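# Local hardening audit for three common Windows misconfigurations. Findings are
# written to VulnApps.txt on the current user's Desktop and then opened in Notepad:
#   1. Services whose executable path contains a space but is not quoted.
#   2. Registry keys directly under HKLM:\SYSTEM\CurrentControlSet\Services and
#      HKLM:\Software on which Users / Authenticated Users hold FullControl.
#   3. Folders directly under the Program Files roots on which those groups hold
#      Modify or FullControl.
# Only the first level below each root is inspected; deeper keys and folders are
# not covered by this report.

# Resolve the Desktop through the shell-folder API rather than building
# C:\users\<name>\Desktop from whoami: the profile folder need not match the
# account name, and the Desktop may be redirected.
$outFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'VulnApps.txt'

# The principals are identified by well-known SID, not by display name. Matching
# on "BUILTIN\Users" text fails on localized Windows installs and depends on the
# exact spacing of the formatted ACL string.
$broadSids = @(
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-11'        # NT AUTHORITY\Authenticated Users
)

# Returns $true when $Acl holds an Allow rule for one of $Sids whose rights
# include every bit of $RequiredRights (so FullControl also satisfies Modify).
# Works for both file-system and registry ACLs.
function Test-BroadAllowRule {
    param(
        $Acl,
        [int]$RequiredRights,
        [string[]]$Sids
    )

    # Ask for SIDs directly so no name translation is needed.
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($Sids -notcontains $rule.IdentityReference.Value) { continue }

        if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            $granted = [int]$rule.RegistryRights
        } else {
            $granted = [int]$rule.FileSystemRights
        }

        # GENERIC_ALL (0x10000000) is how some inherited entries express full
        # control. Other generic rights (e.g. GENERIC_WRITE) are not expanded
        # here, so such entries need manual review.
        if (($granted -band 0x10000000) -ne 0) { return $true }
        if (($granted -band $RequiredRights) -eq $RequiredRights) { return $true }
    }
    return $false
}

# --- 1. Unquoted service paths -------------------------------------------------
# An unquoted path with a space is ambiguous to the service launcher; the fix is
# to wrap the executable path in quotes in the service's ImagePath value.
"UnQuoted Path Vulnerabilities" | Out-File $outFile
"" | Out-File $outFile -Append

$vulnSvc = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $path = $_.PathName
    if ([string]::IsNullOrWhiteSpace($path)) { return $false }

    $path = $path.Trim()
    if ($path.StartsWith('"')) { return $false }

    # Look only at the executable portion so spaces in the arguments do not
    # count. The search is case-insensitive: a case-sensitive IndexOf misses
    # ".EXE" and then inspects just the first three characters of the path.
    $exeEnd = $path.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    if ($exeEnd -lt 0) {
        # No ".exe" found: check the whole string. This may flag a path whose
        # only space precedes its arguments, which is preferable to a miss.
        $image = $path
    } else {
        $image = $path.Substring(0, $exeEnd + 4)
    }
    $image.Contains(' ')
}
$vulnSvc | ForEach-Object { $_.Name } | Out-File $outFile -Append

# --- 2. Registry permissions ---------------------------------------------------
# FullControl on a service or software key lets a standard user change what that
# key configures; such keys should be writable by administrators only.
" " | Out-File $outFile -Append
"Registry Paths where User has Full Control" | Out-File $outFile -Append

$regFull = [int][System.Security.AccessControl.RegistryRights]::FullControl
$registryRoots = 'HKLM:\SYSTEM\CurrentControlSet\Services', 'HKLM:\Software'
$skipped = 0

foreach ($root in $registryRoots) {
    # PSPath + -LiteralPath avoids changing the working location (the original
    # did "cd hklm:" and never went back) and avoids wildcard expansion of key
    # names that contain [ ] or *.
    foreach ($subKey in (Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue)) {
        try {
            $acl = Get-Acl -LiteralPath $subKey.PSPath -ErrorAction Stop
        } catch {
            # Unreadable ACL (typically access denied): count it so the report
            # shows its own coverage instead of reusing a stale $acl.
            $skipped++
            continue
        }
        if (Test-BroadAllowRule -Acl $acl -RequiredRights $regFull -Sids $broadSids) {
            $acl.Path | Out-File $outFile -Append
        }
    }
}
if ($skipped -gt 0) {
    "($skipped registry keys could not be read and were skipped)" | Out-File $outFile -Append
}

# --- 3. Folder permissions -----------------------------------------------------
# Modify or FullControl for standard users on an application folder allows its
# binaries to be replaced; these folders should be read/execute only for users.
" " | Out-File $outFile -Append
"Folders where the User has Mod or Full in Program Files" | Out-File $outFile -Append

$fsModify = [int][System.Security.AccessControl.FileSystemRights]::Modify

# Take the roots from the environment so a non-C: system drive, a 32-bit OS
# (no "Program Files (x86)") and a 32-bit PowerShell host are all handled.
$programRoots = @($env:ProgramW6432, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique
$skipped = 0

foreach ($root in $programRoots) {
    $folders = Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }
    foreach ($fold in $folders) {
        try {
            $foldAcl = Get-Acl -LiteralPath $fold.FullName -ErrorAction Stop
        } catch {
            $skipped++
            continue
        }
        # Each folder is listed once, even when several rules match.
        if (Test-BroadAllowRule -Acl $foldAcl -RequiredRights $fsModify -Sids $broadSids) {
            $fold.FullName | Out-File $outFile -Append
        }
    }
}
if ($skipped -gt 0) {
    "($skipped folders could not be read and were skipped)" | Out-File $outFile -Append
}

# Quote the path so a profile directory containing spaces opens correctly.
Start-Process -FilePath notepad.exe -ArgumentList ('"{0}"' -f $outFile)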