以下是一些脚本和方法,用于在远程计算机中进行远程故障排除或运行某些命令。如果您有域名管理员帐户,我发现它们非常有用。
运行远程命令的先决条件:
- 安装.NET Framework 4.5.2来自\\ Shareserver \ IT \ $ Install \脚本前提条件\ NDP452-KB2901907-X86-X64-Allos-enu.exe
- or from //www.microsoft.com/en-ca/download/details.aspx?id=42642
- 安装Windows管理框架
5.1: - 复制文件夹 \\shareserver\it\$Install\Scripting prerequisite\Windows Management Framework 5.1 to your C drive or download from //docs.microsoft.com/en-us/powershell/wmf/5.1/install-configure
- 打开PowerShell作为管理员,
导航到C驱动器上的目录,然后运行命令 - 。\ \ install-wmf.ps1
- 从\\ shareServer \ it \ $ install \脚本prerequisite \ vc_redist.x64.exe安装Microsoft Visual C ++ 2017
- Download from //www.microsoft.com/en-us/download/details.aspx?id=52685
- 从作为管理员身份运行的PowerShell提示符,运行命令
- Set-ExecutionPolicy Unrestrite -Force
- 来自PowerShell提示运行
管理员,运行命令 - Winrm QuickConfig
目录
来自Web浏览器的Sysinternals:
以管理员身份运行PowerShell
点击
开始,然后键入 电源外壳 在搜索字段中。右键单击“Windows PowerShell”,然后单击“运行”
作为管理员“并输入您的域管理员凭据。
开始,然后键入 电源外壳 在搜索字段中。右键单击“Windows PowerShell”,然后单击“运行”
作为管理员“并输入您的域管理员凭据。
你收到
使用域管理员运行的升高的PowerShell命令提示符窗口
凭据,应该将管理员权限与加入的任何计算机
企业领域。
使用域管理员运行的升高的PowerShell命令提示符窗口
凭据,应该将管理员权限与加入的任何计算机
企业领域。
在这内
窗口,将目录更改为C:\脚本
窗口,将目录更改为C:\脚本
–
远程登录PowerShell会话
PS C:\Scripting\PSTools>
PS C:\Scripting\PSTools> enter-pssession -ComputerName test-machine
[test-machine]: PS C:\Users\JADMIN\Documents>
收集远程已安装的应用程序
1. 运行命令:
。\ get-installapps
。\ get-installapps
2. 系统将提示您进行计算机
名称。例如,在没有域的情况下输入目标计算机的DNS名称。 testmachine1.
名称。例如,在没有域的情况下输入目标计算机的DNS名称。 testmachine1.
3. 脚本需要以下内容
行动:
行动:
一种。 修改您当地的Trustedhosts
列表允许您连接到目标计算机
列表允许您连接到目标计算机
湾 在目标计算机上启用WinRM
C。 运行一个get-wmiobject命令
目标计算机并将已安装的应用程序列表输出到屏幕上
目标计算机并将已安装的应用程序列表输出到屏幕上
4. 验证应用程序列表。
以下是输出:
PS C:\Scripting> 。\ get-installapps.ps1 。\ get-installapps.ps1 : File C:\Scripting\Get-InstalledApps.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170. At line:1 char:1 + .\Get-InstalledApps.ps1 + ~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : SecurityError: (:) [], PSSecurityException + FullyQualifiedErrorId : UnauthorizedAccessPS C:\Scripting> Set-ExecutionPolicy Unrestrite -ForcePS C:\Scripting> 。\ get-installapps.ps1 Enter the target computer name: testmachine1 PsExec v2.11 - Execute processes remotely Copyright (C) 2001-2014 Mark Russinovich Sysinternals - www.sysinternals.com WinRM already is set up to receive requests on this machine. WinRM already is set up for remote management on this machine. winrm.cmd exited on sarefeen-l with error code 0. Gathering information on installed apps, please wait... Name ---- Tools for .Net 3.5 Adobe Acrobat Reader DC Adobe Refresh Manager Amazon Redshift ODBC Driver 64-bit Check Point VPN Cisco AnyConnect Secure Mobility Client Desktop Authority Computer Agent Dolby Audio X2 Windows API SDK Google Chrome Google Update Helper Java 7 Update 55 Java 8 Update 161 (64-bit) Java Auto Updater ...
