Below are some scripts and methods for troubleshooting or running commands on remote computers. I have found them very useful if you have a domain admin account.
Prerequisites for running remote commands:

  • Install .NET Framework 4.5.2 from \\shareserver\it\$Install\Scripting prerequisite\NDP452-KB2901907-x86-x64-AllOS-ENU.exe
    • or from //www.microsoft.com/en-ca/download/details.aspx?id=42642
  • Install Windows Management Framework 5.1:
    • Copy the folder \\shareserver\it\$Install\Scripting prerequisite\Windows Management Framework 5.1 to your C drive, or download it from //docs.microsoft.com/en-us/powershell/wmf/5.1/install-configure
    • Open PowerShell as Administrator, navigate to the directory on your C drive, and run the command
      • .\install-wmf.ps1
  • Install Microsoft Visual C++ 2017 from \\shareserver\it\$Install\Scripting prerequisite\vc_redist.x64.exe
    • Download from //www.microsoft.com/en-us/download/details.aspx?id=52685
  • From a PowerShell prompt run as Administrator, run the command
    • Set-ExecutionPolicy Unrestricted -Force
  • From a PowerShell prompt run as Administrator, run the command
    • winrm quickconfig
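A script to verify the prerequisites above on the admin workstation before trying any remote command, as an added example that is not part of the original post. It assumes the .NET 4.5.2 "Release" registry value (379893) and that Test-WSMan against localhost is an adequate check that winrm quickconfig has been run.

```powershell
# Added example (not the post's code): check the listed prerequisites on the local machine.
# Assumption: .NET Framework 4.5.2 corresponds to a Release value of 379893 under NDP\v4\Full.

function Test-RemotingPrerequisites {
    [CmdletBinding()]
    param()

    $results = [ordered]@{}

    # .NET Framework 4.5.2 or later: the "Release" DWORD under NDP\v4\Full
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
    $results['DotNet452OrLater'] = ($release -ge 379893)

    # Windows Management Framework 5.1 ships PowerShell 5.1
    $results['PowerShell51'] = ($PSVersionTable.PSVersion -ge [version]'5.1')

    # Scripts must be allowed to run. RemoteSigned is enough for local scripts;
    # Unrestricted (as used in the post) also passes this check.
    $policy = Get-ExecutionPolicy
    $results['ScriptsAllowed'] = ($policy -in 'RemoteSigned', 'Unrestricted', 'Bypass')

    # A local WinRM listener is what "winrm quickconfig" sets up
    try {
        $null = Test-WSMan -ComputerName localhost -ErrorAction Stop
        $results['WinRMListening'] = $true
    } catch {
        $results['WinRMListening'] = $false
    }

    # Elevation is needed for TrustedHosts changes and for psexec -s
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $results['Elevated'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    [pscustomobject]$results
}

$check = Test-RemotingPrerequisites
$check | Format-List
if ($check.PSObject.Properties.Value -contains $false) {
    Write-Warning 'One or more prerequisites are missing; see the list above.'
}
```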

Sysinternals from a web browser:

Run PowerShell as Administrator

Click Start, then type PowerShell in the search field. Right-click "Windows PowerShell", click "Run as administrator" and enter your domain admin credentials.

You get an elevated PowerShell command prompt window running with domain admin credentials, which should have administrator rights on any computer joined to the corporate domain.

Within this window, change directory to C:\Scripting


Log in to a remote PowerShell session

PS C:\Scripting\PSTools>
PS C:\Scripting\PSTools> enter-pssession -ComputerName test-machine
[test-machine]: PS C:\Users\JADMIN\Documents>

Gather the applications installed on a remote computer

1.    Run the command:
.\Get-InstalledApps.ps1
2.    You will be prompted for the computer name. Enter the DNS name of the target computer without the domain, for example testmachine1.
3.    The script takes the following actions:
a.    Modifies your local TrustedHosts list to allow you to connect to the target computer
b.    Enables WinRM on the target computer
c.    Runs a Get-WmiObject command on the target computer and outputs the list of installed applications to the screen
4.    Verify the application list.

The output is below:

PS C:\Scripting> .\Get-InstalledApps.ps1
.\Get-InstalledApps.ps1 : File C:\Scripting\Get-InstalledApps.ps1 cannot be loaded because running scripts is
disabled on this system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\Get-InstalledApps.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
PS C:\Scripting> Set-ExecutionPolicy Unrestricted -Force
PS C:\Scripting> .\Get-InstalledApps.ps1
Enter the target computer name: testmachine1

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.
winrm.cmd exited on sarefeen-l with error code 0.

Gathering information on installed apps, please wait...

Name
----

 Tools for .Net 3.5
Adobe Acrobat Reader DC
Adobe Refresh Manager
Amazon Redshift ODBC Driver 64-bit
Check Point VPN
Cisco AnyConnect Secure Mobility Client
Desktop Authority Computer Agent
Dolby Audio X2 Windows API SDK
Google Chrome
Google Update Helper
Java 7 Update 55
Java 8 Update 161 (64-bit)
Java Auto Updater
...

The contents of the script Get-InstalledApps.ps1 are:

#Prompt for target computer name
$Target = read-host "Enter the target computer name"

#Modify local TrustedHosts (note: -Value without -Concatenate replaces the whole list with $Target)
set-item wsman:\localhost\Client\TrustedHosts -value "$Target" -Force

#Ensure WinRM is enabled on the target (runs winrm quickconfig there as SYSTEM via psexec)
.\PSTools\psexec \\$Target -s winrm.cmd quickconfig -q

#Create remote session
$session = New-PSSession -ComputerName $Target

#Run command in remote session
Write-Host " "
Write-Host "Gathering information on installed apps, please wait..." -foregroundcolor yellow
Invoke-Command -session $session -scriptblock{Get-WmiObject -Class Win32_Product | Sort-Object -Property Name | FT Name}

#Clean up sessions (removes every session in this PowerShell instance, not just the one created above)
Remove-PSSession *
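A variant of the same task as an added example, not the post's script: it reads the Uninstall registry keys instead of Win32_Product, appends to TrustedHosts with -Concatenate rather than overwriting the list, and removes only the session it opened. Querying Win32_Product makes Windows Installer run a consistency check on every MSI package on the target (slow, and it writes MsiInstaller events to the Application log); the registry read has no such side effect and also lists non-MSI applications.

```powershell
# Added example (not the post's code): installed apps via the Uninstall registry keys over WinRM.

function Get-RemoteInstalledApps {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [pscredential]$Credential
    )

    # Append the target to TrustedHosts only if it is not already listed
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    if (($trusted -split ',') -notcontains $ComputerName) {
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $ComputerName -Concatenate -Force
    }

    $sessionArgs = @{ ComputerName = $ComputerName; ErrorAction = 'Stop' }
    if ($Credential) { $sessionArgs['Credential'] = $Credential }
    $session = New-PSSession @sessionArgs

    try {
        Invoke-Command -Session $session -ScriptBlock {
            # Both the 64-bit and the 32-bit (WOW6432Node) uninstall hives
            $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
            Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName } |
                Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
                Sort-Object DisplayName -Unique
        }
    } finally {
        # Remove only the session this function created
        Remove-PSSession -Session $session
    }
}

# Usage: prompt for the target, as the original script does
$target = Read-Host 'Enter the target computer name'
Get-RemoteInstalledApps -ComputerName $target | Format-Table -AutoSize
```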

Symantec Endpoint Protection scan of a remote computer

1.    Run the command:
.\Scan-RemoteComputer.ps1
2.    You will be prompted for the computer name. Enter the DNS name of the target computer without the domain, for example testmachine1.
3.    The script takes the following actions:
a.    Modifies your local TrustedHosts list to allow you to connect to the target computer
b.    Enables WinRM on the target computer
c.    Runs a psexec command to start a Symantec Endpoint Protection scan on the target computer
d.    When the scan completes, displays the location of the log file on the remote computer
4.    Connect to the remote computer by browsing the target computer's C drive (e.g. \\testmachine1\c$) in File Explorer. When prompted for credentials, enter your domain admin credentials.
5.    Copy the log file to your computer for analysis.
PS C:\Scripting> 。\ Scan-RemoteComputer.ps1
Enter the target computer name: testmachine1

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.
winrm.cmd exited on testmachine1 with error code 0.
Scan is starting on testmachine1 (all drives, all files). This will take a while to complete! Do not close this window.

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


The contents of the script Scan-RemoteComputer.ps1 are:

#Prompt for target computer name
$Target = read-host "Enter the target computer name"

#Modify local TrustedHosts (note: -Value without -Concatenate replaces the whole list with $Target)
set-item wsman:\localhost\Client\TrustedHosts -value "$Target" -Force

#Ensure WinRM is enabled on the target (runs winrm quickconfig there as SYSTEM via psexec)
.\PSTools\psexec \\$Target -s winrm.cmd quickconfig -q

Write-Host "Scan is starting on $Target (all drives, all files). This will take a while to complete! Do not close this window." -foregroundcolor yellow

#Start a full SEP scan as SYSTEM; psexec does not return until doscan.exe exits
.\PSTools\psexec \\$Target -s "c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\doscan.exe" /C /ScanAllDrives

Write-Host "Scan on $Target is complete. Check the log file at \\$Target\c$\ProgramData\Symantec\Symantec Endpoint Protection\(version number)\Data\Logs\AV for results." -foregroundcolor green

Run an arbitrary command on a remote computer

Within the elevated PowerShell window, change directory to C:\Scripting\PSTools:

cd \

cd .\Scripting\PSTools


PSTools can be downloaded from //docs.microsoft.com/en-us/sysinternals/downloads/pstools


Run the command:
.\psexec \\(target computer name) cmd   (e.g. .\psexec \\testmachine1 cmd)
Note that the title bar of the PowerShell window changes to show the name of the remote computer and the command you ran, and the prompt changes from PS C:\ to C:\.
PS C:\Scripting> cd .\PSTools
PS C:\Scripting\PSTools> dir


    Directory: C:\Scripting\PSTools


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       29/09/2015  12:29 PM           7005 Eula.txt
-a----       20/06/2017  11:06 AM              0 psexec
-a----       29/09/2015  12:29 PM         396480 PsExec.exe
-a----       29/09/2015  12:29 PM         105264 psfile.exe
-a----       29/09/2015  12:29 PM         333176 PsGetsid.exe
-a----       29/09/2015  12:29 PM         390520 PsInfo.exe
-a----       29/09/2015  12:29 PM         468592 pskill.exe
-a----       29/09/2015  12:29 PM         232232 pslist.exe
-a----       29/09/2015  12:29 PM         183160 PsLoggedon.exe
-a----       29/09/2015  12:29 PM         178040 psloglist.exe
-a----       29/09/2015  12:29 PM         171608 pspasswd.exe
-a----       29/09/2015  12:29 PM         227520 psping.exe
-a----       29/09/2015  12:29 PM         169848 PsService.exe
-a----       29/09/2015  12:29 PM         207664 psshutdown.exe
-a----       29/09/2015  12:29 PM         187184 pssuspend.exe
-a----       29/09/2015  12:29 PM          66582 Pstools.chm
-a----       29/09/2015  12:29 PM             39 psversion.txt


PS C:\Scripting\PSTools> .\psexec \\testmachine1 cmd

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\windows\system32>hostname
testmachine1

PS C:\windows\system32> enter-pssession -ComputerName testmachine1 -Credential admin
[testmachine1]: PS C:\Users\ADMIN\Documents>


You can also start a remote PowerShell session with the command:

enter-pssession -ComputerName testmachine1 -Credential admin

Some other useful PowerShell commands


Get Windows DLL file information / version

PS C:\windows\system32> (get-item .\zipfldr.dll).versioninfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
6.1.7600.16385   6.1.7600.1638... C:\windows\system32\zipfldr.dll


PS C:\windows\system32>
PS C:\windows\system32> get-item .\zipfldr.dll


    Directory: C:\windows\system32


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       08/06/2018  12:21 PM         369664 zipfldr.dll

Or use a VBS script:

PS C:\windows\system32> cscript .\versioninfo.vbs .\zipfldr.dll
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

6.1.7601.24168
PS C:\windows\system32> cscript //nologo .\versioninfo.vbs .\zipfldr.dll
6.1.7601.24168
PS C:\windows\system32>
PS C:\windows\system32> type .\versioninfo.vbs
set args = WScript.Arguments
Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Echo fso.GetFileVersion(args(0))
Wscript.Quit
PS C:\windows\system32> cscript //nologo .\versioninfo.vbs .\xolehlp.dll
2001.12.8530.16385
PS C:\windows\system32> (get-item .\xolehlp.dll).versioninfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
6.1.7600.16385   2001.12.8530.... C:\windows\system32\xolehlp.dll
PS C:\windows\system32>


It looks like there is a difference between the two methods: the VBS script returns the FileVersion, while Get-Item lists both ProductVersion and FileVersion.

PS C:\ISOScripting\PSTools>tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0      7,316 K
smss.exe                       368 Services                   0        492 K
csrss.exe                      596 Services                   0      2,828 K
wininit.exe                    684 Services                   0      1,396 K
csrss.exe                      704 Console                    1    122,460 K
cmd.exe                       7956 Console                    1      4,528 K
....
C:\ISOScripting\PSTools>taskkill /pid 7956

Some examples using psexec:

  • psexec \\workstation64 cmd

Execute a program that is already installed on the remote system:

  • psexec \\workstation64 "C:\Program Files\Test.exe"

Connect to workstation64 and run ipconfig to display the remote PC's IP address:

  • psexec \\workstation64 ipconfig

Connect to workstation64 and list a directory:

  • psexec \\workstation64 -s cmd /c dir c:\work

Connect to workstation64 and copy a file from another server:

  • psexec \\workstation64 -s cmd /c copy \\server21\share45\file.ext c:\localpath

Execute ipconfig on the remote system and display the output locally:

  • psexec \\workstation64 ipconfig /all

Copy the program test.exe to the remote system and execute it interactively, running under the account dannyglover:

  • psexec \\workstation64 -c test.exe -u dannyglover -p pa55w0rd

Run Internet Explorer on the local computer, but with limited user rights:

  • psexec -l -d "C:\Program Files\Internet Explorer\iexplore.exe"

Run regedit on the local computer with SYSTEM privileges:

  • psexec -s -i regedit.exe

From PowerShell, run a VBScript on a remote workstation and pass it some arguments:

  • PS C:\> $script = 'c:\program files\demo.vbs'
  • PS C:\> $args = "more text"
  • PS C:\> psexec -s \\workstation64 c:\windows\system32\cscript.exe $script $args

Some other useful commands:

  • tasklist -s remotemachinename
  • .\pslist -accepteula

Notes:

-accepteula    Suppress the display of the license dialog.

List / stop / disable / enable / start remote services

List the services on a remote computer and generate an HTM file to display them

<# 
.SYNOPSIS
Shows a list of services on remote operating system.
 
.DESCRIPTION
Function to retrieve a list of services.
 
.EXAMPLE
PS> .\Get-Remote-Services.ps1
#> 

Get-Service * -computername test1.51sec.org | Select-Object Status, Name, DisplayName | ConvertTo-HTML | Out-File C:\temp\Test.htm
Invoke-Expression C:\temp\Test.htm

List the services on the local machine

<# 
.SYNOPSIS
Shows a list of services on your operating system.
 
.DESCRIPTION
Function to retrieve a list of services.
 
.EXAMPLE
PS> .\Get-Services.ps1
#> 

Get-WmiObject win32_service | Select Name, DisplayName, State, StartMode | Sort State, Name

Disable a service on a remote computer and stop it
.\Disable-Remote-Service.ps1 test1.51sec.org RemoteRegistry

[cmdletbinding()]
param(
 [string[]]$ComputerName = $env:ComputerName,
 [parameter(Mandatory=$true)]
 [string[]]$ServiceName
)

foreach($Computer in $ComputerName) {
 Write-Host "Working on $Computer"
 if(!(Test-Connection -ComputerName $Computer -Count 1 -quiet)) {
  Write-Warning "$computer : Offline"
  Continue
 }

 foreach($service in $ServiceName) {
  try {
   $ServiceObject = Get-WMIObject -Class Win32_Service -ComputerName $Computer -Filter "Name='$service'" -EA Stop
   if(!$ServiceObject) {
    Write-Warning "$Computer : No service found with the name $service"
    Continue
   }
   if($ServiceObject.StartMode -eq "Disabled") {
    Write-Warning "$Computer : Service with the name $service already in disabled state"
    Continue
   }

   # Set-Service takes -StartupType (there is no -StartMode parameter)
   Set-Service -ComputerName $Computer -Name $service -EA Stop -StartupType Disabled
   Write-Host "$Computer : Successfully disabled the service $service. Trying to stop it"
   # Win32_Service reports the run state in State; Status is the health string ("OK")
   if($ServiceObject.State -ne "Running") {
    Write-Warning "$Computer : $service already in stopped state"
    Continue
   }
   $retval = $ServiceObject.StopService()

   if($retval.ReturnValue -ne 0) {
    Write-Warning "$Computer : Failed to stop service. Return value is $($retval.ReturnValue)"
    Continue
   }

   Write-Host "$Computer : Stopped service successfully"

  } catch {
   Write-Warning "$computer : Failed to query $service. Details : $_"
   Continue
  }

 }

}

PS C:\ISOScripting> .\Disable-remote-service.ps1 10.1.1.5 RemoteRegistry
Working on 10.1.1.5
10.1.1.5 : Successfully disabled the service RemoteRegistry. Trying to stop it
10.1.1.5 : Stopped service successfully

Enable / start a remote service

Set-Service -Name RemoteRegistry -ComputerName 10.1.1.12 -StartupType Manual -ErrorAction Stop
Start-Service -InputObject (Get-Service -Name RemoteRegistry -ComputerName 10.1.1.12) -ErrorAction Stop

Check the remote computer's firewall status

PS C:\ISOScripting\pstools> .\psexec.exe \\test1.51sec.ca netsh fir sh config

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com



Domain profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing

Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
Enable   Inbound              VMware Workstation VMX / C:\program files (x86)\vmware\vmware workstation\x64\vmware-vmx.e
xe
Enable   Inbound              g2viewer.exe / C:\users\andywong\appdata\local\temp\g2_1470\g2viewer.exe
Enable   Inbound              SNAC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013
.105\Bin64\snac64.exe
Enable   Inbound              SMC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.
105\Bin64\Smc.exe
Enable   Inbound              Nuance Pdf Converter Professional / C:\Program Files (x86)\Nuance\PDF Professional 8\bin\G
aaihoDoc.exe
Enable   Inbound              Nuance Pdf Create Assistant / C:\Program Files (x86)\Nuance\PDF Professional 8\bin\GPDFDir
ect.exe
Enable   Inbound              Nuance Activation / C:\Program Files (x86)\Nuance\PDF Professional 8\PdfPro8Hook.exe
Enable   Inbound              Nuance Pdf Converter Assistant / C:\Program Files (x86)\Nuance\PDF Professional 8\PDFRoute
r.exe

Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
8298   TCP       Enable  Inbound               TechSmith Snagit
56789  TCP       Enable  Inbound               VMware vCenter Converter Standalone - Server
9089   TCP       Enable  Inbound               VMware vCenter Converter Standalone - Agent
2799   TCP       Enable  Inbound               Altova License Metering Port (TCP)
2799   UDP       Enable  Inbound               Altova License Metering Port (UDP)

ICMP configuration for Domain profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big
Enable   8     Allow inbound echo request

Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable

Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          Network Discovery

Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
Enable   Inbound              Firefox (C:\Program Files (x86)\Mozilla Firefox) / C:\Program Files (x86)\Mozilla Firefox\
firefox.exe
Enable   Inbound              SNAC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013
.105\Bin64\snac64.exe
Enable   Inbound              SMC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.
105\Bin64\Smc.exe
Enable   Inbound              Microsoft OneNote / C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE

Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
8298   TCP       Enable  Inbound               TechSmith Snagit
56789  TCP       Enable  Inbound               VMware vCenter Converter Standalone - Server
9089   TCP       Enable  Inbound               VMware vCenter Converter Standalone - Agent
2799   TCP       Enable  Inbound               Altova License Metering Port (TCP)
2799   UDP       Enable  Inbound               Altova License Metering Port (UDP)

ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   2     Allow outbound packet too big

Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

netsh exited on test1.51sec.ca with error code 0.
PS C:\ISOScripting\pstools>
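The same firewall check done over WinRM with the NetSecurity cmdlets that replaced "netsh firewall", as an added example that is not part of the original post. It assumes the target runs Windows 8 / Server 2012 or later (where those cmdlets exist), that a PowerShell remoting session to it already works as shown above, and that testmachine1 is a placeholder host name.

```powershell
# Added example (not the post's code): per-profile firewall state plus every enabled inbound
# allow rule with its port and program, which is what a reviewer wants from the netsh output.

function Get-RemoteFirewallAudit {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
        $profiles = Get-NetFirewallProfile | ForEach-Object {
            [pscustomobject]@{
                Profile        = $_.Name
                Enabled        = $_.Enabled
                DefaultInbound = $_.DefaultInboundAction
                LogDropped     = $_.LogBlocked
                LogFile        = $_.LogFileName
            }
        }

        # Enabled rules that allow inbound traffic, joined to their port and program filters
        $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
            ForEach-Object {
                $port = $_ | Get-NetFirewallPortFilter
                $app  = $_ | Get-NetFirewallApplicationFilter
                [pscustomobject]@{
                    Profile  = $_.Profile
                    Name     = $_.DisplayName
                    Protocol = $port.Protocol
                    Port     = ($port.LocalPort -join ',')
                    Program  = $app.Program
                }
            }

        [pscustomobject]@{ Profiles = $profiles; InboundAllowRules = $rules }
    }
}

$audit = Get-RemoteFirewallAudit -ComputerName 'testmachine1'   # placeholder host name
$audit.Profiles | Format-Table -AutoSize
$audit.InboundAllowRules | Sort-Object Profile, Name | Format-Table -AutoSize

# Flag the weak setting visible in the netsh output above: dropped-packet logging is off
$audit.Profiles | Where-Object { "$($_.LogDropped)" -ne 'True' } |
    ForEach-Object { Write-Warning "$($_.Profile) profile: dropped-packet logging is off" }
```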



By jonny.
