lithnet · ryannewington · Jan 22, 2025 · Jan 22, 2025
diff --git a/src/NativeUnitTests/NativeUnitTests.vcxproj b/src/NativeUnitTests/NativeUnitTests.vcxproj
@@ -164,9 +164,11 @@
     <ClCompile Include="HashTests.cpp" />
     <ClCompile Include="PasswordEvaluatorComplexityPointsTests.cpp" />
     <ClCompile Include="PasswordEvaluatorComplexityThresholdTests.cpp" />
+    <ClCompile Include="PasswordEvaluatorInScopeTests.cpp" />
     <ClCompile Include="PasswordEvaluatorNameTests.cpp" />
     <ClCompile Include="PasswordEvaluatorRegexApproveTests.cpp" />
     <ClCompile Include="PasswordEvaluatorLengthTests.cpp" />
+    <ClCompile Include="RegistryTests.cpp" />
     <ClCompile Include="stdafx.cpp">
       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>

diff --git a/src/NativeUnitTests/NativeUnitTests.vcxproj.filters b/src/NativeUnitTests/NativeUnitTests.vcxproj.filters
@@ -62,5 +62,11 @@
     <ClCompile Include="v3StoreTests.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="RegistryTests.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="PasswordEvaluatorInScopeTests.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>
diff --git a/src/NativeUnitTests/PasswordEvaluatorInScopeTests.cpp b/src/NativeUnitTests/PasswordEvaluatorInScopeTests.cpp
@@ -0,0 +1,191 @@
+#include "stdafx.h"
+#include "CppUnitTest.h"
+#include "passwordevaluator.h"
+#include <windows.h>
+
+using namespace Microsoft::VisualStudio::CppUnitTestFramework;
+
+static void SetRegistryExcludedAccounts(const std::vector<std::wstring>& accounts)
+{
+    HKEY hKey;
+    LONG result = RegCreateKeyEx(HKEY_LOCAL_MACHINE, REG_BASE_SETTINGS_KEY, 0, NULL, 0, KEY_WRITE, NULL, &hKey, NULL);
+    if (result == ERROR_SUCCESS)
+    {
+        // Calculate the size of the MULTI_SZ string
+        size_t totalSize = 0;
+        for (const auto& account : accounts)
+        {
+            totalSize += (account.size() + 1) * sizeof(wchar_t);
+        }
+        totalSize += sizeof(wchar_t); // For the final null terminator
+
+        // Create the MULTI_SZ string
+        std::vector<wchar_t> multiSz(totalSize / sizeof(wchar_t));
+        wchar_t* ptr = multiSz.data();
+        for (const auto& account : accounts)
+        {
+            wcscpy_s(ptr, account.size() + 1, account.c_str());
+            ptr += account.size() + 1;
+        }
+        *ptr = L'\0'; // Final null terminator
+
+        // Set the registry value
+        RegSetValueEx(hKey, REG_VALUE_EXCLUDEDACCOUNTS, 0, REG_MULTI_SZ, (const BYTE*)multiSz.data(), totalSize);
+        RegCloseKey(hKey);
+    }
+}
+
+static void SetRegistryIncludedAccounts(const std::vector<std::wstring>& accounts)
+{
+    HKEY hKey;
+    LONG result = RegCreateKeyEx(HKEY_LOCAL_MACHINE, REG_BASE_SETTINGS_KEY, 0, NULL, 0, KEY_WRITE, NULL, &hKey, NULL);
+    if (result == ERROR_SUCCESS)
+    {
+        // Calculate the size of the MULTI_SZ string
+        size_t totalSize = 0;
+        for (const auto& account : accounts)
+        {
+            totalSize += (account.size() + 1) * sizeof(wchar_t);
+        }
+        totalSize += sizeof(wchar_t); // For the final null terminator
+
+        // Create the MULTI_SZ string
+        std::vector<wchar_t> multiSz(totalSize / sizeof(wchar_t));
+        wchar_t* ptr = multiSz.data();
+        for (const auto& account : accounts)
