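<# Windows 7, Vista Super Quick PowerScript #>
<# A lazy ladies way to find some badness #>
<# ------ A Sketchymoose Creation ------ #>
<# ---- icanhazblog[at]gmail[dot]com ---- #>


<# get computer name, define variables #>
# Host and user names come straight from the environment; $username is kept
# because the browser-cache checks further down build profile paths from it.
$computer = $env:COMPUTERNAME
$username = $env:USERNAME
# Resolve the starting location to a plain string (pwd returns a PathInfo
# object) so the path join below is unambiguous.
$directory = (Get-Location).Path
$outputDir = Join-Path $directory 'output'
# -Force lets a second run reuse an existing .\output instead of raising a
# "directory already exists" error; Out-Null hides the DirectoryInfo object
# that New-Item would otherwise print to the console.
New-Item -ItemType Directory -Path $outputDir -Force | Out-Null
# Every section below appends to a relative $filename, so the working
# directory must be the output folder before anything is written.
Set-Location $outputDir
$stars = "*********************************************"
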
  15. <# --NORMAL FILES FROM COMPUTER -- #>
  16. $filename = $computer + "_output_files.txt"
  17.  
  18. <# Get location of TEMP directory #>
  19. echo $stars >> $filename
  20. echo "Grabbing Files in the TEMP Directory...." >> $filename
  21. echo $stars >> $filename
  22. Get-ChildItem "$env:Temp" >> $filename
  23. echo " " >> $filename
  24.  
  25. <# Check for C:\Temp #>
  26. echo $stars >> $filename
  27. If (Test-Path "C:\Temp\")
  28. {
  29. echo "C:\Temp exists... dumping file" >> $filename
  30. Get-ChildItem C:\Temp\* -force >> $filename
  31. }
  32. Else
  33. {
  34. echo "C:\Temp does not exist!" >> $filename
  35. }
  36. echo $stars >> $filename
  37. echo " " >> $filename
  38.  
  39. <# Check for C:\Windows\Temp #>
  40. echo $stars >> $filename
  41. If (Test-Path "C:\Windows\Temp")
  42. {
  43. echo "C:\Windows\Temp exists... dumping file" >> $filename
  44. echo $stars >> $filename
  45. Get-ChildItem C:\Windows\Temp\* -force >> $filename
  46. }
  47. Else
  48. {
  49. echo "C:\Windows\Temp does not exist!" >> $filename
  50. echo $stars >> $filename
  51. }
  52. echo " " >> $filename
  53.  
  54. <#Get location of Application Data directory #>
  55. echo $stars >> $filename
  56. echo "Grabbing files in the Application Data directory...." >> $filename
  57. echo $stars >> $filename
  58. Get-ChildItem $env:AppData >> $filename
  59. echo " " >> $filename
  60.  
  61. <# check for weird created dates in System32 file #>
  62. echo " " >> $filename
  63. echo $stars >> $filename
  64. echo "Grabbing dll, sys, and exe files, from System32 based on CreatedTime...." >> $filename
  65. echo $stars >> $filename
  66. Get-ChildItem C:\Windows\System32\* -Include *.dll, *.sys, *.exe -force | sort-object -property CreationTime | format-Table CreationTime,Mode,Length,Name -auto >> $filename
  67.  
  68. <# check c:\ for .exe and .*z* files #>
  69. echo $stars >> $filename
  70. echo "Checking C:\ root drive for executables" >> $filename
  71. echo $stars >> $filename
  72. Get-ChildItem C:\* -Include *.exe -force >> $filename
  73. echo " " >> $filename
  74.  
  75. <# prefetch files #>
  76. echo $stars >> $filename
  77. echo "Pre-Fetch Files" >> $filename
  78. echo $stars >> $filename
  79.  
  80. <# first check to see if PreFetch file exists (does not in 2008) #>
  81. If (Test-Path C:\Windows\Prefetch)
  82. {
  83. echo "PreFetch Exists... dumping file" >> $filename
  84. Get-ChildItem C:\Windows\Prefetch\* -Include *.pf | sort-object -property CreationTime | format-Table CreationTime,Mode,Length,Name -auto >> $filename
  85. }
  86. Else
  87. {
  88. echo "Prefetch files do not exist...." >> $filename
  89. }
  90. echo " " >> $filename
  91.  
  92. <# -- TEMPORARY INTERNET FILES -- #>
  93. $filename = $computer + "_output_internet_files.txt"
  94.  
  95. <# Check for Temporary Internet Files for Mozilla and Firefox #>
  96. echo $stars >> $filename
  97. If (Test-Path "C:\Users\$username\AppData\Local\Microsoft\Windows\Temporary Internet Files")
  98. {
  99. echo "IE Temp History Files Found" >> $filename
  100. echo $stars >> $filename
  101. Get-ChildItem "C:\Users\$username\AppData\Local\Microsoft\Windows\Temporary Internet Files\*" -recurse -force >> $filename
  102. }
  103. Else
  104. {
  105. echo "Can't find IE History... Are you Using Mozilla?" >> $filename
  106. echo $stars >> $filename
  107. }
  108.  
  109. If (Test-Path "C:\Users\$username\AppData\Local\Mozilla\Firefox\Profiles\")
  110. {
  111. echo " " >> $filename
  112. echo $stars >> $filename
  113. echo "Mozilla cache found on the system... type about:cache in Mozilla to view its contents" >> $filename
  114. echo $stars >> $filename
  115. }
  116. Else
  117. {
  118. echo " " >> $filename
  119. echo $stars >> $filename
  120. echo "Mozilla cache not found... are you using IE?" >> $filename
  121. }
  122. echo " " >> $filename
  123.  
  124. <# -- SYSTEM INFORMATION --#>
  125. $filename = $computer + "_output_servicesNprocesses.txt"
  126.  
  127. <#Grabinng Services #>
  128. echo $stars >> $filename
  129. $services = get-wmiobject -query 'select * from win32_service'
  130. echo "Grabbing Services... " >> $filename
  131. echo $stars >> $filename
  132. $services | Sort-object State| format-Table Name,State,StartMode,PathName -auto >> $filename
  133. echo " " >> $filename
  134.  
  135. <# Can't seem to figure out how to grab DLL's with a service, so I figure the next best thing is to check processes#
  136. <# What process are associated with a service? #>
  137.  
  138. echo $stars >> $filename
  139. echo "Grabbing Processes and Their Associated Services... " >> $filename
  140. echo $stars >> $filename
  141. tasklist /svc >> $filename
  142. echo " " >> $filename
  143.  
  144. <#What dll's are assoicated with Processes? #>
  145.  
  146. echo $stars >> $filename
  147. echo "Grabbing DLLs associated with Processes... " >> $filename
  148. echo $stars >> $filename
  149. tasklist /m >> $filename
  150. echo " " >> $filename
  151.  
  152. <# --REGISTRY -- #>
  153. $filename = $computer + "_output_registry.txt"
  154.  
  155. echo $stars >> $filename
  156. echo "-------Run, RunOnce------" >> $filename
  157. echo $stars >> $filename
  158. reg query hklm\software\microsoft\windows\currentversion\run /s >> $filename
  159. reg query hklm\software\microsoft\windows\currentversion\runonce /s >> $filename
  160. reg query hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\run /s >> $filename
  161. reg query hkcu\SOFTWARE\Microsoft\Windows\CurrentVersion\runonce /s >> $filename
  162.  
  163. echo $stars >> $filename
  164. echo "-------Winlogon------" >> $filename
  165. echo $stars >> $filename
  166. reg query "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s >> $filename
  167. echo " " >> $filename
  168.  
  169. echo $stars >> $filename
  170. echo "-------Run Locations Under Policies FOR Users running Windows ME, 2000 or XP------" >> $filename
  171. echo $stars >> $filename
  172. <#Testing for the existence of these#>
  173.  
  174. If (Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run")
  175. {
  176. reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /s
  177. }
  178. Else
  179. {
  180. echo "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run does not exist!" >> $filename
  181. }
  182.  
  183.  
  184. If (Test-Path HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run)
  185. {
  186. reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /s
  187. }
  188. Else
  189. {
  190. echo "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run does not exist!" >> $filename
  191. }
  192.  
  193. echo " " >> $filename
  194. echo $stars >> $filename
  195. echo "-------Auto-Start Locations for Installed Components, Look for Stub Path Keys!------" >> $filename
  196. reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s >> $filename
  197. echo $stars >> $filename
  198. echo " " >> $filename
  199.  
  200. <# Network Information #>
  201. $filename = $computer + "_output_network.txt"
  202.  
  203. echo $stars >> $filename
  204. echo "Network Information" >> $filename
  205. echo $stars >> $filename
  206.  
  207. echo $stars >> $filename
  208. echo "DNS Cache" >> $filename
  209. echo $stars >> $filename
  210. ipconfig /displaydns >> $filename
  211. echo " " >> $filename
  212.  
  213. echo $stars >> $filename
  214. echo "Open Network Connections" >> $filename
  215. echo $stars >> $filename
  216. netstat -anob >> $filename