public static List <Autorunpoints> StartAudit() { List <Autorunpoints> xlselements = new List <Autorunpoints>(); try { string sysdrv = Environment.GetEnvironmentVariable("SystemDrive"); List <string> ls = RegistryUtil.GetUserProfiles(); if (ls != null && ls.Count > 0) { for (int i = 0; i < ls.Count; i++) { try { RegistryKey officeKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe"); if (officeKey != null) { string path = officeKey.GetValue(null).ToString(); string majorVersion = GetProductMajorVersion(path); if (!majorVersion.EndsWith(".0")) { majorVersion += ".0"; } string tempRegis = ls[i] + "\\Software\\Microsoft\\Office\\" + majorVersion + "\\Excel\\Security\\Trusted Locations\\"; RegistryKey trustedLocKey = Registry.Users.OpenSubKey(tempRegis); if (trustedLocKey == null) { continue; } DateTime regMod = RegistryModified.lastWriteTime(trustedLocKey); string[] trustedLocations = trustedLocKey.GetSubKeyNames(); foreach (var item in trustedLocations) { string slocation = tempRegis + item; AddFiles(xlselements, slocation, regMod); } } } catch (Exception) { } } } } catch (Exception) { } return(xlselements); }
public static void GetCLSIDDetails(List <Autorunpoints> lstAutoRuns, string[] regdl, string owner, string type, string regModified) { if (regdl != null) { for (int i = 0; i < regdl.Length; i++) { Autorunpoints runPoint = new Autorunpoints(); runPoint.RegistryPath = "LocalMachine\\Software\\Classes\\CLSID\\" + regdl[i]; runPoint.RegistryValueName = "Default"; runPoint.RegistryValueString = RegistryUtil.GetStringSubValue("LocalMachine", "Software\\Classes\\CLSID\\" + regdl[i], "", false); runPoint.FilePath = RegistryUtil.GetStringSubValue("LocalMachine", "Software\\Classes\\CLSID\\" + regdl[i] + "\\InprocServer32", "", false); runPoint.IsRegistry = true; runPoint.RegistryOwner = owner; runPoint.RegistryModified = regModified; runPoint.Type = type; lstAutoRuns.Add(runPoint); } } }
public static List <Autorunpoints> StartAudit() { var lstAutoRuns = new List <Autorunpoints>(); try { // DELAYLOAD string regModified; string[] regdl = RegistryUtil.GetSubValueNames("Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", false); string owner = RegistryUtil.GetMachineRegKeyOwner("Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", false, out regModified); GetCLSIDDetails(lstAutoRuns, regdl, owner, "ShellServiceObjectDelayLoad", regModified); // DELAYLOAD 64 regdl = RegistryUtil.GetSubValueNames("Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", true); owner = RegistryUtil.GetMachineRegKeyOwner("Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", true, out regModified); GetCLSIDDetails(lstAutoRuns, regdl, owner, "ShellServiceObjectDelayLoad", regModified); } catch (Exception) { } return(lstAutoRuns); }
public static List <Autorunpoints> StartAudit() { var lstAutoRuns = new List <Autorunpoints>(); try { ///// BHO string regModified; string[] regbhos = RegistryUtil.GetSubKeys("LocalMachine", "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", false); string owner = RegistryUtil.GetMachineRegKeyOwner("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", false, out regModified); DelayedLoad.GetCLSIDDetails(lstAutoRuns, regbhos, owner, "Browser Helper Objects", regModified); ///// BHO 64 regbhos = RegistryUtil.GetSubKeys("LocalMachine", "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", true); owner = RegistryUtil.GetMachineRegKeyOwner("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", true, out regModified); DelayedLoad.GetCLSIDDetails(lstAutoRuns, regbhos, owner, "Browser Helper Objects", regModified); } catch (Exception) { return(lstAutoRuns); } return(lstAutoRuns); }
