]::DoEvents() + if ($ux % 50 -eq 0) + { + $toolstripprogressbar1.PerformStep() + $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - pass 4 - Building Directory tree - Dir $($ux) of $($chkXcount)" + } + if ($script:cancelreading -eq $false) + { + # if so, add record node + if (!!$parentnode) + { + $null = $parentnode[0].Nodes.Add("$($cb.FileID)", "$($cb.fname)") + $parentnode[0].Nodes["$($cb.FileID)"].Tag = @("$([int]$cb.Step)", "") + $parentnode[0].Nodes["$($cb.FileID)"].ToolTipText = "MFT: Record: $($cb.MFTRecord), SeqNr: $($cb.SeqNr)" + # add ico according to allocation status + if ($cb.inUse -eq '1') + { + $parentnode[0].Nodes["$($cb.FileID)"].ImageIndex = 0 + $parentnode[0].Nodes["$($cb.FileID)"].SelectedImageIndex = 0 + } + else + { + $parentnode[0].Nodes["$($cb.FileID)"].ImageIndex = 4 + $parentnode[0].Nodes["$($cb.FileID)"].SelectedImageIndex = 4 + } + $ux = $ux + 1 + } + else # add to 3nd $ final checkback + { + $null = $checkbackdirs.Add($cb) + $ux = $ux + 1 + } #end add to checkback + + } # end if cancel is false + else + { + $Status.Text = "Process was Cancelled - Cleaning ..." + $toolstrip1.Visible = $false + $toolstripprogressbar1.Value = $false + $richtextbox1.Text = $null + $toolstripprogressbar1.Value = $null + $datagridview1.Rows.Clear() + $treeview1.Nodes.Clear() + $treeview2.Nodes.Clear() + $Status.Text = $null + $Cancel.Enabled = $false + $script:cancelreading = $false + $stopWatch.Stop() + $stopWatch.Reset() + [GC]::Collect() + return + } + } # end foreach group + } #end foreach + $treeview2.EndUpdate() + $checkbackX = $null + } #end checkbackX + Start-Job -ScriptBlock { $checkbackdirsX.Clear() } -Name 'ClearDirs3' + $chkcount = $checkbackdirs.count - if ($chkcount -ge 1) + if ($chkcount -ge 1) #5 { $u = 0 # set the progressbar @@ -4140,7 +4180,7 @@ This value is available starting with Windows 10 April 2018 Update." $toolstripprogressbar1.Value = 0 $toolstripprogressbar1.Step = 10 $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Re-Grouping Directories" - $checkback = ($checkbackdirs | sort -property @{ Expression = { [int]$_.Parent } } )| MyGroup-Object PFileID + $checkback = ($checkbackdirs | sort -property @{ Expression = { [int]$_.Parent }; Descending = $false }) | MyGroup-Object PFileID $treeview2.BeginUpdate() foreach ($cb_group in $checkback) { @@ -4156,7 +4196,7 @@ This value is available starting with Windows 10 April 2018 Update." if ($u % 10 -eq 0) { $toolstripprogressbar1.PerformStep() - $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - pass 4 - Building Directory tree - Dir $($u) of $($chkcount)" + $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - pass 5 - Building Directory tree - Dir $($u) of $($chkcount)" } if ($script:cancelreading -eq $false) { @@ -4170,10 +4210,12 @@ This value is available starting with Windows 10 April 2018 Update." if ($cb.inUse -eq '1') { $parentnode[0].Nodes["$($cb.FileID)"].ImageIndex = 0 + $parentnode[0].Nodes["$($cb.FileID)"].SelectedImageIndex = 0 } else { $parentnode[0].Nodes["$($cb.FileID)"].ImageIndex = 4 + $parentnode[0].Nodes["$($cb.FileID)"].SelectedImageIndex = 4 } $u = $u + 1 } # end if cancel is false @@ -4217,12 +4259,14 @@ This value is available starting with Windows 10 April 2018 Update." if ($cb.inUse -eq '1') { $missing.Nodes["$($cb.FileID)"].ImageIndex = 0 + $missing.Nodes["$($cb.FileID)"].SelectedImageIndex = 0 } else { $missing.Nodes["$($cb.FileID)"].ImageIndex = 4 + $missing.Nodes["$($cb.FileID)"].SelectedImageIndex = 4 } - $u=$u+1 + $u = $u + 1 } # end if cancel is false else { @@ -4244,12 +4288,13 @@ This value is available starting with Windows 10 April 2018 Update." } # End cancel check } # end foreach group } # end Parent check + Orphanage - } #end foreach + } #end foreach $treeview2.EndUpdate() + $checkback = $null } #end checkback check $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#'))" $toolstripprogressbar1.Value = 0 - Start-Job -ScriptBlock { $checkbackdirs.Clear() } -Name 'ClearDirs3' + Start-Job -ScriptBlock { $checkbackdirs.Clear() } -Name 'ClearDirs4' } # end of directory count check @@ -4260,7 +4305,7 @@ This value is available starting with Windows 10 April 2018 Update." $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Sorting Directory Nodes" $null = $treeview2.Sort() $treeview2.EndUpdate() - + # Add Streams if ($StreamCount -ge 1) { @@ -4272,52 +4317,64 @@ This value is available starting with Windows 10 April 2018 Update." $toolstripprogressbar1.Step = 10 $treeview2.BeginUpdate() - for ($st = $StreamCount; $st -ge 0;$st--) + for ($st = $StreamCount; $st -ge 0; $st--) { $parentnode = $root.Nodes.Find("$($StreamList[$st].PFileID)", $true) #$file_record = $recordsinfo.where{ $_.FileID -eq $StreamList[$st].FileID } if (!!