├── .DS_Store ├── README.md ├── WMIReg.sln └── WMIReg ├── ArgParser.cs ├── Helpers.cs ├── Program.cs ├── Properties └── AssemblyInfo.cs ├── StdRegProv ├── Binary.cs ├── CheckAccess.cs ├── CreateKey.cs ├── DeleteKey.cs ├── DeleteValue.cs ├── Dword.cs ├── EnumKey.cs ├── EnumValues.cs ├── ExString.cs ├── MultiString.cs ├── Qword.cs ├── SecurityDescriptor.cs └── String.cs └── WMIReg.csproj /.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/airzero24/WMIReg/d6ceb7eb37028b732883a554b1412050ccc4970a/.DS_Store -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # WMIReg 2 | 3 | This PoC was started from a code snippet of [@harmj0y](https://github.com/HarmJ0y)'s that I thought was pretty cool. Using the `StdRegProv` management class through WMI, you are able to read and write to local and remote registry keys. This doesn't seem very special, but the biggest advantage is that remote registry interaction is done through WMI, therefore it does not require the `Remote Registry` service to be enabled/started on the remote host! 4 | 5 | >Note: Disadvantage is that interaction with a remote HKCU registry key requires your user to have a `Interactive Logon` session on the remote host. However, this doesn't affect interacting with the HKLM of a remote host as long as you have appropriate permissions. 6 | 7 | ## How to use 8 | You will need to compile the project in Visual Studio. 9 | 10 | WMIReg can perform various actions to interact with local or remote registry hives. When given a action to perform, WMIReg will check that the current user (or user with specified credentials) has access to perform said action against the target registry key. If this check returns true, then the action will be performed. 
11 | 12 | These actions can be any of the following: 13 | 14 | Query: query a value of a specified subkey 15 | 16 | Set: set the value of a specified subkey 17 | 18 | Create: create a new subkey 19 | 20 | DeleteKey: delete a specified subkey 21 | 22 | DeleteValue: delete a value of a specified subkey 23 | 24 | Enum: enumerate all subkeys from a specified registry key 25 | 26 | Here's the tool reference guide. 27 | 28 | ``` 29 | Usage: 30 | WMIReg.exe action=ACTION subkey=SUBKEY [username=USERNAME password=PASSWORD domain=DOMAIN computername=COMPUTERNAME hive=HIVE valuename=VALUENAME value=VALUE] 31 | Parameters: 32 | action Action to perform. Must be 'query', 'set', 'create', 'deletekey', 'deletevalue', or 'enum'. (Required) 33 | 34 | query: 35 | Query a specific value of a specified subkey 36 | set: 37 | Set a value for a subkey 38 | create: 39 | Create a new subkey 40 | deletekey: 41 | Delete the specified subkey 42 | deletevalue: 43 | Delete a specified value from a subkey 44 | enum: 45 | Enumerate subkeys for a specified registry key 46 | 47 | subkey Registry key to perform action on (Required) 48 | username Specify a username to perform action as. 49 | password Specify password for username to perform action as. 50 | domain Specify domain for user to perform action as. 51 | computername Computer to perform the action against. If not provided, localhost is used. 
52 | hive Specify registry hive to target (HKLM, HKCU, HKCR, HKU, HKCC) 53 | valuename Name of specific subkey's value to target (Required for query, set, and deletevalue actions) 54 | value Use to set subkey value to a specified input (Required for set and deletevalue actions) 55 | 56 | Example: 57 | Query a subkey value: 58 | WMIReg.exe action=query subkey=SOFTWARE\Microsoft\Ole valuename=EnableDCOM 59 | 60 | Set a value for a subkey: 61 | WMIReg.exe action=set subkey=SOFTWARE\Microsoft\Ole valuename=EnableDCOM value=Y 62 | 63 | Create a subkey: 64 | WMIReg.exe action=create subkey=SOFTWARE\Microsoft\Ole\NewKey 65 | 66 | Delete a subkey: 67 | WMIReg.exe action=deletekey subkey=SOFTWARE\Microsoft\Ole\NewKey 68 | 69 | Delete a subkey's value: 70 | WMIReg.exe action=deletevalue subkey=SOFTWARE\Microsoft\Ole valuename=EnableDCOM 71 | 72 | Enumerate subkeys: 73 | WMIReg.exe action=enum subkey=SOFTWARE\Microsoft\Ole 74 | ``` 75 | 76 | >Note: When setting the value for a subkey as `Binary` data, pass as a base64 string to `value`. This will be converted but he .Net assembly. 77 | 78 | >Note: An `Index was outside the bounds of the array.` error typically means a key/value does not exist. 79 | 80 | ## Example Usage 81 | Here is an example of setting and disabling Resitricted Admin Mode on a remote host. 
82 | 83 | Querying the value on remote system 84 | ``` 85 | WMIReg.exe action=query computername=DC.theshire.local subkey=SYSTEM\CurrentControlSet\Control\Lsa valuename=DisableRestrictedAdmin 86 | [+] Successfully checked permissions for key SYSTEM\CurrentControlSet\Control\Lsa 87 | [+] User has access permissions for key SYSTEM\CurrentControlSet\Control\Lsa 88 | [+] Successfully retrieved DisableRestrictedAdmin value for key SYSTEM\CurrentControlSet\Control\Lsa 89 | 90 | 0 91 | ``` 92 | 93 | Querying DisableRestrictedAdmin when value is cleared 94 | ``` 95 | WMIReg.exe action=query computername=DC.theshire.local subkey=SYSTEM\CurrentControlSet\Control\Lsa valuename=DisableRestrictedAdmin 96 | [+] Successfully checked permissions for key SYSTEM\CurrentControlSet\Control\Lsa 97 | [+] User has access permissions for key SYSTEM\CurrentControlSet\Control\Lsa 98 | [-] Error: Index was outside the bounds of the array. 99 | [-] Error: Do not have permissions to query SYSTEM\CurrentControlSet\Control\Lsa 100 | ``` 101 | 102 | Setting DisableRestrictedAdmin to enabled 103 | ``` 104 | WMIReg.exe action=set computername=DC.theshire.local subkey=SYSTEM\CurrentControlSet\Control\Lsa valuename=DisableRestrictedAdmin value=0 valuetype=dword 105 | [+] Successfully checked permissions for key SYSTEM\CurrentControlSet\Control\Lsa 106 | [+] User has access permissions for key SYSTEM\CurrentControlSet\Control\Lsa 107 | [+] Successfully set DisableRestricted 108 | ``` 109 | 110 | Setting DisableRestrictedAdmin to disabled 111 | ``` 112 | WMIReg.exe action=set computername=DC.theshire.local subkey=SYSTEM\CurrentControlSet\Control\Lsa valuename=DisableRestrictedAdmin value=1 valuetype=dword 113 | [+] Successfully checked permissions for key SYSTEM\CurrentControlSet\Control\Lsa 114 | [+] User has access permissions for key SYSTEM\CurrentControlSet\Control\Lsa 115 | [+] Successfully set DisableRestricted 116 | ``` 117 | 118 | ## Resources 119 | - 
