Example #1
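        /// <summary>
        /// Enumerates the domain-account SIDs present as subkeys of HKEY_USERS on each
        /// target computer and resolves each SID to a user name where possible.
        /// </summary>
        /// <remarks>
        /// Each host is queried through <c>RegistryKey.OpenRemoteBaseKey</c>, which needs the
        /// Remote Registry service to be reachable on the target. Defenders can therefore see
        /// this enumeration as remote registry access to the Users hive on the queried host.
        /// </remarks>
        /// <param name="args">
        /// Target computers and optional alternate credential; a default-constructed
        /// <c>Args_Get_RegLoggedOn</c> is used when null.
        /// </param>
        /// <returns>One <c>RegLoggedOnUser</c> per matching SID found on each computer.</returns>
        public static IEnumerable <RegLoggedOnUser> Get_RegLoggedOn(Args_Get_RegLoggedOn args = null)
        {
            if (args == null)
            {
                args = new Args_Get_RegLoggedOn();
            }

            var logonToken = IntPtr.Zero;

            if (args.Credential != null)
            {
                logonToken = InvokeUserImpersonation.Invoke_UserImpersonation(new Args_Invoke_UserImpersonation {
                    Credential = args.Credential
                });
            }

            var results = new List <RegLoggedOnUser>();

            try
            {
                foreach (var Computer in args.ComputerName)
                {
                    try
                    {
                        // Open the remote HKU hive; the key wraps a handle, so dispose it per host.
                        using (var hive = Microsoft.Win32.RegistryKey.OpenRemoteBaseKey(Microsoft.Win32.RegistryHive.Users, $@"{Computer}"))
                        {
                            // Keep only S-1-5-21-* account SIDs; the trailing '$' drops
                            // suffixed entries such as "<sid>_Classes".
                            var sids = hive.GetSubKeyNames()?.Where(x => x.IsRegexMatch(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$"))
                                       ?? Enumerable.Empty <string>();

                            foreach (var sid in sids)
                            {
                                var resolved = ConvertFromSID.ConvertFrom_SID(new Args_ConvertFrom_SID {
                                    ObjectSID = new[] { sid }
                                }).FirstOrDefault();

                                string userName;
                                string userDomain;

                                if (resolved != null)
                                {
                                    // Split once. The previous code overwrote the name with the
                                    // first part and then split that again, so reading index 1
                                    // always threw and aborted the rest of the host's SIDs.
                                    var parts = resolved.Split('@');
                                    userName   = parts[0];
                                    userDomain = parts.Length > 1 ? parts[1] : null;
                                }
                                else
                                {
                                    // Unresolvable SID: report the raw SID as the name.
                                    userName   = sid;
                                    userDomain = null;
                                }

                                results.Add(new RegLoggedOnUser
                                {
                                    ComputerName = $@"{Computer}",
                                    UserDomain   = userDomain,
                                    UserName     = userName,
                                    UserSID      = sid
                                });
                            }
                        }
                    }
                    catch (Exception e)
                    {
                        // Best effort per host: log and continue with the next computer.
                        Logger.Write_Verbose($@"[Get-RegLoggedOn] Error opening remote registry on '{Computer}' : {e}");
                    }
                }
            }
            finally
            {
                // Always drop the impersonated identity, even if enumeration throws
                // (for example when ComputerName is null), so the thread does not keep
                // running under the alternate credential.
                if (logonToken != IntPtr.Zero)
                {
                    InvokeRevertToSelf.Invoke_RevertToSelf(logonToken);
                }
            }

            return(results);
        }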
Example #2
 /// <summary>
 /// Alias for <c>GetRegLoggedOn.Get_RegLoggedOn</c>: forwards <paramref name="args"/>
 /// unchanged and returns that call's result.
 /// </summary>
 /// <param name="args">Arguments passed straight through; may be null.</param>
 /// <returns>Whatever <c>Get_RegLoggedOn</c> returns for the same arguments.</returns>
 public static IEnumerable <RegLoggedOnUser> Get_LoggedOnLocal(Args_Get_RegLoggedOn args = null)
     => GetRegLoggedOn.Get_RegLoggedOn(args);