It works well, but I'm going to have to modify it slightly. The Value of some of the values (?!? - heh) uses a comma, so the standard CSV format isn't working well. I think I'll work on it to use a semi-colon instead.
Shouldn't be too hard. Thanks again.

Kurt

On Fri, Mar 20, 2015 at 1:25 PM, Kelley, Matthew <kelle...@med.umich.edu> wrote:
> That was the first version I sent, but it looks like the email added in extra
> line breaks! Glad to hear you got it working.
>
> -----Original Message-----
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Kurt Buff
> Sent: Friday, March 20, 2015 4:11 PM
> To: powershell@lists.myitforum.com
> Subject: Re: [powershell] Scripting registry queries
>
> Matt,
>
> I took this, and formatted it so that the statements that begin with foreach
> are a single line - got rid of the backticks.
>
> It worked like a champ.
>
> That's really nice - thank you very much.
>
> Kurt
>
> On Fri, Mar 20, 2015 at 12:48 PM, Kelley, Matthew <kelle...@med.umich.edu>
> wrote:
>> No, that didn't work. Here, I put in some line breaks and this works.
>> Hopefully this is chopped up enough for you:
>>
>> $Computers = get-adcomputer -filter { name -like "us-it*" } | select
>> Name
>>
>> #put column names on csv file
>> Out-File c:\windows\temp\RegValues.csv -InputObject
>> "ComputerName,RegistryKey,Name,Value" -Append
>>
>> foreach($computer in $Computers.Name)
>> {
>>
>> $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>> foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion
>> \Run")).sNames)
>> {"$($computer),Run,$($name)," + `
>>
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\
>> CurrentVersion\Run",$name)).sValue) ` | Out-File
>> c:\temp\RegValues.csv -Append} foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\Cu
>> rrentVersion\Run")).sNames)
>> {"$($computer),x64Run,$($name)," + `
>>
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros
>> oft\Windows\CurrentVersion\Run",$name)).sValue) ` | Out-File
>> c:\temp\RegValues.csv -Append} foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion
>> \RunOnce")).sNames) {"$($computer),RunOnce,$($name)," + `
>>
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\
>> CurrentVersion\RunOnce",$name)).sValue) ` | Out-File
>> c:\temp\RegValues.csv -Append} foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\Cu
>> rrentVersion\RunOnce")).sNames) {"$($computer),x64RunOnce,$($name),"
>> + `
>>
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micros
>> oft\Windows\CurrentVersion\RunOnce",$name)).sValue) ` | Out-File
>> c:\temp\RegValues.csv -Append}
>>
>> }
>>
>>
>> -----Original Message-----
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kelley, Matthew
>> Sent: Friday, March 20, 2015 3:39 PM
>> To: 'powershell@lists.myitforum.com'
>> Subject: RE: [powershell] Scripting registry queries
>>
>> Try this. You need the escape character to break lines.. `
>>
>> $Computers = get-adcomputer -filter { name -like "us-it*" } | select
>> Name
>>
>> #put column names on csv file
>> Out-File c:\temp\RegValues.csv -InputObject
>> "ComputerName,RegistryKey,Name,Value" -Append
>>
>> foreach($computer in $Computers.Name)
>> {
>> $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>>
>> foreach($name in `
>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion
>> \Run")).sNames){"$($computer),Run,$($name)," ` +
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\
>> `
>> CurrentVersion\Run",$name)).sValue) `
>> | Out-File c:\windows\temp\RegValues.csv -Append}
>>
>> foreach($name in `
>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\Cu
>> rrentVersion\Run")).sNames){"$($computer),x64Run,$($name)," `
>> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micr
>> + os
>> + `
>> oft\Windows\CurrentVersion\Run",$name)).sValue) `
>> | Out-File c:\windows\temp\RegValues.csv -Append}
>>
>> foreach($name in `
>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion
>> \RunOnce")).sNames){"$($computer),RunOnce,$($name)," `
>> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Window
>> + s\
>> + `
>> CurrentVersion\RunOnce",$name)).sValue) `
>> | Out-File c:\windows\temp\RegValues.csv -Append}
>>
>> foreach($name in `
>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\Cu
>> rrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name)," `
>> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micr
>> + os
>> + `
>> oft\Windows\CurrentVersion\RunOnce",$name)).sValue) `
>> | Out-File c:\windows\temp\RegValues.csv -Append}
>> }
>>
>> -----Original Message-----
>> From: listsad...@lists.myitforum.com
>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>> Sent: Friday, March 20, 2015 3:32 PM
>> To: powershell@lists.myitforum.com
>> Subject: Re: [powershell] Scripting registry queries
>>
>> Matt,
>>
>> The only output I get from your script is the column headers, and no errors.
>> I've copied it below, reformatted slightly, for my own comprehension - so I
>> might have munged it somehow in the copying to my PS ISE session. (Of
>> course, I changed it to C:\temp instead of C:\Windows\Temp).
>>
>> $Computers = get-adcomputer -filter { name -like "us-it*" } | select
>> Name
>>
>> #put column names on csv file
>> Out-File c:\temp\RegValues.csv -InputObject
>> "ComputerName,RegistryKey,Name,Value" -Append
>>
>> foreach($computer in $Computers.Name)
>> {
>> $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>>
>> foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),Run,$($name),"
>> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Window
>> + s\
>> + CurrentVersion\Run",$name)).sValue)
>> | Out-File c:\windows\temp\RegValues.csv -Append}
>>
>> foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),x64Run,$($name),"
>> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micr
>> + os
>> + oft\Windows\CurrentVersion\Run",$name)).sValue)
>> | Out-File c:\windows\temp\RegValues.csv -Append}
>>
>> foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),RunOnce,$($name),"
>> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Window
>> + s\
>> + CurrentVersion\RunOnce",$name)).sValue)
>> | Out-File c:\windows\temp\RegValues.csv -Append}
>>
>> foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name),"
>> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micr
>> + os
>> + oft\Windows\CurrentVersion\RunOnce",$name)).sValue)
>> | Out-File c:\windows\temp\RegValues.csv -Append}
>> }
>>
>> On Fri, Mar 20, 2015 at 9:53 AM, Kelley, Matthew <kelle...@med.umich.edu>
>> wrote:
>>> I understand. Give this a shot:
>>>
>>>
>>> $Computers = get-adcomputer -filter { name -like "us-it*" } | select
>>> Name
>>>
>>> #put column names on csv file
>>> Out-File c:\windows\temp\RegValues.csv -InputObject
>>> "ComputerName,RegistryKey,Name,Value" -Append
>>>
>>> foreach($computer in $Computers.Name) {
>>>
>>> $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>>> foreach($name in
>>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersio
>>> n \Run")).sNames){"$($computer),Run,$($name)," +
>>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows
>>> \
>>> CurrentVersion\Run",$name)).sValue) | Out-File
>>> c:\windows\temp\RegValues.csv -Append} foreach($name in
>>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\C
>>> u rrentVersion\Run")).sNames){"$($computer),x64Run,$($name)," +
>>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micro
>>> s
>>> oft\Windows\CurrentVersion\Run",$name)).sValue) | Out-File
>>> c:\windows\temp\RegValues.csv -Append} foreach($name in
>>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersio
>>> n \RunOnce")).sNames){"$($computer),RunOnce,$($name)," +
>>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows
>>> \
>>> CurrentVersion\RunOnce",$name)).sValue) | Out-File
>>> c:\windows\temp\RegValues.csv -Append} foreach($name in
>>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\C
>>> u rrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name),"
>>> +
>>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micro
>>> s
>>> oft\Windows\CurrentVersion\RunOnce",$name)).sValue) | Out-File
>>> c:\windows\temp\RegValues.csv -Append} }
>>>
>>> When you open the csv with excel you will have to use the text to columns
>>> tool on the ribbon...
>>>
>>> I also changed the output path to windows\temp - just for testing on my
>>> machine. Works decent. Good luck!
>>>
>>> Matt
>>>
>>> -----Original Message-----
>>> From: listsad...@lists.myitforum.com
>>> [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
>>> Sent: Friday, March 20, 2015 12:04 PM
>>> To: powershell@lists.myitforum.com
>>> Subject: Re: [powershell] Scripting registry queries
>>>
>>> Responses in-line...
>>>
>>> On Fri, Mar 20, 2015 at 5:37 AM, Kelley, Matthew <kelle...@med.umich.edu>
>>> wrote:
>>>> Is this a one-time data capture, or something you need to do on a
>>>> recurring basis?
>>>
>>> Recurring, minimum once a week.
>>>
>>>> Do you have any systems management software, like SCCM, in your
>>>> environment?
>>>
>>> We have no systems management software, though we have an EA
>>> agreement (my manager doesn't like SCCM - I have no experience with
>>> it, though I'd love to get my hands dirty with it, and with SCOM, but
>>> we do have PRTG, which would get very expensive if we tried to
>>> monitor workstations with it.)
>>>
>>>> If not, do your machines run a startup script through Group Policies?
>>>> The best solution would be SCCM or something similar, where you can
>>>> easily inventory registry keys and wmi data. Second best would be a
>>>> logon or shutdown script that mines this data and writes it to a
>>>> network share that your computer accounts (domain computers in AD)
>>>> have write permissions on.
>>>
>>> We have lots of people who never log off or shut down their machines,
>>> except when we patch (me included!). It will be better (IMHO) to have all
>>> of this gathered and processed in a more controlled fashion.
>>>
>>>> Then you would just need a script to compile all these results into
>>>> whatever format you want for viewing, like an excel spreadsheet.
>>>> Having one machine open connections to all other machines in your
>>>> environment is cumbersome, but it will work if some of the other
>>>> options are unavailable, or if this is just a one-time event.
>>>
>>> I'm intent on building a management station, as a counterpart to our
>>> SecurityOnion installation. It'll be performing some other tasks as well -
>>> this is just the first step.
>>>
>>> BTW - if you're interested, the SANS webcast (which requires free
>>> registration) is here:
>>> https://www.sans.org/webcasts/seamless-continuous-monitoring-defend-organization-cyber-attacks-99472
>>>
>>> Kurt
>>>
>>>
>>> ================================================
>>> Did you know you can also post and find answers on PowerShell in the forums?
>>> http://www.myitforum.com/forums/default.asp?catApp=1
>>>
>>> **********************************************************
>>> Electronic Mail is not secure, may not be read every day, and should
>>> not be used for urgent or sensitive issues
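
The comma problem raised at the top of this thread comes from building each CSV row by string concatenation; emitting objects and letting ConvertTo-Csv/Export-Csv quote the fields keeps the comma delimiter usable. This is an added example, not code from the thread: the helper name Get-RunKeyEntry, the computer name and the sample row are assumptions, and the sample row is constructed.

```powershell
# Added example (not from the thread). Get-RunKeyEntry is a hypothetical helper name.
$HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE, the same constant the thread uses

# Label -> subkey, using the same labels the thread's script writes.
$RunKeys = [ordered]@{
    Run        = 'Software\Microsoft\Windows\CurrentVersion\Run'
    x64Run     = 'Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run'
    RunOnce    = 'Software\Microsoft\Windows\CurrentVersion\RunOnce'
    x64RunOnce = 'Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce'
}

function Get-RunKeyEntry {
    param([Parameter(Mandatory)][string]$ComputerName)
    $wmi = [wmiclass]"\\$ComputerName\root\default:StdRegProv"
    foreach ($label in $RunKeys.Keys) {
        # sNames is $null when the key is missing or has no values
        $names = $wmi.EnumValues($HKLM, $RunKeys[$label]).sNames
        foreach ($name in @($names | Where-Object { $_ })) {
            [pscustomobject]@{
                ComputerName = $ComputerName
                RegistryKey  = $label
                Name         = $name
                Value        = $wmi.GetExpandedStringValue($HKLM, $RunKeys[$label], $name).sValue
            }
        }
    }
}

# Constructed sample row: a value that itself contains commas and quotes.
$sample = [pscustomobject]@{
    ComputerName = 'us-it-example01'
    RegistryKey  = 'Run'
    Name         = 'ExampleApp'
    Value        = 'rundll32.exe "C:\Example\app.dll",Start,1'
}

# Hand-built row: the commas inside Value create extra columns.
$naive = "$($sample.ComputerName),$($sample.RegistryKey),$($sample.Name),$($sample.Value)"
"Naive row splits into $(($naive -split ',').Count) fields"

# ConvertTo-Csv/Export-Csv quote every field and double embedded quotes.
$csv  = $sample | ConvertTo-Csv -NoTypeInformation
$back = $csv | ConvertFrom-Csv
"Round trip keeps Value intact: $($back.Value -eq $sample.Value)"

# Live use against AD (needs the ActiveDirectory module and remote WMI access):
# Get-ADComputer -Filter 'Name -like "us-it*"' | ForEach-Object { Get-RunKeyEntry $_.Name } |
#     Export-Csv C:\temp\RegValues.csv -NoTypeInformation
```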