$parentnode) { if ($script:cancelreading -ne $true) + { + [System.Windows.Forms.Application]::DoEvents() + if ($s % 10 -eq 0) { - [System.Windows.Forms.Application]::DoEvents() - if ($s % 10 -eq 0) - { - $toolstripprogressbar1.PerformStep() - $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Adding ADStreams: $($s) of $($streamcount)" - } - # Add stream - $Null = $parentnode[0].Nodes.Add("$($s)Stream_$($StreamList[$st].FileID)", "$($StreamList[$st].filename):$($StreamList[$st].StreamName)") - $parentnode[0].Nodes["$($s)Stream_$($StreamList[$st].FileID)"].ForeColor = 'Green' - $parentnode[0].Nodes["$($s)Stream_$($StreamList[$st].FileID)"].Tag = @("$([int]$StreamList[$st].Step)", "") - $parentnode[0].Nodes["$($s)Stream_$($StreamList[$st].FileID)"].ToolTipText = "MFT Record ID: $($StreamList[$st].FileID)" - if($StreamList[$st].IsDir -eq '1' -and $StreamList[$st].inUse -eq '1') - { $parentnode[0].Nodes["$($s)Stream_$($StreamList[$st].FileID)"].ImageIndex = 0 } - elseif($StreamList[$st].IsDir -eq '1' -and $StreamList[$st].inUse -eq '0') - { $parentnode[0].Nodes["$($s)Stream_$($StreamList[$st].FileID)"].ImageIndex = 4 } - elseif ($StreamList[$st].IsDir -eq '0' -and $StreamList[$st].inUse -eq '1') - { $parentnode[0].Nodes["$($s)Stream_$($StreamList[$st].FileID)"].ImageIndex = 2 } - else { $parentnode[0].Nodes["$($s)Stream_$($StreamList[$st].FileID)"].ImageIndex = 1 } - $StreamList.Remove($StreamList[$st]) - - $s=$s+1 - } # end foreach group item + $toolstripprogressbar1.PerformStep() + $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Adding ADStreams: $($s) of $($streamcount)" + } + # Add stream + $streamnode = $parentnode[0].Nodes.Add("$($s)Stream_$($StreamList[$st].FileID)", "$($StreamList[$st].filename):$($StreamList[$st].StreamName)") + $streamnode.ForeColor = 'Green' + $streamnode.Tag = @("$([int]$StreamList[$st].Step)", "") + $streamnode.ToolTipText = "MFT Record ID: $($StreamList[$st].FileID)" + if ($StreamList[$st].IsDir -eq '1' -and $StreamList[$st].inUse -eq '1') + { + $streamnode.ImageIndex = 0 + $streamnode.SelectedImageIndex = 0 + } + elseif ($StreamList[$st].IsDir -eq '1' -and $StreamList[$st].inUse -eq '0') + { + $streamnode.ImageIndex = 4 + $streamnode.SelectedImageIndex = 4 + } + elseif ($StreamList[$st].IsDir -eq '0' -and $StreamList[$st].inUse -eq '1') + { + $streamnode.ImageIndex = 2 + $streamnode.SelectedImageIndex = 2 + } else { - $Status.Text = "Process was Cancelled - Cleaning ..." - $toolstrip1.Visible = $false - $toolstripprogressbar1.Value = $false - $richtextbox1.Text = $null - $toolstripprogressbar1.Value = $null - $datagridview1.Rows.Clear() - $treeview1.Nodes.Clear() - $treeview2.Nodes.Clear() - $Status.Text = $null - $Cancel.Enabled = $false - $script:cancelreading = $false - [gc]::Collect() - return + $streamnode.ImageIndex = 1 + $streamnode.SelectedImageIndex = 1 } + $StreamList.Remove($StreamList[$st]) + $s = $s + 1 + } # end foreach group item + else + { + $Status.Text = "Process was Cancelled - Cleaning ..." + $toolstrip1.Visible = $false + $toolstripprogressbar1.Value = $false + $richtextbox1.Text = $null + $toolstripprogressbar1.Value = $null + $datagridview1.Rows.Clear() + $treeview1.Nodes.Clear() + $treeview2.Nodes.Clear() + $Status.Text = $null + $Cancel.Enabled = $false + $script:cancelreading = $false + [gc]::Collect() + return + } } # end if parent exists } # End streams @@ -4358,15 +4415,17 @@ This value is available starting with Windows 10 April 2018 Update." $filenode = $parentnode[0].Nodes.Add("$($fi.FileID)", "$($fi.fname)") $filenode.Tag = @("$([int]$fi.Step)", "") $filenode.ToolTipText = "MFT: Record: $($fi.MFTRecord), SeqNr: $($fi.SeqNr)" - $f=$f+1 + $f = $f + 1 # add appropriate ico if ($fi.inUse -eq '1') { $filenode.ImageIndex = 2 + $filenode.SelectedImageIndex = 2 } else { $filenode.ImageIndex = 1 + $filenode.SelectedImageIndex = 1 } } # end if NOT cancelled else @@ -4406,23 +4465,25 @@ This value is available starting with Windows 10 April 2018 Update." if ($fi.inUse -eq '1') { $missing.Nodes["$($fi.FileID)"].ImageIndex = 2 + $missing.Nodes["$($fi.FileID)"].SelectedImageIndex = 2 } else { $missing.Nodes["$($fi.FileID)"].ImageIndex = 1 + $missing.Nodes["$($fi.FileID)"].SelectedImageIndex = 1 } } } } $treeview2.EndUpdate() } # end files count check - Start-Job -ScriptBlock { $filez.Clear() } -Name 'ClearFilez' - $filegroups = $null - + Start-Job -ScriptBlock { $filez.Clear(); $filegroups.Clear() } -Name 'ClearFilez' + $toolstripprogressbar1.Value = $toolstripprogressbar1.Minimum # add eXtension records - if($ExtensionRecordsCount -ge 1 -and $extgroupcount -ge 1){ + if ($ExtensionRecordsCount -ge 1 -and $extgroupcount -ge 1) + { # Add files to directory nodes ... $toolstripprogressbar1.Maximum = $ExtensionRecordsCount $toolstripprogressbar1.Minimum = 0 @@ -4434,25 +4495,26 @@ This value is available starting with Windows 10 April 2018 Update." foreach ($extgrp in $extensiongroups) { $parentnode = $root.Nodes.Find("$($extgrp.name)", $true) - foreach ($Xt in $extgrp.group) + if (!!$parentnode) { if ($script:cancelreading -ne $true) { [System.Windows.Forms.Application]::DoEvents() - if (!!$parentnode) + foreach ($Xt in $extgrp.group) { + if ($e % 50 -eq 0) + { + $toolstripprogressbar1.PerformStep() + $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Adding Extension records: $($e) of $($ExtensionRecordsCount)" + } + $e++ $Xnode = $parentnode[0].Nodes.Add("$($Xt.FileID)", "[Record: $($Xt.MFTrecord), SeqNr: $($Xt.SeqNr)]") $Xnode.Tag = @("$([int]$Xt.Step)", "") $Xnode.Tooltiptext = "MFT: Extension Record: $($Xt.MFTRecord), SeqNr: $($Xt.SeqNr)" - $Xnode.ImageIndex = 5 $Xnode.ForeColor = 'Red' - } - if ($e % 50 -eq 0) - { - $toolstripprogressbar1.PerformStep() - $Status.Text = "Elapsed: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')) - Adding Extension records: $($e) of $($ExtensionRecordsCount)" - } - $e++ + $Xnode.ImageIndex = 3 + $Xnode.SelectedImageIndex = 3 + } # end foreach } else { @@ -4470,16 +4532,15 @@ This value is available starting with Windows 10 April 2018 Update." [gc]::Collect() return } # end Cancelled - } # end foreach + } # if parent exists } # end foreach group $treeview2.EndUpdate } #end adding extension records - $extensiongroups = $null - Start-Job -ScriptBlock { $ExtensionRecords.Clear() } -Name 'ClearXtRecords' + Start-Job -ScriptBlock { $ExtensionRecords.Clear(); $extensiongroups.Clear() } -Name 'ClearXtRecords' # Just in case I forgot smtng - try{ $treeview2.EndUpdate()} - catch{} + try { $treeview2.EndUpdate() } + catch { } # Done $stopWatch.Stop() @@ -4494,19 +4555,20 @@ This value is available starting with Windows 10 April 2018 Update." # Show tree $treeview2.Visible = $true $Status.Text = "Ready - Total time to create the `$MFT tree: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')):$($stopWatch.Elapsed.Seconds.ToString('0#'))" - + $root.Expand() if (!!