API tools faq
paste
Advertisement
Guest User

Untitled

a guest
May 21st, 2018
69
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PowerShell 2.20 KB | None | 0 0
raw download clone embed print report
  1. #Function for checking the registry key recursively
  2. Function Get-AllItemsFromRegistry($RegItem)
  3. {
  4.     #First we print the RegItem name into file, so we know what is coming
  5.     $RegItem >> $fileName
  6.     #Call Get-Item funciton with the parameter passed, send output to the file
  7.     Get-Item $RegItem -ErrorAction SilentlyContinue >> $fileName
  8.     #Call Get-ChildItem funciton with the parameter passed and with the Recurse option, send output to the file
  9.     Get-ChildItem $RegItem -Recurse -ErrorAction SilentlyContinue >> $fileName
  10. }
  11.  
  12. #Get the output file's name from user
  13. [string]$fileName = Read-Host -Prompt "Output file: "
  14. #Overwrite file with the current date and time, if file exsists
  15. Get-Date > $fileName
  16. #Map HKU drive, just in case it is not mapped
  17. New-PSDrive -Name HKU -PSProvider Registry HKEY_USERS -ErrorAction SilentlyContinue > $null
  18. #Call function (defined above) to log the registry entries
  19. Get-AllItemsFromRegistry -RegItem HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  20. Get-AllItemsFromRegistry -RegItem HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  21. Get-AllItemsFromRegistry -RegItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
  22. Get-AllItemsFromRegistry -RegItem HKLM:\SYSTEM\CurrentControlSet\Services
  23. Get-AllItemsFromRegistry -RegItem HKLM:\SYSTEM\CurrentControlSet\Enum\
  24. Get-AllItemsFromRegistry -RegItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles'
  25.  
  26. #Get all the items from HKU where the name starts with S-1-5-21 and ends with 4 any numbers
  27. Get-ChildItem HKU: | Where-Object {$_.Name -match "S-1-5-21-.*\d{4}$"} | ForEach-Object -Process {
  28.     #Assign .Name's value to SIDI variable
  29.     $SIDI = $($_.name)
  30.     #Replace HKEY_USERS to HKU: in SIDI variable
  31.     $SIDI = $SIDI -replace "HKEY_USERS","HKU:"
  32.     #Call our function with the following parameters
  33.     Get-AllItemsFromRegistry -RegItem "$SIDI\Software\Microsoft\Windows\CurrentVersion\Run"
  34.     Get-AllItemsFromRegistry -RegItem "$SIDI\Software\Microsoft\Windows\CurrentVersion\RunOnce"
  35.     Get-AllItemsFromRegistry -RegItem "$SIDI\Software\Microsoft\Internet Explorer\TypedURLs"
  36. }
  37. #We print !DONE! Because we want to now when we are done
  38. Write-Output "!DONE!"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!