PEASS

winPEAS/winPEASexe/README.md

@@ -0,0 +1,147 @@
+# Windows Privilege Escalation Awsome Script (.exe)
+
+**WinPEAS is a script that searh for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation)**
+
+Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.xyz](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation)
+
+## Quick Start
+
+Download the **[latest version from here](https://github.com/carlospolop/privilege-escalation-awsome-scripts-suite/winpeas/winpeasexe/winpeas/bin/Release)** or **compile it yourself**.
+```bash
+winpeas.exe ansii #ANSII color for linux consoles (reverse shell)
+winpeas.exe #Will execute all checks except the ones that execute MD commands
+winpeas.exe cmd #All checks
+winpeas.exe cmd fast #All except the one that search for files
+winpeas.exe systeminfo userinfo #Only systeminfo and userinfo checks executed 
+```
+
+## Basic information
+
+The goal of this project is to search for possible **Privilege Escalation Paths** in Windows environments.
+
+It should take only a **few seconds** to execute almost all the checks and **some minutes searching in the whole main drive** for known files that could contain passwords (the time depened on the number of files in your drive). Get rif of that time consuming check using the parameter `fast`.
+
+The **ouput will be colored**. Below you have some indications about what does each color means exacty, but keep in mind that **Red** is for something interesting (from a pentester perspective) and **Green** is something good (from a defender perspective).
+
+The tool is heavily based in **[SeatBelt](https://github.com/GhostPack/Seatbelt)**.
+
+**IMPORTANT TO NOTICE:** By default WinPEAS will use colord for Windows terminals (without ANSII characters). If execute winpeas.exe from a reverse shell without any option **no color will be printed**. To see color in a linux terminal you need to use the **ansii** parameter.
+
+## Help
+
+![](https://github.com/carlospolop/privilege-escalation-awsome-scripts-suite/blob/master/winpeas/winpeasexe/images/help.png)
+
+## Colors
+
+<details>
+  <summary>Details</summary>
+    ![](https://github.com/carlospolop/privilege-escalation-awsome-scripts-suite/blob/master/winpeas/winpeasexe/images/colors.png)
+
+</details>
+
+## Checks
+
+<details>
+  <summary>Details</summary>
+    
+- **System Information**
+  - [x] Basic System info information
+  - [x] Use Watson to search for vulnerabilities
+  - [x] PS, Audit, WEF and LAPS Settings
+  - [x] Environment Variables
+  - [x] Internet Settings
+  - [x] Current drives information
+  - [x] AV?
+  - [x] UAC configuration
+
+- **Users Information**
+  - [x] Users information
+  - [x] Current token privileges
+  - [x] Clipboard text
+  - [x] Current logged users
+  - [x] RDP sessions
+  - [x] Ever logged users
+  - [x] Autologin credentials
+  - [x] Home folders
+  - [x] Password policies
+
+- **Processes Information**
+  - [x] Interesting processes (non Microsoft)
+
+- **Services Information**
+  - [x] Interesting services (non Microsoft) information
+  - [x] Writable service registry
+  - [x] PATH Dll Hijacking
+
+- **Applications Information**
+  - [x] Current Active Window
+  - [x] Installed software
+  - [x] AutoRuns
+  - [x] Scheduled tasks
+
+- **Network Information**
+  - [x] Current net shares
+  - [x] hosts file
+  - [x] Network Interfaces
+  - [x] Listening ports
+  - [x] Firewall rules
+  - [x] DNS Cache (limit 70)
+
+- **Windows Credentials**
+  - [x] Windows Vault
+  - [x] Credential Manager
+  - [x] Saved RDO connections
+  - [x] Recently run commands
+  - [x] DPAPI Masterkeys
+  - [x] DPAPI Credential files
+  - [x] Remote Desktop Connection Manager credentials
+  - [x] Kerberos Tickets
+  - [x] Wifi
+  - [x] AppCmd.exe
+  - [x] SSClient.exe
+  - [x] AlwaysInstallElevated
+  - [x] WSUS
+  
+- **Browser Information**
+  - [x] Firefox DBs
+  - [x] Credentials in firefox history
+  - [x] Chrome DBs
+  - [x] Credentials in chrome history
+  - [x] Current IE tabs
+  - [x] Credentials in IE history
+  - [x] IE Favorites
+
+- **Interesting Files and registry**
+  - [x] Putty sessions
+  - [x] Putty SSH host keys
+  - [x] Cloud credentials
+  - [x] Possible registries with credentials
+  - [x] Possible credentials files in users homes
+  - [x] Possible password files inside the Recycle bin
+  - [x] Possible files containing credentials (this take some minutes)
+  - [x] User documents (limit 100)
+
+</details>
+
+## Do not fork it!!
+
+If you want to **add something** and have **any cool idea** related to this project, please let me know it using the [github issues](https://github.com/carlospolop/privilege-escalation-awsome-scripts-suite/issues) and we will update the master version.
+
+## TODO
+
+- Add more checks
+- Mantain updated Watson
+- List wifi networks without using CMD
+- List credentials inside the Credential Manager without using CMD
+
+If you want to help with any of this, you can do it using [github issues](https://github.com/carlospolop/privilege-escalation-awsome-scripts-suite/issues) or you can submit a pull request.
+
+If you find any issue, please report it using [github issues](https://github.com/carlospolop/privilege-escalation-awsome-scripts-suite/issues).
+
+**WinPEAS** is being **updated** every time I find something that could be useful to escalate privileges.
+
+## License
+
+MIT License
+
+By Polop<sup>(TM)</sup>

