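        /// <summary>
        /// Reads the <c>LastLoggedOnUser</c> value under
        /// <c>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI</c> on each host in
        /// <c>args.ComputerName</c> through the remote <c>StdRegProv</c> WMI provider.
        /// </summary>
        /// <param name="args">Target hosts and optional credential; <c>null</c> selects the defaults of <see cref="Args_Get_WMIRegLastLoggedOn"/>.</param>
        /// <returns>One <see cref="LastLoggedOnUser"/> per host that answered. Hosts that fail are logged as a warning and skipped, so the result may be shorter than the input.</returns>
        public static IEnumerable<LastLoggedOnUser> Get_WMIRegLastLoggedOn(Args_Get_WMIRegLastLoggedOn args = null)
        {
            if (args == null)
            {
                args = new Args_Get_WMIRegLastLoggedOn();
            }

            // HKEY_LOCAL_MACHINE as StdRegProv expects it (uint32 hDefKey); loop-invariant, so hoisted.
            const uint HKLM = 2147483650;
            const string Key = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI";
            const string Value = "LastLoggedOnUser";

            var LastLoggedOnUsers = new List<LastLoggedOnUser>();

            foreach (var Computer in args.ComputerName)
            {
                // try to open up the remote registry key to grab the last logged on user
                try
                {
                    var Reg = WmiWrapper.GetClass($@"\\{Computer}\ROOT\DEFAULT", "StdRegProv", args.Credential);
                    var outParams = WmiWrapper.CallMethod(Reg, "GetStringValue", new Dictionary<string, object> {
                        { "hDefKey", HKLM }, { "sSubKeyName", Key }, { "sValueName", Value }
                    }) as System.Management.ManagementBaseObject;

                    // The "as" cast yields null when the provider returned nothing usable; say so
                    // instead of letting the indexer raise a NullReferenceException.
                    if (outParams == null)
                    {
                        Logger.Write_Warning($@"[Get-WMIRegLastLoggedOn] GetStringValue returned no result for {Computer}.");
                        continue;
                    }

                    LastLoggedOnUsers.Add(new LastLoggedOnUser
                    {
                        ComputerName = Computer,
                        LastLoggedOn = outParams["sValue"] as string
                    });
                }
                catch (Exception e)
                {
                    // The previous message was a plain string containing "$Computer" (PowerShell
                    // syntax), so the host name never reached the log; it is now interpolated and
                    // the exception is included, matching the sibling Get_WMI* methods.
                    Logger.Write_Warning($@"[Get-WMIRegLastLoggedOn] Error opening remote registry on {Computer}. Remote registry likely not enabled: {e}");
                }
            }
            return LastLoggedOnUsers;
        }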
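        /// <summary>
        /// Enumerates <c>Win32_Process</c> instances on each host in <c>args.ComputerName</c> over WMI
        /// and records the owning domain/user of every process (via the <c>GetOwner</c> method).
        /// </summary>
        /// <param name="args">Target hosts and optional credential; <c>null</c> selects the defaults of <see cref="Args_Get_WMIProcess"/>.</param>
        /// <returns>One <see cref="UserProcess"/> per process read successfully. A host that cannot be
        /// reached is logged (verbose) and skipped; a single process that cannot be read is likewise
        /// logged and skipped without aborting the rest of that host.</returns>
        public static IEnumerable<UserProcess> Get_WMIProcess(Args_Get_WMIProcess args = null)
        {
            if (args == null)
            {
                args = new Args_Get_WMIProcess();
            }

            var UserProcesses = new List<UserProcess>();

            foreach (var Computer in args.ComputerName)
            {
                try
                {
                    var cls = WmiWrapper.GetClass($@"\\{Computer}\ROOT\CIMV2", "Win32_process", args.Credential);

                    foreach (var proc in WmiWrapper.GetInstances(cls))
                    {
                        // Previously one failing process (e.g. GetOwner refused on a protected
                        // process) threw out of the host-level try and dropped every remaining
                        // process on that host. Contain the failure per process instead.
                        try
                        {
                            var owner = WmiWrapper.CallMethod(proc, "GetOwner");
                            UserProcesses.Add(new UserProcess
                            {
                                ComputerName = Computer,
                                // Property values can be null on some instances; ?. keeps that from
                                // throwing and leaves the field null rather than losing the record.
                                ProcessName = proc.Properties["Caption"].Value?.ToString(),
                                ProcessID = proc.Properties["ProcessId"].Value?.ToString(),
                                Domain = $@"{owner["Domain"]}",
                                User = $@"{owner["User"]}",
                            });
                        }
                        catch (Exception e)
                        {
                            Logger.Write_Verbose($@"[Get-WMIProcess] Error reading a process on '{Computer}': {e}");
                        }
                    }
                }
                catch (Exception e)
                {
                    Logger.Write_Verbose($@"[Get-WMIProcess] Error enumerating remote processes on '{Computer}', access likely denied: {e}");
                }
            }
            return UserProcesses;
        }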
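        /// <summary>
        /// Walks <c>HKEY_USERS</c> on each host in <c>args.ComputerName</c> through the remote
        /// <c>StdRegProv</c> WMI provider and reports the network drives mapped under each domain
        /// user's <c>&lt;SID&gt;\Network\&lt;letter&gt;</c> key.
        /// </summary>
        /// <param name="args">Target hosts and optional credential; <c>null</c> selects the defaults of <see cref="Args_Get_WMIRegMountedDrive"/>.</param>
        /// <returns>One <see cref="RegMountedDrive"/> per mapping that has a non-empty <c>RemotePath</c>.
        /// Only SIDs matching the domain-user pattern <c>S-1-5-21-*</c> are inspected. A host that cannot
        /// be reached is logged as a warning and skipped; a SID whose keys cannot be read is logged
        /// (verbose) and skipped.</returns>
        public static IEnumerable<RegMountedDrive> Get_WMIRegMountedDrive(Args_Get_WMIRegMountedDrive args = null)
        {
            if (args == null)
            {
                args = new Args_Get_WMIRegMountedDrive();
            }

            // HKEY_USERS as StdRegProv expects it (uint32 hDefKey); loop-invariant, so hoisted.
            const uint HKU = 2147483651;

            var MountedDrives = new List<RegMountedDrive>();

            foreach (var Computer in args.ComputerName)
            {
                try
                {
                    var Reg = WmiWrapper.GetClass($@"\\{Computer}\ROOT\DEFAULT", "StdRegProv", args.Credential);

                    // EnumKey: sub-key names under HKU\<subKey>, or null when the provider returns nothing usable.
                    Func<string, IEnumerable<string>> EnumKey = subKey =>
                    {
                        var result = WmiWrapper.CallMethod(Reg, "EnumKey", new Dictionary<string, object> {
                            { "hDefKey", HKU }, { "sSubKeyName", subKey }
                        }) as System.Management.ManagementBaseObject;
                        return result == null ? null : result["sNames"] as IEnumerable<string>;
                    };

                    // GetStringValue: one REG_SZ value under HKU\<subKey>, or null when absent / not a string.
                    // Replaces the three copy-pasted CallMethod blocks that differed only in the value name.
                    Func<string, string, string> GetStringValue = (subKey, valueName) =>
                    {
                        var result = WmiWrapper.CallMethod(Reg, "GetStringValue", new Dictionary<string, object> {
                            { "hDefKey", HKU }, { "sSubKeyName", subKey }, { "sValueName", valueName }
                        }) as System.Management.ManagementBaseObject;
                        return result == null ? null : result["sValue"] as string;
                    };

                    // extract out the SIDs of domain users in this hive
                    var names = EnumKey("");
                    if (names == null)
                    {
                        continue;
                    }
                    var UserSIDs = names.Where(x => x.IsRegexMatch(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$"));

                    foreach (var UserSID in UserSIDs)
                    {
                        try
                        {
                            // Resolve the SID once per user; fall back to "" so the record never carries a null name.
                            var UserName = ConvertFromSID.ConvertFrom_SID(new Args_ConvertFrom_SID {
                                ObjectSID = new[] { UserSID }, Credential = args.Credential
                            }).FirstOrDefault() ?? "";

                            var DriveLetters = EnumKey($@"{UserSID}\Network");
                            if (DriveLetters == null)
                            {
                                continue;
                            }

                            foreach (var DriveLetter in DriveLetters)
                            {
                                var DriveKey = $@"{UserSID}\Network\{DriveLetter}";

                                // A mapping without a remote path is not reported; read it first so the
                                // other two values are only fetched for drives that will be kept.
                                var RemotePath = GetStringValue(DriveKey, "RemotePath");
                                if (string.IsNullOrEmpty(RemotePath))
                                {
                                    continue;
                                }

                                MountedDrives.Add(new RegMountedDrive
                                {
                                    ComputerName  = Computer,
                                    UserName      = UserName,
                                    UserSID       = UserSID,
                                    DriveLetter   = DriveLetter,
                                    ProviderName  = GetStringValue(DriveKey, "ProviderName"),
                                    RemotePath    = RemotePath,
                                    DriveUserName = GetStringValue(DriveKey, "UserName")
                                });
                            }
                        }
                        catch (Exception e)
                        {
                            Logger.Write_Verbose($@"[Get-WMIRegMountedDrive] Error: {e}");
                        }
                    }
                }
                catch (Exception e)
                {
                    Logger.Write_Warning($@"[Get-WMIRegMountedDrive] Error accessing {Computer}, likely insufficient permissions or firewall rules on host: {e}");
                }
            }
            return MountedDrives;
        }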
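        /// <summary>
        /// Walks <c>HKEY_USERS</c> on each host in <c>args.ComputerName</c> through the remote
        /// <c>StdRegProv</c> WMI provider and reports the Remote Desktop client history stored under
        /// each domain user's <c>Terminal Server Client\Default</c> (MRU entries) and
        /// <c>Terminal Server Client\Servers</c> (per-server <c>UsernameHint</c>) keys.
        /// </summary>
        /// <param name="args">Target hosts and optional credential; <c>null</c> selects the defaults of <see cref="Args_Get_WMIRegCachedRDPConnection"/>.</param>
        /// <returns>One <see cref="CachedRDPConnection"/> per MRU value (with <c>UsernameHint</c> null)
        /// and one per <c>Servers</c> sub-key. Only SIDs matching <c>S-1-5-21-*</c> are inspected. A host
        /// that cannot be reached is logged as a warning and skipped; a SID whose keys cannot be read is
        /// logged (verbose) and skipped.</returns>
        public static IEnumerable<CachedRDPConnection> Get_WMIRegCachedRDPConnection(Args_Get_WMIRegCachedRDPConnection args = null)
        {
            if (args == null)
            {
                args = new Args_Get_WMIRegCachedRDPConnection();
            }

            // HKEY_USERS as StdRegProv expects it (uint32 hDefKey); loop-invariant, so hoisted.
            const uint HKU = 2147483651;

            var FoundConnections = new List<CachedRDPConnection>();

            foreach (var Computer in args.ComputerName)
            {
                try
                {
                    var Reg = WmiWrapper.GetClass($@"\\{Computer}\ROOT\DEFAULT", "StdRegProv", args.Credential);

                    // EnumNames: the sNames array of StdRegProv.EnumKey / EnumValues for HKU\<subKey>,
                    // or null when the provider returns nothing usable.
                    Func<string, string, IEnumerable<string>> EnumNames = (method, subKey) =>
                    {
                        var result = WmiWrapper.CallMethod(Reg, method, new Dictionary<string, object> {
                            { "hDefKey", HKU }, { "sSubKeyName", subKey }
                        }) as System.Management.ManagementBaseObject;
                        return result == null ? null : result["sNames"] as IEnumerable<string>;
                    };

                    // GetStringValue: one REG_SZ value under HKU\<subKey>, or null when absent / not a string.
                    // Replaces the repeated CallMethod blocks that differed only in key and value name.
                    Func<string, string, string> GetStringValue = (subKey, valueName) =>
                    {
                        var result = WmiWrapper.CallMethod(Reg, "GetStringValue", new Dictionary<string, object> {
                            { "hDefKey", HKU }, { "sSubKeyName", subKey }, { "sValueName", valueName }
                        }) as System.Management.ManagementBaseObject;
                        return result == null ? null : result["sValue"] as string;
                    };

                    // extract out the SIDs of domain users in this hive
                    var names = EnumNames("EnumKey", "");
                    if (names == null)
                    {
                        continue;
                    }
                    var UserSIDs = names.Where(x => x.IsRegexMatch(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$"));

                    foreach (var UserSID in UserSIDs)
                    {
                        try
                        {
                            var UserName = ConvertFromSID.ConvertFrom_SID(new Args_ConvertFrom_SID {
                                ObjectSID = new[] { UserSID }, Credential = args.Credential
                            }).FirstOrDefault();

                            var DefaultKey = $@"{UserSID}\Software\Microsoft\Terminal Server Client\Default";
                            var ServersKey = $@"{UserSID}\Software\Microsoft\Terminal Server Client\Servers";

                            // pull out all the cached RDP connections (the MRU* values under ...\Default)
                            var ConnectionKeys = EnumNames("EnumValues", DefaultKey);
                            if (ConnectionKeys != null)
                            {
                                foreach (var Connection in ConnectionKeys.Where(c => c.IsRegexMatch(@"MRU.*")))
                                {
                                    FoundConnections.Add(new CachedRDPConnection
                                    {
                                        ComputerName = Computer,
                                        UserName     = UserName,
                                        UserSID      = UserSID,
                                        TargetServer = GetStringValue(DefaultKey, Connection),
                                        // MRU entries carry no hint; the Servers branch below fills it.
                                        UsernameHint = null
                                    });
                                }
                            }

                            // pull out all the cached server info with username hints (sub-keys of ...\Servers)
                            var ServerKeys = EnumNames("EnumKey", ServersKey);
                            if (ServerKeys != null)
                            {
                                foreach (var Server in ServerKeys)
                                {
                                    FoundConnections.Add(new CachedRDPConnection
                                    {
                                        ComputerName = Computer,
                                        UserName     = UserName,
                                        UserSID      = UserSID,
                                        TargetServer = Server,
                                        UsernameHint = GetStringValue($@"{ServersKey}\{Server}", "UsernameHint")
                                    });
                                }
                            }
                        }
                        catch (Exception e)
                        {
                            Logger.Write_Verbose($@"[Get-WMIRegCachedRDPConnection] Error: {e}");
                        }
                    }
                }
                catch (Exception e)
                {
                    Logger.Write_Warning($@"[Get-WMIRegCachedRDPConnection] Error accessing {Computer}, likely insufficient permissions or firewall rules on host: {e}");
                }
            }
            return FoundConnections;
        }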
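        /// <summary>
        /// Reads the <c>ProxyServer</c> and <c>AutoConfigURL</c> values under
        /// <c>HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings</c> on each host in
        /// <c>args.ComputerName</c> through the remote <c>StdRegProv</c> WMI provider. When an
        /// <c>AutoConfigURL</c> is set, the PAC/WPAD script at that URL is downloaded into <c>Wpad</c>.
        /// </summary>
        /// <param name="args">Target hosts and optional credential; <c>null</c> selects the defaults of <see cref="Args_Get_WMIRegProxy"/>.</param>
        /// <returns>One <see cref="ProxySettings"/> per host where at least one of the two values is
        /// present. Hosts with neither value, and hosts that fail, are logged as a warning and skipped.
        /// A failed PAC download leaves <c>Wpad</c> empty rather than dropping the record.</returns>
        public static IEnumerable<ProxySettings> Get_WMIRegProxy(Args_Get_WMIRegProxy args = null)
        {
            if (args == null)
            {
                args = new Args_Get_WMIRegProxy();
            }

            // HKEY_CURRENT_USER as StdRegProv expects it (uint32 hDefKey); loop-invariant, so hoisted.
            const uint HKCU = 2147483649;
            const string Key = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings";

            // Named "results" so the local no longer shadows the ProxySettings type it holds.
            var results = new List<ProxySettings>();

            foreach (var Computer in args.ComputerName)
            {
                try
                {
                    var RegProvider = WmiWrapper.GetClass($@"\\{Computer}\ROOT\DEFAULT", "StdRegProv", args.Credential);

                    // GetStringValue: one REG_SZ value under HKCU\Key, or null when absent / not a string.
                    Func<string, string> GetStringValue = valueName =>
                    {
                        var result = WmiWrapper.CallMethod(RegProvider, "GetStringValue", new Dictionary<string, object> {
                            { "hDefKey", HKCU }, { "sSubKeyName", Key }, { "sValueName", valueName }
                        }) as System.Management.ManagementBaseObject;
                        return result == null ? null : result["sValue"] as string;
                    };

                    var ProxyServer = GetStringValue("ProxyServer");
                    var AutoConfigURL = GetStringValue("AutoConfigURL");

                    var Wpad = "";
                    if (!string.IsNullOrEmpty(AutoConfigURL))
                    {
                        try
                        {
                            // WebClient is IDisposable and was previously never disposed (one leaked
                            // instance per host). NOTE(review): the URL is taken verbatim from the
                            // target's registry and WebClient applies no request timeout, so an
                            // unreachable address can stall this loop — consider bounding the fetch.
                            using (var client = new System.Net.WebClient())
                            {
                                Wpad = client.DownloadString(AutoConfigURL);
                            }
                        }
                        catch (Exception e)
                        {
                            // Log the cause instead of silently swallowing it, as the outer catch does.
                            Logger.Write_Warning($@"[Get-WMIRegProxy] Error connecting to AutoConfigURL : {AutoConfigURL} : {e}");
                        }
                    }

                    if (ProxyServer == null && AutoConfigURL == null)
                    {
                        Logger.Write_Warning($@"[Get-WMIRegProxy] No proxy settings found for {Computer}");
                        continue;
                    }

                    results.Add(new ProxySettings
                    {
                        ComputerName  = Computer,
                        ProxyServer   = ProxyServer,
                        AutoConfigURL = AutoConfigURL,
                        Wpad          = Wpad
                    });
                }
                catch (Exception e)
                {
                    Logger.Write_Warning($@"[Get-WMIRegProxy] Error enumerating proxy settings for {Computer} : {e}");
                }
            }

            return results;
        }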