[Microsoft](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov) 120 | - [MITRE](https://attack.mitre.org/techniques/T1047/) 121 | - THE [@harmj0y](https://github.com/HarmJ0y) 122 | -------------------------------------------------------------------------------- /WMIReg.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.852 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WMIReg", "WMIReg\WMIReg.csproj", "{DBFD21FC-0CB0-4CF4-9E2F-43A6D5A353F6}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {DBFD21FC-0CB0-4CF4-9E2F-43A6D5A353F6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {DBFD21FC-0CB0-4CF4-9E2F-43A6D5A353F6}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {DBFD21FC-0CB0-4CF4-9E2F-43A6D5A353F6}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {DBFD21FC-0CB0-4CF4-9E2F-43A6D5A353F6}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {D23578EA-B4CF-449C-8093-DE7EEBFC97F3} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /WMIReg/ArgParser.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | 4 | namespace WMIReg 5 | { 6 | public class ArgParser 7 | { 8 | public static Dictionary ParseArgs(string[] args) 9 | { 10 | Dictionary results = new Dictionary(); 11 | foreach 
(string arg in args) 12 | { 13 | string[] parts = arg.Split('='); 14 | if (parts.Length != 2) 15 | { 16 | Console.WriteLine($"[-] Argument with bad format passed, skipping: {arg}"); 17 | continue; 18 | } 19 | results[parts[0].ToLower()] = parts[1]; 20 | } 21 | return results; 22 | } 23 | 24 | public static string Action = null; 25 | public static string Username = null; 26 | public static string Password = null; 27 | public static string Domain = null; 28 | public static string ComputerName = null; 29 | public static object Hive = null; 30 | public static string Subkey = null; 31 | public static string Valuename = null; 32 | public static string Value = null; 33 | public static string Type = null; 34 | 35 | public static void ValidateArgs(Dictionary programArgs) 36 | { 37 | if (!programArgs.ContainsKey("action")) 38 | { 39 | Console.WriteLine("[!] Error! Action argument required"); 40 | Helpers.Usage(); 41 | Environment.Exit(1); 42 | } 43 | 44 | if (!programArgs.ContainsKey("subkey")) 45 | { 46 | Console.WriteLine("[!] Error! 
Subkey argument required"); 47 | Helpers.Usage(); 48 | Environment.Exit(1); 49 | } 50 | 51 | if (programArgs["action"] != null) 52 | { 53 | Action = programArgs["action"]; 54 | } 55 | 56 | if (!programArgs.ContainsKey("username")) 57 | { 58 | Username = null; 59 | } 60 | 61 | else 62 | { 63 | Username = programArgs["username"]; 64 | } 65 | 66 | if (!programArgs.ContainsKey("password")) 67 | { 68 | Password = null; 69 | } 70 | 71 | else 72 | { 73 | Password = programArgs["password"]; 74 | } 75 | 76 | if (!programArgs.ContainsKey("domain")) 77 | { 78 | Domain = null; 79 | } 80 | 81 | else 82 | { 83 | Domain = programArgs["domain"]; 84 | } 85 | 86 | if (!programArgs.ContainsKey("computername")) 87 | { 88 | ComputerName = "."; 89 | } 90 | 91 | else 92 | { 93 | ComputerName = programArgs["computername"]; 94 | } 95 | 96 | if (programArgs["subkey"] != null) 97 | { 98 | Subkey = programArgs["subkey"]; 99 | } 100 | 101 | if (!programArgs.ContainsKey("valuename")) 102 | { 103 | Valuename = null; 104 | } 105 | 106 | else 107 | { 108 | Valuename = programArgs["valuename"]; 109 | } 110 | 111 | if (!programArgs.ContainsKey("value")) 112 | { 113 | Value = null; 114 | } 115 | 116 | else 117 | { 118 | Value = programArgs["value"]; 119 | } 120 | 121 | if (!programArgs.ContainsKey("valuetype")) 122 | { 123 | Type = null; 124 | } 125 | 126 | else 127 | { 128 | Type = programArgs["valuetype"]; 129 | } 130 | 131 | if (!programArgs.ContainsKey("hive")) 132 | { 133 | Hive = Helpers.Hive.HKEY_LOCAL_MACHINE; 134 | } 135 | 136 | else 137 | { 138 | switch (programArgs["hive"].ToLower()) 139 | { 140 | case ("hklm"): 141 | Hive = Helpers.Hive.HKEY_LOCAL_MACHINE; 142 | break; 143 | case ("hkey_local_machine"): 144 | Hive = Helpers.Hive.HKEY_LOCAL_MACHINE; 145 | break; 146 | case ("hkcr"): 147 | Hive = Helpers.Hive.HKEY_CLASSES_ROOT; 148 | break; 149 | case ("hkey_classes_root"): 150 | Hive = Helpers.Hive.HKEY_CLASSES_ROOT; 151 | break; 152 | case ("hkcu"): 153 | Hive = 
Helpers.Hive.HKEY_CURRENT_USER; 154 | break; 155 | case ("hkey_current_user"): 156 | Hive = Helpers.Hive.HKEY_CURRENT_USER; 157 | break; 158 | case ("hkcc"): 159 | Hive = Helpers.Hive.HKEY_CURRENT_CONFIG; 160 | break; 161 | case ("hkey_current_config"): 162 | Hive = Helpers.Hive.HKEY_CURRENT_CONFIG; 163 | break; 164 | case ("hku"): 165 | Hive = Helpers.Hive.HKEY_USERS; 166 | break; 167 | case ("hkey_users"): 168 | Hive = Helpers.Hive.HKEY_USERS; 169 | break; 170 | } 171 | } 172 | } 173 | } 174 | } 175 | -------------------------------------------------------------------------------- /WMIReg/Helpers.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using WMIReg.StdRegProv; 3 | 4 | namespace WMIReg 5 | { 6 | class Helpers 7 | { 8 | public enum Hive : UInt32 9 | { 10 | HKEY_CLASSES_ROOT = 2147483648, 11 | HKEY_CURRENT_USER = 2147483649, 12 | HKEY_LOCAL_MACHINE = 2147483650, 13 | HKEY_USERS = 2147483651, 14 | HKEY_CURRENT_CONFIG = 2147483653 15 | } 16 | 17 | public enum AccessPermission : UInt32 18 | { 19 | KEY_QUERY_VALUE = 1, 20 | KEY_SET_VALUE = 2, 21 | DEFAULT = 3, 22 | KEY_CREATE_SUB_KEY = 4, 23 | KEY_ENUMERATE_SUB_KEYS = 8, 24 | KEY_NOTIFY = 16, 25 | KEY_CREATE = 32, 26 | DELETE = 65536, 27 | READ_CONTROL = 131072, 28 | WRITE_DAC = 262144, 29 | WRITE_OWNER = 524288 30 | } 31 | 32 | public enum ValueType : Int32 33 | { 34 | String = 1, 35 | ExtendedString = 2, 36 | Binary = 3, 37 | DWORD = 4, 38 | MultiString = 7, 39 | QWORD = 11 40 | } 41 | 42 | public static void Usage() 43 | { 44 | string usageString = @" 45 | Usage: 46 | WMIReg.exe action=ACTION subkey=SUBKEY [username=USERNAME password=PASSWORD domain=DOMAIN computername=COMPUTERNAME hive=HIVE valuename=VALUENAME value=VALUE] 47 | Parameters: 48 | action Action to perform. Must be 'query', 'set', 'create', 'deletekey', 'deletevalue', or 'enum'. 
