public void ProcessValues(RegistryKey key)
{
_values.Clear();
Errors.Clear();
var namesKey = key.SubKeys.SingleOrDefault(t => t.KeyName == "Names");
var nameMap = new Dictionary<int, DateTimeOffset>();
if (namesKey == null)
{
return;
}
foreach (var registryKey in namesKey.SubKeys)
{
if (nameMap.ContainsKey((int) registryKey.Values.First().VKRecord.DataTypeRaw))
{
continue;
}
nameMap.Add((int) registryKey.Values.First().VKRecord.DataTypeRaw, registryKey.LastWriteTime.Value);
}
foreach (var key1 in key.SubKeys)
{
if (key1.KeyName == "Names")
{
continue;
}
try
{
var fVal = key1.Values.SingleOrDefault(t => t.ValueName == "F");
var userId = 0;
var invalidLogins = 0;
var totalLogins = 0;
DateTimeOffset? lastLoginTime = null;
DateTimeOffset? lastPwChangeTime = null;
DateTimeOffset? acctExpiresTime = null;
DateTimeOffset? lastIncorrectPwTime = null;
if (fVal != null)
{
userId = BitConverter.ToInt32(fVal.ValueDataRaw, 0x30);
invalidLogins = BitConverter.ToInt16(fVal.ValueDataRaw, 0x40);
totalLogins = BitConverter.ToInt16(fVal.ValueDataRaw, 0x42);
var tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x8));
if (tempTime.Year > 1700)
{
lastLoginTime = tempTime.ToUniversalTime();
}
tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x18));
if (tempTime.Year > 1700)
{
lastPwChangeTime = tempTime.ToUniversalTime();
}
tempTime = DateTimeOffset.MinValue;
try
{
tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x20));
}
catch (Exception)
{
}
if (tempTime.Year > 1700)
{
acctExpiresTime = tempTime.ToUniversalTime();
}
tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x28));
if (tempTime.Year > 1700)
{
lastIncorrectPwTime = tempTime.ToUniversalTime();
}
}
var vVal = key1.Values.SingleOrDefault(t => t.ValueName == "V");
var offToName = BitConverter.ToInt32(vVal.ValueDataRaw, 0xc) + 0xCC;
var nameLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0xc + 4);
var name1 = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToName, nameLen);
var offToFull = BitConverter.ToInt32(vVal.ValueDataRaw, 0x18) + 0xCC;
var fullLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x18 + 4);
var full1 = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToFull, fullLen);
var offToComment = BitConverter.ToInt32(vVal.ValueDataRaw, 0x24) + 0xCC;
var commentLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x24 + 4);
var comment = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToComment, commentLen);
var offToUserComment = BitConverter.ToInt32(vVal.ValueDataRaw, 0x30) + 0xCC;
var userCommentLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x30 + 4);
var userComment = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToUserComment, userCommentLen);
var offHomeDir = BitConverter.ToInt32(vVal.ValueDataRaw, 0x48) + 0xCC;
var homeDirLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x48 + 4);
var homeDir = Encoding.Unicode.GetString(vVal.ValueDataRaw, offHomeDir, homeDirLen);
var createdOn = nameMap[userId];
var u = new UserOut(userId, invalidLogins, totalLogins, lastLoginTime, lastPwChangeTime,
lastIncorrectPwTime, acctExpiresTime, name1, full1, comment, userComment, homeDir, createdOn);
_values.Add(u);
}
catch (Exception ex)
{
Errors.Add($"Error processing user account: {ex.Message}");
}
if (Errors.Count > 0)
{
AlertMessage = "Errors detected. See Errors information in lower right corner of plugin window";
}
}
}
public void ProcessValues(RegistryKey key)
{
_values.Clear();
Errors.Clear();
Groups.Clear();
var namesKey = key.SubKeys.SingleOrDefault(t => t.KeyName == "Names");
var nameMap = new Dictionary <int, DateTimeOffset>();
if (namesKey == null)
{
return;
}
GetGroups(key);
foreach (var registryKey in namesKey.SubKeys)
