diff --git a/trunk/report_templates/SAM_UserAccounts2.qs b/trunk/report_templates/SAM_UserAccounts2.qs
new file mode 100644
index 0000000..e06da1e
--- /dev/null
+++ b/trunk/report_templates/SAM_UserAccounts2.qs
@@ -0,0 +1,144 @@
+function fred_report_info() {
+ var info={report_cat : "SAM",
+ report_name : "User accounts as table",
+ report_author : "Gillen Daniel, Voncken Guy",
+ report_desc : "Dump Windows user accounts",
+ fred_api : 2,
+ hive : "SAM"
+ };
+ return info;
+}
+
+var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12;";
+var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
+
+function IsValid(val) {
+ return (typeof val!=='undefined');
+}
+
+function PrintTableHeaderCell(str) {
+ println(" <th style=\"",cell_style,"\">",str,"</th>");
+}
+
+function PrintTableDataCell(alignment,str) {
+ var style=cell_style+" text-align:"+alignment+";";
+ println(" <td style=\"",style,"\">",str,"</td>");
+}
+
+
+function Get_v_info(v_key_value,str_off) {
+ var ret_str="";
+ var offset=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off))+0x0cc;
+ var len=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off+4));
+ if(len>0) ret_str=RegistryKeyValueToVariant(v_key_value,"utf16",offset,len)
+
+ return ret_str;
+}
+
+function fred_report_html() {
+ // See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html
+ println(" <h2>User accounts</h2>");
+
+ // Iterate over all user names
+ var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names");
+ if(IsValid(user_names)) {
+ println(" <table style=\""+table_style+"\">");
+
+ println(" <tr>");
+ PrintTableHeaderCell("Name");
+ PrintTableHeaderCell("RID");
+ PrintTableHeaderCell("Full<br>name");
+ PrintTableHeaderCell("Last<br>login");
+ PrintTableHeaderCell("Last PW<br>change");
+ PrintTableHeaderCell("Last failed<br>login");
+ PrintTableHeaderCell("Account<br>expiry");
+ PrintTableHeaderCell("Total<br>logins");
+ PrintTableHeaderCell("Failed<br>logins");
+ PrintTableHeaderCell("Flags");
+ PrintTableHeaderCell("Password<br>hint");
+ PrintTableHeaderCell("Home drive<br>and dir");
+ PrintTableHeaderCell("Logon<br>script path");
+ PrintTableHeaderCell("Profile<br>path");
+ PrintTableHeaderCell("Comment");
+ println(" </tr>");
+
+ for(var i=0;i<user_names.length;i++) {
+ // Get user rid stored in "default" key
+ var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),"");
+ user_rid=RegistryKeyTypeToString(user_rid.type);
+ user_rid_dec=Number(user_rid).toString(10);
+
+ // Get user's V key and print various infos
+ user_rid=String(user_rid).substr(2); // Remove "0x"
+ var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V");
+ var full_name=Get_v_info(v_key.value,0x18);
+ var comment=Get_v_info(v_key.value,0x24);
+ var home_dir=Get_v_info(v_key.value,0x48);
+ var home_dir_drive=Get_v_info(v_key.value,0x54);
+ var logon_script_path=Get_v_info(v_key.value,0x60);
+ var profile_path=Get_v_info(v_key.value,0x6c);
+
+ // Get user's F key and print various infos
+ var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F");
+ var last_login_time=RegistryKeyValueToVariant(f_key.value,"filetime",8);
+ var last_pw_change=RegistryKeyValueToVariant(f_key.value,"filetime",24);
+ var last_failed_login=RegistryKeyValueToVariant(f_key.value,"filetime",40);
+ var account_expires=RegistryKeyValueToVariant(f_key.value,"filetime",32);
+ var total_logins=RegistryKeyValueToVariant(f_key.value,"uint16",66);
+ var failed_logins=RegistryKeyValueToVariant(f_key.value,"uint16",64);
+
+ var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56));
+ var acc_flags_str="";
+ if(acc_flags&0x0200) acc_flags_str+="NoPwExpiry ";
+ if(acc_flags&0x0001) acc_flags_str+="Disabled ";
+ if(acc_flags&0x0004) acc_flags_str+="PwNotReq ";
+ if(acc_flags&0x0002) acc_flags_str+="HomeDirReq ";
+ if(acc_flags&0x0008) acc_flags_str+="TempDupAcc ";
+// if(acc_flags&0x0010) acc_flags_str+="NormUserAcc "; // I don't think this would be useful to show
+ if(acc_flags&0x0020) acc_flags_str+="MnsAcc ";
+ if(acc_flags&0x0040) acc_flags_str+="DomTrustAcc ";
+ if(acc_flags&0x0080) acc_flags_str+="WksTrustAcc ";
+ if(acc_flags&0x0100) acc_flags_str+="SrvTrustAcc ";
+ if(acc_flags&0x0400) acc_flags_str+="AccAutoLock ";
+
+ // Get password hint if available
+ var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint");
+ if(IsValid(hint)) {
+ // Append missing trailing utf16 zero byte
+ hint.value.appendByte(0);
+ hint.value.appendByte(0);
+ hint=RegistryKeyValueToVariant(hint.value,"utf16");
+ } else {
+ hint="";
+ }
+
+ // TODO: User group membership
+
+ println (" <tr>");
+ PrintTableDataCell("left",user_names[i]);
+ PrintTableDataCell("right",String(user_rid_dec)+" (0x"+user_rid+")");
+ PrintTableDataCell("left",full_name);
+ PrintTableDataCell("right",last_login_time);
+ PrintTableDataCell("right",last_pw_change);
+ PrintTableDataCell("right",last_failed_login);
+ PrintTableDataCell("left",account_expires);
+ PrintTableDataCell("right",total_logins);
+ PrintTableDataCell("right",failed_logins);
+ PrintTableDataCell("left",acc_flags_str);
+ PrintTableDataCell("left",hint);
+ PrintTableDataCell("left",home_dir_drive+" "+home_dir);
+ PrintTableDataCell("left",logon_script_path);
+ PrintTableDataCell("left",profile_path);
+ PrintTableDataCell("left",comment);
+
+ println (" </tr>")
+ }
+ println(" </table>");
+ println("</p>");
+ } else {
+ println("<p><font color='red'>");
+ println(" Unable to enumerate users!<br />");
+ println(" Are you sure you are running this report against the correct registry hive?");
+ println("</font></p>");
+ }
+}
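Review bot: Every string this new template pulls out of the hive — user_names[i], full_name, comment, hint, home_dir, logon_script_path, profile_path — is written straight into the report's HTML by PrintTableDataCell without any escaping, so a hive value containing `<` or `&` will at least break the table and, if the report is displayed in a browser-class widget (I can't tell from the diff which widget fred uses), can inject markup into the viewer; the same applies to everything routed through PrintTableDataCell in the SOFTWARE_Autoruns, SOFTWARE_ProfileList, SYSTEM_BackupRestore, SYSTEM_CurrentNetworkSettings and SYSTEM_Services hunks, and escaping once inside the helper covers all of them (assuming `String(str)` renders the filetime variants the same way println already does). Separately, `user_rid_dec=Number(user_rid).toString(10);` in the loop body has no `var` and so becomes an implicit global, and v_key and f_key are dereferenced as `.value` without the IsValid guard that the UserPasswordHint lookup a few lines later does get. Finally, the `println("</p>");` after the closing `</table>` closes a paragraph this template never opens — the sibling templates print `<p style=...>` before their table.

```javascript
// Escape hive-derived text before it is placed inside HTML element content/attributes.
function HtmlEscape(str) {
  return String(str).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;");
}

function PrintTableDataCell(alignment,str) {
  var style=cell_style+" text-align:"+alignment+";";
  println(" <td style=\"",style,"\">",HtmlEscape(str),"</td>");
}
// … unchanged: fred_report_info, IsValid, PrintTableHeaderCell, Get_v_info, fred_report_html …
```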
diff --git a/trunk/report_templates/SOFTWARE_Autoruns.qs b/trunk/report_templates/SOFTWARE_Autoruns.qs
index 053e63d..2717b72 100644
--- a/trunk/report_templates/SOFTWARE_Autoruns.qs
+++ b/trunk/report_templates/SOFTWARE_Autoruns.qs
@@ -1,56 +1,83 @@
function fred_report_info() {
var info={report_cat : "SOFTWARE",
report_name : "Autoruns",
report_author : "Gillen Daniel",
report_desc : "Dump autoruns",
fred_api : 2,
hive : "SOFTWARE"
};
return info;
}
+var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12";
+var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
+
function IsValid(val) {
- if(typeof val !== 'undefined') return true;
- else return false;
+ return (typeof val!=='undefined');
+}
+
+function PrintTableHeaderCell(str) {
+ println(" <th style=\"",cell_style,"\">",str,"</th>");
+}
+
+function PrintTableDataCell(alignment,str) {
+ var style=cell_style+" text-align:"+alignment+";";
+ println(" <td style=\"",style,"\">",str,"</td>");
+}
+
+function PrintTableDataRowSpanCell(alignment,rows,str) {
+ var style=cell_style+" text-align: "+alignment+";";
+ println(" <td rowspan=\"",rows,"\" style=\"",style,"\">",str,"</td>");
}
-function print_table_row(cell01,cell02) {
- println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
+function PrintTableDataColSpanCell(alignment,columns,str) {
+ var style=cell_style+" text-align: "+alignment+";";
+ println(" <td colspan=\"",columns,"\" style=\"",style,"\">",str,"</td>");
}
function ListAutoruns(autorun_path,autorun_key) {
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <u>"+autorun_key+"</u><br />");
var run_keys=GetRegistryKeys(autorun_path+autorun_key);
if(IsValid(run_keys) && run_keys.length>0) {
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- print_table_row("<b>Name</b>","<b>Executable</b>");
-
for(var i=0;i<run_keys.length;i++) {
var val=GetRegistryKeyValue(autorun_path+autorun_key,run_keys[i]);
- print_table_row(run_keys[i],RegistryKeyValueToString(val.value,val.type));
+ println(" <tr>");
+ if(i==0) PrintTableDataRowSpanCell("left",run_keys.length,autorun_key);
+ PrintTableDataCell("left",run_keys[i]);
+ PrintTableDataCell("left",RegistryKeyValueToString(val.value,val.type));
+ println(" </tr>");
}
-
- println(" </table>");
} else {
- println(" None");
+ println(" <tr>");
+ PrintTableDataCell("left",autorun_key);
+ PrintTableDataColSpanCell("center",2,"None");
+ println(" </tr>");
}
- println(" </p>");
}
function fred_report_html() {
var val;
println(" <h2>System Autoruns</h2>");
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <table style=\""+table_style+"\">");
+
+ println(" <tr>");
+ PrintTableHeaderCell("Registry key");
+ PrintTableHeaderCell("Name");
+ PrintTableHeaderCell("Executable");
+ println(" </tr>");
// Run
ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run");
// RunOnce
ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce");
// RunOnceEx
ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx");
// TODO: There might be a Run under WindowsNT\CurrentVersion\Run too!
+
+ println(" </table>");
+ println(" </p>");
}
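Review bot: The helper block inserted between fred_report_info and ListAutoruns (table_style, cell_style, IsValid, PrintTableHeaderCell, PrintTableDataCell and the two span-cell helpers) is pasted verbatim into each of the seven templates touched by this commit, and the copies have already drifted — SAM_UserAccounts2's table_style ends in `font-size:12;` while this one ends in `font-size:12`, and the span helpers emit `text-align: ` with a space where PrintTableDataCell emits `text-align:`. If the fred template API has no include mechanism (the diff does not show one), a comment at the top of the block such as `// Shared table helpers: keep in sync with the other report_templates/*.qs` would at least flag the coupling. In the new ListAutoruns loop body the `val` fetched per key is still dereferenced as `val.value` with no IsValid check, unlike the guarded lookups in the other templates; that line is unchanged context, so it is pre-existing.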
diff --git a/trunk/report_templates/SOFTWARE_ProfileList.qs b/trunk/report_templates/SOFTWARE_ProfileList.qs
index 3f00709..87b50eb 100644
--- a/trunk/report_templates/SOFTWARE_ProfileList.qs
+++ b/trunk/report_templates/SOFTWARE_ProfileList.qs
@@ -1,51 +1,68 @@
function fred_report_info() {
var info={report_cat : "SOFTWARE",
report_name : "Profile list",
report_author : "Gillen Daniel",
report_desc : "Dump profile list",
fred_api : 2,
hive : "SOFTWARE"
};
return info;
}
+var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12";
+var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
+
function IsValid(val) {
- if(typeof val !== 'undefined') return true;
- else return false;
+ return (typeof val!=='undefined');
+}
+
+function PrintTableHeaderCell(str) {
+ println(" <th style=\"",cell_style,"\">",str,"</th>");
}
-function print_table_row(cell01,cell02) {
- println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
+function PrintTableDataCell(alignment,str) {
+ var style=cell_style+" text-align:"+alignment+";";
+ println(" <td style=\"",style,"\">",str,"</td>");
}
function fred_report_html() {
var val;
println(" <h2>Profile List</h2>");
var profile_list=GetRegistryNodes("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList");
if(IsValid(profile_list) && profile_list.length>0) {
- for(var i=0;i<profile_list.length;i++) {
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <u>"+profile_list[i]+"</u><br />");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <table style=\""+table_style+"\">");
+ println(" <tr>");
+ PrintTableHeaderCell("Profile ID");
+ PrintTableHeaderCell("Last load time");
+ PrintTableHeaderCell("Image path");
+ println(" </tr>");
+
+ for(var i=0;i<profile_list.length;i++) {
// Get profile image path
val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileImagePath");
- print_table_row("Profile image path:",IsValid(val) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ var image_path=IsValid(val) ? RegistryKeyValueToString(val.value,val.type) : "n/a";
// Get last load time (Saved as 2 dwords. Another "good" idea of M$ ;-))
var loadtime_low=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeLow");
var loadtime_high=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\"+profile_list[i],"ProfileLoadTimeHigh");
- print_table_row("Profile load time:",(IsValid(loadtime_low) && IsValid(loadtime_high)) ? RegistryKeyValueToVariant(loadtime_low.value.append(loadtime_high.value),"filetime",0) : "n/a");
+ var load_time=(IsValid(loadtime_low) && IsValid(loadtime_high)) ? RegistryKeyValueToVariant(loadtime_low.value.append(loadtime_high.value),"filetime",0) : "n/a";
// TODO: There is more to decode under \\Microsoft\\Windows NT\\CurrentVersion\\ProfileList
- println(" </table>");
- println(" </p>");
+ println(" <tr>");
+ PrintTableDataCell("left",profile_list[i]);
+ PrintTableDataCell("left",load_time);
+ PrintTableDataCell("left",image_path);
+ println(" </tr>");
}
+
println(" </table>");
+ println(" </p>");
} else {
println(" None");
}
}
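Review bot: The new table is opened immediately inside a `<p style=...>` and the matching `</p>` is printed after `</table>`; HTML parsers implicitly close a paragraph when a table starts, so the trailing `</p>` becomes a stray close tag, and the same `<p>`/`<table>` nesting is introduced in the SOFTWARE_Autoruns, SYSTEM_BackupRestore, SYSTEM_CurrentNetworkSettings and SYSTEM_Services hunks. Whether this is visible depends on how lenient the widget rendering the report is, which the diff does not show; a `<div>` wrapper, or dropping the paragraph since table_style already carries the margin and font, would avoid the question. The bare `println(" None");` in the else branch is context, but note that SYSTEM_BackupRestore's ListValues in this same commit wraps its "None" in a styled paragraph, so the two templates now render the empty case differently.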
diff --git a/trunk/report_templates/SYSTEM_BackupRestore.qs b/trunk/report_templates/SYSTEM_BackupRestore.qs
index 3992726..ea77769 100644
--- a/trunk/report_templates/SYSTEM_BackupRestore.qs
+++ b/trunk/report_templates/SYSTEM_BackupRestore.qs
@@ -1,72 +1,104 @@
function fred_report_info() {
var info={report_cat : "SYSTEM",
report_name : "Backup / Restore settings",
report_author : "Gillen Daniel",
report_desc : "Dump files / directories not to snapshot / backup and registry keys not to restore",
fred_api : 2,
hive : "SYSTEM"
};
return info;
}
+var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12";
+var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
+
function IsValid(val) {
- if(typeof val !== 'undefined') return true;
- else return false;
+ return (typeof val!=='undefined');
+}
+
+function PrintTableHeaderCell(str) {
+ println(" <th style=\"",cell_style,"\">",str,"</th>");
}
-function print_table_row(cell01,cell02) {
- println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
+function PrintTableDataCell(alignment,str) {
+ var style=cell_style+" text-align:"+alignment+";";
+ println(" <td style=\"",style,"\">",str,"</td>");
+}
+
+function PrintTableDataRowSpanCell(alignment,rows,str) {
+ var style=cell_style+" text-align: "+alignment+";";
+ println(" <td rowspan=\"",rows,"\" style=\"",style,"\">",str,"</td>");
}
function ListValues(root_key) {
var values=GetRegistryKeys(root_key);
if(IsValid(values)) {
println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
+ println(" <table style=\""+table_style+"\">");
+ println(" <tr>");
+ PrintTableHeaderCell("Name");
+ PrintTableHeaderCell("Directory(ies) / File(s)");
+ println(" </tr>");
for(var i=0;i<values.length;i++) {
var val=GetRegistryKeyValue(root_key,values[i]);
if(IsValid(val)) {
- println(" <tr>");
- println(" <td>",values[i],"</td>");
- println(" <td>");
var strings=RegistryKeyValueToStringList(val.value);
- for(var ii=0;ii<strings.length;ii++) {
- println(" ",strings[ii],"<br />");
+ if(strings.length>1) {
+ println(" <tr>");
+ PrintTableDataRowSpanCell("left",strings.length,values[i]);
+ PrintTableDataCell("left",strings[0]);
+ println(" </tr>");
+ for(var ii=1;ii<strings.length;ii++) {
+ println(" <tr>");
+ PrintTableDataCell("left",strings[ii]);
+ println(" </tr>");
+ }
+ } else {
+ println(" <tr>");
+ PrintTableDataCell("left",values[i]);
+ PrintTableDataCell("left",strings.length!=0 ? strings[0] : "");
+ println(" </tr>");
}
- println(" </td>");
- println(" </tr>");
}
}
println(" </table>");
println(" </p>");
} else {
- println(" None");
+ println(" <p style=\"font-size:12; white-space:nowrap; margin-left:20px;\">");
+ println(" None");
+ println(" </p>");
}
}
function fred_report_html() {
var val;
println(" <h2>Backup / Restore settings</h2>");
// Get current controlset
var cur_controlset=GetRegistryKeyValue("\\Select","Current");
if(IsValid(cur_controlset)) {
cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
// Current holds a DWORD value, thus we get a string like 0x00000000, but
// control sets are referenced only with the last 3 digits.
cur_controlset="ControlSet"+String(cur_controlset).substr(7,3);
- println(" <u>Directories / files not to back up in Volume Shadow Copies</u>");
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <u>Directories / files not to back up in Volume Shadow Copies</u>");
+ println(" </p>");
ListValues(cur_controlset+"\\Control\\BackupRestore\\FilesNotToSnapshot");
- println(" <u>Directories / files not to back up or restore by backup apps</u>");
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <u>Directories / files not to back up or restore by backup apps</u>");
+ println(" </p>");
ListValues(cur_controlset+"\\Control\\BackupRestore\\FilesNotToBackup");
- println(" <u>Registry nodes or values not to restore by backup apps</u>");
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <u>Registry nodes or values not to restore by backup apps</u>");
+ println(" </p>");
ListValues(cur_controlset+"\\Control\\BackupRestore\\KeysNotToRestore");
} else {
println(" <p><font color='red'>");
println(" Unable to determine current control set!<br />");
println(" Are you sure you are running this report against the correct registry hive?");
println(" </font></p>");
}
}
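Review bot: The three new section headings in fred_report_html repeat the same three-line `<p style=...>` / `<u>…</u>` / `</p>` sequence verbatim; a small helper, e.g. `function PrintSectionTitle(str) { println(" <p style=\"font-size:12; white-space:nowrap\"><u>",str,"</u></p>"); }`, would keep the three call sites to one line each. The new rowspan branch in ListValues looks right, but its else branch reads `strings[0]` while the `if` branch relies on `strings.length>1`, so a comment like `// single (or empty) value: plain two-column row` would make the split obvious. One adjacent note on an unchanged context line: this template still derives the control set with `String(cur_controlset).substr(7,3)`, whereas the other SYSTEM templates in this commit use `ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)`; the substr form only yields the right "ControlSet00N" name while the DWORD's hex digits coincide with its decimal ones.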
diff --git a/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs b/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs
index 6a0a940..19eea09 100644
--- a/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs
+++ b/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs
@@ -1,136 +1,169 @@
function fred_report_info() {
var info={report_cat : "SYSTEM",
report_name : "Current network settings",
report_author : "Gillen Daniel",
report_desc : "Dump current network settings",
fred_api : 2,
hive : "SYSTEM"
};
return info;
}
+var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12";
+var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
+
function IsValid(val) {
- if(typeof val !== 'undefined') return true;
- else return false;
+ return (typeof val!=='undefined');
+}
+
+function PrintTableHeaderCell(str) {
+ println(" <th style=\"",cell_style,"\">",str,"</th>");
}
-function print_table_row(cell01,cell02) {
- println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
+function PrintTableDataCell(alignment,str) {
+ var style=cell_style+" text-align:"+alignment+";";
+ println(" <td style=\"",style,"\">",str,"</td>");
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
function fred_report_html() {
// See Appendix A: TCP/IP Configuration Parameters:
// http://technet.microsoft.com/de-de/library/cc739819%28v=WS.10%29.aspx
var val;
println(" <h2>Current network settings (Tcp/Ip)</h2>");
// Get current controlset
var cur_controlset=GetRegistryKeyValue("\\Select","Current");
if(IsValid(cur_controlset)) {
cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
// Current holds a DWORD value, thus we get a string like 0x00000000, but
// control sets are referenced by its decimal representation.
cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- print_table_row("Active control set:",cur_controlset);
-
// Computer name
val=GetRegistryKeyValue(cur_controlset+"\\Control\\ComputerName\\ComputerName","ComputerName");
- print_table_row("Computer name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <table style=\""+table_style+"\">");
+ println(" <tr><td>Active control set:</td><td>",cur_controlset,"</td></tr>");
+ println(" <tr><td>Computer name:</td><td>",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "","</td></tr>");
println(" </table>");
println(" <br />");
+ println(" <table style=\""+table_style+"\">");
+ println(" <tr>");
+ PrintTableHeaderCell("Adapter");
+ PrintTableHeaderCell("Configuration");
+ PrintTableHeaderCell("IP address");
+ PrintTableHeaderCell("Subnet mask");
+ PrintTableHeaderCell("Nameserver(s)");
+ PrintTableHeaderCell("Domain");
+ PrintTableHeaderCell("Default gateway");
+ PrintTableHeaderCell("DHCP server");
+ PrintTableHeaderCell("DHCP lease optained");
+ PrintTableHeaderCell("DHCP lease terminates");
+ println(" </tr>");
// Iterate over all available network adapters
var adapters=GetRegistryNodes(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters");
for(var i=0;i<adapters.length;i++) {
// Try to get a human readable name
// According to http://technet.microsoft.com/de-de/library/cc780532%28v=ws.10%29.aspx
// the {4D36E972-E325-11CE-BFC1-08002BE10318} key name might be (and hopefully is) static :)
val=GetRegistryKeyValue(cur_controlset+"\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\"+adapters[i]+"\\Connection","Name");
- if(IsValid(val)) {
- println(" <u>",RegistryKeyValueToString(val.value,val.type),"</u>");
- } else {
- println(" <u>",adapters[i],"</u>");
- }
+ var adapter_name=IsValid(val) ? RegistryKeyValueToString(val.value,val.type) : adapters[i];
// Get settings node
- var adapter_settings_node=GetRegistryKeyValue(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters\\"+adapters[i],"IpConfig");
- adapter_settings_node=RegistryKeyValueToVariant(adapter_settings_node.value,"utf16",0);
-
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- //print_table_row("Adapter id:",adapters[i]);
+ val=GetRegistryKeyValue(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters\\"+adapters[i],"IpConfig");
+ var adapter_settings_node=RegistryKeyValueToVariant(val.value,"utf16",0);
// Get configuration mode
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"EnableDHCP");
- val=Number(RegistryKeyValueToString(val.value,val.type));
- if(val) {
- // DHCP enabled
- print_table_row("Configuration mode:","DHCP");
+ var dhcp_enabled=Number(RegistryKeyValueToString(val.value,val.type));
+
+ var ip_address="";
+ var subnet_mask="";
+ var nameservers="";
+ var domain="";
+ var default_gateway="";
+ var dhcp_server="";
+ var lease_obtained="";
+ var lease_terminates="";
+
+ if(dhcp_enabled) {
// DHCP server
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpServer");
- print_table_row("Last used DHCP server:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ dhcp_server=(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "";
// IP address
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpIPAddress");
- print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ ip_address=(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "";
// Subnet mask
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpSubnetMask");
- print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ subnet_mask=(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "";
// Nameserver(s)
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpNameServer");
- print_table_row("Nameserver(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ nameservers=(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "";
// Domain
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDomain");
- print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ domain=(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "";
// Default gw
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDefaultGateway");
- print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
+ default_gateway=(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "";
// Lease obtained
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseObtainedTime");
- print_table_row("Lease obtained:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : "");
+ lease_obtained=(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : "";
// Lease valid until
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseTerminatesTime");
- print_table_row("Lease terminates:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : "");
+ lease_terminates=(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : "";
} else {
- print_table_row("Configuration mode:","Manual");
// IP address
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"IPAddress");
- print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
+ ip_address=(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "";
// Subnet mask
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"SubnetMask");
- print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
+ subnet_mask=(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "";
// Nameserver
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"NameServer");
- print_table_row("Nameserver:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
+ nameservers=(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "";
// Domain
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"Domain");
- print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
+ domain=(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "";
// Default gw
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DefaultGateway");
- print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "");
+ default_gateway=(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : "";
+ dhcp_server="n/a";
+ lease_obtained="n/a";
+ lease_terminates="n/a";
}
- // TODO: Check for EnableSecurityFilters, TCPAllowedPorts and UDPAllowedPorts to get firewall status.
+ println(" <tr>");
+ PrintTableDataCell("left",adapter_name);
+ PrintTableDataCell("left",dhcp_enabled ? "DHCP" : "Static");
+ PrintTableDataCell("left",ip_address);
+ PrintTableDataCell("left",subnet_mask);
+ PrintTableDataCell("left",nameservers);
+ PrintTableDataCell("left",domain);
+ PrintTableDataCell("left",default_gateway);
+ PrintTableDataCell("left",dhcp_server);
+ PrintTableDataCell("left",lease_obtained);
+ PrintTableDataCell("left",lease_terminates);
+ println(" </tr>");
- println(" </table>");
- println(" <br />");
+ // TODO: Check for EnableSecurityFilters, TCPAllowedPorts and UDPAllowedPorts to get firewall status.
// TODO: Get persistent routes from \ControlSet001\Services\Tcpip\Parameters\PersistentRoutes
}
+ println(" </table>");
println(" </p>");
} else {
println(" <p><font color='red'>");
println(" Unable to determine current control set!<br />");
println(" Are you sure you are running this report against the correct registry hive?");
println(" </font></p>");
}
}
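Review bot: The new header cell reads `PrintTableHeaderCell("DHCP lease optained");` — "optained" should be "obtained", and the string is user-visible in the report. The two summary rows for the active control set and computer name are written as hand-built `<tr><td>…</td></tr>` while every other cell in the file now goes through PrintTableDataCell, so those two rows render without the border/padding of cell_style; `PrintTableDataCell("left","Active control set:")` style calls would keep them consistent. The new `var adapter_settings_node=RegistryKeyValueToVariant(val.value,"utf16",0);` and `var dhcp_enabled=Number(RegistryKeyValueToString(val.value,val.type));` both dereference `val` without the IsValid check that the surrounding lookups use, so an adapter lacking IpConfig or EnableDHCP aborts the whole report instead of producing an empty row. The same pattern existed before the rewrite, but the rewrite is the natural place to add the guard.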
diff --git a/trunk/report_templates/SYSTEM_Services.qs b/trunk/report_templates/SYSTEM_Services.qs
index 64c2748..408ed29 100644
--- a/trunk/report_templates/SYSTEM_Services.qs
+++ b/trunk/report_templates/SYSTEM_Services.qs
@@ -1,106 +1,131 @@
function fred_report_info() {
var info={report_cat : "SYSTEM",
report_name : "Services",
report_author : "Gillen Daniel",
report_desc : "Dump services",
fred_api : 2,
hive : "SYSTEM"
};
return info;
}
+var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12";
+var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
+
function IsValid(val) {
- if(typeof val !== 'undefined') return true;
- else return false;
+ return (typeof val!=='undefined');
+}
+
+function PrintTableHeaderCell(str) {
+ println(" <th style=\"",cell_style,"\">",str,"</th>");
+}
+
+function PrintTableDataCell(alignment,str) {
+ var style=cell_style+" text-align:"+alignment+";";
+ println(" <td style=\"",style,"\">",str,"</td>");
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
function PrintTableRow(cell01,cell02,cell03,cell04,cell05) {
- println(" <tr><td style=\"padding:2px\">",cell01,"</td><td style=\"padding:2px\">",cell02,"</td><td style=\"padding:2px\">",cell03,"</td><td style=\"padding:2px\">",cell04,"</td><td style=\"padding:2px\">",cell05,"</td></tr>");
+ println(" <tr>");
+ PrintTableDataCell("left",cell01);
+ PrintTableDataCell("left",cell02);
+ PrintTableDataCell("left",cell03);
+ PrintTableDataCell("left",cell04);
+ PrintTableDataCell("left",cell05);
+ println(" </tr>");
}
function ListService(service_node) {
// Service name
var name=GetRegistryKeyValue(service_node,"DisplayName");
name=(IsValid(name)) ? RegistryKeyValueToString(name.value,name.type) : "Unknwon";
// Service group
var group=GetRegistryKeyValue(service_node,"Group");
group=(IsValid(group)) ? RegistryKeyValueToString(group.value,group.type) : "";
// Service exe
var image=GetRegistryKeyValue(service_node,"ImagePath");
image=(IsValid(image)) ? RegistryKeyValueToString(image.value,image.type) : "Unknwon";
// Start
var start=GetRegistryKeyValue(service_node,"Start");
start=(IsValid(start)) ? RegistryKeyValueToString(start.value,start.type) : -1;
switch(Number(start)) {
case 0:
start="Boot";
break;
case 1:
start="System";
break;
case 2:
start="Automatic";
break;
case 3:
start="Manual";
break;
case 4:
start="Disabled";
break;
default:
start="Unknown";
}
// Description
var desc=GetRegistryKeyValue(service_node,"Description");
desc=(IsValid(desc)) ? RegistryKeyValueToString(desc.value,desc.type) : "";
PrintTableRow(name,group,start,image,desc)
}
function fred_report_html() {
var val;
println(" <h2>Services</h2>");
// Get current controlset
var cur_controlset=GetRegistryKeyValue("\\Select","Current");
if(IsValid(cur_controlset)) {
cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
// Current holds a DWORD value, thus we get a string like 0x00000000, but
// control sets are referenced by its decimal representation.
cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
// Get list of possible services
var services=GetRegistryNodes(cur_controlset+"\\Services");
if(IsValid(services)) {
println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- println(" <tr><td style=\"padding:2px\"><b>Name</b></td><td style=\"padding:2px\"><b>Group</b></td><td><b>Startup</b></td><td style=\"padding:2px\"><b>Image path</b></td><td style=\"padding:2px\"><b>Description</b></td></tr>");
+ println(" <table style=\""+table_style+"\">");
+ println(" <tr>");
+ PrintTableHeaderCell("Name");
+ PrintTableHeaderCell("Group");
+ PrintTableHeaderCell("Startup");
+ PrintTableHeaderCell("Image path");
+ PrintTableHeaderCell("Description");
+ println(" </tr>");
+
for(var i=0;i<services.length;i++) {
// Get service type
val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+services[i],"Type");
if(!IsValid(val)) continue;
val=RegistryKeyValueToString(val.value,val.type);
if(Number(val)!=16 && Number(val)!=32) continue;
ListService(cur_controlset+"\\Services\\"+services[i]);
}
+
println(" </table>");
println(" </p>");
} else {
println(" <p><font color='red'>");
println(" This registry hive does not contain any services!<br />");
println(" </font></p>");
}
} else {
println(" <p><font color='red'>");
println(" Unable to determine current control set!<br />");
println(" Are you sure you are running this report against the correct registry hive?");
println(" </font></p>");
}
}
diff --git a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs
index 0f7ae70..b9880ec 100644
--- a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs
+++ b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs
@@ -1,117 +1,141 @@
function fred_report_info() {
var info={report_cat : "SYSTEM",
report_name : "System time info",
report_author : "Gillen Daniel",
report_desc : "Dump system time info",
fred_api : 2,
hive : "SYSTEM"
};
return info;
}
+var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12";
+var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
+
function IsValid(val) {
- if(typeof val !== 'undefined') return true;
- else return false;
+ return (typeof val!=='undefined');
+}
+
+function PrintTableHeaderCell(str) {
+ println(" <th style=\"",cell_style,"\">",str,"</th>");
}
-function print_table_row(cell01,cell02) {
- println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
+function PrintTableDataCell(alignment,str) {
+ var style=cell_style+" text-align:"+alignment+";";
+ println(" <td style=\"",style,"\">",str,"</td>");
}
function ToUTC(num) {
var retnum=new Number(num);
if(retnum&0x80000000) {
retnum=((0xFFFFFFFF-retnum)+1)/60;
return "UTC+"+Number(retnum).toString(10);
} else {
retnum=retnum/60;
if(retnum!=0) return "UTC-"+Number(retnum).toString(10);
else return "UTC+"+Number(retnum).toString(10);
}
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
function fred_report_html() {
var val;
println(" <h2>System time info</h2>");
// Get current controlset
var cur_controlset=GetRegistryKeyValue("\\Select","Current");
if(IsValid(cur_controlset)) {
cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
// Current holds a DWORD value, thus we get a string like 0x00000000, but
// control sets are referenced by its decimal representation.
cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <u>Time zone info</u>");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
-
- // Active time bias
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","ActiveTimeBias");
- print_table_row("Active time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a");
-
- // Std. tz name and bias
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardName");
- print_table_row("Std. time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardBias");
- print_table_row("Std. time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a");
-
- // Daylight tz name and bias
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightName");
- print_table_row("Daylight time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
- val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightBias");
- print_table_row("Daylight time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a");
-
- println(" </table>");
- println(" <br />");
- println(" <u>W32Time service info</u>");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
-
// Get W32Time service settings
+ var w32time_startup_method="n/a";
+ var w32time_time_servers="n/a";
val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time","Start");
if(IsValid(val)) {
- print(" <tr><td>Startup method:</td><td>");
val=RegistryKeyValueToString(val.value,val.type);
switch(Number(val)) {
case 0:
- print("Boot");
+ w32time_startup_method="Boot";
break;
case 1:
- print("System");
+ w32time_startup_method="System";
break;
case 2:
- print("Automatic");
+ w32time_startup_method="Automatic";
break;
case 3:
- print("Manual");
+ w32time_startup_method="Manual";
break;
case 4:
- print("Disabled");
+ w32time_startup_method="Disabled";
break;
default:
- print("Unknown");
+ w32time_startup_method="Unknown";
}
- println("</td></tr>");
// If service is enabled, get ntp server
if(Number(val)<4) {
val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time\\Parameters","NtpServer");
- print_table_row("NTP server(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a");
+ if(IsValid(val)) w32time_time_servers=RegistryKeyValueToString(val.value,val.type);
}
- } else print_table_row("Startup method:","n/a");
+ }
+
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <table style=\""+table_style+"\">");
+ println(" <tr><td>Active control set:</td><td>",cur_controlset,"</td></tr>");
+ println(" <tr><td>W32Time startup method:</td><td>",w32time_startup_method,"</td></tr>");
+ println(" <tr><td>W32Time NTP servers:</td><td>",w32time_time_servers,"</td></tr>");
+ println(" </table>");
+ println(" <br />");
+ println(" <table style=\""+table_style+"\">");
+ println(" <tr>");
+ PrintTableHeaderCell("XXX");
+ PrintTableHeaderCell("Time zone");
+ println(" </tr>");
+
+ // Active time bias
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","ActiveTimeBias");
+ var active_bias=(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"
+
+ // Std. tz name and bias
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardName");
+ var std_name=(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a";
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardBias");
+ var std_bias=(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a";
+
+ // Daylight tz name and bias
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightName");
+ var daylight_name=(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a";
+ val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightBias");
+ var daylight_bias=(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a";
+
+ println(" <tr>");
+ PrintTableDataCell("left","Active");
+ PrintTableDataCell("left",active_bias);
+ println(" </tr>");
+ println(" <tr>");
+ PrintTableDataCell("left","Standard");
+ PrintTableDataCell("left",std_bias+" ("+std_name+")");
+ println(" </tr>");
+ println(" <tr>");
+ PrintTableDataCell("left","Daylight");
+ PrintTableDataCell("left",daylight_bias+" ("+daylight_name+")");
+ println(" </tr>");
println(" </table>");
println(" </p>");
} else {
println(" <p><font color='red'>");
println(" Unable to determine current control set!<br />");
println(" Are you sure you are running this report against the correct registry hive?");
println(" </font></p>");
}
}
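Review bot: `PrintTableHeaderCell("XXX");` at the top of the new time-zone table is a leftover placeholder that will be printed verbatim as a column header in every generated report; the column holds "Active"/"Standard"/"Daylight", so something like `PrintTableHeaderCell("Bias");` is what was probably meant. The `var active_bias=…` line just below the table header is the only assignment in the block without a terminating semicolon; the surrounding lines all carry one. The new rows also interpolate registry strings (`std_name`, `daylight_name`, `w32time_time_servers`) straight into HTML with no escaping, so a hive with `<` or `&` in those values produces broken or misleading markup in the report — a small `HtmlEscape()` helper applied in `PrintTableDataCell` and the three `<td>` lines above would contain this. `table_style` here ends without the trailing `;` that the same constant has in the other templates of this commit.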
diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices2.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices2.qs
index 0b11e6a..8fe3652 100644
--- a/trunk/report_templates/SYSTEM_UsbStorageDevices2.qs
+++ b/trunk/report_templates/SYSTEM_UsbStorageDevices2.qs
@@ -1,181 +1,190 @@
function fred_report_info() {
var info={report_cat : "SYSTEM",
report_name : "USB storage devices as table",
report_author : "Gillen Daniel, Voncken Guy",
report_desc : "Dump USB storage devices",
fred_api : 2,
hive : "SYSTEM"
};
return info;
}
+var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12";
+var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
+
function IsValid(val) {
- if(typeof val !== 'undefined') return true;
- else return false;
+ return (typeof val!=='undefined');
+}
+
+function PrintTableHeaderCell(str) {
+ println(" <th style=\"",cell_style,"\">",str,"</th>");
}
-function print_table_row(cell01,cell02) {
- println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
+function PrintTableDataCell(alignment,str) {
+ var style=cell_style+" text-align:"+alignment+";";
+ println(" <td style=\"",style,"\">",str,"</td>");
}
-function print_dev_table_row(VendorProd,
- ID,
- Class,
- Name,
- MountPoint,
- ParentId,
- Desc)
-{
- println(" <tr>");
- println(" <td>",VendorProd,"</td>");
- println(" <td>",ID,"</td>");
- println(" <td>",Class,"</td>");
- println(" <td>",Name,"</td>");
- println(" <td>",MountPoint,"</td>");
- println(" <td>",ParentId,"</td>");
- println(" <td>",Desc,"</td>");
- println(" </tr>");
+function PrintTableDataRowSpanCell(alignment,rows,str) {
+ var style=cell_style+" text-align: "+alignment+";";
+ println(" <td rowspan=\"",rows,"\" style=\"",style,"\">",str,"</td>");
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
function GetKeyVal(path, key) {
var val=GetRegistryKeyValue(path, key);
return (IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "";
}
function fred_report_html() {
// TODO: There is more here.
// Check http://www.forensicswiki.org/wiki/USB_History_Viewing
var val;
println(" <h2>USB storage devices</h2>");
// Preload MountedDevices to possibly identify mount points of USB storage
// devices
var mnt_keys=GetRegistryKeys("\\MountedDevices");
var mnt_values=new Array();
if(IsValid(mnt_keys)) {
for(var i=0;i<mnt_keys.length;i++) {
val=GetRegistryKeyValue("\\MountedDevices",mnt_keys[i]);
mnt_values[i]=RegistryKeyValueToVariant(val.value,"utf16");
}
}
// Get current controlset
var cur_controlset=GetRegistryKeyValue("\\Select","Current");
if(IsValid(cur_controlset)) {
cur_controlset=RegistryKeyValueToString(cur_controlset.value,
cur_controlset.type);
// Current holds a DWORD value, thus we get a string like 0x00000000, but
// control sets are referenced by its decimal representation.
cur_controlset="ControlSet"+
ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3);
println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <u>Settings</u><br />");
- println(" <table style=\"margin-left:20px; ",
- "font-size:12; white-space:nowrap\">");
+ println(" <table style=\""+table_style+"\">");
// Are USB storage devices enabled?
// http://www.forensicmag.com/article/windows-7-registry-forensics-part-5
// Is this true for WinXP etc.. ???
var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start");
if(IsValid(val)) {
val=RegistryKeyValueToString(val.value,val.type);
val=parseInt(String(val).substr(2,8),10);
switch(val) {
case 3:
- print_table_row("Storage driver enabled:","Yes");
+ println(" <tr><td>Storage driver enabled:</td><td>Yes</td></tr>");
break;
case 4:
- print_table_row("Storage driver enabled:","No");
+ println(" <tr><td>Storage driver enabled:</td><td>No</td></tr>");
break;
default:
- print_table_row("Storage driver enabled:","Unknown");
+ println(" <tr><td>Storage driver enabled:</td><td>Unknown</td></tr>");
}
} else {
- print_table_row("Storage driver enabled:","Unknown");
+ println(" <tr><td>Storage driver enabled:</td><td>Unknown</td></tr>");
}
println(" </table>");
println(" </p>");
println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <u>Devices</u><br />");
var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
if(IsValid(storage_roots)) {
- println(" <table style=\"margin-left:20px; font-size:12; ",
- "white-space:nowrap\">");
- print_dev_table_row("<b>Vendor Name</b>",
- "<b>Unique ID</b>",
- "<b>Class</b>",
- "<b>Friendly name</b>",
- "<b>Mount point(s)</b>",
- "<b>Parent ID</b>",
- "<b>Device description</b>");
- for(var i=0; i<storage_roots.length; i++) {
- var storage_subroots=
- GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
+ println(" <table style=\""+table_style+"\">");
+ println(" <tr>");
+ PrintTableHeaderCell("Vendor Name");
+ PrintTableHeaderCell("Unique ID");
+ PrintTableHeaderCell("Class");
+ PrintTableHeaderCell("Friendly name");
+ PrintTableHeaderCell("Mount point(s)");
+ PrintTableHeaderCell("Parent ID");
+ PrintTableHeaderCell("Device description");
+ println(" </tr>");
+
+ for(var i=0;i<storage_roots.length;i++) {
+ var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
for(var ii=0;ii<storage_subroots.length;ii++) {
- ID = storage_subroots[ii];
- if(String(ID).charAt(1)=="&") {
+ var device_id=storage_subroots[ii];
+ if(String(device_id).charAt(1)=="&") {
// If the second character of the unique instance ID is a '&', then
// the ID was generated by the system, as the device did not have a
// serial number.
- ID = ID + " (Generated by system)";
+ device_id=device_id+" (Generated by system)";
}
- Key = cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+
- "\\"+storage_subroots[ii];
- Class = GetKeyVal (Key,"Class");
- DeviceDesc = GetKeyVal (Key,"DeviceDesc");
- FriendlyName = GetKeyVal (Key,"FriendlyName");
- ParentID = GetKeyVal (Key,"ParentIdPrefix");
- MountPoints = ""
-
- var br=0;
- if(ParentID != "") {
+ var device_key=cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii];
+ var device_class=GetKeyVal(device_key,"Class");
+ var device_desc=GetKeyVal(device_key,"DeviceDesc");
+ var device_friendly_name=GetKeyVal(device_key,"FriendlyName");
+ var device_parent_id=GetKeyVal(device_key,"ParentIdPrefix");
+
+ var search_string="";
+ var device_mount_points=Array();
+ if(device_parent_id != "") {
// Windows XP uses the ParentId to link to MountedDevices
- SearchString = "#"+ParentID+"&";
+ search_string="#"+device_parent_id+"&";
} else {
// Since Vista, Unique IDs are used
- SearchString = "#"+storage_subroots[ii]+"#";
+ search_string="#"+storage_subroots[ii]+"#";
}
for(var iii=0; iii<mnt_keys.length; iii++) {
- if(String(mnt_values[iii]).indexOf(SearchString)!=-1) {
- if(br==1) MountPoints = MountPoints + "<br />";
- else br=1;
- MountPoints = MountPoints + mnt_keys[iii];
+ if(String(mnt_values[iii]).indexOf(search_string)!=-1) {
+ device_mount_points.push(mnt_keys[iii]);
+ }
+ }
+
+ var mount_points=device_mount_points.length;
+ if(mount_points>1) {
+ println(" <tr>");
+ PrintTableDataRowSpanCell("left",mount_points,storage_roots[i]);
+ PrintTableDataRowSpanCell("left",mount_points,device_id);
+ PrintTableDataRowSpanCell("left",mount_points,device_class);
+ PrintTableDataRowSpanCell("left",mount_points,device_friendly_name);
+ PrintTableDataCell("left",device_mount_points[0]);
+ PrintTableDataRowSpanCell("left",mount_points,device_parent_id);
+ PrintTableDataRowSpanCell("left",mount_points,device_desc);
+ println(" </tr>");
+ for(var iii=1;iii<device_mount_points.length;iii++) {
+ println(" <tr>");
+ PrintTableDataCell("left",device_mount_points[iii]);
+ println(" </tr>");
+ }
+ } else {
+ println(" <tr>");
+ PrintTableDataCell("left",storage_roots[i]);
+ PrintTableDataCell("left",device_id);
+ PrintTableDataCell("left",device_class);
+ PrintTableDataCell("left",device_friendly_name);
+ if(mount_points!=0) {
+ PrintTableDataCell("left",device_mount_points[0]);
+ } else {
+ PrintTableDataCell("left","n/a");
}
+ PrintTableDataCell("left",device_parent_id);
+ PrintTableDataCell("left",device_desc);
+ println(" </tr>");
}
- if(br==0) MountPoints = MountPoints + "n/a";
-
- print_dev_table_row(storage_roots[i],
- ID,
- Class,
- FriendlyName,
- MountPoints,
- ParentID,
- DeviceDesc);
}
}
println(" </table>");
println(" <br />");
} else {
- println(" <font color=\"red\">This registry hive does not contain a ",
- "list of attached USB storage devices!</font>");
+ println(" <font color=\"red\">This registry hive does not contain a list of attached USB storage devices!</font>");
}
println(" </p>");
} else {
println(" <p><font color=\"red\">");
println(" Unable to determine current control set!<br />");
- println(" Are you sure you are running this report against the correct ",
- "registry hive?");
+ println(" Are you sure you are running this report against the correct registry hive?");
println(" </font></p>");
}
}
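Review bot: The new mount-point collection loop (`for(var iii=0; iii<mnt_keys.length; iii++)` with the `device_mount_points.push` body) dereferences `mnt_keys.length` even when `IsValid(mnt_keys)` was false in the preload at the top of `fred_report_html`, which only guards the fill of `mnt_values`; a hive without a `\MountedDevices` key will therefore abort the report with a TypeError on the first device. Guarding the preload result once, `if(!IsValid(mnt_keys)) mnt_keys=new Array();`, keeps the rest of the code unchanged. The preload itself reads `val.value` without an `IsValid(val)` check, which is the same pattern the rest of this file is careful about. `var mount_points=device_mount_points.length;` names a count like the array it counts; `mount_point_count` would make the later `mount_points>1` / `mount_points!=0` tests read correctly, and `Array()` there differs from the `new Array()` form used for `mnt_values` above. As in the SYSTEM_SystemTimeInfo hunk, `device_friendly_name`, `device_desc` and the mount-point keys are written into the HTML cells unescaped.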