winPEAS/winPEASexe/packages/Costura.Fody.4.1.0/build/Costura.Fody.props

@@ -0,0 +1,5 @@
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <WeaverFiles Include="$(MsBuildThisFileDirectory)..\weaver\$(MSBuildThisFileName).dll" />
+  </ItemGroup>
+</Project>

winPEAS/winPEASexe/packages/Costura.Fody.4.1.0/lib/net40/Costura.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+<doc>
+    <assembly>
+        <name>Costura</name>
+    </assembly>
+    <members>
+        <member name="T:CosturaUtility">
+            <summary>
+            Contains methods for interacting with the Costura system.
+            </summary>
+        </member>
+        <member name="M:CosturaUtility.Initialize">
+            <summary>
+            Call this to Initialize the Costura system.
+            </summary>
+        </member>
+    </members>
+</doc>

winPEAS/winPEASexe/packages/Costura.Fody.4.1.0/weaver/Costura.Fody.xcf

@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<xs:complexType xmlns:xs="http://www.w3.org/2001/XMLSchema">
+  <xs:all>
+    <xs:element  minOccurs="0" maxOccurs="1" name="ExcludeAssemblies" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with line breaks</xs:documentation>
+      </xs:annotation>
+    </xs:element>
+    <xs:element  minOccurs="0" maxOccurs="1" name="IncludeAssemblies" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>A list of assembly names to include from the default action of "embed all Copy Local references", delimited with line breaks.</xs:documentation>
+      </xs:annotation>
+    </xs:element>
+    <xs:element  minOccurs="0" maxOccurs="1" name="Unmanaged32Assemblies" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>A list of unmanaged 32 bit assembly names to include, delimited with line breaks.</xs:documentation>
+      </xs:annotation>
+    </xs:element>
+    <xs:element  minOccurs="0" maxOccurs="1" name="Unmanaged64Assemblies" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>A list of unmanaged 64 bit assembly names to include, delimited with line breaks.</xs:documentation>
+      </xs:annotation>
+    </xs:element>
+    <xs:element  minOccurs="0" maxOccurs="1" name="PreloadOrder" type="xs:string">
+      <xs:annotation>
+        <xs:documentation>The order of preloaded assemblies, delimited with line breaks.</xs:documentation>
+      </xs:annotation>
+    </xs:element>
+  </xs:all>
+  <xs:attribute name="CreateTemporaryAssemblies" type="xs:boolean">
+    <xs:annotation>
+      <xs:documentation>This will copy embedded files to disk before loading them into memory. This is helpful for some scenarios that expected an assembly to be loaded from a physical file.</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+  <xs:attribute name="IncludeDebugSymbols" type="xs:boolean">
+    <xs:annotation>
+      <xs:documentation>Controls if .pdbs for reference assemblies are also embedded.</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+  <xs:attribute name="DisableCompression" type="xs:boolean">
+    <xs:annotation>
+      <xs:documentation>Embedded assemblies are compressed by default, and uncompressed when they are loaded. You can turn compression off with this option.</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+  <xs:attribute name="DisableCleanup" type="xs:boolean">
+    <xs:annotation>
+      <xs:documentation>As part of Costura, embedded assemblies are no longer included as part of the build. This cleanup can be turned off.</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+  <xs:attribute name="LoadAtModuleInit" type="xs:boolean">
+    <xs:annotation>
+      <xs:documentation>Costura by default will load as part of the module initialization. This flag disables that behavior. Make sure you call CosturaUtility.Initialize() somewhere in your code.</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+  <xs:attribute name="IgnoreSatelliteAssemblies" type="xs:boolean">
+    <xs:annotation>
+      <xs:documentation>Costura will by default use assemblies with a name like 'resources.dll' as a satellite resource and prepend the output path. This flag disables that behavior.</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+  <xs:attribute name="ExcludeAssemblies" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>A list of assembly names to exclude from the default action of "embed all Copy Local references", delimited with |</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+  <xs:attribute name="IncludeAssemblies" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>A list of assembly names to include from the default action of "embed all Copy Local references", delimited with |.</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+  <xs:attribute name="Unmanaged32Assemblies" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>A list of unmanaged 32 bit assembly names to include, delimited with |.</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+  <xs:attribute name="Unmanaged64Assemblies" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>A list of unmanaged 64 bit assembly names to include, delimited with |.</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+  <xs:attribute name="PreloadOrder" type="xs:string">
+    <xs:annotation>
+      <xs:documentation>The order of preloaded assemblies, delimited with |.</xs:documentation>
+    </xs:annotation>
+  </xs:attribute>
+</xs:complexType>