+        {
+            wcscpy_s(ptr, account.size() + 1, account.c_str());
+            ptr += account.size() + 1;
+        }
+        *ptr = L'\0'; // Final null terminator
+
+        // Set the registry value
+        RegSetValueEx(hKey, REG_VALUE_INCLUDEDACCOUNTS, 0, REG_MULTI_SZ, (const BYTE*)multiSz.data(), totalSize);
+        RegCloseKey(hKey);
+    }
+}
+
+static void DeleteRegistryValues()
+{
+    HKEY hKey;
+    LONG result = RegOpenKeyEx(HKEY_LOCAL_MACHINE, REG_BASE_SETTINGS_KEY, 0, KEY_WRITE, &hKey);
+    if (result == ERROR_SUCCESS)
+    {
+        RegDeleteValue(hKey, REG_VALUE_EXCLUDEDACCOUNTS);
+        RegDeleteValue(hKey, REG_VALUE_INCLUDEDACCOUNTS);
+        RegCloseKey(hKey);
+    }
+}
+
+namespace NativeUnitTests
+{
+    TEST_CLASS(PasswordEvaluatorInScopeTests)
+    {
+    public:
+
+        TEST_METHOD_INITIALIZE(CleanupRegistry)
+        {
+            DeleteRegistryValues();
+        }
+
+        TEST_METHOD(TestIsUserInScope_ExcludedAccount)
+        {
+            std::wstring accountName = L"krbtgt";
+            BOOLEAN result = IsUserInScope(accountName);
+            Assert::IsFalse(result);
+        }
+
+        TEST_METHOD(TestIsUserInScope_NotExcludedAccount)
+        {
+            std::wstring accountName = L"testuser";
+            BOOLEAN result = IsUserInScope(accountName);
+            Assert::IsTrue(result);
+        }
+
+        TEST_METHOD(TestIsUserInScope_ExcludedAccountFromRegistry)
+        {
+            std::vector<std::wstring> excludedAccounts = { L"excludeduser" };
+            SetRegistryExcludedAccounts(excludedAccounts);
+
+            std::wstring accountName = L"excludeduser";
+            BOOLEAN result = IsUserInScope(accountName);
+            Assert::IsFalse(result);
+        }
+
+        TEST_METHOD(TestIsUserInScope_MultipleExcludedAccountsFromRegistry)
+        {
+            std::vector<std::wstring> excludedAccounts = { L"excludeduser1", L"excludeduser2", L"excludeduser3" };
+            SetRegistryExcludedAccounts(excludedAccounts);
+
+            std::wstring accountName1 = L"excludeduser1";
+            BOOLEAN result1 = IsUserInScope(accountName1);
+            Assert::IsFalse(result1);
+
+            std::wstring accountName2 = L"excludeduser2";
+            BOOLEAN result2 = IsUserInScope(accountName2);
+            Assert::IsFalse(result2);
+
+            std::wstring accountName3 = L"excludeduser3";
+            BOOLEAN result3 = IsUserInScope(accountName3);
+            Assert::IsFalse(result3);
+
+            std::wstring accountName4 = L"includeduser";
+            BOOLEAN result4 = IsUserInScope(accountName4);
+            Assert::IsTrue(result4);
+        }
+
+        TEST_METHOD(TestIsUserInScope_NotExcludedAccountFromRegistry)
+        {
+            std::vector<std::wstring> excludedAccounts = { L"excludeduser1", L"excludeduser2", L"excludeduser3" };
+            SetRegistryExcludedAccounts(excludedAccounts);
+
+            std::wstring accountName = L"includeduser";
+            BOOLEAN result = IsUserInScope(accountName);
+            Assert::IsTrue(result);
+        }
+
+        // New test cases for 'included user' logic
+
+        TEST_METHOD(TestIsUserInScope_IncludedAccount)
+        {
+            std::vector<std::wstring> includedAccounts = { L"includeduser" };
