Public/OS/Get-WindowsUserProfile.ps1
|
<#
Copyright © 2024 Integris. For internal company use only. All rights reserved. #> FUNCTION Get-WindowsUserProfile { <# .SYNOPSIS Retrieves user profiles from the C:\Users directory. .DESCRIPTION This function collects and returns information about user profiles, excluding certain system and service accounts, from the C:\Users directory. .PARAMETER None This function does not take any parameters. .EXAMPLE Get-WindowsUserProfile Retrieves and displays user profiles from the C:\Users directory. .NOTES The function excludes profiles for system and service accounts such as "Public", "Administrator", and others. #> [CmdletBinding()] param( ) $Results = @() $ProgressCount = 0 $ProfileKeys = Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" | Where-Object { $_.Name -notlike "*\S-1-5-18*" } $StartTime = (GET-Date) FOREACH ($ProfileKey in $ProfileKeys) { $ProgressCount++ $ProgressPercent = [math]::Round($ProgressCount / $ProfileKeys.Count * 100,0) $TimeLeft = New-TimeSpan -Seconds (((GET-Date) - $StartTime).TotalSeconds / $ProgressCount * ($ProfileKeys.Count - ($ProgressCount-1))) Write-Progress -ID 16 -Activity "Total Progress" -Status "$($ProgressPercent)% - $ProgressCount of $($ProfileKeys.Count) - Time Left: ~$($TimeLeft.Hours):$($TimeLeft.Minutes.ToString().Padleft(2,"0")):$($TimeLeft.Seconds.ToString().Padleft(2,"0"))" -PercentComplete $ProgressPercent $RegKey = Get-ItemProperty -Path $ProfileKey.Name.ToString().Replace("HKEY_LOCAL_MACHINE","HKLM:") $FolderInfo = Get-Item -Path $RegKey.ProfileImagePath -ErrorAction SilentlyContinue IF ($FolderInfo.Name -eq "Public") { continue } IF ($FolderInfo.Name -eq "admin") { continue } IF ($FolderInfo.Name -eq "administrator") { continue } IF ($FolderInfo.Name -eq "labtech") { continue } IF ($FolderInfo.Name -eq "cyberhawk") { continue } IF ($FolderInfo.Name -eq "defaultapppool") { continue } IF ($FolderInfo.Name -like "*.NET v4*") { continue } IF ($FolderInfo.Name -eq "localservice") { continue } IF ($FolderInfo.Name -eq "networkservice") { continue } IF ($FolderInfo.Name -eq "systemprofile") { continue } IF ($FolderInfo.Name -eq "UIFlowService") { continue } IF ($FolderInfo.Name -like "*MSSQL*") { continue } $FolderExists = $False IF (GET-Item $RegKey.ProfileImagePath -ErrorAction SilentlyContinue) { $FolderExists = $True } $Results += New-Object PSObject -WarningAction SilentlyContinue -Property @{ PSTypeName = 'IntegrisPowerShell.WindowsUserProfile' ProfileName = $FolderInfo.Name ProfilePath = $RegKey.ProfileImagePath CreationTime = $FolderInfo.CreationTime LastWriteTime = $FolderInfo.LastWriteTime ProfileFolderExists = $FolderExists RegistryEntryExists = $True SID = ($ProfileKey.Name.Split('\'))[$ProfileKey.Name.Split('\').Length-1] } } $Profiles = GET-ChildItem -Path C:\Users -Directory FOREACH ($Profile in $Profiles) { IF ($Results.ProfilePath -contains $Profile.FullName) { continue } IF ($Profile.Name -eq "Public") { continue } IF ($Profile.Name -eq "admin") { continue } IF ($Profile.Name -eq "administrator") { continue } IF ($Profile.Name -eq "labtech") { continue } IF ($Profile.Name -eq "cyberhawk") { continue } IF ($Profile.Name -eq "defaultapppool") { continue } IF ($Profile.Name -like "*.NET v4*") { continue } IF ($Profile.Name -eq "localservice") { continue } IF ($Profile.Name -eq "networkservice") { continue } IF ($Profile.Name -eq "systemprofile") { continue } IF ($Profile.Name -eq "UIFlowService") { continue } IF ($Profile.Name -like "*MSSQL*") { continue } $Results += New-Object PSObject -WarningAction SilentlyContinue -Property @{ PSTypeName = 'IntegrisPowerShell.WindowsUserProfile' ProfileName = $Profile.Name ProfilePath = $Profile.FullName CreationTime = $Profile.CreationTime LastWriteTime = $Profile.LastWriteTime ProfileFolderExists = $True RegistryEntryExists = $False SID = "Unknown" } } Write-Progress -ID 16 -Activity "Total Progress" -Status "Complete" -PercentComplete 100 -Completed RETURN $Results | Sort-Object LastWriteTime -Descending } |