$rootdir) { $rootdir.Expand() } - [System.Console]::Beep(2800,150) - Get-Job |Wait-Job|Remove-Job - $recordsinfo= $null + $messageText = "File size: $(($fs/1024).ToString('N0'))Kb`nDirectory records: $($maxdirs.ToString('N0'))`nFile records: $($maxfilez.ToString('N0'))`nAD Streams: $($StreamCount.ToString('N0'))`nExtension records: $($ExtensionRecordsCount.ToString('N0'))`nTotal time to create the `$MFT tree: $($stopWatch.Elapsed.Hours.ToString('0#')):$($stopWatch.Elapsed.Minutes.ToString('0#')):$($stopWatch.Elapsed.Seconds.ToString('0#'))" + [System.Console]::Beep(2800, 150) + $null = [System.Windows.Forms.MessageBox]::Show($MainForm, "$($messageText)", "`$MFT Browser","OK", "Information") + Get-Job | Wait-Job | Remove-Job + $recordsinfo = $null } # End Read-MFT - function Get-Details { param @@ -5291,7 +5353,7 @@ This value is available starting with Windows 10 April 2018 Update." } else { - if ($this.SelectedNode.Name -notin ("MFT")) + if ($_.Node.Name -ne 'MFT') { $this.SelectedNode = $_.Node.Collapse() } @@ -5427,14 +5489,13 @@ This value is available starting with Windows 10 April 2018 Update." $Status.Text = "Getting record details.." # File record Signature - $signature = $data.Substring(0, 4) - - $richtextbox1.Font = New-Object Drawing.Font($oldFont.FontFamily, $oldFont.Size, [Drawing.FontStyle]::Regular) - $richtextbox1.ForeColor = 'Black' - $richtextbox1.Text = $null - # Show Datagrid again - $datagridview1.Visible = $true - $datagridview1.FirstDisplayedCell = $datagridview1.Rows[0].Cells[0] + + $richtextbox1.Font = New-Object Drawing.Font($oldFont.FontFamily, $oldFont.Size, [Drawing.FontStyle]::Regular) + $richtextbox1.ForeColor = 'Black' + $richtextbox1.Text = $null + # Show Datagrid again + $datagridview1.Visible = $true + $datagridview1.FirstDisplayedCell = $datagridview1.Rows[0].Cells[0] #################################################### @@ -5474,8 +5535,9 @@ This value is available starting with Windows 10 April 2018 Update." if ($_.Node.Tag[3].ToString().Length -gt 1) { $ress = [System.Text.Encoding]::getencoding(28591).GetBytes($_.Node.Tag[2]) - $resutf = [System.Text.Encoding]::UTF8.GetString($ress) - $richtextbox1.Text = "`nResident Content (UTF8):`n$($resutf)" + $resutf = try { [System.Text.Encoding]::UTF8.GetString($ress) } + catch { [System.Text.Encoding]::ASCII.GetString($ress) } + $richtextbox1.Text = "`nResident Content:`n$($resutf)" $richtextbox1.AppendText("`n`nResident Content (Hex):`n$($_.Node.Tag[3].ToString())") # Display JSON resident files @@ -5832,8 +5894,9 @@ This value is available starting with Windows 10 April 2018 Update." if ($_.Node.Tag[3].ToString().Length -gt 1) { $ress = [System.Text.Encoding]::getencoding(28591).GetBytes($_.Node.Tag[2]) - $resultf = [System.Text.Encoding]::UTF8.GetString($ress) - $richtextbox1.Text = "`nResident Content (UTF8):`n$($resultf)" + $resultf = try { [System.Text.Encoding]::UTF8.GetString($ress) } + catch{ [System.Text.Encoding]::ASCII.GetString($ress)} + $richtextbox1.Text = "`nResident Content:`n$($resultf)" $richtextbox1.AppendText("`n`nResident Content (Hex):`n$($_.Node.Tag[3].ToString())") # Display JSON resident files @@ -5941,7 +6004,7 @@ This value is available starting with Windows 10 April 2018 Update." } # End Resident Content when HexView is blank # expand selected MFT record - if ($_.Action -eq 'ByMouse' -and $_.Node.Name -eq "MFTNr" -and $_.Node.Parent.Name -eq 'MFT') + <# if ($_.Action -eq 'ByMouse' -and $_.Node.Name -eq "MFTNr" -and $_.Node.Parent.Name -eq 'MFT') { $_.Node.Expand() @@ -5954,11 +6017,12 @@ This value is available starting with Windows 10 April 2018 Update." $_.Node.Nodes["Header"].Expand() $_.Node.Nodes["Attributes"].Expand() } - } + } # $_.Node.BackColor = 'Orange' # $_.Node.NodeFont = New-Object Drawing.Font($treeview1.Font, [Drawing.FontStyle]::Bold) - } + } + elseif ($_.Action -eq 'ByKeyboard' -and $_.Node.Name -in "MFTNr" -and $_.Node.Parent.Name -eq "MFT") { if (!!$datagridview1.Visible) @@ -5977,8 +6041,8 @@ This value is available starting with Windows 10 April 2018 Update." } } else { $_.Node.Collapse() } - } - elseif ($_.Action -eq 'ByMouse' -and $_.Node.Name -in ("MFT_FileID", "Parent", "ParentID", "BaseID", "BaseFileRecordID")) + } #> + elseif ($_.Action -eq 'ByMouse' -and $_.Node.Name -in ("MFT_FileID", "Parent", "ParentID", "File_RecordID", "Parent_RecordID", "BaseID", "BaseFileRecordID")) { $pnode = $_.Node.Tag $t2node = $treeview2.Nodes.Find("$($pnode)", $true) @@ -5997,6 +6061,8 @@ This value is available starting with Windows 10 April 2018 Update." } } #end treeview1_AfterSelect + + # New range - search the same MFT $NewRecordRange_Click = { @@ -6075,8 +6141,9 @@ This value is available starting with Windows 10 April 2018 Update." if ($openfiledialog1.ShowDialog() -eq 'OK') { - $SearchTextbox.Visible = $false $NewRecordRange.Enabled = $false + $treeview1.Visible = $false + $picturebox1.Visible= $true $Status.Text = "Doing some cleaning ..." $script:records = $null $global:MFTfile = $openfiledialog1.FileName @@ -6085,7 +6152,7 @@ This value is available starting with Windows 10 April 2018 Update." [int]$ceiling = [math]::Ceiling($fs/1024) - 1 $richtextbox1.Text = $null $datagridview1.Rows.Clear() - if ($treeview1.Nodes.Count -ge 1) { $treeview1.Nodes.Clear() } + if ($treeview1.Nodes.Count -ge 1){ $treeview1.Nodes.Clear() } if ($treeview2.Nodes.Count -ge 1){ $treeview2.Nodes.Clear() } [GC]::Collect() $Status.Text = $null @@ -6133,7 +6200,6 @@ This value is available starting with Windows 10 April 2018 Update." { $script:cancelreading = $false Read-MFT -MFTfile "$($global:MFTfile)" - $SearchTextbox.Visible = $true } ####### Start-Sleep -Milliseconds 250 @@ -6402,53 +6468,37 @@ This value is available starting with Windows 10 April 2018 Update." $script:cancelreading = $true }#end Cancel_Click - $treeview1_BeforeSelect=[System.Windows.Forms.TreeViewCancelEventHandler]{ - #Event Argument: $_ = [System.Windows.Forms.TreeViewCancelEventArgs] - if ($_.Action -eq 'ByMouse') - { - if ($_.Node.Parent.Name -eq "MFT") - { - $treeview1.BeginUpdate() - foreach ($node in $_.Node.Parent.Nodes) - { - if ($node -ne $_.Node) - { - $node.Collapse() - } - } - } - } - $treeview1.EndUpdate() - } #end treeview1_BeforeSelect + $treeview2_NodeMouseClick=[System.Windows.Forms.TreeNodeMouseClickEventHandler]{ #Event Argument: $_ = [System.Windows.Forms.TreeNodeMouseClickEventArgs] - if ($_.Button -eq 'Left') + + $Status.Text = $_.Node.FullPath.TrimStart("$($treeview2.nodes["MFT"].Text)") + if ($_.Button -eq 'Right') + { + $this.SelectedNode = $_.Node + } + elseif ($_.Button -eq 'Left') { $this.SelectedNode = $_.Node - $Status.Text = $_.Node.FullPath #.TrimStart($treeview2.TopNode.FullPath) - if (!$_.Node.IsExpanded) { $this.SelectedNode = $_.Node.Expand() } - else + elseif(!!$_.Node.IsExpanded) { $this.SelectedNode = $_.Node.Collapse() } } - elseif ($_.Button -eq 'Right') - { - $this.SelectedNode = $_.Node - } + #if($treeview1.HitTest($_.Location) -eq [System.Windows.Forms.TreeViewHitTestLocations]::PlusMinus) } #end treeview2_NodeMouseClick $treeview2_NodeMouseDoubleClick=[System.Windows.Forms.TreeNodeMouseClickEventHandler]{ #Event Argument: $_ = [System.Windows.Forms.TreeNodeMouseClickEventArgs] - $this.SelectedNode = $_.Node + # $this.SelectedNode = $_.Node if (!!$_.Node.Tag) { Load-MFT -MFTfile "$($global:MFTfile)" -MFTrecord $_.Node.Tag[0] @@ -6468,8 +6518,12 @@ This value is available starting with Windows 10 April 2018 Update." } #end treeview2_NodeMouseDoubleClick $Copy2_Click={ - $node.Text | clip - }#end Copy2_Click + if (!!$treeview2.SelectedNode) + { + $node = $treeview2.SelectedNode + $node.Text | clip + } + } #end Copy2_Click $Expand2_Click={ if (!!$treeview2.SelectedNode) @@ -6509,13 +6563,14 @@ This value is available starting with Windows 10 April 2018 Update." } #end ExpandAll2_Click $CollapseAll2_Click={ + $treeview2.BeginUpdate() $treeview2.CollapseAll() $treeview2.Nodes.Expand() if (!!$treeview2.Nodes["MFT"].Nodes[1]) { $treeview2.Nodes["MFT"].Nodes[1].Expand() } - + $treeview2.EndUpdate() } #end CollapseAll2_Click $Exit5_Click={ @@ -6541,15 +6596,11 @@ This value is available starting with Windows 10 April 2018 Update." } #end Print_richtextbox_Click - $treeview2_BeforeExpand=[System.Windows.Forms.TreeViewCancelEventHandler]{ - #Event Argument: $_ = [System.Windows.Forms.TreeViewCancelEventArgs] - if ($_.Action -eq 'ByMouse') { $_.Cancel = $true } - } #end treeview2_BeforeExpand - function GetNodes($nodes) { foreach ($n in $nodes) { + [System.Windows.Forms.Application]::DoEvents() $n GetNodes($n.Nodes) } @@ -6557,6 +6608,8 @@ This value is available starting with Windows 10 April 2018 Update." function HighlightNodes($nodes, $like) { + $treeview2.BeginUpdate() + $Status.Text = 'Please wait ..' if (!$like) { $treeview2.Nodes.Expand() @@ -6564,6 +6617,8 @@ This value is available starting with Windows 10 April 2018 Update." { $treeview2.Nodes["MFT"].Nodes[1].Expand() } + $treeview2.EndUpdate() + $Status.Text = 'Ready' return } if (!!$nodes.where{ $_ -notmatch "$like" }) @@ -6576,58 +6631,27 @@ This value is available starting with Windows 10 April 2018 Update." } } $nodes.where{ $_ -match "$like" } | foreach{ + [System.Windows.Forms.Application]::DoEvents() $_.BackColor = "Yellow" $_.EnsureVisible() } + $treeview2.EndUpdate() + $Status.Text = 'Ready' } function UnHighlightNodes($nodes) { $treeview2.BeginUpdate() - $nodes | foreach{ + $Status.Text = 'Please wait ..' + $nodes | foreach{ + [System.Windows.Forms.Application]::DoEvents() $_.BackColor = 'Gainsboro' $_.Collapse() } $treeview2.EndUpdate() + $Status.Text = 'Ready' } - $SearchTextbox_Click={ - if (![String]::IsNullOrEmpty($SearchTextbox.text) -or $SearchTextbox.text -ne "Search Files") - { - $SearchTextbox.text = $null - UnHighlightNodes -nodes (GetNodes -nodes $treeview2.Nodes) - if (!$treeview2.SelectedNode.IsExpanded) - { - $treeview2.BeginUpdate() - $treeview2.Nodes.Expand() - if (!!