# Script-wide suppression of non-terminating errors (missing registry keys,
# access denied, failed signature lookups). This keeps the console clean, but
# it also means an incomplete result looks identical to a complete one, and
# the Try/Catch blocks further down only ever see terminating errors.
$ErrorActionPreference = 'SilentlyContinue'
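function Get-Signature {
    <#
    .SYNOPSIS
        Classifies the Authenticode signature state of a file as a short label.
    .DESCRIPTION
        Returns one of the fixed strings used in the BAM report:
        "Valid Signature", "Invalid Signature (<status>)" or
        "File Was Not Found". A "Valid" result only means the signature chains
        to a root trusted on the examining machine at the time of the check;
        it says nothing about what the file does.
    .PARAMETER FilePath
        Path of the file to inspect. Declared as [string[]] for compatibility
        with existing callers; the script passes a single path.
    .OUTPUTS
        System.String - one label describing the signature state.
    #>
    [CmdletBinding()]
    param (
        [string[]]$FilePath
    )

    # A missing or non-file path cannot be checked; report that explicitly
    # instead of folding it into the "UnknownError" bucket.
    if (-not (Test-Path -PathType "Leaf" -Path $FilePath)) {
        return "File Was Not Found"
    }

    $Authenticode = (Get-AuthenticodeSignature -FilePath $FilePath -ErrorAction SilentlyContinue).Status

    switch ("$Authenticode") {
        "Valid"        { return "Valid Signature" }
        "NotSigned"    { return "Invalid Signature (NotSigned)" }
        "HashMismatch" { return "Invalid Signature (HashMismatch)" }
        "NotTrusted"   { return "Invalid Signature (NotTrusted)" }
        "UnknownError" { return "Invalid Signature (UnknownError)" }
        default {
            # The cmdlet itself failed (no status at all): keep the generic
            # label. Any other status (e.g. an unsupported file format) is
            # reported by name rather than mislabelled as UnknownError.
            if ([string]::IsNullOrEmpty("$Authenticode")) {
                return "Invalid Signature (UnknownError)"
            }
            return "Invalid Signature ($Authenticode)"
        }
    }
}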
# Console banner only; nothing here affects the collected data.
Clear-Host
Write-Host ''
Write-Host ''
Write-Host 'SunV - PC Checking Software' -ForegroundColor Blue
Write-Host ''
Write-Host ' Made By Emma for SunV - ' -ForegroundColor Blue -NoNewLine
Write-Host 'discord.gg/sunv' -ForegroundColor Red
Write-Host ''
# Returns $true when the current Windows identity holds the local
# Administrators role; the script treats elevation as required for reading
# the BAM registry keys.
function Test-Admin {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
# Refuse to continue without elevation; the pause gives a double-clicked
# console window time to show the warning before it closes.
if (-not (Test-Admin)) {
    Write-Warning "Please Run This Script as Admin."
    Start-Sleep -Seconds 10
    Exit
}
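# Wall-clock timer for the "Elapsed Time" line printed at the end.
$sw = [Diagnostics.Stopwatch]::StartNew()

# Make sure the HKLM: registry drive exists before the BAM keys are read.
# -ErrorAction Stop turns a New-PSDrive failure into a terminating error so
# the Catch actually runs; under the script-wide SilentlyContinue the failure
# would otherwise be swallowed and the warning would never be shown.
if (-not (Get-PSDrive -Name HKLM -PSProvider Registry -ErrorAction SilentlyContinue)) {
    Try {
        New-PSDrive -Name HKLM -PSProvider Registry -Root HKEY_LOCAL_MACHINE -ErrorAction Stop
    }
    Catch {
        Write-Warning "Error Mounting HKEY_Local_Machine"
    }
}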
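# BAM per-user execution records live under one of two candidate keys
# (bam\UserSettings or bam\State\UserSettings); both are probed. The SID list
# is de-duplicated because every SID is later matched against every path in
# $rpath anyway, so a SID present under both keys would otherwise produce
# each row twice.
$bv = ("bam", "bam\State")
Try {
    $Users = @(foreach ($ii in $bv) {
        Get-ChildItem -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($ii)\UserSettings\" |
            Select-Object -ExpandProperty PSChildName
    }) | Select-Object -Unique
}
Catch {
    Write-Warning "Error Parsing BAM Key. Likely unsupported Windows Version"
    Exit
}
# Under the script-wide SilentlyContinue a missing key is a non-terminating
# error, so the Catch above does not fire for it; an empty SID list is the
# real "unsupported build / nothing to read" signal and is checked explicitly.
if (-not $Users) {
    Write-Warning "Error Parsing BAM Key. Likely unsupported Windows Version"
    Exit
}

$rpath = @("HKLM:\SYSTEM\CurrentControlSet\Services\bam\", "HKLM:\SYSTEM\CurrentControlSet\Services\bam\state\")

# Time-zone data of the examined machine, read once (all three values come
# from the same key). ActiveTimeBias/DaylightBias are minutes and are used
# below as UTC = local + bias.
$tzInfo = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
$UserTime = $tzInfo.TimeZoneKeyName
$UserBias = $tzInfo.ActiveTimeBias
$UserDay = $tzInfo.DaylightBias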
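# The bias values are loop-invariant, so compute them once. The
# ToString(x,2)/ToInt32(s,2) round trip re-interprets the DWORD's 32-bit
# pattern as a signed value; negating it gives the minutes to add to a UTC
# timestamp to obtain the user's local time (UTC = local + bias). Both are
# also used in the Out-GridView title after the loop, so they must exist even
# when no BAM entry is found.
$Bias = -([convert]::ToInt32([Convert]::ToString($UserBias, 2), 2))
$Day = -([convert]::ToInt32([Convert]::ToString($UserDay, 2), 2))

# BAM value names for executed binaries are NT device paths of the form
# \Device\HarddiskVolume<N>\<path relative to the volume root>.
$VolumePrefix = '^\\Device\\HarddiskVolume\d+'
$TimeFormat = "yyyy-MM-dd HH:mm:ss"

$Bam = Foreach ($Sid in $Users) {
    # Resolve the SID to an account name once per SID; SIDs that no longer
    # resolve (deleted profiles, other domains) are reported with an empty User.
    Try {
        $objSID = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $User = $objSID.Translate([System.Security.Principal.NTAccount]).Value
    }
    Catch { $User = "" }

    foreach ($rp in $rpath) {
        $KeyPath = "$($rp)UserSettings\$Sid"
        Write-Host -ForegroundColor Red "Extracting " -NoNewLine
        Write-Host -ForegroundColor Blue $KeyPath

        # Read the key once and look values up by exact name; a per-value
        # Get-ItemProperty/-ExpandProperty would re-read the key for every
        # entry and treat wildcard characters in a path as a pattern.
        $BamItems = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Property
        $KeyValues = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

        ForEach ($Item in $BamItems) {
            $Key = $KeyValues.PSObject.Properties[$Item].Value

            # Only 24-byte binary values are execution records; anything else
            # under the key is skipped. Bytes 0..7 hold a little-endian
            # FILETIME, reversed here so the hex string reads big-endian.
            if (-not ($Key -is [byte[]]) -or $Key.Length -ne 24) { continue }
            $Hex = [System.BitConverter]::ToString($Key[7..0]) -replace "-", ""
            $FileTime = [Convert]::ToInt64($Hex, 16)

            $TimeLocal = Get-Date ([DateTime]::FromFileTime($FileTime)) -Format $TimeFormat
            $TimeUTC = Get-Date ([DateTime]::FromFileTimeUtc($FileTime)) -Format $TimeFormat
            $UserDateTime = [DateTime]::FromFileTimeUtc($FileTime).AddMinutes($Bias)
            $TimeUser = Get-Date $UserDateTime -Format $TimeFormat

            # Map the device path to a drive path for display and for the
            # signature check. The volume prefix is stripped by pattern rather
            # than by a fixed character count, so multi-digit volume numbers
            # are handled. Names that are not device paths are shown as-is.
            # NOTE(review): every HarddiskVolume is mapped to C:, so Path is
            # only meaningful for binaries on the system drive; a
            # device-to-drive-letter lookup would be more faithful. The
            # signature describes the file currently at that path, not
            # necessarily the binary that ran at the recorded time.
            if ($Item -match $VolumePrefix) {
                $f = Split-Path -Leaf ($Item.TrimStart())
                $path = Join-Path -Path "C:" -ChildPath ($Item -replace $VolumePrefix, '')
                $sig = Get-Signature -FilePath $path
            } else {
                $f = $Item
                $path = ""
                $sig = ""
            }

            [PSCustomObject]@{
                'Examiner Time' = $TimeLocal
                'Last Execution Time (UTC)' = $TimeUTC
                'Last Execution User Time' = $TimeUser
                Application = $f
                Path = $path
                Signature = $sig
                User = $User
                SID = $Sid
                Regpath = $rp
            }
        }
    }
}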
# Interactive review of the collected rows; -PassThru emits whatever the user
# selects when the grid is closed (the selection is not used further).
$gridTitle = "BAM key entries $($Bam.count) - User TimeZone: ($UserTime) -> ActiveBias: ( $Bias) - DayLightTime: ($Day)"
$Bam | Out-GridView -PassThru -Title $gridTitle

$sw.Stop()
$elapsedMinutes = $sw.Elapsed.TotalMinutes
Write-Host ''
Write-Host "Elapsed Time $elapsedMinutes Minutes" -ForegroundColor Yellow