# Hashtable to store UserEmail values for each user SID
$userEmails = @{}

# Get the list of user SIDs under HKEY_USERS
$users = Get-ChildItem -Path "Registry::HKEY_USERS"

Write-Output "Starting search for UserEmails in the registry..."

# Loop through each user SID to find UserEmail
foreach ($user in $users) {
    $joinInfoBasePath = "Registry::HKEY_USERS\$($user.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\JoinInfo"

    # Check if the JoinInfo base key exists
    if (Test-Path -Path $joinInfoBasePath) {
        Write-Output "Found JoinInfo path for user SID: $($user.PSChildName)"
        
        # Get all GUID-based subkeys under JoinInfo
        $guidSubKeys = Get-ChildItem -Path $joinInfoBasePath

        foreach ($guidSubKey in $guidSubKeys) {
            $guidPath = "$joinInfoBasePath\$($guidSubKey.PSChildName)"
            Write-Output "Checking GUID subkey: $guidPath"

            # Get the registry key values for the specific GUID
            $keyValues = Get-ItemProperty -Path $guidPath

            # Check if the UserEmail key exists and add it to the hashtable
            if ($keyValues.PSObject.Properties['UserEmail']) {
                $userEmail = $keyValues.UserEmail
                Write-Output "UserEmail found: $userEmail for user SID: $($user.PSChildName)"
                
                # Add the UserEmail to the hashtable
                $userEmails[$user.PSChildName] = $userEmail
            } else {
                Write-Output "No UserEmail found in GUID: $($guidSubKey.PSChildName) for user SID: $($user.PSChildName)"
            }
        }
    } else {
        Write-Output "JoinInfo path not found for user SID: $($user.PSChildName)"
    }
}

Write-Output "UserEmail search process completed."

# Display the collected UserEmails
Write-Output "Collected UserEmails:"
$userEmails.GetEnumerator() | ForEach-Object { Write-Output "User SID: $($_.Key), UserEmail: $($_.Value)" }

# Define the base path for user profiles and the relative path where .tbacct files are stored
$basePath = "C:\Users"
$relativePath = "AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts"

Write-Output "Starting the cleanup process for .tbacct files and corresponding registry keys..."

# Loop through each user profile in C:\Users
foreach ($userProfile in Get-ChildItem -Path $basePath -Directory) {
    $profileName = $userProfile.Name
    Write-Output "Checking profile: $profileName"

    # Construct the folder path where .tbacct files are stored
    $folderPath = Join-Path -Path $userProfile.FullName -ChildPath $relativePath

    # Check if the folder exists
    if (Test-Path -Path $folderPath) {
        Write-Output "Found .tbacct folder path for user profile: $profileName"

        # Get all .tbacct files in the folder
        $tbacctFiles = Get-ChildItem -Path $folderPath -Filter "*.tbacct"

        foreach ($file in $tbacctFiles) {
            Write-Output "Checking .tbacct file: $($file.FullName)"

            # Read the file content as bytes
            $fileContent = [System.IO.File]::ReadAllBytes($file.FullName)
            $textContent = -join ($fileContent | ForEach-Object { if ($_ -ge 0x20 -and $_ -le 0x7E) { [char]$_ } })

            # Loop through collected UserEmails from the registry to find matches
            foreach ($userSID in $userEmails.Keys) {
                $searchTerm = $userEmails[$userSID]
                Write-Output "Looking for UserEmail: $searchTerm in file: $($file.FullName)"

                if ($textContent -like "*$searchTerm*") {
                    Write-Output "Found and deleting '$searchTerm' in file: $($file.Name) under user profile: $profileName"

                    try {
                        # Delete the .tbacct file
                        Remove-Item -Path $file.FullName -Force
                        Write-Output "Deleted file: $($file.FullName)"
                        
                        # Define the JoinInfo registry path for the user SID
                        $joinInfoBasePath = "Registry::HKEY_USERS\$userSID\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin\JoinInfo"

                        if (Test-Path -Path $joinInfoBasePath) {
                            $guidSubKeys = Get-ChildItem -Path $joinInfoBasePath

                            foreach ($guidSubKey in $guidSubKeys) {
                                $guidPath = "$joinInfoBasePath\$($guidSubKey.PSChildName)"
                                $keyValues = Get-ItemProperty -Path $guidPath

                                if ($keyValues.UserEmail -eq $searchTerm) {
                                    Write-Output "Deleting registry GUID subkey: $guidPath"
                                    try {
                                        Remove-Item -Path $guidPath -Recurse -Force
                                        Write-Output "Deleted registry GUID subkey: $guidPath"
                                    } catch {
                                        Write-Output "Failed to delete registry GUID subkey: $guidPath. Error: $_"
                                    }
                                }
                            }
                        } else {
                            Write-Output "Registry path not found for user SID: $userSID"
                        }
                    } catch {
                        Write-Output "Failed to delete file: $($file.FullName). Error: $_"
                    }
                }
            }
        }
    } else {
        Write-Output "The path $folderPath does not exist for user profile: $profileName"
    }
}

Write-Output "Cleanup process completed."