All,

I'm cobbling together a script to pull registry entries from the
machines domain-wide (Run and RunOnce, including from the Wow6432node
tree). If someone can help with this, I'd much appreciate it. (FYI, I
got the idea from a SANS webcast on proactive security monitoring, but
the example script they showed used "reg query" statements, which
seems really out of date - I figured it would be good practice for me
to re-write it in PS.)

I've got two problems:

o- It seems really inefficient currently, as I poll each machine 4
times. I'd like to be able to collapse it down to a single poll per
machine.

o- I can't seem to pull data from either of the RunOnce keys. The
variables are empty, and I get a zero-length CSV file for each of them
at the end. I get no error message in the output, either.


Script is below - there are 4 main stanzas, each with 4 lines, each
line beginning with:
$variable
Set-Location
Get-Item
$variable

Thanks,

Kurt


----------Begin Script----------
Push-Location

# Target machines: AD computer accounts whose name starts with "us-it"
$Computers = get-adcomputer -filter { name -like "us-it*" } |
    select -expandproperty dnshostname

# HKLM Run key (native view)
$RunValues = $Computers | foreach-object $_ { invoke-command -computername $_ -scriptblock {
    Set-Location 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
        New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} }
} }
$RunValues | select pscomputername, property, value | export-csv c:\temp\RunKey.csv

# HKLM Run key (Wow6432node view)
$RunWowValues = $Computers | foreach-object $_ { invoke-command -computername $_ -scriptblock {
    Set-Location 'HKLM:\Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run'
    Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
        New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} }
} }
$RunWowValues | select pscomputername, property, value | export-csv c:\temp\RunWowKey.csv

# HKLM RunOnce key (native view)
$RunOnceValues = $Computers | foreach-object $_ { invoke-command -computername $_ -scriptblock {
    Set-Location 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
        New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} }
} }
$RunOnceValues | select pscomputername, property, value | export-csv c:\temp\RunOnceKey.csv

# HKLM RunOnce key (Wow6432node view)
$RunOnceWowValues = $Computers | foreach-object $_ { invoke-command -computername $_ -scriptblock {
    Set-Location 'HKLM:\Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce'
    Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
        New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} }
} }
$RunOnceWowValues | select pscomputername, property, value | export-csv c:\temp\RunOnceWowKey.csv

Pop-Location
----------End Script---------
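
One way to collect all four keys in a single remoting call per machine, as an added example that is not part of the original post. It assumes PowerShell remoting is enabled on the targets and the ActiveDirectory module is loaded; the `Key` column, the placeholder rows for empty or absent keys, and the output file names are choices made for this example.

```powershell
# Added example (not the poster's code): one Invoke-Command per machine, all four keys.
$Computers = Get-ADComputer -Filter 'Name -like "us-it*"' |
    Select-Object -ExpandProperty DNSHostName

$AutorunScript = {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($path in $keys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) {
            # Key absent on this host: emit a marker row so "absent" is visible in the CSV
            New-Object psobject -Property @{ Key = $path; Property = '<key not present>'; Value = '' }
            continue
        }
        if ($key.ValueCount -eq 0) {
            # Key exists but holds no values: distinguishes "empty" from "query failed"
            New-Object psobject -Property @{ Key = $path; Property = '<no values>'; Value = '' }
            continue
        }
        foreach ($name in $key.GetValueNames()) {
            New-Object psobject -Property @{
                Key      = $path
                Property = $name
                # Keep %VAR% references unexpanded so the stored command line is recorded as written
                Value    = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }
}

# Passing the whole list lets Invoke-Command fan out to the machines in parallel
$Results = Invoke-Command -ComputerName $Computers -ScriptBlock $AutorunScript -ErrorAction SilentlyContinue

$Results | Select-Object PSComputerName, Key, Property, Value |
    Export-Csv C:\temp\AutorunKeys.csv -NoTypeInformation

# Every reachable host returns at least one row per key, so hosts with no rows did not answer
$Computers | Where-Object { @($Results.PSComputerName) -notcontains $_ } |
    Set-Content C:\temp\AutorunUnreachable.txt
```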

