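public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
    // ref - @_RastaMouse https://rastamouse.me/2018/09/enumerating-applocker-config/
    //
    // Reports the state of the Application Identity service (AppIDSvc) and, for each
    // AppLocker rule collection stored as a subkey of
    // HKLM\Software\Policies\Microsoft\Windows\SrpV2, its EnforcementMode and the rule
    // strings held in the collection's child keys. When no SrpV2 subkeys exist a single
    // "not configured" DTO is yielded instead.
    string appIdSvcState = "Service not found";

    // The searcher and the returned collection both wrap COM resources; dispose them
    // deterministically rather than relying on finalisation.
    using (var wmiData = new ManagementObjectSearcher(@"root\cimv2",
               "SELECT Name, State FROM win32_service WHERE Name = 'AppIDSvc'"))
    using (var data = wmiData.Get())
    {
        foreach (var o in data)
        {
            using var result = (ManagementObject)o;
            appIdSvcState = result["State"]?.ToString() ?? "Unknown";
        }
    }

    const string srpV2Root = "Software\\Policies\\Microsoft\\Windows\\SrpV2";
    var keys = RegistryUtil.GetSubkeyNames(RegistryHive.LocalMachine, srpV2Root);

    if (keys == null || keys.Length == 0)
    {
        yield return new AppLockerDTO(
            configured: false,
            appIdSvcState,
            keyName: null,
            enforcementMode: null,
            rules: null
        );
        yield break;
    }

    foreach (var key in keys)
    {
        var collectionPath = $"{srpV2Root}\\{key}";

        var enforcementMode = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, collectionPath, "EnforcementMode");
        var enforcementModeStr = enforcementMode switch
        {
            null => "not configured",
            0 => "Audit Mode",
            1 => "Enforce Mode",
            _ => $"Unknown value {enforcementMode}"
        };

        // One list per collection. The original declared a single list outside the loop,
        // so every DTO after the first also carried the rules of the earlier collections.
        var rules = new List<string>();
        var ids = RegistryUtil.GetSubkeyNames(RegistryHive.LocalMachine, collectionPath);
        if (ids != null)
        {
            foreach (var id in ids)
            {
                var rule = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, $"{collectionPath}\\{id}", "Value");
                if (rule != null)
                {
                    rules.Add(rule);
                }
            }
        }

        yield return new AppLockerDTO(
            configured: true,
            appIdSvcState,
            key,
            enforcementModeStr,
            rules
        );
    }
}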
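public WindowsDefenderSettings(string defenderKeyPath, Runtime runtime)
{
    // Populates the Defender exclusion lists (paths, processes, extensions and the
    // Policy Manager "ExcludedPaths" list) and the Attack Surface Reduction (ASR)
    // settings from the registry key rooted at defenderKeyPath under HKLM.
    //
    // Every read goes through the supplied runtime. The original read the ASR keys via
    // RegistryUtil directly, so those values ignored any remote ComputerName the runtime
    // was configured with while the exclusion lists honoured it.
    PathExclusions = new List<string>();
    var pathExclusionData = runtime.GetValues(RegistryHive.LocalMachine, $"{defenderKeyPath}\\Exclusions\\Paths");
    if (pathExclusionData != null)
    {
        foreach (var kvp in pathExclusionData)
        {
            PathExclusions.Add(kvp.Key);
        }
    }

    // "ExcludedPaths" is a single '|'-separated string rather than one value per path.
    PolicyManagerPathExclusions = new List<string>();
    var excludedPaths = runtime.GetStringValue(RegistryHive.LocalMachine, $"{defenderKeyPath}\\Policy Manager", "ExcludedPaths");
    if (excludedPaths != null)
    {
        foreach (var s in excludedPaths.Split('|'))
        {
            PolicyManagerPathExclusions.Add(s);
        }
    }

    ProcessExclusions = new List<string>();
    var processExclusionData = runtime.GetValues(RegistryHive.LocalMachine, $"{defenderKeyPath}\\Exclusions\\Processes");
    if (processExclusionData != null)
    {
        foreach (var kvp in processExclusionData)
        {
            ProcessExclusions.Add(kvp.Key);
        }
    }

    ExtensionExclusions = new List<string>();
    var extensionExclusionData = runtime.GetValues(RegistryHive.LocalMachine, $"{defenderKeyPath}\\Exclusions\\Extensions");
    if (extensionExclusionData != null)
    {
        foreach (var kvp in extensionExclusionData)
        {
            ExtensionExclusions.Add(kvp.Key);
        }
    }

    var asrKeyPath = $"{defenderKeyPath}\\Windows Defender Exploit Guard\\ASR";
    var asrEnabled = runtime.GetDwordValue(RegistryHive.LocalMachine, asrKeyPath, "ExploitGuard_ASR_Rules");
    AsrSettings = new AsrSettings(asrEnabled != null && asrEnabled != 0);

    var asrRules = runtime.GetValues(RegistryHive.LocalMachine, $"{asrKeyPath}\\Rules");
    if (asrRules != null)
    {
        foreach (var value in asrRules)
        {
            // Value name is the rule GUID, value data the action id as a string. A malformed
            // entry is skipped instead of throwing; the original used new Guid()/int.Parse,
            // so a single bad value aborted the whole Defender collection.
            if (Guid.TryParse(value.Key, out var ruleId) && int.TryParse(value.Value as string, out var action))
            {
                AsrSettings.Rules.Add(new AsrRule(ruleId, action));
            }
        }
    }

    var asrExclusions = runtime.GetValues(RegistryHive.LocalMachine, $"{asrKeyPath}\\ASROnlyExclusions");
    if (asrExclusions != null)
    {
        foreach (var value in asrExclusions)
        {
            AsrSettings.Exclusions.Add(value.Key);
        }
    }
}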
public uint? GetDwordValue(RegistryHive hive, string path, string value)
{
    // Reads a REG_DWORD value. With a ComputerName configured the read is routed through
    // wmiRegProv (the remote registry provider handle); otherwise the local registry is read
    // directly. Returns null when the value is absent, as RegistryUtil does.
    var remote = !string.IsNullOrEmpty(ComputerName);
    return remote
        ? RegistryUtil.GetDwordValue(hive, path, value, wmiRegProv)
        : RegistryUtil.GetDwordValue(hive, path, value);
}
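public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
    // Collects the RDP client- and server-side policy DWORDs from HKLM and yields one
    // RDPSettingsDTO. Each value is null when the corresponding policy is not configured.
    var credDelegKey = @"Software\Policies\Microsoft\Windows\CredentialsDelegation";
    var termServKey = @"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services";

    // Client settings
    var restrictedAdmin = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, credDelegKey, "RestrictedRemoteAdministration");
    var restrictedAdminType = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, credDelegKey, "RestrictedRemoteAdministrationType");
    // The original passed a path beginning with "HKLM\" together with RegistryHive.LocalMachine,
    // which names a subkey that does not exist under HKLM, so AuthenticationLevel could never
    // be read. It lives under the same Terminal Services policy key as the other values.
    var serverAuthLevel = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "AuthenticationLevel");
    var disablePwSaving = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "DisablePasswordSaving");

    // Server settings
    var nla = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "UserAuthentication");
    var blockClipboard = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisableClip");
    var blockComPort = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisableCcm");
    var blockDrives = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisableCdm");
    var blockLptPort = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisableLPT");
    var blockSmartCard = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fEnableSmartCard");
    var blockPnp = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisablePNPRedir");
    var blockPrinters = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisableCpm");

    yield return new RDPSettingsDTO(
        new RDPClientSettings(
            restrictedAdmin != null && restrictedAdmin != 0,
            restrictedAdminType,
            serverAuthLevel,
            // NOTE(review): an unconfigured DisablePasswordSaving is reported as "disabled" here,
            // matching the original; confirm that this is the intended default interpretation.
            disablePwSaving == null || disablePwSaving == 1),
        new RDPServerSettings(
            nla,
            blockClipboard,
            blockComPort,
            blockDrives,
            blockLptPort,
            blockSmartCard,
            blockPnp,
            blockPrinters
        )
    );
}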
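public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
    // Lists Internet Settings values from HKCU and HKLM (including the default proxy
    // configuration), the ZoneMapKey policy (site -> security-zone assignment) from both
    // hives, and the per-zone 1A00 logon policy from HKLM. Registry values are yielded as
    // InternetSettingsDTO rows; section headers and the zone logon summary go to WriteHost.
    //
    // Zone ids used by ZoneMapKey and the Zones\{0..4} keys:
    //   1 = Intranet zone – sites on your local network.
    //   2 = Trusted Sites zone – sites that have been added to your trusted sites.
    //   3 = Internet zone – sites that are on the Internet.
    //   4 = Restricted Sites zone – sites that have been specifically added to your restricted sites.
    var zoneMapKeys = new Dictionary<string, string>
    {
        ["0"] = "My Computer",
        ["1"] = "Local Intranet Zone",
        ["2"] = "Trusted sites Zone",
        ["3"] = "Internet Zone",
        ["4"] = "Restricted Sites Zone"
    };

    // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{0..4}\1A00
    // Logon setting (1A00) may have any one of the following values (hexadecimal):
    //   0x00000000 Automatically logon with current username and password
    //   0x00010000 Prompt for user name and password
    //   0x00020000 Automatic logon only in the Intranet zone
    //   0x00030000 Anonymous logon
    var zoneAuthSettings = new Dictionary<uint, string>
    {
        [0x00000000] = "Automatically logon with current username and password",
        [0x00010000] = "Prompt for user name and password",
        [0x00020000] = "Automatic logon only in the Intranet zone",
        [0x00030000] = "Anonymous logon"
    };

    WriteHost(" Hive Key : Value\n");

    // lists user/system internet settings, including default proxy info
    const string internetSettingsPath = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
    var proxySettings = RegistryUtil.GetValues(RegistryHive.CurrentUser, internetSettingsPath);
    if (proxySettings != null && proxySettings.Count != 0)
    {
        foreach (var kvp in proxySettings)
        {
            yield return new InternetSettingsDTO() { Hive = "HKCU", Key = kvp.Key, Value = kvp.Value.ToString() };
        }
    }
    WriteHost();

    var proxySettings2 = RegistryUtil.GetValues(RegistryHive.LocalMachine, internetSettingsPath);
    if (proxySettings2 != null && proxySettings2.Count != 0)
    {
        foreach (var kvp in proxySettings2)
        {
            yield return new InternetSettingsDTO() { Hive = "HKLM", Key = kvp.Key, Value = kvp.Value.ToString() };
        }
    }
    WriteHost("");

    // List user/system internet settings for zonemapkey (local, trusted, etc.)
    WriteHost(" Hive Key : Value\n");
    const string zoneMapKeyPath = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey";
    var zoneMapKey = RegistryUtil.GetValues(RegistryHive.LocalMachine, zoneMapKeyPath);
    if (zoneMapKey != null && zoneMapKey.Count != 0)
    {
        foreach (var kvp in zoneMapKey)
        {
            yield return new InternetSettingsDTO() { Hive = "HKLM", Key = kvp.Key, Value = ZoneName(kvp.Value) };
        }
    }
    WriteHost("");

    var zoneMapKey2 = RegistryUtil.GetValues(RegistryHive.CurrentUser, zoneMapKeyPath);
    if (zoneMapKey2 != null && zoneMapKey2.Count != 0)
    {
        foreach (var kvp in zoneMapKey2)
        {
            yield return new InternetSettingsDTO() { Hive = "HKCU", Key = kvp.Key, Value = ZoneName(kvp.Value) };
        }
    }
    WriteHost("");

    // List Zones settings with automatic logons
    WriteHost("Zone settings");
    for (var i = 0; i <= 4; i++)
    {
        var zoneSettings = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine,
            @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\" + i.ToString(), "1A00");
        if (zoneSettings == null)
        {
            continue;
        }

        // An undocumented 1A00 value is reported rather than thrown on; the original's
        // Single() raised InvalidOperationException and aborted the command.
        var authSetting = zoneAuthSettings.TryGetValue(zoneSettings.Value, out var known)
            ? known
            : $"Unknown value 0x{zoneSettings.Value:X8}";
        WriteHost(ZoneName(i) + "\tSettings: " + authSetting);
    }

    // Maps a zone id (as stored in the registry) to its display name. Any id outside 0-4
    // is reported as unknown instead of throwing, unlike the original Single() lookup.
    string ZoneName(object? zoneId)
    {
        var id = zoneId?.ToString() ?? string.Empty;
        return zoneMapKeys.TryGetValue(id, out var name) ? name : $"Unknown zone {id}";
    }
}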
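public override IEnumerable<CommandDTOBase?> Execute(string[] args)
{
    // Builds one InternetSettingsDTO holding: general Internet Settings values from HKCU
    // and HKLM (including the default proxy configuration), ZoneMapKey policy entries
    // (site -> security zone) from both hives, and the per-zone 1A00 logon policy from
    // HKLM, each with a human-readable interpretation where one is known.
    //
    // Zone ids used by ZoneMapKey and the Zones\{0..4} keys:
    //   1 = Intranet zone – sites on your local network.
    //   2 = Trusted Sites zone – sites that have been added to your trusted sites.
    //   3 = Internet zone – sites that are on the Internet.
    //   4 = Restricted Sites zone – sites that have been specifically added to your restricted sites.
    var result = new InternetSettingsDTO();

    var zoneMapKeys = new Dictionary<string, string>
    {
        ["0"] = "My Computer",
        ["1"] = "Local Intranet Zone",
        ["2"] = "Trusted Sites Zone",
        ["3"] = "Internet Zone",
        ["4"] = "Restricted Sites Zone"
    };

    // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{0..4}\1A00
    // Logon setting (1A00) may have any one of the following values (hexadecimal):
    //   0x00000000 Automatically logon with current username and password
    //   0x00010000 Prompt for user name and password
    //   0x00020000 Automatic logon only in the Intranet zone
    //   0x00030000 Anonymous logon
    var zoneAuthSettings = new Dictionary<uint, string>
    {
        [0x00000000] = "Automatically logon with current username and password",
        [0x00010000] = "Prompt for user name and password",
        [0x00020000] = "Automatic logon only in the Intranet zone",
        [0x00030000] = "Anonymous logon"
    };

    // lists user/system internet settings, including default proxy info
    const string internetSettingsPath = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
    AddGeneralSettings("HKCU", RegistryHive.CurrentUser, internetSettingsPath);
    AddGeneralSettings("HKLM", RegistryHive.LocalMachine, internetSettingsPath);

    // List user/system internet settings for zonemapkey (local, trusted, etc.)
    const string zoneMapKeyPath = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey";
    AddZoneMaps("HKLM", RegistryHive.LocalMachine, zoneMapKeyPath);
    AddZoneMaps("HKCU", RegistryHive.CurrentUser, zoneMapKeyPath);

    // List Zones settings with automatic logons
    for (var i = 0; i <= 4; i++)
    {
        var zonePath = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\" + i;
        var authSetting = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, zonePath, "1A00");
        if (authSetting == null)
        {
            continue;
        }

        // An undocumented 1A00 value is reported rather than thrown on; the original's
        // Single() raised InvalidOperationException and aborted the command.
        var zone = ZoneName(i);
        var authSettingStr = zoneAuthSettings.TryGetValue(authSetting.Value, out var known)
            ? known
            : $"Unknown value 0x{authSetting.Value:X8}";
        result.ZoneAuthSettings.Add(new InternetSettingsKey(
            "HKLM", zonePath, "1A00", authSetting.ToString(), $"{zone} : {authSettingStr}"));
    }

    yield return result;

    // Adds every value under hive\path to result.GeneralSettings. A missing key (null
    // from RegistryUtil.GetValues) adds nothing; the original dereferenced it unconditionally.
    void AddGeneralSettings(string hiveName, RegistryHive hive, string path)
    {
        var values = RegistryUtil.GetValues(hive, path);
        if (values == null)
        {
            return;
        }
        foreach (var kvp in values)
        {
            result.GeneralSettings.Add(new InternetSettingsKey(hiveName, path, kvp.Key, kvp.Value.ToString(), null));
        }
    }

    // Adds every ZoneMapKey entry under hive\path to result.ZoneMaps with the zone's name
    // as the interpretation.
    void AddZoneMaps(string hiveName, RegistryHive hive, string path)
    {
        var values = RegistryUtil.GetValues(hive, path);
        if (values == null)
        {
            return;
        }
        foreach (var kvp in values)
        {
            result.ZoneMaps.Add(new InternetSettingsKey(hiveName, path, kvp.Key, kvp.Value.ToString(), ZoneName(kvp.Value)));
        }
    }

    // Maps a zone id (as stored in the registry) to its display name. Any id outside 0-4
    // is reported as unknown instead of throwing, unlike the original Single() lookup.
    string ZoneName(object? zoneId)
    {
        var id = zoneId?.ToString() ?? string.Empty;
        return zoneMapKeys.TryGetValue(id, out var name) ? name : $"Unknown zone {id}";
    }
}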