剧本 get-installapps. 内容是:
#Prompt for target computer name $Target = read-host "Enter the target computer name" #Modify local TrustedHosts set-item wsman:\localhost\Client\TrustedHosts -value "$Target" -Force #Ensure WinRM is enabled set-item wsman:\localhost\Client\TrustedHosts -value "$Target" -Force .\PSTools\psexec \\$Target -s winrm.cmd quickconfig -q #Create remote session $session = New-PSSession -ComputerName $Target #Run command in remote session Write-Host " " Write-Host "Gathering information on installed apps, please wait..." -foregroundcolor yellow Invoke-Command -session $session -scriptblock{Get-WmiObject -Class Win32_Product | Sort-Object -Property Name | FT Name} #Clean up sessions Remove-PSSession *
赛门铁克 Endpoint Protection扫描远程计算机
1. 运行命令:
。\ Scan-RemoteComputer
。\ Scan-RemoteComputer
2. 系统将提示您进行计算机
名称。例如,在没有域的情况下输入目标计算机的DNS名称。 testmachine1.
名称。例如,在没有域的情况下输入目标计算机的DNS名称。 testmachine1.
3. 脚本需要以下内容
行动:
行动:
一种。 修改您当地的Trustedhosts
列表允许您连接到目标计算机
列表允许您连接到目标计算机
湾 在目标计算机上启用WinRM
C。 运行psexec命令以启动一个
赛门铁克目标计算机的端点保护扫描
赛门铁克目标计算机的端点保护扫描
天。 扫描完成后,显示
远程计算机上的日志文件的位置
远程计算机上的日志文件的位置
4. 连接到远程计算机
浏览目标计算机的C驱动器(例如 \\ testmachine1 \ c $)在文件资源管理器中。提示凭据凭据时,请输入您的域名
管理员凭据。
浏览目标计算机的C驱动器(例如 \\ testmachine1 \ c $)在文件资源管理器中。提示凭据凭据时,请输入您的域名
管理员凭据。
5. 将日志文件复制到计算机
分析。
分析。
PS C:\Scripting> 。\ Scan-RemoteComputer.ps1
Enter the target computer name: testmachine1
PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.
winrm.cmd exited on testmachine1 with error code 0.
Scan is starting on testmachine1 (all drives, all files). This will take a while to complete! Do not close this window.
PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
剧本 扫描遥控器 内容是:
#Prompt for target computer name $Target = read-host "Enter the target computer name" #Modify local TrustedHosts set-item wsman:\localhost\Client\TrustedHosts -value "$Target" -Force #Ensure WinRM is enabled set-item wsman:\localhost\Client\TrustedHosts -value "$Target" -Force .\PSTools\psexec \\$Target -s winrm.cmd quickconfig -q Write-Host "Scan is starting on $Target (all drives, all files). This will take a while to complete! Do not close this window." -foregroundcolor yellow .\PSTools\psexec \\$Target -s "c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\doscan.exe" /C /ScanAllDrives Write-Host "Scan on $Target is complete. Check the log file at \\$Target\c$\ProgramData\Symantec\Symantec Endpoint Protection\(version number)\Data\Logs\AV for results." -foregroundcolor green
在a上运行任意命令
远程计算机
在这内
提升的PowerShell窗口,将目录更改为C:\ Scripting \ PStools:
提升的PowerShell窗口,将目录更改为C:\ Scripting \ PStools:
–
光盘\
光盘\
–
CD。\脚本\ pstools
CD。\脚本\ pstools
PSTools can be downloaed from //docs.microsoft.com/en-us/sysinternals/downloads/pstools
跑过
命令:
。\ psexec \\(目标计算机名称)cmd (例如。: 。\ psexec \\ testmachine1 cmd)
注意
PowerShell窗口的标题栏更改以指示远程计算机
您ran的命令和命令的名称,并且命令提示符更改
来自ps c:to c:。
PowerShell窗口的标题栏更改以指示远程计算机
您ran的命令和命令的名称,并且命令提示符更改
来自ps c:to c:。
PS C:\Scripting> cd .\PSToolsPS C:\Scripting\PSTools> dir Directory: C:\Scripting\PSTools Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 29/09/2015 12:29 PM 7005 Eula.txt -a---- 20/06/2017 11:06 AM 0 psexec -a---- 29/09/2015 12:29 PM 396480 PsExec.exe -a---- 29/09/2015 12:29 PM 105264 psfile.exe -a---- 29/09/2015 12:29 PM 333176 PsGetsid.exe -a---- 29/09/2015 12:29 PM 390520 PsInfo.exe -a---- 29/09/2015 12:29 PM 468592 pskill.exe -a---- 29/09/2015 12:29 PM 232232 pslist.exe -a---- 29/09/2015 12:29 PM 183160 PsLoggedon.exe -a---- 29/09/2015 12:29 PM 178040 psloglist.exe -a---- 29/09/2015 12:29 PM 171608 pspasswd.exe -a---- 29/09/2015 12:29 PM 227520 psping.exe -a---- 29/09/2015 12:29 PM 169848 PsService.exe -a---- 29/09/2015 12:29 PM 207664 psshutdown.exe -a---- 29/09/2015 12:29 PM 187184 pssuspend.exe -a---- 29/09/2015 12:29 PM 66582 Pstools.chm -a---- 29/09/2015 12:29 PM 39 psversion.txt PS C:\Scripting\PSTools> 。