winPEAS/winPEASexe/packages/Fody.6.0.0/build/Fody.targets

@@ -0,0 +1,110 @@
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+
+  <PropertyGroup>
+    <ProjectWeaverXml Condition="$(ProjectWeaverXml) == ''">$(ProjectDir)FodyWeavers.xml</ProjectWeaverXml>
+    <FodyPath Condition="$(FodyPath) == ''">$(MSBuildThisFileDirectory)..\</FodyPath>
+    <FodyAssemblyDirectory Condition="$(MSBuildRuntimeType) == 'Core'">$(FodyPath)netstandardtask</FodyAssemblyDirectory>
+    <FodyAssemblyDirectory Condition="$(MSBuildRuntimeType) != 'Core'">$(FodyPath)netclassictask</FodyAssemblyDirectory>
+    <FodyAssembly Condition="$(FodyAssembly) == ''">$(FodyAssemblyDirectory)\Fody.dll</FodyAssembly>
+    <DefaultItemExcludes>$(DefaultItemExcludes);FodyWeavers.xsd</DefaultItemExcludes>
+    <FodyGenerateXsd Condition="$(FodyGenerateXsd) == ''">true</FodyGenerateXsd>
+    <MsBuildMajorVersion>15</MsBuildMajorVersion>
+    <MsBuildMajorVersion Condition="'$(MSBuildVersion)' != ''">$([System.Version]::Parse($(MSBuildVersion)).Major)</MsBuildMajorVersion>
+  </PropertyGroup>
+
+  <ItemGroup Condition="Exists($(ProjectWeaverXml))">
+    <UpToDateCheckInput Include="$(ProjectWeaverXml)" />
+    <CustomAdditionalCompileInputs Include="$(ProjectWeaverXml)" />
+  </ItemGroup>
+
+  <!-- Support for NCrunch -->
+  <ItemGroup Condition="'$(NCrunch)' == '1' and '$(TargetFramework)' == '' and '$(TargetFrameworks)' == ''">
+    <None Include="$(FodyAssemblyDirectory)\*.*" />
+    <None Include="@(WeaverFiles)" />
+  </ItemGroup>
+
+  <UsingTask TaskName="Fody.WeavingTask" AssemblyFile="$(FodyAssembly)" />
+  <UsingTask TaskName="Fody.UpdateReferenceCopyLocalTask" AssemblyFile="$(FodyAssembly)" />
+  <UsingTask TaskName="Fody.VerifyTask" AssemblyFile="$(FodyAssembly)" />
+
+  <Target
+      Name="FodyTarget"
+      AfterTargets="AfterCompile"
+      Condition="Exists(@(IntermediateAssembly)) And $(DesignTimeBuild) != true And $(DisableFody) != true"
+      DependsOnTargets="$(FodyDependsOnTargets)"
+      Inputs="@(IntermediateAssembly);$(ProjectWeaverXml)"
+      Outputs="$(IntermediateOutputPath)$(MSBuildProjectFile).Fody.CopyLocal.cache">
+
+    <Error Condition="($(MsBuildMajorVersion) &lt; 16)"
+           Text="Fody is only supported on MSBuild 16 and above. Current version: $(MsBuildMajorVersion)." />
+    <Fody.WeavingTask
+        AssemblyFile="@(IntermediateAssembly)"
