#911
The title and version number are your choice.
Event viewer and top errors or the above.
Please post a share link with the current script.
The share link is already in my post #906.
Download it and rename it as you please. Just don't modify the content.
Last edited by Matthew Wai; 16 Sep 2021 at 00:54.
Isn't that a bat file? How can the script be saved like LOGS PS1 (text file), so that it can be copied and pasted into administrative PowerShell?
Just double-click on the batch script, which will do the job automatically. You need not copy and paste anything.
I'm planning to upload the bat file.
Separately I'd like a copy and paste file.
This way there is a backup option.
The following PowerShell code will be run automatically when you double-click on the batch script.
I do not know whether it will work when you copy and paste it onto the "Administrator: Windows PowerShell" window.
Code:
```powershell
function wh {
    Param ([parameter(Mandatory = $true)][string]$txt)
    Write-Host $txt -ForegroundColor Green -BackgroundColor Black -NoNewline
}

function StartScript {
    ## Locate the Temp dir (trailing backslash removed) and start a transcript
    $global:tempDir = [System.IO.Path]::GetTempPath().TrimEnd('\')
    CMD /C "RD /s /q ""$tempDir\LOGS"" 2>Nul"
    MD $tempDir\LOGS -EA SilentlyContinue
    CD $tempDir\LOGS
    $txtCount = Get-Item $tempDir\LOGS\*.TXT -EA SilentlyContinue
    if ((Get-Host).Version.Major -cge 5) {   ## WIN7 not supported
        if ($txtCount.Count -cge 1) { Start-Transcript -Append -Path $tempDir\LOGS\Event-Search.TXT }
        else { Start-Transcript -Path $tempDir\LOGS\Event-Search.TXT }
    }
    $global:explore = "$tempDir\LOGS\"
    $global:Ver = "1.6.3"
    wh "`nLog Collection... (V$Ver)`n"
    Stop-Job *
    Remove-Job *
} ## End function StartScript

function EventSearch {
    wh "`n Starting EventSearch Job-Function ...`n"
    ## Gather events from every .evtx log with Get-WinEvent, in a background job
    $EventSearchJob = {
        $evtPaths = Get-Item C:\Windows\System32\Winevt\Logs\*.evtx -Exclude "*PowerShell*", "*known folders*" |
                    Select-Object FullName
        $MaxEvents = 99          ## newest events read from each log
        $events = @()
        foreach ($p in $evtPaths) {
            $events += @(Get-WinEvent -Path $p.FullName -MaxEvents $MaxEvents -EA SilentlyContinue)
        }
        ## Flatten each event into one text line so it can be searched and grouped
        $eventsArray = @()
        foreach ($e in $events) {
            $date = $e.TimeCreated | Get-Date -Format "yyyyMMdd" -EA SilentlyContinue   ## EA SC for blank entries
            $eventsArray += "$date ID:$($e.Id) Level:$($e.LevelDisplayName) Provider:$($e.ProviderName) Message:$($e.Message)"
        }
        ## Look for the patterns "error" or "fail" in $eventsArray
        $search = $eventsArray | Select-String -Pattern "error|fail"
        Return $search
    } ## End $EventSearchJob
    Start-Job -Name EventSearchJob -ScriptBlock $EventSearchJob
} ## End function EventSearch

function writeSearch {
    MD $tempDir\LOGS\EVTX\ -EA SilentlyContinue
    ## Count identical matching lines, most frequent first
    $search | Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -Wrap > TOP-ERRORS.TXT
    $search > $tempDir\LOGS\SEARCH.TXT
    if ($Global:eventOut -eq $True) {
        $search | Group-Object | Sort-Object Count -Descending | Select-Object -Property Count, Name |
            Out-GridView -Title "Top `"Errors`" via EVTX - V-$Ver"
    }
    wh "`n Collecting Matching EVTX Entries ...`n"
    ## Collect the .evtx files that the matching entries came from
    $providerName = (($search | Select-String "Provider:.*Message:").Matches.Value -Replace " Message:", "" -Replace "Provider:", "" |
                     Group-Object).Name
    ## Convert provider name to log name
    $providerName = (($providerName | ForEach-Object { Get-WinEvent -ProviderName $_ -MaxEvents 1 -EA SilentlyContinue }).LogName |
                     Group-Object).Name
    $providerName = $providerName -replace "Microsoft.", ""
    $providerName = $providerName -replace "Windows.", ""
    $providerName = $providerName -replace "/.*$", ""
    $evtx = $providerName | ForEach-Object { Get-ChildItem "C:\Windows\System32\winevt\logs\*$_*" }
    foreach ($f in $evtx) {
        COPY $f.PSPath $tempDir\LOGS\EVTX\
    }
} ## End function writeSearch

StartScript
EventSearch
wh "`nWaiting for EventSearchJob to complete...`n"
Receive-Job -Name EventSearchJob -OutVariable eventSearch -Wait
$search = $eventSearch.Line
writeSearch

#============================================================================
$REG = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
$Desktop = (GP -Path $REG -Name "Desktop").Desktop
$Date = Get-Date -Format "yyyy-MM-dd_HH-mm-ss"
$Logs = "$Desktop\Event_logs-($Date)"
$Folder = "$tempDir\LOGS"
$System32 = Join-Path -Path $env:SystemRoot -ChildPath "System32"
$WevtUtilPath = Join-Path -Path $System32 -ChildPath "wevtutil.exe"
$AppEvents = Join-Path -Path "$Folder" -ChildPath "application-events.txt"
$SystemEvents = Join-Path -Path "$Folder" -ChildPath "system-events.txt"
$PnPEvents = Join-Path -Path "$Folder" -ChildPath "pnp-events.txt"
$TimeLimit = "2592000000"   ## 30 days in milliseconds
$TimeString = "*[System[TimeCreated[timediff(@SystemTime) <= " + $TimeLimit + "]]]"

Echo ""; Echo "Exporting Application event Log..."
&$WevtUtilPath query-events Application /q:"$TimeString" /f:text > "$AppEvents"
Echo ""; Echo "Exporting System event log..."
&$WevtUtilPath query-events System /q:"$TimeString" /f:text > "$SystemEvents"
Echo ""; Echo "Exporting Kernel PnP event log..."
&$WevtUtilPath query-events Microsoft-Windows-Kernel-PnP/Configuration /q:"$TimeString" /f:text > "$PnPEvents"

## The transcript is copied under a second name so it can be added to the ZIP
If (Test-Path "$Folder\Event-Search.txt" -PathType Leaf) { CP "$Folder\Event-Search.txt" -Destination "$Folder\Event_Search.txt" }
If (Test-Path "$Folder\EVTX" -PathType Container) { Compress-Archive -Path "$Folder\EVTX" -Update -DestinationPath "$Logs" }
If (Test-Path "$Folder\SEARCH.txt" -PathType Leaf) { Compress-Archive -Path "$Folder\SEARCH.txt" -Update -DestinationPath "$Logs" }
If (Test-Path "$Folder\TOP-ERRORS.txt" -PathType Leaf) { Compress-Archive -Path "$Folder\TOP-ERRORS.txt" -Update -DestinationPath "$Logs" }
If (Test-Path "$Folder\Event_Search.txt" -PathType Leaf) { Compress-Archive -Path "$Folder\Event_Search.txt" -Update -DestinationPath "$Logs" }
Compress-Archive -Path "$AppEvents" -Update -DestinationPath "$Logs"
Compress-Archive -Path "$SystemEvents" -Update -DestinationPath "$Logs"
Compress-Archive -Path "$PnPEvents" -Update -DestinationPath "$Logs"
Start "$Logs.zip"; CMD /C "RD /s /q ""$Folder"" 2>Nul"
Echo ""; Echo " The following ZIP file has been created on the desktop."
Echo ""; Echo " $Logs.zip"; Echo ""
Echo " Please upload it as an attachment to your post on TenForums."
Switch (Read-Host ' You may press [Enter] to close this window.') { "" { Exit } }
#============================================================================
```
Running the script created folders and files dated today 9/16 with one exception.
The Event_Search displayed 9/14.
Code:
```text
    Directory: C:\Users\a\AppData\Local\Temp\LOGS

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         9/14/2021   7:38 AM                EVTX

Exporting Application event Log...

Exporting System event log...

Exporting Kernel PnP event log...

 The following ZIP file has been created on the desktop.

 C:\Users\a\Desktop\Event_logs-(2021-09-14_07-38-23).zip

 Please upload it as an attachment to your post on TenForums.
```
or,
Code:
```text
icacls "D:\path\to\file.bat" /inheritance:r /grant %username%:F /grant everyone:RX
```
obfuscate.bat
If a bat script is posted in resources on either WQ or EF, can someone modify it (add, subtract, or replace parts of the script)?
For example, any malware?
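As an added example, not code from this thread or from anyone in it: before running a .bat that someone posted, a PowerShell check that its SHA-256 matches the value the author published and that the file's ACL (as set by the icacls command above) leaves no account but your own able to modify it. The path is the one quoted in the thread; the hash is a placeholder to be replaced with the author's published value.

```powershell
# Added example (not from this thread). Verifies a downloaded batch script before it is run:
# (1) its SHA-256 equals the hash the author published, and
# (2) only the current account holds an Allow ACE with Write or Delete rights on it.
$ScriptPath      = 'D:\path\to\file.bat'                          # path quoted in the thread
$PublishedSha256 = '<SHA-256 HEX STRING FROM THE AUTHOR POST>'    # placeholder, replace before use

function Test-PublishedHash {
    param([string]$Path, [string]$Expected)
    # Get-FileHash returns upper-case hex, so compare case-insensitively
    $actual = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    return ($actual -ieq $Expected.Trim())
}

function Get-ModifyCapableIdentities {
    param([string]$Path)
    # Any Allow ACE carrying Write or Delete bits lets that identity alter or replace the file
    $mask = [System.Security.AccessControl.FileSystemRights]::Write -bor
            [System.Security.AccessControl.FileSystemRights]::Delete
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $mask) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$hashOk  = Test-PublishedHash -Path $ScriptPath -Expected $PublishedSha256
$writers = @(Get-ModifyCapableIdentities -Path $ScriptPath)
$others  = @($writers | Where-Object { $_ -ne $me })

if (-not $hashOk) {
    Write-Warning "SHA-256 of $ScriptPath does not match the published value; do not run it."
}
if ($others.Count -gt 0) {
    Write-Warning "Identities other than $me can modify the script: $($others -join ', ')"
}
if ($hashOk -and $others.Count -eq 0) {
    Write-Host "OK: hash matches and only $me can modify $ScriptPath"
}
```

An administrator can still take ownership and rewrite the file regardless of the ACL, so the hash comparison is the stronger of the two checks.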