paradizelost
Everything posted by paradizelost

  1. On my machine, the registry export was >200MB; I'm running Vista. That is also what took the bulk of the time to run. As far as a machine that may need to be turned over to the authorities, they'll generally take the hard drive and do their own analysis rather than trust what you tell them; also, if it is a situation like that, you've already compromised the data if you modify the hard drive. Also, I'm not terribly concerned with the size, OfficeMax has 8GB drives available for $30 right now, so size really should be an issue other than for cheap admins... ;)
  2. Let me throw this possibility at you. One issue with running any of these tools from within a running Windows installation is that some of the rootkits etc. can prevent you from seeing the files they have modified or installed. This is, however, not possible if you boot to the thumb drive and run the utilities from a USB live environment. One could create a modified BART environment or Ubuntu environment etc. to back up the necessary registry .DAT files and do a check on the system without any active Windows processes. This would allow one to get a more complete and more accurate configuration; however, one would need to figure out how to run some of the utilities to get the info from a non-running system.
  3. I would imagine that in most cases where this is intended for use, it would be business environments, which most likely will be running Pro; however, I have no home machines to test on.
  4. Also, some of the info like pslist could be obtained by using some of the command line options available with tasklist, i.e. if you pay attention to the options on the /FO switch.
  5. That could be accomplished by doing a NET START VSS first, assuming you have admin rights on the machine you are running this on.
  6. The other option may be, as this wouldn't TECHNICALLY be distribution:
  7. Most of the information gathered by the 3rd party tools is gathered via WMI, I would guess. If there are some creative scripters out there, we could write our own WMI scripts to pull a lot of the information ourselves. As far as the licensing goes, from the Sysinternals website:
  8. matessim, again, the problem with that is we do not have redistribution rights to the 3rd party tools. One gets in a fair bit of legal trouble redistributing without permission. That's why you have to go download the tools yourself.
  9. The issue there is that some of the software would require redistribution licenses. And a .bat file is easy enough to copy/paste.
  10. Here's an updated piece of code that incorporates a lot of the info-gathering ideas that were put forth. The changes are as follows:
     • Uses the START command to run many commands in parallel rather than all in series. This shortens the time the script takes to run considerably, at a performance hit on the machines while it is running.
     • Creates a folder output\%computername% to put the files in, rather than cluttering up one output directory; useful if running on an entire network.
     • xcopy's the contents of %windir%\system32\drivers\etc.
     • Uses Microsoft's print server migration tool from http://tinyurl.com/2ab4lz to save all printers, ports, and drivers from the system to a cab file, which can be restored later. Simply download printmig.exe from MS and put it in the U3ir folder on the thumb drive. NOTE: PRINTMIG.exe does not work on Vista.
     • Fixed the %WINDIR%\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs pointing to just %windir%\system32.
     • Used the DOS TREE command to save an output of non-hidden, non-system files to a text file.
     • Used the SET command and exported the entirety of the system variables to a text file.
```batch
REM Set log file location (%1 is the thumb drive letter passed on the command line)
IF NOT EXIST %1\output ( MD %1\output )
IF NOT EXIST %1\output\%computername% ( MD %1\output\%computername% )
CD u3ir

REM enumerate local accounts and currently logged on users
net users >> %1\output\%computername%\localaccts-%computername%.txt
psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt

REM Grab network info, arp tables, open connections, and firewall status
REM NOTE: commands launched with START run in parallel, so those appending to the
REM same file can interleave their output lines.
START ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
START ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
START arp -a >> %1\output\%computername%\localnet-%computername%.txt
START netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
START route print >> %1\output\%computername%\localnet-%computername%.txt
REM TYPE is a cmd internal command; running it through START would leave a cmd window open
type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
START netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
START netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
START net use >> %1\output\%computername%\localnet-%computername%.txt
START gpresult >> %1\output\%computername%\%computername%_GPO.txt
START driverquery >> %1\output\%computername%\%computername%_drivers.txt
START netsh show alias >> %1\output\%computername%\%computername%_alias.txt
START netsh show helper >> %1\output\%computername%\%computername%_helper.txt
START systeminfo /FO LIST >> %1\output\%computername%\%computername%_systeminfo.txt
START tasklist /FO LIST >> %1\output\%computername%\%computername%_tasklist.txt
set >> %1\output\%computername%\%computername%_variables.txt
tree /F /A %systemdrive%\ >> %1\output\%computername%\%computername%_dirtree.txt
REM printmig.exe must be downloaded from MS into the U3ir folder; it does not work on Vista
START printmig.exe -b %1\output\%computername%\%computername%_printers.cab
MD %1\output\%computername%\etc
START xcopy /q /e %windir%\system32\drivers\etc %1\output\%computername%\etc

REM Grab a list of installed software and running processes
START psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
START pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab state of all services on the machine
START sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
REM Grab a list of the printers on the machine and properties
cscript %WINDIR%\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt

REM Export the registry of the machine
REM HKEY_LOCAL_MACHINE
START reg export HKLM %1\output\%computername%\hklm-%computername%.reg
REM HKEY_CURRENT_USER
START reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
REM HKEY_CLASSES_ROOT
START reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
REM HKEY_USERS
START reg export HKU %1\output\%computername%\hku-%computername%.reg
REM HKEY_CURRENT_CONFIG
START reg export HKCC %1\output\%computername%\hkcc-%computername%.reg

REM calculate MD5 hashes of the system directory
START md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
START md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
START md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt
```

Let me know if you see any issues.
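Post 7 suggests pulling the same data through WMI instead of the Sysinternals tools that cannot be redistributed. The following PowerShell script is an added example, not paradizelost's code: it rebuilds a pslist -t style process tree from Win32_Process (handling recycled PIDs by checking creation times) and dumps service states from Win32_Service into the same output\<computername> folder the batch file uses. It assumes Windows PowerShell with Get-WmiObject and admin rights; the output file names are my own.

```powershell
# Added example, not paradizelost's code: gather the process tree and service
# states through WMI instead of pslist -t / psinfo / "sc query", so nothing from
# Sysinternals has to be copied onto the thumb drive. Assumes the same
# output\<computername> layout the batch script uses and admin rights.
param([string]$OutDir = (Join-Path "output" $env:COMPUTERNAME))
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
# One snapshot of Win32_Process; the tree is built from that single query.
$procs    = @(Get-WmiObject -Class Win32_Process)
$byParent = @{}   # parent PID (string) -> children
$created  = @{}   # PID (string) -> CIM creation timestamp (lexically sortable)
foreach ($p in $procs) {
    $created["$($p.ProcessId)"] = "$($p.CreationDate)"
    $key = "$($p.ParentProcessId)"
    if (-not $byParent.ContainsKey($key)) { $byParent[$key] = @() }
    $byParent[$key] += $p
}
# PIDs get recycled: the recorded parent is only genuine if it was created
# before the child; otherwise the child is an orphan and is shown as a root.
function Test-RealParent($p) {
    $pp = "$($p.ParentProcessId)"
    return ($pp -ne "$($p.ProcessId)") -and $created.ContainsKey($pp) -and
           ($created[$pp] -le "$($p.CreationDate)")
}
function Write-Tree([string]$ParentId, [int]$Depth, $Lines, $Seen) {
    foreach ($c in @($byParent[$ParentId] | Sort-Object ProcessId)) {
        $id = "$($c.ProcessId)"
        if ($Seen.ContainsKey($id) -or -not (Test-RealParent $c)) { continue }
        $Seen[$id] = $true
        $o   = $c.GetOwner()
        $who = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { "n/a" }
        [void]$Lines.Add(("{0}{1} (PID {2}) [{3}] {4}" -f ("  " * $Depth),
                          $c.Name, $c.ProcessId, $who, $c.ExecutablePath))
        Write-Tree $id ($Depth + 1) $Lines $Seen
    }
}
$lines = New-Object System.Collections.ArrayList
$seen  = @{}
foreach ($p in ($procs | Sort-Object ProcessId)) {
    if (Test-RealParent $p) { continue }      # has a live parent: listed under it
    [void]$lines.Add(("{0} (PID {1})" -f $p.Name, $p.ProcessId))
    $seen["$($p.ProcessId)"] = $true
    Write-Tree "$($p.ProcessId)" 1 $lines $seen
}
$lines | Out-File (Join-Path $OutDir "wmi-pslist-$env:COMPUTERNAME.txt")
# Service states, the WMI equivalent of "sc query state= all"
Get-WmiObject -Class Win32_Service | Sort-Object Name |
    Select-Object Name, State, StartMode, StartName, PathName |
    Format-List | Out-File (Join-Path $OutDir "wmi-services-$env:COMPUTERNAME.txt")
```

Like the batch file, this runs on the live system, so a rootkit hiding processes from WMI hides them here too; the offline collection from post 2 is the check against that.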