mnerv
878d19f917
Add PowerShell scripts for collecting forensic artifacts: - USB/storage devices, mounted drives, portable devices - Network history and hotspot connections - Recent documents (OpenSavePidlMRU with PIDL parsing) - System info and user enumeration with multiple output modes Includes TODO.md for planned artifacts and updated README.
175 lines
7.4 KiB
PowerShell
175 lines
7.4 KiB
PowerShell
# Get-Users.ps1
|
|
# Lists all users on the system with detailed information
|
|
|
|
param(
|
|
[Parameter(Position=0)]
|
|
[ValidateSet("simple", "detailed", "full")]
|
|
[string]$Mode = "simple"
|
|
)
|
|
|
|
Write-Host "=== System Users ===" -ForegroundColor Cyan
|
|
|
|
if ($Mode -eq "simple") {
|
|
Write-Host "Mode: Simple (use -Mode detailed or -Mode full for more info)`n" -ForegroundColor Yellow
|
|
} elseif ($Mode -eq "detailed") {
|
|
Write-Host "Mode: Detailed`n" -ForegroundColor Yellow
|
|
} else {
|
|
Write-Host "Mode: Full`n" -ForegroundColor Yellow
|
|
}
|
|
|
|
# Local Users
|
|
Write-Host "--- Local User Accounts ---" -ForegroundColor Yellow
|
|
try {
|
|
$localUsers = Get-LocalUser
|
|
|
|
if ($Mode -eq "simple") {
|
|
# Simple mode: just list usernames
|
|
foreach ($user in $localUsers) {
|
|
$status = if ($user.Enabled) { "" } else { " (Disabled)" }
|
|
Write-Host "$($user.Name)$status" -ForegroundColor Green
|
|
}
|
|
|
|
} elseif ($Mode -eq "detailed") {
|
|
# Detailed mode: username, enabled status, last logon
|
|
foreach ($user in $localUsers) {
|
|
Write-Host "`n$($user.Name)" -ForegroundColor Green
|
|
Write-Host " Enabled: $($user.Enabled)" -ForegroundColor Cyan
|
|
Write-Host " Last Logon: $(if ($user.LastLogon) { $user.LastLogon.ToString('yyyy-MM-dd HH:mm:ss') } else { 'Never' })" -ForegroundColor Cyan
|
|
Write-Host " Password Last Set: $(if ($user.PasswordLastSet) { $user.PasswordLastSet.ToString('yyyy-MM-dd HH:mm:ss') } else { 'Never' })" -ForegroundColor Cyan
|
|
}
|
|
|
|
} else {
|
|
# Full mode: all details
|
|
foreach ($user in $localUsers) {
|
|
Write-Host "`nUsername: $($user.Name)" -ForegroundColor Green
|
|
Write-Host " Full Name: $($user.FullName)" -ForegroundColor Cyan
|
|
Write-Host " Description: $($user.Description)" -ForegroundColor Cyan
|
|
Write-Host " Enabled: $($user.Enabled)" -ForegroundColor Cyan
|
|
Write-Host " Account Expires: $(if ($user.AccountExpires) { $user.AccountExpires } else { 'Never' })" -ForegroundColor Cyan
|
|
Write-Host " Password Last Set: $(if ($user.PasswordLastSet) { $user.PasswordLastSet.ToString('yyyy-MM-dd HH:mm:ss') } else { 'Never' })" -ForegroundColor Cyan
|
|
Write-Host " Password Expires: $(if ($user.PasswordExpires) { $user.PasswordExpires } else { 'Never' })" -ForegroundColor Cyan
|
|
Write-Host " Last Logon: $(if ($user.LastLogon) { $user.LastLogon.ToString('yyyy-MM-dd HH:mm:ss') } else { 'Never' })" -ForegroundColor Cyan
|
|
Write-Host " Password Required: $($user.PasswordRequired)" -ForegroundColor Cyan
|
|
Write-Host " User May Change Password: $($user.UserMayChangePassword)" -ForegroundColor Cyan
|
|
Write-Host " SID: $($user.SID)" -ForegroundColor Gray
|
|
}
|
|
}
|
|
|
|
Write-Host "`nTotal Local Users: $($localUsers.Count)" -ForegroundColor Green
|
|
|
|
} catch {
|
|
Write-Host "Error getting local users: $_" -ForegroundColor Red
|
|
}
|
|
|
|
# Only show profile paths in detailed and full modes
|
|
if ($Mode -ne "simple") {
|
|
Write-Host "`n--- User Profiles (from Registry) ---" -ForegroundColor Yellow
|
|
try {
|
|
$profileListPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