(Required) 49 | 50 | query: 51 | Query a specific value of a specified subkey 52 | set: 53 | Set a value for a subkey 54 | create: 55 | Create a new subkey 56 | deletekey: 57 | Delete the specified subkey 58 | deletevalue: 59 | Delete a specified value from a subkey 60 | enum: 61 | Enumerate subkeys for a specified registry key 62 | 63 | subkey Registry key to perform action on (Required) 64 | username Specify a username to perform action as. 65 | password Specify password for username to perform action as. 66 | domain Specify domain for user to perform action as. 67 | computername Computer to perform the action against. If not provided, localhost is used. 68 | hive Specify registry hive to target (HKLM, HKCU, HKCR, HKU, HKCC) 69 | valuename Name of specific subkey's value to target (Required for query, set, and deletevalue actions) 70 | value Use to set subkey value to a specified input (Required for set and deletevalue actions) 71 | 72 | Example: 73 | Query a subkey value: 74 | WMIReg.exe action=query subkey=SOFTWARE\Microsoft\Ole valuename=EnableDCOM 75 | 76 | Set a value for a subkey: 77 | WMIReg.exe action=set subkey=SOFTWARE\Microsoft\Ole valuename=EnableDCOM value=Y 78 | 79 | Create a subkey: 80 | WMIReg.exe action=create subkey=SOFTWARE\Microsoft\Ole\NewKey 81 | 82 | Delete a subkey: 83 | WMIReg.exe action=deletekey subkey=SOFTWARE\Microsoft\Ole\NewKey 84 | 85 | Delete a subkey's value: 86 | WMIReg.exe action=deletevalue subkey=SOFTWARE\Microsoft\Ole valuename=EnableDCOM 87 | 88 | Enumerate subkeys: 89 | WMIReg.exe action=enum subkey=SOFTWARE\Microsoft\Ole 90 | "; 91 | Console.WriteLine(usageString); 92 | } 93 | 94 | public static void Query(string Username, string Password, string Domain, string ComputerName, object Hive, string Subkey, string Valuename, string Value, object Access) 95 | { 96 | try 97 | { 98 | if (Valuename == null) 99 | { 100 | if (CheckAccess.Check(Username, Password, Domain, ComputerName, Hive, Subkey, Access)) 101 | { 102 | 
StdRegProv.EnumValues.Get(Username, Password, Domain, ComputerName, Hive, Subkey); 103 | } 104 | 105 | else 106 | { 107 | Console.WriteLine($"[-] Error: Do not have permissions to query {Subkey}"); 108 | Environment.Exit(1); 109 | } 110 | } 111 | 112 | else 113 | { 114 | if (CheckAccess.Check(Username, Password, Domain, ComputerName, Hive, Subkey, Access)) 115 | { 116 | object Valuetype = null; 117 | 118 | int val = EnumValues.GetValue(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename); 119 | 120 | switch (val) 121 | { 122 | case (1): 123 | Valuetype = ValueType.String; 124 | break; 125 | case (2): 126 | Valuetype = ValueType.ExtendedString; 127 | break; 128 | case (3): 129 | Valuetype = ValueType.Binary; 130 | break; 131 | case (4): 132 | Valuetype = ValueType.DWORD; 133 | break; 134 | case (7): 135 | Valuetype = ValueType.MultiString; 136 | break; 137 | case (11): 138 | Valuetype = ValueType.QWORD; 139 | break; 140 | } 141 | 142 | switch (Valuetype) 143 | { 144 | case (ValueType.String): 145 | StdRegProv.String.Get(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename); 146 | break; 147 | case (ValueType.ExtendedString): 148 | ExString.Get(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename); 149 | break; 150 | case (ValueType.Binary): 151 | Binary.Get(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename); 152 | break; 153 | case (ValueType.DWORD): 154 | Dword.Get(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename); 155 | break; 156 | case (ValueType.MultiString): 157 | MultiString.Get(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename); 158 | break; 159 | case (ValueType.QWORD): 160 | Qword.Get(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename); 161 | break; 162 | default: 163 | Console.WriteLine($"[-] Error: Do not have permissions to query {Subkey}"); 164 | Environment.Exit(1); 165 | break; 166 | } 167 | } 168 | 169 | else 170 | { 171 | Console.WriteLine($"[-] 
Error: Do not have permissions to query {Subkey}"); 172 | Environment.Exit(1); 173 | } 174 | } 175 | } 176 | 177 | catch (Exception e) 178 | { 179 | Console.WriteLine($"[-] Error: {e.Message}"); 180 | } 181 | } 182 | 183 | public static void Write(string Username, string Password, string Domain, string ComputerName, object Hive, string Subkey, string Valuename, string Value, string Type,object Access) 184 | { 185 | try 186 | { 187 | if (CheckAccess.Check(Username, Password, Domain, ComputerName, Hive, Subkey, Access)) 188 | { 189 | object Valuetype = null; 190 | 191 | if (Type != null) 192 | { 193 | switch (Type.ToLower()) 194 | { 195 | case ("string"): 196 | Valuetype = ValueType.String; 197 | break; 198 | case ("exstring"): 199 | Valuetype = ValueType.ExtendedString; 200 | break; 201 | case ("binary"): 202 | Valuetype = ValueType.Binary; 203 | break; 204 | case ("dword"): 205 | Valuetype = ValueType.DWORD; 206 | break; 207 | case ("multistring"): 208 | Valuetype = ValueType.MultiString; 209 | break; 210 | case ("qword"): 211 | Valuetype = ValueType.QWORD; 212 | break; 213 | } 214 | } 215 | else 216 | { 217 | int val = EnumValues.GetValue(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename); 218 | switch (val) 219 | { 220 | case (1): 221 | Valuetype = ValueType.String; 222 | break; 223 | case (2): 224 | Valuetype = ValueType.ExtendedString; 225 | break; 226 | case (3): 227 | Valuetype = ValueType.Binary; 228 | break; 229 | case (4): 230 | Valuetype = ValueType.DWORD; 231 | break; 232 | case (7): 233 | Valuetype = ValueType.MultiString; 234 | break; 235 | case (11): 236 | Valuetype = ValueType.QWORD; 237 | break; 238 | } 239 | } 240 | 241 | switch (Valuetype) 242 | { 243 | case (ValueType.String): 244 | StdRegProv.String.Set(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename, Value); 245 | break; 246 | case (ValueType.ExtendedString): 247 | ExString.Set(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename, Value); 248 | 
