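 /// <summary>
 /// Unloads a user hive that this tool mounted under HKEY_USERS.
 /// Only keys carrying the tool's own "S-123456789-" mount prefix are touched, so
 /// hives Windows itself loaded for logged-on users (real SIDs) are never unmounted.
 /// </summary>
 /// <param name="sid">Name of the HKEY_USERS subkey the hive was mounted as.</param>
 static void UnLoadHive(string sid)
 {
     // Ordinal comparison: the mount prefix is a machine identifier, not linguistic
     // text, so a culture-sensitive StartsWith must not decide whether a hive is
     // unmounted. A null/unmounted name is simply a no-op.
     if (sid != null && sid.StartsWith("S-123456789-", StringComparison.Ordinal))
     {
         RegistryInterop.UnLoad(sid);
     }
 }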
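        /// <summary>
        /// Reads the "Shell Folders" paths (Desktop, Documents, ...) that are to be
        /// excluded from the copy, either from the current user's profile
        /// (HKEY_CURRENT_USER) or from the ntuser.dat of a source user profile that is
        /// mounted temporarily under HKEY_USERS and unmounted again before returning.
        /// </summary>
        /// <param name="origem">Text that replaces the leading "C:\" of every path read
        /// from the registry (the drive/mount the source profile lives on).</param>
        /// <param name="usuarioOrigem">Directory of the source user profile; only used
        /// when <paramref name="p"/> is true, to locate its ntuser.dat.</param>
        /// <param name="p">True to read the offline ntuser.dat under
        /// <paramref name="usuarioOrigem"/>; false to read HKEY_CURRENT_USER.</param>
        /// <returns>Value name -> rewritten path, for every configured value that exists
        /// in the key and is not empty. Empty when the key does not exist.</returns>
        private static Dictionary <string, string> LocalizarPastasRegistro(string origem, string usuarioOrigem, bool p)
        {
            const string shellFoldersPath = @"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders";
            Dictionary <string, string> retorno = new Dictionary <string, string>();

            if (p)
            {
                string wimHivePath   = Path.Combine(usuarioOrigem, "ntuser.dat");
                string loadedHiveKey = RegistryInterop.Load(wimHivePath);

                // The mounted hive must be released even if reading it throws: a hive
                // left loaded keeps ntuser.dat locked and breaks that user's next logon.
                try
                {
                    using (RegistryKey rk = Registry.Users.OpenSubKey(loadedHiveKey))
                    {
                        if (rk != null)
                        {
                            using (RegistryKey srk = rk.OpenSubKey(shellFoldersPath))
                            {
                                CopiarPastasDaChave(srk, origem, retorno);
                            }
                        }
                    }
                }
                finally
                {
                    RegistryInterop.Unload();
                }
            }
            else
            {
                using (RegistryKey rk = Registry.CurrentUser.OpenSubKey(shellFoldersPath))
                {
                    CopiarPastasDaChave(rk, origem, retorno);
                }
            }
            return(retorno);
        }

        /// <summary>
        /// Copies every configured, non-empty value of <paramref name="chave"/> into
        /// <paramref name="destino"/>, replacing the leading "C:\" with
        /// <paramref name="origem"/>. A null key (path absent from the hive) adds nothing.
        /// </summary>
        /// <param name="chave">Open "Shell Folders" key, or null.</param>
        /// <param name="origem">Replacement for the "C:\" prefix of each path.</param>
        /// <param name="destino">Dictionary that receives value name -> rewritten path.</param>
        private static void CopiarPastasDaChave(RegistryKey chave, string origem, Dictionary <string, string> destino)
        {
            if (chave == null)
            {
                return;
            }

            foreach (string nome in Lib.Configuracoes.NomeDeChavesDoRegistroComAsPastasAExcluir)
            {
                // GetValue returns null when the value does not exist in this hive;
                // calling ToString() on it directly would throw NullReferenceException.
                object bruto = chave.GetValue(nome);
                if (bruto == null)
                {
                    continue;
                }

                string valor = bruto.ToString();
                if (valor == "")
                {
                    continue;
                }

                // NOTE(review): when p is true these paths come from another user's hive,
                // i.e. data that user controls. Callers that skip or delete folders based
                // on them should canonicalize the path and confirm it stays under origem.
                destino.Add(nome, valor.Replace("C:\\", origem));
            }
        }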
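    /// <summary>
    /// Prints outbound RDP connection history for every user profile: mounts each
    /// profile's NTUSER.DAT under HKEY_USERS (for users that are not logged on),
    /// dumps the per-SID registry history, releases the hives it mounted, then
    /// scans each profile's Documents folder for saved *.rdp files.
    /// </summary>
    static void ListRDPOutConnections()
    {
        Console.WriteLine("RDP外连:");

        List <string> sids = new List <string>(Registry.Users.GetSubKeyNames());
        // Hives mounted by this call, tracked explicitly so every one of them is
        // released even if dumping a later SID throws. A hive left loaded keeps that
        // user's NTUSER.DAT locked and breaks their next logon.
        List <string> mounted = new List <string>();

        // Load NTUSER.DAT
        foreach (string dic in Directory.GetDirectories(prefix))
        {
            try
            {
                string subkey = "S-123456789-" + dic.Replace(prefix, "");
                string sid    = RegistryInterop.Load(subkey, $@"{dic}\NTUSER.DAT");
                sids.Add(sid);
                mounted.Add(sid);
            }
            catch
            {
                // Best effort: no NTUSER.DAT in this directory, hive already in use
                // (user logged on) or insufficient privilege — skip the profile.
                continue;
            }
        }

        try
        {
            // Dump RDP Connection History From Registry
            foreach (string sid in sids)
            {
                // Ordinal: key names are identifiers, not linguistic text.
                if (!sid.StartsWith("S-", StringComparison.Ordinal)
                    || sid.EndsWith("Classes", StringComparison.Ordinal)
                    || sid.Length < 10)
                {
                    continue;
                }

                Dictionary <string, Out> history = GetRegistryValues(sid);
                PrintRDPOutHistory(history, sid);
            }
        }
        finally
        {
            foreach (string sid in mounted)
            {
                try
                {
                    UnLoadHive(sid);
                }
                catch
                {
                    // Keep releasing the remaining hives even if one unload fails.
                }
            }
        }

        // Dump RDP Connection History From RDP Files
        foreach (string dic in Directory.GetDirectories(prefix))
        {
            try
            {
                foreach (string file in Directory.GetFiles($@"{dic}\Documents\", "*.rdp"))
                {
                    Dictionary <string, Out> history = GetRdpFileValues(file);
                    PrintRDPOutHistory(history, file);
                }
            }
            catch
            {
                // Profile without a Documents folder or without read access — skip it.
                continue;
            }
        }
    }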
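    /// <summary>
    /// Prints outbound RDP connection history for every user profile: mounts each
    /// profile's NTUSER.DAT under HKEY_USERS (for users that are not logged on),
    /// prints the registry history found for each SID, and releases the hives it
    /// mounted before returning.
    /// </summary>
    static void ListRDPOutConnections()
    {
        Console.WriteLine("RDP外连:");

        List <string> sids = new List <string>(Registry.Users.GetSubKeyNames());
        // Hives mounted by this call, tracked explicitly so every one of them is
        // released even if dumping a later SID throws. A hive left loaded keeps that
        // user's NTUSER.DAT locked and breaks their next logon.
        List <string> mounted = new List <string>();

        // Load NTUSER.DAT
        foreach (string dic in Directory.GetDirectories(prefix))
        {
            try
            {
                string subkey = "S-123456789-" + dic.Replace(prefix, "");
                string sid    = RegistryInterop.Load(subkey, $@"{dic}\NTUSER.DAT");
                sids.Add(sid);
                mounted.Add(sid);
            }
            catch
            {
                // Best effort: no NTUSER.DAT in this directory, hive already in use
                // (user logged on) or insufficient privilege — skip the profile.
                continue;
            }
        }

        try
        {
            // Dump RDP Connection History
            foreach (string sid in sids)
            {
                // Ordinal: key names are identifiers, not linguistic text.
                if (!sid.StartsWith("S-", StringComparison.Ordinal)
                    || sid.EndsWith("Classes", StringComparison.Ordinal)
                    || sid.Length < 10)
                {
                    continue;
                }

                Dictionary <string, string> history = GetRegistryValues(sid);
                if (history.Count == 0)
                {
                    continue;
                }

                Console.WriteLine($"{sid}:");
                foreach (var item in history)
                {
                    Console.WriteLine($"{item.Key}\t{item.Value}");
                }
                Console.WriteLine();
            }
        }
        finally
        {
            foreach (string sid in mounted)
            {
                try
                {
                    UnLoadHive(sid);
                }
                catch
                {
                    // Keep releasing the remaining hives even if one unload fails.
                }
            }
        }
    }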