/// <summary>
/// apply registry security settings to user profiles
/// </summary>
/// <param name="where"></param>
/// <param name="keyname"></param>
/// <param name="username"></param>
/// <returns></returns>
public static Boolean RegSec(pInvokes.structenums.RegistryLocation where, string keyname, string username)
{
try
{
IdentityReference UserIRef = new NTAccount(String.Format("{0}\\{1}", Environment.MachineName, username));
SecurityIdentifier UserSid = (SecurityIdentifier)UserIRef.Translate(typeof(SecurityIdentifier));
using (RegistryKey key = pInvokes.GetRegistryLocation(where).OpenSubKey(keyname, true))
{
RegistrySecurity keySecurity = key.GetAccessControl(AccessControlSections.Access);
string SDDL = keySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);
//LibraryLogging.Info(SDDL);
foreach (RegistryAccessRule user in keySecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
{
//LibraryLogging.Info("registry ACE user: {0} {1} {2}", key.Name, user.InheritanceFlags.ToString(), user.IdentityReference.Value);
if (user.IdentityReference.Value.StartsWith("S-1-5-21-") && !user.IdentityReference.Value.Equals(UserIRef.Value))
{
//LibraryLogging.Info("mod registry ACE:{0} from unknown user:{1} to {2} {3} {4}", key.Name, user.IdentityReference.Value, username, user.RegistryRights.ToString(), user.AccessControlType.ToString());
SDDL = SDDL.Replace(user.IdentityReference.Value, UserSid.Value);
//LibraryLogging.Info(SDDL);
keySecurity.SetSecurityDescriptorSddlForm(SDDL);
key.SetAccessControl(keySecurity);
break;
}
}
foreach (string subkey in key.GetSubKeyNames())
{
if (!RegSec(where, keyname + "\\" + subkey, username))
{
return(false);
}
}
}
}
catch (SystemException ex)
{
LibraryLogging.Warn("RegSec:{0} Warning {1}", keyname, ex.Message);
}
catch (Exception ex)
{
LibraryLogging.Error("RegSec:{0} Error:{1}", keyname, ex.Message);
return(false);
}
return(true);
}
public void ReplaceRegistry(string rootKey, bool recursive)
{
ActionObserver.NotifyAction("Search/Replace SID", "Registry", rootKey, Hostname);
try {
RegistryKey key = Tools.WinTool.OpenKey(Hostname, rootKey);
try {
RegistrySecurity security = key.GetAccessControl(AccessControlSections.All);
string sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
foreach (Tuple <SecurityIdentifier, SecurityIdentifier> item in ReplaceList)
{
string searchItem = item.Item1.ToString();
string replaceItem = item.Item2.ToString();
string newSddl = sddl.Replace(searchItem, replaceItem);
if (newSddl != sddl)
{
ActionObserver.NotifyInformation(
"RegistryKey '{0}' replaced '{1}' with '{2}'",
rootKey, searchItem, replaceItem
);
}
sddl = newSddl;
}
security.SetSecurityDescriptorSddlForm(sddl, AccessControlSections.All);
key.SetAccessControl(security);
} catch (Exception error) {
ActionObserver.NotifyError("Unable to search SIDs on registry key '{0}' due to error '{1}'", rootKey, error.Message);
}
if (recursive)
{
foreach (string subKey in Tools.WinTool.GetSubKeys(Hostname, rootKey))
{
if (Tools.WinTool.KeyExists(Hostname, subKey))
{
ReplaceRegistry(subKey, recursive);
}
else
{
ActionObserver.NotifyWarning("Unable to access key '{0}'", subKey);
}
}
}
} catch (Exception error) {
ActionObserver.NotifyError("Unable to search/replace SIDs on registry key '{0}' due to error='{1}'", rootKey, error.Message);
}
}
/// <summary>
/// apply registry security settings to user profiles
/// </summary>
public static bool RegSec(Abstractions.WindowsApi.pInvokes.structenums.RegistryLocation where, string keyname, SecurityIdentifier userSid)
{
try
{
using (RegistryKey key = Abstractions.WindowsApi.pInvokes.GetRegistryLocation(where).OpenSubKey(keyname, true))
{
RegistrySecurity keySecurity = key.GetAccessControl(AccessControlSections.Access);
string sddl = keySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.All);
foreach (RegistryAccessRule user in keySecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
if (user.IdentityReference.Value.StartsWith("S-1-5-21-") && !user.IdentityReference.Value.Equals(userSid.Value))
{
sddl = sddl.Replace(user.IdentityReference.Value, userSid.Value);
keySecurity.SetSecurityDescriptorSddlForm(sddl);
key.SetAccessControl(keySecurity);
break;
}
}
foreach (string subkey in key.GetSubKeyNames())
{
if (!RegSec(where, keyname + "\\" + subkey, userSid))
{
return(false);
}
}
}
}
catch (SystemException ex)
{
Log.WarnFormat("RegSec:{0} Warning {1}", keyname, ex.Message);
}
catch (Exception ex)
{
Log.ErrorFormat("RegSec:{0} Error:{1}", keyname, ex.Message);
return(false);
}
return(true);
