RegScanner.ps1
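<#
.SYNOPSIS
    Searches HKLM and HKU for a keyword and logs the registry path of each match.

.DESCRIPTION
    Compiles a small C# helper (RegistryScanner) with Add-Type and runs it against
    HKEY_LOCAL_MACHINE and HKEY_USERS. The keyword is checked against subkey names,
    value names and string-typed value data (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ).
    Only the registry path of a match is written to the log, never the data itself,
    so the log does not become a copy of whatever the keyword was found in.

    Keys the current account cannot open are counted and the total is reported at
    the end of the log instead of being dropped silently. Run from an elevated
    session for full coverage; the SAM hive is always skipped.

.PARAMETER Keyword
    Substring to search for. Matching is ordinal and case-sensitive (String.Contains).
    An empty keyword is rejected because it would match every key in the registry.

.PARAMETER LogPath
    File that results are appended to (created if missing). The default is a
    machine-wide temp directory that other local accounts can usually read; pass a
    path under your own profile if the scan results are sensitive.

.EXAMPLE
    .\RegScanner.ps1 -Keyword 'ExampleWord' -LogPath "$env:TEMP\registry_scan_results.log"
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string]$Keyword,

    [ValidateNotNullOrEmpty()]
    [string]$LogPath = 'C:\windows\temp\registry_scan_results.log'
)

# Single-quoted here-string: PowerShell expands nothing inside it, so the C# below
# may use $, backticks and quotes without escaping.
$csharpCode = @'
using System;
using System.IO;
using System.Security;
using System.Security.Principal;
using Microsoft.Win32;
using System.Collections.Generic;

/// <summary>
/// Walks HKEY_LOCAL_MACHINE and HKEY_USERS looking for a keyword in subkey names,
/// value names and string-typed value data, appending the path of each hit to a log.
/// Written for the C# 5 compiler that Windows PowerShell's Add-Type uses.
/// </summary>
public class RegistryScanner
{
    /// <summary>Log file used by the one-argument overload.</summary>
    public const string DefaultLogPath = @"C:\windows\temp\registry_scan_results.log";

    /// <summary>
    /// Scans the registry for <paramref name="keyword"/> and appends results to
    /// <see cref="DefaultLogPath"/>. Kept so existing callers of the original
    /// one-argument signature keep working.
    /// </summary>
    public static void ScanRegistryForKeyword(string keyword)
    {
        ScanRegistryForKeyword(keyword, DefaultLogPath);
    }

    /// <summary>
    /// Scans the registry for <paramref name="keyword"/> and appends results to
    /// <paramref name="logPath"/>.
    /// </summary>
    /// <param name="keyword">Substring to look for; matched ordinally and case-sensitively.</param>
    /// <param name="logPath">File the results are appended to; created if missing.</param>
    /// <exception cref="ArgumentException">keyword or logPath is null or empty.</exception>
    /// <remarks>
    /// Only the registry path of each match is logged, never the value data. Keys
    /// that cannot be opened are counted and the count is written at the end of
    /// the run so the reader knows how complete the scan was.
    /// </remarks>
    public static void ScanRegistryForKeyword(string keyword, string logPath)
    {
        if (string.IsNullOrEmpty(keyword))
        {
            // "abc".Contains("") is true, so an empty keyword would log every key.
            throw new ArgumentException("keyword must not be null or empty", "keyword");
        }
        if (string.IsNullOrEmpty(logPath))
        {
            throw new ArgumentException("logPath must not be null or empty", "logPath");
        }

        using (StreamWriter writer = new StreamWriter(logPath, true))
        {
            writer.WriteLine("[+] Scanning Registry for keyword: " + keyword);

            var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
            if (!principal.IsInRole(WindowsBuiltInRole.Administrator))
            {
                writer.WriteLine("[INFO] Running Scanner with limited privileges. This may restrict the scan results. Please run as administrator.");
            }

            int skipped = 0;
            RegistryKey[] roots = { Registry.LocalMachine, Registry.Users };
            foreach (RegistryKey root in roots)
            {
                ScanRegistryKey(root, keyword, writer, ref skipped);
            }

            // Tell the reader how much of the registry the account could not see.
            writer.WriteLine("[INFO] Keys skipped because they could not be opened: " + skipped);
        }
    }

    /// <summary>
    /// Recursively scans <paramref name="root"/>. Access failures on any key are
    /// counted in <paramref name="skipped"/> and the walk continues with its siblings.
    /// </summary>
    private static void ScanRegistryKey(RegistryKey root, string keyword, StreamWriter writer, ref int skipped)
    {
        if (root == null)
        {
            return;
        }

        string[] subKeyNames;
        try
        {
            subKeyNames = root.GetSubKeyNames();
        }
        catch (SecurityException) { skipped++; return; }
        catch (UnauthorizedAccessException) { skipped++; return; }
        catch (IOException) { skipped++; return; }

        foreach (string subKeyName in subKeyNames)
        {
            // The SAM hive is normally readable only by SYSTEM, so it is excluded
            // up front instead of failing on every run.
            if (subKeyName.Equals("SAM", StringComparison.OrdinalIgnoreCase))
            {
                continue;
            }

            try
            {
                using (RegistryKey subKey = root.OpenSubKey(subKeyName))
                {
                    if (subKey == null)
                    {
                        skipped++;
                        continue;
                    }

                    // Match on the leaf name only. Matching on subKey.Name (the full
                    // path) would also report every descendant of a matching key.
                    if (subKeyName.Contains(keyword))
                    {
                        writer.WriteLine("[+] Found keyword in key: " + subKey.Name);
                    }

                    ScanValues(subKey, keyword, writer);
                    ScanRegistryKey(subKey, keyword, writer, ref skipped);
                }
            }
            catch (SecurityException) { skipped++; }
            catch (UnauthorizedAccessException) { skipped++; }
            catch (IOException) { skipped++; }
        }
    }

    /// <summary>
    /// Reports value names and value data under <paramref name="key"/> that contain
    /// the keyword. Only the registry path is written, never the data.
    /// </summary>
    private static void ScanValues(RegistryKey key, string keyword, StreamWriter writer)
    {
        foreach (string valueName in key.GetValueNames())
        {
            object data = key.GetValue(valueName);
            if (data == null)
            {
                continue;
            }

            if (valueName.Contains(keyword) || DataContains(data, keyword))
            {
                writer.WriteLine("[+] Found keyword in value: " + key.Name + "\\" + valueName);
            }
        }
    }

    /// <summary>
    /// True when the value data contains the keyword. REG_MULTI_SZ comes back as
    /// string[], whose ToString() is just "System.String[]", so each element is
    /// checked individually. REG_BINARY (byte[]) is not decoded because its
    /// encoding is value-specific; such values only match on their name.
    /// </summary>
    private static bool DataContains(object data, string keyword)
    {
        string[] multi = data as string[];
        if (multi != null)
        {
            foreach (string item in multi)
            {
                if (item != null && item.Contains(keyword))
                {
                    return true;
                }
            }
            return false;
        }

        return data.ToString().Contains(keyword);
    }
}
'@

# Add-Type throws if the type already exists in this session, so guard the
# compile step to keep the script re-runnable. A RegistryScanner compiled from a
# different version of this script needs a fresh session.
if (-not ('RegistryScanner' -as [type])) {
    Add-Type -TypeDefinition $csharpCode -Language CSharp
}

[RegistryScanner]::ScanRegistryForKeyword($Keyword, $LogPath)
Write-Host "[+] Results appended to $LogPath"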