+            SetRegistryIncludedAccounts(includedAccounts);
+
+            std::wstring accountName = L"includeduser";
+            BOOLEAN result = IsUserInScope(accountName);
+            Assert::IsTrue(result);
+        }
+
+        TEST_METHOD(TestIsUserInScope_IncludedAccountListEmpty)
+        {
+            std::vector<std::wstring> includedAccounts = {};
+            SetRegistryIncludedAccounts(includedAccounts);
+
+            std::wstring accountName = L"anyuser";
+            BOOLEAN result = IsUserInScope(accountName);
+            Assert::IsTrue(result);
+        }
+
+        TEST_METHOD(TestIsUserInScope_NotIncludedAccount)
+        {
+            std::vector<std::wstring> includedAccounts = { L"includeduser1", L"includeduser2" };
+            SetRegistryIncludedAccounts(includedAccounts);
+
+            std::wstring accountName = L"notincludeduser";
+            BOOLEAN result = IsUserInScope(accountName);
+            Assert::IsFalse(result);
+        }
+
+        TEST_METHOD(TestIsUserInScope_IncludedAndExcludedAccount)
+        {
+            std::vector<std::wstring> includedAccounts = { L"includeduser" };
+            std::vector<std::wstring> excludedAccounts = { L"includeduser" };
+            SetRegistryIncludedAccounts(includedAccounts);
+            SetRegistryExcludedAccounts(excludedAccounts);
+
+            std::wstring accountName = L"includeduser";
+            BOOLEAN result = IsUserInScope(accountName);
+            Assert::IsFalse(result);
+        }
+    };
+}
diff --git a/src/NativeUnitTests/RegistryTests.cpp b/src/NativeUnitTests/RegistryTests.cpp
@@ -0,0 +1,98 @@
+#include "stdafx.h"
+#include "CppUnitTest.h"
+#include "registry.h"
+#include <windows.h>
+
+using namespace Microsoft::VisualStudio::CppUnitTestFramework;
+
+namespace NativeUnitTests
+{
+	TEST_CLASS(RegistryTests)
+	{
+	public:
+
+		TEST_METHOD(TestGetRegValueString)
+		{
+			registry reg;
+			std::wstring defaultValue = L"default";
+			std::wstring value = reg.GetRegValue(L"NonExistentValue", defaultValue);
+			Assert::AreEqual(defaultValue, value);
+		}
+
+		TEST_METHOD(TestGetRegValueDWORD)
+		{
+			registry reg;
+			DWORD defaultValue = 1234;
+			DWORD value = reg.GetRegValue(L"NonExistentValue", defaultValue);
+			Assert::AreEqual(defaultValue, value);
+		}
+
+		TEST_METHOD(TestGetRegValueMultiString)
+		{
+			registry reg;
+			std::vector<std::wstring> defaultValue = { L"default1", L"default2" };
+			std::vector<std::wstring> value = reg.GetRegValue(L"NonExistentValue", REG_DEFAULT_MAX_ITEMS, defaultValue);
+			Assert::IsTrue(defaultValue == value);
+		}
+
+		TEST_METHOD(TestGetRegistryForUser)
+		{
+			registry reg = registry::GetRegistryForUser(L"testuser");
+			Assert::IsNotNull(&reg);
+		}
+
+		TEST_METHOD(TestSetAndGetRegValueString)
+		{
+			HKEY hKey;
+			LPCWSTR subKey = REG_BASE_SETTINGS_KEY;
+			LPCWSTR valueName = L"TestString";
+			std::wstring setValue = L"TestValue";
+
+			RegCreateKeyEx(HKEY_LOCAL_MACHINE, subKey, 0, NULL, 0, KEY_WRITE, NULL, &hKey, NULL);
+			RegSetValueEx(hKey, valueName, 0, REG_SZ, (const BYTE*)setValue.c_str(), (setValue.size() + 1) * sizeof(wchar_t));
+			RegCloseKey(hKey);
+
+			registry reg;
+			std::wstring getValue = reg.GetRegValue(valueName, L"");
+			Assert::AreEqual(setValue, getValue);
+		}
+
+		TEST_METHOD(TestSetAndGetRegValueDWORD)
+		{
+			HKEY hKey;