\ psexec \\ testmachine1 cmd PsExec v2.11 - Execute processes remotely Copyright (C) 2001-2014 Mark Russinovich Sysinternals - www.sysinternals.com Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\windows\system32>hostnametestmachine1. PS C:\windows\system32> enter-pssession -ComputerName testmachine1 -Credential admin [testmachine1]: PS C:\Users\ADMIN\Documents>
您还可以使用命令远程启动PowerShell会话:
enter-pssession -ComputerName testmachine1 -Credential admin
其他一些有用的powershell命令
获取Windows DLL文件信息/版本
PS C:\windows\system32> (get-item .\zipfldr.dll).versioninfo
ProductVersion FileVersion FileName
-------------- ----------- --------
6.1.7600.16385 6.1.7600.1638... C:\windows\system32\zipfldr.dll
PS C:\windows\system32>
PS C:\windows\system32> get-item .\zipfldr.dll
Directory: C:\windows\system32
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 08/06/2018 12:21 PM 369664 zipfldr.dll
或使用VBS脚本:
PS C:\windows\system32> cscript .\versioninfo.vbs .\zipfldr.dll
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
6.1.7601.24168PS C:\windows\system32> cscript //nologo .\versioninfo.vbs .\zipfldr.dll
6.1.7601.24168
PS C:\windows\system32>
PS C:\windows\system32> type .\versioninfo.vbs set args = WScript.Arguments Set fso = CreateObject("Scripting.FileSystemObject") WScript.Echo fso.GetFileVersion(args(0)) Wscript.Quit
PS C:\windows\system32> cscript //nologo .\versioninfo.vbs .\xolehlp.dll
2001.12.8530.16385
PS C:\windows\system32> (get-item .\xolehlp.dll).versioninfo
ProductVersion FileVersion FileName
-------------- ----------- --------
6.1.7600.16385 2001.12.8530.... C:\windows\system32\xolehlp.dll
PS C:\windows\system32>
看起来这两种方式之间存在差异。 VBS脚本将收到FileVersion,Get-Item将列出Production和FileVersion。
PS C:\ISOScripting\PSTools>tasklist Image Name PID Session Name Session# Mem Usage ========================= ======== ================ =========== ============ System Idle Process 0 Services 0 24 K System 4 Services 0 7,316 K smss.exe 368 Services 0 492 K csrss.exe 596 Services 0 2,828 K wininit.exe 684 Services 0 1,396 K csrss.exe 704 Console 1 122,460 K
cmd.exe 7956 Console 1 4,528 K
....
C:\ISOScripting\PSTools>taskkill /pid 7956
使用psexec的一些示例:
- psexec \\ workstation64 cmd
执行已安装在远程系统上的程序:
- psexec \\ Workstation64“C:\ Program Files \ Test.exe”
连接到工作站64并运行 ipconfig. 要显示远程PC的IP地址:
- psexec \\ workstation64 ipconfig
连接到Workstation64并列出目录:
- psexec \\ workstation64 -s cmd / c dir c:\ work
连接到Workstation64并从另一台服务器复制文件:
- psexec \\ workstation64-s cmd / c copy \\ server21 \ share45 \ file.ext c:\ localPath
在远程系统上执行ipconfig,并在本地显示输出:
- psexec \\ workstation64 ipconfig /全部
将程序TEST.EXE复制到远程系统并交互方式执行,在帐户DANNYGLOVER下运行:
- psexec \\ workstation64 -c test.exe -u dannyglover -p pa55w0rd
在本地计算机上运行Internet Explorer,但具有有限的用户权限:
- PSEXEC -L -D“C:\ Program Files \ Internet Explorer \ Iexplore.exe”
在具有系统特权的本地计算机上运行Regedit:
- psexec -s -i regedit.exe
来自PowerShell,在远程工作站上运行VBScript并传递一些参数:
- PS C:>$ script ='c:\ program files \ demo.vbs'
- PS C:>$ args =“更多文字”
- PS C:>psexec -s \\ workstation64 c:\ windows \ system32 \ cscript.exe $ scipt $ args
其他一些有用的命令:
- tasklist -s remotemachinename.
- .\pslist -accepteula
笔记:
-accepteula Suppress the display of the license dialog.