{
if (registryKey.Values.Count == 0)
{
continue;
}
if (nameMap.ContainsKey((int)registryKey.Values.First().VkRecord.DataTypeRaw))
{
continue;
}
nameMap.Add((int)registryKey.Values.First().VkRecord.DataTypeRaw, registryKey.LastWriteTime.Value);
}
foreach (var key1 in key.SubKeys)
{
if (key1.KeyName == "Names")
{
continue;
}
try
{
var fVal = key1.Values.SingleOrDefault(t => t.ValueName == "F");
var userId = 0;
var invalidLogins = 0;
var totalLogins = 0;
DateTimeOffset?lastLoginTime = null;
DateTimeOffset?lastPwChangeTime = null;
DateTimeOffset?acctExpiresTime = null;
DateTimeOffset?lastIncorrectPwTime = null;
var parsedAccountFlags = AccountFlags.None;
if (fVal != null)
{
userId = BitConverter.ToInt32(fVal.ValueDataRaw, 0x30);
invalidLogins = BitConverter.ToInt16(fVal.ValueDataRaw, 0x40);
totalLogins = BitConverter.ToInt16(fVal.ValueDataRaw, 0x42);
var tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x8));
if (tempTime.Year > 1700)
{
lastLoginTime = tempTime.ToUniversalTime();
}
tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x18));
if (tempTime.Year > 1700)
{
lastPwChangeTime = tempTime.ToUniversalTime();
}
tempTime = DateTimeOffset.MinValue;
try
{
tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x20));
}
catch (Exception)
{
}
if (tempTime.Year > 1700)
{
acctExpiresTime = tempTime.ToUniversalTime();
}
tempTime = DateTimeOffset.FromFileTime(BitConverter.ToInt64(fVal.ValueDataRaw, 0x28));
if (tempTime.Year > 1700)
{
lastIncorrectPwTime = tempTime.ToUniversalTime();
}
if (fVal.ValueDataRaw.Length >= 0x38)
{
parsedAccountFlags = (AccountFlags)BitConverter.ToInt16(fVal.ValueDataRaw, 0x38);
}
}
var vVal = key1.Values.SingleOrDefault(t => t.ValueName == "V");
if (vVal != null)
{
var offToName = BitConverter.ToInt32(vVal.ValueDataRaw, 0xc) + 0xCC;
var nameLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0xc + 4);
var name1 = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToName, nameLen);
var offToFull = BitConverter.ToInt32(vVal.ValueDataRaw, 0x18) + 0xCC;
var fullLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x18 + 4);
var full1 = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToFull, fullLen);
var offToComment = BitConverter.ToInt32(vVal.ValueDataRaw, 0x24) + 0xCC;
var commentLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x24 + 4);
var comment = Encoding.Unicode.GetString(vVal.ValueDataRaw, offToComment, commentLen);
var offToUserComment = BitConverter.ToInt32(vVal.ValueDataRaw, 0x30) + 0xCC;
var userCommentLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x30 + 4);
var userComment =
Encoding.Unicode.GetString(vVal.ValueDataRaw, offToUserComment, userCommentLen);
var offHomeDir = BitConverter.ToInt32(vVal.ValueDataRaw, 0x48) + 0xCC;
var homeDirLen = BitConverter.ToInt32(vVal.ValueDataRaw, 0x48 + 4);
var homeDir = Encoding.Unicode.GetString(vVal.ValueDataRaw, offHomeDir, homeDirLen);
var createdOn = nameMap[userId];
var groups = GetGroupsForUser(userId);
var hint = string.Empty;
var hintVal = key1.Values.SingleOrDefault(t => t.ValueName == "UserPasswordHint");
if (hintVal != null)
{
hint = Encoding.Unicode.GetString(hintVal.ValueDataRaw);
}
var u = new UserOut(userId, invalidLogins, totalLogins, lastLoginTime, lastPwChangeTime,
lastIncorrectPwTime, acctExpiresTime, name1, full1, comment, userComment, homeDir,
createdOn, groups, hint, parsedAccountFlags);
u.BatchValueName = vVal.ValueName;
u.BatchKeyPath = key1.KeyPath;
_values.Add(u);
}
}
catch (Exception ex)
{
Errors.Add($"Error processing user account: {ex.Message}");
}
if (Errors.Count > 0)
{
AlertMessage = "Errors detected. See Errors information in lower right corner of plugin window";
}
}
}
