paradizelost

Posts posted by paradizelost

  1. On my machine, the registry export was >200MB; I'm running Vista. That is also what took the bulk of the time to run.

    As far as a machine that may need to be turned over to the authorities goes, they'll generally take the hard drive and do their own analysis rather than trust what you tell them. Also, if it is a situation like that, you've already compromised the data if you modify the hard drive.

    Also, I'm not terribly concerned with the size; OfficeMax has 8GB drives available for $30 right now, so size really should be an issue other than for cheap admins... ;)

  2. Let me throw this possibility at you. One issue with running any of these tools from within a running Windows installation is that some of the rootkits etc. can prevent you from seeing the files that they have modified or installed. This is not possible, however, if you boot to the thumb drive and run the utilities from a USB live environment. One could create a modified BartPE environment or Ubuntu environment etc. to back up the necessary registry .DAT files and do a check on the system, etc., without any active Windows processes. This would allow one to get a more complete and more accurate configuration; however, it would need to be figured out how to run some of the utilities to get the info from a non-running system.

  3. The other option may be, as this wouldn't TECHNICALLY be distribution:

    Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.

    You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.

  4. Most of the information gathered by the 3rd party tools is gathered via WMI, I would guess. If there are some creative scripters out there, we could write our own WMI scripts to pull a lot of the information ourselves.

    As far as the licensing goes, from the Sysinternals website:

    Q: May I distribute Sysinternals utilities in my software, on my website, or with my magazine?

    A: No. We are not offering any distribution licenses, even if the 3rd party is distributing them for free. We encourage people to download the utilities from our download center where they can be assured to get the most recent version of the utility.
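    Here is the kind of WMI collection the post suggests, as an added example (not code from this thread or from Sysinternals). It is PowerShell rather than the batch/VBScript of the era, assumes PowerShell 4 or later (Get-FileHash), and writes into the same output\<computername> layout the batch script in this thread uses; $OutRoot is an assumed parameter name.

```powershell
# Added example: collect system state through WMI with no third-party binaries.
# Assumes $OutRoot is the thumb drive's output folder (same layout as the batch script).
param([string]$OutRoot = (Join-Path (Get-Location) 'output'))

$hostDir = Join-Path $OutRoot $env:COMPUTERNAME
New-Item -ItemType Directory -Path $hostDir -Force | Out-Null

# WMI class -> properties worth keeping. Volatile data (processes) is collected first.
# Win32_Product is deliberately left out: querying it triggers MSI reconfiguration.
$queries = @(
  @{ Name='processes';  Class='Win32_Process';
     Props='ProcessId','ParentProcessId','Name','ExecutablePath','CommandLine','CreationDate' },
  @{ Name='services';   Class='Win32_Service';
     Props='Name','State','StartMode','PathName','StartName' },
  @{ Name='startup';    Class='Win32_StartupCommand';
     Props='Name','Command','Location','User' },
  @{ Name='netconfig';  Class='Win32_NetworkAdapterConfiguration'; Filter='IPEnabled = TRUE';
     Props='Description','MACAddress','IPAddress','DefaultIPGateway','DNSServerSearchOrder','DHCPEnabled' },
  @{ Name='localusers'; Class='Win32_UserAccount'; Filter='LocalAccount = TRUE';
     Props='Name','SID','Disabled','Lockout','PasswordRequired' },
  @{ Name='hotfixes';   Class='Win32_QuickFixEngineering';
     Props='HotFixID','Description','InstalledOn' },
  @{ Name='shares';     Class='Win32_Share'; Props='Name','Path','Description' }
)

foreach ($q in $queries) {
  $file = Join-Path $hostDir ("{0}-{1}.txt" -f $q.Name, $env:COMPUTERNAME)
  $params = @{ Class = $q.Class; ErrorAction = 'Stop' }   # Stop so the catch below fires
  if ($q.Filter) { $params.Filter = $q.Filter }
  try {
    Get-WmiObject @params | Select-Object -Property $q.Props |
      Format-List | Out-File -FilePath $file -Encoding UTF8
  } catch {
    "ERROR querying $($q.Class): $_" | Out-File -FilePath $file -Encoding UTF8
  }
}

# Hash every output file so later tampering with the collected evidence is detectable.
Get-ChildItem $hostDir -Filter '*.txt' | ForEach-Object {
  '{0}  {1}' -f (Get-FileHash $_.FullName -Algorithm SHA256).Hash, $_.Name
} | Out-File (Join-Path $hostDir 'hashes.sha256')
```

    Run it elevated; CommandLine and several service properties come back empty for processes the current user cannot open.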

  5. Here's an updated piece of code that incorporates a lot of the info gathering ideas that were put forth.

    The changes are as follows:

    • Uses the START command to run many commands in parallel rather than all in series. This shortens the amount of time that this takes to run considerably, at a performance hit on the machines while running.

    • Creates a folder output\%computername% to put the files in, rather than cluttering up one output directory; useful if running on an entire network.

    • Xcopy's the contents of %windir%\system32\drivers\etc.

    • Uses Microsoft's print server migration tool from http://tinyurl.com/2ab4lz to save all printers, ports, and drivers from the system to a cab file. This can be restored later. Simply download printmig.exe from MS and put it in the U3ir folder on the thumb drive. NOTE: PRINTMIG.exe does not work on Vista.

    • Fixed the %WINDIR%\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs pointing to just %windir%\system32.

    • Used the DOS TREE command to save an output of non-hidden, non-system files to a text file.

    • Used the SET command and exported the entirety of the system variables to a text file.

    REM Set log file location (%1 is the drive letter of the thumb drive, e.g. E:)
    
    IF NOT EXIST %1\output (
            MD %1\output
            )
    IF NOT EXIST %1\output\%computername% (
        MD %1\output\%computername%
        )
    CD u3ir
    
    REM enumerate local accounts and currently logged on users
    net users >> %1\output\%computername%\localaccts-%computername%.txt
    psloggedon /accepteula >> %1\output\%computername%\localaccts-%computername%.txt
    
    REM Grab network info, arp tables, open connections, and firewall status
    REM NOTE: START runs these in parallel, so commands appending to the same file may interleave their output
    START ipconfig /all >> %1\output\%computername%\localnet-%computername%.txt
    START ipconfig /displaydns >> %1\output\%computername%\localnet-%computername%.txt
    START arp -a >> %1\output\%computername%\localnet-%computername%.txt
    START netstat -ano >> %1\output\%computername%\localnet-%computername%.txt
    START route print >> %1\output\%computername%\localnet-%computername%.txt
    START type %systemroot%\system32\drivers\etc\hosts >> %1\output\%computername%\localnet-%computername%.txt
    START netsh firewall show state >> %1\output\%computername%\localnet-%computername%.txt
    START netsh firewall show service >> %1\output\%computername%\localnet-%computername%.txt
    START net use >> %1\output\%computername%\localnet-%computername%.txt
    START gpresult >> %1\output\%computername%\%computername%_GPO.txt
    START driverquery >> %1\output\%computername%\%computername%_drivers.txt
    START netsh show alias >> %1\output\%computername%\%computername%_alias.txt
    START netsh show helper >> %1\output\%computername%\%computername%_helper.txt
    START systeminfo /FO LIST >> %1\output\%computername%\%computername%_systeminfo.txt
    START tasklist /FO LIST >> %1\output\%computername%\%computername%_tasklist.txt
    REM Dump all environment variables and a tree of non-hidden, non-system files
    set >> %1\output\%computername%\%computername%_variables.txt
    tree /F /A %systemdrive%\ >> %1\output\%computername%\%computername%_dirtree.txt
    REM Save printers, ports and drivers to a cab file (printmig.exe must be in the U3ir folder; not supported on Vista)
    START printmig.exe -b %1\output\%computername%\%computername%_printers.cab
    REM Copy the hosts/lmhosts/networks/protocol/services files
    MD %1\output\%computername%\etc
    START xcopy /q /e %windir%\system32\drivers\etc %1\output\%computername%\etc
    REM Grab a list of installed software and running processes
    START psinfo /accepteula /h /s >> %1\output\%computername%\sysinfo-%computername%.txt
    START pslist -t /accepteula >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab state of all services on the machine
    START sc query state= all >> %1\output\%computername%\sysinfo-%computername%.txt
    REM Grab a list of the printers on the machine and properties
    REM (on XP/2003 prnmngr.vbs sits directly in %windir%\system32 rather than under Printing_Admin_Scripts)
    cscript %WINDIR%\System32\Printing_Admin_Scripts\en-US\Prnmngr.vbs -l >> %1\output\%computername%\sysinfo-%computername%.txt
    
    REM Export the registry of the machine
    REM HKEY_LOCAL_MACHINE
    START reg export HKLM %1\output\%computername%\hklm-%computername%.reg
    REM HKEY_CURRENT_USER
    START reg export HKCU %1\output\%computername%\hkcu-%computername%.reg
    REM HKEY_CLASSES_ROOT
    START reg export HKCR %1\output\%computername%\hkcr-%computername%.reg
    REM HKEY_USERS
    START reg export HKU %1\output\%computername%\hku-%computername%.reg
    REM HKEY_CURRENT_CONFIG
    START reg export HKCC %1\output\%computername%\hkcc-%computername%.reg
    
    REM calculate MD5 hashes of the system directory
    START md5sums %systemroot% >> %1\output\%computername%\osmd5-%computername%.txt
    START md5sums %systemroot%\system >> %1\output\%computername%\osmd5-%computername%.txt
    START md5sums %systemroot%\system32 >> %1\output\%computername%\osmd5-%computername%.txt

    Let me know if you see any issues.
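    The md5sums step in the script above only becomes a check when there is a baseline to compare against. As an added example (not code from this thread), this PowerShell compares a hash listing taken from a known-good machine with one from a suspect machine and reports changed, added and removed files; it assumes PowerShell 3 or later, that each line looks like `<hash> <path>`, and the file paths at the bottom are placeholders.

```powershell
# Added example: diff two hash listings such as the osmd5-<host>.txt files the script writes.
# Assumed line format: "<hash> <path>", with an optional '*' before the path (binary mode marker).
function Read-HashList {
    param([string]$Path)
    $map = @{}
    foreach ($line in (Get-Content -Path $Path)) {
        if ($line -match '^\s*([0-9A-Fa-f]{32,64})\s+\*?(.+?)\s*$') {
            # Normalise case: NTFS paths and hex digests are both case-insensitive
            $map[$Matches[2].ToLowerInvariant()] = $Matches[1].ToLowerInvariant()
        }
    }
    return $map
}

function Compare-HashList {
    param([string]$Baseline, [string]$Current)
    $base = Read-HashList -Path $Baseline
    $cur  = Read-HashList -Path $Current
    $paths = @($base.Keys) + @($cur.Keys) | Sort-Object -Unique
    foreach ($p in $paths) {
        if (-not $cur.ContainsKey($p))      { [pscustomobject]@{ Status = 'REMOVED'; Path = $p } }
        elseif (-not $base.ContainsKey($p)) { [pscustomobject]@{ Status = 'ADDED';   Path = $p } }
        elseif ($base[$p] -ne $cur[$p])     { [pscustomobject]@{ Status = 'CHANGED'; Path = $p } }
    }
}

# Placeholder paths: a listing from a clean reference build and one from the machine under review.
Compare-HashList -Baseline '.\output\GOLD-PC\osmd5-GOLD-PC.txt' `
                 -Current  '.\output\SUSPECT-PC\osmd5-SUSPECT-PC.txt' |
    Sort-Object Status, Path | Format-Table -AutoSize
```

    Legitimate patching also changes hashes, so take the baseline from a machine at the same patch level, and look at CHANGED and ADDED entries under system32 first.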