+			LPCWSTR subKey = REG_BASE_SETTINGS_KEY;
+			LPCWSTR valueName = L"TestDWORD";
+			DWORD setValue = 5678;
+
+			RegCreateKeyEx(HKEY_LOCAL_MACHINE, subKey, 0, NULL, 0, KEY_WRITE, NULL, &hKey, NULL);
+			RegSetValueEx(hKey, valueName, 0, REG_DWORD, (const BYTE*)&setValue, sizeof(setValue));
+			RegCloseKey(hKey);
+
+			registry reg;
+			DWORD getValue = reg.GetRegValue(valueName, 0);
+			Assert::AreEqual(setValue, getValue);
+		}
+
+		TEST_METHOD(TestSetAndGetRegValueMultiString)
+		{
+			HKEY hKey;
+			LPCWSTR subKey = REG_BASE_SETTINGS_KEY;
+			LPCWSTR valueName = L"TestMultiString";
+			std::vector<std::wstring> setValue = { L"Value1", L"Value2" };
+			std::wstring multiString;
+			for (const auto& str : setValue)
+			{
+				multiString.append(str).append(1, L'\0');
+			}
+			multiString.append(1, L'\0');
+
+			RegCreateKeyEx(HKEY_LOCAL_MACHINE, subKey, 0, NULL, 0, KEY_WRITE, NULL, &hKey, NULL);
+			RegSetValueEx(hKey, valueName, 0, REG_MULTI_SZ, (const BYTE*)multiString.c_str(), (multiString.size() + 1) * sizeof(wchar_t));
+			RegCloseKey(hKey);
+
+			registry reg;
+			std::vector<std::wstring> getValue = reg.GetRegValue(valueName, REG_DEFAULT_MAX_ITEMS,  std::vector<std::wstring>());
+            Assert::IsTrue(std::equal(setValue.begin(), setValue.end(), getValue.begin(), getValue.end()));
+		}
+	};
+}
diff --git a/src/PasswordFilter/filter.cpp b/src/PasswordFilter/filter.cpp
@@ -64,6 +64,12 @@ extern "C" __declspec(dllexport) BOOLEAN __stdcall PasswordFilter(
 		simulate = reg.GetRegValue(REG_VALUE_AUDITONLY, 0) != 0;
 
 		std::wstring accountName(AccountName->Buffer, AccountName->Length / sizeof(WCHAR));
+
+		if (!IsUserInScope(accountName))
+		{
+			return TRUE;
+		}
+
 		std::wstring fullName(FullName->Buffer, FullName->Length / sizeof(WCHAR));
 
 		SecureArrayT<WCHAR> password = UnicodeStringToWcharArray(*Password);
@@ -146,6 +152,12 @@ extern "C" __declspec(dllexport) int __stdcall PasswordFilterEx(
 		}
 
 		std::wstring accountName = AccountName;
+
+		if (!IsUserInScope(accountName))
+		{
+			return PASSWORD_APPROVED;
+		}
+
 		std::wstring fullName = FullName;
 		SecureArrayT<WCHAR> password = StringToWcharArray(Password);
 

diff --git a/src/PasswordFilter/messages.h b/src/PasswordFilter/messages.h
@@ -105,12 +105,43 @@
 //
 // MessageText:
 //
-// There was a problem opening the store file. Check that the store folder exists and is accessible.\n
+// There was a problem opening the store file. Check that the store folder exists and is accessible.
 // Error code: %1
 // Path: %2
 //
 #define MSG_STOREERROR                   ((DWORD)0xC0020009L)
 
+//
+// MessageId: MSG_USEREXCLUDED
+//
+// MessageText:
+//
+// The user %1 was in the exclusion list and was not evaluated by the password filter.
+//
+#define MSG_USEREXCLUDED                 ((DWORD)0x4002000AL)
+
+//
+// MessageId: MSG_USERNOTINCLUDED
+//
+// MessageText:
+//
+// The user %1 was not in the inclusion list and was not evaluated by the password filter.
+//
+#define MSG_USERNOTINCLUDED              ((DWORD)0x4002000BL)
+
+//
+// MessageId: MSG_REG_READ_ERROR
+//
+// MessageText:
+//
+// A registry read error occurred.
+// Error code: %1
+// Key: %2
+// Value: %3
+// Type: %4
+//
+#define MSG_REG_READ_ERROR               ((DWORD)0xC002000CL)
+
 //
 // MessageId: MSG_PASSWORD_REJECTED_ON_ERROR
 //