public static List <Autorunpoints> StartAudit()
{
List <Autorunpoints> xlselements = new List <Autorunpoints>();
try
{
string sysdrv = Environment.GetEnvironmentVariable("SystemDrive");
List <string> ls = RegistryUtil.GetUserProfiles();
if (ls != null && ls.Count > 0)
{
for (int i = 0; i < ls.Count; i++)
{
try
{
RegistryKey officeKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe");
if (officeKey != null)
{
string path = officeKey.GetValue(null).ToString();
string majorVersion = GetProductMajorVersion(path);
if (!majorVersion.EndsWith(".0"))
{
majorVersion += ".0";
}
string tempRegis = ls[i] + "\\Software\\Microsoft\\Office\\" + majorVersion + "\\Excel\\Security\\Trusted Locations\\";
RegistryKey trustedLocKey = Registry.Users.OpenSubKey(tempRegis);
if (trustedLocKey == null)
{
continue;
}
DateTime regMod = RegistryModified.lastWriteTime(trustedLocKey);
string[] trustedLocations = trustedLocKey.GetSubKeyNames();
foreach (var item in trustedLocations)
{
string slocation = tempRegis + item;
AddFiles(xlselements, slocation, regMod);
}
}
}
catch (Exception)
{
}
}
}
}
catch (Exception)
{
}
return(xlselements);
}
public static void GetCLSIDDetails(List <Autorunpoints> lstAutoRuns, string[] regdl, string owner, string type, string regModified)
{
if (regdl != null)
{
for (int i = 0; i < regdl.Length; i++)
{
Autorunpoints runPoint = new Autorunpoints();
runPoint.RegistryPath = "LocalMachine\\Software\\Classes\\CLSID\\" + regdl[i];
runPoint.RegistryValueName = "Default";
runPoint.RegistryValueString = RegistryUtil.GetStringSubValue("LocalMachine",
"Software\\Classes\\CLSID\\" + regdl[i], "", false);
runPoint.FilePath = RegistryUtil.GetStringSubValue("LocalMachine",
"Software\\Classes\\CLSID\\" + regdl[i] + "\\InprocServer32", "", false);
runPoint.IsRegistry = true;
runPoint.RegistryOwner = owner;
runPoint.RegistryModified = regModified;
runPoint.Type = type;
lstAutoRuns.Add(runPoint);
}
}
}
public static List <Autorunpoints> StartAudit()
{
var lstAutoRuns = new List <Autorunpoints>();
try
{
// DELAYLOAD
string regModified;
string[] regdl = RegistryUtil.GetSubValueNames("Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", false);
string owner = RegistryUtil.GetMachineRegKeyOwner("Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", false, out regModified);
GetCLSIDDetails(lstAutoRuns, regdl, owner, "ShellServiceObjectDelayLoad", regModified);
// DELAYLOAD 64
regdl = RegistryUtil.GetSubValueNames("Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", true);
owner = RegistryUtil.GetMachineRegKeyOwner("Software\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad", true, out regModified);
GetCLSIDDetails(lstAutoRuns, regdl, owner, "ShellServiceObjectDelayLoad", regModified);
}
catch (Exception)
{
}
return(lstAutoRuns);
}
public static List <Autorunpoints> StartAudit()
{
var lstAutoRuns = new List <Autorunpoints>();
try
{
///// BHO
string regModified;
string[] regbhos = RegistryUtil.GetSubKeys("LocalMachine", "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", false);
string owner = RegistryUtil.GetMachineRegKeyOwner("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", false, out regModified);
DelayedLoad.GetCLSIDDetails(lstAutoRuns, regbhos, owner, "Browser Helper Objects", regModified);
///// BHO 64
regbhos = RegistryUtil.GetSubKeys("LocalMachine", "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", true);
owner = RegistryUtil.GetMachineRegKeyOwner("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", true, out regModified);
DelayedLoad.GetCLSIDDetails(lstAutoRuns, regbhos, owner, "Browser Helper Objects", regModified);
}
catch (Exception)
{
return(lstAutoRuns);
}
return(lstAutoRuns);
}
private static void ReadHiveValue(string hive, string key, string valname, char[] delim, bool is64, bool type, string runtype, List <Autorunpoints> lstAutoRuns)
{
try
{
RegistryKey basekey = null;
RegistryKey runkey = null;
if (hive == "LocalMachine")
{
basekey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, is64 == true ? RegistryView.Registry64 : RegistryView.Registry32);