$treeview2.Nodes["MFT"].Nodes[1]) - { - $treeview2.Nodes["MFT"].Nodes[1].Expand() - } - $treeview2.EndUpdate() - } - - } - else{ $SearchTextbox.text = $null} - } #end SearchTextbox_Click - - $SearchTextbox_KeyPress=[System.Windows.Forms.KeyPressEventHandler]{ - #Event Argument: $_ = [System.Windows.Forms.KeyPressEventArgs] - $_.Handled = ![char]::IsControl($_.KeyChar) -and ![Char]::IsLetterOrDigit($_.KeyChar) -and !![System.Windows.Forms.Keys]::Enter - - }#end SearchTextbox_KeyPress - - $SearchTextbox_KeyUp=[System.Windows.Forms.KeyEventHandler]{ - #Event Argument: $_ = [System.Windows.Forms.KeyEventArgs] - if($_.KeyCode -eq 'Enter' -and $SearchTextbox.text -ne $null){ - $treeview2.BeginUpdate() - $like = $SearchTextbox.Text - HighlightNodes -nodes (GetNodes -nodes $treeview2.Nodes) -like $like - $treeview2.EndUpdate() - $SearchTextbox.text = $null - } - }#end SearchTextbox_KeyUp - $statusbar1_PanelClick=[System.Windows.Forms.StatusBarPanelClickEventHandler]{ #Event Argument: $_ = [System.Windows.Forms.StatusBarPanelClickEventArgs] if (![String]::IsNullOrEmpty($Status.text)) @@ -6661,44 +6685,6 @@ This value is available starting with Windows 10 April 2018 Update." $mftstructure|Out-File -FilePath e:\mftfile.txt -Encoding utf8 } #end $something_Click - $MFT_Part_List_SelectedIndexChanged={ - if (!!$script:mftparts) - { - $messageText = if($MFT_Part_List.SelectedIndex -eq 0){ "Are you sure?`n This will load the full MFT file"} - else{ "Are you sure?`n This will load part [$($MFT_Part_List.SelectedIndex - 1)] 250Mb selection of the MFT file"} - switch ([System.Windows.Forms.MessageBox]::Show($MainForm, "$($messageText)", "`$MFT Browser", "YesNo", "Question", 'Button2')) - { - 'Yes' { - $Status.Text = "Doing some cleaning ..." - $script:records = $null - $richtextbox1.Text = $null - $datagridview1.Rows.Clear() - if ($treeview1.Nodes.Count -ge 1) { $treeview1.Nodes.Clear() } - if ($treeview2.Nodes.Count -ge 1) { $treeview2.Nodes.Clear() } - [GC]::Collect() - $Status.Text = $null - Start-Sleep -Milliseconds 250 - $NewRecordRange.Enabled = $true - $selectedidx = $MFT_Part_List.SelectedIndex - $script:cancelreading = $false - $Cancel.Enabled = $true - - if ($selectedidx -eq ($MFT_Part_List.Items.Count - 1)) - { - Read-MFT -MFTfile $global:MFTfile - } - else - { - Read-MFT -MFTfile $global:MFTfile -RangeStart $script:mftparts[$selectedidx-1].start -RangeEnd $script:mftparts[$selectedidx-1].end - } - } - 'No' { - $script:cancelreading = $true - Return - } - } - } - } #end MFT_Part_List_SelectedIndexChanged $Properties_Click={ $tag = $treeview2.SelectedNode.Tag @@ -6731,10 +6717,16 @@ This value is available starting with Windows 10 April 2018 Update." $treeview2_AfterSelect=[System.Windows.Forms.TreeViewEventHandler]{ #Event Argument: $_ = [System.Windows.Forms.TreeViewEventArgs] - $treeview2.SelectedNode.BackColor = 'Orange' + If (!!$treeview2.SelectedNode -and $_.Action -ne 'ByMouse' -and $_.Action -ne 'ByKeyboard') + { + $treeview2.SelectedNode.BackColor = 'Orange' + } + }#end treeview2_AfterSelect + + # --End User Generated Script-- #---------------------------------------------- #region Generated Events @@ -6786,7 +6778,6 @@ This value is available starting with Windows 10 April 2018 Update." $MFTBrowser.remove_Shown($MFTBrowser_Shown) $Open.remove_Click($Open_Click) $exitToolStripMenuItem.remove_Click($exitToolStripMenuItem_Click) - $treeview1.remove_BeforeSelect($treeview1_BeforeSelect) $treeview1.remove_AfterSelect($treeview1_AfterSelect) $treeview1.remove_NodeMouseClick($treeview1_NodeMouseClick) $datagridview1.remove_CellMouseEnter($datagridview1_CellMouseEnter) @@ -6812,7 +6803,6 @@ This value is available starting with Windows 10 April 2018 Update." $About1.remove_Click($About1_Click) $NewRecordRange.remove_Click($NewRecordRange_Click) $Cancel.remove_Click($Cancel_Click) - $treeview2.remove_BeforeExpand($treeview2_BeforeExpand) $treeview2.remove_BeforeSelect($treeview2_BeforeSelect) $treeview2.remove_AfterSelect($treeview2_AfterSelect) $treeview2.remove_NodeMouseClick($treeview2_NodeMouseClick) @@ -6823,9 +6813,6 @@ This value is available starting with Windows 10 April 2018 Update." $CollapseAll2.remove_Click($CollapseAll2_Click) $Exit5.remove_Click($Exit5_Click) $Print_richtextbox.remove_Click($Print_richtextbox_Click) - $SearchTextbox.remove_KeyPress($SearchTextbox_KeyPress) - $SearchTextbox.remove_KeyUp($SearchTextbox_KeyUp) - $SearchTextbox.remove_Click($SearchTextbox_Click) $ExpandAll2.remove_Click($ExpandAll2_Click) $Properties.remove_Click($Properties_Click) $MFTBrowser.remove_Load($Form_StateCorrection_Load) @@ -6863,7 +6850,7 @@ This value is available starting with Windows 10 April 2018 Update." $MFTBrowser.AutoSize = $True $MFTBrowser.AutoValidate = 'EnableAllowFocusChange' $MFTBrowser.BackColor = [System.Drawing.SystemColors]::ControlDark - $MFTBrowser.ClientSize = New-Object System.Drawing.Size(3474, 1729) + $MFTBrowser.ClientSize = New-Object System.Drawing.Size(3374, 1529) #region Binary Data $Formatter_binaryFomatter = New-Object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter $System_IO_MemoryStream = New-Object System.IO.MemoryStream (,[byte[]][System.Convert]::FromBase64String(' @@ -6871,7 +6858,7 @@ AAEAAAD/////AQAAAAAAAAAMAgAAAFFTeXN0ZW0uRHJhd2luZywgVmVyc2lvbj00LjAuMC4wLCBD dWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWIwM2Y1ZjdmMTFkNTBhM2EFAQAAABNTeXN0 ZW0uRHJhd2luZy5JY29uAgAAAAhJY29uRGF0YQhJY29uU2l6ZQcEAhNTeXN0ZW0uRHJhd2luZy5T aXplAgAAAAIAAAAJAwAAAAX8////E1N5c3RlbS5EcmF3aW5nLlNpemUCAAAABXdpZHRoBmhlaWdo -dAAACAgCAAAAAAAAAAAAAAAPAwAAAK3tAgACAAABAAsAMDAAAAEACACoDgAAtgAAACAgAAABAAgA +dAAACAgCAAAAQAAAAEAAAAAPAwAAAK3tAgACAAABAAsAMDAAAAEACACoDgAAtgAAACAgAAABAAgA qAgAAF4PAAAQEAAAAQAIAGgFAAAGGAAAAAAAAAEAIAAHYgAAbh0AAICAAAABACAAKAgBAHV/AABg YAAAAQAgAKiUAACdhwEASEgAAAEAIACIVAAARRwCAEBAAAABACAAKEIAAM1wAgAwMAAAAQAgAKgl AAD1sgIAICAAAAEAIACoEAAAndgCABAQAAABACAAaAQAAEXpAgAoAAAAMAAAAGAAAAABAAgAAAAA @@ -10245,7 +10232,7 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAgAEAAAs=')) $System_IO_MemoryStream = $null $MFTBrowser.KeyPreview = $True $MFTBrowser.Margin = '9, 8, 9, 8' - $MFTBrowser.MinimumSize = New-Object System.Drawing.Size(1907, 1007) + $MFTBrowser.MinimumSize = New-Object System.Drawing.Size(2400, 1200) $MFTBrowser.Name = 'MFTBrowser' $MFTBrowser.StartPosition = 'CenterScreen' $MFTBrowser.Text = "`$MFT Browser" @@ -10263,22 +10250,22 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAgAEAAAs=')) $splitcontainer3.Name = 'splitcontainer3' [void]$splitcontainer3.Panel1.Controls.Add($treeview2) [void]$splitcontainer3.Panel2.Controls.Add($splitcontainer1) - $splitcontainer3.Size = New-Object System.Drawing.Size(3474, 1641) - $splitcontainer3.SplitterDistance = 937 + $splitcontainer3.Size = New-Object System.Drawing.Size(3374, 1441) + $splitcontainer3.SplitterDistance = 978 $splitcontainer3.SplitterWidth = 6 $splitcontainer3.TabIndex = 7 $splitcontainer3.TabStop = $False # # statusbar1 # - $statusbar1.Location = New-Object System.Drawing.Point(0, 1685) + $statusbar1.Location = New-Object System.Drawing.Point(0, 1485) $statusbar1.Margin = '6, 6, 6, 6' $statusbar1.Name = 'statusbar1' $statusbar1.Padding = '0, 12, 0, 0' [void]$statusbar1.Panels.Add($Status) [void]$statusbar1.Panels.Add($XY) $statusbar1.ShowPanels = $True - $statusbar1.Size = New-Object System.Drawing.Size(3474, 44) + $statusbar1.Size = New-Object System.Drawing.Size(3374, 44) $statusbar1.TabIndex = 5 $statusbar1.Text = 'statusbar1' $statusbar1.add_PanelClick($statusbar1_PanelClick) @@ -10293,12 +10280,11 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAgAEAAAs=')) [void]$menustrip1.Items.Add($NewRecordRange) [void]$menustrip1.Items.Add($Cancel) [void]$menustrip1.Items.Add($About) - [void]$menustrip1.Items.Add($SearchTextbox) $menustrip1.Location = New-Object System.Drawing.Point(0, 0) $menustrip1.Name = 'menustrip1' $menustrip1.Padding = '13, 4, 0, 4' $menustrip1.ShowItemToolTips = $True - $menustrip1.Size = New-Object System.Drawing.Size(3474, 44) + $menustrip1.Size = New-Object System.Drawing.Size(3374, 44) $menustrip1.TabIndex = 6 $menustrip1.Text = 'menustrip1' # @@ -10311,10 +10297,12 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAgAEAAAs=')) $splitcontainer1.Location = New-Object System.Drawing.Point(0, 0) $splitcontainer1.Margin = '0, 0, 0, 12' $splitcontainer1.Name = 'splitcontainer1' + $splitcontainer1.Panel1.BackgroundImageLayout = 'Center' [void]$splitcontainer1.Panel1.Controls.Add($treeview1) + [void]$splitcontainer1.Panel1.Controls.Add($picturebox1) [void]$splitcontainer1.Panel2.Controls.Add($splitcontainer2) - $splitcontainer1.Size = New-Object System.Drawing.Size(2531, 1641) - $splitcontainer1.SplitterDistance = 921 + $splitcontainer1.Size = New-Object System.Drawing.Size(2390, 1441) + $splitcontainer1.SplitterDistance = 1111 $splitcontainer1.SplitterWidth = 6 $splitcontainer1.TabIndex = 3 $splitcontainer1.TabStop = $False @@ -10385,7 +10373,7 @@ dD+HD+5i324JOyQ++Hp7sWnjWtav8WCDp4c74D+XIPwBF8beaT1+/VgAAAAASUVORK5CYIIL')) $Status.AutoSize = 'Spring' $Status.Name = 'Status' $Status.Text = 'Ready' - $Status.Width = 3431 + $Status.Width = 3331 # # treeview1 # @@ -10400,9 +10388,9 @@ dD+HD+5i324JOyQ++Hp7sWnjWtav8WCDp4c74D+XIPwBF8beaT1+/VgAAAAASUVORK5CYIIL')) $treeview1.Margin = '28, 24, 28, 24' $treeview1.Name = 'treeview1' $treeview1.ShowNodeToolTips = $True - $treeview1.Size = New-Object System.Drawing.Size(917, 1637) + $treeview1.Size = New-Object System.Drawing.Size(1107, 1437) $treeview1.TabIndex = 0 - $treeview1.add_BeforeSelect($treeview1_BeforeSelect) + $treeview1.Visible = $False $treeview1.add_AfterSelect($treeview1_AfterSelect) $treeview1.add_NodeMouseClick($treeview1_NodeMouseClick) # @@ -10413,14 +10401,14 @@ dD+HD+5i324JOyQ++Hp7sWnjWtav8WCDp4c74D+XIPwBF8beaT1+/VgAAAAASUVORK5CYIIL')) $richtextbox1.BulletIndent = 1 $richtextbox1.ContextMenuStrip = $contextmenustrip2 $richtextbox1.Dock = 'Fill' - $richtextbox1.Font = [System.Drawing.Font]::new('Lucida Console', '9') + $richtextbox1.Font = [System.Drawing.Font]::new('Lucida Console', '8') $richtextbox1.HideSelection = $False $richtextbox1.Location = New-Object System.Drawing.Point(0, 0) $richtextbox1.Margin = '6, 6, 6, 4' $richtextbox1.Name = 'richtextbox1' $richtextbox1.ReadOnly = $True $richtextbox1.ShowSelectionMargin = $True - $richtextbox1.Size = New-Object System.Drawing.Size(1600, 374) + $richtextbox1.Size = New-Object System.Drawing.Size(1269, 327) $richtextbox1.TabIndex = 0 $richtextbox1.Text = '' # @@ -10494,7 +10482,7 @@ dD+HD+5i324JOyQ++Hp7sWnjWtav8WCDp4c74D+XIPwBF8beaT1+/VgAAAAASUVORK5CYIIL')) $datagridview1.ShowCellErrors = $False $datagridview1.ShowEditingIcon = $False $datagridview1.ShowRowErrors = $False - $datagridview1.Size = New-Object System.Drawing.Size(1600, 1253) + $datagridview1.Size = New-Object System.Drawing.Size(1269, 1100) $datagridview1.TabIndex = 1 $datagridview1.Visible = $False $datagridview1.add_CellMouseEnter($datagridview1_CellMouseEnter) @@ -14124,8 +14112,8 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAgAEAAAs=')) [void]$splitcontainer2.Panel1.Controls.Add($toolstrip1) [void]$splitcontainer2.Panel1.Controls.Add($richtextbox1) [void]$splitcontainer2.Panel2.Controls.Add($datagridview1) - $splitcontainer2.Size = New-Object System.Drawing.Size(1604, 1641) - $splitcontainer2.SplitterDistance = 378 + $splitcontainer2.Size = New-Object System.Drawing.Size(1273, 1441) + $splitcontainer2.SplitterDistance = 331 $splitcontainer2.SplitterWidth = 6 $splitcontainer2.TabIndex = 3 # @@ -14450,6 +14438,7 @@ V3r+l7leIiAvDHlrTQXSM4H5tGn/AjkLWg2DRQjrAAAAAElFTkSuQmCCCw==')) # treeview2 # $treeview2.BackColor = [System.Drawing.Color]::Gainsboro + $treeview2.BorderStyle = 'None' $treeview2.ContextMenuStrip = $contextmenustrip5 $treeview2.Dock = 'Fill' $treeview2.Font = [System.Drawing.Font]::new('Microsoft Sans Serif', '9') @@ -14458,11 +14447,10 @@ V3r+l7leIiAvDHlrTQXSM4H5tGn/AjkLWg2DRQjrAAAAAElFTkSuQmCCCw==')) $treeview2.Location = New-Object System.Drawing.Point(0, 0) $treeview2.Margin = '6, 6, 6, 6' $treeview2.Name = 'treeview2' - $treeview2.SelectedImageIndex = 3 + $treeview2.SelectedImageIndex = 0 $treeview2.ShowNodeToolTips = $True - $treeview2.Size = New-Object System.Drawing.Size(937, 1641) + $treeview2.Size = New-Object System.Drawing.Size(978, 1441) $treeview2.TabIndex = 0 - $treeview2.add_BeforeExpand($treeview2_BeforeExpand) $treeview2.add_BeforeSelect($treeview2_BeforeSelect) $treeview2.add_AfterSelect($treeview2_AfterSelect) $treeview2.add_NodeMouseClick($treeview2_NodeMouseClick) @@ -14476,7 +14464,7 @@ V3r+l7leIiAvDHlrTQXSM4H5tGn/AjkLWg2DRQjrAAAAAElFTkSuQmCCCw==')) AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2lvbj00LjAu MC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAA ACZTeXN0ZW0uV2luZG93cy5Gb3Jtcy5JbWFnZUxpc3RTdHJlYW1lcgEAAAAERGF0YQcCAgAAAAkD -AAAADwMAAABQDAAAAk1TRnQBSQFMAgEBBgEAAdABAAHQAQABEAEAARABAAT/AQkBAAj/AUIBTQE2 +AAAADwMAAAAoCwAAAk1TRnQBSQFMAgEBBQEAARgBAAEYAQABEAEAARABAAT/AQkBAAj/AUIBTQE2 AQQGAAE2AQQCAAEoAwABQAMAASADAAEBAQABCAYAAQgYAAGAAgABgAMAAoABAAGAAwABgAEAAYAB AAKAAgADwAEAAcAB3AHAAQAB8AHKAaYBAAEzBQABMwEAATMBAAEzAQACMwIAAxYBAAMcAQADIgEA AykBAANVAQADTQEAA0IBAAM5AQABgAF8Af8BAAJQAf8BAAGTAQAB1gEAAf8B7AHMAQABxgHWAe8B @@ -14506,32 +14494,27 @@ AAH/AZkBMwEAAf8BmQFmAQAB/wKZAQAB/wGZAcwBAAH/AZkB/wEAAf8BzAIAAf8BzAEzAQAB/wHM AWYBAAH/AcwBmQEAAf8CzAEAAf8BzAH/AQAC/wEzAQABzAH/AWYBAAL/AZkBAAL/AcwBAAJmAf8B AAFmAf8BZgEAAWYC/wEAAf8CZgEAAf8BZgH/AQAC/wFmAQABIQEAAaUBAANfAQADdwEAA4YBAAOW AQADywEAA7IBAAPXAQAD3QEAA+MBAAPqAQAD8QEAA/gBAAHwAfsB/wEAAaQCoAEAA4ADAAH/AgAB -/wMAAv8BAAH/AwAB/wEAAf8BAAL/AgAD/xcAAQ4BNwH7ATABAAEQLQABIgRTASIB/wMAAeoBKQE3 -AX4DXgF+ATcBAAH/JAAG+wExBiwDAAFDAVcCWAVdAVgBVwEpAf8hAAHtBzgBJgEsBJoBLAEmAQAB -/wFQAlcBWAE3A/8BNwFYAlciAAHtBzgBJgFNBP8BTQEmAgABVgJXAjYD/wI2AlcBVgEQIAAB7Qc4 -ASwGTQElAQABTwFWBFcD/wNXAlYhAAHtCDgBFwQWARcBMQHzA1YJ/wJWAUkgAAHtCDgBMgH5Ar0B -+QErATgB7wFVAlYJ/wJWAVUgAAHtClkFOAHwAU8CVgn/AlYBTyAAAe0NWQI4AQABTwOXAlYD/wFW -A5cBViEAAe0OegE4AgABdwSXA/8ElwFPIQAB7QeaATcBJAUrAUwBAAEHAU8BnQOXA/8DlwGdAUgh -AAHxATIFwwGaCFMDAAFOA5gDlwOYAU4B6iIAARUGAAg4BAABTgYIAZ0BTgFDNgABBwEABE4BSAEA -Af86AAHwAe8B8zgAB/ABvAFzAjIBAAHwAQAQ/wYAAQ4BNwH7ATABAAEQFAAB6wHyBv8B8gEsBFMB -LAHwAf8OrAG0AwAB6gEpATcBfgNeAX4BNwEAAf8CAAH/DPIB8wH/AQABbQHzBv8BTQEsAf8BdQH2 -Af8BLAEAD/8BrAIAAUMBVwJYBV0BWAFXASkB/wEAAf8BUgugAXkB/wEAAW0B9AH/AbwB8gK8AfAC -JgT/AiYP/wGsAQAB/wFQAlcBWAI3ATsCNwFYAlcCAAH/AXoBoAqaAaAB9AEAAW0C/wPsApIBJgFH -AfYC/wF1AUcBJg//AawCAAFWAlcCNgE3AVgBfgI2AlcBVgEQAf8BoAGaAXoJmgGgAZkBAAFtAv8C -8QHzAfEB/wEmAU0E/wFNAQsP/wGsAQABTwFWBFcBNgFYAv8CVwJWAQAB/wGgAVIBmgp6AXQB/wFt -CP8B4wQWAUcBEA//AawB8wNWCP8DVgFJAf8BoAF0AcMKegHDAf8BbQL/AZIB7AGSAe8B7QHsAe0B -+QGUARYBIAIAAv8M9AH/AawB7wFVAlYJ/wJWAVUB/wHDAXoEUgd6AZoBGgFtAv8B8AHxAfIB8QEH -AvEC/wHsAwAC/wzzAfQBrAHwAU8CVgj/AU8CVgFPAf8BwwV6AXQHwwFSAW0L/wHsAwAC/wzzAfIB -rAEAAU8DlwNWAXgC/wFWApcBVgEAAf8Bwwt6AVIB9AH/AW0C/wHwAQcB8AMHAbwC/wHsAwAC/wzy -AfEBrAIAAXcFlwGYAf8ElwFPAQAB/wHDC3oBUgIAAW0B/wH0AZIBBwHsAQcB7ALtAvQB7AMAAv8N -8AGsAQABBwFPAZ0DlwF4AZcBeAOXAZ0BSAEAAf8BwwN6AcMHUgGZAgABbQH/CvQB7AMAAf8BGQ20 -AawDAAFOCZgBTgHqAQAB/wVSAf8JAAFtAf8K8wHsAwAB/wEJDLMCsgQAAU4GCAGdAU4BQxMAAe8K -/wQAAf8OsgG7BAABBwEABE4BSAEAAf8VAAltAZIbAAHwAe8B8wYAAUIBTQE+BwABPgMAASgDAAFA -AwABIAMAAQEBAAEBBgABARYAA/8BAAH/AcMB+AEPBAAB/wGAAeABAwQAAYABAAHAAQEGAAGAAQEG -AAGABwABgB8AAYAHAAGABwABgAEBBgABwAEBBAABgAEAAeABAwQAAf8BAAHwAQcEAAL/Af4BPwQA -Av8BgAEBAgAB+AEPAv8EAAHgAQMBAAEBBAABwAEBAQABAQQAAYABAQEAAQEEAAGAAgABAQQAAYAM -AAEBBwABBwcAAQcCAAGABAABBwIAAYACAAEDAQABBwIAAYABAQEAAQMBAAEHAgABwAIBAf8BAAEH -AgAB4AEDAv8BgAEHAgAB8AEHAv8BwAEPAv8B/gE/Cw==')) +/wMAAv8BAAH/AwAB/wEAAf8BAAL/AgAD/0oAASIEUwEiAf8yAAb7ATEGLDEAAe0HOAEmASwEmgEs +ASYwAAHtBzgBJgFNBP8BTQEmMAAB7Qc4ASwGTQElMAAB7Qg4ARcEFgEXATEwAAHtCDgBMgH5Ar0B ++QErATgwAAHtClkFODAAAe0NWQI4MAAB7Q56ATgwAAHtB5oBNwEkBSsBTDAAAfEBMgXDAZoIUzEA +ARUGAAg4wgAH8AG8AXMCMgEAAfABABD/BgABDgE3AfsBMAEAARAUAAHrAfIG/wHyASwEUwEsAfAB +/w6sAbQDAAHqASkBNwF+A14BfgE3AQAB/wIAAf8M8gHzAf8BAAFtAfMG/wFNASwB/wF1AfYB/wEs +AQAP/wGsAgABQwFXAlgFXQFYAVcBKQH/AQAB/wFSC6ABeQH/AQABbQH0Af8BvAHyArwB8AImBP8C +Jg//AawBAAH/AVACVwFYAjcBOwI3AVgCVwIAAf8BegGgCpoBoAH0AQABbQL/A+wCkgEmAUcB9gL/ +AXUBRwEmD/8BrAIAAVYCVwI2ATcBWAF+AjYCVwFWARAB/wGgAZoBegmaAaABmQEAAW0C/wLxAfMB +8QH/ASYBTQT/AU0BCw//AawBAAFPAVYEVwE2AVgC/wJXAlYBAAH/AaABUgGaCnoBdAH/AW0I/wHj +BBYBRwEQD/8BrAHzA1YI/wNWAUkB/wGgAXQBwwp6AcMB/wFtAv8BkgHsAZIB7wHtAewB7QH5AZQB +FgEgAgAC/wz0Af8BrAHvAVUCVgn/AlYBVQH/AcMBegRSB3oBmgEaAW0C/wHwAfEB8gHxAQcC8QL/ +AewDAAL/DPMB9AGsAfABTwJWCP8BTwJWAU8B/wHDBXoBdAfDAVIBbQv/AewDAAL/DPMB8gGsAQAB +TwOXA1YBeAL/AVYClwFWAQAB/wHDC3oBUgH0Af8BbQL/AfABBwHwAwcBvAL/AewDAAL/DPIB8QGs +AgABdwWXAZgB/wSXAU8BAAH/AcMLegFSAgABbQH/AfQBkgEHAewBBwHsAu0C9AHsAwAC/w3wAawB +AAEHAU8BnQOXAXgBlwF4A5cBnQFIAQAB/wHDA3oBwwdSAZkCAAFtAf8K9AHsAwAB/wEZDbQBrAMA +AU4JmAFOAeoBAAH/BVIB/wkAAW0B/wrzAewDAAH/AQkMswKyBAABTgYIAZ0BTgFDEwAB7wr/BAAB +/w6yAbsEAAEHAQAETgFIAQAB/xUACW0BkhsAAfAB7wHzBgABQgFNAT4HAAE+AwABKAMAAUADAAEg +AwABAQEAAQEGAAEBFgAD/wEAAf8BwwYAAf8BgAYAAYBXAAGABwAB/wcAAv8GAAL/AYABAQIAAfgB +DwL/BAAB4AEDAQABAQQAAcABAQEAAQEEAAGAAQEBAAEBBAABgAIAAQEEAAGADAABAQcAAQcHAAEH +AgABgAQAAQcCAAGAAgABAwEAAQcCAAGAAQEBAAEDAQABBwIAAcACAQH/AQABBwIAAeABAwL/AYAB +BwIAAfABBwL/AcABDwL/Af4BPws=')) #endregion $imagelist1.ImageStream = $Formatter_binaryFomatter.Deserialize($System_IO_MemoryStream) $Formatter_binaryFomatter = $null @@ -14542,7 +14525,6 @@ AgAB4AEDAv8BgAEHAgAB8AEHAv8BwAEPAv8B/gE/Cw==')) $imagelist1.Images.SetKeyName(2,'application.ico') $imagelist1.Images.SetKeyName(3,'Button Next-01.ico') $imagelist1.Images.SetKeyName(4,'Folder Delete-01.ico') - $imagelist1.Images.SetKeyName(5,'Button Add-01.ico') # # contextmenustrip5 # @@ -14623,20 +14605,6 @@ AgAB4AEDAv8BgAEHAgAB8AEHAv8BwAEPAv8B/gE/Cw==')) $toolstripseparator12.Name = 'toolstripseparator12' $toolstripseparator12.Size = New-Object System.Drawing.Size(210, 6) # - # SearchTextbox - # - $SearchTextbox.BackColor = [System.Drawing.Color]::Honeydew - $SearchTextbox.Margin = '50, 0, 1, 0' - $SearchTextbox.Name = 'SearchTextbox' - $SearchTextbox.Size = New-Object System.Drawing.Size(300, 39) - $SearchTextbox.Text = 'Search Files' - $SearchTextbox.ToolTipText = 'Type File/Folder name and press Enter -Click on the this Textbox to clear highlighted items.' - $SearchTextbox.Visible = $False - $SearchTextbox.add_KeyPress($SearchTextbox_KeyPress) - $SearchTextbox.add_KeyUp($SearchTextbox_KeyUp) - $SearchTextbox.add_Click($SearchTextbox_Click) - # # ExpandAll2 # $ExpandAll2.Name = 'ExpandAll2' @@ -14655,6 +14623,19 @@ Click on the this Textbox to clear highlighted items.' # $toolstripseparator13.Name = 'toolstripseparator13' $toolstripseparator13.Size = New-Object System.Drawing.Size(258, 6) + # + # picturebox1 + # + $picturebox1.BackgroundImageLayout = 'Center' + $picturebox1.Dock = 'Fill' + $picturebox1.Location = New-Object System.Drawing.Point(0, 0) + $picturebox1.Margin = '20, 20, 20, 20' + $picturebox1.Name = 'picturebox1' + $picturebox1.Size = New-Object System.Drawing.Size(1107, 1437) + $picturebox1.SizeMode = 'CenterImage' + $picturebox1.TabIndex = 1 + $picturebox1.TabStop = $False + $picturebox1.Visible = $False $contextmenustrip5.ResumeLayout() $toolstrip1.ResumeLayout() $splitcontainer2.ResumeLayout() @@ -18541,8 +18522,8 @@ Main ($CommandLine) # SIG # Begin signature block # MIIfcAYJKoZIhvcNAQcCoIIfYTCCH10CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG -# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCA2BvV2gO08RZWt -# pN0I6e0iVWPv8ZC04lVPJ7V9JuPFIaCCGf4wggQVMIIC/aADAgECAgsEAAAAAAEx +# KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCA3cnVy6KR4/IEe +# 6z3Jo+zIbnUSGU2tsVmJ0h68cSYb1qCCGf4wggQVMIIC/aADAgECAgsEAAAAAAEx # icZQBDANBgkqhkiG9w0BAQsFADBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3Qg # Q0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2ln # bjAeFw0xMTA4MDIxMDAwMDBaFw0yOTAzMjkxMDAwMDBaMFsxCzAJBgNVBAYTAkJF @@ -18685,26 +18666,26 @@ Main ($CommandLine) # R3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9T # ZWN0aWdvIExpbWl0ZWQxJDAiBgNVBAMTG1NlY3RpZ28gUlNBIENvZGUgU2lnbmlu # ZyBDQQIRALjpohQ9sxfPAIfj9za0FgUwDQYJYIZIAWUDBAIBBQCgTDAZBgkqhkiG -# 9w0BCQMxDAYKKwYBBAGCNwIBBDAvBgkqhkiG9w0BCQQxIgQgMeviloQIIq8aMwM7 -# Biy0qdlG4Siplpe8cIbvdj/h2AowDQYJKoZIhvcNAQEBBQAEggEAvD+f4/6Oe5lp -# UzvWXyqsJAAIQLc8tEZMfPZGB7Yp0L9Il2clzIAuIJMpRecST6J2mK4HWj7Ka8xF -# SLZwyv6x6+UUKh62Y5oj5a+Lk0UoNMYj4Wt5ZxcBXeASShNgLhourxDuqMSPpJqN -# X2lCJrp+E849mS232h+vu9Loiutq4I8NHCmzpdjktrgl2VBvto0paSaM6XeDHhL+ -# GvHNyadRzzYwlzASmsxe2sMC969UP22fYdVYnNgWi+If7YqjFE8jda77Sz0PL+X7 -# EDYOvuevetlupDF0eIjK2LmbP61kLIMKcMbkN5nlRKzRRwoPgbWuPBoEsDVP/A7F -# ziWSrPATf6GCArkwggK1BgkqhkiG9w0BCQYxggKmMIICogIBATBrMFsxCzAJBgNV +# 9w0BCQMxDAYKKwYBBAGCNwIBBDAvBgkqhkiG9w0BCQQxIgQgtleCrKb5GaUUdmXM +# Zz2ggUNNHB5+zKjLrPtM+EzAGBwwDQYJKoZIhvcNAQEBBQAEggEAqKl3cADW2IZn +# +G4+y2FHUy+HflRqsNnaZpl6rI1UVSOjC2GUnSnvIOpKRq7ng8/5X6xhuiBw32Ye +# Kedv1RujNqVJC/TUI/75mWZA4jJmdWneWUuCI9g0/BMV/XVepAp8VJa8GgYwp//f +# lDY7YU3+XW86i9xmNC+4E3K+sPieeQdC6EnM/KSevS0hIrHnc7aDSZS6Sa+OfDik +# kep/+FplyasUFv97RhUaHYj4dsIXPsj2D0tIW8d1KZ5ybc5cSnPeEqcDmKOJq502 +# aZ0bonuS366ufacl1HkzarmyfJJF8Jlrf47b/qHP/uMhwxzdloTAR/bF3yWPNK8S +# BjlRsTu6I6GCArkwggK1BgkqhkiG9w0BCQYxggKmMIICogIBATBrMFsxCzAJBgNV # BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTEwLwYDVQQDEyhHbG9i # YWxTaWduIFRpbWVzdGFtcGluZyBDQSAtIFNIQTI1NiAtIEcyAgwkVLh/HhRTrTf6 # oXgwDQYJYIZIAWUDBAIBBQCgggEMMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEw -# HAYJKoZIhvcNAQkFMQ8XDTIxMDEwNjEyMzQyNFowLwYJKoZIhvcNAQkEMSIEIGFd -# IeNfeySP0eKVXUEuJl3mJ2s2zb2G0OpH3Y4O5eq+MIGgBgsqhkiG9w0BCRACDDGB +# HAYJKoZIhvcNAQkFMQ8XDTIxMDEwOTIxNTUzNFowLwYJKoZIhvcNAQkEMSIEILwz +# MNeFQFxEKgv3S1TAkWGDqXNTtAfAAWZnnQ6335WXMIGgBgsqhkiG9w0BCRACDDGB # kDCBjTCBijCBhwQUPsdm1dTUcuIbHyFDUhwxt5DZS2gwbzBfpF0wWzELMAkGA1UE # BhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExMTAvBgNVBAMTKEdsb2Jh # bFNpZ24gVGltZXN0YW1waW5nIENBIC0gU0hBMjU2IC0gRzICDCRUuH8eFFOtN/qh -# eDANBgkqhkiG9w0BAQEFAASCAQCfRIETWgNncGpDX+B4nXzdR3iwKXdDcjIDxfzU -# slHob4TxgXrYU0MxNCA18vUobOoj5VSDB091SYz1Jq/VNVg15xfgHm9z9dO4wgBI -# blHtYSAW6BoRfu9dQTs5qB+GNNxg7C+y56uHpKX9CzYkksnu0yjdJzFX8F83xmjB -# elfk2XG1820zcnc6EsG2mECSh7sMluopWHPoPVd89DF5N+FCJu0O81r4P7URY3dy -# J6fm0wcG9vwpO/pp3PPpI2ZCz1TeXcLqRfrV+JfxkrgFE6xKj3DGrBgkXtXfQmbd -# Fe79oN+iv4k2HRjKYuomwQdLv7kEGwZuZ3jGMvMZiK0xuYFF +# eDANBgkqhkiG9w0BAQEFAASCAQB2Yc6WL4Z4fCs1agR0dHskIT2+VNv1OEKOxW7p +# U4RA/3fIcoFDseZJeIAl5Nfi8PLQaTnKBBDNOsKLkpuJYgygh5qXQLOaj35/KrNV +# mP71kXEuxiqMMcfMGwMLEbtm9g902UihPgtNVYuTAJIW6C8U+R0qhr0oTSKJHVWW +# jDTqCj72qYxHkRRtn6hy6/0z18ts+hbToUBWz7+VlvhxnvdSaSAGaGqPkw0tswV9 +# BHC+3ijfHMCQR2nypIqlKOWOdo/FTTTt3wirQ8lhdOqwnva6mfFRcEvnPecnvmaG +# UVoleThWjv6u6DMH99GBWzY/LpFwXkALycIsKbNnC40GbY+i # SIG # End signature block