break; 249 | case (ValueType.Binary): 250 | Binary.Set(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename, Convert.FromBase64String(Value)); 251 | break; 252 | case (ValueType.DWORD): 253 | Dword.Set(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename, Convert.ToUInt32(Value)); 254 | break; 255 | case (ValueType.MultiString): 256 | MultiString.Set(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename, Value.Split(',')); 257 | break; 258 | case (ValueType.QWORD): 259 | Qword.Set(Username, Password, Domain, ComputerName, Hive, Subkey, Valuename, Convert.ToUInt64(Value)); 260 | break; 261 | default: 262 | Console.WriteLine($"[-] Error: Do not have permissions to query {Subkey}"); 263 | Environment.Exit(1); 264 | break; 265 | } 266 | } 267 | 268 | else 269 | { 270 | Console.WriteLine($"[-] Error: Do not have permissions to set {Subkey}"); 271 | Environment.Exit(1); 272 | } 273 | } 274 | 275 | catch (Exception e) 276 | { 277 | Console.WriteLine($"[-] Error: {e.Message}"); 278 | } 279 | } 280 | 281 | public static void Create(string Username, string Password, string Domain, string ComputerName, object Hive, string Subkey, object Access) 282 | { 283 | try 284 | { 285 | if (CheckAccess.Check(Username, Password, Domain, ComputerName, Hive, Subkey, Access)) 286 | { 287 | CreateKey.Create(Username, Password, Domain, ComputerName, Hive, Subkey); 288 | } 289 | 290 | else 291 | { 292 | Console.WriteLine($"[-] Error: Do not have permissions to SubKeys keys for {Subkey}"); 293 | Environment.Exit(1); 294 | } 295 | } 296 | 297 | catch (Exception e) 298 | { 299 | Console.WriteLine($"[-] Error: {e.Message}"); 300 | } 301 | } 302 | 303 | public static void DeleteKey(string Username, string Password, string Domain, string ComputerName, object Hive, string Subkey, object Access) 304 | { 305 | try 306 | { 307 | if (CheckAccess.Check(Username, Password, Domain, ComputerName, Hive, Subkey, Access)) 308 | { 309 | StdRegProv.DeleteKey.Delete(Username, 
Password, Domain, ComputerName, Hive, Subkey); 310 | } 311 | 312 | else 313 | { 314 | Console.WriteLine($"[-] Error: Do not have permissions to delete subkey {Subkey}"); 315 | Environment.Exit(1); 316 | } 317 | } 318 | 319 | catch (Exception e) 320 | { 321 | Console.WriteLine($"[-] Error: {e.Message}"); 322 | } 323 | } 324 | 325 | public static void DeleteValue(string Username, string Password, string Domain, string ComputerName, object Hive, string Subkey, object Access, string ValueName) 326 | { 327 | try 328 | { 329 | if (CheckAccess.Check(Username, Password, Domain, ComputerName, Hive, Subkey, Access)) 330 | { 331 | StdRegProv.DeleteValue.Delete(Username, Password, Domain, ComputerName, Hive, Subkey, ValueName); 332 | } 333 | 334 | else 335 | { 336 | Console.WriteLine($"[-] Error: Do not have permissions to delete value for subkey {Subkey}"); 337 | Environment.Exit(1); 338 | } 339 | } 340 | 341 | catch (Exception e) 342 | { 343 | Console.WriteLine($"[-] Error: {e.Message}"); 344 | } 345 | } 346 | 347 | public static void Enum(string Username, string Password, string Domain, string ComputerName, object Hive, string Subkey, object Access) 348 | { 349 | try 350 | { 351 | if (CheckAccess.Check(Username, Password, Domain, ComputerName, Hive, Subkey, Access)) 352 | { 353 | EnumKey.Get(Username, Password, Domain, ComputerName, Hive, Subkey); 354 | } 355 | 356 | else 357 | { 358 | Console.WriteLine($"[-] Error: Do not have permissions to enumerate keys for {Subkey}"); 359 | Environment.Exit(1); 360 | } 361 | } 362 | 363 | catch (Exception e) 364 | { 365 | Console.WriteLine($"[-] Error: {e.Message}"); 366 | } 367 | } 368 | } 369 | } 370 | -------------------------------------------------------------------------------- /WMIReg/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | 4 | namespace WMIReg 5 | { 6 | class Program 7 | { 8 | public static void Main(string[] args) 9 
| { 10 | try 11 | { 12 | Dictionary programArgs = ArgParser.ParseArgs(args); 13 | ArgParser.ValidateArgs(programArgs); 14 | switch (ArgParser.Action.ToLower()) 15 | { 16 | case ("query"): 17 | Helpers.Query(ArgParser.Username, ArgParser.Password, ArgParser.Domain, ArgParser.ComputerName, ArgParser.Hive, ArgParser.Subkey, ArgParser.Valuename, ArgParser.Value, Helpers.AccessPermission.KEY_QUERY_VALUE); 18 | break; 19 | case ("set"): 20 | Helpers.Write(ArgParser.Username, ArgParser.Password, ArgParser.Domain, ArgParser.ComputerName, ArgParser.Hive, ArgParser.Subkey, ArgParser.Valuename, ArgParser.Value, ArgParser.Type, Helpers.AccessPermission.KEY_SET_VALUE); 21 | break; 22 | case ("create"): 23 | Helpers.Create(ArgParser.Username, ArgParser.Password, ArgParser.Domain, ArgParser.ComputerName, ArgParser.Hive, ArgParser.Subkey, Helpers.AccessPermission.KEY_CREATE); 24 | break; 25 | case ("deletekey"): 26 | Helpers.DeleteKey(ArgParser.Username, ArgParser.Password, ArgParser.Domain, ArgParser.ComputerName, ArgParser.Hive, ArgParser.Subkey, Helpers.AccessPermission.DELETE); 27 | break; 28 | case ("deletevalue"): 29 | Helpers.DeleteValue(ArgParser.Username, ArgParser.Password, ArgParser.Domain, ArgParser.ComputerName, ArgParser.Hive, ArgParser.Subkey, Helpers.AccessPermission.DELETE, ArgParser.Valuename); 30 | break; 31 | case ("enum"): 32 | Helpers.Enum(ArgParser.Username, ArgParser.Password, ArgParser.Domain, ArgParser.ComputerName, ArgParser.Hive, ArgParser.Subkey, Helpers.AccessPermission.KEY_ENUMERATE_SUB_KEYS); 33 | break; 34 | default: 35 | Console.WriteLine(); 36 | Helpers.Usage(); 37 | break; 38 | } 39 | } 40 | 41 | catch (Exception e) 42 | { 43 | Console.WriteLine($"[-] Error: {e.Message}"); 44 | } 45 | } 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /WMIReg/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using 
System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("WMIReg")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("WMIReg")] 13 | [assembly: AssemblyCopyright("Copyright © 2019")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("dbfd21fc-0cb0-4cf4-9e2f-43a6d5a353f6")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /WMIReg/StdRegProv/Binary.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Management; 3 | 4 | namespace WMIReg.StdRegProv 5 | { 6 | public class Binary 7 | { 8 | public static void Get(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName) 9 | { 10 | ManagementScope scope = null; 11 | try 12 | 