private static void ReadHiveValue(string hive, string key, string valname, char[] delim, bool is64, bool type, string runtype, List <Autorunpoints> lstAutoRuns) { try { RegistryKey basekey = null; RegistryKey runkey = null; if (hive == "LocalMachine") { basekey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, is64 == true ? RegistryView.Registry64 : RegistryView.Registry32); runkey = basekey.OpenSubKey(key); } else { RegistryKey runhive = Registry.Users.OpenSubKey(hive); if (runhive != null) { runkey = runhive.OpenSubKey(key); } } string owner = RegistryUtil.GetRegKeyOwner(runkey); if (runkey != null) { try { string keyValue = Convert.ToString(runkey.GetValue(valname)); if (!string.IsNullOrEmpty(keyValue)) { string[] vals = keyValue.Split(delim); foreach (var valstring in vals) { Autorunpoints runPoint = new Autorunpoints(); runPoint.Type = "AppInit_Dlls"; if (hive == "LocalMachine") { runPoint.RegistryPath = "LocalMachine\\" + key; } else { runPoint.RegistryPath = hive + "\\" + key; } runPoint.RegistryValueName = valname; runPoint.RegistryValueString = valstring; runPoint.FilePath = valstring; runPoint.RegistryOwner = owner; lstAutoRuns.Add(runPoint); } } } catch (Exception) { } } if (basekey != null) { basekey.Close(); } if (runkey != null) { runkey.Close(); } } catch (Exception) { } }
public static List <InstalledApp> StartAudit() { var reginstalllist = new List <InstalledApp>(); try { string[] subkeys_wow = RegistryUtil.GetSubKeys("LocalMachine", "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", false); if (subkeys_wow != null) { foreach (var sk in subkeys_wow) { InstalledApp rg = new InstalledApp(); string subk2_wow = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + sk.ToString(); rg.DisplayName = RegistryUtil.GetStringSubValue("LocalMachine", subk2_wow, "DisplayName", false); if (string.IsNullOrEmpty(rg.DisplayName)) { continue; } rg.Version = RegistryUtil.GetStringSubValue("LocalMachine", subk2_wow, "DisplayVersion", false); rg.InstallDate = RegistryUtil.GetStringSubValue("LocalMachine", subk2_wow, "InstallDate", false); rg.InstallDate = GetValidDate(rg.InstallDate); rg.Key = "LocalMachine\\" + subk2_wow; rg.Is64 = false; reginstalllist.Add(rg); } } ////Proceed only for 64 bit if (PlatformCheck.IsWow64()) { string[] subkeys_64 = RegistryUtil.GetSubKeys("LocalMachine", "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall", true); if (subkeys_64 != null) { foreach (var sk in subkeys_64) { InstalledApp rg = new InstalledApp(); string subk2_64 = "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + sk.ToString(); rg.DisplayName = RegistryUtil.GetStringSubValue("LocalMachine", subk2_64, "DisplayName", true); if (string.IsNullOrEmpty(rg.DisplayName)) { continue; } rg.Version = RegistryUtil.GetStringSubValue("LocalMachine", subk2_64, "DisplayVersion", true); rg.InstallDate = RegistryUtil.GetStringSubValue("LocalMachine", subk2_64, "InstallDate", true); rg.InstallDate = GetValidDate(rg.InstallDate); rg.Key = "LocalMachine\\" + subk2_64; rg.Is64 = true; reginstalllist.Add(rg); } } } List <string> regprof = RegistryUtil.GetRegProfiles(); foreach (var prf in regprof) { string[] users = RegistryUtil.GetSubKeys(prf, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", true); if (users != null) { foreach (var sk in users) { InstalledApp rg = new InstalledApp(); string innnerKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + sk.ToString(); rg.DisplayName = RegistryUtil.GetStringSubValue(prf, innnerKey, "DisplayName", true); if (string.IsNullOrEmpty(rg.DisplayName)) { continue; } rg.Version = RegistryUtil.GetStringSubValue(prf, innnerKey, "DisplayVersion", true); rg.InstallDate = RegistryUtil.GetStringSubValue(prf, innnerKey, "InstallDate", true); rg.InstallDate = GetValidDate(rg.InstallDate); rg.Key = prf + "\\" + innnerKey; reginstalllist.Add(rg); } } } } catch (Exception) { } return(reginstalllist); }
