That was the first version I sent, but it looks like the email added in extra 
line breaks! Glad to hear you got it working.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Kurt Buff
Sent: Friday, March 20, 2015 4:11 PM
To: [email protected]
Subject: Re: [powershell] Scripting registry queries

Matt,

I took this, and formatted it so that the statements that begin with foreach 
are a single line - got rid of the backticks.

It worked like a champ.

That's really nice - thank you very much.

Kurt

On Fri, Mar 20, 2015 at 12:48 PM, Kelley, Matthew <[email protected]> 
wrote:
> No, that didn't work. Here, I put in some line breaks and this works. 
> Hopefully this is chopped up enough for you:
>
> $Computers = get-adcomputer -filter { name -like "us-it*" } | select Name
>
> #put column names on csv file
> Out-File c:\temp\RegValues.csv -InputObject "ComputerName,RegistryKey,Name,Value" -Append
>
> foreach($computer in $Computers.Name)
> {
>
>  #2147483650 is HKEY_LOCAL_MACHINE
>  $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>
>  foreach($name in ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run")).sNames)
>  {"$($computer),Run,$($name)," + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run",$name)).sValue) | Out-File c:\temp\RegValues.csv -Append}
>
>  foreach($name in ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run")).sNames)
>  {"$($computer),x64Run,$($name)," + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run",$name)).sValue) | Out-File c:\temp\RegValues.csv -Append}
>
>  foreach($name in ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce")).sNames)
>  {"$($computer),RunOnce,$($name)," + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce",$name)).sValue) | Out-File c:\temp\RegValues.csv -Append}
>
>  foreach($name in ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce")).sNames)
>  {"$($computer),x64RunOnce,$($name)," + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce",$name)).sValue) | Out-File c:\temp\RegValues.csv -Append}
>
> }
>
>
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Kelley, Matthew
> Sent: Friday, March 20, 2015 3:39 PM
> To: '[email protected]'
> Subject: RE: [powershell] Scripting registry queries
>
> Try this. You need the escape character to break lines.. `
>
> $Computers = get-adcomputer -filter { name -like "us-it*" } | select 
> Name
>
> #put column names on csv file
> Out-File c:\temp\RegValues.csv -InputObject 
> "ComputerName,RegistryKey,Name,Value" -Append
>
> foreach($computer in $Computers.Name)
> {
>  $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>
>  foreach($name in `
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion
> \Run")).sNames){"$($computer),Run,$($name)," `  + 
> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows\ 
> `
>  CurrentVersion\Run",$name)).sValue) `
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in `
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\Cu
> rrentVersion\Run")).sNames){"$($computer),x64Run,$($name)," `
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micr
> + os
> + `
>  oft\Windows\CurrentVersion\Run",$name)).sValue) `
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in `
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion
> \RunOnce")).sNames){"$($computer),RunOnce,$($name)," `
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Window
> + s\
> + `
>  CurrentVersion\RunOnce",$name)).sValue) `
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in `
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\Cu
> rrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name)," `
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micr
> + os
> + `
>  oft\Windows\CurrentVersion\RunOnce",$name)).sValue) `
> | Out-File c:\windows\temp\RegValues.csv -Append}
>  }
>
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Friday, March 20, 2015 3:32 PM
> To: [email protected]
> Subject: Re: [powershell] Scripting registry queries
>
> Matt,
>
> The only output I get from your script is the column headers, and no errors. 
> I've copied it below, reformatted slightly, for my own comprehension - so I 
> might have munged it somehow in the copying to my PS ISE session. (Of course, 
> I changed it to C:\temp instead of C:\Windows\Temp).
>
> $Computers = get-adcomputer -filter { name -like "us-it*" } | select 
> Name
>
> #put column names on csv file
> Out-File c:\temp\RegValues.csv -InputObject 
> "ComputerName,RegistryKey,Name,Value" -Append
>
> foreach($computer in $Computers.Name)
> {
>  $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>
>  foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),Run,$($name),"
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Window
> + s\
> + CurrentVersion\Run",$name)).sValue)
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run")).sNames){"$($computer),x64Run,$($name),"
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micr
> + os
> + oft\Windows\CurrentVersion\Run",$name)).sValue)
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),RunOnce,$($name),"
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Window
> + s\
> + CurrentVersion\RunOnce",$name)).sValue)
> | Out-File c:\windows\temp\RegValues.csv -Append}
>
>  foreach($name in
> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name),"
> + $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micr
> + os
> + oft\Windows\CurrentVersion\RunOnce",$name)).sValue)
> | Out-File c:\windows\temp\RegValues.csv -Append}
>  }
>
> On Fri, Mar 20, 2015 at 9:53 AM, Kelley, Matthew <[email protected]> 
> wrote:
>> I understand. Give this a shot:
>>
>>
>> $Computers = get-adcomputer -filter { name -like "us-it*" } | select 
>> Name
>>
>> #put column names on csv file
>> Out-File c:\windows\temp\RegValues.csv -InputObject 
>> "ComputerName,RegistryKey,Name,Value" -Append
>>
>> foreach($computer in $Computers.Name) {
>>
>>  $wmi=[wmiclass]"\\$($computer)\root\default:stdRegProv"
>>  foreach($name in
>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersio
>> n \Run")).sNames){"$($computer),Run,$($name)," + 
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows
>> \
>> CurrentVersion\Run",$name)).sValue) | Out-File 
>> c:\windows\temp\RegValues.csv -Append}  foreach($name in 
>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\C
>> u rrentVersion\Run")).sNames){"$($computer),x64Run,$($name)," + 
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micro
>> s
>> oft\Windows\CurrentVersion\Run",$name)).sValue) | Out-File 
>> c:\windows\temp\RegValues.csv -Append}  foreach($name in 
>> ($wmi.EnumValues(2147483650,"Software\Microsoft\Windows\CurrentVersio
>> n \RunOnce")).sNames){"$($computer),RunOnce,$($name)," + 
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Microsoft\Windows
>> \
>> CurrentVersion\RunOnce",$name)).sValue) | Out-File 
>> c:\windows\temp\RegValues.csv -Append}  foreach($name in 
>> ($wmi.EnumValues(2147483650,"Software\Wow6432node\Microsoft\Windows\C
>> u rrentVersion\RunOnce")).sNames){"$($computer),x64RunOnce,$($name)," 
>> + 
>> $(($wmi.GetExpandedStringValue(2147483650,"Software\Wow6432node\Micro
>> s
>> oft\Windows\CurrentVersion\RunOnce",$name)).sValue) | Out-File 
>> c:\windows\temp\RegValues.csv -Append}  }
>>
>> When you open the csv with excel you will have to use the text to columns 
>> tool on the ribbon...
>>
>> I also changed the output path to windows\temp - just for testing on my 
>> machine. Works decent. Good luck!
>>
>> Matt
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Kurt Buff
>> Sent: Friday, March 20, 2015 12:04 PM
>> To: [email protected]
>> Subject: Re: [powershell] Scripting registry queries
>>
>> Responses in-line...
>>
>> On Fri, Mar 20, 2015 at 5:37 AM, Kelley, Matthew <[email protected]> 
>> wrote:
>>> Is this a one-time data capture, or something you need to do on a 
>>> recurring basis?
>>
>> Recurring, minimum once a week.
>>
>>> Do you have any systems management software, like SCCM, in your 
>>> environment?
>>
>> We have no systems management software, though we have an EA 
>> agreement (my manager doesn't like SCCM - I have no experience with 
>> it, though I'd love to get my hands dirty with it, and with SCOM, but 
>> we do have PRTG, which would get very expensive if we tried to 
>> monitor workstations with it.)
>>
>>> If not, do your machines run a startup script through Group Policies?
>>> The best solution would be SCCM or something similar, where you can 
>>> easily inventory registry keys and wmi data. Second best would be a 
>>> logon or shutdown script that mines this data and writes it to a 
>>> network share that your computer accounts (domain computers in AD) 
>>> have write permissions on.
>>
>> We have lots of people who never log off or shut down their machines, except 
>> when we patch (me included!). It will be better (IMHO) to have all of this 
>> gathered and processed in a more controlled fashion.
>>
>>> Then you would just need  a script to compile all these results into 
>>> whatever format you want for viewing, like an excel spreadsheet.
>>> Having one machine open connections to all other machines in your 
>>> environment is cumbersome, but it will work if some of the other 
>>> options are unavailable, or if this is just a one-time event.
>>
>> I'm intent on building a management station, as a counterpart to our 
>> SecurityOnion installation. It'll be performing some other tasks as well - 
>> this is just the first step.
>>
>> BTW - if you're interested, the SANS webcast (which requires free
>> registration) is here:
>> https://www.sans.org/webcasts/seamless-continuous-monitoring-defend-organization-cyber-attacks-99472
>>
>> Kurt
>>
>>
>> ================================================
>> Did you know you can also post and find answers on PowerShell in the forums?
>> http://www.myitforum.com/forums/default.asp?catApp=1
>>
>> **********************************************************
>> Electronic Mail is not secure, may not be read every day, and should 
>> not be used for urgent or sensitive issues
>>

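An added example, not part of the thread or any poster's code: the same Run/RunOnce inventory written as a table-driven loop, so no statement is long enough to be broken by mail wrapping. Export-Csv quotes values that contain commas, and unreachable hosts are recorded as rows. The output path and the ERROR row convention are assumptions.

```powershell
# Added example. Requires the ActiveDirectory module and remote WMI access.
$HKLM    = 2147483650                 # HKEY_LOCAL_MACHINE, same constant as in the thread
$OutFile = 'C:\temp\RegValues.csv'    # assumed output path

# Label -> subkey, using the same labels as the thread's CSV
$Keys = [ordered]@{
    Run        = 'Software\Microsoft\Windows\CurrentVersion\Run'
    x64Run     = 'Software\Wow6432node\Microsoft\Windows\CurrentVersion\Run'
    RunOnce    = 'Software\Microsoft\Windows\CurrentVersion\RunOnce'
    x64RunOnce = 'Software\Wow6432node\Microsoft\Windows\CurrentVersion\RunOnce'
}

$Computers = Get-ADComputer -Filter { Name -like "us-it*" } |
    Select-Object -ExpandProperty Name

$Rows = foreach ($Computer in $Computers) {
    try {
        $Reg = [wmiclass]"\\$Computer\root\default:StdRegProv"
    } catch {
        # Record unreachable hosts instead of silently skipping them
        [pscustomobject]@{ ComputerName = $Computer; RegistryKey = 'ERROR'
                           Name = ''; Value = $_.Exception.Message }
        continue
    }
    foreach ($Label in $Keys.Keys) {
        $Enum = $Reg.EnumValues($HKLM, $Keys[$Label])
        if (-not $Enum.sNames) { continue }    # key missing or empty
        for ($i = 0; $i -lt $Enum.sNames.Count; $i++) {
            $Name = $Enum.sNames[$i]
            # EnumValues also returns Types: 1 = REG_SZ, 2 = REG_EXPAND_SZ
            $Value = if ($Enum.Types[$i] -eq 2) {
                $Reg.GetExpandedStringValue($HKLM, $Keys[$Label], $Name).sValue
            } else {
                $Reg.GetStringValue($HKLM, $Keys[$Label], $Name).sValue
            }
            [pscustomobject]@{ ComputerName = $Computer; RegistryKey = $Label
                               Name = $Name; Value = $Value }
        }
    }
}

# One write at the end; fields are quoted, so command lines with commas stay in one column
$Rows | Export-Csv -Path $OutFile -NoTypeInformation
```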