+        IntermediateDirectory="$(ProjectDir)$(IntermediateOutputPath)"
+        KeyOriginatorFile="$(KeyOriginatorFile)"
+        AssemblyOriginatorKeyFile="$(AssemblyOriginatorKeyFile)"
+        ProjectDirectory="$(MSBuildProjectDirectory)"
+        ProjectFile="$(MSBuildProjectFullPath)"
+        SolutionDirectory="$(SolutionDir)"
+        References="@(ReferencePath)"
+        SignAssembly="$(SignAssembly)"
+        ReferenceCopyLocalFiles="@(ReferenceCopyLocalPaths)"
+        DefineConstants="$(DefineConstants)"
+        DebugType="$(DebugType)"
+        DocumentationFile="@(DocFileItem->'%(FullPath)')"
+        WeaverFiles="@(WeaverFiles)"
+        NCrunchOriginalSolutionDirectory="$(NCrunchOriginalSolutionDir)"
+        IntermediateCopyLocalFilesCache="$(IntermediateOutputPath)$(MSBuildProjectFile).Fody.CopyLocal.cache"
+        GenerateXsd="$(FodyGenerateXsd)"
+      >
+
+      <Output
+        TaskParameter="ExecutedWeavers"
+        PropertyName="FodyExecutedWeavers" />
+
+    </Fody.WeavingTask>
+
+    <ItemGroup>
+      <FileWrites Include="$(IntermediateOutputPath)$(MSBuildProjectFile).Fody.CopyLocal.cache" />
+    </ItemGroup>
+
+  </Target>
+
+  <Target
+      Name="FodyUpdateCopyLocalFilesTarget"
+      AfterTargets="FodyTarget"
+    >
+
+    <Fody.UpdateReferenceCopyLocalTask
+        ReferenceCopyLocalFiles="@(ReferenceCopyLocalPaths)"
+        IntermediateCopyLocalFilesCache="$(IntermediateOutputPath)$(MSBuildProjectFile).Fody.CopyLocal.cache"
+      >
+
+      <Output
+        TaskParameter="UpdatedReferenceCopyLocalFiles"
+        ItemName="FodyUpdatedReferenceCopyLocalPaths" />
+
+    </Fody.UpdateReferenceCopyLocalTask>
+
+    <ItemGroup>
+      <ReferenceCopyLocalPaths Remove="@(ReferenceCopyLocalPaths)" />
+      <ReferenceCopyLocalPaths Include="@(FodyUpdatedReferenceCopyLocalPaths)" />
+    </ItemGroup>
+
+  </Target>
+
+  <Target
+      Name="FodyVerifyTarget"
+      AfterTargets="AfterBuild"
+      Condition="'$(NCrunch)' != '1' And $(FodyExecutedWeavers) != '' And $(DisableFody) != true"
+      DependsOnTargets="$(FodyVerifyDependsOnTargets)">
+
+    <Fody.VerifyTask
+        ProjectDirectory="$(MSBuildProjectDirectory)"
+        TargetPath="$(TargetPath)"
+        SolutionDirectory="$(SolutionDir)"
+        DefineConstants="$(DefineConstants)"
+        NCrunchOriginalSolutionDirectory="$(NCrunchOriginalSolutionDir)"
+      />
+  </Target>
+
+</Project>

