cephurs

live ir via powershell ty sans

  1. <#
  2. Live Response Script Desktop
  3. Author: Sajeev.Nair - [email protected]
  4. Version : 2.0 for PowerShell V2
  5. #>
  6. write-host ""
  7. Write-host "**** Script Started ****"
  8. # Global Variables used in this script
  9. $CompName = (gi env:\Computername).Value
  10. $UserDirectory = (gi env:\userprofile).value
  11. $User = (gi env:\USERNAME).value
  12. $Date = (Get-Date).ToString('MM.dd.yyyy')
  13. $head = '<style> BODY{font-family:caibri; background-color:Aliceblue;}
  14. TABLE{border-width: 1px;border-style: solid;border-color: black;bordercollapse:
  15. collapse;} TH{font-size:1.1em; border-width: 1px;padding: 2px;borderstyle:
  16. solid;border-color: black;background-color:PowderBlue} TD{border-width:
  17. 1px;padding: 2px;border-style: solid;border-color: black;backgroundcolor:
  18. white} </style>'
  19.  
  20. $OutLevel1 = "$UserDirectory\desktop\$CompName-$User-$Date-Level1.html"
  21.  
  22. $TList = @(tasklist /V /FO CSV | ConvertFrom-Csv)
  23.  
  24. $ExecutableFiles = @("*.EXE","*.COM","*.BAT","*.BIN","*.JOB","*.WS",".WSF","*.PS1",".PAF","*.MSI","*.CGI","*.CMD","*.JAR","*.JSE","*.SCR","*.SCRIPT","*.VB","*.VBE","*.VBS","*.VBSCRIPT","*.DLL")
  25.  
  26. # Setting HTML report format
  27.  
  28. ConvertTo-Html -Head $head -Title "Live Response script for $CompName.$User" -Body "<h1> Live Forensics Script <p> Computer Name : $CompName &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp User ID : $User </p> </h1>" > $OutLevel1
  29.  
  30. # Main Routine
  31.  
  32. # Record start time of collection
  33.  
  34. date | select DateTime | ConvertTo-html -Body "<H2> Current Date and Time
  35. </H2>" >> $OutLevel1
  36.  
  37. openfiles /local on
  38.  
  39. systeminfo /FO CSV | ConvertFrom-Csv | select-object * -ExcludeProperty 'Hotfix(s)','Network Card(s)' | ConvertTo-html -Body "<H2> System Information </H2>" >> $OutLevel1
  40.  
  41. gwmi -ea 0 Win32_UserProfile | select LocalPath, SID,@{NAME='last used';EXPRESSION={$_.ConvertToDateTime($_.lastusetime)}} | ConvertTo-html -Body "<H2> User accounts and current login Information </H2>" >> $OutLevel1
  42.  
  43. gwmi -ea 0 Win32_NetworkAdapterConfiguration |where{$_.IPEnabled -eq 'True'} | select DHCPEnabled,@{Name='IpAddress';Expression={$_.IpAddress -join '; '}},@{Name='DefaultIPgateway';Expression={$_.DefaultIPgateway -join '; '}},DNSDomain | ConvertTo-html -Body "<H2> Network Configuration Information </H2>" >> $OutLevel1
  44.  
  45. gwmi -ea 0 Win32_StartupCommand | select command,user,caption | ConvertTo-html -Body "<H2> Startup Applications </H2>" >> $OutLevel1
  46.  
  47. gp -ea 0 'hklm:\software\wow6432node\microsoft\windows\currentversion\run' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Startup Applications - Additional for 64 bit Systems </H2>" >> $OutLevel1
  48.  
  49. gp -ea 0 'hklm:\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Startup Applications - Additional for 64 bit Systems </H2>" >> $OutLevel1
  50.  
  51. gp -ea 0 'hklm:\software\wow6432node\microsoft\windows\currentversion\runonce'| select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Startup Applications - Additional for 64 bit Systems </H2>" >> $OutLevel1
  52.  
  53. gp -ea 0 'hkcu:\software\wow6432node\microsoft\windows\currentversion\run' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Startup Applications - Additional for 64 bit Systems </H2>" >> $OutLevel1
  54.  
  55. gp -ea 0 'hkcu:\software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Startup Applications - Additional for 64 bit Systems </H2>" >> $OutLevel1
  56.  
  57. gp -ea 0 'hkcu:\software\wow6432node\microsoft\windows\currentversion\runonce'| select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Startup Applications - Additional for 64 bit Systems </H2>" >> $OutLevel1
  58.  
