Enumerating Logged-On Users on Remote Systems via RemoteRegistry / Winreg Named Pipe
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Text.RegularExpressions;
/*
PoC to enumerate logged-on users on a remote system using the winreg named pipe.
Based on the work of Rohan Vazarkar (@cptjesus) and Antonio Cocomazzi (@splinter_code).
RemoteRegistry service must be enabled (default) for this to work.
https://twitter.com/splinter_code/status/1715876413474025704
https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-3/
https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/Tasks/LoggedOnTasks.cs#L150
https://twitter.com/an0n_r0/status/1728580102760358296
*/
namespace GetLoggedOnUsersRegistry
{
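internal class Program
{
    /// <summary>
    /// Entry point: lists the per-user subkeys of the remote HKEY_USERS hive and resolves each
    /// account SID to a "DOMAIN\user" name.
    /// </summary>
    /// <param name="args">Optional; <c>args[0]</c> is the target host name. Falls back to the local
    /// machine name when absent or blank.</param>
    /// <remarks>
    /// Opening the remote Users hive connects to the winreg named pipe, which (per the header
    /// comment) starts the RemoteRegistry service on the target if it is stopped. From a
    /// monitoring point of view that service start and the pipe connection are the events a
    /// defender would expect to see on the target.
    /// Not handled here: <see cref="System.IO.IOException"/> when the host cannot be reached, and
    /// <see cref="UnauthorizedAccessException"/> / <see cref="System.Security.SecurityException"/>
    /// when the caller is not permitted to open the remote hive; both surface as an unhandled
    /// exception from <c>OpenRemoteBaseKey</c>.
    /// </remarks>
    static void Main(string[] args)
    {
        string hostname = args.Length > 0 && !string.IsNullOrWhiteSpace(args[0]) ? args[0] : Environment.MachineName;
        Console.WriteLine($"[*] Attempting to enumerate logged on users on {hostname}");
        var users = new Dictionary<string, string>();
        // Match only subkeys that END in a full account SID (S-1-5-21-<three sub-authorities>-<rid>);
        // the trailing anchor rejects keys that carry a suffix after the SID. The regex is used
        // once per run, so RegexOptions.Compiled only adds start-up cost and is omitted.
        var sidRegex = new Regex(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$");
        // RegistryKey is IDisposable; the original never disposed it, so the remote handle
        // stayed open until process exit (and leaked outright if translation threw).
        using (var reg = Microsoft.Win32.RegistryKey.OpenRemoteBaseKey(Microsoft.Win32.RegistryHive.Users, hostname))
        {
            foreach (var subkey in reg.GetSubKeyNames())
            {
                if (!sidRegex.IsMatch(subkey))
                {
                    continue;
                }
                string account;
                try
                {
                    var sid = new SecurityIdentifier(subkey);
                    account = ((NTAccount)sid.Translate(typeof(NTAccount))).Value;
                }
                catch (IdentityNotMappedException)
                {
                    // A SID the querying host cannot map (foreign domain, deleted account) used to
                    // abort the whole run; record it as unresolved and keep going instead.
                    account = "<unresolved>";
                }
                // Subkey names are unique, but the indexer avoids an ArgumentException if not.
                users[subkey] = account;
            }
        }
        Console.WriteLine(users.Count == 0 ? "[!] No users found!" : $"[*] Successfully enumerated {users.Count} users!");
        foreach (var user in users)
        {
            Console.WriteLine($"[+] SID: {user.Key}, User: {user.Value}");
        }
    }
}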
}