runkey = basekey.OpenSubKey(key);
}
else
{
RegistryKey runhive = Registry.Users.OpenSubKey(hive);
if (runhive != null)
{
runkey = runhive.OpenSubKey(key);
}
}
string owner = RegistryUtil.GetRegKeyOwner(runkey);
if (runkey != null)
{
try
{
string keyValue = Convert.ToString(runkey.GetValue(valname));
if (!string.IsNullOrEmpty(keyValue))
{
string[] vals = keyValue.Split(delim);
foreach (var valstring in vals)
{
Autorunpoints runPoint = new Autorunpoints();
runPoint.Type = "AppInit_Dlls";
if (hive == "LocalMachine")
{
runPoint.RegistryPath = "LocalMachine\\" + key;
}
else
{
runPoint.RegistryPath = hive + "\\" + key;
}
runPoint.RegistryValueName = valname;
runPoint.RegistryValueString = valstring;
runPoint.FilePath = valstring;
runPoint.RegistryOwner = owner;
lstAutoRuns.Add(runPoint);
}
}
}
catch (Exception)
{
}
}
if (basekey != null)
{
basekey.Close();
}
if (runkey != null)
{
runkey.Close();
}
}
catch (Exception)
{
}
}
public static List <InstalledApp> StartAudit()
{
var reginstalllist = new List <InstalledApp>();
try
{
string[] subkeys_wow = RegistryUtil.GetSubKeys("LocalMachine", "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", false);
if (subkeys_wow != null)
{
foreach (var sk in subkeys_wow)
{
InstalledApp rg = new InstalledApp();
string subk2_wow = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + sk.ToString();
rg.DisplayName = RegistryUtil.GetStringSubValue("LocalMachine", subk2_wow, "DisplayName", false);
if (string.IsNullOrEmpty(rg.DisplayName))
{
continue;
}
rg.Version = RegistryUtil.GetStringSubValue("LocalMachine", subk2_wow, "DisplayVersion", false);
rg.InstallDate = RegistryUtil.GetStringSubValue("LocalMachine", subk2_wow, "InstallDate", false);
rg.InstallDate = GetValidDate(rg.InstallDate);
rg.Key = "LocalMachine\\" + subk2_wow;
rg.Is64 = false;
reginstalllist.Add(rg);
}
}
////Proceed only for 64 bit
if (PlatformCheck.IsWow64())
{
string[] subkeys_64 = RegistryUtil.GetSubKeys("LocalMachine", "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall", true);
if (subkeys_64 != null)
{
foreach (var sk in subkeys_64)
{
InstalledApp rg = new InstalledApp();
string subk2_64 = "Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + sk.ToString();
rg.DisplayName = RegistryUtil.GetStringSubValue("LocalMachine", subk2_64, "DisplayName", true);
if (string.IsNullOrEmpty(rg.DisplayName))
{
continue;
}
rg.Version = RegistryUtil.GetStringSubValue("LocalMachine", subk2_64, "DisplayVersion", true);
rg.InstallDate = RegistryUtil.GetStringSubValue("LocalMachine", subk2_64, "InstallDate", true);
rg.InstallDate = GetValidDate(rg.InstallDate);
rg.Key = "LocalMachine\\" + subk2_64;
rg.Is64 = true;
reginstalllist.Add(rg);
}
}
}
List <string> regprof = RegistryUtil.GetRegProfiles();
foreach (var prf in regprof)
{
string[] users = RegistryUtil.GetSubKeys(prf, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", true);
if (users != null)
{
foreach (var sk in users)
{
InstalledApp rg = new InstalledApp();
string innnerKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" + sk.ToString();
rg.DisplayName = RegistryUtil.GetStringSubValue(prf, innnerKey, "DisplayName", true);
if (string.IsNullOrEmpty(rg.DisplayName))
{
continue;
}
rg.Version = RegistryUtil.GetStringSubValue(prf, innnerKey, "DisplayVersion", true);
rg.InstallDate = RegistryUtil.GetStringSubValue(prf, innnerKey, "InstallDate", true);
rg.InstallDate = GetValidDate(rg.InstallDate);
rg.Key = prf + "\\" + innnerKey;
reginstalllist.Add(rg);
}
}
}
}
catch (Exception)
{
}
return(reginstalllist);
}
private static void AuditHive(string hive, string run, bool is64, string runtype, List <Autorunpoints> regrunlist)
{
try
{
RegistryKey basekey = null;
RegistryKey runkey = null;
if (hive == "LocalMachine")
{
basekey = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, is64 == true ? RegistryView.Registry64 : RegistryView.Registry32);
runkey = basekey.OpenSubKey(run);
}
else
{
RegistryKey runhive = Registry.Users.OpenSubKey(hive);
if (runhive != null)
{
runkey = runhive.OpenSubKey(run);