  59. $cmd = netstat -nao | select-string "ESTA"
  60. foreach ($element in $cmd)
  61. {$data = $element -split ' ' | where {$_ -ne ''}
  62.  
  63. New-Object -TypeName psobject -Property @{
  64. 'Local IP : Port#'=$data[1];
  65. 'Remote IP : Port#'=$data[2];
  66. 'Process ID'= $data[4];
  67. 'Process Name'=((Get-process |where {$_.ID -eq $data[4]})).Name
  68. 'Process File Path'=((Get-process |where {$_.ID -eq $data[4]})).path
  69. 'Process Start Time'=((Get-process |where {$_.ID -eq $data[4]})).starttime
  70. #'Process File Version'=((Get-process |where {$_.ID -eq $data[4]})).FileVersion
  71. 'Associated DLLs and File Path'=((Get-process |where {$_.ID -eq $data[4]})).Modules |select @{Name='Module';Expression={$_.filename -join '; '} } |out-string} | ConvertTo-html -Property 'Local IP : Port#', 'Remote IP : Port#','Process ID','Process Name','Process Start Time','Process File Path','Associated DLLs and File Path' -Body "<H2> </H2>" >> $OutLevel1}
  72.  
  73. #gwmi -ea 0 win32_process | select processname,@{NAME='CreationDate';EXPRESSION={$_.ConvertToDateTime($_.CreationDate)}},ProcessId,ParentProcessId,CommandLine,sessionID |sort ParentProcessId - desc | ConvertTo-html -Body "<H2> Running Processes sorted by ParentProcessID </H2>" >> $OutLevel1
  74. gwmi -ea 0 win32_process | select processname,
  75. @{NAME='CreationDate';EXPRESSION={$_.ConvertToDateTime($_.CreationDate)}},ProcessId,ParentProcessId,CommandLine,sessionID | sort ParentProcessId -desc | ConvertTo-html -Body "<H2> Running Processes sorted by ParentProcessID </H2>" >> $OutLevel1
  76.  
  77. gwmi -ea 0 win32_process | where {$_.name -eq 'svchost.exe'} | select ProcessId |foreach-object {$P = $_.ProcessID ;gwmi win32_service |where {$_.processId -eq $P} | select processID,name,DisplayName,state,startmode,PathName} | ConvertTo-html -Body "<H2> Running SVCHOST and associated Processes </H2>" >> $OutLevel1
  78.  
  79. gwmi -ea 0 win32_Service | select Name,ProcessId,State,DisplayName,PathName | sort state | ConvertTo-html -Body "<H2> Running Services - Sorted by State </H2>" >> $OutLevel1
  80.  
  81. driverquery.exe /v /FO CSV | ConvertFrom-CSV | Select 'Display Name','Start Mode', Path | sort Path | ConvertTo-html -Body "<H2> Drivers running, Startup mode and Path - Sorted by Path </H2>" >> $OutLevel1
  82.  
  83. gci -r -ea 0 c:\ -include *.dll | select Name,CreationTime,LastAccessTime,Directory | sort CreationTime -desc | select -first 50 | ConvertTo-html -Body "<H2> Last 50 DLLs created - Sorted by CreationTime </H2>" >> $OutLevel1
  84.  
  85. openfiles /query > "$UserDirectory\desktop\$CompName-$User-$Date-OpenFiles.txt"
  86.  
  87. gwmi -ea 0 Win32_Share | select name,path,description | ConvertTo-html -Body "<H2> Open Shares </H2>" >> $OutLevel1
  88.  
  89. gp -ea 0 'hkcu:\Software\Microsoft\Windows\CurrentVersion\explorer\Map Network Drive MRU' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Mapped Drives </H2>" >> $OutLevel1
  90.  
  91. gwmi -ea 0 Win32_ScheduledJob | ConvertTo-html -Body "<H2> Scheduled Jobs </H2>" >> $OutLevel1
  92.  
  93. get-winevent -ea 0 -logname Microsoft-Windows-TaskScheduler/Operational | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Scheduled task events </H2>" >> $OutLevel1
  94.  
  95. Get-HotFix -ea 0| Select HotfixID, Description, InstalledBy, InstalledOn | Sort-Object InstalledOn -Descending | ConvertTo-html -Body "<H2> HotFixes applied - Sorted by Installed Date </H2>" >> $OutLevel1
  96.  