|
|
|
|
if (Test-Path $profileListPath) {
|
|
$profiles = Get-ChildItem -Path $profileListPath -ErrorAction SilentlyContinue
|
|
|
|
foreach ($profile in $profiles) {
|
|
$props = Get-ItemProperty -Path $profile.PSPath -ErrorAction SilentlyContinue
|
|
|
|
if ($props.ProfileImagePath) {
|
|
$sid = $profile.PSChildName
|
|
|
|
# Try to resolve SID to username
|
|
try {
|
|
$objSID = New-Object System.Security.Principal.SecurityIdentifier($sid)
|
|
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
|
|
$username = $objUser.Value
|
|
} catch {
|
|
$username = "Unknown"
|
|
}
|
|
|
|
Write-Host "`n$username" -ForegroundColor Green
|
|
Write-Host " Profile Path: $($props.ProfileImagePath)" -ForegroundColor Cyan
|
|
|
|
if ($Mode -eq "full") {
|
|
Write-Host " SID: $sid" -ForegroundColor Gray
|
|
|
|
if ($props.LocalProfileLoadTimeHigh -and $props.LocalProfileLoadTimeLow) {
|
|
$loadTime = [DateTime]::FromFileTime(([Int64]$props.LocalProfileLoadTimeHigh -shl 32) -bor $props.LocalProfileLoadTimeLow)
|
|
Write-Host " Profile Load Time: $($loadTime.ToString('yyyy-MM-dd HH:mm:ss'))" -ForegroundColor Cyan
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
} catch {
|
|
Write-Host "Error reading profile list: $_" -ForegroundColor Red
|
|
}
|
|
}
|
|
|
|
# Currently Logged In Users
|
|
Write-Host "`n--- Currently Logged In Users ---" -ForegroundColor Yellow
|
|
try {
|
|
$loggedInUsers = quser 2>$null
|
|
|
|
if ($loggedInUsers) {
|
|
$loggedInUsers | ForEach-Object {
|
|
Write-Host $_ -ForegroundColor Green
|
|
}
|
|
} else {
|
|
# Alternative method using WMI
|
|
$sessions = Get-CimInstance -ClassName Win32_ComputerSystem
|
|
if ($sessions.UserName) {
|
|
Write-Host "$($sessions.UserName)" -ForegroundColor Green
|
|
} else {
|
|
Write-Host "No users currently logged in" -ForegroundColor Gray
|
|
}
|
|
}
|
|
} catch {
|
|
Write-Host "Error getting logged in users: $_" -ForegroundColor Red
|
|
}
|
|
|
|
# Only show groups in full mode
|
|
if ($Mode -eq "full") {
|
|
Write-Host "`n--- Local Groups ---" -ForegroundColor Yellow
|
|
try {
|
|
$groups = Get-LocalGroup
|
|
|
|
foreach ($group in $groups) {
|
|
Write-Host "`n$($group.Name)" -ForegroundColor Green
|
|
Write-Host " Description: $($group.Description)" -ForegroundColor Cyan
|
|
Write-Host " SID: $($group.SID)" -ForegroundColor Gray
|
|
|
|
# Get group members
|
|
try {
|
|
$members = Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue
|
|
if ($members) {
|
|
Write-Host " Members:" -ForegroundColor Cyan
|
|
foreach ($member in $members) {
|
|
Write-Host " - $($member.Name) ($($member.ObjectClass))" -ForegroundColor Yellow
|
|
}
|
|
} else {
|
|
Write-Host " Members: None" -ForegroundColor Gray
|
|
}
|
|
} catch {
|
|
Write-Host " Members: Unable to retrieve" -ForegroundColor Gray
|
|
}
|
|
}
|
|
} catch {
|
|
Write-Host "Error getting local groups: $_" -ForegroundColor Red
|
|
}
|
|
}
|
|
|
|
# Summary
|
|
if ($Mode -ne "simple") {
|
|
Write-Host "`n=== Summary ===" -ForegroundColor Cyan
|
|
try {
|
|
$enabledUsers = (Get-LocalUser | Where-Object { $_.Enabled -eq $true }).Count
|
|
$disabledUsers = (Get-LocalUser | Where-Object { $_.Enabled -eq $false }).Count
|
|
$totalGroups = (Get-LocalGroup).Count
|
|
|
|
Write-Host "Enabled Users: $enabledUsers" -ForegroundColor Green
|
|
Write-Host "Disabled Users: $disabledUsers" -ForegroundColor Green
|
|
Write-Host "Total Groups: $totalGroups" -ForegroundColor Green
|
|
} catch {
|
|
Write-Host "Error generating summary" -ForegroundColor Red
|
|
}
|
|
}
|