Open RCPMAD opened 8 years ago
If I understand the issue correctly, then just enumerate the subdirectories in the "Users" directory, then loop around the array returned:
string[] folders = System.IO.Directory.GetDirectories(@"C:\Users\", "*", System.IO.SearchOption.TopDirectoryOnly);
You can then choose to ignore user folders such as "Default", "All Users", if you wish.
As the original author of JumpLister, I would also recommend using the JumpList parser here as it is a supported/maintained code base:
https://github.com/EricZimmerman/JumpList
With an application to use as an example of how to use the library:
Hi Mark,
Many thanks for the suggestions, I really appreciate it. I liked your application a lot and it is great if you just do local artifact analysis. I needed it to be more lightweight and the ability to add it to triage tools.
I will give the above a try and see how it works. I was not aware of the one made by EricZimmerman until now. Will have a look.
Line https://github.com/RCPMAD/RCP_JLP/blob/master/RCP_JLP/Program.cs#L88
This only parses the local profiles, and if domain profiles are present in the C:\Users\ folder it will skip them.
string args1 = @"(gwmi -query 'SELECT * FROM Win32_UserAccount WHERE LocalAccount=True').Name.get(" + index1 + ")";
This parses local and domain profiles; however, if the machine is connected to the network it will try and fetch all the users from the AD on the DC, causing delay when parsing.
string args1 = @"(gwmi -query 'SELECT * FROM Win32_UserAccount').Name.get(" + index1 + ")";
I need a solution that only looks in the C:\Users\ profiles.
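The directory-enumeration approach suggested in the thread, carried through to the jump list files themselves, as an added example (not code from RCP_JLP, JumpLister or any participant). It reads only the file system, so local and domain profiles are treated alike and no account query is issued; the `ProfileJumpLists` class and `Find` method are hypothetical names, and the relative paths are the standard Windows jump list locations.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

static class ProfileJumpLists
{
    // Well-known entries under C:\Users that are not real user profiles.
    static readonly HashSet<string> Skip = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "Default", "Default User", "All Users", "Public" };

    // Standard jump list locations, relative to a profile root.
    static readonly string[] JumpListDirs =
    {
        @"AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations",
        @"AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations"
    };

    public static IEnumerable<string> Find(string usersRoot)
    {
        foreach (string profile in Directory.GetDirectories(usersRoot, "*", SearchOption.TopDirectoryOnly))
        {
            var info = new DirectoryInfo(profile);
            // "All Users" and "Default User" are links (reparse points); skip them and the named defaults.
            if (Skip.Contains(info.Name) || (info.Attributes & FileAttributes.ReparsePoint) != 0)
                continue;
            foreach (string rel in JumpListDirs)
            {
                string dir = Path.Combine(profile, rel);
                string[] files;
                try
                {
                    if (!Directory.Exists(dir)) continue;
                    files = Directory.GetFiles(dir, "*Destinations-ms");
                }
                catch (UnauthorizedAccessException) { continue; } // profile not readable without elevation
                catch (IOException) { continue; }                 // directory vanished or is locked
                foreach (string f in files) yield return f;
            }
        }
    }

    static void Main(string[] args)
    {
        // Root is a parameter so the same code works on a mounted image, e.g. E:\Users\
        string root = args.Length > 0 ? args[0] : @"C:\Users\";
        foreach (string file in Find(root)) Console.WriteLine(file);
    }
}
```

Run it elevated when triaging a live system, since other users' `AppData` folders are otherwise unreadable and are silently skipped by the `UnauthorizedAccessException` handler.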