  97. gp -ea 0 HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName,DisplayVersion,Publisher,InstallDate,InstallLocation | Sort InstallDate -Desc | ConvertTo-html -Body "<H2> Installed Applications - Sorted by Installed Date </H2>" >> $OutLevel1
  98.  
  99. gwmi -ea 0 Win32_ShortcutFile | select FileName,caption,@{NAME='CreationDate';EXPRESSION={$_.ConvertToDateTime($_.CreationDate)}},@{NAME=’LastAccessed’;EXPRESSION={$_.ConvertToDateTime($_.LastAccessed)}},@{NAME=’LastModified’;EXPRESSION={$_.ConvertToDateTime($_.LastModified)}},Target | Where-Object {$_.lastModified -gt ((Get-Date).addDays(-5)) }| sort LastModified -Descending | ConvertTo-html -Body "<H2> Link File Analysis - Last 5 days </H2>" >> $OutLevel1
  100.  
  101. gci -Path C:\ -r -ea 0 -include $ExecutableFiles |Where {$_.Attributes -band [IO.FileAttributes]::Compressed} | ConvertTo-html -Body "<H2> Compressed files </H2>" >> $OutLevel1
  102.  
  103. gci -Path C:\ -r -force -ea 0 -include $ExecutableFiles |Where {$_.Attributes -band [IO.FileAttributes]::Encrypted} | ConvertTo-html -Body "<H2> Encrypted files </H2>" >> $OutLevel1
  104.  
  105. gwmi -ea 0 Win32_ShadowCopy | select DeviceObject,@{NAME='CreationDate';EXPRESSION={$_.ConvertToDateTime($_.InstallDate)}} | ConvertTo-html -Body "<H2> ShadowCopy List </H2>" >> $OutLevel1
  106.  
  107. gci -path C:\windows\prefetch\*.pf -ea 0 | select Name, LastAccessTime,CreationTime | sort LastAccessTime | ConvertTo-html -Body "<H2> Prefetch Files </H2>" >> $OutLevel1
  108.  
  109. ipconfig /displaydns | select-string 'Record Name' | Sort | ConvertTo-html -Body "<H2> DNS Cache </H2>" >> $OutLevel1
  110.  
  111. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='system';ID=1014} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log – DNS – failed resolution events </H2>" >> $OutLevel1
  112.  
  113. Get-WinEvent -ea 0 -ListLog * | Where-Object {$_.IsEnabled} | Sort-Object -Property LastWriteTime -Descending | select LogName, FileSize, LastWriteTime | ConvertTo-html -Body "<H2> List of available logs </H2>" >> $OutLevel1
  114.  
  115. $la = $env:LOCALAPPDATA ;gci -r -ea 0 $la\Microsoft\Windows\'Temporary Internet Files' | select Name, LastWriteTime, CreationTime,Directory| Where-Object {$_.lastwritetime -gt ((Get-Date).addDays(-5)) }| Sort creationtime -Desc | ConvertTo-html -Body "<H2> Temporary Internet Files - Last 5 days - Sorted by CreationTime </H2>" >> $OutLevel1
  116.  
  117. $a = $env:APPDATA ;gci -r -ea 0 $a\Microsoft\Windows\cookies | select Name |foreach-object {$N = $_.Name ;get-content -ea 0 $a\Microsoft\Windows\cookies\$N | select-string '/'} | ConvertTo-html -Body "<H2> Cookies </H2>" >> $OutLevel1
  118.  
  119. gp -ea 0 'hkcu:\Software\Microsoft\Internet Explorer\TypedUrls' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Typed URLs </H2>" >> $OutLevel1
  120.  
  121. write-host ""
  122.  
  123. Write-host "**** Script is running please wait ****"
  124.  
  125. gp -ea 0 'hkcu:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry keys - Internet Settings </H2>" >> $OutLevel1
  126.  
  127. gci -ea 0 "hkcu:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains" | select PSChildName | ConvertTo-html -Body "<H2> Important Registry keys - Internet Trusted Domains </H2>" >> $OutLevel1
  128.  
  129. gp -ea 0 'hklm:\Software\Microsoft\Windows NT\CurrentVersion\Windows' | select AppInit_DLLs | ConvertTo-html -Body "<H2> Important Registry keys - AppInit_DLLs </H2>" >> $OutLevel1
  130.  
  131. gp -ea 0 hklm:\Software\Microsoft\Windows\CurrentVersion\policies\system | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry keys - UAC Group Policy Settings </H2>" >> $OutLevel1
  132.  
