Worked on Security Account Manager (SAM) script and documentation

docs/index.rst

@@ -21,7 +21,7 @@ The source code is available from the `project page <https://github.com/libyal/w
 .. toctree::
    :maxdepth: 2
 
-   Security Accounts Manager keys <sources/Security-accounts-manager-keys>
+   sources/security-accounts-manager-keys/index
 
 .. toctree::
    :maxdepth: 2

docs/sources/application-keys/Terminal-server-client.md

@@ -0,0 +1,21 @@
+# Terminal server client
+
+The most recent used (MRU) connnections of the Terminal server client can
+be found in the key:
+
+```
+HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default
+```
+
+Values:
+
+Name | Data type | Description
+--- | --- | ---
+MRU# | REG_SZ | The most recently used connection. <br> Where # is a string in the form: "[0-9]+"
+
+The contents of MRU# is either an IP address, e.g. 192.168.16.60, or a hostname, e.g. computer.domain.com.
+
+## External Links
+
+* [How to Remove Entries from the Remote Desktop Connection Computer Box](https://docs.microsoft.com/en-US/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer)
+

docs/sources/application-keys/index.rst

@@ -7,4 +7,5 @@ Application keys
 
    7-Zip <7-Zip>
    Microsoft Office <Microsoft-Office>
+   Terminal server client <Terminal-server-client>
    WinRAR <WinRAR>

docs/sources/internet-explorer-keys/Feature-controls.md → docs/sources/internet-explorer-keys/Policies.md

@@ -1,4 +1,6 @@
-# Feature controls
+# Policies
+
+The Internet Explorer polices are stored in multiple keys.
 
 Order of application:
 
@@ -24,7 +26,34 @@ WoW64:
 1. HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl
 1. HKEY_LOCAL_MACHINE\\Wow6432Node\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl
 
-## Security Zones
+## Policies
+
+```
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
+```
+
+Values:
+
+Value | Data type | Description
+--- | --- | ---
+Download Directory | REG_SZ | The user specific download directory
+
+### Download policies
+
+```
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Download
+```
+
+Values:
+
+Value | Data type | Description
+--- | --- | ---
+CheckExeSignatures | REG_SZ |
+RunInvalidSignatures | REG_DOWRD |
+
+## Feature controls
+
+### Security Zones
 
 Value | Description
 --- | ---
@@ -36,7 +65,7 @@ Value | Description
 
 Also stored in "Description" Registry value in zone-specific Registry key.
 
-## Local Machine Zone Lockdown
+### Local Machine Zone Lockdown
 
 Applies the Lockdown Zones instead of the Zones.
 
@@ -52,7 +81,7 @@ Add a REG_DWORD value to this key named for your application (for example,
 MyApplication.exe) and set it to 1. Any other setting for this value will 
 disable Local Machine Zone Lockdown for the application.
 
-## Network Protocol Lockdown
+### Network Protocol Lockdown
 
 ```
 HKEY_LOCAL_MACHINE\Software\(Policies)\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN 
@@ -62,19 +91,28 @@ HKEY_CURRENT_USER\Software\(Policies)\Microsoft\Internet Explorer\Main\FeatureCo
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
 ```
 
-## HTML from CD
+### HTML from CD
 
 ```
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings\LOCALMACHINE_CD_UNLOCK
 ```
 
+## Notes
+
+```
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
+HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy
+```
+
 ## External Links
 
-* [Introduction to Feature Controls](https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537184(v=vs.85))
-* [Internet Feature Controls](https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/general-info/ee330720(v=vs.85))
 * [About URL Security Zones](https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537183(v=vs.85))
-* [Understanding and Working in Protected Mode Internet Explorer](https://docs.microsoft.com/en-US/troubleshoot/browsers/ie-security-zones-registry-entries)
-* [Internet Explorer security zones registry entries for advanced users](https://docs.microsoft.com/en-US/troubleshoot/browsers/ie-security-zones-registry-entries)
 * [Internet Explorer Local Machine Zone Lockdown](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc782928(v=ws.10))
 * [Internet Explorer Network Protocol Lockdown](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc737488(v=ws.10))
 * [Internet Explorer Protected Mode Elevation Policy and Administrative Templates](https://docs.microsoft.com/en-us/archive/blogs/juanand/internet-explorer-protected-mode-elevation-policy-and-administrative-templates)
+* [Internet Explorer security zones registry entries for advanced users](https://docs.microsoft.com/en-US/troubleshoot/browsers/ie-security-zones-registry-entries)
+* [Internet Feature Controls](https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/general-info/ee330720(v=vs.85))
+* [Introduction to Feature Controls](https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537184(v=vs.85))
+* [Understanding and Working in Protected Mode Internet Explorer](https://docs.microsoft.com/en-US/troubleshoot/browsers/ie-security-zones-registry-entries)
+* [Understanding user-agent strings](https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/ms537503(v=vs.85))
+

docs/sources/internet-explorer-keys/index.rst

@@ -6,5 +6,5 @@ Internet explorer keys
    :maxdepth: 1
 
    Browser helper objects <Browser-helper-objects>
-   Feature controls <Feature-controls>
+   Policies <Policies>
    Typed URLs <Typed-URLs>

docs/sources/Security-accounts-manager-keys.md → docs/sources/security-accounts-manager-keys/Domains.md

