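@echo off
rem Incident-response triage collector: gathers process, service, network, account,
rem share, registry, scheduled-task, patch, event-log and PowerShell-history
rem artifacts into a date-named folder next to this script.
rem NOTE(review): save this file in the console's ANSI code page (GBK on a Chinese
rem system) rather than UTF-8, otherwise the echoed labels appear garbled.
title 应急响应信息采集工具V1.4
echo ================================
echo * 应急响应信息采集工具 *
echo By:Ahi
echo http://blog.rip2.vip
echo ================================
color 0a
rem /d also switches drive, so the script works when started from a USB stick
rem on a different drive letter than the current one.
cd /d "%~dp0"
rem %date% layout is locale-dependent; the substring offsets assume yyyy/mm/dd
rem (the author's format). Adjust the offsets if the host prints dates differently.
set "filename=%date:~0,4%%date:~5,2%%date:~8,2%"
set "outdir=.\%filename%"
if not exist "%outdir%\" mkdir "%outdir%\"
rem Event logs, HOSTS and HKLM exports need an elevated shell. Warn but continue
rem so the remaining artifacts are still collected.
net session >nul 2>&1
if errorlevel 1 echo "警告: 未以管理员身份运行, 系统日志等部分数据可能无法收集"
rem Record when, where and as whom the collection ran; needed when the output
rem is later used to build a timeline.
> "%outdir%\collect_info.txt" (
  echo collected_at=%date% %time%
  echo hostname=%computername%
  echo collected_by=%username%
)
echo "开始收集进程列表"
wmic process get name,processid,executablepath /format:htable > "%outdir%\tasklist.html"
echo "进程列表收集完毕"
echo ================================
echo "开始收集系统服务"
wmic service get Name,Description,Caption,DisplayName,ProcessId,started,StartMode,StartName,State,Status,AcceptPause,AcceptStop,PathName /format:htable > "%outdir%\service.html"
echo "系统服务收集完毕"
echo ================================
echo "开始收集系统日志"
rem /C keeps copying after a locked or unreadable .evtx instead of aborting the
rem whole copy; /H includes hidden/system-attributed files.
xcopy C:\Windows\System32\winevt\Logs "%outdir%\logs\" /Y /C /H >nul
echo "系统日志收集完毕"
echo ================================
echo "开始收集网络链接"
netstat -ano > "%outdir%\netstat.txt"
echo "网络链接收集完毕"
echo ================================
echo "开始收集账户信息"
wmic USERACCOUNT list /format:htable > "%outdir%\account.html"
echo "账户信息收集完毕"
echo ================================
echo "开始收集共享信息"
wmic share list /format:htable > "%outdir%\netshare.html"
echo "共享信息收集完毕"
echo ================================
echo "开始收集路由表"
route print > "%outdir%\route.txt"
echo "路由表收集完毕"
echo ================================
echo "开始收集HOSTS"
xcopy C:\Windows\System32\drivers\etc "%outdir%\etc\" /Y /C /H >nul
echo "HOSTS收集完毕"
echo ================================
echo "开始收集mstsc"
reg export "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" "%outdir%\mstsc.txt" /y >nul
echo "mstsc收集完毕"
echo ================================
echo "开始收集注册表启动项"
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "%outdir%\autorun.txt" /y >nul
rem Persistence is also commonly placed under RunOnce and the per-user Run key;
rem export those alongside the machine-wide Run key.
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" "%outdir%\autorun_runonce.txt" /y >nul
reg export "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "%outdir%\autorun_hkcu.txt" /y >nul
echo "注册表启动项收集完毕"
echo ================================
echo "开始收集已安装软件信息"
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" "%outdir%\software.txt" /y >nul
echo "已安装软件信息收集完毕"
echo ================================
echo "开始收集计划任务"
schtasks /query /v /fo list > "%outdir%\schtasks.txt"
echo "计划任务收集完毕"
echo ================================
echo "开始收集ARP表"
arp -a > "%outdir%\arp.txt"
echo "ARP表收集完毕"
echo ================================
echo "开始收集系统信息"
systeminfo > "%outdir%\systeminfo.txt"
echo "系统信息收集完毕"
echo ================================
echo "开始收集补丁信息"
wmic qfe list /format:htable > "%outdir%\hotfix.html"
echo "补丁信息收集完毕"
echo ================================
echo "开始收集powershell历史命令"
rem Both source paths normally resolve to the same file (%appdata% is
rem %userprofile%\AppData\Roaming); the copies are guarded so a missing history
rem file does not print an error. Only the invoking user's history is captured.
if exist "%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" copy "%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" "%outdir%\ConsoleHost_history.txt" /Y >nul
if exist "%appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" copy "%appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" "%outdir%\ConsoleHost_history_1.txt" /Y >nul
echo "powershell历史命令收集完毕"
echo "信息采集完毕,数据存放在当前目录%filename%中"
pause>nul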