}
static void Query(string Computer, string KeyName, string ValueName, string SearchTeam)
{
try
{
RegistryKey hive;
if (Computer.ToUpper() != "LOCAL")
{
hive = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, Computer, RegistryView.Default);
}
else
{
hive = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Default);
}
var key = hive.OpenSubKey(KeyName);
if (ValueName.ToUpper() == "COUNT")
{
try
{
Console.WriteLine("\nThere are {0} subkeys under {1}.", key.SubKeyCount.ToString(), key.Name);
hive.Close();
return;
}
catch { } // Used to ignore exceptions
}
else if (ValueName.ToUpper() == "PERMS")
{
try
{
RegistrySecurity registrySecurity = key.GetAccessControl();
Console.WriteLine("\n{0}\n", key.Name);
Console.WriteLine("[*] None:\n{0}\n", registrySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.None));
Console.WriteLine("[*] Audit:\n{0}\n", registrySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Audit));
Console.WriteLine("[*] Access:\n{0}\n", registrySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
Console.WriteLine("[*] Group:\n{0}\n", registrySecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Group));
var rules = registrySecurity.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
foreach (var rule in rules.Cast <AuthorizationRule>())
{
Console.WriteLine("{0}", rule.IdentityReference.Value);
}
hive.Close();
return;
}
catch { } // Used to ignore exceptions
}
else if (ValueName.ToUpper() == "ALL")
{
Console.WriteLine();
foreach (string oVal in key.GetValueNames())
{
Console.WriteLine(" {0} REG_{1} {2}", oVal, key.GetValueKind(oVal).ToString().ToUpper(), key.GetValue(oVal).ToString());
}
Console.WriteLine();
foreach (string oSubKey in key.GetSubKeyNames())
{
Console.WriteLine("{0}\\{1}", KeyName, oSubKey);
}
hive.Close();
return;
}
else if (ValueName.ToUpper() == "RECURSE")
{
Console.WriteLine();
foreach (string oVal in key.GetValueNames())
{
Console.WriteLine(" {0} REG_{1} {2}", oVal, key.GetValueKind(oVal).ToString().ToUpper(), key.GetValue(oVal).ToString());
}
Console.WriteLine();
foreach (string oSubKey in key.GetSubKeyNames())
{
Console.WriteLine("{0}\\{1}", KeyName, oSubKey);
Console.WriteLine();
var skey = hive.OpenSubKey(KeyName + "\\" + oSubKey);
foreach (string osVal in skey.GetValueNames())
{
Console.WriteLine(" {0} REG_{1} {2}", osVal, skey.GetValueKind(osVal).ToString().ToUpper(), skey.GetValue(osVal).ToString());
}
Console.WriteLine();
}
hive.Close();
return;
}
else if (ValueName.ToUpper() == "GREP")
{
Console.WriteLine();
foreach (string oVal in key.GetValueNames())
{
if (oVal.Contains(SearchTeam))
{
try
{
Console.WriteLine(" {0} REG_{1} {2}", oVal, key.GetValueKind(oVal).ToString().ToUpper(), key.GetValue(oVal).ToString());
}
catch { } // Used to ignore exceptions
}
}
Console.WriteLine();
foreach (string oSubKey in key.GetSubKeyNames())
{
if (oSubKey.Contains(SearchTeam))
{
Console.WriteLine("{0}\\{1}", KeyName, oSubKey);
}
try
{
var skey = hive.OpenSubKey(KeyName + "\\" + oSubKey);
foreach (string osVal in skey.GetValueNames())
{
try
{
if (osVal.Contains(SearchTeam) || skey.GetValue(osVal).ToString().Contains(SearchTeam))
{
Console.WriteLine("\n{0}\\{1}", KeyName, oSubKey);
Console.WriteLine("\n {0} REG_{1} {2}", osVal, skey.GetValueKind(osVal).ToString().ToUpper(), skey.GetValue(osVal).ToString());
}
}
catch { } // Used to ignore exceptions
}
}
catch { } // Used to ignore exceptions
}
Console.WriteLine();
hive.Close();
return;
}
else
{
if (key.GetValueKind(ValueName).ToString().ToUpper() == "BINARY")
{
byte[] BinData = (byte[])key.GetValue(ValueName);
string BinString = BitConverter.ToString(BinData).Replace("-", "");;
Console.WriteLine("\n {0} REG_{1} {2}", ValueName, key.GetValueKind(ValueName).ToString().ToUpper(), BinString.ToString());
}
else if (key.GetValueKind(ValueName).ToString().ToUpper() == "MULTISTRING")
{
Console.WriteLine();
string[] tArray = (string[])key.GetValue(ValueName);
for (int i = 0; i < tArray.Length; i++)
{
Console.WriteLine(" {0} REG_{1} {2}", ValueName, key.GetValueKind(ValueName).ToString().ToUpper(), tArray[i]);
}
}
else
{
Console.WriteLine("\n {0} REG_{1} {2}", ValueName, key.GetValueKind(ValueName).ToString().ToUpper(), key.GetValue(ValueName).ToString());
}
hive.Close();
return;
}
}
catch (Exception e)
{
Console.WriteLine("\n [!] {0}: {1}", e.GetType().Name, e.Message);
return;
}
}
public override string ToString()
{
return("SecDesc:" + _secDesc.GetSecurityDescriptorSddlForm(AccessControlSections.All) + " (refCount:" + _usageCount + ")");
}
