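/// <summary>
/// Collects Excel "Trusted Locations" for every user profile as autorun points.
/// Files opened from a Trusted Location run their macros without the usual Office
/// security prompt, so an attacker-added location is worth surfacing alongside the
/// classic Run-key entries. Each configured location is handed to AddFiles.
/// </summary>
/// <returns>
/// The collected autorun points; empty when Excel is not registered, when no profile
/// could be read, or when any unexpected error occurs (the audit is best-effort and
/// never throws).
/// </returns>
public static List<Autorunpoints> StartAudit()
{
    List<Autorunpoints> xlselements = new List<Autorunpoints>();
    try
    {
        // NOTE(review): assumes GetUserProfiles returns HKU subkey names (user SIDs),
        // since each entry is used directly as a prefix under Registry.Users — confirm.
        List<string> ls = RegistryUtil.GetUserProfiles();
        if (ls == null || ls.Count == 0)
        {
            return xlselements;
        }

        // The installed Excel version is read from the machine-wide App Paths key and is
        // the same for every profile, so resolve it once instead of once per iteration.
        // The key is disposed deterministically; the original leaked one handle per profile.
        string majorVersion;
        using (RegistryKey officeKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe"))
        {
            if (officeKey == null)
            {
                return xlselements; // Excel is not registered on this machine
            }
            object excelPath = officeKey.GetValue(null);
            if (excelPath == null)
            {
                return xlselements; // App Paths entry exists but has no default value
            }
            majorVersion = GetProductMajorVersion(excelPath.ToString());
        }
        if (string.IsNullOrEmpty(majorVersion))
        {
            // Without a version there is no Office\<ver>\ key to look under.
            return xlselements;
        }
        // Office registry keys are versioned as "16.0", "15.0", ... — normalise a bare "16".
        if (!majorVersion.EndsWith(".0", StringComparison.Ordinal))
        {
            majorVersion += ".0";
        }

        foreach (string profile in ls)
        {
            try
            {
                string tempRegis = profile + "\\Software\\Microsoft\\Office\\" + majorVersion + "\\Excel\\Security\\Trusted Locations\\";
                using (RegistryKey trustedLocKey = Registry.Users.OpenSubKey(tempRegis))
                {
                    if (trustedLocKey == null)
                    {
                        continue; // this user has no Trusted Locations configured (or hive not loaded)
                    }
                    DateTime regMod = RegistryModified.lastWriteTime(trustedLocKey);
                    // One subkey per trusted location (Location0, Location1, ...); the
                    // parent's last-write time is reported for all of them.
                    foreach (string item in trustedLocKey.GetSubKeyNames())
                    {
                        AddFiles(xlselements, tempRegis + item, regMod);
                    }
                }
            }
            catch (Exception)
            {
                // Best-effort per profile: an unreadable or malformed hive must not abort
                // the audit of the remaining profiles.
            }
        }
    }
    catch (Exception)
    {
        // Best-effort: return whatever was collected so far.
    }
    return xlselements;
}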
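/// <summary>
/// Returns the owner of an HKLM subkey (as DOMAIN\name, or the raw SID when the SID
/// cannot be mapped to an account) together with the key's last-write time.
/// </summary>
/// <param name="runkey">Subkey path relative to HKEY_LOCAL_MACHINE.</param>
/// <param name="is64">True to open the 64-bit registry view, false for the 32-bit (WOW6432Node) view.</param>
/// <param name="regModified">
/// Last-write time of the key formatted with DBManager.DateTimeFormat in UTC, or an empty
/// string when the key is missing or the timestamp could not be read.
/// </param>
/// <returns>
/// The owner account name, or an empty string when the key does not exist or could not be
/// read. Callers should treat an empty owner as "unknown", not as "no owner": reading the
/// owner requires READ_CONTROL on the key, and an access-denied error is swallowed here.
/// </returns>
public static string GetMachineRegKeyOwner(string runkey, bool is64, out string regModified)
{
    regModified = string.Empty;
    string owner = string.Empty;
    try
    {
        // Both keys are opened inside the try/using: previously a SecurityException from
        // OpenSubKey escaped the method and leaked the base-key handle.
        using (RegistryKey basekey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, is64 ? RegistryView.Registry64 : RegistryView.Registry32))
        using (RegistryKey subkey = basekey.OpenSubKey(runkey))
        {
            if (subkey == null)
            {
                return owner;
            }

            System.Security.AccessControl.RegistrySecurity regSec = subkey.GetAccessControl();
            try
            {
                owner = regSec.GetOwner(typeof(NTAccount)).ToString();
            }
            catch (System.Security.Principal.IdentityNotMappedException)
            {
                // Orphaned or foreign SID (deleted account, unreachable domain): report the
                // SID itself rather than silently returning an empty owner.
                owner = regSec.GetOwner(typeof(System.Security.Principal.SecurityIdentifier)).ToString();
            }

            try
            {
                // NOTE(review): ToUniversalTime assumes lastWriteTime returns a local-time
                // DateTime — confirm against RegistryModified.
                DateTime regMod = RegistryModified.lastWriteTime(subkey);
                regModified = regMod.ToUniversalTime().ToString(DBManager.DateTimeFormat);
            }
            catch (Exception)
            {
                // The timestamp is optional; the owner is still returned.
            }
        }
    }
    catch (Exception)
    {
        // Missing key, access denied or an unexpected registry error: return what we have.
    }
    return owner;
}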
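/// <summary>
/// Enumerates every value under a Run-style key and appends one Autorunpoints entry per
/// value to <paramref name="regrunlist"/>.
/// </summary>
/// <param name="hive">"LocalMachine" for HKLM, otherwise a subkey name under HKEY_USERS (a user SID).</param>
/// <param name="run">Key path relative to the hive, e.g. Software\Microsoft\Windows\CurrentVersion\Run.</param>
/// <param name="is64">Registry view for HKLM; ignored for per-user hives, which are opened through Registry.Users' default view.</param>
/// <param name="runtype">Label stored in Autorunpoints.Type.</param>
/// <param name="regrunlist">Destination list; untouched when the key is missing or unreadable.</param>
private static void AuditHive(string hive, string run, bool is64, string runtype, List<Autorunpoints> regrunlist)
{
    try
    {
        RegistryKey basekey = null;
        RegistryKey runhive = null;
        RegistryKey runkey = null;
        try
        {
            if (hive == "LocalMachine")
            {
                basekey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, is64 ? RegistryView.Registry64 : RegistryView.Registry32);
                runkey = basekey.OpenSubKey(run);
            }
            else
            {
                runhive = Registry.Users.OpenSubKey(hive);
                if (runhive != null)
                {
                    runkey = runhive.OpenSubKey(run);
                }
            }
            if (runkey == null)
            {
                return;
            }

            // Key-level metadata is identical for every value, so compute it once.
            DateTime regModified = RegistryModified.lastWriteTime(runkey);
            string owner = RegistryUtil.GetRegKeyOwner(runkey);
            string registryPath = (hive == "LocalMachine" ? "LocalMachine" : hive) + "\\" + run;
            string modified = regModified.ToString(DBManager.DateTimeFormat);

            foreach (string valueName in runkey.GetValueNames())
            {
                try
                {
                    Autorunpoints autoruns = new Autorunpoints();
                    autoruns.RegistryPath = registryPath;
                    autoruns.RegistryValueName = valueName;
                    // NOTE: GetValue expands %VAR% references in REG_EXPAND_SZ values, so the
                    // recorded string is the expanded form, not the raw registry data.
                    string keyValue = Convert.ToString(runkey.GetValue(valueName));
                    autoruns.RegistryValueString = keyValue;
                    if (!string.IsNullOrEmpty(keyValue))
                    {
                        string filePath = ExtractFilePath(keyValue);
                        if (filePath != null)
                        {
                            // The stored value is reduced to the executable path; the
                            // arguments are discarded, so for LOLBin launchers such as
                            // "cmd /c ..." or "rundll32 x.dll,Entry" the real payload lives
                            // in the dropped arguments and is not captured here.
                            autoruns.RegistryValueString = filePath;
                            autoruns.FilePath = filePath;
                        }
                    }
                    autoruns.IsRegistry = true;
                    autoruns.RegistryOwner = owner;
                    autoruns.RegistryModified = modified;
                    autoruns.Type = runtype;
                    regrunlist.Add(autoruns);
                }
                catch (Exception)
                {
                    // Best-effort per value: one unreadable value must not hide the others.
                }
            }
        }
        finally
        {
            // All three handles are released on every path; the original never closed the
            // per-user hive key and leaked the base key when the Run key was absent.
            if (runkey != null)
            {
                runkey.Close();
            }
            if (runhive != null)
            {
                runhive.Close();
            }
            if (basekey != null)
            {
                basekey.Close();
            }
        }
    }
    catch (Exception)
    {
        // Missing hive, access denied or an unexpected registry error: skip this key.
    }
}

/// <summary>
/// Extracts the executable path from a Run-value command line.
/// </summary>
/// <param name="commandLine">Non-empty registry value data.</param>
/// <returns>
/// The path without surrounding quotes, or null when nothing could be extracted.
/// A value that starts with a double quote is taken up to the closing quote, which keeps
/// quoted paths containing " -", " /" or a trailing argument intact. Unquoted values keep
/// the historical heuristic: everything before the first " -", " /" or " \"" separator.
/// That heuristic is attacker-visible — a directory name containing " -" truncates the
/// path and an unquoted path followed by a bare argument is returned whole — so the result
/// should be treated as an indicator, not as a trusted file location.
/// </returns>
private static string ExtractFilePath(string commandLine)
{
    string trimmed = commandLine.TrimStart();
    if (trimmed.StartsWith("\"", StringComparison.Ordinal))
    {
        int closingQuote = trimmed.IndexOf('"', 1);
        if (closingQuote > 1)
        {
            return trimmed.Substring(1, closingQuote - 1);
        }
    }

    string[] pathAndArgument = commandLine.Split(new string[] { " -", " /", " \"" }, 2, StringSplitOptions.RemoveEmptyEntries);
    if (pathAndArgument.Length > 0)
    {
        return pathAndArgument[0].Replace("\"", string.Empty);
    }
    return null;
}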