Hi, I've got something similar at work for years now.
You should split this into 2 main parts:
1. the script that will run on clients and that will query the registry
2. the script "engine" that will open sessions on remote computers with a foreach loop and do for each target computer:
   Invoke-Command -ComputerName $target -FilePath .\myclientscript.ps1 -Credential $c

Once you've done that and it works, you can work on the performance of these two scripts.
1. For the client script, the faster it executes, the better. Keep also in mind that the less output it has, the less data it has to send back through the remoting session, and the faster it will be. I'm using whitelists inside the script to filter known and expected things.
2. I'm splitting operations in the engine into very atomic tasks to achieve great performance. I don't rely on built-in cmdlets to test if I can remote in. What I'm using is explained in this post: https://p0w3rsh3ll.wordpress.com/2012/11/26/revisiting-test-port-using-a-powershell-worflow/

I'd recommend reading all the articles written during the 2 weeks about security on PowerShell Magazine: http://www.powershellmagazine.com/tag/security/

In my article there's a link to a private gist where the script scans for the same launch points as autoruns.exe from Sysinternals does: http://www.powershellmagazine.com/2014/07/17/live-incident-response-with-powershell/

/Emin

On Fri, Mar 20, 2015 at 3:35 AM, Kurt Buff <[email protected]> wrote:
> All,
>
> I'm cobbling together a script to pull registry entries from the machines domain-wide (Run and RunOnce, including from the Wow6432node tree). If someone can help with this, I'd much appreciate it. (FYI, I got the idea from a SANS webcast on proactive security monitoring, but the example script they showed used "reg query" statements, which seems really out of date - I figured it would be good practice for me to re-write it in PS.)
>
> I've got two problems:
>
> o- It seems really inefficient currently, as I poll each machine 4 times. I'd like to be able to collapse it down to a single poll per machine.
>
> o- I can't seem to pull data from either of the RunOnce keys. The variables are empty, and I get a zero-length CSV file for each of them at the end. I get no error message in the output, either.
>
> Script is below - there are 4 main stanzas, each with 4 lines, each line beginning with:
> $variable
> Set-Location
> Get-Item
> $variable
>
> Thanks,
>
> Kurt
>
> ----------Begin Script----------
> Push-Location
>
> $Computers = get-adcomputer -filter { name -like "us-it*" } | select -expandproperty dnshostname
>
> $RunValues = $Computers | foreach-object { invoke-command -computername $_ -scriptblock {
>     Set-Location 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
>     Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
>         New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} } } }
> $RunValues | select pscomputername, property, value | export-csv c:\temp\RunKey.csv
>
> $RunWowValues = $Computers | foreach-object { invoke-command -computername $_ -scriptblock {
>     Set-Location 'HKLM:\Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run'
>     Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
>         New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} } } }
> $RunWowValues | select pscomputername, property, value | export-csv c:\temp\RunWowKey.csv
>
> $RunOnceValues = $Computers | foreach-object { invoke-command -computername $_ -scriptblock {
>     Set-Location 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
>     Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
>         New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} } } }
> $RunOnceValues | select pscomputername, property, value | export-csv c:\temp\RunOnceKey.csv
>
> $RunOnceWowValues = $Computers | foreach-object { invoke-command -computername $_ -scriptblock {
>     Set-Location 'HKLM:\Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce'
>     Get-Item . | Select-Object -ExpandProperty property | ForEach-Object {
>         New-Object psobject -Property @{"property"=$_;"Value" = (Get-ItemProperty -Path . -Name $_).$_} } } }
> $RunOnceWowValues | select pscomputername, property, value | export-csv c:\temp\RunOnceWowKey.csv
>
> Pop-Location
> ----------End Script---------
>
>
> ================================================
> Did you know you can also post and find answers on PowerShell in the forums?
> http://www.myitforum.com/forums/default.asp?catApp=1
>
> ================================================
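The split Emin describes (a small client script that runs on each target, and an engine that drives the remoting), worked through as an added example; this is not Emin's script, not Kurt's, and not the gist linked above. The file name Get-AutostartEntries.ps1, the whitelist entries, the 5985 port check and the output path are assumptions made for the example; the "us-it*" computer filter is taken from Kurt's script. The client script reads all four Run/RunOnce launch points in a single remoting round-trip, tags each value with the key it came from so one CSV replaces four, filters a whitelist before anything leaves the client, and skips keys that are absent or empty (RunOnce entries are deleted once they have run, so that key is commonly empty, which produces no error and no output).

```powershell
# ---- Get-AutostartEntries.ps1 : the "client" script, runs on each target ----
# Assumed file name. Invoke-Command -FilePath ships this script to the remote
# session; every object it emits comes back tagged with PSComputerName.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Constructed whitelist of value names you already know and expect. Dropping
# them here, on the client, is what keeps the remoting payload small.
$knownGood = @('SecurityHealth', 'VMware User Process')

foreach ($key in $keys) {
    # Absent key (common for RunOnce, and for Wow6432Node on 32-bit hosts):
    # skip it instead of raising an error that would travel back to the engine.
    if (-not (Test-Path -Path $key)) { continue }

    $item = Get-Item -Path $key          # a Microsoft.Win32.RegistryKey
    foreach ($name in $item.GetValueNames()) {
        if ($knownGood -contains $name) { continue }
        [pscustomobject]@{
            Key      = $key
            Property = $name
            Value    = $item.GetValue($name)
        }
    }
}
```

```powershell
# ---- Invoke-AutostartSweep.ps1 : the "engine", runs on the admin workstation ----
$computers = Get-ADComputer -Filter { Name -like "us-it*" } |
    Select-Object -ExpandProperty DNSHostName

# Cheap reachability test before paying for a full WS-Man session: a raw TCP
# connect to the WinRM HTTP port (5985 assumed; use 5986 for HTTPS listeners)
# with a 500 ms timeout, instead of a built-in cmdlet. Unreachable hosts are
# recorded so the sweep report shows coverage gaps, not just findings.
$reachable   = @()
$unreachable = @()
foreach ($computer in $computers) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($computer, 5985, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(500) -and $client.Connected) {
            $reachable += $computer
        } else {
            $unreachable += $computer
        }
    } catch {
        $unreachable += $computer
    } finally {
        $client.Close()
    }
}

# One round-trip per machine instead of four. Passing the whole array to
# -ComputerName lets Invoke-Command fan out in parallel (32 hosts at a time by
# default, tunable with -ThrottleLimit) rather than looping serially.
$c = Get-Credential
$results = Invoke-Command -ComputerName $reachable `
                          -FilePath .\Get-AutostartEntries.ps1 `
                          -Credential $c `
                          -ErrorAction SilentlyContinue

$results |
    Select-Object PSComputerName, Key, Property, Value |
    Export-Csv -Path C:\temp\Autostart.csv -NoTypeInformation

# Hosts the sweep could not reach, kept alongside the findings.
$unreachable | Set-Content -Path C:\temp\Autostart-unreachable.txt
```

Usage: save the first block next to the second and run the engine from a workstation with RSAT and WinRM access to the targets. Because the client script emits objects rather than text, the Key column is what distinguishes the four launch points in the single CSV, and a baseline diff of that CSV between sweeps is the cheapest way to spot a new autostart entry.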
