Is this a one-time data capture, or something you need to do on a recurring 
basis? Do you have any systems management software, like SCCM, in your 
environment? If not, do your machines run a startup script through Group 
Policies? The best solution would be SCCM or something similar, where you can 
easily inventory registry keys and wmi data. Second best would be a logon or 
shutdown script that mines this data and writes it to a network share that your 
computer accounts (domain computers in AD) have write permissions on. Then you 
would just need a script to compile all these results into whatever format you 
want for viewing, like an Excel spreadsheet. Having one machine open 
connections to all other machines in your environment is cumbersome, but it 
will work if some of the other options are unavailable, or if this is just a 
one-time event.

Matt

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Emin
Sent: Friday, March 20, 2015 4:41 AM
To: powershell@lists.myitforum.com
Subject: Re: [powershell] Scripting registry queries

Hi,
I've had something similar at work for years now.

You should split this into 2 main parts:
1. the script that will run on clients and that will query the registry
2. the script "engine" that will open sessions on remote computers with a 
foreach loop and do for each target computer:
Invoke-command -ComputerName $target -FilePath .\myclientscript.ps1 
-credentials $c
Once you've done that and it works, you can work on the performance of 
these two scripts.
1. For the client script, the faster it executes, the better. Also keep in 
mind that the less output it has, the less data it has to send back through the 
remoting session, and the faster it will be. I'm using whitelists inside the 
script to filter known and expected things.
2. I'm splitting operations in the engine into very atomic tasks to achieve good 
performance. I don't rely on built-in cmdlets to test if I can remote in. What 
I'm using is explained in this post 
https://p0w3rsh3ll.wordpress.com/2012/11/26/revisiting-test-port-using-a-powershell-worflow/
I'd recommend reading all the articles written during the 2 weeks about 
security on PowerShell Magazine
http://www.powershellmagazine.com/tag/security/
In my article there's a link to a private gist where the script scans for the 
same launch points as autoruns.exe from Sysinternals does
http://www.powershellmagazine.com/2014/07/17/live-incident-response-with-powershell/

/Emin

On Fri, Mar 20, 2015 at 3:35 AM, Kurt Buff 
<kurt.b...@gmail.com> wrote:
All,

I'm cobbling together a script to pull registry entries from the
machines domain-wide (Run and RunOnce, including from the Wow6432node
tree). If someone can help with this, I'd much appreciate it. (FYI, I
got the idea from a SANS webcast on proactive security monitoring, but
the example script they showed used "reg query" statements, which
seems really out of date - I figured it would be good practice for me
to re-write it in PS.)

I've got two problems:

o- It seems really inefficient currently, as I poll each machine 4
times. I'd like to be able to collapse it down to a single poll per
machine.

o- I can't seem to pull data from either of the RunOnce keys. The
variables are empty, and I get a zero-length CSV file for each of them
at the end. I get no error message in the output, either.


Script is below - there are 4 main stanzas, each with 4 lines, each
line beginning with:
$variable
Set-Location
Get-Item
$variable

Thanks,

Kurt


----------Begin Script----------
Push-Location

# Target list: DNS host names of the "us-it*" computer accounts in AD
$Computers = get-adcomputer -filter { name -like "us-it*" } |
    select -expandproperty dnshostname

# Stanza 1: 64-bit Run key, one remoting session per computer
# (ForEach-Object takes the script block directly; no "$_" before it)
$RunValues = $Computers | foreach-object { invoke-command -computername $_ -scriptblock {
    Set-Location 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
        New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} } } }
$RunValues | select pscomputername, property, value | export-csv c:\temp\RunKey.csv

# Stanza 2: 32-bit (Wow6432Node) Run key
$RunWowValues = $Computers | foreach-object { invoke-command -computername $_ -scriptblock {
    Set-Location 'HKLM:\Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run'
    Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
        New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} } } }
$RunWowValues | select pscomputername, property, value | export-csv c:\temp\RunWowKey.csv

# Stanza 3: 64-bit RunOnce key
$RunOnceValues = $Computers | foreach-object { invoke-command -computername $_ -scriptblock {
    Set-Location 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
        New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} } } }
$RunOnceValues | select pscomputername, property, value | export-csv c:\temp\RunOnceKey.csv

# Stanza 4: 32-bit (Wow6432Node) RunOnce key
$RunOnceWowValues = $Computers | foreach-object { invoke-command -computername $_ -scriptblock {
    Set-Location 'HKLM:\Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce'
    Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
        New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} } } }
$RunOnceWowValues | select pscomputername, property, value | export-csv c:\temp\RunOnceWowKey.csv

Pop-Location
----------End Script---------
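One way to collapse the four polls above into a single session per machine, laid out along the client/engine split Emin describes (an added example, not code from anyone in this thread). The whitelist names and the output paths are assumptions; the Run/RunOnce paths are the ones from Kurt's script.

```powershell
# Client-side script block: enumerate the four Run / RunOnce launch points in a
# single pass and emit one object per value. An empty key (RunOnce normally is)
# simply yields nothing, which is why a zero-length result is not an error.
$launchKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed whitelist of value names known to be benign on this estate; matching
# entries are dropped on the client so they never cross the remoting session.
$knownGood = @('SecurityHealth', 'VMware User Process')

$clientScript = {
    param([string[]]$Keys, [string[]]$Ignore)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }   # Wow6432Node is absent on 32-bit hosts
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            if ($Ignore -contains $name) { continue }
            [pscustomobject]@{
                Key   = $key
                Name  = $name
                Value = $item.GetValue($name)
            }
        }
    }
}

# Engine side: one Invoke-Command with the whole computer list opens one session
# per host, runs them in parallel (default throttle 32) and stamps each returned
# object with PSComputerName, so the four per-key exports collapse into one file.
$computers = Get-ADComputer -Filter 'Name -like "us-it*"' |
    Select-Object -ExpandProperty DNSHostName

$results = Invoke-Command -ComputerName $computers -ScriptBlock $clientScript `
    -ArgumentList $launchKeys, $knownGood `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable

$results | Select-Object PSComputerName, Key, Name, Value |
    Export-Csv -Path C:\temp\AutorunKeys.csv -NoTypeInformation

# Hosts that could not be reached are a finding in their own right: a machine
# that silently drops out of the inventory is exactly what should be looked at.
$unreachable | ForEach-Object { $_.TargetObject } | Sort-Object -Unique |
    Set-Content -Path C:\temp\Unreachable.txt
```

The script block is also the piece a startup or logon script could run locally and write to a share, as Matt suggests; only the engine half changes.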


================================================
Did you know you can also post and find answers on PowerShell in the forums?
http://www.myitforum.com/forums/default.asp?catApp=1