  133. gp -ea 0 'HKLM:\Software\Microsoft\Active Setup\Installed Components\*' | select ComponentID,'(default)',StubPath | ConvertTo-html -Body "<H2> Important Registry keys - Active setup Installs </H2>" >> $OutLevel1
  134.  
  135. gp -ea 0 'hklm:\Software\Microsoft\Windows\CurrentVersion\App Paths\*' | select PSChildName, '(default)' | ConvertTo-html -Body "<H2> Important Registry keys - APP Paths keys </H2>" >> $OutLevel1
  136.  
  137. gp -ea 0 'hklm:\software\microsoft\windows nt\CurrentVersion\winlogon\*\*' | select '(default)',DllName | ConvertTo-html -Body "<H2> Important Registry keys - DLLs loaded by Explorer.exe shell </H2>" >> $OutLevel1
  138.  
  139. gp -ea 0 'hklm:\software\microsoft\windows nt\CurrentVersion\winlogon' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry keys - shell and UserInit values </H2>" >> $OutLevel1
  140.  
  141. gp -ea 0 'hklm:\software\microsoft\security center\svc' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry Keys - Security center SVC values </H2>" >> $OutLevel1
  142.  
  143. gp -ea 0 'hkcu:\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry keys - Desktop Address bar history </H2>" >> $OutLevel1
  144.  
  145. gp -ea 0 'hkcu:\Software\Microsoft\Windows\CurrentVersion\explorer\RunMru' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry keys - RunMRU keys </H2>" >> $OutLevel1
  146.  
  147. gp -ea 0 'hklm:\Software\Microsoft\Windows\CurrentVersion\explorer\Startmenu' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry keys - Start Menu </H2>" >> $OutLevel1
  148.  
  149. gp -ea 0 'hklm:\SYSTEM\CurrentControlSet\Control\Session Manager' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry keys - Programs Executed By Session Manager </H2>" >> $OutLevel1
  150.  
  151. gp -ea 0 'hklm:\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry keys - Shell Folders </H2>" >> $OutLevel1
  152.  
  153. gp -ea 0 'hkcu:\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders' | select startup | ConvertTo-html -Body "<H2> Important Registry keys - User Shell Folders 'Startup' </H2>" >> $OutLevel1
  154.  
  155. gp -ea 0 'hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry keys - Approved Shell Extentions </H2>" >> $OutLevel1
  156.  
  157. gp -ea 0 'hklm:\System\CurrentControlSet\Control\Session Manager\AppCertDlls' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry keys - AppCert DLLs </H2>" >> $OutLevel1
  158.  
  159. gp –ea 0 'hklm:\SOFTWARE\Classes\exefile\shell\open\command' | select * -ExcludeProperty PS* | ConvertTo-html -Body "<H2> Important Registry keys - EXE File Shell Command Configured </H2>" >> $OutLevel1
  160.  
  161. gp -ea 0 hklm:\SOFTWARE\Classes\HTTP\shell\open\command | select '(default)' | ConvertTo-html -Body "<H2> Important Registry keys - Shell Commands </H2>" >> $OutLevel1
  162.  
  163. gp -ea 0 hklm:\BCD00000000\*\*\*\* | select Element |select-string ‘exe’ | select Line | ConvertTo-html -Body "<H2> Important Registry keys - BCD Related </H2>" >> $OutLevel1
  164.  
  165. gp -ea 0 'hklm:\system\currentcontrolset\control\lsa' | select * -ExcludeProperty PS*| ConvertTo-html -Body "<H2> Important Registry keys - LSA Packages loaded </H2>" >> $OutLevel1
  166.  
  167. gp –ea 0 'hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' | select '(default)'| ConvertTo-html -Body "<H2> Important Registry keys - Browser Helper Objects </H2>" >> $OutLevel1
  168.  
  169. gp -ea 0 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*' | select '(default)' | ConvertTo-html -Body "<H2> Important Registry keys - Browser Helper Objects 64 Bit </H2>" >> $OutLevel1
  170.  
  171. gp -ea 0 'hkcu:\Software\Microsoft\Internet Explorer\Extensions\*' | select ButtonText, Icon | ConvertTo-html -Body "<H2> Important Registry keys - IE Extensions </H2>" >> $OutLevel1
  172.  