winPEAS/winPEASexe/winPEAS.sln

@@ -0,0 +1,37 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.29326.143
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "winPEAS", "winPEAS\winPEAS.csproj", "{D934058E-A7DB-493F-A741-AE8E3DF867F4}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|Any CPU = Release|Any CPU
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Debug|x64.ActiveCfg = Debug|x64
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Debug|x64.Build.0 = Debug|x64
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Debug|x86.ActiveCfg = Debug|x86
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Debug|x86.Build.0 = Debug|x86
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Release|Any CPU.Build.0 = Release|Any CPU
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Release|x64.ActiveCfg = Release|x64
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Release|x64.Build.0 = Release|x64
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Release|x86.ActiveCfg = Release|x86
+		{D934058E-A7DB-493F-A741-AE8E3DF867F4}.Release|x86.Build.0 = Release|x86
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {D5215BC3-80A2-4E63-B560-A8F78A763B7C}
+	EndGlobalSection
+EndGlobal

winPEAS/winPEASexe/winPEAS/App.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
+    </startup>
+</configuration>

winPEAS/winPEASexe/winPEAS/ApplicationInfo.cs

@@ -0,0 +1,171 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Runtime.InteropServices;
+using System.Text;
+using Microsoft.Win32;
+using Microsoft.Win32.TaskScheduler;
+
+namespace winPEAS
+{
+    class ApplicationInfo
+    {
+        // https://stackoverflow.com/questions/115868/how-do-i-get-the-title-of-the-current-active-window-using-c
+        [DllImport("user32.dll")]
+        static extern IntPtr GetForegroundWindow();
+
+        [DllImport("user32.dll")]
+        static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int count);
+
+        public static string GetActiveWindowTitle()
+        {
+            const int nChars = 256;
+            StringBuilder Buff = new StringBuilder(nChars);
+            IntPtr handle = GetForegroundWindow();
+
+            if (GetWindowText(handle, Buff, nChars) > 0)
+            {
+                return Buff.ToString();
+            }
+            return null;
+        }
+
+        public static List<string> GetAppsRegistry()
+        {
+            List<string> retList = new List<string>();
+            try
+            {
+                RegistryKey softwareKey = Registry.LocalMachine.OpenSubKey("SOFTWARE");
+                foreach (string subKeyName in softwareKey.GetSubKeyNames())
+                {
+                    retList.Add(subKeyName);
+                }
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine(ex);
+            }
+            return retList;
+        }
+
+        public static Dictionary<string, Dictionary<string, string>> GetInstalledAppsPermsPath(string fpath)
+        {
+            Dictionary<string, Dictionary<string, string>> results = new Dictionary<string, Dictionary<string, string>>();
+            try
+            {
+                foreach (string f in Directory.GetFiles(fpath))
+                {
+                    results[f] = new Dictionary<string, string>(){
+                            { f, String.Join(", ", MyUtils.GetPermissionsFile(f, Program.interestingUsersGroups)) }
+                        };
+                }
+                foreach (string d in Directory.GetDirectories(fpath))
+                {
+                    results[d] = MyUtils.GecRecursivePrivs(d);
+                }
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine(ex);
+            }
+            return results;
+        }
+
+        public static Dictionary<string, Dictionary<string, string>> GetInstalledAppsPerms()
+        {
+            Dictionary<string, Dictionary<string, string>> results1 = GetInstalledAppsPermsPath(@Path.GetPathRoot(Environment.SystemDirectory) + "Program Files");
+            Dictionary<string, Dictionary<string, string>> results2 = GetInstalledAppsPermsPath(@Path.GetPathRoot(Environment.SystemDirectory) + "Program Files (x86)");
+            results1.Concat(results2).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
+            return results1;
+        }
+
