#-----------------------------------------------------------
# pendingdelete.pl plug-in for RegRipper (http://regripper.net)
# MHL 2010
#-----------------------------------------------------------
package pendingdelete;
use strict;

# Plug-in metadata consulted through the accessor subs defined in this file.
# NOTE(review): osmask looks like a bitmask of supported Windows versions
# defined by the RegRipper framework; its bit meanings are not visible here.
my %config = (
    hive          => 'System',
    hasShortDescr => 1,
    hasDescr      => 0,
    hasRefs       => 0,
    osmask        => 22,
    version       => 20100809,
);

# Return the plug-in metadata as a flat key/value list.
sub getConfig {
    return %config;
}
# Return the one-line description of what this plug-in reports.
sub getShortDescr {
	my $summary = "Gets contents of PendingFileRenameOperations value";
	return $summary;
}
# Return the name of the hive this plug-in is written for ("System").
sub getHive {
    my $hive_name = $config{hive};
    return $hive_name;
}
# Return the plug-in version stamp stored in %config (20100809).
sub getVersion {
    my $version = $config{version};
    return $version;
}

# Cache the version for the launch log line in pluginmain. This must stay
# below the %config assignment, because getVersion() reads %config at run time.
my $VERSION = getVersion();

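# Report the PendingFileRenameOperations value of the Session Manager key.
#
# Arguments (positional): the plug-in class name, then the path of the hive
# file to parse. Output goes through ::rptMsg (report) and ::logMsg (log);
# the return value is not meaningful.
#
# The value holds source/destination pairs. An empty destination is reported
# as "{delete}", i.e. the source is queued for removal rather than rename, so
# the listing shows files that were scheduled to be replaced or removed.
sub pluginmain {
	my $class = shift;
	my $hive = shift;
	::logMsg("Launching pendingdelete v.".$VERSION);
	my $reg = Parse::Win32Registry->new($hive);
	my $root_key = $reg->get_root_key;

	# NOTE(review): only ControlSet001 is examined. If the hive's Select\Current
	# value points at a different control set, the pending operations of the
	# set that was actually in use are not reported -- confirm before relying
	# on an empty result.
	my $key_path = 'ControlSet001\Control\Session Manager';
	my $key;
	if ($key = $root_key->get_subkey($key_path)) {
		::rptMsg("PendingFileRenameOperations");
		::rptMsg($key_path);
		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
		::rptMsg("");

		# The value only exists while operations are queued; get_value returns
		# undef otherwise, so check before calling get_data on it.
		my $value = $key->get_value("PendingFileRenameOperations");
		if (defined $value) {
			# List context yields one element per string. The scalar form joins
			# the strings with spaces, so splitting it on spaces broke every
			# path containing a space and dropped a trailing empty destination.
			my @strings = $value->get_data();
			my $pair = 0;
			for (my $i = 0; $i < scalar(@strings); $i += 2) {
				my $src = $strings[$i];
				my $dst = $strings[$i + 1];
				# A missing final destination is treated like an empty one.
				# NOTE(review): presumably the parser can strip the trailing
				# empty string of a last delete entry -- verify.
				$dst = "{delete}" if !defined($dst) || $dst eq "";
				::rptMsg("[$pair] $src => $dst");
				$pair++;
			}
		}
		else {
			::rptMsg("PendingFileRenameOperations value not found.");
		}
	}
	else {
		::rptMsg($key_path." not found.");
		::logMsg($key_path." not found.");
	}
}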
1;