  173. gp -ea 0 'hklm:\Software\Microsoft\Internet Explorer\Extensions\*' | select ButtonText, Icon | ConvertTo-html -Body "<H2> Important Registry keys – IE Extensions </H2>" >> $OutLevel1
  174.  
  175. gp -ea 0 'hklm:\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\*' | select ButtonText, Icon | ConvertTo-html -Body "<H2> Important Registry keys - IE Extensions </H2>" >> $OutLevel1
  176.  
  177. write-host ""
  178.  
  179. Write-host "**** Script is running please wait ****"
  180.  
  181. gp -ea 0 hklm:\system\currentcontrolset\enum\usbstor\*\* | select FriendlyName,PSChildName,ContainerID | ConvertTo-html -Body "<H2> List of USB devices </H2>" >> $OutLevel1
  182.  
  183. gci -Path C:\ -r -force -ea 0 -include $ExecutableFiles | Where-Object {-not $_.PSIsContainer -and $_.lastwritetime -gt ((Get-Date).addDays(-30)) } | select fullname,lastwritetime,@{N='Owner';E={($_ | Get-ACL).Owner}} | sort lastwritetime -desc | ConvertTo-html -Body "<H2> File Timeline Executable Files - Past 30 days </H2>" >> $OutLevel1
  184.  
  185. gci c:\ -r -ea 0 -include $ExecutableFiles |foreach { $P = $_.fullname; get-item $P - Stream * } | where {$_.Stream -match "Zone.Identifier"} | select filename,stream, @{N='LastWriteTime';E={(dir $P).LastWriteTime}} | ConvertTo-html -Body "<H2> Downloaded executable files </H2>" >> $OutLevel1
  186.  
  187. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='security';ID=4624} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log - Account logon </H2>" >> $OutLevel1
  188.  
  189. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='security';ID=4625} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log - An account failed to log on </H2>" >> $OutLevel1
  190.  
  191. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='security';ID=4616} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log - The system time was changed </H2>" >> $OutLevel1
  192.  
  193. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='application';ID=1002} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log – Application crashes </H2>" >> $OutLevel1
  194.  
  195. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='security';ID=4688} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log - Process execution </H2>" >> $OutLevel1
  196.  
  197. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='security';ID=4720} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log - A user account was created </H2>" >> $OutLevel1
  198.  
  199. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='security';ID=4648} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log - A logon was attempted using explicit credentials </H2>" >> $OutLevel1
  200.  
  201. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='security';ID=4672} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log – Privilege use 4672 </H2>" >> $OutLevel1
  202.  
  203. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='security';ID=4673} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log – Privilege use 4673 </H2>" >> $OutLevel1
  204.  
  205. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='security';ID=4674} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log – Privilege use 4674 </H2>" >> $OutLevel1
  206.  
  207. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='system';ID=7036} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log – Service Control Manager events </H2>" >> $OutLevel1
  208.  
  209. Get-WinEvent -max 50 -ea 0 -FilterHashtable @{Logname='system';ID=64001} | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Event log – WFP events </H2>" >> $OutLevel1
  210.  
  211. get-winevent -ea 0 -logname Microsoft-Windows-Application-Experience/Program-Inventory | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Application inventory events </H2>" >> $OutLevel1
  212.  
  213. get-winevent -ea 0 -logname Microsoft-Windows-TerminalServices-LocalSessionManager | select TimeCreated,ID,Message | ConvertTo-html -Body "<H2> Terminal services events </H2>" >> $OutLevel1
  214.  
  215. # Record end time of collection
  216.  
  217. date | select DateTime | ConvertTo-html -Body "<H2> Current Date and Time </H2>" >> $OutLevel1
  218.  
  219. # Copying network connections
  220.  
  221. netstat -naob > "$UserDirectory\desktop\$CompName-$User-$Date-NetworkConnections.txt"
  222.  
  223. # Copying Hosts file
  224.  
  225. gc $env:windir\system32\drivers\etc\hosts > "$UserDirectory\desktop\$CompName-$User-$Date-HostsFile.txt"
  226.  
  227. # Audit Policy
  228. auditpol /get /category:* | select-string 'No Auditing' -notmatch > "$UserDirectory\desktop\$CompName-$User-$Date-AuditPolicy.txt"
  229.  
  230. # Firewall Config
  231. netsh firewall show config > "$UserDirectory\desktop\$CompName-$User-$Date-FirewallConfig.txt"
  232.  
  233. # Popup message upon completion
  234. (New-Object -ComObject wscript.shell).popup("Script Completed")