@@ -1,40 +1,17 @@
-# Security Accounts Manager (SAM) keys
+# Domains
 
-The Security Accounts Manager (SAM) is stored in the key:
+The Security Accounts Manager (SAM) domains are stored in the key:
 
 ```
-HKEY_LOCAL_MACHINE\SAM
+HKEY_LOCAL_MACHINE\SAM\SAM\Domains
 ```
 
-## SAM key
-
 Sub keys:
 
 Name | Description
 --- | ---
-Domains |
-RXACT |
-
-Values:
-
-Name | Data type | Description
---- | --- | ---
-C | REG_BINARY |
-
-### C value data
-
-Offset | Size | Value | Description
---- | --- | --- | ---
-0 | ... | | *TODO*
-
-## Domains key
-
-Sub keys:
-
-Name | Description
---- | ---
-Account |
-Builtin |
+Account | user, group, and local group accounts.
+Builtin | (built-in) default local groups, such as the Administrators and Users groups, that are established when the operating system is installed.
 
 Values:
 
@@ -344,13 +321,14 @@ Value | Identifier | Description
 
 ## External Links
 
-* [userAccountControl Mapping Table](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/8a193181-a7a2-49df-a8b1-f689aaa6987c)
-* [Security Account Manager (SAM)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))
 * [ACCOUNT_TYPE Values](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e742be45-665d-4576-b872-0bc99d1e1fbe)
-* [SAMPR_USER_ALL_INFORMATION](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/dc966b81-da27-4dae-a28c-ec16534f1cb9)
+* [Built-in and Account Domains](https://docs.microsoft.com/en-us/windows/win32/secmgmt/built-in-and-account-domains)
 * [Predefined RIDs](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/565a6584-3061-4ede-a531-f5c53826504b)
-* [USER_ALL_INFORMATION structure](https://docs.microsoft.com/en-us/windows/win32/api/subauth/ns-subauth-user_all_information)
+* [SAMPR_USER_ALL_INFORMATION](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/dc966b81-da27-4dae-a28c-ec16534f1cb9)
+* [Security Account Manager (SAM)](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756748(v=ws.10))
+* [SysKey and the SAM](http://moyix.blogspot.com/2008/02/syskey-and-sam.html), by Brendan Dolan-Gavitt, February 21, 2008
 * [USER_ACCOUNT Codes](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec)
+* [userAccountControl Mapping Table](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/8a193181-a7a2-49df-a8b1-f689aaa6987c)
+* [USER_ALL_INFORMATION structure](https://docs.microsoft.com/en-us/windows/win32/api/subauth/ns-subauth-user_all_information)
 * [Well-known SIDs](https://docs.microsoft.com/en-us/windows/win32/secauthz/well-known-sids)
-* [SysKey and the SAM](http://moyix.blogspot.com/2008/02/syskey-and-sam.html), by Brendan Dolan-Gavitt, February 21, 2008
 

docs/sources/security-accounts-manager-keys/Security-accounts-manager.md

@@ -0,0 +1,46 @@
+# Security Accounts Manager (SAM)
+
+The Security Accounts Manager (SAM) is stored in the key:
+
+```
+HKEY_LOCAL_MACHINE\SAM\SAM
+```
+
+Sub keys:
+
+Name | Description
+--- | ---
+Domains | Built-in and account domains
+RXACT |
+
+Values:
+
+Name | Data type | Description
+--- | --- | ---
+C | REG_BINARY |
+
+### C value data
+
+The C value data is variable of size and consists of:
+
+Offset | Size | Value | Description
+--- | --- | --- | ---
+0 | 2 | | <mark style="background-color: yellow">**Unknown (Format version?)**</mark>
+2 | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
+4 | 4 | | <mark style="background-color: yellow">**Unknown (empty?)**</mark>
+8 | 4 | | <mark style="background-color: yellow">**Unknown data size**</mark>
+12 | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
+14 | 2 | | <mark style="background-color: yellow">**Unknown**</mark>
+16 | ... | | <mark style="background-color: yellow">**Unknown data (security descriptor?)**</mark>
+
+#### Format version
+
+Value | Description
+--- | ---
+1 | Used in Windows NT 3.1
+2 | Used in Windows NT 3.5
+3 | Used in Windows NT 4
+6 | Used in Windows 2000
+7 | Used in Windows XP and later
+9 | Used in Windows Windows 11
+

docs/sources/security-accounts-manager-keys/index.rst

@@ -0,0 +1,9 @@
+##############################
+Security accounts manager keys
+##############################
+
+.. toctree::
+   :maxdepth: 1
+
+   Security accounts manager <Security-accounts-manager>
+   Domains <Domains>