Here are some scripts and methods for remote troubleshooting, or for running certain commands on a remote computer. I have found them very useful, especially in an enterprise environment (if you have a domain administrator account).

Prerequisites for running remote commands:

  • Install .NET Framework 4.5.2 from \\shareserver\it\$Install\Scripting prerequisites\NDP452-KB2901907-x86-x64-AllOS-ENU.exe
    • or from //www.microsoft.com/en-ca/download/details.aspx?id=42642
  • Install Windows Management Framework 5.1:
    • Copy the folder \\shareserver\it\$Install\Scripting prerequisite\Windows Management Framework 5.1 to your C drive, or download it from //docs.microsoft.com/en-us/powershell/wmf/5.1/install-configure
    • Open PowerShell as administrator, navigate to that directory on your C drive, and run the command
      • .\Install-Wmf.ps1
  • Install the Microsoft Visual C++ 2017 Redistributable from \\shareserver\it\$Install\Scripting prerequisite\VC_redist.x64.exe
    • Download from //www.microsoft.com/en-us/download/details.aspx?id=52685
  • In a PowerShell prompt running as administrator, run the following command
    • Set-ExecutionPolicy Unrestricted -Force
  • From a PowerShell prompt running as administrator, run the command
    • Winrm QuickConfig

Sysinternals in a web browser:

Run PowerShell as administrator

Click Start, then type PowerShell in the search field. Right-click "Windows PowerShell", click "Run as administrator", and enter your domain administrator credentials.

You get an elevated PowerShell command prompt window running with your domain administrator credentials, which should have administrator rights on any computer joined to the enterprise domain.

In this window, change directory to C:\scripts

Log in remotely to a PowerShell session

PS C:\Scripting\PSTools>
PS C:\Scripting\PSTools> enter-pssession -ComputerName test-machine
[test-machine]: PS C:\Users\JADMIN\Documents>

Gather remotely installed applications

1.    Run the command:
.\Get-InstalledApps
2.    You will be prompted for the computer name. Enter the DNS name of the target computer (without the domain), e.g. testmachine1
3.    The script performs the following actions:
a.    Modifies your local TrustedHosts list to allow you to connect to the target computer
b.    Enables WinRM on the target computer
c.    Runs the Get-WmiObject command on the target computer and outputs the list of installed applications to the screen
4.    Verify the list of applications.

The output looks like this:

PS C:\Scripting> .\Get-InstalledApps.ps1
.\Get-InstalledApps.ps1 : File C:\Scripting\Get-InstalledApps.ps1 cannot be loaded because running scripts is
disabled on this system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\Get-InstalledApps.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
PS C:\Scripting> Set-ExecutionPolicy Unrestricted -Force
PS C:\Scripting> .\Get-InstalledApps.ps1
Enter the target computer name: testmachine1

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.
winrm.cmd exited on sarefeen-l with error code 0.

Gathering information on installed apps, please wait...

Name
----

 Tools for .Net 3.5
Adobe Acrobat Reader DC
Adobe Refresh Manager
Amazon Redshift ODBC Driver 64-bit
Check Point VPN
Cisco AnyConnect Secure Mobility Client
Desktop Authority Computer Agent
Dolby Audio X2 Windows API SDK
Google Chrome
Google Update Helper
Java 7 Update 55
Java 8 Update 161 (64-bit)
Java Auto Updater
...

The contents of the Get-InstalledApps script are:

#Prompt for target computer name
$Target = read-host "Enter the target computer name"

#Modify local TrustedHosts (note: -value replaces the whole list with this one entry)
set-item wsman:\localhost\Client\TrustedHosts -value "$Target" -Force

#Ensure WinRM is enabled on the target
.\PSTools\psexec \\$Target -s winrm.cmd quickconfig -q

#Create remote session
$session = New-PSSession -ComputerName $Target

#Run command in remote session
Write-Host " "
Write-Host "Gathering information on installed apps, please wait..." -foregroundcolor yellow
Invoke-Command -session $session -scriptblock{Get-WmiObject -Class Win32_Product | Sort-Object -Property Name | FT Name}

#Clean up the session this script created
Remove-PSSession -Session $session
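As an added example (this is not the post's own Get-InstalledApps script), here is a variant that appends the target to TrustedHosts with -Concatenate instead of replacing the whole list with a single entry, reads the inventory from the Uninstall registry keys instead of Win32_Product (enumerating Win32_Product makes Windows Installer run a consistency check, and possibly a repair, on every MSI package on the machine), and removes the session even when the query fails. It assumes WinRM is already enabled on the target, as the "already is set up" lines in the output above show; the -Target parameter name is this example's own choice.

```powershell
# Added example, not the post's own script: inventory installed applications on
# a remote computer over WinRM without touching Win32_Product.
param(
    [Parameter(Mandatory = $true)]
    [string]$Target
)

# Append to TrustedHosts only if the target is not already listed, so other
# entries an admin relies on are not wiped out
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$listed = @($current -split ',' | ForEach-Object { $_.Trim() })
if ($listed -notcontains $Target) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force
}

$session = $null
try {
    $session = New-PSSession -ComputerName $Target -ErrorAction Stop
    Write-Host "Gathering information on installed apps on $Target, please wait..." -ForegroundColor Yellow

    $apps = Invoke-Command -Session $session -ScriptBlock {
        # 64-bit and 32-bit (WOW6432Node) uninstall hives; these also list
        # non-MSI installers, which Win32_Product does not cover
        $keys = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString
    }

    $apps | Sort-Object DisplayName |
        Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize
}
finally {
    # Clean up only the session this script created
    if ($session) { Remove-PSSession -Session $session }
}
```

Run it the same way as the post's script, e.g. .\Get-InstalledApps-Registry.ps1 -Target testmachine1 (the file name is an assumption). UninstallString is collected but not printed; it is handy when a listed entry has to be traced back to its installer.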

Scan a remote computer with Symantec Endpoint Protection

1.    Run the command:
.\Scan-RemoteComputer
2.    You will be prompted for the computer name. Enter the DNS name of the target computer (without the domain), e.g. testmachine1
3.    The script performs the following actions:
a.    Modifies your local TrustedHosts list to allow you to connect to the target computer
b.    Enables WinRM on the target computer
c.    Runs a psexec command to start a Symantec Endpoint Protection scan of the target computer
d.    When the scan completes, displays the location of the log file on the remote computer
4.    Connect to the remote computer by browsing to the target computer's C drive (e.g. \\testmachine1\c$). When prompted for credentials, enter your domain administrator credentials.
5.    Copy the log file to your computer for analysis.
PS C:\Scripting> .\Scan-RemoteComputer.ps1
Enter the target computer name: testmachine1

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.
winrm.cmd exited on testmachine1 with error code 0.
Scan is starting on testmachine1 (all drives, all files). This will take a while to complete! Do not close this window.

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


The contents of the Scan-RemoteComputer script are:

#Prompt for target computer name
$Target = read-host "Enter the target computer name"

#Modify local TrustedHosts (note: -value replaces the whole list with this one entry)
set-item wsman:\localhost\Client\TrustedHosts -value "$Target" -Force

#Ensure WinRM is enabled on the target
.\PSTools\psexec \\$Target -s winrm.cmd quickconfig -q

Write-Host "Scan is starting on $Target (all drives, all files). This will take a while to complete! Do not close this window." -foregroundcolor yellow

#Run the SEP command-line scanner as SYSTEM on the target; psexec blocks until doscan.exe exits
.\PSTools\psexec \\$Target -s "c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\doscan.exe" /C /ScanAllDrives

Write-Host "Scan on $Target is complete. Check the log file at \\$Target\c$\ProgramData\Symantec\Symantec Endpoint Protection\(version number)\Data\Logs\AV for results." -foregroundcolor green
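Steps 4 and 5 above (browsing to the admin share and copying the log) can be scripted as well. The following is an added example and not part of the original post: it resolves the versioned SEP folder with a wildcard, so the "(version number)" part of the path never has to be typed, and copies the newest AV log to a local folder. It assumes the PowerShell window already runs with domain administrator credentials, as described at the top of the post; the function name Copy-SepAvLog and the default $Destination folder are this example's own choices.

```powershell
# Added example (not from the original post): copy the newest Symantec Endpoint
# Protection AV log from a remote computer over the c$ admin share.
function Copy-SepAvLog {
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [string]$Destination = "C:\Scripting\Logs"   # assumed local folder
    )

    $logRoot = "\\$Target\c$\ProgramData\Symantec\Symantec Endpoint Protection"

    # The version folder (e.g. 12.1.4013.4013.105) differs per install, so match it with a wildcard
    $avDirs = Get-Item -Path "$logRoot\*\Data\Logs\AV" -ErrorAction SilentlyContinue
    if (-not $avDirs) {
        Write-Warning "No SEP AV log folder found under $logRoot"
        return
    }

    New-Item -ItemType Directory -Path $Destination -Force | Out-Null

    foreach ($dir in $avDirs) {
        # The most recently written file holds the latest scan results
        $latest = Get-ChildItem -Path $dir.FullName -File |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 1
        if (-not $latest) {
            Write-Warning "No log files in $($dir.FullName)"
            continue
        }
        # Prefix with the host name so logs from several machines do not overwrite each other
        $dest = Join-Path $Destination ("{0}-{1}" -f $Target, $latest.Name)
        Copy-Item -Path $latest.FullName -Destination $dest -Force
        Write-Host "Copied $($latest.FullName) to $dest" -ForegroundColor Green
        $dest
    }
}

# Usage, after the scan has finished:
# Copy-SepAvLog -Target testmachine1
```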

Run an arbitrary command on a remote computer

In an elevated PowerShell window, change directory to C:\Scripting\PSTools:

cd \

cd .\Scripting\PSTools


PSTools can be downloaded from //docs.microsoft.com/en-us/sysinternals/downloads/pstools


Run the command:
.\psexec \\(target computer name) cmd (e.g.: .\psexec \\testmachine1 cmd)
Note that the title bar of the PowerShell window changes to show the remote computer name and the name of the command you ran, and the command prompt changes from PS C: to C:.
PS C:\Scripting> cd .\PSTools
PS C:\Scripting\PSTools> dir


    Directory: C:\Scripting\PSTools


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       29/09/2015  12:29 PM           7005 Eula.txt
-a----       20/06/2017  11:06 AM              0 psexec
-a----       29/09/2015  12:29 PM         396480 PsExec.exe
-a----       29/09/2015  12:29 PM         105264 psfile.exe
-a----       29/09/2015  12:29 PM         333176 PsGetsid.exe
-a----       29/09/2015  12:29 PM         390520 PsInfo.exe
-a----       29/09/2015  12:29 PM         468592 pskill.exe
-a----       29/09/2015  12:29 PM         232232 pslist.exe
-a----       29/09/2015  12:29 PM         183160 PsLoggedon.exe
-a----       29/09/2015  12:29 PM         178040 psloglist.exe
-a----       29/09/2015  12:29 PM         171608 pspasswd.exe
-a----       29/09/2015  12:29 PM         227520 psping.exe
-a----       29/09/2015  12:29 PM         169848 PsService.exe
-a----       29/09/2015  12:29 PM         207664 psshutdown.exe
-a----       29/09/2015  12:29 PM         187184 pssuspend.exe
-a----       29/09/2015  12:29 PM          66582 Pstools.chm
-a----       29/09/2015  12:29 PM             39 psversion.txt


PS C:\Scripting\PSTools> .\psexec \\testmachine1 cmd

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\windows\system32>hostname
testmachine1

PS C:\windows\system32> enter-pssession -ComputerName testmachine1 -Credential admin
[testmachine1]: PS C:\Users\ADMIN\Documents>


You can also start a remote PowerShell session with the following command:

enter-pssession -ComputerName testmachine1 -Credential admin

Some other useful PowerShell commands


Get Windows DLL file information / version

PS C:\windows\system32> (get-item .\zipfldr.dll).versioninfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
6.1.7600.16385   6.1.7600.1638... C:\windows\system32\zipfldr.dll


PS C:\windows\system32>
PS C:\windows\system32> get-item .\zipfldr.dll


    Directory: C:\windows\system32


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       08/06/2018  12:21 PM         369664 zipfldr.dll

Or use a vbs script:

PS C:\windows\system32> cscript .\versioninfo.vbs .\zipfldr.dll
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

6.1.7601.24168
PS C:\windows\system32> cscript //nologo .\versioninfo.vbs .\zipfldr.dll
6.1.7601.24168
PS C:\windows\system32>
PS C:\windows\system32> type .\versioninfo.vbs
set args = WScript.Arguments
Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Echo fso.GetFileVersion(args(0))
Wscript.Quit
PS C:\windows\system32> cscript //nologo .\versioninfo.vbs .\xolehlp.dll
2001.12.8530.16385
PS C:\windows\system32> (get-item .\xolehlp.dll).versioninfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
6.1.7600.16385   2001.12.8530.... C:\windows\system32\xolehlp.dll
PS C:\windows\system32>


There is a difference between the two approaches: the vbs script gives you the FileVersion only, while get-item lists both ProductVersion and FileVersion (and, as xolehlp.dll shows, the two can differ).
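When the question is "does every machine have the patched build of this DLL", the same VersionInfo lookup is more useful run across several hosts at once. The following is an added example, not code from the post: it runs Get-Item and Get-AuthenticodeSignature on each remote computer over WinRM and returns one row per host with both version fields and the signature status. The function name Get-RemoteFileVersion and the default path are this example's own choices.

```powershell
# Added example (not from the original post): collect FileVersion and
# ProductVersion of a file from several remote computers in one pass, plus the
# Authenticode signature status, so a patch rollout can be verified.
function Get-RemoteFileVersion {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [string]$Path = "C:\Windows\System32\zipfldr.dll"   # assumed default, same DLL as above
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $Path -ScriptBlock {
        param($p)
        $item = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $item) {
            [pscustomobject]@{
                Path = $p; FileVersion = $null; ProductVersion = $null
                LastWriteTime = $null; Signature = 'FileNotFound'
            }
            return
        }
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path           = $p
            # FileVersion is what versioninfo.vbs prints; ProductVersion is the extra column Get-Item shows
            FileVersion    = $item.VersionInfo.FileVersion
            ProductVersion = $item.VersionInfo.ProductVersion
            LastWriteTime  = $item.LastWriteTime
            Signature      = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        }
    } | Select-Object PSComputerName, Path, FileVersion, ProductVersion, LastWriteTime, Signature
}

# Usage:
# Get-RemoteFileVersion -ComputerName testmachine1, testmachine2 | Format-Table -AutoSize
```

PSComputerName is added by Invoke-Command itself, so the remote script block does not need to include the host name. A Signature value other than Valid on a Windows system DLL is worth a closer look before anything else.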

PS C:\ISOScripting\PSTools>tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0      7,316 K
smss.exe                       368 Services                   0        492 K
csrss.exe                      596 Services                   0      2,828 K
wininit.exe                    684 Services                   0      1,396 K
csrss.exe                      704 Console                    1    122,460 K
cmd.exe                       7956 Console                    1      4,528 K
....
C:\ISOScripting\PSTools>taskkill /pid 7956

Some examples using PSEXEC:

  • PSEXEC \\workstation64 CMD

Execute a program that is already installed on the remote system:

  • PSEXEC \\workstation64 "c:\Program Files\test.exe"

Connect to workstation64 and run ipconfig to display the remote PC's IP address:

  • PSEXEC \\workstation64 ipconfig

Connect to workstation64 and list a directory:

  • PSEXEC \\workstation64 -s cmd /c dir c:\work

Connect to workstation64 and copy a file from another server:

  • PSEXEC \\workstation64 -s cmd /c copy \\server21\share45\file.ext c:\localpath

Execute ipconfig on the remote system and display the output locally:

  • PSEXEC \\workstation64 ipconfig /all

Copy the program test.exe to the remote system and execute it interactively under the DannyGlover account:

  • PSEXEC \\workstation64 -c test.exe -u DannyGlover -p Pa55w0rd

Run Internet Explorer on the local computer, but with limited user rights:

  • PSEXEC -l -d "c:\program files\internet explorer\iexplore.exe"

Run Regedit on the local computer with SYSTEM privileges:

  • PSEXEC -s -i regedit.exe

In PowerShell, run a VBScript on a remote workstation and pass it some arguments ($args is a PowerShell automatic variable, so a different name is used here):

  • PS C:>$script = "C:\Program Files\demo.vbs"
  • PS C:>$scriptArgs = "more text"
  • PS C:>PSEXEC -s \\workstation64 c:\windows\system32\cscript.exe $script $scriptArgs

Some other useful commands:

  • tasklist -s RemoteMachineName
  •  .\pslist -accepteula

注意:

-accepteula Suppress the display of the license dialog.
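The last psexec example above, cscript with a script path and an argument on workstation64, has a WinRM equivalent that does not need PsExec on the path and that prompts for the account with Get-Credential rather than taking -u/-p on the command line (where the password ends up in the console history). The following is an added example, not code from the post; the function name Invoke-RemoteCscript and its parameter names are this example's own choices, and the script path is interpreted on the remote machine.

```powershell
# Added example (not from the original post): the WinRM equivalent of
#   psexec -s \\workstation64 c:\windows\system32\cscript.exe $script $scriptArgs
# using a prompted credential and returning the script's output and exit code.
function Invoke-RemoteCscript {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$ScriptPath,     # path as seen on the remote machine
        [string[]]$ScriptArgs = @(),
        [pscredential]$Credential = (Get-Credential -Message "Domain admin account for $ComputerName")
    )

    Invoke-Command -ComputerName $ComputerName -Credential $Credential `
        -ArgumentList $ScriptPath, $ScriptArgs -ScriptBlock {
        param($path, $scriptArgs)
        if (-not (Test-Path -LiteralPath $path)) {
            throw "Script not found on $($env:COMPUTERNAME): $path"
        }
        # //nologo suppresses the Script Host banner, so only the script's own output comes back
        $output = & "$env:SystemRoot\System32\cscript.exe" //nologo $path @scriptArgs 2>&1
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            ExitCode = $LASTEXITCODE
            Output   = ($output | Out-String).Trim()
        }
    }
}

# Usage:
# Invoke-RemoteCscript -ComputerName workstation64 -ScriptPath 'C:\Program Files\demo.vbs' -ScriptArgs 'more text'
```

Unlike psexec -s, this runs under the supplied account rather than SYSTEM; if the script really needs SYSTEM, the psexec form above is still the one to use.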

List / stop / disable / enable / start a remote service

List the services of a remote computer and generate an htm file to display them

<# 
.SYNOPSIS
Shows a list of services on a remote operating system.
 
.DESCRIPTION
Function to retrieve a list of services.
 
.EXAMPLE
PS> .\Get-Remote-Services.ps1
#> 

Get-Service * -computername test1.51sec.org | Select-Object Status, Name, DisplayName | ConvertTo-HTML | Out-File C:\temp\Test.htm
# Open the report in the default browser
Invoke-Item C:\temp\Test.htm

List the services of the local machine

<# 
.SYNOPSIS
Shows a list of services on your operating system.
 
.DESCRIPTION
Function to retrieve a list of services.
 
.EXAMPLE
PS> .\Get-Services.ps1
#> 

Get-WmiObject win32_service | Select Name, DisplayName, State, StartMode | Sort State, Name

Disable and stop a service on a remote computer
.\Disable-Remote-Service.ps1 test1.51sec.org RemoteRegistry

[cmdletbinding()]
param(
 [string[]]$ComputerName = $env:ComputerName,
 [parameter(Mandatory=$true)]
 [string[]]$ServiceName
)

foreach($Computer in $ComputerName) {
 Write-Host "Working on $Computer"
 if(!(Test-Connection -ComputerName $Computer -Count 1 -quiet)) {
  Write-Warning "$computer : Offline"
  Continue
 }

 foreach($service in $ServiceName) {
  try {
   $ServiceObject = Get-WMIObject -Class Win32_Service -ComputerName $Computer -Filter "Name='$service'" -EA Stop
   if(!$ServiceObject) {
    Write-Warning "$Computer : No service found with the name $service"
    Continue
   }
   if($ServiceObject.StartMode -eq "Disabled") {
    Write-Warning "$Computer : Service with the name $service already in disabled state"
    Continue
   }

   # Set-Service takes -StartupType; it has no -StartMode parameter
   Set-Service -ComputerName $Computer -Name $service -EA Stop -StartupType Disabled
   Write-Host "$Computer : Successfully disabled the service $service. Trying to stop it"
   # Win32_Service reports the run state in State ("Running"/"Stopped");
   # its Status property is the WMI health value ("OK"), so test State here
   if($ServiceObject.State -ne "Running") {
    Write-Warning "$Computer : $service already in stopped state"
    Continue
   }
   $retval = $ServiceObject.StopService()

   if($retval.ReturnValue -ne 0) {
    Write-Warning "$Computer : Failed to stop service. Return value is $($retval.ReturnValue)"
    Continue
   }

   Write-Host "$Computer : Stopped service successfully"

  } catch {
   Write-Warning "$computer : Failed to query $service. Details : $_"
   Continue
  }

 }

}

PS C:\ISOScripting> .\Disable-remote-service.ps1 10.1.1.5 RemoteRegistry
Working on 10.1.1.5
10.1.1.5 : Successfully disabled the service RemoteRegistry. Trying to stop it
10.1.1.5 : Stopped service successfully

Enable / start a remote service

Set-Service -Name RemoteRegistry -ComputerName 10.1.1.12 -StartupType Manual -ErrorAction Stop
Start-Service -InputObject (Get-Service -Name RemoteRegistry -ComputerName 10.1.1.12) -ErrorAction Stop
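The two service reports above dump every service; when troubleshooting, the rows that matter first are the automatic-start services that are not running. The following is an added example, not code from the post: it queries Win32_Service over CIM (the WS-Man based replacement for Get-WmiObject's DCOM path), writes an HTML report with that anomaly list at the top, opens it, and also returns the anomalies as objects so they can be piped onward. The function name Get-RemoteServiceReport and the default output path are this example's own choices.

```powershell
# Added example (not from the original post): HTML service report for a remote
# computer that leads with automatic-start services that are not running.
function Get-RemoteServiceReport {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [string]$OutFile = "C:\temp\$ComputerName-services.htm"   # assumed output path
    )

    # Get-CimInstance -ComputerName uses WinRM, the same channel the rest of the post relies on
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName

    # Auto-start services that are stopped are the anomalies a troubleshooter wants first
    $stoppedAuto = @($services | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' })

    $head = "<style>table{border-collapse:collapse}td,th{border:1px solid #999;padding:2px 6px}</style>"
    $body = @()
    $body += "<h2>Automatic services not running on $ComputerName ($($stoppedAuto.Count))</h2>"
    $body += $stoppedAuto | ConvertTo-Html -Fragment
    $body += "<h2>All services on $ComputerName</h2>"
    $body += $services | Sort-Object State, Name | ConvertTo-Html -Fragment

    ConvertTo-Html -Head $head -Body ($body -join "`n") |
        Out-File -FilePath $OutFile -Encoding utf8
    Invoke-Item $OutFile

    $stoppedAuto
}

# Usage:
# Get-RemoteServiceReport -ComputerName test1.51sec.org | Format-Table Name, State, StartName -AutoSize
```

StartName (the account the service runs as) and PathName are included because a service that has changed account or binary path is the kind of thing that should stand out in a report of a machine that is misbehaving.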

Check the firewall status of a remote computer

PS C:\ISOScripting\pstools> .\psexec.exe \\test1.51sec.ca netsh fir sh config

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com



Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing

Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
Enable   Inbound              VMware Workstation VMX / C:\program files (x86)\vmware\vmware workstation\x64\vmware-vmx.e
xe
Enable   Inbound              g2viewer.exe / C:\users\andywong\appdata\local\temp\g2_1470\g2viewer.exe
Enable   Inbound              SNAC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013
.105\Bin64\snac64.exe
Enable   Inbound              SMC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.
105\Bin64\Smc.exe
Enable   Inbound              Nuance Pdf Converter Professional / C:\Program Files (x86)\Nuance\PDF Professional 8\bin\G
aaihoDoc.exe
Enable   Inbound              Nuance Pdf Create Assistant / C:\Program Files (x86)\Nuance\PDF Professional 8\bin\GPDFDir
ect.exe
Enable   Inbound              Nuance Activation / C:\Program Files (x86)\Nuance\PDF Professional 8\PdfPro8Hook.exe
Enable   Inbound              Nuance Pdf Converter Assistant / C:\Program Files (x86)\Nuance\PDF Professional 8\PDFRoute
r.exe

Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
8298   TCP       Enable  Inbound               TechSmith Snagit
56789  TCP       Enable  Inbound               VMware vCenter Converter Standalone - Server
9089   TCP       Enable  Inbound               VMware vCenter Converter Standalone - Agent
2799   TCP       Enable  Inbound               Altova License Metering Port (TCP)
2799   UDP       Enable  Inbound               Altova License Metering Port (UDP)

ICMP configuration for Domain profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big
Enable   8     Allow inbound echo request

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Network Discovery

Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
Enable   Inbound              Firefox (C:\Program Files (x86)\Mozilla Firefox) / C:\Program Files (x86)\Mozilla Firefox\
firefox.exe
Enable   Inbound              SNAC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013
.105\Bin64\snac64.exe
Enable   Inbound              SMC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.
105\Bin64\Smc.exe
Enable   Inbound              Microsoft OneNote / C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE

Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
8298   TCP       Enable  Inbound               TechSmith Snagit
56789  TCP       Enable  Inbound               VMware vCenter Converter Standalone - Server
9089   TCP       Enable  Inbound               VMware vCenter Converter Standalone - Agent
2799   TCP       Enable  Inbound               Altova License Metering Port (TCP)
2799   UDP       Enable  Inbound               Altova License Metering Port (UDP)

ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

netsh exited on test1.51sec.ca with error code 0.
PS C:\ISOScripting\pstools>
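The output above ends with netsh itself pointing out that "netsh firewall" is deprecated, and it also shows a setting worth noticing on a domain machine: dropped-packet logging is disabled, so the firewall log would be of no use in an investigation. The following is an added example, not code from the post: it reads the same per-profile state with the NetSecurity cmdlets over a CIM session and flags profiles that are off or not logging blocked packets. It requires Windows 8 / Server 2012 or later on the target; for a Windows 7 host like the 6.1.7601 machine earlier in the post, those cmdlets do not exist and psexec with netsh advfirewall show allprofiles is the fallback. The function name Get-RemoteFirewallStatus is this example's own choice.

```powershell
# Added example (not from the original post): firewall profile state and logging
# on a remote computer via Get-NetFirewallProfile over a CIM session.
function Get-RemoteFirewallStatus {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $cim = New-CimSession -ComputerName $ComputerName -ErrorAction Stop
    try {
        Get-NetFirewallProfile -CimSession $cim | ForEach-Object {
            $enabled    = "$($_.Enabled)"    -eq 'True'   # GpoBoolean enum, compare as text
            $logBlocked = "$($_.LogBlocked)" -eq 'True'
            [pscustomobject]@{
                Computer             = $ComputerName
                Profile              = $_.Name                      # Domain, Private, Public
                Enabled              = $enabled
                DefaultInboundAction = "$($_.DefaultInboundAction)" # NotConfigured/Allow/Block
                LogBlocked           = $logBlocked
                LogAllowed           = "$($_.LogAllowed)" -eq 'True'
                LogFileName          = $_.LogFileName
                LogMaxSizeKB         = $_.LogMaxSizeKilobytes
                # What a reviewer wants to see first: profile off, or dropped packets not logged
                NeedsAttention       = (-not $enabled) -or (-not $logBlocked)
            }
        }
    }
    finally {
        Remove-CimSession -CimSession $cim
    }
}

# Usage:
# Get-RemoteFirewallStatus -ComputerName test1.51sec.ca | Format-Table -AutoSize
# Get-RemoteFirewallStatus -ComputerName test1.51sec.ca | Where-Object NeedsAttention
```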



By John Yang