{ 13 | ConnectionOptions connection = new ConnectionOptions(); 14 | 15 | if (UserName != null) 16 | { 17 | try 18 | { 19 | connection.Username = UserName; 20 | connection.Password = Password; 21 | connection.Authority = $"NTLMDOMAIN:{Domain}"; 22 | } 23 | catch 24 | { 25 | connection.Impersonation = System.Management.ImpersonationLevel.Impersonate; 26 | } 27 | } 28 | else 29 | { 30 | connection.Impersonation = System.Management.ImpersonationLevel.Impersonate; 31 | } 32 | 33 | scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection); 34 | scope.Connect(); 35 | 36 | ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null); 37 | 38 | ManagementBaseObject inParams = registry.GetMethodParameters("GetBinaryValue"); 39 | inParams["hDefKey"] = (UInt32)Hive; 40 | inParams["sSubKeyName"] = SubKey; 41 | inParams["sValueName"] = ValueName; 42 | ManagementBaseObject outParams = registry.InvokeMethod("GetBinaryValue", inParams, null); 43 | Console.WriteLine($"[+] Successfully retrieved {ValueName} value for key {SubKey}\n"); 44 | Console.WriteLine(Convert.ToBase64String((byte[])outParams["uValue"])); 45 | } 46 | catch (Exception e) 47 | { 48 | Console.WriteLine($"[-] Error: {e.Message}"); 49 | } 50 | } 51 | 52 | public static void Set(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName, byte[] Value) 53 | { 54 | ManagementScope scope = null; 55 | try 56 | { 57 | ConnectionOptions connection = new ConnectionOptions(); 58 | 59 | if (UserName != null) 60 | { 61 | try 62 | { 63 | connection.Username = UserName; 64 | connection.Password = Password; 65 | connection.Authority = $"NTLMDOMAIN:{Domain}"; 66 | } 67 | catch 68 | { 69 | connection.Impersonation = System.Management.ImpersonationLevel.Impersonate; 70 | } 71 | } 72 | else 73 | { 74 | connection.Impersonation = System.Management.ImpersonationLevel.Impersonate; 75 | } 76 | 77 | scope = new 
ManagementScope($"\\\\{ComputerName}\\root\\default", connection); 78 | scope.Connect(); 79 | 80 | ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null); 81 | 82 | ManagementBaseObject inParams = registry.GetMethodParameters("SetBinaryValue"); 83 | inParams["hDefKey"] = (UInt32)Hive; 84 | inParams["sSubKeyName"] = SubKey; 85 | inParams["sValueName"] = ValueName; 86 | inParams["uValue"] = Value; 87 | ManagementBaseObject outParams = registry.InvokeMethod("SetBinaryValue", inParams, null); 88 | if (Convert.ToUInt32(outParams["ReturnValue"]) == 0) 89 | { 90 | Console.WriteLine($"[+] Successfully set {ValueName} value for key {SubKey} as {Value}"); 91 | } 92 | else 93 | { 94 | Console.WriteLine($"[-] Unable to set {ValueName} value for key {SubKey} as {Value}"); 95 | } 96 | } 97 | catch (Exception e) 98 | { 99 | Console.WriteLine($"[-] Error: {e.Message}"); 100 | } 101 | } 102 | } 103 | } 104 | -------------------------------------------------------------------------------- /WMIReg/StdRegProv/CheckAccess.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Management; 3 | 4 | namespace WMIReg.StdRegProv 5 | { 6 | public class CheckAccess 7 | { 8 | public static bool Check(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, object Access) 9 | { 10 | ManagementScope scope = null; 11 | try 12 | { 13 | ConnectionOptions connection = new ConnectionOptions(); 14 | 15 | if (UserName != null) 16 | { 17 | try 18 | { 19 | connection.Username = UserName; 20 | connection.Password = Password; 21 | connection.Authority = $"NTLMDOMAIN:{Domain}"; 22 | } 23 | catch 24 | { 25 | connection.Impersonation = System.Management.ImpersonationLevel.Impersonate; 26 | } 27 | } 28 | else 29 | { 30 | connection.Impersonation = System.Management.ImpersonationLevel.Impersonate; 31 | } 32 | 33 | scope = new 
ManagementScope($"\\\\{ComputerName}\\root\\default", connection); 34 | scope.Connect(); 35 | 36 | ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null); 37 | 38 | ManagementBaseObject inParams = registry.GetMethodParameters("CheckAccess"); 39 | inParams["hDefKey"] = (UInt32)Hive; 40 | inParams["sSubKeyName"] = SubKey; 41 | inParams["uRequired"] = (UInt32)Access; 42 | ManagementBaseObject outParams = registry.InvokeMethod("CheckAccess", inParams, null); 43 | Console.WriteLine($"[+] Successfully checked permissions for key {SubKey}"); 44 | if (Convert.ToString(outParams["bGranted"]) == "True") 45 | { 46 | Console.WriteLine($"[+] User has access permissions for key {SubKey}"); 47 | return true; 48 | } 49 | else 50 | { 51 | return false; 52 | } 53 | } 54 | catch (Exception e) 55 | { 56 | Console.WriteLine($"[-] Error: {e.Message}"); 57 | return false; 58 | } 59 | } 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /WMIReg/StdRegProv/CreateKey.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Management; 3 | 4 | namespace WMIReg.StdRegProv 5 | { 6 | public class CreateKey 7 | { 8 | public static void Create(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey) 9 | { 10 | ManagementScope scope = null; 11 | try 12 | { 13 | ConnectionOptions connection = new ConnectionOptions(); 14 | 15 | if (UserName != null) 16 | { 17 | try 18 | { 19 | connection.Username = UserName; 20 | connection.Password = Password; 21 | connection.Authority = $"NTLMDOMAIN:{Domain}"; 22 | } 23 | catch 24 | { 25 | connection.Impersonation = System.Management.ImpersonationLevel.Impersonate; 26 | } 27 | } 28 | else 29 | { 30 | connection.Impersonation = System.Management.ImpersonationLevel.Impersonate; 31 | } 32 | 33 | scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection); 34 | 
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("CreateKey");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                ManagementBaseObject outParams = registry.InvokeMethod("CreateKey", inParams, null);
                if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
                {
                    Console.WriteLine($"[+] Successfully created SubKey {SubKey}");
                }
                else
                {
                    Console.WriteLine($"[-] Unable to create SubKey {SubKey}");
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }
    }
}

