I have been dabbling with VBScripts over the past week or so and have put together a non-invasive and quick method to document the current state of a machine remotely over the network. To be absolutely honest, all I have done is taken the freely available scripts from Microsoft's Scripting Center and cobbled the useful ones together into a tool that will enumerate all the information you might want as to the current state of a remote machine.

You must have admin rights over the remote machine or it won't work, and there are restrictions on its use against certain older Windows OSes (see the link above for what is required on systems older than Win2k).

It asks for the IP address of the remote machine, the complete filename of the output file, (eg: a:\computer27.txt), and your full name, (eg: Bill Smith).

The output contains the following:-

The OS and SP level
Installed Hotfixes
The role of the computer in the domain
The currently logged on user
All the local User accounts
The local group memberships
IP address info
Network adapter information
Network protocols information
The start-up options
Boot config options
Start-up commands
Current shares
Running processes and their owners
Thread states for running processes
The status of all installed services

It carries a header that documents this as being non-invasive forensic information for computer xxx.xxx.xxx.xxx at xx:xx:xx hours on xx/xx/xx day by [Your name here]

Yes it is a vbs script...... Yes it could do nasty things if you run it..... No I do not work for the NSA, Federal Government, State Government, County Government or Local Government for the benefit of the more suspicious amongst you...... OTOH, it does not do nasty things and you might even find it of use in an emergency.

I would appreciate someone who has a basic understanding of VBScript taking a quick look to verify here in the forum that it only pulls information to the file you designate and that it does nothing harmful, thanks to whoever.

To run it you need to unzip it on a machine capable of running vbscripts, (I use Win2k). Put it in a folder, (c:\scripts is good), open a cmd prompt in that folder and type:-

cscript currentstate.vbs

It will ask for the IP of the remote machine, (you can put the local machine's IP in if you want), then the filename for the output and finally your name.

I think you would find it useful and quick to run at the start of an investigation and I have already started to baseline my machines using it so that I can document changes in case of a compromise.

I would appreciate any feedback and any suggestions as to other information that people would like gathered.

Have fun.......
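
For readers who want to see what this kind of read-only WMI collection looks like, here is an added example covering four of the listed items (OS and SP level, hotfixes, processes with owners, services). It is not the poster's currentstate.vbs; the variable names, prompts and section layout are assumptions, and only standard WMI classes are queried.

```vbscript
' Added example, not the poster's script. Run under cscript so StdIn/StdOut work.
Option Explicit
Dim strComputer, strOutFile, strExaminer, objFSO, objOut, objWMI, objItem
Dim strUser, strDomain, strOwner, lngRet

WScript.StdOut.Write "IP address of remote machine: "
strComputer = Trim(WScript.StdIn.ReadLine)
WScript.StdOut.Write "Complete output filename: "
strOutFile = Trim(WScript.StdIn.ReadLine)
WScript.StdOut.Write "Your full name: "
strExaminer = Trim(WScript.StdIn.ReadLine)

' Overwrite = False: stop with an error rather than replace an earlier record
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOut = objFSO.CreateTextFile(strOutFile, False)

' Remote WMI connection; needs admin rights on the target. Queries only, no changes.
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\cimv2")

' Header: which machine, when (clock of the collecting machine), and who collected it
objOut.WriteLine "Non-invasive forensic information for computer " & strComputer & _
    " at " & Now & " by " & strExaminer

objOut.WriteLine vbCrLf & "== OS and SP level =="
For Each objItem In objWMI.ExecQuery("SELECT * FROM Win32_OperatingSystem")
    ' CSDVersion is Null when no service pack is installed; & treats Null as ""
    objOut.WriteLine objItem.Caption & " " & objItem.Version & " " & objItem.CSDVersion
Next

objOut.WriteLine vbCrLf & "== Installed hotfixes =="
For Each objItem In objWMI.ExecQuery("SELECT * FROM Win32_QuickFixEngineering")
    objOut.WriteLine objItem.HotFixID & vbTab & objItem.Description
Next

objOut.WriteLine vbCrLf & "== Running processes and their owners =="
For Each objItem In objWMI.ExecQuery("SELECT * FROM Win32_Process")
    lngRet = -1
    On Error Resume Next   ' a process may exit between the query and GetOwner
    lngRet = objItem.GetOwner(strUser, strDomain)
    On Error GoTo 0
    If lngRet = 0 Then strOwner = strDomain & "\" & strUser Else strOwner = "(owner unavailable)"
    objOut.WriteLine objItem.ProcessId & vbTab & objItem.Name & vbTab & strOwner
Next

objOut.WriteLine vbCrLf & "== Status of installed services =="
For Each objItem In objWMI.ExecQuery("SELECT * FROM Win32_Service")
    objOut.WriteLine objItem.Name & vbTab & objItem.State & vbTab & objItem.StartMode
Next
objOut.Close
```

Because the output is plain text with fixed section headers, two runs against the same machine can be compared with any text diff tool to spot new accounts, services or processes since the baseline.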