+        public static List<Dictionary<string, string>> GetAutoRunsFolder()
+        {
+            List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
+            List<string> autorunLocations = new List<string>();
+            autorunLocations.Add(Environment.ExpandEnvironmentVariables(@"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup"));
+            autorunLocations.Add(Environment.ExpandEnvironmentVariables(@"%programdata%\Microsoft\Windows\Start Menu\Programs\Startup"));
+
+            foreach (string path in autorunLocations)
+            {
+                /*results.Add(new Dictionary<string, string>() {
+                            { "Reg", "" },
+                            { "Folder", path },
+                            { "File", "" },
+                            { "isWritableReg", ""},
+                            { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(path, Program.interestingUsersGroups))},
+                            { "interestingFileRights", ""},
+                            { "isUnquotedSpaced", "" }
+                    });*/
+                foreach (string filepath in Directory.GetFiles(path, "*", SearchOption.TopDirectoryOnly))
+                {
+                    string folder = Path.GetDirectoryName(filepath);
+                    results.Add(new Dictionary<string, string>() {
+                            { "Reg", "" },
+                            { "Folder", folder },
+                            { "File", filepath },
+                            { "isWritableReg", ""},
+                            { "interestingFolderRights", String.Join(", ", MyUtils.GetPermissionsFolder(folder, Program.interestingUsersGroups))},
+                            { "interestingFileRights", String.Join(", ", MyUtils.GetPermissionsFile(filepath, Program.interestingUsersGroups))},
+                            { "isUnquotedSpaced", "" }
+                    });
+                }
+            }
+            return results;
+        }
+
+        public static List<Dictionary<string, string>> GetAutoRuns()
+        {
+            List<Dictionary<string, string>> reg_autorus = ServicesInfo.GetRegistryAutoRuns();
+            List<Dictionary<string, string>> file_autorus = GetAutoRunsFolder();
+            reg_autorus.AddRange(file_autorus);
+            return reg_autorus;
+        }
+
+        public static List<Dictionary<string, string>> GetScheduledAppsNoMicrosoft()
+        {
+            List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
+            try
+            {
+                void EnumFolderTasks(TaskFolder fld)
+                {
+                    foreach (Microsoft.Win32.TaskScheduler.Task task in fld.Tasks)
+                        ActOnTask(task);
+                    //task.Name
+                    //task.Enabled
+                    //task.Definition.Actions
+                    //task.Definition
+                    foreach (TaskFolder sfld in fld.SubFolders)
+                        EnumFolderTasks(sfld);
+                }
+
+                void ActOnTask(Microsoft.Win32.TaskScheduler.Task t)
+                {
+                    if (t.Enabled && (!String.IsNullOrEmpty(t.Definition.RegistrationInfo.Author) && !t.Definition.RegistrationInfo.Author.Contains("Microsoft")))
+                    {
+                        List<string> f_trigger = new List<string>();
+                        foreach (Trigger trigger in t.Definition.Triggers)
+                            f_trigger.Add(String.Format("{0}", trigger));
+
+                        results.Add(new Dictionary<string, string>()
+                    {
+                        { "Name", t.Name },
+                        { "Action", Environment.ExpandEnvironmentVariables(String.Format("{0}", t.Definition.Actions)) },
+                        { "Trigger", String.Join("\n             ", f_trigger) },
+                        { "Author", String.Join(", ", t.Definition.RegistrationInfo.Author) },
+                        { "Description", String.Join(", ", t.Definition.RegistrationInfo.Description) },
+                    });
+                    }
+                }
+                EnumFolderTasks(TaskService.Instance.RootFolder);
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine(ex);
+            }
+            return results;
+        }
+
+    }
+}