--------------------------------------------------------------------------------
/WMIReg/StdRegProv/DeleteKey.cs:
--------------------------------------------------------------------------------
using System;
using System.Management;

namespace WMIReg.StdRegProv
{
    public class DeleteKey
    {
        public static void Delete(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams =
                    registry.GetMethodParameters("DeleteKey");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                ManagementBaseObject outParams = registry.InvokeMethod("DeleteKey", inParams, null);
                if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
                {
                    Console.WriteLine($"[+] Successfully deleted SubKey {SubKey}");
                }
                else
                {
                    Console.WriteLine($"[-] Unable to delete SubKey {SubKey}");
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }
    }
}

--------------------------------------------------------------------------------
/WMIReg/StdRegProv/DeleteValue.cs:
--------------------------------------------------------------------------------
using System;
using System.Management;

namespace WMIReg.StdRegProv
{
    public class DeleteValue
    {
        public static void Delete(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("DeleteValue");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                inParams["sValueName"] = ValueName;
                ManagementBaseObject outParams = registry.InvokeMethod("DeleteValue", inParams, null);
                if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
                {
                    Console.WriteLine($"[+] Successfully deleted value {ValueName} for SubKey {SubKey}");
                }
                else
                {
                    Console.WriteLine($"[-] Unable to delete value {ValueName} for SubKey {SubKey}");
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }
    }
}