}
}
string owner = string.Empty;
if (runkey != null)
{
DateTime regModified = RegistryModified.lastWriteTime(runkey);
owner = RegistryUtil.GetRegKeyOwner(runkey);
foreach (var value in runkey.GetValueNames())
{
Autorunpoints autoruns = new Autorunpoints();
try
{
string keyValue = Convert.ToString(runkey.GetValue(value));
if (hive == "LocalMachine")
{
autoruns.RegistryPath = "LocalMachine\\" + run;
}
else
{
autoruns.RegistryPath = hive + "\\" + run;
}
autoruns.RegistryValueString = keyValue;
autoruns.RegistryValueName = value;
if (!string.IsNullOrEmpty(autoruns.RegistryValueString))
{
string[] pathAndArgument = autoruns.RegistryValueString.Split(new string[] { " -", " /", " \"" }, 2, StringSplitOptions.RemoveEmptyEntries);
if (pathAndArgument.Length > 0)
{
autoruns.RegistryValueString = pathAndArgument[0].Replace("\"", string.Empty);
autoruns.FilePath = autoruns.RegistryValueString;
}
}
autoruns.IsRegistry = true;
autoruns.RegistryOwner = owner;
autoruns.RegistryModified = regModified.ToString(DBManager.DateTimeFormat);
autoruns.Type = runtype;
regrunlist.Add(autoruns);
}
catch (Exception)
{
}
}
if (basekey != null)
{
basekey.Close();
}
runkey.Close();
}
}
catch (Exception)
{
}
}
public static List <User> StartAudit()
{
int EntriesRead;
int TotalEntries;
int Resume;
IntPtr bufPtr;
List <User> lstUser = new List <User>();
UserProfileAuditor.NetUserEnum(null, 2, 0,
out bufPtr, -1, out EntriesRead, out TotalEntries, out Resume);
int err = Marshal.GetLastWin32Error();
List <string> lstProfiles = RegistryUtil.GetUserProfiles();
if (EntriesRead > 0)
{
UserProfileAuditor.USER_INFO_2[] Users = new UserProfileAuditor.USER_INFO_2[EntriesRead];
IntPtr iter = bufPtr;
for (int i = 0; i < EntriesRead; i++)
{
Users[i] = (UserProfileAuditor.USER_INFO_2)Marshal.PtrToStructure(iter, typeof(UserProfileAuditor.USER_INFO_2));
iter = (IntPtr)((int)iter + Marshal.SizeOf(typeof(UserProfileAuditor.USER_INFO_2)));
User user = new User();
user.UserName = Users[i].usri2_name;
string localGroup = string.Empty;
foreach (var item in GetLocalGroups(user.UserName))
{
localGroup += item + ";";
}
user.Groups = localGroup.TrimEnd(new char[] { ';' });
user.FullName = Users[i].usri2_full_name;
user.PasswordAge = Users[i].usri2_password_age.ToString();
user.Description = Users[i].usri2_comment;
user.LastLogin = GetTimeFormElaspedSeconds((uint)Users[i].usri2_last_logon);
user.IsDisabled = CheckFlagIsEnabled(Users[i].usri2_flags, UF_ACCOUNTDISABLE);
user.IsLocked = CheckFlagIsEnabled(Users[i].usri2_flags, UF_LOCKOUT);
user.PasswordRequired = !CheckFlagIsEnabled(Users[i].usri2_flags, UF_PASSWD_NOTREQD);
GetSidDetails(user);
if (lstProfiles.Contains(user.SID))
{
lstProfiles.Remove(user.SID);
}
lstUser.Add(user);
}
}
string serverName = GetDCName();
foreach (string item in lstProfiles)
{
string userName = string.Empty;
try
{
userName = new SecurityIdentifier(item).Translate(typeof(NTAccount)).ToString();
User user = new User();
user.UserName = userName;
string localGroup = string.Empty;
foreach (var group in GetLocalGroups(user.UserName))
{
localGroup += group + ";";
}
user.Groups = localGroup.TrimEnd(new char[] { ';' });
string[] usersNme = user.UserName.Split(new char[] { '\\' }, StringSplitOptions.RemoveEmptyEntries);
GetSidDetails(user);
try
{
if (!string.IsNullOrEmpty(serverName))
{
USER_INFO_2 userInfo2 = GetDomainUserInfo(serverName, user.UserName);
user.FullName = userInfo2.usri2_full_name;
user.FullName = userInfo2.usri2_full_name;
user.PasswordAge = userInfo2.usri2_password_age.ToString();
user.Description = userInfo2.usri2_comment;
user.LastLogin = GetTimeFormElaspedSeconds((uint)userInfo2.usri2_last_logon);
user.IsDisabled = CheckFlagIsEnabled(userInfo2.usri2_flags, UF_ACCOUNTDISABLE);
user.IsLocked = CheckFlagIsEnabled(userInfo2.usri2_flags, UF_LOCKOUT);
user.PasswordRequired = !CheckFlagIsEnabled(userInfo2.usri2_flags, UF_PASSWD_NOTREQD);
}
}
catch (Exception)
{
}
lstUser.Add(user);
}
catch (Exception)
{
}
}
UserProfileAuditor.NetApiBufferFree(bufPtr);
return(lstUser);
}
