improve search of user install software

Modules/Ruleset.ProgramInfo/Public/Get-UserSoftware.ps1

@@ -231,10 +231,26 @@ function Get-UserSoftware
 			{
 				Write-Warning -Message "[$($MyInvocation.InvocationName)] Failed to read registry entry $HKUSubKey\InstallLocation"
 
-				# NOTE: each key accessed after 'reg load' has to be closed to release handle, if not 'reg unload' fails with "Access is denied"
-				# TODO: Other functions in ProgramInfo module should implement closing keys to release handles.
-				$SubKey.Close()
-				continue
+				# In some instances if key name is GUID, InstallLocation might exist in HKEY_CURRENT_USER\Software\GUID
+				$KeyGUID = Split-Path $SubKey.Name -Leaf
+				$Match = [regex]::Match($KeyGUID, "[({]?(^([0-9A-Fa-f]{8}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{12})$)[})]?")
+				if ($Match.Success)
+				{
+					$SoftwareKey = $RemoteKey.OpenSubkey("$UserSID\Software\$KeyGUID", $RegistryPermission, $RegistryRights)
+					if ($SoftwareKey)
+					{
+						$InstallLocation = $SoftwareKey.GetValue("InstallLocation")
+						$SoftwareKey.Close()
+					}
+				}
+
+				if ([string]::IsNullOrEmpty($InstallLocation))
+				{
+					# NOTE: each key accessed after 'reg load' has to be closed to release handle, if not 'reg unload' fails with "Access is denied"
+					# TODO: Other functions in ProgramInfo module should implement closing keys to release handles.
+					$SubKey.Close()
+					continue
+				}
 			}
 
 			Write-Debug -Message "[$($MyInvocation.InvocationName)] Processing key '$HKUSubKey'"

Modules/Ruleset.ProgramInfo/Public/Search-Installation.ps1

@@ -709,12 +709,12 @@ function Search-Installation
 		}
 		"Motrix"
 		{
-			# NOTE: ask user for standalone installation directory of SteamCMD
+			Update-Table -Search "Motrix" -UserProfile
 			break
 		}
 		"ytdlp"
 		{
-			# NOTE: ask user for standalone installation directory of SteamCMD
+			# NOTE: ask user for standalone installation directory of yt-dlp
 			break
 		}
 		"calibre"

Modules/Ruleset.ProgramInfo/Public/Test-ExecutableFile.ps1

@@ -243,9 +243,12 @@ function Test-ExecutableFile
 				# NOTE: StatusMessage seems to be unrelated to problem
 				# Write-Information -Tags $MyInvocation.InvocationName -MessageData "INFO: $($Signature.StatusMessage)"
 
-				if (!$SkipVirusTotalCheck -and (Test-VirusTotal -LiteralPath $LiteralPath -SigcheckLocation $SigcheckLocation -TimeOut $TimeOut @SessionParams))
+				if (!$SkipVirusTotalCheck)
 				{
-					return $false
+					if (Test-VirusTotal -LiteralPath $LiteralPath -SigcheckLocation $SigcheckLocation -TimeOut $TimeOut @SessionParams)
+					{
+						return $false
+					}
 				}
 			}
 			else

Modules/Ruleset.ProgramInfo/Public/Test-VirusTotal.ps1

@@ -382,7 +382,8 @@ function Test-VirusTotal
 									if ([int32] $TotalDetections.Value -gt 0)
 									{
 										$FileIsMalware = $true
-										Write-Warning -Message "[$InvocationName] '$Executable' is infected with malware"
+										# TODO: Write-ColorMessage does not work here, should be red text
+										Write-Warning -Message "[$InvocationName] '$Executable' was reported as malware"
 									}
 								}
 								# May happen if ie there is no firewall rule for sigcheck.exe, we ignore

docs/CHANGELOG.md

@@ -43,6 +43,8 @@ To see unreleased changes please do so on `develop` branch [HERE][changelog]\
   - Added rules for Audacity
   - Updated rules for Epic Games
   - Added rules for logitech software
+  - Updated rules for store apps and pokerstars
+  - Added rules for Motrix, yt-dlp and calibre
 
 - Modules
 
@@ -53,6 +55,7 @@ To see unreleased changes please do so on `develop` branch [HERE][changelog]\
     - `Get-GroupPrincipal` added `-Unique` switch to get unique principals
     - `Get-SystemSoftware` improved program search
     - `Set-NetworkProfile` added missing default parameter set name
+    - `Get-UserSoftware` improved search algorithm
 
   - Implemented remoting for the following functions and scripts
 

docs/Regex.md

@@ -52,6 +52,7 @@ Reserved regex characters that must be escaped: `[ ] ( ) . \ ^ $ | ? * + { }`
     - [IPv4 validation](#ipv4-validation)
     - [Match comment block in script](#match-comment-block-in-script)
     - [SHA1 thumbprint validation](#sha1-thumbprint-validation)
+    - [GUID validation](#guid-validation)
 
 ## Filterline
 
@@ -502,10 +503,19 @@ Match in string:
 \b[0-9a-f]{40}\b
 ```
 
+### GUID validation
+
+For regex below all credits to [Regex for Guid][GUID regex]
+
+```regex
+[({]?(^([0-9A-Fa-f]{8}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{12})$)[})]?
+```
+
 [Table of Contents](#table-of-contents)
 
 [multicursor]: https://code.visualstudio.com/docs/getstarted/tips-and-tricks#_multi-cursor-selection "Visit VSCode docs"
 [msemail]: https://docs.microsoft.com/en-us/dotnet/standard/base-types/how-to-verify-that-strings-are-in-valid-email-format?redirectedfrom=MSDN "Visit Microsoft docs"
 [stackemail]: https://stackoverflow.com/questions/5342375/regex-email-validation "Visit stackoverflow"
 [ipv4 regex]: https://stackoverflow.com/questions/5284147/validating-ipv4-addresses-with-regexp "Visit stackoverflow"
 [ipv6 regex]: https://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses "Visit stackoverflow"
+[GUID regex]: https://stackoverflow.com/a/35648213/12091999 "Visit stackoverflow"