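        /// <summary>
        /// Enumerates cached RDP connection history from the HKEY_USERS hive of every host in
        /// <paramref name="args"/>.ComputerName, using the remote WMI <c>StdRegProv</c> provider.
        /// Two sources are read per user hive: the <c>MRU*</c> values under
        /// <c>Software\Microsoft\Terminal Server Client\Default</c> (recent target servers) and the
        /// subkeys of <c>...\Terminal Server Client\Servers</c> together with their
        /// <c>UsernameHint</c> value.
        /// </summary>
        /// <param name="args">
        /// Target hosts and optional credential for the WMI connection. A null argument is
        /// replaced by a default instance; a null ComputerName yields an empty result.
        /// </param>
        /// <returns>
        /// One <see cref="CachedRDPConnection"/> per MRU value (UsernameHint null) and one per
        /// Servers subkey (TargetServer = subkey name, UsernameHint from the registry, may be null).
        /// A host that cannot be reached is logged as a warning and skipped; a single user hive
        /// that fails is logged verbosely and skipped. The method does not throw per host.
        /// </returns>
        /// <remarks>
        /// Only hives whose name matches the S-1-5-21-* account SID pattern are inspected, so the
        /// hives of well-known built-in SIDs are ignored. The warning text reports access failures as
        /// likely permission/firewall problems; NOTE(review): the exact privilege needed to read HKU
        /// remotely over WMI is not established by this code, confirm against the deployment.
        /// The result (which user connected from which host to which server, with which
        /// username) is a lateral-movement map of the environment — treat it as sensitive output.
        /// </remarks>
        public static IEnumerable<CachedRDPConnection> Get_WMIRegCachedRDPConnection(Args_Get_WMIRegCachedRDPConnection args = null)
        {
            if (args == null)
            {
                args = new Args_Get_WMIRegCachedRDPConnection();
            }

            var FoundConnections = new List<CachedRDPConnection>();

            // No target list at all is "nothing to scan", not a crash: the original dereferenced
            // ComputerName outside any try block and would surface a NullReferenceException.
            if (args.ComputerName == null)
            {
                return FoundConnections;
            }

            // StdRegProv root-key handle for HKEY_USERS (0x80000003); loop-invariant.
            var HKU = 2147483651;

            foreach (var Computer in args.ComputerName)
            {
                try
                {
                    var Reg = WmiWrapper.GetClass($@"\\{Computer}\ROOT\DEFAULT", "StdRegProv", args.Credential);

                    // The top-level keys of HKU are the SIDs of the user hives loaded on the host.
                    var outParams = WmiWrapper.CallMethod(Reg, "EnumKey", new Dictionary<string, object> {
                        { "hDefKey", HKU }, { "sSubKeyName", "" }
                    }) as System.Management.ManagementBaseObject;

                    // `?[]`: a null or unexpected return from the provider must not become a
                    // NullReferenceException that the outer catch then reports as a permission problem.
                    var names = outParams?["sNames"] as IEnumerable<string>;
                    if (names == null)
                    {
                        continue;
                    }

                    // Keep only account SIDs (S-1-5-21-<domain>-<rid>); the trailing anchor excludes
                    // the "<SID>_Classes" hives as well as any well-known built-in SID.
                    var UserSIDs = names.Where(x => x.IsRegexMatch($@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$"));

                    foreach (var UserSID in UserSIDs)
                    {
                        try
                        {
                            var UserName = ConvertFromSID.ConvertFrom_SID(new Args_ConvertFrom_SID {
                                ObjectSID = new[] { UserSID }, Credential = args.Credential
                            }).FirstOrDefault();

                            var DefaultKey = $@"{UserSID}\Software\Microsoft\Terminal Server Client\Default";
                            var ServersKey = $@"{UserSID}\Software\Microsoft\Terminal Server Client\Servers";

                            // The MRU* values under ...\Default are the cached connection targets.
                            outParams = WmiWrapper.CallMethod(Reg, "EnumValues", new Dictionary<string, object> {
                                { "hDefKey", HKU }, { "sSubKeyName", DefaultKey }
                            }) as System.Management.ManagementBaseObject;
                            var ConnectionKeys = outParams?["sNames"] as IEnumerable<string>;

                            if (ConnectionKeys != null)
                            {
                                foreach (var Connection in ConnectionKeys)
                                {
                                    // Only MRU* value names are cached connections; skip everything else.
                                    if (!Connection.IsRegexMatch(@"MRU.*"))
                                    {
                                        continue;
                                    }

                                    outParams = WmiWrapper.CallMethod(Reg, "GetStringValue", new Dictionary<string, object> {
                                        { "hDefKey", HKU }, { "sSubKeyName", DefaultKey }, { "sValueName", Connection }
                                    }) as System.Management.ManagementBaseObject;
                                    var TargetServer = outParams?["sValue"] as string;

                                    FoundConnections.Add(new CachedRDPConnection
                                    {
                                        ComputerName = Computer,
                                        UserName     = UserName,
                                        UserSID      = UserSID,
                                        TargetServer = TargetServer,
                                        UsernameHint = null
                                    });
                                }
                            }

                            // Each subkey of ...\Servers is a server name; its UsernameHint value
                            // (if present) is the account last used to connect to it.
                            outParams = WmiWrapper.CallMethod(Reg, "EnumKey", new Dictionary<string, object> {
                                { "hDefKey", HKU }, { "sSubKeyName", ServersKey }
                            }) as System.Management.ManagementBaseObject;
                            var ServerKeys = outParams?["sNames"] as IEnumerable<string>;

                            if (ServerKeys != null)
                            {
                                foreach (var Server in ServerKeys)
                                {
                                    outParams = WmiWrapper.CallMethod(Reg, "GetStringValue", new Dictionary<string, object> {
                                        { "hDefKey", HKU }, { "sSubKeyName", $@"{ServersKey}\{Server}" }, { "sValueName", "UsernameHint" }
                                    }) as System.Management.ManagementBaseObject;
                                    var UsernameHint = outParams?["sValue"] as string;

                                    FoundConnections.Add(new CachedRDPConnection
                                    {
                                        ComputerName = Computer,
                                        UserName     = UserName,
                                        UserSID      = UserSID,
                                        TargetServer = Server,
                                        UsernameHint = UsernameHint
                                    });
                                }
                            }
                        }
                        catch (Exception e)
                        {
                            // A single unreadable hive should not abort the rest of the host.
                            Logger.Write_Verbose($@"[Get-WMIRegCachedRDPConnection] Error: {e}");
                        }
                    }
                }
                catch (Exception e)
                {
                    // Host-level failure (connection, provider, or first enumeration): warn and move on.
                    Logger.Write_Warning($@"[Get-WMIRegCachedRDPConnection] Error accessing {Computer}, likely insufficient permissions or firewall rules on host: {e}");
                }
            }
            return(FoundConnections);
        }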
 /// <summary>
 /// Short-name alias for <see cref="GetWMIRegCachedRDPConnection.Get_WMIRegCachedRDPConnection"/>.
 /// Forwards <paramref name="args"/> unchanged; a null argument is accepted and handled by the callee.
 /// </summary>
 /// <param name="args">Target hosts and optional credential; may be null.</param>
 /// <returns>The cached RDP connections found by the WMI registry enumeration.</returns>
 public static IEnumerable<CachedRDPConnection> Get_CachedRDPConnection(Args_Get_WMIRegCachedRDPConnection args = null)
     => GetWMIRegCachedRDPConnection.Get_WMIRegCachedRDPConnection(args);