#-----------------------------------------------------------
# uac.pl
# Gets the User Account Control (UAC) settings from the SOFTWARE hive file
#
# Change history
# 20130213 Created
#
# References
#
# UAC Group Policy Settings and Registry Key Settings http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx
#
# Plugin was created from the banner plugin authored by Special Agent Brook William Minnick
# Written By:
#
# Corey Harrell (Journey Into IR)
#-----------------------------------------------------------
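package uac;
use strict;
use warnings;

# Plugin metadata read by the host through getConfig(), getHive() and
# getVersion(): the hive the plugin expects, the OS mask, which descriptor
# subs are populated, and the plugin version.
my %config = (hive          => "Software",
              osmask        => 22,
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              version       => 20130213);

# Returns the plugin configuration as a flat list of key/value pairs
# (a copy; callers cannot modify %config through it).
sub getConfig{return %config}
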
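# One-line description printed in the report banner by pluginmain.
# Single quotes are deliberate: inside a double-quoted string "\S", "\M",
# "\W", "\C" and "\P" are unrecognized escapes, so the backslashes of the
# key path were silently dropped from the printed text.
sub getShortDescr {
    return 'Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';
}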
# No long description is provided (hasDescr is 0 in %config); returns
# an empty list, or undef in scalar context.
sub getDescr {
    return;
}
# No references are provided (hasRefs is 0 in %config); returns an empty
# list, or undef in scalar context.
sub getRefs {
    return;
}
# Name of the hive this plugin expects, as declared in %config.
sub getHive {
    my $hive_name = $config{hive};
    return $hive_name;
}
# Plugin version as declared in %config; pluginmain prints it in its
# log line and report banner.
sub getVersion {
    my $version = $config{version};
    return $version;
}

# Plugin version captured once at load time; pluginmain uses it for the
# "Launching uac" log line and the report banner.
my $VERSION = getVersion();

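# Entry point invoked by the host for the SOFTWARE hive.
#
# Parameters:
#   $class - the plugin package name (method-call convention; not used)
#   $hive  - path to the SOFTWARE hive file to parse
#
# Output goes through ::rptMsg (report) and ::logMsg (log): the banner,
# the LastWrite time of the UAC policy key, then each of the five UAC
# policy values with a legend of their documented meanings.  When the
# policy key is absent a "not found" line is reported and logged.  The
# return value is not meaningful.
#
# The hive comes from the system under examination, so every value read
# here is untrusted input: it is reported verbatim and never acted on.
sub pluginmain {
    my $class = shift;
    my $hive  = shift;
    ::logMsg("Launching uac v.".$VERSION);
    ::rptMsg("uac v.".$VERSION); # banner
    ::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    # Value name, policy title, and legend of documented meanings, in the
    # order they appear in the report.  Meanings are from the TechNet
    # reference cited in the file header.
    my @settings = (
        [ 'EnableLUA',
          'User Account Control: Run all administrators in Admin Approval Mode',
          [ '0 = Disabled',
            '1 = Enabled (Default)' ] ],
        [ 'EnableVirtualization',
          'User Account Control: Virtualize file and registry write failures to per-user locations',
          [ '0 = Disabled',
            '1 = Enabled (Default)' ] ],
        [ 'FilterAdministratorToken',
          'User Account Control: Admin Approval Mode for the built-in Administrator account',
          [ '0 = Disabled (Default)',
            '1 = Enabled' ] ],
        [ 'ConsentPromptBehaviorAdmin',
          'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode',
          [ '0 = Elevate without prompting',
            '1 = Prompt for credentials on the secure desktop',
            '2 = Prompt for consent on the secure desktop',
            '3 = Prompt for credentials',
            '4 = Prompt for consent',
            '5 = Prompt for consent for non-Windows binaries (Default)' ] ],
        [ 'ConsentPromptBehaviorUser',
          'User Account Control: Behavior of the elevation prompt for standard users',
          [ '0 = Automatically deny elevation requests',
            '1 = Prompt for consent on the secure desktop',
            '3 = Prompt for consent on the secure desktop (Default)' ] ],
    );

    my $key_path = "Microsoft\\Windows\\CurrentVersion\\policies\\system";
    my $key;
    if ($key = $root_key->get_subkey($key_path)) {
        ::rptMsg("UAC Information");
        ::rptMsg($key_path);
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
        ::rptMsg("");

        for my $setting (@settings) {
            _report_uac_value($key, @{$setting});
            ::rptMsg("");   # blank separator after every value block
        }
    }
    else {
        ::rptMsg($key_path." not found.");
        ::logMsg($key_path." not found.");
    }
}

# Reports one UAC policy value beneath $key.
#
# Parameters:
#   $key      - the policies\system key object
#   $name     - registry value name to read
#   $policy   - policy title printed above the legend
#   $meanings - array ref of "N = meaning" legend lines
#
# Prints "<name> value = <data>" followed by the policy title and the
# legend, or "<name> value not found." when the value cannot be read.
# Any die inside the eval (a missing value, but also one that fails to
# parse) ends up reported as "not found".  The data is evidence-controlled
# and is printed as-is.
sub _report_uac_value {
    my ($key, $name, $policy, $meanings) = @_;
    my $data;
    eval {
        $data = $key->get_value($name)->get_data();
    };
    if ($@) {
        ::rptMsg($name." value not found.");
        return;
    }
    ::rptMsg($name." value = ".$data);
    ::rptMsg("");
    ::rptMsg($policy);
    for my $meaning (@{$meanings}) {
        ::rptMsg($meaning);
    }
    return;
}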

1;  # a required package file must end with a true value