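/// <summary>
/// Reads the LastLoggedOnUser string value under
/// HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI on every host in
/// <paramref name="args"/>.ComputerName, using the remote StdRegProv WMI class.
/// </summary>
/// <param name="args">Target hosts and the credential used for the WMI connection; a default instance is used when null.</param>
/// <returns>
/// One <see cref="LastLoggedOnUser"/> per host whose registry could be read (LastLoggedOn is null when the value is absent).
/// Hosts whose registry cannot be reached are logged as a warning and skipped.
/// </returns>
public static IEnumerable<LastLoggedOnUser> Get_WMIRegLastLoggedOn(Args_Get_WMIRegLastLoggedOn args = null)
{
    if (args == null)
    {
        args = new Args_Get_WMIRegLastLoggedOn();
    }

    // HKEY_LOCAL_MACHINE as StdRegProv's hDefKey value (uint literal)
    var HKLM = 2147483650;
    var Key = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI";
    var Value = "LastLoggedOnUser";

    var LastLoggedOnUsers = new List<LastLoggedOnUser>();
    foreach (var Computer in args.ComputerName)
    {
        // try to open up the remote registry key to grab the last logged on user
        try
        {
            var Reg = WmiWrapper.GetClass($@"\\{Computer}\ROOT\DEFAULT", "StdRegProv", args.Credential);
            var outParams = WmiWrapper.CallMethod(Reg, "GetStringValue", new Dictionary<string, object>
            {
                { "hDefKey", HKLM },
                { "sSubKeyName", Key },
                { "sValueName", Value }
            }) as System.Management.ManagementBaseObject;

            // sValue is null when the value does not exist; an entry is still recorded for the host
            var LastUser = outParams["sValue"] as string;
            LastLoggedOnUsers.Add(new LastLoggedOnUser
            {
                ComputerName = Computer,
                LastLoggedOn = LastUser
            });
        }
        catch (Exception)
        {
            // the host name is interpolated here; a per-host failure does not stop the remaining hosts
            Logger.Write_Warning($@"[Get-WMIRegLastLoggedOn] Error opening remote registry on {Computer}. Remote registry likely not enabled.");
        }
    }
    return LastLoggedOnUsers;
}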
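/// <summary>
/// Enumerates Win32_Process instances on every host in <paramref name="args"/>.ComputerName over WMI
/// and resolves each process owner through the GetOwner method.
/// </summary>
/// <param name="args">Target hosts and the credential used for the WMI connection; a default instance is used when null.</param>
/// <returns>
/// One <see cref="UserProcess"/> per process found. A host whose enumeration fails is logged at verbose level and skipped.
/// </returns>
public static IEnumerable<UserProcess> Get_WMIProcess(Args_Get_WMIProcess args = null)
{
    if (args == null)
    {
        args = new Args_Get_WMIProcess();
    }

    var UserProcesses = new List<UserProcess>();
    foreach (var Computer in args.ComputerName)
    {
        try
        {
            var cls = WmiWrapper.GetClass($@"\\{Computer}\ROOT\CIMV2", "Win32_process", args.Credential);
            foreach (var proc in WmiWrapper.GetInstances(cls))
            {
                var owner = WmiWrapper.CallMethod(proc, "GetOwner");

                // ?.ToString() so a process with a null Caption or ProcessId yields a null field
                // instead of throwing and aborting the rest of this host's listing
                UserProcesses.Add(new UserProcess
                {
                    ComputerName = Computer,
                    ProcessName = proc.Properties["Caption"].Value?.ToString(),
                    ProcessID = proc.Properties["ProcessId"].Value?.ToString(),
                    Domain = $@"{owner["Domain"]}",
                    User = $@"{owner["User"]}",
                });
            }
        }
        catch (Exception e)
        {
            Logger.Write_Verbose($@"[Get-WMIProcess] Error enumerating remote processes on '{Computer}', access likely denied: {e}");
        }
    }
    return UserProcesses;
}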
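/// <summary>
/// Walks the HKU hive on every host in <paramref name="args"/>.ComputerName through the remote StdRegProv
/// WMI class, and for each domain-user SID (S-1-5-21-…) reads the drive letters under
/// {SID}\Network together with their ProviderName, RemotePath and UserName values.
/// </summary>
/// <param name="args">Target hosts and the credential used for the WMI and SID-resolution calls; a default instance is used when null.</param>
/// <returns>
/// One <see cref="RegMountedDrive"/> per drive letter whose RemotePath value is non-empty.
/// Failures for a single SID are logged at verbose level; failures for a whole host are logged as a warning. Both are skipped.
/// </returns>
public static IEnumerable<RegMountedDrive> Get_WMIRegMountedDrive(Args_Get_WMIRegMountedDrive args = null)
{
    if (args == null)
    {
        args = new Args_Get_WMIRegMountedDrive();
    }

    // HKEY_USERS as StdRegProv's hDefKey value (uint literal)
    var HKU = 2147483651;
    var MountedDrives = new List<RegMountedDrive>();

    foreach (var Computer in args.ComputerName)
    {
        try
        {
            var Reg = WmiWrapper.GetClass($@"\\{Computer}\ROOT\DEFAULT", "StdRegProv", args.Credential);

            // subkey names under HKU\subKey, or null when the call returned no sNames
            Func<string, IEnumerable<string>> enumKey = subKey =>
            {
                var result = WmiWrapper.CallMethod(Reg, "EnumKey", new Dictionary<string, object>
                {
                    { "hDefKey", HKU },
                    { "sSubKeyName", subKey }
                }) as System.Management.ManagementBaseObject;
                return result["sNames"] as IEnumerable<string>;
            };

            // string value valueName under HKU\subKey, or null when absent
            Func<string, string, string> getStringValue = (subKey, valueName) =>
            {
                var result = WmiWrapper.CallMethod(Reg, "GetStringValue", new Dictionary<string, object>
                {
                    { "hDefKey", HKU },
                    { "sSubKeyName", subKey },
                    { "sValueName", valueName }
                }) as System.Management.ManagementBaseObject;
                return result["sValue"] as string;
            };

            var names = enumKey("");
            if (names == null)
            {
                continue;
            }

            // extract out the SIDs of domain users in this hive
            var UserSIDs = names.Where(x => x.IsRegexMatch(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$"));
            foreach (var UserSID in UserSIDs)
            {
                try
                {
                    // resolved account name, or "" when the SID could not be translated
                    var UserName = ConvertFromSID.ConvertFrom_SID(new Args_ConvertFrom_SID
                    {
                        ObjectSID = new[] { UserSID },
                        Credential = args.Credential
                    }).FirstOrDefault() ?? "";

                    var DriveLetters = enumKey($@"{UserSID}\Network");
                    if (DriveLetters == null)
                    {
                        continue;
                    }

                    foreach (var DriveLetter in DriveLetters)
                    {
                        var DriveKey = $@"{UserSID}\Network\{DriveLetter}";
                        var ProviderName = getStringValue(DriveKey, "ProviderName");
                        var RemotePath = getStringValue(DriveKey, "RemotePath");
                        var DriveUserName = getStringValue(DriveKey, "UserName");

                        // only drive letters with a non-empty RemotePath are reported
                        if (string.IsNullOrEmpty(RemotePath))
                        {
                            continue;
                        }

                        MountedDrives.Add(new RegMountedDrive
                        {
                            ComputerName = Computer,
                            UserName = UserName,
                            UserSID = UserSID,
                            DriveLetter = DriveLetter,
                            ProviderName = ProviderName,
                            RemotePath = RemotePath,
                            DriveUserName = DriveUserName
                        });
                    }
                }
                catch (Exception e)
                {
                    Logger.Write_Verbose($@"[Get-WMIRegMountedDrive] Error: {e}");
                }
            }
        }
        catch (Exception e)
        {
            Logger.Write_Warning($@"[Get-WMIRegMountedDrive] Error accessing {Computer}, likely insufficient permissions or firewall rules on host: {e}");
        }
    }
    return MountedDrives;
}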
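/// <summary>
/// Walks the HKU hive on every host in <paramref name="args"/>.ComputerName through the remote StdRegProv
/// WMI class and, for each domain-user SID (S-1-5-21-…), collects the Terminal Server Client MRU entries
/// under …\Default and the per-server UsernameHint values under …\Servers.
/// </summary>
/// <param name="args">Target hosts and the credential used for the WMI and SID-resolution calls; a default instance is used when null.</param>
/// <returns>
/// One <see cref="CachedRDPConnection"/> per MRU value (UsernameHint null) and one per Servers subkey (TargetServer is the subkey name).
/// Failures for a single SID are logged at verbose level; failures for a whole host are logged as a warning. Both are skipped.
/// </returns>
public static IEnumerable<CachedRDPConnection> Get_WMIRegCachedRDPConnection(Args_Get_WMIRegCachedRDPConnection args = null)
{
    if (args == null)
    {
        args = new Args_Get_WMIRegCachedRDPConnection();
    }

    // HKEY_USERS as StdRegProv's hDefKey value (uint literal)
    var HKU = 2147483651;
    var FoundConnections = new List<CachedRDPConnection>();

    foreach (var Computer in args.ComputerName)
    {
        try
        {
            var Reg = WmiWrapper.GetClass($@"\\{Computer}\ROOT\DEFAULT", "StdRegProv", args.Credential);

            // sNames returned by the StdRegProv method (EnumKey or EnumValues) for HKU\subKey, or null when absent
            Func<string, string, IEnumerable<string>> enumNames = (method, subKey) =>
            {
                var result = WmiWrapper.CallMethod(Reg, method, new Dictionary<string, object>
                {
                    { "hDefKey", HKU },
                    { "sSubKeyName", subKey }
                }) as System.Management.ManagementBaseObject;
                return result["sNames"] as IEnumerable<string>;
            };

            // string value valueName under HKU\subKey, or null when absent
            Func<string, string, string> getStringValue = (subKey, valueName) =>
            {
                var result = WmiWrapper.CallMethod(Reg, "GetStringValue", new Dictionary<string, object>
                {
                    { "hDefKey", HKU },
                    { "sSubKeyName", subKey },
                    { "sValueName", valueName }
                }) as System.Management.ManagementBaseObject;
                return result["sValue"] as string;
            };

            var names = enumNames("EnumKey", "");
            if (names == null)
            {
                continue;
            }

            // extract out the SIDs of domain users in this hive
            var UserSIDs = names.Where(x => x.IsRegexMatch(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$"));
            foreach (var UserSID in UserSIDs)
            {
                try
                {
                    var UserName = ConvertFromSID.ConvertFrom_SID(new Args_ConvertFrom_SID
                    {
                        ObjectSID = new[] { UserSID },
                        Credential = args.Credential
                    }).FirstOrDefault();

                    // pull out all the cached RDP connections
                    var DefaultKey = $@"{UserSID}\Software\Microsoft\Terminal Server Client\Default";
                    var ConnectionKeys = enumNames("EnumValues", DefaultKey);
                    if (ConnectionKeys != null)
                    {
                        foreach (var Connection in ConnectionKeys)
                        {
                            // make sure this key is a cached connection
                            if (!Connection.IsRegexMatch(@"MRU.*"))
                            {
                                continue;
                            }

                            FoundConnections.Add(new CachedRDPConnection
                            {
                                ComputerName = Computer,
                                UserName = UserName,
                                UserSID = UserSID,
                                TargetServer = getStringValue(DefaultKey, Connection),
                                UsernameHint = null
                            });
                        }
                    }

                    // pull out all the cached server info with username hints
                    var ServersKey = $@"{UserSID}\Software\Microsoft\Terminal Server Client\Servers";
                    var ServerKeys = enumNames("EnumKey", ServersKey);
                    if (ServerKeys != null)
                    {
                        foreach (var Server in ServerKeys)
                        {
                            FoundConnections.Add(new CachedRDPConnection
                            {
                                ComputerName = Computer,
                                UserName = UserName,
                                UserSID = UserSID,
                                TargetServer = Server,
                                UsernameHint = getStringValue($@"{ServersKey}\{Server}", "UsernameHint")
                            });
                        }
                    }
                }
                catch (Exception e)
                {
                    Logger.Write_Verbose($@"[Get-WMIRegCachedRDPConnection] Error: {e}");
                }
            }
        }
        catch (Exception e)
        {
            Logger.Write_Warning($@"[Get-WMIRegCachedRDPConnection] Error accessing {Computer}, likely insufficient permissions or firewall rules on host: {e}");
        }
    }
    return FoundConnections;
}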
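/// <summary>
/// Reads the ProxyServer and AutoConfigURL values under the Internet Settings key (hDefKey HKCU) on every
/// host in <paramref name="args"/>.ComputerName through the remote StdRegProv WMI class, and downloads the
/// AutoConfigURL document when one is set.
/// </summary>
/// <param name="args">Target hosts and the credential used for the WMI connection; a default instance is used when null.</param>
/// <returns>
/// One <see cref="ProxySettings"/> per host where at least one of the two values exists; Wpad holds the downloaded
/// AutoConfigURL body or "" when there is none or the download failed. Hosts without settings, and hosts that
/// cannot be queried, are logged as a warning and skipped.
/// </returns>
public static IEnumerable<ProxySettings> Get_WMIRegProxy(Args_Get_WMIRegProxy args = null)
{
    if (args == null)
    {
        args = new Args_Get_WMIRegProxy();
    }

    // HKEY_CURRENT_USER as StdRegProv's hDefKey value (uint literal)
    var HKCU = 2147483649;
    var Key = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings";
    var ProxySettings = new List<ProxySettings>();

    foreach (var Computer in args.ComputerName)
    {
        try
        {
            var RegProvider = WmiWrapper.GetClass($@"\\{Computer}\ROOT\DEFAULT", "StdRegProv", args.Credential);

            // string value valueName under HKCU\Key, or null when absent
            Func<string, string> getStringValue = valueName =>
            {
                var result = WmiWrapper.CallMethod(RegProvider, "GetStringValue", new Dictionary<string, object>
                {
                    { "hDefKey", HKCU },
                    { "sSubKeyName", Key },
                    { "sValueName", valueName }
                }) as System.Management.ManagementBaseObject;
                return result["sValue"] as string;
            };

            var ProxyServer = getStringValue("ProxyServer");
            var AutoConfigURL = getStringValue("AutoConfigURL");

            // AutoConfigURL is data read from the remote host's registry; the download is best-effort
            // and its body is returned verbatim in Wpad, so callers should treat it as untrusted text.
            // WebClient is disposed after the single request.
            var Wpad = "";
            if (!string.IsNullOrEmpty(AutoConfigURL))
            {
                try
                {
                    using (var client = new System.Net.WebClient())
                    {
                        Wpad = client.DownloadString(AutoConfigURL);
                    }
                }
                catch (Exception)
                {
                    Logger.Write_Warning($@"[Get-WMIRegProxy] Error connecting to AutoConfigURL : {AutoConfigURL}");
                }
            }

            if (ProxyServer != null || AutoConfigURL != null)
            {
                ProxySettings.Add(new ProxySettings
                {
                    ComputerName = Computer,
                    ProxyServer = ProxyServer,
                    AutoConfigURL = AutoConfigURL,
                    Wpad = Wpad
                });
            }
            else
            {
                Logger.Write_Warning($@"[Get-WMIRegProxy] No proxy settings found for {Computer}");
            }
        }
        catch (Exception e)
        {
            Logger.Write_Warning($@"[Get-WMIRegProxy] Error enumerating proxy settings for {Computer} : {e}");
        }
    }
    return ProxySettings;
}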