ListAllUsers.ps1
<#
.SYNOPSIS
This script lists the RDP connection history of every user.
For a user who is not logged in, it first uses "reg load" to load that user's hive,
then reads the RDP connection history from HKEY_USERS,
and finally uses "reg unload" to unload the hive.
The script performs these steps automatically; no GUI is needed. :)
Author: 3gstudent@3gstudent
License: BSD 3-Clause
#>
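# Walk every account returned by Win32_UserAccount and print the RDP client
# history ("Terminal Server Client\Servers") recorded in that account's hive.
# If the hive is not mounted under HKEY_USERS, it is loaded from NTUSER.DAT
# with "reg load", read, and then unloaded again.
# NOTE(review): "reg load" normally requires an elevated session; without one,
# the offline branch is expected to report "[!]Fail to load Hive".
$AllUser = Get-WmiObject -Class Win32_UserAccount
foreach ($User in $AllUser)
{
    $RegPath = "Registry::HKEY_USERS\" + $User.SID + "\Software\Microsoft\Terminal Server Client\Servers\"
    Write-Host "User:"$User.Name
    Write-Host "SID:"$User.SID
    Write-Host "Status:"$User.Status

    # Tracks whether this iteration mounted a hive, so it is unloaded exactly once.
    $HiveLoaded = $false
    $Path = "HKEY_USERS\" + $User.SID

    # First attempt: the hive is already mounted (user has a live session).
    $QueryPath = dir $RegPath -Name -ErrorAction SilentlyContinue
    $HaveHistory = $?

    If (!$HaveHistory)
    {
        Write-Host "[!]Not logged in"
        Write-Host "[*]Try to load Hive"
        # Assumes the profile directory is named after the account and is
        # reachable under this legacy path - confirm on the target OS version.
        $File = "C:\Documents and Settings\" + $User.Name + "\NTUSER.DAT"
        Write-Host "[+]Path:"$Path
        Write-Host "[+]File:"$File
        Reg load $Path $File
        If (!$?)
        {
            Write-Host "[!]Fail to load Hive"
            Write-Host "[!]No RDP Connections History"
        }
        Else
        {
            $HiveLoaded = $true
            $QueryPath = dir $RegPath -Name -ErrorAction SilentlyContinue
            $HaveHistory = $?
            If (!$HaveHistory)
            {
                Write-Host "[!]No RDP Connections History"
            }
        }
    }

    Try
    {
        # Print each server once. The original printed the entries of a freshly
        # loaded hive twice: once before the unload and again in a trailing
        # loop that raced the asynchronous unload.
        If ($HaveHistory)
        {
            foreach ($Name in $QueryPath)
            {
                Try
                {
                    # Separate variable: the original reused $User here and
                    # overwrote the account object being iterated.
                    $UsernameHint = (Get-ItemProperty -Path $RegPath$Name -ErrorAction Stop).UsernameHint
                    Write-Host "Server:"$Name
                    Write-Host "User:"$UsernameHint
                }
                Catch
                {
                    Write-Host "[!]No RDP Connections History"
                }
            }
        }
    }
    Finally
    {
        # Always unload a hive this iteration mounted, even when reading it
        # failed, so another user's NTUSER.DAT is not left mounted.
        If ($HiveLoaded)
        {
            Write-Host "[*]Try to unload Hive"
            # The unload runs in a separate hidden process and is not waited
            # on, so its result is never checked here.
            # NOTE(review): if it fails the hive stays mounted under
            # HKEY_USERS; confirm afterwards with "reg query HKU".
            Start-Process powershell.exe -WindowStyle Hidden -ArgumentList "Reg unload $Path"
        }
    }

    Write-Host "----------------------------------"
}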