For some reason Outlook got rid of the line breaks right before the pipe. When you paste this into the ISE, just add in the line breaks between the ` and |

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kelley, Matthew
Sent: Friday, March 20, 2015 3:52 PM
To: 'powershell@lists.myitforum.com'
Subject: RE: [powershell] Scripting registry queries

This works too:

$Computers = get-adcomputer -filter { name -like "us-it*" } | select Name

#put column names on csv file
Out-File c:\windows\temp\RegValues.csv -InputObject "ComputerName,RegistryKey,Name,Value" -Append

foreach($computer in $Computers.Name)
{
$wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
foreach($name in ($wmi.EnumValues(2147483650, `
"Software\Microsoft\Windows\CurrentVersion\Run")).sNames)
{"$($computer),Run,$($name)," + `
$(($wmi.GetExpandedStringValue(2147483650, `
"Software\Microsoft\Windows\CurrentVersion\Run",$name)).sValue) ` | Out-File c:\temp\RegValues.csv -Append}
foreach($name in ($wmi.EnumValues(2147483650, `
"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run")).sNames)
{"$($computer),x64Run,$($name)," + `
$(($wmi.GetExpandedStringValue(2147483650, `
"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run",$name)).sValue) ` | Out-File c:\temp\RegValues.csv -Append}
foreach($name in ($wmi.EnumValues(2147483650, `
"Software\Microsoft\Windows\CurrentVersion\RunOnce")).sNames)
{"$($computer),RunOnce,$($name)," + `
$(($wmi.GetExpandedStringValue(2147483650, `
"Software\Microsoft\Windows\CurrentVersion\RunOnce",$name)).sValue) ` | Out-File c:\temp\RegValues.csv -Append}
foreach($name in ($wmi.EnumValues(2147483650, `
"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce")).sNames)
{"$($computer),x64RunOnce,$($name)," + `
$(($wmi.GetExpandedStringValue(2147483650,`
"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce",$name)).sValue) ` | Out-File c:\temp\RegValues.csv -Append}
}

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kelley, Matthew
Sent: Friday, March 20, 2015 3:48 PM
To: 'powershell@lists.myitforum.com'
Subject: RE: [powershell] Scripting registry queries

No, that didn't work. Here, I put in some line breaks and this works. Hopefully this is chopped up enough for you:

$Computers = get-adcomputer -filter { name -like "us-it*" } | select Name

#put column names on csv file
Out-File c:\windows\temp\RegValues.csv -InputObject "ComputerName,RegistryKey,Name,Value" -Append

foreach($computer in $Computers.Name)
{
$wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
foreach($name in ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run")).sNames)
{"$($computer),Run,$($name)," + `
$(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run",$name)).sValue) `
| Out-File c:\temp\RegValues.csv -Append}
foreach($name in ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run")).sNames)
{"$($computer),x64Run,$($name)," + `
$(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run",$name)).sValue) `
| Out-File c:\temp\RegValues.csv -Append}
foreach($name in ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce")).sNames)
{"$($computer),RunOnce,$($name)," + `
$(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce",$name)).sValue) `
| Out-File c:\temp\RegValues.csv -Append}
foreach($name in ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce")).sNames)
{"$($computer),x64RunOnce,$($name)," + `
$(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce",$name)).sValue) `
| Out-File c:\temp\RegValues.csv -Append}
}

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kelley, Matthew
Sent: Friday, March 20, 2015 3:39 PM
To: 'powershell@lists.myitforum.com'
Subject: RE: [powershell] Scripting registry queries

Try this.
You need the escape character to break lines.. `

$Computers = get-adcomputer -filter { name -like "us-it*" } | select Name

#put column names on csv file
Out-File c:\temp\RegValues.csv -InputObject "ComputerName,RegistryKey,Name,Value" -Append

foreach($computer in $Computers.Name)
{
$wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
foreach($name in `
($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),Run,$($name)," `
+ $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\ `
CurrentVersion\Run",$name)).sValue) `
| Out-File c:\windows\temp\RegValues.csv -Append}
foreach($name in `
($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),x64Run,$($name)," `
+ $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros + `
oft\Windows\CurrentVersion\Run",$name)).sValue) `
| Out-File c:\windows\temp\RegValues.csv -Append}
foreach($name in `
($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),RunOnce,$($name)," `
+ $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\ + `
CurrentVersion\RunOnce",$name)).sValue) `
| Out-File c:\windows\temp\RegValues.csv -Append}
foreach($name in `
($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name)," `
+ $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros + `
oft\Windows\CurrentVersion\RunOnce",$name)).sValue) `
| Out-File c:\windows\temp\RegValues.csv -Append}
}

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Friday, March 20, 2015 3:32 PM
To: powershell@lists.myitforum.com
Subject: Re: [powershell] Scripting registry queries

Matt,

The only output I get from your script is the column headers, and no errors.
I've copied it below, reformatted slightly, for my own comprehension - so I might have munged it somehow in the copying to my PS ISE session. (Of course, I changed it to C:\temp instead of C:\Windows\Temp).

$Computers = get-adcomputer -filter { name -like "us-it*" } | select Name

#put column names on csv file
Out-File c:\temp\RegValues.csv -InputObject "ComputerName,RegistryKey,Name,Value" -Append

foreach($computer in $Computers.Name)
{
$wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
foreach($name in ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),Run,$($name)," +
$(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\ +
CurrentVersion\Run",$name)).sValue) | Out-File c:\windows\temp\RegValues.csv -Append}
foreach($name in ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),x64Run,$($name)," +
$(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros +
oft\Windows\CurrentVersion\Run",$name)).sValue) | Out-File c:\windows\temp\RegValues.csv -Append}
foreach($name in ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),RunOnce,$($name)," +
$(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\ +
CurrentVersion\RunOnce",$name)).sValue) | Out-File c:\windows\temp\RegValues.csv -Append}
foreach($name in ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name)," +
$(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros +
oft\Windows\CurrentVersion\RunOnce",$name)).sValue) | Out-File c:\windows\temp\RegValues.csv -Append}
}

On Fri, Mar 20, 2015 at 9:53 AM, Kelley, Matthew <kelle...@med.umich.edu> wrote:
> I understand.
> Give this a shot:
>
>
> $Computers = get-adcomputer -filter { name -like "us-it*" } | select
> Name
>
> #put column names on csv file
> Out-File c:\windows\temp\RegValues.csv -InputObject
> "ComputerName,RegistryKey,Name,Value" -Append
>
> foreach($computer in $Computers.Name)
> {
>
> $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
> foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion
> \Run")).sNames){"$($computer),Run,$($name)," +
> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\
> CurrentVersion\Run",$name)).sValue) | Out-File
> c:\windows\temp\RegValues.csv -Append} foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\Cu
> rrentVersion\Run")).sNames){"$($computer),x64Run,$($name)," +
> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros
> oft\Windows\CurrentVersion\Run",$name)).sValue) | Out-File
> c:\windows\temp\RegValues.csv -Append} foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion
> \RunOnce")).sNames){"$($computer),RunOnce,$($name)," +
> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\
> CurrentVersion\RunOnce",$name)).sValue) | Out-File
> c:\windows\temp\RegValues.csv -Append} foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\Cu
> rrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name)," +
> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros
> oft\Windows\CurrentVersion\RunOnce",$name)).sValue) | Out-File
> c:\windows\temp\RegValues.csv -Append} }
>
> When you open the csv with excel you will have to use the text to columns
> tool on the ribbon...
>
> I also changed the output path to windows\temp - just for testing on my
> machine. Works decent. Good luck!
>
> Matt
>
> -----Original Message-----
> From: listsad...@lists.myitforum.com
> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
> Sent: Friday, March 20, 2015 12:04 PM
> To: powershell@lists.myitforum.com
> Subject: Re: [powershell] Scripting registry queries
>
> Responses in-line...
>
> On Fri, Mar 20, 2015 at 5:37 AM, Kelley, Matthew <kelle...@med.umich.edu>
> wrote:
>> Is this a one-time data capture, or something you need to do on a
>> recurring basis?
>
> Recurring, minimum once a week.
>
>> Do you have any systems management software, like SCCM, in your
>> environment?
>
> We have no systems management software, though we have an EA agreement
> (my manager doesn't like SCCM - I have no experience with it, though
> I'd love to get my hands dirty with it, and with SCOM, but we do have
> PRTG, which would get very expensive if we tried to monitor
> workstations with it.)
>
>> If not, do your machines run a startup script through Group Policies?
>> The best solution would be SCCM or something similar, where you can
>> easily inventory registry keys and wmi data. Second best would be a
>> logon or shutdown script that mines this data and writes it to a
>> network share that your computer accounts (domain computers in AD)
>> have write permissions on.
>
> We have lots of people who never log off or shut down their machines, except
> when we patch (me included!). It will be better (IMHO) to have all of this
> gathered and processed in a more controlled fashion.
>
>> Then you would just need a script to compile all these results into
>> whatever format you want for viewing, like an excel spreadsheet.
>> Having one machine open connections to all other machines in your
>> environment is cumbersome, but it will work if some of the other
>> options are unavailable, or if this is just a one-time event.
>
> I'm intent on building a management station, as a counterpart to our
> SecurityOnion installation.
> It'll be performing some other tasks as well -
> this is just the first step.
>
> BTW - if you're interested, the SANS webcast (which requires free
> registration) is here:
> https://www.sans.org/webcasts/seamless-continuous-monitoring-defend-organization-cyber-attacks-99472
>
> Kurt
>
>
> ================================================
> Did you know you can also post and find answers on PowerShell in the forums?
> http://www.myitforum.com/forums/default.asp?catApp=1
>
> **********************************************************
> Electronic Mail is not secure, may not be read every day, and should
> not be used for urgent or sensitive issues
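
An added example, not code from anyone in the thread: the same four Run/RunOnce keys read through StdRegProv, with each value emitted as an object so that one CSV export carries the header and the quoted values together, plus a comparison that lists autorun entries absent from the previous weekly snapshot. The function names, the sample computer name and the sample rows are assumptions made for illustration.

```powershell
# Added example, not from the thread. Windows PowerShell ([wmiclass] is not in PowerShell 7).
# Function names and sample rows are hypothetical.
$HKLM = 2147483650   # HKEY_LOCAL_MACHINE, the constant used in the thread
$Keys = [ordered]@{
    Run        = 'Software\Microsoft\Windows\CurrentVersion\Run'
    x64Run     = 'Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run'
    RunOnce    = 'Software\Microsoft\Windows\CurrentVersion\RunOnce'
    x64RunOnce = 'Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce'
}

function Get-AutorunValue {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        try { $reg = [wmiclass]"\\$computer\root\default:StdRegProv" }
        catch { Write-Warning "$computer skipped: $($_.Exception.Message)"; continue }
        foreach ($label in $Keys.Keys) {
            $enum = $reg.EnumValues($HKLM, $Keys[$label])
            # Non-zero ReturnValue: key absent. Null sNames: key present but empty.
            if ($enum.ReturnValue -ne 0 -or -not $enum.sNames) { continue }
            foreach ($name in $enum.sNames) {
                [pscustomobject]@{
                    ComputerName = $computer
                    RegistryKey  = $label
                    Name         = $name
                    Value        = $reg.GetExpandedStringValue($HKLM, $Keys[$label], $name).sValue
                }
            }
        }
    }
}

function Compare-AutorunSnapshot {
    # Returns rows that are in $Current but not in $Baseline (new or changed autoruns).
    param([object[]]$Baseline, [object[]]$Current)
    $props = 'ComputerName', 'RegistryKey', 'Name', 'Value'
    Compare-Object $Baseline $Current -Property $props |
        Where-Object SideIndicator -eq '=>' | Select-Object $props
}
# Constructed sample snapshots, so the comparison can be tried without remote hosts.
$previous = ConvertFrom-Csv @'
ComputerName,RegistryKey,Name,Value
us-it-example01,Run,SampleTray,"C:\Program Files\Sample\tray.exe"
'@
$current = ConvertFrom-Csv @'
ComputerName,RegistryKey,Name,Value
us-it-example01,Run,SampleTray,"C:\Program Files\Sample\tray.exe"
us-it-example01,RunOnce,SampleSetup,"C:\Users\Public\setup.exe /quiet, /norestart"
'@
Compare-AutorunSnapshot $previous $current
```

For the weekly run, pipe `Get-AutorunValue` into `Export-Csv -NoTypeInformation` and pass last week's and this week's files to the comparison through `Import-Csv`.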