列表/停止/禁用/启用/启动远程服务
列出远程计算机的服务并生成HTM文件以显示
<# .SYNOPSIS Shows a list of services on remote operating system. .DESCRIPTION Function to retrieve a list of services. .EXAMPLE PS> .\Get-Remote-Services.ps1 #> Get-Service * -computername test1.51sec.org | Select-Object Status, Name, DisplayName | ConvertTo-HTML | Out-File C:\temp\Test.htm Invoke-Expression C:\temp\Test.htm
列出本地机器的服务
<# .SYNOPSIS Shows a list of services on your operating system. .DESCRIPTION Function to retrieve a list of services. .EXAMPLE PS> .\Get-Services.ps1 #> Get-WmiObject win32_service | Select Name, DisplayName, State, StartMode | Sort State, Name
禁用远程计算机的服务并停止它
。\ disable-remote-service.ps1 test1.51sec.org remotergistry
[cmdletbinding()] param( [string[]]$ComputerName = $env:ComputerName, [parameter(Mandatory=$true)] [string[]]$ServiceName ) foreach($Computer in $ComputerName) { Write-Host "Working on $Computer" if(!(Test-Connection -ComputerName $Computer -Count 1 -quiet)) { Write-Warning "$computer : Offline" Continue } foreach($service in $ServiceName) { try { $ServiceObject = Get-WMIObject -Class Win32_Service -ComputerName $Computer -Filter "Name='$service'" -EA Stop if(!$ServiceObject) { Write-Warning "$Computer : No service found with the name $service" Continue } if($ServiceObject.StartMode -eq "Disabled") { Write-Warning "$Computer : Service with the name $service already in disabled state" Continue } Set-Service -ComputerName $Computer -Name $service -EA Stop -StartMode Disabled Write-Host "$Computer : Successfully disabled the service $service. Trying to stop it" if($ServiceObject.Status -eq "Running") { Write-Warning "$Computer : $service already in stopped state" Continue } $retval = $ServiceObject.StopService() if($retval.ReturnValue -ne 0) { Write-Warning "$Computer : Failed to stop service. Return value is $($retval.ReturnValue)" Continue } Write-Host "$Computer : Stopped service successfully" } catch { Write-Warning "$computer : Failed to query $service. Details : $_" Continue } } }
PS C:\ISOScripting> .\Disable-remote-service.ps1 10.1.1.5 RemoteRegistry
Working on 10.1.1.5
10.1.1.5 : Successfully disabled the service RemoteRegistry. Trying to stop it
10.1.1.5 : Stopped service successfully
启用/启动远程服务
Set-Service -Name RemoteRegistry -ComputerName 10.1.1.12 -StartupType Manual -ErrorAction Stop Start-Service -InputObject (Get-Service -Name RemoteRegistry -ComputerName 10.1.1.12) -ErrorAction Stop
检查远程计算机防火墙状态
PS C:\ISOScripting\pstools> .\psexec.exe \\test1.51sec.ca netsh fir sh config
PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound VMware Workstation VMX / C:\program files (x86)\vmware\vmware workstation\x64\vmware-vmx.e
xe
Enable Inbound g2viewer.exe / C:\users\andywong\appdata\local\temp\g2_1470\g2viewer.exe
Enable Inbound SNAC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013
.105\Bin64\snac64.exe
Enable Inbound SMC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.
105\Bin64\Smc.exe
Enable Inbound Nuance Pdf Converter Professional / C:\Program Files (x86)\Nuance\PDF Professional 8\bin\G
aaihoDoc.exe
Enable Inbound Nuance Pdf Create Assistant / C:\Program Files (x86)\Nuance\PDF Professional 8\bin\GPDFDir
ect.exe
Enable Inbound Nuance Activation / C:\Program Files (x86)\Nuance\PDF Professional 8\PdfPro8Hook.exe
Enable Inbound Nuance Pdf Converter Assistant / C:\Program Files (x86)\Nuance\PDF Professional 8\PDFRoute
r.exe
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
8298 TCP Enable Inbound TechSmith Snagit
56789 TCP Enable Inbound VMware vCenter Converter Standalone - Server
9089 TCP Enable Inbound VMware vCenter Converter Standalone - Agent
2799 TCP Enable Inbound Altova License Metering Port (TCP)
2799 UDP Enable Inbound Altova License Metering Port (UDP)
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound Firefox (C:\Program Files (x86)\Mozilla Firefox) / C:\Program Files (x86)\Mozilla Firefox\
firefox.exe
Enable Inbound SNAC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013
.105\Bin64\snac64.exe
Enable Inbound SMC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.
105\Bin64\Smc.exe
Enable Inbound Microsoft OneNote / C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
8298 TCP Enable Inbound TechSmith Snagit
56789 TCP Enable Inbound VMware vCenter Converter Standalone - Server
9089 TCP Enable Inbound VMware vCenter Converter Standalone - Agent
2799 TCP Enable Inbound Altova License Metering Port (TCP)
2799 UDP Enable Inbound Altova License Metering Port (UDP)
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
netsh exited on test1.51sec.ca with error code 0.
PS C:\ISOScripting\pstools>