--------------------------------------------------------------------------------
/WMIReg/StdRegProv/Dword.cs:
--------------------------------------------------------------------------------
using System;
using System.Management;

namespace WMIReg.StdRegProv
{
    public class Dword
    {
        public static void Get(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("GetDWORDValue");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                inParams["sValueName"] = ValueName;
                ManagementBaseObject outParams = registry.InvokeMethod("GetDWORDValue", inParams, null);
                Console.WriteLine($"[+] Successfully retrieved {ValueName} value for key {SubKey}\n");
                Console.WriteLine((UInt32)outParams["uValue"]);
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }

        public static void Set(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName, UInt32 Value)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("SetDWORDValue");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                inParams["sValueName"] = ValueName;
                inParams["uValue"] = Value;
                ManagementBaseObject outParams = registry.InvokeMethod("SetDWORDValue", inParams, null);
                if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
                {
                    Console.WriteLine($"[+] Successfully set {ValueName} value for key {SubKey} as {Value}");
                }
                else
                {
                    Console.WriteLine($"[-] Unable to set {ValueName} value for key {SubKey} as {Value}");
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }
    }
}

--------------------------------------------------------------------------------
/WMIReg/StdRegProv/EnumKey.cs:
--------------------------------------------------------------------------------
using System;
using System.Management;

namespace WMIReg.StdRegProv
{
    public class EnumKey
    {
        public static void Get(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("EnumKey");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                ManagementBaseObject outParams = registry.InvokeMethod("EnumKey", inParams, null);
                Console.WriteLine($"[+] Successfully retrieved SubKeys for key {SubKey}\n");
                foreach (string Name in (string[])outParams["sNames"])
                {
                    Console.WriteLine(Name);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }
    }
}

--------------------------------------------------------------------------------
/WMIReg/StdRegProv/EnumValues.cs:
--------------------------------------------------------------------------------
using System;
using System.Management;

namespace WMIReg.StdRegProv
{
    public class EnumValues
    {
        public static void Get(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("EnumValues");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                ManagementBaseObject outParams = registry.InvokeMethod("EnumValues", inParams, null);
                int i = 0;
                Console.WriteLine($"[+] Successfully retrieved Values for key {SubKey}\n");
                Console.WriteLine("Type\tValue\n----\t-----");
                int[] Types = (int[])outParams["Types"];
                foreach (string Name in (string[])outParams["sNames"])
                {
                    switch (Types[i])
                    {
                        case (int)Helpers.ValueType.String:
                            Console.WriteLine("String\t" + Name);
                            break;
                        case (int)Helpers.ValueType.ExtendedString:
                            Console.WriteLine("ExString\t" + Name);
                            break;
                        case (int)Helpers.ValueType.Binary:
                            Console.WriteLine("Binary\t" + Name);
                            break;
                        case (int)Helpers.ValueType.DWORD:
                            Console.WriteLine("DWORD\t" + Name);
                            break;
                        case (int)Helpers.ValueType.MultiString:
                            Console.WriteLine("MultiString\t" + Name);
                            break;
                        case (int)Helpers.ValueType.QWORD:
                            Console.WriteLine("QWORD\t" + Name);
                            break;
                        default:
                            Console.WriteLine("NULL\t" + Name);
                            break;
                    }
                    i++;
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }

        public static int GetValue(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("EnumValues");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                ManagementBaseObject outParams = registry.InvokeMethod("EnumValues", inParams, null);
                int[] Types = (int[])outParams["Types"];
                string[] Names = (string[])outParams["sNames"];
                // The arrays can be null when the key has no values, and IndexOf
                // returns -1 when ValueName is absent; report that instead of
                // relying on the exception handler below.
                int i = (Names == null || Types == null) ? -1 : Array.IndexOf(Names, ValueName);
                if (i < 0)
                {
                    Console.WriteLine($"[-] Value {ValueName} not found under key {SubKey}");
                    return 0;
                }
                return Types[i];
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
                return 0;
            }
        }
    }
}

--------------------------------------------------------------------------------
/WMIReg/StdRegProv/ExString.cs:
--------------------------------------------------------------------------------
using System;
using System.Management;

namespace WMIReg.StdRegProv
{
    public class ExString
    {
        public static void Get(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("GetExpandedStringValue");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                inParams["sValueName"] = ValueName;
                ManagementBaseObject outParams = registry.InvokeMethod("GetExpandedStringValue", inParams, null);
                Console.WriteLine($"[+] Successfully retrieved {ValueName} value for key {SubKey}\n");
                Console.WriteLine((string)outParams["sValue"]);
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }

        public static void Set(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName, string Value)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation =
                            System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("SetExpandedStringValue");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                inParams["sValueName"] = ValueName;
                inParams["sValue"] = Value;
                ManagementBaseObject outParams = registry.InvokeMethod("SetExpandedStringValue", inParams, null);
                if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
                {
                    Console.WriteLine($"[+] Successfully set {ValueName} value for key {SubKey} as {Value}");
                }
                else
                {
                    Console.WriteLine($"[-] Unable to set {ValueName} value for key {SubKey} as {Value}");
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }
    }
}

