Is this a one-time data capture, or something you need to do on a recurring basis? Do you have any systems management software, like SCCM, in your environment? If not, do your machines run a startup script through Group Policies? The best solution would be SCCM or something similar, where you can easily inventory registry keys and WMI data. Second best would be a logon or shutdown script that mines this data and writes it to a network share that your computer accounts (domain computers in AD) have write permissions on. Then you would just need a script to compile all these results into whatever format you want for viewing, like an Excel spreadsheet. Having one machine open connections to all other machines in your environment is cumbersome, but it will work if some of the other options are unavailable, or if this is just a one-time event.
Matt

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Emin
Sent: Friday, March 20, 2015 4:41 AM
To: powershell@lists.myitforum.com
Subject: Re: [powershell] Scripting registry queries

Hi,

I've had something similar at work for years now. You should split this into 2 main parts:
1. the script that will run on clients and that will query the registry
2. the script "engine" that will open sessions on remote computers with a foreach loop and do, for each target computer:
Invoke-Command -ComputerName $target -FilePath .\myclientscript.ps1 -Credential $c

Once you've done that and it works, you can work on the performance of these two scripts.
1. For the client script, the faster it executes, the better. Keep also in mind that the less output it has, the less data it has to send back through the remoting session, and the faster it will be. I'm using whitelists inside the script to filter known and expected things.
2. I'm splitting operations in the engine into very atomic tasks to achieve great performance. I don't rely on built-in cmdlets to test if I can remote in. What I'm using is explained in this post: https://p0w3rsh3ll.wordpress.com/2012/11/26/revisiting-test-port-using-a-powershell-worflow/

I'd recommend reading all the articles written during the 2 weeks about security on PowerShell Magazine: http://www.powershellmagazine.com/tag/security/
In my article there's a link to a private gist where the script scans for the same launch points as autoruns.exe from Sysinternals does: http://www.powershellmagazine.com/2014/07/17/live-incident-response-with-powershell/

/Emin

On Fri, Mar 20, 2015 at 3:35 AM, Kurt Buff <kurt.b...@gmail.com> wrote:

All,

I'm cobbling together a script to pull registry entries from the machines domain-wide (Run and RunOnce, including from the Wow6432node tree). If someone can help with this, I'd much appreciate it.
(FYI, I got the idea from a SANS webcast on proactive security monitoring, but the example script they showed used "reg query" statements, which seems really out of date - I figured it would be good practice for me to re-write it in PS.)

I've got two problems:
o- It seems really inefficient currently, as I poll each machine 4 times. I'd like to be able to collapse it down to a single poll per machine.
o- I can't seem to pull data from either of the RunOnce keys. The variables are empty, and I get a zero-length CSV file for each of them at the end. I get no error message in the output, either.

Script is below - there are 4 main stanzas, each with 4 lines, each line beginning with:
$variable
Set-Location
Get-Item
$variable

Thanks,

Kurt

----------Begin Script----------
# Get-ADComputer needs the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory
Push-Location
$Computers = Get-ADComputer -Filter { Name -like "us-it*" } | Select-Object -ExpandProperty DNSHostName

# Run key, native view. The script block is ForEach-Object's -Process argument;
# the stray "$_" that preceded each block in the original has been removed.
$RunValues = $Computers | ForEach-Object {
    Invoke-Command -ComputerName $_ -ScriptBlock {
        Set-Location 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        Get-Item . | Select-Object -ExpandProperty Property | ForEach-Object {
            New-Object psobject -Property @{ "Property" = $_; "Value" = (Get-ItemProperty -Path . -Name $_).$_ }
        }
    }
}
$RunValues | Select-Object PSComputerName, Property, Value | Export-Csv c:\temp\RunKey.csv

# Run key, 32-bit (Wow6432node) view
$RunWowValues = $Computers | ForEach-Object {
    Invoke-Command -ComputerName $_ -ScriptBlock {
        Set-Location 'HKLM:\Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run'
        Get-Item . | Select-Object -ExpandProperty Property | ForEach-Object {
            New-Object psobject -Property @{ "Property" = $_; "Value" = (Get-ItemProperty -Path . -Name $_).$_ }
        }
    }
}
$RunWowValues | Select-Object PSComputerName, Property, Value | Export-Csv c:\temp\RunWowKey.csv

# RunOnce key, native view
$RunOnceValues = $Computers | ForEach-Object {
    Invoke-Command -ComputerName $_ -ScriptBlock {
        Set-Location 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        Get-Item . | Select-Object -ExpandProperty Property | ForEach-Object {
            New-Object psobject -Property @{ "Property" = $_; "Value" = (Get-ItemProperty -Path . -Name $_).$_ }
        }
    }
}
$RunOnceValues | Select-Object PSComputerName, Property, Value | Export-Csv c:\temp\RunOnceKey.csv

# RunOnce key, 32-bit (Wow6432node) view
$RunOnceWowValues = $Computers | ForEach-Object {
    Invoke-Command -ComputerName $_ -ScriptBlock {
        Set-Location 'HKLM:\Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce'
        Get-Item . | Select-Object -ExpandProperty Property | ForEach-Object {
            New-Object psobject -Property @{ "Property" = $_; "Value" = (Get-ItemProperty -Path . -Name $_).$_ }
        }
    }
}
$RunOnceWowValues | Select-Object PSComputerName, Property, Value | Export-Csv c:\temp\RunOnceWowKey.csv
Pop-Location
----------End Script---------

================================================
Did you know you can also post and find answers on PowerShell in the forums?
http://www.myitforum.com/forums/default.asp?catApp=1
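Following Emin's split into a client script and an engine, and collapsing Kurt's four polls per machine into a single remoting call, as an added example that is not code from this thread (the key list, the output paths and the use of -ErrorVariable to record unreachable hosts are my own choices):

```powershell
# Added example, not code from the thread: one remoting call per machine that
# inventories all four Run/RunOnce keys, instead of four separate polls.
# Assumes WinRM is enabled on the targets and the ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Client-side part: runs on each target and emits one object per value.
$ClientScript = {
    $Keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($Key in $Keys) {
        # RunOnce entries delete themselves after first use, so an empty or
        # missing key is normal; report it explicitly instead of returning nothing.
        $Item = Get-Item -Path $Key -ErrorAction SilentlyContinue
        if (-not $Item -or $Item.Property.Count -eq 0) {
            [pscustomobject]@{ Key = $Key; Name = $null; Value = $null; Note = 'empty or missing' }
            continue
        }
        foreach ($Name in $Item.Property) {
            [pscustomobject]@{ Key = $Key; Name = $Name; Value = $Item.GetValue($Name); Note = '' }
        }
    }
}

# Engine part: Invoke-Command fans out to the whole list in parallel (32 hosts
# at a time by default) and tags every returned object with PSComputerName.
$Computers = Get-ADComputer -Filter { Name -like 'us-it*' } |
    Select-Object -ExpandProperty DNSHostName

$Results = Invoke-Command -ComputerName $Computers -ScriptBlock $ClientScript `
    -ErrorAction SilentlyContinue -ErrorVariable Unreachable

$Results | Select-Object PSComputerName, Key, Name, Value, Note |
    Export-Csv -Path 'C:\temp\AutorunKeys.csv' -NoTypeInformation

# Record hosts that could not be contacted so the inventory is not silently partial.
$Unreachable | ForEach-Object { $_.TargetObject } | Sort-Object -Unique |
    Out-File -FilePath 'C:\temp\AutorunKeys-unreachable.txt'
```

A single CSV with a Key column replaces the four per-key files, and the 'empty or missing' rows make the zero-length RunOnce result visible rather than indistinguishable from a failed query.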