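/// <summary>
/// Reports the local AppLocker configuration: the state of the Application Identity service
/// (AppIDSvc, queried via WMI) and, for every rule collection key under
/// <c>HKLM\Software\Policies\Microsoft\Windows\SrpV2</c>, its enforcement mode and the rule XML
/// stored in each rule subkey's <c>Value</c>.
/// </summary>
/// <param name="args">Unused.</param>
/// <returns>
/// One <see cref="AppLockerDTO"/> per rule collection, or a single DTO with <c>configured: false</c>
/// when the SrpV2 key is absent or empty.
/// </returns>
public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            // ref - @_RastaMouse https://rastamouse.me/2018/09/enumerating-applocker-config/
            const string srpV2Path = "Software\\Policies\\Microsoft\\Windows\\SrpV2";

            var appIdSvcState = "Service not found";

            // Searcher, result collection and each result object are all IDisposable (COM-backed);
            // dispose them deterministically instead of leaving them to the finalizer.
            using (var wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT Name, State FROM win32_service WHERE Name = 'AppIDSvc'"))
            using (var data = wmiData.Get())
            {
                foreach (var o in data)
                {
                    using var result = (ManagementObject)o;
                    // A null State (unexpected, but possible for a property lookup) keeps the default text
                    // rather than throwing on ToString().
                    appIdSvcState = result["State"]?.ToString() ?? appIdSvcState;
                }
            }

            var keys = RegistryUtil.GetSubkeyNames(RegistryHive.LocalMachine, srpV2Path);

            if (keys == null || keys.Length == 0)
            {
                yield return new AppLockerDTO(
                    configured: false,
                    appIdSvcState,
                    keyName: null,
                    enforcementMode: null,
                    rules: null);
                yield break;
            }

            foreach (var key in keys)
            {
                var keyPath = $"{srpV2Path}\\{key}";

                var enforcementMode    = RegistryUtil.GetDwordValue(RegistryHive.LocalMachine, keyPath, "EnforcementMode");
                var enforcementModeStr = enforcementMode switch
                {
                    null => "not configured",
                    0 => "Audit Mode",
                    1 => "Enforce Mode",
                    _ => $"Unknown value {enforcementMode}"
                };

                // One list per collection. Previously a single list was shared by every yielded DTO and
                // kept growing, so later collections reported the rules of earlier ones as well.
                var rules = new List<string>();

                // GetSubkeyNames can return null (see its nullable signature); treat that as "no rules".
                var ids = RegistryUtil.GetSubkeyNames(RegistryHive.LocalMachine, keyPath) ?? new string[] { };
                foreach (var id in ids)
                {
                    var rule = RegistryUtil.GetStringValue(RegistryHive.LocalMachine, $"{keyPath}\\{id}", "Value");
                    rules.Add(rule);
                }

                yield return new AppLockerDTO(
                    configured: true,
                    appIdSvcState,
                    key,
                    enforcementModeStr,
                    rules);
            }
        }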
        /// <summary>
        /// Lists the subkey names under <paramref name="path"/> in <paramref name="hive"/>.
        /// When a <c>ComputerName</c> is set the lookup goes through the WMI registry provider
        /// (<c>wmiRegProv</c>); otherwise the local registry helper is used.
        /// </summary>
        /// <param name="hive">Root hive to open.</param>
        /// <param name="path">Key path relative to the hive.</param>
        /// <returns>The subkey names; <c>null</c> is passed through from the underlying helper.</returns>
        public string[]? GetSubkeyNames(RegistryHive hive, string path)
        {
            var isRemote = !string.IsNullOrEmpty(ComputerName);

            return isRemote
                ? RegistryUtil.GetSubkeyNames(hive, path, wmiRegProv)
                : RegistryUtil.GetSubkeyNames(hive, path);
        }
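        /// <summary>
        /// Enumerates recently opened Office files for every user hive loaded under HKEY_USERS,
        /// keeping only MRU entries accessed within the last <paramref name="lastDays"/> days.
        /// </summary>
        /// <param name="lastDays">Age cut-off in days; entries at or older than it are skipped.</param>
        /// <returns>
        /// Lazily yielded <see cref="OfficeRecentFilesDTO"/> records with <c>User</c> set to the
        /// resolved account name (or the raw SID when it cannot be translated).
        /// </returns>
        private IEnumerable <CommandDTOBase> EnumRecentOfficeFiles(int lastDays)
        {
            // Both values are loop-invariant: computing the cut-off once also means every entry is
            // compared against the same instant instead of a drifting DateTime.Now.
            var cutoff         = DateTime.Now.AddDays(-lastDays);
            var versionCulture = new CultureInfo("en-GB");

            foreach (var sid in Registry.Users.GetSubKeyNames())
            {
                // Only SID-named hives, and not the per-user *_Classes hives. SIDs are ASCII, so an
                // ordinal comparison is the correct (and culture-independent) one.
                if (!sid.StartsWith("S-1", StringComparison.Ordinal) || sid.EndsWith("_Classes", StringComparison.Ordinal))
                {
                    continue;
                }

                string userName;
                try
                {
                    userName = Advapi32.TranslateSid(sid);
                }
                catch
                {
                    // Best effort: an unresolvable SID is reported as-is rather than aborting the scan.
                    userName = sid;
                }

                // Version subkeys are numeric ("16.0", ...); anything else under \Office is not a version.
                var officeVersions =
                    RegistryUtil.GetSubkeyNames(RegistryHive.Users, $"{sid}\\Software\\Microsoft\\Office")
                    ?.Where(k => float.TryParse(k, NumberStyles.AllowDecimalPoint, versionCulture, out _));

                if (officeVersions is null)
                {
                    continue;
                }

                foreach (var version in officeVersions)
                {
                    foreach (OfficeRecentFilesDTO mru in GetMRUsFromVersionKey($"{sid}\\Software\\Microsoft\\Office\\{version}"))
                    {
                        if (mru.LastAccessDate <= cutoff)
                        {
                            continue;
                        }

                        mru.User = userName;
                        yield return mru;
                    }
                }
            }
        }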
        /// <summary>
        /// Collects "File MRU" entries for every application subkey under one Office version key
        /// (e.g. <c>...\Office\16.0</c>): the per-application list and the per-signed-in-account
        /// lists under <c>User MRU</c>.
        /// </summary>
        /// <param name="officeVersionSubkeyPath">HKEY_USERS-relative path of the Office version key.</param>
        /// <returns>The MRU DTOs; nothing when the version key has no application subkeys.</returns>
        private IEnumerable <CommandDTOBase> GetMRUsFromVersionKey(string officeVersionSubkeyPath)
        {
            var apps = RegistryUtil.GetSubkeyNames(RegistryHive.Users, officeVersionSubkeyPath);
            if (apps == null)
            {
                yield break;
            }

            foreach (var app in apps)
            {
                var appPath = $"{officeVersionSubkeyPath}\\{app}";

                // 1) HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\<OFFICE APP>\File MRU
                foreach (var mru in GetMRUsValues($"{appPath}\\File MRU"))
                {
                    yield return mru;
                }

                // 2) HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\User MRU\ADAL_B7C22499E768F03875FA6C268E771D1493149B23934326A96F6CDFEEEE7F68DA72\File MRU
                // or HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\User MRU\LiveId_CC4B824314B318B42E93BE93C46A61575D25608BBACDEEEA1D2919BCC2CF51FF\File MRU
                var accountKeys = RegistryUtil.GetSubkeyNames(RegistryHive.Users, $"{appPath}\\User MRU");
                if (accountKeys == null)
                {
                    continue;
                }

                foreach (var accountKey in accountKeys)
                {
                    foreach (var mru in GetMRUsValues($"{appPath}\\User MRU\\{accountKey}\\File MRU"))
                    {
                        // NOTE(review): Application is stamped only on this branch, not on the
                        // per-application File MRU entries above — confirm GetMRUsValues sets it there.
                        var dto = (OfficeRecentFilesDTO)mru;
                        dto.Application = app;
                        yield return dto;
                    }
                }
            }
        }
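        /// <summary>
        /// Enumerates the Group Policy Objects cached on this host: machine GPOs from the HKLM
        /// <c>Group Policy\DataStore\Machine\0</c> key and user GPOs from each loaded user hive's
        /// <c>Group Policy\History</c> key, the latter de-duplicated by GPO name.
        /// </summary>
        /// <param name="args">Unused.</param>
        /// <returns>One <see cref="LocalGPODTO"/> per machine GPO, then one per distinct user GPO name.</returns>
        public override IEnumerable <CommandDTOBase?> Execute(string[] args)
        {
            // reference - https://specopssoft.com/blog/things-work-group-policy-caching/

            // local machine GPOs
            var basePath   = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0";
            var machineIDs = RegistryUtil.GetSubkeyNames(RegistryHive.LocalMachine, basePath) ?? new string[] { };

            foreach (var id in machineIDs)
            {
                var settings = RegistryUtil.GetValues(RegistryHive.LocalMachine, $"{basePath}\\{id}");
                if (settings is null)
                {
                    // Key unreadable or removed between the subkey listing and the read; skip it
                    // instead of faulting the whole enumeration on a null indexer.
                    continue;
                }

                yield return ToDto(settings, "machine");
            }

            // local user GPOs, keyed by GPOName so the same GPO seen under several users or
            // extensions is reported once (first occurrence wins)
            var userGpOs = new Dictionary<string, Dictionary<string, object>>();

            foreach (var sid in Registry.Users.GetSubKeyNames())
            {
                // SIDs are ASCII identifiers: ordinal comparison, not the culture-sensitive default.
                if (!sid.StartsWith("S-1-5", StringComparison.Ordinal) || sid.EndsWith("_Classes", StringComparison.Ordinal))
                {
                    continue;
                }

                var historyPath = $"{sid}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History";
                var extensions  = RegistryUtil.GetSubkeyNames(RegistryHive.Users, historyPath);
                if (extensions == null || extensions.Length == 0)
                {
                    continue;
                }

                foreach (var extension in extensions)
                {
                    var path    = $"{historyPath}\\{extension}";
                    var userIDs = RegistryUtil.GetSubkeyNames(RegistryHive.Users, path) ?? new string[] { };

                    foreach (var id in userIDs)
                    {
                        var settings = RegistryUtil.GetValues(RegistryHive.Users, $"{path}\\{id}");
                        if (settings is null)
                        {
                            continue;
                        }

                        var gpoName = $"{settings["GPOName"]}";
                        if (!userGpOs.ContainsKey(gpoName))
                        {
                            userGpOs.Add(gpoName, settings);
                        }
                    }
                }
            }

            foreach (var userGpo in userGpOs.Values)
            {
                yield return ToDto(userGpo, "user");
            }

            // Builds the DTO from one GPO settings key; shared by the machine and user branches so
            // the column mapping lives in exactly one place.
            static LocalGPODTO ToDto(Dictionary<string, object> settings, string scope) =>
                new LocalGPODTO(
                    settings["GPOName"],
                    scope,
                    settings["DisplayName"],
                    settings["Link"],
                    settings["FileSysPath"],
                    (GPOOptions)settings["Options"],
                    (GPOLink)settings["GPOLink"],
                    settings["Extensions"]);
        }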