PowerShell Data Collection Script

By: icanhazblog on Jan 14th, 2012  |  syntax: None  |  size: 7.73 KB  |  views: 607  |  expires: Never
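  <#
      Windows 7 / Vista quick triage collector -- "a lazy ladies way to find some badness".
      A Sketchymoose Creation -- icanhazblog[at]gmail[dot]com

      Writes one text file per topic into .\output under the current directory:
        <COMPUTERNAME>_output_files.txt               temp / AppData / System32 / root / Prefetch listings
        <COMPUTERNAME>_output_internet_files.txt      IE cache listing, Firefox profile presence
        <COMPUTERNAME>_output_servicesNprocesses.txt  services, processes, loaded modules
        <COMPUTERNAME>_output_registry.txt            Run/RunOnce, Winlogon, Policies\Explorer\Run, Active Setup
        <COMPUTERNAME>_output_network.txt             DNS cache, open connections

      Run it from an elevated PowerShell prompt: netstat -b and the -Force
      listings of System32 / Temp give "access denied" or partial results for a
      standard user. Non-terminating errors are merged into the output files
      (2>&1 / -ErrorVariable) so a failed read is recorded next to the section it
      belongs to instead of scrolling past on the console. When triaging a
      suspect machine, launch the script from external media so the output
      directory is not created on the disk under examination.
  #>

# ---- Environment, output directory, shared values --------------------------
$computer     = $env:COMPUTERNAME
$systemRoot   = $env:SystemRoot      # normally C:\Windows
$systemDrive  = $env:SystemDrive     # normally C:
$localAppData = $env:LOCALAPPDATA    # C:\Users\<user>\AppData\Local on a default profile
$directory    = (Get-Location).Path
$outputDir    = Join-Path $directory 'output'
$stars        = "*********************************************"

# A plain `mkdir` threw on a second run because .\output already existed;
# -Force reuses the directory instead of aborting the collection.
New-Item -ItemType Directory -Path $outputDir -Force | Out-Null
Set-Location $outputDir

# Appends a starred banner with a title line to $Path.
function Write-Banner {
    param([string]$Title, [string]$Path)
    Write-Output $stars >> $Path
    Write-Output $Title >> $Path
    Write-Output $stars >> $Path
}

# Appends the single-space separator line that divides the sections.
function Write-Spacer {
    param([string]$Path)
    Write-Output " " >> $Path
}

# ---- NORMAL FILES FROM COMPUTER --------------------------------------------
$filename = $computer + "_output_files.txt"

Write-Banner "Grabbing Files in the TEMP Directory...." $filename
Get-ChildItem "$env:Temp" 2>&1 >> $filename
Write-Spacer $filename

# <SystemDrive>\Temp is not created by Windows, so its mere presence is worth noting.
$tempDir = Join-Path $systemDrive 'Temp'
if (Test-Path $tempDir) {
    Write-Banner "$tempDir exists... dumping file" $filename
    Get-ChildItem "$tempDir\*" -Force 2>&1 >> $filename
} else {
    Write-Banner "$tempDir does not exist!" $filename
}
Write-Spacer $filename

$winTemp = Join-Path $systemRoot 'Temp'
if (Test-Path $winTemp) {
    Write-Banner "$winTemp exists... dumping file" $filename
    Get-ChildItem "$winTemp\*" -Force 2>&1 >> $filename
} else {
    Write-Banner "$winTemp does not exist!" $filename
}
Write-Spacer $filename

Write-Banner "Grabbing files in the Application Data directory...." $filename
Get-ChildItem $env:AppData 2>&1 >> $filename
Write-Spacer $filename

# Sorted by CreationTime so a recently dropped binary ends up at the bottom of
# the list instead of hiding between hundreds of install-time files.
# Errors go through -ErrorVariable here because an ErrorRecord merged into the
# pipeline would break Sort-Object/Format-Table on CreationTime.
Write-Banner "Grabbing dll, sys, and exe files, from System32 based on CreatedTime...." $filename
Get-ChildItem "$systemRoot\System32\*" -Include *.dll, *.sys, *.exe -Force -ErrorAction SilentlyContinue -ErrorVariable listErrors |
    Sort-Object -Property CreationTime |
    Format-Table CreationTime, Mode, Length, Name -AutoSize >> $filename
if ($listErrors) { $listErrors | Out-String >> $filename }
Write-Spacer $filename

Write-Banner "Checking $systemDrive\ root drive for executables" $filename
Get-ChildItem "$systemDrive\*" -Include *.exe -Force 2>&1 >> $filename
Write-Spacer $filename

# Prefetch is absent on Server 2008 and on systems where the Prefetcher is disabled.
Write-Banner "Pre-Fetch Files" $filename
$prefetchDir = Join-Path $systemRoot 'Prefetch'
if (Test-Path $prefetchDir) {
    Write-Output "PreFetch Exists... dumping file" >> $filename
    Get-ChildItem "$prefetchDir\*" -Include *.pf -ErrorAction SilentlyContinue -ErrorVariable listErrors |
        Sort-Object -Property CreationTime |
        Format-Table CreationTime, Mode, Length, Name -AutoSize >> $filename
    if ($listErrors) { $listErrors | Out-String >> $filename }
} else {
    Write-Output "Prefetch files do not exist...." >> $filename
}
Write-Spacer $filename

# ---- TEMPORARY INTERNET FILES ----------------------------------------------
$filename = $computer + "_output_internet_files.txt"

# IE and Firefox both live under %LOCALAPPDATA%; using the variable instead of a
# hard-coded C:\Users\<name> keeps this right for relocated or non-C: profiles.
$ieCache = Join-Path $localAppData 'Microsoft\Windows\Temporary Internet Files'
if (Test-Path $ieCache) {
    Write-Banner "IE Temp History Files Found" $filename
    Get-ChildItem "$ieCache\*" -Recurse -Force 2>&1 >> $filename
} else {
    Write-Banner "Can't find IE History... Are you Using Mozilla?" $filename
}
Write-Spacer $filename

$firefoxProfiles = Join-Path $localAppData 'Mozilla\Firefox\Profiles'
if (Test-Path $firefoxProfiles) {
    Write-Banner "Mozilla cache found on the system... type about:cache in Mozilla to view its contents" $filename
} else {
    Write-Banner "Mozilla cache not found... are you using IE?" $filename
}
Write-Spacer $filename

# ---- SYSTEM INFORMATION ----------------------------------------------------
$filename = $computer + "_output_servicesNprocesses.txt"

Write-Banner "Grabbing Services... " $filename
$services = Get-WmiObject -Query 'select * from win32_service'
$services | Sort-Object State | Format-Table Name, State, StartMode, PathName -AutoSize >> $filename
Write-Spacer $filename

# WMI does not expose the DLLs a service loads, so the process view is the next
# best thing: tasklist /svc maps each service to its hosting process.
Write-Banner "Grabbing Processes and Their Associated Services... " $filename
tasklist /svc >> $filename
Write-Spacer $filename

# tasklist /m lists loaded modules per process; processes the current user
# cannot open are reported without modules unless the shell is elevated.
Write-Banner "Grabbing DLLs associated with Processes... " $filename
tasklist /m >> $filename
Write-Spacer $filename

# ---- REGISTRY --------------------------------------------------------------
$filename = $computer + "_output_registry.txt"

Write-Banner "-------Run, RunOnce------" $filename
reg query hklm\software\microsoft\windows\currentversion\run /s 2>&1 >> $filename
reg query hklm\software\microsoft\windows\currentversion\runonce /s 2>&1 >> $filename
reg query hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\run /s 2>&1 >> $filename
reg query hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce /s 2>&1 >> $filename
Write-Spacer $filename

Write-Banner "-------Winlogon------" $filename
reg query "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s 2>&1 >> $filename
Write-Spacer $filename

Write-Banner "-------Run Locations Under Policies FOR Users running Windows ME, 2000 or XP------" $filename
# These keys usually do not exist. The earlier version printed their contents
# to the console instead of the file, so a hit was lost from the output set;
# both queries are now appended to $filename like every other section.
foreach ($policyRun in @(
        'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run')) {
    # Test-Path needs the provider form (HKCU:\...), reg.exe the hive form (HKCU\...).
    $providerPath = $policyRun -replace '^(HKCU|HKLM)\\', '$1:\'
    if (Test-Path $providerPath) {
        reg query $policyRun /s 2>&1 >> $filename
    } else {
        Write-Output "$policyRun does not exist!" >> $filename
    }
}
Write-Spacer $filename

Write-Banner "-------Auto-Start Locations for Installed Components, Look for Stub Path Keys!------" $filename
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s 2>&1 >> $filename
Write-Spacer $filename

# ---- NETWORK INFORMATION ---------------------------------------------------
$filename = $computer + "_output_network.txt"

Write-Banner "Network Information" $filename

Write-Banner "DNS Cache" $filename
ipconfig /displaydns >> $filename
Write-Spacer $filename

# -b (owning executable per connection) requires an elevated prompt; from a
# standard user it fails with an elevation error, which 2>&1 records in the file
# so an empty section is explained rather than mistaken for "no connections".
Write-Banner "Open Network Connections" $filename
netstat -anob 2>&1 >> $filename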