forked from davehull/Kansa
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request davehull#182 from DaveCrim/Update_and_Add_ASEP_Mod…
…ules Update and add new ASEP Modules
- Loading branch information
Showing
6 changed files
with
623 additions
and
27 deletions.
There are no files selected for viewing
33 changes: 33 additions & 0 deletions
33
Analysis/asep/Get-PersistenceFilesAndRegistryKeysStack.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| <# | ||
| .SYNOPSIS | ||
| Get-PersistenceFilesAndRegistryKeysStack.ps1 | ||
| Requires logparser.exe in path | ||
| Pulls stack rank of all Service Failures from acquired Service Failure data | ||
| This script expects files matching the pattern *SvcFail.tsv to be in | ||
| the current working directory. | ||
| .NOTES | ||
| DATADIR PersistanceFilesAndRegistryKeys | ||
| #> | ||
|
|
||
| if (Get-Command logparser.exe) { | ||
|
|
||
| $lpquery = @" | ||
| SELECT | ||
| COUNT(Type) as Quantity, | ||
| Type, Set, Path, Value | ||
| FROM | ||
| *PersistenceFilesAndRegistryKeys.csv | ||
| GROUP BY | ||
| Type, Set, Path, Value | ||
| ORDER BY | ||
| Quantity ASC | ||
| "@ | ||
|
|
||
| & logparser -stats:off -i:csv -o:csv $lpquery | ||
|
|
||
| } | ||
| else { | ||
| $ScriptName = [System.IO.Path]::GetFileName($MyInvocation.ScriptName) | ||
| "${ScriptName} requires logparser.exe in the path." | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| <# | ||
| .SYNOPSIS | ||
| Get-SchedTasksAllStack.ps1 | ||
| Requires logparser.exe in path | ||
| Pulls stack rank of all Service Failures from acquired Service Failure data | ||
| This script expects files matching the pattern *SvcFail.tsv to be in | ||
| the current working directory. | ||
| .NOTES | ||
| DATADIR SchedTasksAll | ||
| #> | ||
|
|
||
| if (Get-Command logparser.exe) { | ||
|
|
||
| $lpquery = @" | ||
| SELECT | ||
| COUNT(*) as Quantity, | ||
| Author, | ||
| [Task To Run], | ||
| BinaryPath, | ||
| dllPath, | ||
| BinaryHash, | ||
| dllHash | ||
| FROM | ||
| *SchedTasksAll.csv | ||
| GROUP BY | ||
| Author, | ||
| [Task To Run], | ||
| BinaryPath, | ||
| dllPath, | ||
| BinaryHash, | ||
| dllHash | ||
| ORDER BY | ||
| Quantity ASC | ||
| "@ | ||
|
|
||
| & logparser -stats:off -i:csv -o:csv $lpquery | ||
|
|
||
| } else { | ||
| $ScriptName = [System.IO.Path]::GetFileName($MyInvocation.ScriptName) | ||
| "${ScriptName} requires logparser.exe in the path." | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,30 +1,42 @@ | ||
| <# | ||
| <# | ||
| .SYNOPSIS | ||
| Get-SvcAllStack.ps1 | ||
| A basic stack for services aggregating on Caption and Pathname. | ||
| Out put is fairly ugly, it is sorted by Name, rather than count. | ||
| Sorting this way means that items with the same Caption, but | ||
| different Pathnames will be reported next to each other. Here's | ||
| an example: | ||
| Get-SvcFailStack.ps1 | ||
| Requires logparser.exe in path | ||
| Pulls stack rank of all Service Failures from acquired Service Failure data | ||
| 2 HP Version Control Age... {@{Caption=HP Version Control Agent; PathName="C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe"}, @{Caption=HP Version Control Agent; PathName="C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe"}} | ||
| 1 HP Version Control Age... {@{Caption=HP Version Control Agent; PathName=C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe}} | ||
| Here we have scan resunts from three systems. All three have a | ||
| service named "HP Version Control Agent,", but one of them has | ||
| a pathname without double-quotes. A superficial difference. | ||
| Get-Autorunsc.ps1 provides much of the same information, but | ||
| Get-SvcAll.ps1 shows Process Ids for running processes and tells | ||
| you which account the item is running under. | ||
| This script expects files matching the pattern *SvcFail.tsv to be in | ||
| the current working directory. | ||
| .NOTES | ||
| DATADIR SvcAll | ||
| #> | ||
|
|
||
| $data = $null | ||
| if (Get-Command logparser.exe) { | ||
|
|
||
| foreach ($file in (ls *svcall.xml)) { | ||
| $data += Import-Clixml $file | ||
| } | ||
| $lpquery = @" | ||
| SELECT | ||
| COUNT(Name) as Quantity, | ||
| Name, | ||
| DescriptiveName, | ||
| Path, | ||
| ServiceDLL, | ||
| PathMD5Sum, | ||
| ServiceDLLMd5Sum | ||
| FROM | ||
| *SvcAll.csv | ||
| GROUP BY | ||
| Name, | ||
| DescriptiveName, | ||
| Path, | ||
| ServiceDLL, | ||
| PathMD5Sum, | ||
| ServiceDLLMd5Sum | ||
| ORDER BY | ||
| Quantity ASC | ||
| "@ | ||
|
|
||
| $data | Select-Object Caption, Pathname | Sort-Object Caption, Pathname | Group-Object Caption, Pathname | Sort-Object Name | ||
| & logparser -stats:off -i:csv -o:csv $lpquery | ||
|
|
||
| } else { | ||
| $ScriptName = [System.IO.Path]::GetFileName($MyInvocation.ScriptName) | ||
| "${ScriptName} requires logparser.exe in the path." | ||
| } |
Oops, something went wrong.