Friday, September 14, 2018

Windows 7 / 10 Remote Troubleshooting Methods with Scripts

Here are some scripts and methods for remote troubleshooting, or simply for running commands on remote machines. I have found them very useful in an enterprise environment where you hold a Domain Admin account.

Prerequisites to run remote commands

  • Install .NET Framework 4.5.2 from \\shareserver\it\$Install\Scripting prerequisites\NDP452-KB2901907-x86-x64-AllOS-ENU.exe
    • or from https://www.microsoft.com/en-ca/download/details.aspx?id=42642
  • Install Windows Management Framework 5.1:
    •  copy the folder \\shareserver\it\$Install\Scripting prerequisite\Windows Management Framework 5.1 to your C drive or download from https://docs.microsoft.com/en-us/powershell/wmf/5.1/install-configure
    •  Open PowerShell as an administrator, navigate into the directory on your C drive, and run the command
      • .\Install-Wmf.ps1
  • Install Microsoft Visual C++ 2017 redistributable from \\shareserver\it\$Install\Scripting prerequisite\VC_redist.x64.exe
    • Download from https://www.microsoft.com/en-us/download/details.aspx?id=52685
  • From a PowerShell prompt running as an administrator, set the execution policy so that local scripts can run:
    • Set-ExecutionPolicy RemoteSigned -Force
    • RemoteSigned is enough for the local .ps1 files used here and still blocks unsigned scripts that were downloaded from the internet; Set-ExecutionPolicy Unrestricted -Force (as used in the output further down) also works but removes that check for everything.
  • From a PowerShell prompt running as an administrator, run the command
    • winrm quickconfig
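Before running any of the scripts it is worth confirming the prerequisites above on the admin workstation. The following check is an added example and not part of the original post; it assumes Windows PowerShell and reads the registry keys the installers write (the .NET Release threshold 379893 is Microsoft's documented value for 4.5.2, and the VC\Runtimes\x64 key is the one the 2015-2019 Visual C++ redistributables register).

```powershell
# Added example: verify the scripting prerequisites on the admin workstation.
# Assumes Windows PowerShell; .NET Release values follow Microsoft's documented
# table (4.5.2 = 379893) and the VC redistributable key is the 2015-2019 one.

function Test-RemoteAdminPrereqs {
    [CmdletBinding()]
    param()

    $results = @()

    # 1. Windows Management Framework 5.1 ships PowerShell 5.1
    $psOk = $PSVersionTable.PSVersion -ge [Version]'5.1'
    $results += [pscustomobject]@{ Check = 'PowerShell 5.1+'; Pass = $psOk; Detail = $PSVersionTable.PSVersion.ToString() }

    # 2. .NET Framework 4.5.2 or later: Release DWORD under the NDP v4\Full key
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -Name Release -ErrorAction SilentlyContinue
    $netOk = ($ndp -ne $null) -and ($ndp.Release -ge 379893)
    $results += [pscustomobject]@{ Check = '.NET 4.5.2+'; Pass = $netOk; Detail = "Release=$($ndp.Release)" }

    # 3. Visual C++ 2015-2019 x64 runtime (Installed=1 under the VC\Runtimes key)
    $vc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64' -ErrorAction SilentlyContinue
    $vcOk = ($vc -ne $null) -and ($vc.Installed -eq 1)
    $results += [pscustomobject]@{ Check = 'VC++ x64 runtime'; Pass = $vcOk; Detail = "Version=$($vc.Version)" }

    # 4. Execution policy: RemoteSigned is enough to run local .ps1 files
    $pol = Get-ExecutionPolicy
    $polOk = $pol -in 'RemoteSigned', 'Unrestricted', 'Bypass'
    $results += [pscustomobject]@{ Check = 'Execution policy'; Pass = $polOk; Detail = $pol }

    # 5. WinRM service running and at least one listener configured (winrm quickconfig)
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    $winrmOk = ($winrm.Status -eq 'Running') -and ($listeners.Count -gt 0)
    $results += [pscustomobject]@{ Check = 'WinRM listener'; Pass = $winrmOk; Detail = "Service=$($winrm.Status), Listeners=$($listeners.Count)" }

    # 6. Elevated prompt (the scripts write to WSMan:\ and run PsExec as SYSTEM)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $results += [pscustomobject]@{ Check = 'Elevated'; Pass = $elevated; Detail = $id.Name }

    return $results
}

Test-RemoteAdminPrereqs | Format-Table -AutoSize
```

Every row should show Pass = True before the remote scripts are run; a False on the WinRM row means winrm quickconfig has not been completed on the workstation, and a False on Elevated means the prompt was not started with "Run as Administrator".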

Run Powershell as Administrator

Click Start, then type powershell in the search field. Right-click “Windows PowerShell”, then click “Run as Administrator” and enter your Domain Admin credentials.

You receive an elevated PowerShell command prompt window running with your Domain Admin credentials, which should have Administrator rights on any computer joined to the enterprise domain.

Within this window, change directory to C:\Scripting (the folder that holds the scripts and the PSTools subfolder, as in the output below).

Collect remote installed apps

1.    Run the command:
.\Get-InstalledApps.ps1
2.    You will be prompted for a computer name. Enter the target computer’s DNS name without the domain, e.g. testmachine1
3.    The script takes the following actions:
a.    Adds the target to your local WinRM TrustedHosts list (only needed when WinRM falls back to NTLM, e.g. for a workgroup host or an IP address; Kerberos to a domain-joined target does not consult TrustedHosts)
b.    Enables WinRM on the target computer by running winrm quickconfig through PsExec as SYSTEM
c.    Runs a Get-WmiObject Win32_Product query on the target computer over a PowerShell remoting session and outputs the list of installed applications to the screen. Note that enumerating Win32_Product makes Windows Installer validate (and if needed repair) every MSI package on the target, so it is slow and writes MsiInstaller events to the target’s Application log; it also lists only MSI-installed products.

4.    Verify the list of applications.

Here is the output:

PS C:\Scripting> .\Get-InstalledApps.ps1
.\Get-InstalledApps.ps1 : File C:\Scripting\Get-InstalledApps.ps1 cannot be loaded because running scripts is
disabled on this system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\Get-InstalledApps.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
PS C:\Scripting> Set-ExecutionPolicy Unrestricted -Force
PS C:\Scripting> .\Get-InstalledApps.ps1
Enter the target computer name: testmachine1

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.
winrm.cmd exited on sarefeen-l with error code 0.

Gathering information on installed apps, please wait...

Name
----

 Tools for .Net 3.5
Adobe Acrobat Reader DC
Adobe Refresh Manager
Amazon Redshift ODBC Driver 64-bit
Check Point VPN
Cisco AnyConnect Secure Mobility Client
Desktop Authority Computer Agent
Dolby Audio X2 Windows API SDK
Google Chrome
Google Update Helper
Java 7 Update 55
Java 8 Update 161 (64-bit)
Java Auto Updater
...



The content of Get-InstalledApps.ps1 is:
#Prompt for target computer name
$Target = Read-Host "Enter the target computer name"

#Modify local TrustedHosts. -Value on its own replaces the whole list; -Concatenate appends.
#Only consulted for NTLM connections (workgroup host or IP); Kerberos to a domain-joined target ignores it.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$Target" -Concatenate -Force

#Ensure WinRM is enabled on the target (winrm quickconfig run as SYSTEM over SMB via PsExec)
.\PSTools\psexec \\$Target -s winrm.cmd quickconfig -q

#Create remote session
$session = New-PSSession -ComputerName $Target

#Run command in remote session
#Win32_Product enumeration triggers an MSI consistency check of every package on the target,
#so this step is slow and logs MsiInstaller events there.
Write-Host " "
Write-Host "Gathering information on installed apps, please wait..." -ForegroundColor Yellow
Invoke-Command -Session $session -ScriptBlock { Get-WmiObject -Class Win32_Product | Sort-Object -Property Name | Format-Table Name }

#Clean up this session only (Remove-PSSession * would also close any unrelated sessions)
Remove-PSSession $session
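Because Win32_Product is slow, forces an MSI re-validation of every package on the target, and misses anything that was not installed by Windows Installer, the following added example (not from the original post) gathers the same inventory from the Uninstall registry keys over the same kind of PowerShell remoting session. It assumes the setup the post describes (Domain Admin context, WinRM already enabled on the target); the function name and parameters are mine.

```powershell
# Added example: inventory installed applications from the Uninstall registry
# keys over a PSSession instead of Win32_Product. Walks both the native and the
# WOW6432Node hive so 32-bit apps on 64-bit Windows are included, and closes only
# the session it opened. Function name and parameters are assumptions of this example.

function Get-RemoteInstalledApps {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Append to TrustedHosts only when WinRM must use NTLM (workgroup host or IP);
        # Kerberos to a domain-joined target does not consult TrustedHosts.
        [switch] $AddToTrustedHosts
    )

    if ($AddToTrustedHosts) {
        $current  = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        $existing = @(($current -split ',') | ForEach-Object { $_.Trim() })
        if ($existing -notcontains $ComputerName) {
            # -Concatenate appends; -Value alone would replace the whole list
            Set-Item WSMan:\localhost\Client\TrustedHosts -Value $ComputerName -Concatenate -Force
        }
    }

    $session = New-PSSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        Invoke-Command -Session $session -ScriptBlock {
            $paths = @(
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
            )
            # Entries without a DisplayName, or flagged SystemComponent, are hidden
            # from Programs and Features and are skipped here too.
            Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
                ForEach-Object {
                    [pscustomobject]@{
                        Name        = $_.DisplayName
                        Version     = $_.DisplayVersion
                        Publisher   = $_.Publisher
                        InstallDate = $_.InstallDate
                        Uninstall   = $_.UninstallString
                    }
                }
        } | Sort-Object -Property Name -Unique
    }
    finally {
        # Close only the session this function created
        Remove-PSSession $session
    }
}

# Usage, with the test machine name from the post:
# Get-RemoteInstalledApps -ComputerName testmachine1 | Format-Table Name, Version, Publisher -AutoSize
```

The UninstallString column is useful when triaging a machine: an entry whose uninstaller points into a user profile or a temp folder deserves a closer look than one under Program Files.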



Scan Remote Computer by Symantec Endpoint Protection

1.    Run the command:
.\Scan-RemoteComputer.ps1
2.    You will be prompted for a computer name. Enter the target computer’s DNS name without the domain, e.g. testmachine1
3.    The script takes the following actions:
a.    Adds the target to your local WinRM TrustedHosts list (only needed when WinRM falls back to NTLM; Kerberos to a domain-joined target does not use it)
b.    Enables WinRM on the target computer by running winrm quickconfig through PsExec as SYSTEM
c.    Runs a psexec command that starts a Symantec Endpoint Protection scan (doscan.exe) on the target computer as SYSTEM; psexec blocks until the scan process exits
d.    When the scan is complete, displays the location of the log file(s) on the remote computer
4.    Connect to the remote computer by browsing to the target computer’s C drive (e.g. \\testmachine1\c$) in File Explorer. When prompted for credentials, enter your Domain Admin credentials.

5.    Copy the log file to your computer for analysis.


PS C:\Scripting> .\Scan-RemoteComputer.ps1
Enter the target computer name: testmachine1

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.
winrm.cmd exited on testmachine1 with error code 0.
Scan is starting on testmachine1 (all drives, all files). This will take a while to complete! Do not close this window.

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com







The content of Scan-RemoteComputer.ps1 is:

#Prompt for target computer name
$Target = Read-Host "Enter the target computer name"

#Modify local TrustedHosts (-Concatenate appends instead of replacing the list)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$Target" -Concatenate -Force

#Ensure WinRM is enabled on the target
.\PSTools\psexec \\$Target -s winrm.cmd quickconfig -q

Write-Host "Scan is starting on $Target (all drives, all files). This will take a while to complete! Do not close this window." -ForegroundColor Yellow

#Run DoScan as SYSTEM on the target; psexec blocks until doscan.exe exits and returns its exit code
.\PSTools\psexec \\$Target -s "c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\doscan.exe" /C /ScanAllDrives

#Only report success when the remote process actually exited cleanly
if ($LASTEXITCODE -ne 0) {
    Write-Host "doscan.exe on $Target exited with code $LASTEXITCODE. Check that SEP is installed at the expected path." -ForegroundColor Red
} else {
    Write-Host "Scan on $Target is complete. Check the log file at \\$Target\c$\ProgramData\Symantec\Symantec Endpoint Protection\(version number)\Data\Logs\AV for results." -ForegroundColor Green
}
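Steps 4 and 5 above fetch the log by browsing the C$ admin share. As an added example (not part of the original post), the following function runs the scan the same way the script does, checks the exit code psexec relays back, then locates the newest AV log on the target and copies it over the existing WinRM session with Copy-Item -FromSession (available since PowerShell 5.0), so no SMB share browsing is needed. The SEP paths are the ones shown in the post; the version folder under ProgramData is discovered rather than hard-coded, and the function name, parameters and local destination folder are assumptions of this example.

```powershell
# Added example: run the SEP scan via psexec as in Scan-RemoteComputer.ps1, then
# retrieve the newest AV log over WinRM instead of browsing \\target\c$.
# Function name, parameters and the local destination folder are assumptions.

function Invoke-RemoteSepScan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $PsExecPath  = '.\PSTools\psexec.exe',
        [string] $DoScanPath  = 'c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\doscan.exe',
        [string] $LocalLogDir = "$env:USERPROFILE\Desktop\SEP-logs"
    )

    # psexec blocks until doscan.exe exits and passes its exit code on as $LASTEXITCODE
    & $PsExecPath "\\$ComputerName" -s $DoScanPath /C /ScanAllDrives
    $scanExit = $LASTEXITCODE
    if ($scanExit -ne 0) {
        throw "doscan.exe on $ComputerName exited with code $scanExit (is SEP installed at '$DoScanPath'?)"
    }

    $session = New-PSSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        # Find every "<version>\Data\Logs\AV" folder on the target and pick the newest log file
        $latestLog = Invoke-Command -Session $session -ScriptBlock {
            $base = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection'
            Get-ChildItem -Path $base -Directory -ErrorAction Stop |
                ForEach-Object { Join-Path $_.FullName 'Data\Logs\AV' } |
                Where-Object { Test-Path $_ } |
                Get-ChildItem -File |
                Sort-Object LastWriteTime -Descending |
                Select-Object -First 1 -ExpandProperty FullName
        }
        if (-not $latestLog) { throw "No AV log found under ProgramData on $ComputerName" }

        New-Item -ItemType Directory -Path $LocalLogDir -Force | Out-Null
        $dest = Join-Path $LocalLogDir ("{0}-{1}" -f $ComputerName, (Split-Path $latestLog -Leaf))

        # Copy through the WinRM session; no admin-share (SMB) access required
        Copy-Item -FromSession $session -Path $latestLog -Destination $dest
        return Get-Item $dest
    }
    finally {
        Remove-PSSession $session
    }
}

# Usage, with the test machine name from the post:
# Invoke-RemoteSepScan -ComputerName testmachine1
```

The copied file name is prefixed with the computer name so logs from several machines can be collected into one folder without overwriting each other.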




Run arbitrary commands on a remote computer

Within the elevated PowerShell window, change directory to C:\Scripting\PSTools:
-      cd\
-      cd .\Scripting\PSTools

PSTools can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/pstools

Run the command:
.\psexec \\(target computer name) cmd (e.g.: .\psexec \\testmachine1 cmd)

Note that the title bar of the PowerShell window changes to indicate the remote computer name and the name of the command you ran, and that the command prompt changes from PS C: to C:.

PS C:\Scripting> cd .\PSTools
PS C:\Scripting\PSTools> dir


    Directory: C:\Scripting\PSTools


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       29/09/2015  12:29 PM           7005 Eula.txt
-a----       20/06/2017  11:06 AM              0 psexec
-a----       29/09/2015  12:29 PM         396480 PsExec.exe
-a----       29/09/2015  12:29 PM         105264 psfile.exe
-a----       29/09/2015  12:29 PM         333176 PsGetsid.exe
-a----       29/09/2015  12:29 PM         390520 PsInfo.exe
-a----       29/09/2015  12:29 PM         468592 pskill.exe
-a----       29/09/2015  12:29 PM         232232 pslist.exe
-a----       29/09/2015  12:29 PM         183160 PsLoggedon.exe
-a----       29/09/2015  12:29 PM         178040 psloglist.exe
-a----       29/09/2015  12:29 PM         171608 pspasswd.exe
-a----       29/09/2015  12:29 PM         227520 psping.exe
-a----       29/09/2015  12:29 PM         169848 PsService.exe
-a----       29/09/2015  12:29 PM         207664 psshutdown.exe
-a----       29/09/2015  12:29 PM         187184 pssuspend.exe
-a----       29/09/2015  12:29 PM          66582 Pstools.chm
-a----       29/09/2015  12:29 PM             39 psversion.txt


PS C:\Scripting\PSTools> .\psexec \\testmachine1 cmd

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\windows\system32>hostname
testmachine1

C:\windows\system32>
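One caveat with psexec that a security team will care about: it copies PSEXESVC.exe to the target's ADMIN$ share and registers it as a temporary service, so every run writes a System log event 7045 ("A service was installed in the system") on the target, which is exactly what most SIEM and EDR rules for lateral movement key on. The following added example (not from the original post) runs a one-off command with psexec the way the post does, then uses WinRM to read back the 7045 event it just produced and to confirm the service was removed again. It assumes the PSTools folder layout from the post and a Domain Admin context; the function name and parameters are mine.

```powershell
# Added example: run a command through psexec (as in the post) and then audit
# the trace it leaves on the target: the 7045 service-install event for PSEXESVC
# and whether the temporary service is still present. Function name and
# parameters are assumptions of this example.

function Invoke-PsExecAudited {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Command,      # e.g. 'hostname' or 'ipconfig /all'
        [string] $PsExecPath = '.\PSTools\psexec.exe'
    )

    $started = Get-Date

    # -accepteula suppresses the licence dialog on first use. Without -s the
    # process runs as the calling (Domain Admin) account, like the post's cmd example.
    # psexec returns the remote process's exit code as its own.
    $output = & $PsExecPath "\\$ComputerName" -accepteula cmd /c $Command | Out-String
    $exit = $LASTEXITCODE

    # Read the service-install event(s) written on the target since we started
    $events = Invoke-Command -ComputerName $ComputerName -ArgumentList $started -ScriptBlock {
        param($since)
        Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                # 7045 carries ServiceName/ImagePath/AccountName as named EventData fields
                $x = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    ServiceName = $data['ServiceName']
                    ImagePath   = $data['ImagePath']
                    Account     = $data['AccountName']
                }
            } | Where-Object { $_.ServiceName -like 'PSEXESVC*' }
    }

    # psexec removes its service on disconnect; a leftover means an interrupted run
    $leftover = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-Service -Name 'PSEXESVC' -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        ComputerName    = $ComputerName
        ExitCode        = $exit
        Output          = $output.Trim()
        ServiceEvents   = $events
        ServiceLeftover = [bool]$leftover
    }
}

# Usage, against the test machine from the post:
# Invoke-PsExecAudited -ComputerName testmachine1 -Command 'hostname'
```

If the same 7045 query is run without the time filter it shows how often psexec has been used against that machine at all, which is a quick way to check whether the activity you see in a SIEM alert is your own troubleshooting or something else. For anything that WinRM can do, Invoke-Command is the quieter option: it leaves a remoting session rather than a service installation.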



Some other useful PowerShell commands
Get Windows DLL File Information / Version

PS C:\windows\system32> (get-item .\zipfldr.dll).versioninfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
6.1.7600.16385   6.1.7600.1638... C:\windows\system32\zipfldr.dll


PS C:\windows\system32>
PS C:\windows\system32> get-item .\zipfldr.dll


    Directory: C:\windows\system32


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       08/06/2018  12:21 PM         369664 zipfldr.dll


Or using vbs script:

PS C:\windows\system32> cscript .\versioninfo.vbs .\zipfldr.dll
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

6.1.7601.24168
PS C:\windows\system32> cscript //nologo .\versioninfo.vbs .\zipfldr.dll
6.1.7601.24168
PS C:\windows\system32>
PS C:\windows\system32> type .\versioninfo.vbs
set args = WScript.Arguments
Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Echo fso.GetFileVersion(args(0))
Wscript.Quit

PS C:\windows\system32> cscript //nologo .\versioninfo.vbs .\xolehlp.dll
2001.12.8530.16385
PS C:\windows\system32> (get-item .\xolehlp.dll).versioninfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
6.1.7600.16385   2001.12.8530.... C:\windows\system32\xolehlp.dll
PS C:\windows\system32>


The two methods really do differ. fso.GetFileVersion in the vbs script reads the fixed (binary) file version from the VS_FIXEDFILEINFO block of the DLL, whereas Get-Item’s VersionInfo.FileVersion and ProductVersion come from the string table of the version resource. That string table is often left untouched when a Windows system file is serviced, which is why zipfldr.dll shows a FileVersion string beginning 6.1.7600 (truncated by Format-Table) while the vbs script reports a binary version of 6.1.7601.24168; for xolehlp.dll the two agree. When verifying a patch level, use the binary version (the vbs script, or the FileVersionRaw property that Windows PowerShell 5.1 adds to VersionInfo), not the string.
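To make the comparison above repeatable across many files, here is an added example (not from the original post) that reports both values side by side and flags files where the string and the binary version disagree. It assumes Windows PowerShell 5.1, where VersionInfo carries the FileVersionRaw script property (WMF 5.1 is listed in the prerequisites above); on older versions it falls back to assembling the binary version from the FileMajorPart/FileMinorPart/FileBuildPart/FilePrivatePart fields, which is the same data the vbs script reads. The function name is mine.

```powershell
# Added example: compare the version string from the resource string table with the
# fixed (binary) file version that fso.GetFileVersion reads. Assumes Windows
# PowerShell 5.1 for FileVersionRaw, with a fallback for older versions.
# Function name is an assumption of this example.

function Get-DllVersionReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Path
    )
    process {
        foreach ($p in $Path) {
            $item = Get-Item -LiteralPath $p -ErrorAction Stop
            $vi = $item.VersionInfo

            # FileVersionRaw is the VS_FIXEDFILEINFO value (what versioninfo.vbs prints)
            $raw = if ($vi.PSObject.Properties['FileVersionRaw']) {
                $vi.FileVersionRaw
            } else {
                # Pre-5.1 fallback: assemble it from the individual fixed-info parts
                New-Object Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            }

            # The string may carry a trailing tag such as "(win7_rtm.090713-1255)"; drop it before comparing
            $versionString = ($vi.FileVersion -replace '\s.*$', '')

            [pscustomobject]@{
                Name           = $item.Name
                FileVersionStr = $vi.FileVersion          # string table: may be stale after servicing
                FileVersionRaw = $raw.ToString()          # binary: authoritative for patch checks
                ProductVersion = $vi.ProductVersion
                Mismatch       = ($versionString -ne $raw.ToString())
                LastWriteTime  = $item.LastWriteTime
            }
        }
    }
}

# Same two files as the cscript comparison above, without needing cscript:
'C:\windows\system32\zipfldr.dll', 'C:\windows\system32\xolehlp.dll' |
    Get-DllVersionReport | Format-Table -AutoSize
```

Run it over Get-ChildItem C:\Windows\System32\*.dll and filter on Mismatch to see how many system files on a Windows 7 machine still advertise the RTM string while carrying a much newer binary version.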