private static void AuditHive(string hive, string run, bool is64, string runtype, List <Autorunpoints> regrunlist) { try { RegistryKey basekey = null; RegistryKey runkey = null; if (hive == "LocalMachine") { basekey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, is64 == true ? RegistryView.Registry64 : RegistryView.Registry32); runkey = basekey.OpenSubKey(run); } else { RegistryKey runhive = Registry.Users.OpenSubKey(hive); if (runhive != null) { runkey = runhive.OpenSubKey(run); } } string owner = string.Empty; if (runkey != null) { DateTime regModified = RegistryModified.lastWriteTime(runkey); owner = RegistryUtil.GetRegKeyOwner(runkey); foreach (var value in runkey.GetValueNames()) { Autorunpoints autoruns = new Autorunpoints(); try { string keyValue = Convert.ToString(runkey.GetValue(value)); if (hive == "LocalMachine") { autoruns.RegistryPath = "LocalMachine\\" + run; } else { autoruns.RegistryPath = hive + "\\" + run; } autoruns.RegistryValueString = keyValue; autoruns.RegistryValueName = value; if (!string.IsNullOrEmpty(autoruns.RegistryValueString)) { string[] pathAndArgument = autoruns.RegistryValueString.Split(new string[] { " -", " /", " \"" }, 2, StringSplitOptions.RemoveEmptyEntries); if (pathAndArgument.Length > 0) { autoruns.RegistryValueString = pathAndArgument[0].Replace("\"", string.Empty); autoruns.FilePath = autoruns.RegistryValueString; } } autoruns.IsRegistry = true; autoruns.RegistryOwner = owner; autoruns.RegistryModified = regModified.ToString(DBManager.DateTimeFormat); autoruns.Type = runtype; regrunlist.Add(autoruns); } catch (Exception) { } } if (basekey != null) { basekey.Close(); } runkey.Close(); } } catch (Exception) { } }
public static List <User> StartAudit() { int EntriesRead; int TotalEntries; int Resume; IntPtr bufPtr; List <User> lstUser = new List <User>(); UserProfileAuditor.NetUserEnum(null, 2, 0, out bufPtr, -1, out EntriesRead, out TotalEntries, out Resume); int err = Marshal.GetLastWin32Error(); List <string> lstProfiles = RegistryUtil.GetUserProfiles(); if (EntriesRead > 0) { UserProfileAuditor.USER_INFO_2[] Users = new UserProfileAuditor.USER_INFO_2[EntriesRead]; IntPtr iter = bufPtr; for (int i = 0; i < EntriesRead; i++) { Users[i] = (UserProfileAuditor.USER_INFO_2)Marshal.PtrToStructure(iter, typeof(UserProfileAuditor.USER_INFO_2)); iter = (IntPtr)((int)iter + Marshal.SizeOf(typeof(UserProfileAuditor.USER_INFO_2))); User user = new User(); user.UserName = Users[i].usri2_name; string localGroup = string.Empty; foreach (var item in GetLocalGroups(user.UserName)) { localGroup += item + ";"; } user.Groups = localGroup.TrimEnd(new char[] { ';' }); user.FullName = Users[i].usri2_full_name; user.PasswordAge = Users[i].usri2_password_age.ToString(); user.Description = Users[i].usri2_comment; user.LastLogin = GetTimeFormElaspedSeconds((uint)Users[i].usri2_last_logon); user.IsDisabled = CheckFlagIsEnabled(Users[i].usri2_flags, UF_ACCOUNTDISABLE); user.IsLocked = CheckFlagIsEnabled(Users[i].usri2_flags, UF_LOCKOUT); user.PasswordRequired = !CheckFlagIsEnabled(Users[i].usri2_flags, UF_PASSWD_NOTREQD); GetSidDetails(user); if (lstProfiles.Contains(user.SID)) { lstProfiles.Remove(user.SID); } lstUser.Add(user); } } string serverName = GetDCName(); foreach (string item in lstProfiles) { string userName = string.Empty; try { userName = new SecurityIdentifier(item).Translate(typeof(NTAccount)).ToString(); User user = new User(); user.UserName = userName; string localGroup = string.Empty; foreach (var group in GetLocalGroups(user.UserName)) { localGroup += group + ";"; } user.Groups = localGroup.TrimEnd(new char[] { ';' }); string[] usersNme = user.UserName.Split(new char[] { '\\' }, StringSplitOptions.RemoveEmptyEntries); GetSidDetails(user); try { if (!string.IsNullOrEmpty(serverName)) { USER_INFO_2 userInfo2 = GetDomainUserInfo(serverName, user.UserName); user.FullName = userInfo2.usri2_full_name; user.FullName = userInfo2.usri2_full_name; user.PasswordAge = userInfo2.usri2_password_age.ToString(); user.Description = userInfo2.usri2_comment; user.LastLogin = GetTimeFormElaspedSeconds((uint)userInfo2.usri2_last_logon); user.IsDisabled = CheckFlagIsEnabled(userInfo2.usri2_flags, UF_ACCOUNTDISABLE); user.IsLocked = CheckFlagIsEnabled(userInfo2.usri2_flags, UF_LOCKOUT); user.PasswordRequired = !CheckFlagIsEnabled(userInfo2.usri2_flags, UF_PASSWD_NOTREQD); } } catch (Exception) { } lstUser.Add(user); } catch (Exception) { } } UserProfileAuditor.NetApiBufferFree(bufPtr); return(lstUser); }