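/// <summary>
/// Audits every subkey of HKLM\system\currentcontrolset\services and reports the ones for which
/// MyUtils.CheckAccessReg returns at least one right for the supplied accounts.
/// </summary>
/// <remarks>
/// A service key holds the configuration the Service Control Manager reads for that service, so a
/// key that a low-privileged principal can modify is a finding to remediate by tightening its ACL.
/// NOTE(review): which rights count as a hit is decided inside MyUtils.CheckAccessReg (presumably
/// write-type rights, judging by this method's name); confirm there.
/// </remarks>
/// <param name="NtAccountNames">Account names handed unchanged to MyUtils.CheckAccessReg.</param>
/// <returns>
/// One dictionary per flagged key with the entries "Path" and "Permissions"; an empty list when
/// nothing is flagged or the services key cannot be opened.
/// </returns>
public static List<Dictionary<string, string>> GetWriteServiceRegs(List<string> NtAccountNames)
{
    const string servicesPath = @"system\currentcontrolset\services";
    List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();

    try
    {
        // Registry handles are disposed deterministically; the original leaked one per service.
        using (RegistryKey regKey = Registry.LocalMachine.OpenSubKey(servicesPath))
        {
            if (regKey == null)
            {
                Beaprint.GrayPrint(String.Format("    [X] Exception: {0}", @"Unable to open HKLM\" + servicesPath));
                return results;
            }

            foreach (string serviceRegName in regKey.GetSubKeyNames())
            {
                // Per-key handling: one unreadable or vanished key must not end the audit early,
                // otherwise every service sorted after it is silently left unchecked.
                try
                {
                    using (RegistryKey key = regKey.OpenSubKey(serviceRegName))
                    {
                        if (key == null)
                        {
                            // Key was removed between enumeration and open.
                            continue;
                        }

                        List<string> perms = MyUtils.CheckAccessReg(key, NtAccountNames);
                        if (perms.Count > 0)
                        {
                            results.Add(new Dictionary<string, string>
                            {
                                { "Path", @"HKLM\system\currentcontrolset\services\" + serviceRegName },
                                { "Permissions", string.Join(", ", perms) }
                            });
                        }
                    }
                }
                catch (Exception ex)
                {
                    Beaprint.GrayPrint(String.Format("    [X] Exception: {0}", ex.Message));
                }
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format("    [X] Exception: {0}", ex.Message));
    }

    return results;
}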
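/// <summary>
/// Audits the machine-wide (HKLM) Run/RunOnce/RunService/RunOnceService autorun locations, including
/// their Wow6432Node counterparts, and describes every value found there together with the registry
/// and file-system permissions reported by the MyUtils helpers.
/// </summary>
/// <remarks>
/// Only HKLM locations are inspected; per-user hives are not covered by this method.
/// The "File" entry is the expanded value data as stored in the registry.
/// NOTE(review): that data may be a full command line (executable plus arguments); confirm that
/// MyUtils.GetPermissionsFile and MyUtils.CheckQuoteAndSpace are meant to receive it in that form.
/// </remarks>
/// <param name="NtAccountNames">Account names handed unchanged to MyUtils.CheckAccessReg.</param>
/// <returns>
/// One dictionary per autorun value with the entries "Reg", "Folder", "File", "RegPermissions",
/// "interestingFolderRights", "interestingFileRights" and "isUnquotedSpaced".
/// </returns>
public static List<Dictionary<string, string>> GetRegistryAutoRuns(List<string> NtAccountNames)
{
    List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();

    try
    {
        string[] autorunLocations = new string[]
        {
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunService",
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceService",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunService",
            "SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnceService"
        };

        foreach (string autorunLocation in autorunLocations)
        {
            // Per-location handling: a failure on one location must not hide the others.
            try
            {
                Dictionary<string, object> settings = MyUtils.GetRegValues("HKLM", autorunLocation);
                if ((settings == null) || (settings.Count == 0))
                {
                    continue;
                }

                // The ACL belongs to the location key, not to an individual value, so the key is
                // opened and checked once per location and then disposed (the original opened a
                // new, never-disposed handle for every value).
                string regPermissions;
                using (RegistryKey key = Registry.LocalMachine.OpenSubKey(autorunLocation))
                {
                    regPermissions = string.Join(", ", MyUtils.CheckAccessReg(key, NtAccountNames));
                }

                foreach (KeyValuePair<string, object> kvp in settings)
                {
                    // Per-value handling: malformed value data (for example empty data, which
                    // Path.GetDirectoryName can reject) must not abort the remaining entries.
                    try
                    {
                        string filepath = Environment.ExpandEnvironmentVariables(String.Format("{0}", kvp.Value));
                        string folder = System.IO.Path.GetDirectoryName(filepath.Replace("'", "").Replace("\"", ""));

                        results.Add(new Dictionary<string, string>()
                        {
                            { "Reg", "HKLM\\" + autorunLocation },
                            { "Folder", folder },
                            { "File", filepath },
                            { "RegPermissions", regPermissions },
                            { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups)) },
                            { "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.interestingUsersGroups)) },
                            { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(filepath).ToString() }
                        });
                    }
                    catch (Exception ex)
                    {
                        Beaprint.GrayPrint(String.Format("    [X] Exception: {0}", ex.Message));
                    }
                }
            }
            catch (Exception ex)
            {
                Beaprint.GrayPrint(String.Format("    [X] Exception: {0}", ex.Message));
            }
        }
    }
    catch (Exception ex)
    {
        Beaprint.GrayPrint(String.Format("    [X] Exception: {0}", ex.Message));
    }

    return results;
}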