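public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            // ref - @_RastaMouse https://rastamouse.me/2018/09/enumerating-applocker-config/
            //
            // Reports the AppLocker configuration stored under HKLM\Software\Policies\Microsoft\Windows\SrpV2:
            // one DTO per rule collection (subkey) with its EnforcementMode and the rule XML held in each
            // rule's "Value", or a single "not configured" DTO when the SrpV2 key is absent or empty.
            // The state of the Application Identity service (AppIDSvc) is attached to every DTO, since
            // AppLocker policy is only evaluated while that service runs.
            const string srpV2Path = "Software\\Policies\\Microsoft\\Windows\\SrpV2";

            string appIdSvcState = "Service not found";

            // Both the searcher and its result collection are IDisposable; the original never released them.
            using var wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT Name, State FROM win32_service WHERE Name = 'AppIDSvc'");
            using var data    = wmiData.Get();

            foreach (var o in data)
            {
                var result = (ManagementObject)o;
                // Keep the "Service not found" default if the State property comes back null.
                appIdSvcState = result["State"]?.ToString() ?? appIdSvcState;
            }

            var keys = RegistryUtil.GetSubkeyNames(RegistryHive.LocalMachine, srpV2Path);

            if (keys == null || keys.Length == 0)
            {
                yield return(new AppLockerDTO(
                                 configured: false,
                                 appIdSvcState,
                                 keyName: null,
                                 enforcementMode: null,
                                 rules: null
                                 ));
                yield break;
            }

            foreach (var key in keys)
            {
                var collectionPath  = $"{srpV2Path}\\{key}";
                var enforcementMode = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, collectionPath, "EnforcementMode");
                var enforcementModeStr = enforcementMode switch
                {
                    null => "not configured",
                    0 => "Audit Mode",
                    1 => "Enforce Mode",
                    _ => $"Unknown value {enforcementMode}"
                };

                // One list per collection. The original allocated a single list before the loop and handed
                // the same instance to every DTO, so each DTO accumulated the rules of all earlier
                // collections (and was mutated after it had been yielded).
                var rules = new List<string>();

                // A collection with no rule subkeys (or one that cannot be opened) simply yields no rules
                // instead of throwing on a null array.
                var ids = RegistryUtil.GetSubkeyNames(RegistryHive.LocalMachine, collectionPath) ?? new string[0];

                foreach (var id in ids)
                {
                    var rule = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, $"{collectionPath}\\{id}", "Value");
                    // A rule key without a "Value" carries no rule XML; nothing to report.
                    if (rule != null)
                    {
                        rules.Add(rule);
                    }
                }

                yield return(new AppLockerDTO(
                                 configured: true,
                                 appIdSvcState,
                                 key,
                                 enforcementModeStr,
                                 rules
                                 ));
            }
        }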
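        public WindowsDefenderSettings(string defenderKeyPath, Runtime runtime)
        {
            // Collects the Defender exclusions (paths, processes, extensions and the Policy Manager
            // "ExcludedPaths" list) and the Attack Surface Reduction (ASR) configuration from the
            // given Defender registry key. All registry reads go through `runtime` so the same code
            // path serves local and remote enumeration. Exclusion entries are registry value names,
            // which is why kvp.Key is collected rather than kvp.Value.
            //
            // NOTE(review): the null guards below assume Runtime.GetValues may return null for a
            // missing key — confirm; they are harmless if it returns an empty collection instead.
            PathExclusions = new List<string>();
            var pathExclusionData = runtime.GetValues(RegistryHive.LocalMachine, $"{defenderKeyPath}\\Exclusions\\Paths");
            if (pathExclusionData != null)
            {
                foreach (var kvp in pathExclusionData)
                {
                    PathExclusions.Add(kvp.Key);
                }
            }

            // ExcludedPaths is a single '|'-separated string; an empty segment is not an exclusion.
            PolicyManagerPathExclusions = new List<string>();
            var excludedPaths = runtime.GetStringValue(RegistryHive.LocalMachine, $"{defenderKeyPath}\\Policy Manager", "ExcludedPaths");
            if (excludedPaths != null)
            {
                PolicyManagerPathExclusions.AddRange(excludedPaths.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries));
            }

            ProcessExclusions = new List<string>();
            var processExclusionData = runtime.GetValues(RegistryHive.LocalMachine, $"{defenderKeyPath}\\Exclusions\\Processes");
            if (processExclusionData != null)
            {
                foreach (var kvp in processExclusionData)
                {
                    ProcessExclusions.Add(kvp.Key);
                }
            }

            ExtensionExclusions = new List<string>();
            var extensionExclusionData = runtime.GetValues(RegistryHive.LocalMachine, $"{defenderKeyPath}\\Exclusions\\Extensions");
            if (extensionExclusionData != null)
            {
                foreach (var kvp in extensionExclusionData)
                {
                    ExtensionExclusions.Add(kvp.Key);
                }
            }

            // ASR: the original read this part through RegistryUtil directly, unlike the exclusions
            // above; it now uses the same Runtime abstraction as the rest of the constructor.
            var asrKeyPath = $"{defenderKeyPath}\\Windows Defender Exploit Guard\\ASR";
            var asrEnabled = runtime.GetDwordValue(RegistryHive.LocalMachine, asrKeyPath, "ExploitGuard_ASR_Rules");

            AsrSettings = new AsrSettings(asrEnabled != null && asrEnabled != 0);

            // Each value under Rules is "<rule GUID>" = <state>. Malformed entries are skipped rather
            // than aborting the whole Defender enumeration with a FormatException / InvalidCastException
            // (the original used new Guid(...) and int.Parse((string)...) unconditionally).
            var asrRules = runtime.GetValues(RegistryHive.LocalMachine, $"{asrKeyPath}\\Rules");
            if (asrRules != null)
            {
                foreach (var value in asrRules)
                {
                    if (!Guid.TryParse(value.Key, out var ruleId))
                    {
                        continue;
                    }

                    // The state may arrive as a string or as a boxed integer depending on the reader;
                    // ToString() covers both.
                    if (!int.TryParse(value.Value?.ToString(), out var state))
                    {
                        continue;
                    }

                    AsrSettings.Rules.Add(new AsrRule(ruleId, state));
                }
            }

            var asrExclusions = runtime.GetValues(RegistryHive.LocalMachine, $"{asrKeyPath}\\ASROnlyExclusions");
            if (asrExclusions != null)
            {
                foreach (var value in asrExclusions)
                {
                    AsrSettings.Exclusions.Add(value.Key);
                }
            }
        }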
        public uint? GetDwordValue(RegistryHive hive, string path, string value)
        {
            // Reads a REG_DWORD value under hive\path. When a ComputerName is configured the
            // `wmiRegProv` handle is passed along so the lookup targets that host (presumably the
            // WMI registry provider); otherwise the plain local overload is used.
            var remote = !string.IsNullOrEmpty(ComputerName);

            return remote
                ? RegistryUtil.GetDwordValue(hive, path, value, wmiRegProv)
                : RegistryUtil.GetDwordValue(hive, path, value);
        }
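        public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            // Reports RDP hardening policy from the CredentialsDelegation and Terminal Services
            // policy keys. Every value is a nullable DWORD: null means the policy is not configured
            // and the DTO consumer applies the Windows default for that setting.
            const string credDelegKey = @"Software\Policies\Microsoft\Windows\CredentialsDelegation";
            const string termServKey  = @"SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services";

            // Client settings
            var restrictedAdmin = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, credDelegKey,
                                                             "RestrictedRemoteAdministration");
            var restrictedAdminType = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, credDelegKey,
                                                                 "RestrictedRemoteAdministrationType");
            // Bug fix: the subkey path used to start with "HKLM\" on top of the LocalMachine hive
            // argument. A hive prefix is not a valid subkey, so that lookup could never resolve and
            // AuthenticationLevel was always reported as not configured.
            var serverAuthLevel = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "AuthenticationLevel");
            var disablePwSaving = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "DisablePasswordSaving");

            // Server settings
            var nla            = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "UserAuthentication");
            var blockClipboard = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisableClip");
            var blockComPort   = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisableCcm");
            var blockDrives    = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisableCdm");
            var blockLptPort   = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisableLPT");
            var blockSmartCard = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fEnableSmartCard");
            var blockPnp       = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisablePNPRedir");
            var blockPrinters  = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, termServKey, "fDisableCpm");

            // RestrictedRemoteAdministration counts as enabled only when explicitly non-zero.
            // NOTE(review): DisablePasswordSaving is reported as "disabled" when the value is absent
            // (null) or 1; confirm that treating "not configured" as disabled matches the DTO's intent.
            yield return(new RDPSettingsDTO(
                             new RDPClientSettings(
                                 restrictedAdmin != null && restrictedAdmin != 0,
                                 restrictedAdminType,
                                 serverAuthLevel,
                                 disablePwSaving == null || disablePwSaving == 1),
                             new RDPServerSettings(
                                 nla,
                                 blockClipboard,
                                 blockComPort,
                                 blockDrives,
                                 blockLptPort,
                                 blockSmartCard,
                                 blockPnp,
                                 blockPrinters
                                 )
                             ));
        }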
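        public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            // Enumerates Internet Settings from HKCU and HKLM: the general (proxy-related) values,
            // the ZoneMapKey site-to-zone policy mappings and the per-zone automatic logon policy
            // (value 1A00). Section headers and the zone summary are printed with WriteHost; the
            // per-value entries are yielded as DTOs.
            const string internetSettingsPath = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
            const string zoneMapPath          = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey";
            const string zonesPath            = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\";

            // Security zone numbers as they appear in ZoneMapKey values and the Zones\{0..4} subkeys:
            // 1 = Intranet zone – sites on your local network.
            // 2 = Trusted Sites zone – sites that have been added to your trusted sites.
            // 3 = Internet zone – sites that are on the Internet.
            // 4 = Restricted Sites zone – sites that have been specifically added to your restricted sites.
            var zoneMapKeys = new Dictionary<string, string>()
            {
                { "0", "My Computer" },
                { "1", "Local Intranet Zone" },
                { "2", "Trusted sites Zone" },
                { "3", "Internet Zone" },
                { "4", "Restricted Sites Zone" }
            };

            /**
             * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{0..4}\1A00
             * Logon setting (1A00) may have any one of the following values (hexadecimal):
             * Value    Setting
             *  ---------------------------------------------------------------
             * 0x00000000 Automatically logon with current username and password
             * 0x00010000 Prompt for user name and password
             * 0x00020000 Automatic logon only in the Intranet zone
             * 0x00030000 Anonymous logon
             **/
            // NOTE(review): the reference above names the non-policy key while the code reads the
            // Software\Policies\... counterpart — confirm which of the two is intended.
            var zoneAuthSettings = new Dictionary<uint, string>()
            {
                { 0x00000000, "Automatically logon with current username and password" },
                { 0x00010000, "Prompt for user name and password" },
                { 0x00020000, "Automatic logon only in the Intranet zone" },
                { 0x00030000, "Anonymous logon" }
            };

            // Resolves a zone number to its name. The original used Single() over the dictionary,
            // which threw InvalidOperationException — aborting the whole command — for any value
            // outside 0..4; unknown values are now reported instead.
            string ZoneName(string? zone)
            {
                return zone != null && zoneMapKeys.TryGetValue(zone, out var name)
                    ? name
                    : $"Unknown zone ({zone ?? "null"})";
            }

            // Yields one DTO per value under `path` in `hive`; an absent or empty key yields nothing.
            // When valueIsZone is set the raw value is a zone number and is reported by name.
            IEnumerable<CommandDTOBase?> Entries(RegistryHive hive, string hiveLabel, string path, bool valueIsZone)
            {
                var values = RegistryUtil.GetValues(hive, path);
                if (values == null || values.Count == 0)
                {
                    yield break;
                }

                foreach (var kvp in values)
                {
                    // A null registry value used to NRE on .ToString(); report it as an empty string.
                    var raw = kvp.Value?.ToString() ?? "";
                    yield return new InternetSettingsDTO()
                    {
                        Hive = hiveLabel,
                        Key = kvp.Key,
                        Value = valueIsZone ? ZoneName(raw) : raw
                    };
                }
            }

            WriteHost(" Hive                               Key : Value\n");

            foreach (var dto in Entries(RegistryHive.CurrentUser, "HKCU", internetSettingsPath, valueIsZone: false))
            {
                yield return dto;
            }

            WriteHost();

            foreach (var dto in Entries(RegistryHive.LocalMachine, "HKLM", internetSettingsPath, valueIsZone: false))
            {
                yield return dto;
            }

            WriteHost("");

            WriteHost(" Hive                               Key : Value\n");

            foreach (var dto in Entries(RegistryHive.LocalMachine, "HKLM", zoneMapPath, valueIsZone: true))
            {
                yield return dto;
            }

            WriteHost("");

            foreach (var dto in Entries(RegistryHive.CurrentUser, "HKCU", zoneMapPath, valueIsZone: true))
            {
                yield return dto;
            }

            WriteHost("");

            // List Zones settings with automatic logons
            WriteHost("Zone settings");

            for (var i = 0; i <= 4; i++)
            {
                var zoneSettings = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, zonesPath + i.ToString(), "1A00");
                if (zoneSettings == null)
                {
                    continue;
                }

                // An unexpected 1A00 value is printed in hex instead of throwing from Single().
                var authDescription = zoneAuthSettings.TryGetValue(zoneSettings.Value, out var description)
                    ? description
                    : $"Unknown value 0x{zoneSettings.Value:X8}";

                WriteHost(ZoneName(i.ToString()) + "\tSettings: " + authDescription);
            }
        }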
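        public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            // Collects Internet Settings into a single InternetSettingsDTO: the general (proxy-related)
            // values from HKCU and HKLM, the ZoneMapKey site-to-zone policy mappings from both hives,
            // and the per-zone automatic logon policy (value 1A00) from HKLM.
            var result = new InternetSettingsDTO();

            const string internetSettingsPath = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings";
            const string zoneMapPath          = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey";
            const string zonesPath            = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\";

            // Security zone numbers as they appear in ZoneMapKey values and the Zones\{0..4} subkeys:
            // 1 = Intranet zone – sites on your local network.
            // 2 = Trusted Sites zone – sites that have been added to your trusted sites.
            // 3 = Internet zone – sites that are on the Internet.
            // 4 = Restricted Sites zone – sites that have been specifically added to your restricted sites.
            var zoneMapKeys = new Dictionary<string, string>()
            {
                { "0", "My Computer" },
                { "1", "Local Intranet Zone" },
                { "2", "Trusted Sites Zone" },
                { "3", "Internet Zone" },
                { "4", "Restricted Sites Zone" }
            };

            /**
             * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{0..4}\1A00
             * Logon setting (1A00) may have any one of the following values (hexadecimal):
             * Value    Setting
             *  ---------------------------------------------------------------
             * 0x00000000 Automatically logon with current username and password
             * 0x00010000 Prompt for user name and password
             * 0x00020000 Automatic logon only in the Intranet zone
             * 0x00030000 Anonymous logon
             **/
            // NOTE(review): the reference above names the non-policy key while the code reads the
            // Software\Policies\... counterpart — confirm which of the two is intended.
            var zoneAuthSettings = new Dictionary<uint, string>()
            {
                { 0x00000000, "Automatically logon with current username and password" },
                { 0x00010000, "Prompt for user name and password" },
                { 0x00020000, "Automatic logon only in the Intranet zone" },
                { 0x00030000, "Anonymous logon" }
            };

            // Resolves a zone number to its name. The original used Single() over the dictionary,
            // which threw InvalidOperationException — aborting the whole command — for any value
            // outside 0..4; unknown values are now reported instead.
            string ZoneName(string? zone)
            {
                return zone != null && zoneMapKeys.TryGetValue(zone, out var name)
                    ? name
                    : $"Unknown zone ({zone ?? "null"})";
            }

            // Adds every value under `path` in `hive` to the given collection. When valueIsZone is
            // set the raw value is a zone number and its name is stored as the description.
            // Absent keys (null) add nothing; a null registry value is stored as an empty string
            // instead of throwing from .ToString().
            void Collect(List<InternetSettingsKey> target, RegistryHive hive, string hiveLabel, string path, bool valueIsZone)
            {
                var values = RegistryUtil.GetValues(hive, path);
                if (values == null)
                {
                    return;
                }

                foreach (var kvp in values)
                {
                    var raw = kvp.Value?.ToString() ?? "";
                    target.Add(new InternetSettingsKey(
                                   hiveLabel,
                                   path,
                                   kvp.Key,
                                   raw,
                                   valueIsZone ? ZoneName(raw) : null));
                }
            }

            // lists user/system internet settings, including default proxy info
            Collect(result.GeneralSettings, RegistryHive.CurrentUser, "HKCU", internetSettingsPath, valueIsZone: false);
            Collect(result.GeneralSettings, RegistryHive.LocalMachine, "HKLM", internetSettingsPath, valueIsZone: false);

            // site-to-zone mappings (HKLM first, then HKCU, as before)
            Collect(result.ZoneMaps, RegistryHive.LocalMachine, "HKLM", zoneMapPath, valueIsZone: true);
            Collect(result.ZoneMaps, RegistryHive.CurrentUser, "HKCU", zoneMapPath, valueIsZone: true);

            // List Zones settings with automatic logons
            for (var i = 0; i <= 4; i++)
            {
                var keyPath     = zonesPath + i;
                var authSetting = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, keyPath, "1A00");
                if (authSetting == null)
                {
                    continue;
                }

                // An unexpected 1A00 value is described in hex instead of throwing from Single().
                var zone           = ZoneName(i.ToString());
                var authSettingStr = zoneAuthSettings.TryGetValue(authSetting.Value, out var description)
                    ? description
                    : $"Unknown value 0x{authSetting.Value:X8}";

                result.ZoneAuthSettings.Add(new InternetSettingsKey(
                                                "HKLM",
                                                keyPath,
                                                "1A00",
                                                authSetting.Value.ToString(),
                                                $"{zone} : {authSettingStr}"
                                                ));
            }

            yield return(result);
        }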