--------------------------------------------------------------------------------
/WMIReg/StdRegProv/MultiString.cs:
--------------------------------------------------------------------------------
using System;
using System.Management;

namespace WMIReg.StdRegProv
{
    public class MultiString
    {
        public static void Get(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation =
                            System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("GetMultiStringValue");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                inParams["sValueName"] = ValueName;
                ManagementBaseObject outParams = registry.InvokeMethod("GetMultiStringValue", inParams, null);
                Console.WriteLine($"[+] Successfully retrieved {ValueName} value for key {SubKey}\n");
                string[] result = (string[])outParams["sValue"];
                foreach (string Line in result)
                {
                    Console.WriteLine(Line);
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }

        public static void Set(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName, string[] Value)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams =
                    registry.GetMethodParameters("SetMultiStringValue");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                inParams["sValueName"] = ValueName;
                inParams["sValue"] = Value;
                ManagementBaseObject outParams = registry.InvokeMethod("SetMultiStringValue", inParams, null);
                // Interpolating a string[] directly prints "System.String[]"; join the entries for display.
                string joined = string.Join(", ", Value);
                if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
                {
                    Console.WriteLine($"[+] Successfully set {ValueName} value for key {SubKey} as {joined}");
                }
                else
                {
                    Console.WriteLine($"[-] Unable to set {ValueName} value for key {SubKey} as {joined}");
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }
    }
}

--------------------------------------------------------------------------------
/WMIReg/StdRegProv/Qword.cs:
--------------------------------------------------------------------------------
using System;
using System.Management;

namespace WMIReg.StdRegProv
{
    public class Qword
    {
        public static void Get(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams =
                    registry.GetMethodParameters("GetQWORDValue");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                inParams["sValueName"] = ValueName;
                ManagementBaseObject outParams = registry.InvokeMethod("GetQWORDValue", inParams, null);
                Console.WriteLine($"[+] Successfully retrieved {ValueName} value for key {SubKey}\n");
                // GetQWORDValue returns a 64-bit uValue; unboxing it as UInt32 throws InvalidCastException.
                Console.WriteLine((UInt64)outParams["uValue"]);
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }

        public static void Set(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName, UInt64 Value)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("SetQWORDValue");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                inParams["sValueName"] = ValueName;
                inParams["uValue"] = Value;
                ManagementBaseObject outParams = registry.InvokeMethod("SetQWORDValue", inParams, null);
                if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
                {
                    Console.WriteLine($"[+] Successfully set {ValueName} value for key {SubKey} as {Value}");
                }
                else
                {
                    Console.WriteLine($"[-] Unable to set {ValueName} value for key {SubKey} as {Value}");
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }
    }
}

--------------------------------------------------------------------------------
/WMIReg/StdRegProv/SecurityDescriptor.cs:
--------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace WMIReg.StdRegProv
{
    public class SecurityDescriptor
    {
        //TODO
    }
}

--------------------------------------------------------------------------------
/WMIReg/StdRegProv/String.cs:
--------------------------------------------------------------------------------
using System;
using System.Management;

namespace WMIReg.StdRegProv
{
    public class String
    {
        public static void Get(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("GetStringValue");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                inParams["sValueName"] = ValueName;
                ManagementBaseObject outParams = registry.InvokeMethod("GetStringValue", inParams, null);
                Console.WriteLine($"[+] Successfully retrieved {ValueName} value for key {SubKey}\n");
                Console.WriteLine((string)outParams["sValue"]);
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }

        public static void Set(string UserName, string Password, string Domain, string ComputerName, object Hive, string SubKey, string ValueName, string Value)
        {
            ManagementScope scope = null;
            try
            {
                ConnectionOptions connection = new ConnectionOptions();

                if (UserName != null)
                {
                    try
                    {
                        connection.Username = UserName;
                        connection.Password = Password;
                        connection.Authority = $"NTLMDOMAIN:{Domain}";
                    }
                    catch
                    {
                        connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                    }
                }
                else
                {
                    connection.Impersonation = System.Management.ImpersonationLevel.Impersonate;
                }

                scope = new ManagementScope($"\\\\{ComputerName}\\root\\default", connection);
                scope.Connect();

                ManagementClass registry = new ManagementClass(scope, new ManagementPath("StdRegProv"), null);

                ManagementBaseObject inParams = registry.GetMethodParameters("SetStringValue");
                inParams["hDefKey"] = (UInt32)Hive;
                inParams["sSubKeyName"] = SubKey;
                inParams["sValueName"] = ValueName;
                inParams["sValue"] = Value;
                ManagementBaseObject outParams = registry.InvokeMethod("SetStringValue", inParams, null);
                if (Convert.ToUInt32(outParams["ReturnValue"]) == 0)
                {
                    Console.WriteLine($"[+] Successfully set {ValueName} value for key {SubKey} as {Value}");
                }
                else
                {
                    Console.WriteLine($"[-] Unable to set {ValueName} value for key {SubKey} as {Value}");
                }
            }
            catch (Exception e)
            {
                Console.WriteLine($"[-] Error: {e.Message}");
            }
        }
    }
}
--------------------------------------------------------------------------------
/WMIReg/WMIReg.csproj:
--------------------------------------------------------------------------------
Debug
AnyCPU
{DBFD21FC-0CB0-4CF4-9E2F-43A6D5A353F6}
Exe
WMIReg
WMIReg
v4.0
512
true

AnyCPU
true
full
false
bin\Debug\
DEBUG;TRACE
prompt
4

AnyCPU
none
true
bin\Release\
TRACE
prompt
4
--------------------------------------------------------------------------------