-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathUserAssist.ps1
More file actions
118 lines (85 loc) · 4.29 KB
/
UserAssist.ps1
File metadata and controls
118 lines (85 loc) · 4.29 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
function Get-CSUserAssist {
<#
.SYNOPSIS
Retrieves and parses user assist entries.
Author: Jesse Davis (@secabstraction)
License: BSD 3-Clause
.DESCRIPTION
Get-CSUserAssist retrieves and parses user assist entry information stored in the registry.
.PARAMETER CimSession
Specifies the CIM session to use for this cmdlet. Enter a variable that contains the CIM session or a command that creates or gets the CIM session, such as the New-CimSession or Get-CimSession cmdlets. For more information, see about_CimSessions.
.EXAMPLE
Get-CSUserAssist
.EXAMPLE
Get-CSUserAssist -CimSession $CimSession
.OUTPUTS
CimSweep.UserAssistEntry
Outputs objects consisting of relevant user assist information. Note: the LastExecutedTime of this object is a UTC datetime string in Round-trip format.
#>
[CmdletBinding()]
[OutputType('CimSweep.UserAssistEntry')]
param (
[Alias('Session')]
[ValidateNotNullOrEmpty()]
[Microsoft.Management.Infrastructure.CimSession[]]
$CimSession
)
begin {
# If a CIM session is not provided, trick the function into thinking there is one.
if (-not $PSBoundParameters['CimSession']) {
$CimSession = ''
$CIMSessionCount = 1
} else {
$CIMSessionCount = $CimSession.Count
}
$CurrentCIMSession = 0
}
process {
foreach ($Session in $CimSession) {
$ComputerName = $Session.ComputerName
if (-not $Session.ComputerName) { $ComputerName = 'localhost' }
# Display a progress activity for each CIM session
Write-Progress -Id 1 -Activity 'CimSweep - UserAssist sweep' -Status "($($CurrentCIMSession+1)/$($CIMSessionCount)) Current computer: $ComputerName" -PercentComplete (($CurrentCIMSession / $CIMSessionCount) * 100)
$CurrentCIMSession++
$CommonArgs = @{}
if ($Session.Id) { $CommonArgs['CimSession'] = $Session }
$UserSids = Get-HKUSID @CommonArgs
foreach ($Sid in $UserSids) {
$Parameters = @{
Hive = 'HKU'
SubKey = "$Sid\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
Recurse = $true
}
Get-CSRegistryKey @Parameters @CommonArgs | Where-Object { $_.SubKey -like "*Count" } | Get-CSRegistryValue @CommonArgs | ForEach-Object {
# Decrypt Rot13 from https://github.com/StackCrash/PoshCiphers
# truncated && streamlined algorithm a little
$PlainCharList = New-Object Collections.Generic.List[char]
foreach ($CipherChar in $_.ValueName.ToCharArray()) {
switch ($CipherChar) {
{ $_ -ge 65 -and $_ -le 90 } { $PlainCharList.Add((((($_ - 65 - 13) % 26 + 26) % 26) + 65)) } # Uppercase characters
{ $_ -ge 97 -and $_ -le 122 } { $PlainCharList.Add((((($_ - 97 - 13) % 26 + 26) % 26) + 97)) } # Lowercase characters
default { $PlainCharList.Add($CipherChar) } # Pass through symbols and numbers
}
}
$ValueContent = $_.ValueContent
# Parse LastExecutedTime from binary data
$FileTime = switch ($ValueContent.Count) {
8 { [datetime]::FromFileTime(0) }
16 { [datetime]::FromFileTime([BitConverter]::ToInt64($ValueContent[8..15],0)) }
default { [datetime]::FromFileTime([BitConverter]::ToInt64($ValueContent[60..67],0)) }
}
$ObjectProperties = [ordered] @{
PSTypeName = 'CimSweep.UserAssistEntry'
Name = -join $PlainCharList
UserSid = $Sid
LastExecutedTime = $FileTime.ToUniversalTime().ToString('o')
}
if ($_.PSComputerName) { $ObjectProperties['PSComputerName'] = $_.PSComputerName }
[PSCustomObject]$ObjectProperties
}
}
}
}
end {}
}
Export-ModuleMember -Function Get-CSUserAssist