Here are some scripts and methods for remote troubleshooting, or for running certain commands on a remote computer. I have found them very useful, especially in an enterprise environment (provided you have a domain administrator account).
Prerequisites for running remote commands:
- Install .NET Framework 4.5.2 from \\shareserver\it\$Install\Scripting prerequisites\NDP452-KB2901907-x86-x64-AllOS-ENU.exe
- or from //www.microsoft.com/en-ca/download/details.aspx?id=42642
- Install Windows Management Framework 5.1:
- Install the Microsoft Visual C++ 2017 Redistributable from \\shareserver\it\$Install\Scriptingrequisite\VC_redist.x64.exe
- Download from //www.microsoft.com/en-us/download/details.aspx?id=52685
- In a PowerShell prompt run as administrator, run the following command:
- Set-ExecutionPolicy Unrestricted -Force
- From a PowerShell prompt run as administrator, run the command: Winrm QuickConfig
Sysinternals in a web browser:
Run PowerShell as administrator:
Click Start, then type powershell in the search field. Right-click "Windows PowerShell", click "Run as administrator", and enter your domain administrator credentials.
In the elevated PowerShell command prompt window, which now runs with your domain administrator credentials (these should have administrator rights on any computer joined to the enterprise domain), change directory to C:\scripts.
Log in remotely to a PowerShell session:
PS C:\Scripting\PSTools>
PS C:\Scripting\PSTools> enter-pssession -ComputerName test-machine
[test-machine]: PS C:\Users\JADMIN\Documents>
Collecting installed applications remotely
.\Get-InstalledApps
Name: enter the DNS name of the target computer (without the domain), e.g. testmachine1
Actions:
- Adds the target computer to the local TrustedHosts list to allow you to connect to the target computer
- Enables WinRM on the target computer and outputs the list of installed applications to the screen
Output is as follows:
PS C:\Scripting> .\Get-InstalledApps.ps1
.\Get-InstalledApps.ps1 : File C:\Scripting\Get-InstalledApps.ps1 cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\Get-InstalledApps.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess
PS C:\Scripting> Set-ExecutionPolicy Unrestricted -Force
PS C:\Scripting> .\Get-InstalledApps.ps1
Enter the target computer name: testmachine1

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.
winrm.cmd exited on sarefeen-l with error code 0.

Gathering information on installed apps, please wait...

Name
----
Tools for .Net 3.5
Adobe Acrobat Reader DC
Adobe Refresh Manager
Amazon Redshift ODBC Driver 64-bit
Check Point VPN
Cisco AnyConnect Secure Mobility Client
Desktop Authority Computer Agent
Dolby Audio X2 Windows API SDK
Google Chrome
Google Update Helper
Java 7 Update 55
Java 8 Update 161 (64-bit)
Java Auto Updater
...
The contents of the script Get-InstalledApps are:
# Prompt for target computer name
$Target = read-host "Enter the target computer name"
# Modify local TrustedHosts
set-item wsman:\localhost\Client\TrustedHosts -value "$Target" -Force
# Ensure WinRM is enabled
.\PSTools\psexec \\$Target -s winrm.cmd quickconfig -q
# Create remote session
$session = New-PSSession -ComputerName $Target
# Run command in remote session
Write-Host " "
Write-Host "Gathering information on installed apps, please wait..." -foregroundcolor yellow
# Note: querying Win32_Product makes Windows Installer run a consistency check on every MSI package
Invoke-Command -session $session -scriptblock{Get-WmiObject -Class Win32_Product | Sort-Object -Property Name | FT Name}
# Clean up sessions
Remove-PSSession *
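A hardened variant of the same workflow, added here as an example (it is not the script from this post). It assumes WinRM is already enabled on the target, as the output above shows, and that you supply the target name and a domain administrator credential when prompted. It appends to TrustedHosts instead of overwriting the whole list, reads installed software from the Uninstall registry keys rather than Win32_Product (which triggers a consistency check of every MSI package on each query), and removes only the session it created.

```powershell
# Added example, not the original post's Get-InstalledApps.ps1.
# Assumptions: WinRM is reachable on $Target and the supplied credential
# has local administrator rights there.
param(
    [Parameter(Mandatory = $true)]
    [string]$Target,
    [pscredential]$Credential = (Get-Credential -Message "Domain admin account for $Target")
)

# Append the target to TrustedHosts only if it is not already listed,
# instead of replacing the whole list with a single name.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if (-not (($trusted -split ',') -contains $Target)) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $Target -Concatenate -Force
}

$session = New-PSSession -ComputerName $Target -Credential $Credential -ErrorAction Stop
try {
    Write-Host "Gathering information on installed apps on $Target, please wait..." -ForegroundColor Yellow
    $apps = Invoke-Command -Session $session -ScriptBlock {
        # Read both the 64-bit and the 32-bit (WOW6432Node) uninstall keys;
        # this does not touch Windows Installer at all.
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
            Sort-Object DisplayName
    }
    $apps | Format-Table -AutoSize
}
finally {
    # Remove only the session created here, not every session on this host.
    Remove-PSSession -Session $session
}
```

Save it as a .ps1 and run it from an elevated prompt with the target name as the first argument. Because it is a locally created script, the RemoteSigned execution policy is sufficient to run it; Unrestricted is not required.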
Scanning a remote computer with Symantec Endpoint Protection
.\Scan-RemoteComputer
Name: enter the DNS name of the target computer (without the domain), e.g. testmachine1
Actions:
- Adds the target computer to the local TrustedHosts list to allow you to connect to the target computer
- Runs a Symantec Endpoint Protection scan on the target computer
- Shows the location of the log file on the remote computer
Browse to the C drive of the target computer (e.g. \\testmachine1\c$). When prompted for credentials, enter your domain administrator credentials, then open the log file for analysis.
PS C:\Scripting> .\Scan-RemoteComputer.ps1
Enter the target computer name: testmachine1
PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.
winrm.cmd exited on testmachine1 with error code 0.
Scan is starting on testmachine1 (all drives, all files). This will take a while to complete! Do not close this window.
PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
The contents of the script Scan-RemoteComputer are:
# Prompt for target computer name
$Target = read-host "Enter the target computer name"
# Modify local TrustedHosts
set-item wsman:\localhost\Client\TrustedHosts -value "$Target" -Force
# Ensure WinRM is enabled
.\PSTools\psexec \\$Target -s winrm.cmd quickconfig -q
Write-Host "Scan is starting on $Target (all drives, all files). This will take a while to complete! Do not close this window." -foregroundcolor yellow
# Run a full scan as SYSTEM on the remote computer
.\PSTools\psexec \\$Target -s "c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\doscan.exe" /C /ScanAllDrives
Write-Host "Scan on $Target is complete. Check the log file at \\$Target\c$\ProgramData\Symantec\Symantec Endpoint Protection\(version number)\Data\Logs\AV for results." -foregroundcolor green
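An added example, not a script from this post: it runs the same doscan.exe command through PsExec, checks the exit code, then resolves the "(version number)" folder in the log path automatically and copies the AV logs to a local folder for analysis. It assumes the layout used in the script above (PsExec under .\PSTools, the SEP install path, logs under ProgramData) and that the target's c$ admin share is reachable with your current credentials.

```powershell
# Added example; not the original post's scan script.
# Assumptions: PsExec in .\PSTools, SEP installed in the default path,
# and the c$ admin share on $Target accessible to the current user.
param(
    [Parameter(Mandatory = $true)]
    [string]$Target,
    [string]$DestinationFolder = "C:\temp\SEP-logs\$Target"
)

$doscan = 'c:\Program Files (x86)\Symantec\Symantec Endpoint Protection\doscan.exe'
Write-Host "Scan is starting on $Target (all drives, all files)." -ForegroundColor Yellow

# Run the scan as SYSTEM. When the remote process runs, PsExec's exit code
# is that process's exit code, so a non-zero value is worth reporting.
& .\PSTools\psexec.exe "\\$Target" -s $doscan /C /ScanAllDrives
if ($LASTEXITCODE -ne 0) {
    Write-Warning "doscan.exe on $Target exited with code $LASTEXITCODE"
}

# The log path contains a version-number folder; discover it instead of
# typing it by hand, then copy the AV logs locally.
$sepData = "\\$Target\c$\ProgramData\Symantec\Symantec Endpoint Protection"
$logDirs = Get-ChildItem -Path $sepData -Directory -ErrorAction Stop |
    ForEach-Object { Join-Path $_.FullName 'Data\Logs\AV' } |
    Where-Object { Test-Path $_ }

if (-not $logDirs) {
    Write-Warning "No Data\Logs\AV folder found under $sepData"
    return
}

New-Item -ItemType Directory -Path $DestinationFolder -Force | Out-Null
foreach ($dir in $logDirs) {
    Copy-Item -Path (Join-Path $dir '*') -Destination $DestinationFolder -Recurse -Force
}
Write-Host "Copied AV logs from $Target to $DestinationFolder" -ForegroundColor Green
# Newest log first, so the file for the scan just run is at the top.
Get-ChildItem $DestinationFolder | Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime, Length
```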
Running an arbitrary command on a remote computer
In the elevated PowerShell window, change directory to C:\Scripting\PSTools:
cd \
cd .\Scripting\PSTools
PSTools can be downloaded from //docs.microsoft.com/en-us/sysinternals/downloads/pstools
Run the command:
The title bar of the PowerShell window changes to show the remote computer name and the name of the command you ran, and the command prompt changes from PS C: to C:.
PS C:\Scripting> cd .\PSTools
PS C:\Scripting\PSTools> dir

    Directory: C:\Scripting\PSTools

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a----       29/09/2015  12:29 PM       7005 Eula.txt
-a----       20/06/2017  11:06 AM          0 psexec
-a----       29/09/2015  12:29 PM     396480 PsExec.exe
-a----       29/09/2015  12:29 PM     105264 psfile.exe
-a----       29/09/2015  12:29 PM     333176 PsGetsid.exe
-a----       29/09/2015  12:29 PM     390520 PsInfo.exe
-a----       29/09/2015  12:29 PM     468592 pskill.exe
-a----       29/09/2015  12:29 PM     232232 pslist.exe
-a----       29/09/2015  12:29 PM     183160 PsLoggedon.exe
-a----       29/09/2015  12:29 PM     178040 psloglist.exe
-a----       29/09/2015  12:29 PM     171608 pspasswd.exe
-a----       29/09/2015  12:29 PM     227520 psping.exe
-a----       29/09/2015  12:29 PM     169848 PsService.exe
-a----       29/09/2015  12:29 PM     207664 psshutdown.exe
-a----       29/09/2015  12:29 PM     187184 pssuspend.exe
-a----       29/09/2015  12:29 PM      66582 Pstools.chm
-a----       29/09/2015  12:29 PM         39 psversion.txt

PS C:\Scripting\PSTools> .\psexec \\testmachine1 cmd

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\windows\system32>hostname
testmachine1

PS C:\windows\system32> enter-pssession -ComputerName testmachine1 -Credential admin
[testmachine1]: PS C:\Users\ADMIN\Documents>
You can also start a PowerShell session on the remote computer with the following command:
enter-pssession -ComputerName testmachine1 -Credential admin
Some other useful PowerShell commands
Get Windows DLL file information / version
PS C:\windows\system32> (get-item .\zipfldr.dll).versioninfo
ProductVersion FileVersion FileName
-------------- ----------- --------
6.1.7600.16385 6.1.7600.1638... C:\windows\system32\zipfldr.dll
PS C:\windows\system32>
PS C:\windows\system32> get-item .\zipfldr.dll
Directory: C:\windows\system32
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 08/06/2018 12:21 PM 369664 zipfldr.dll
Or use a vbs script:
PS C:\windows\system32> cscript .\versioninfo.vbs .\zipfldr.dll
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
6.1.7601.24168
PS C:\windows\system32> cscript //nologo .\versioninfo.vbs .\zipfldr.dll
6.1.7601.24168
PS C:\windows\system32>
PS C:\windows\system32> type .\versioninfo.vbs
set args = WScript.Arguments
Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Echo fso.GetFileVersion(args(0))
Wscript.Quit
PS C:\windows\system32> cscript //nologo .\versioninfo.vbs .\xolehlp.dll
2001.12.8530.16385
PS C:\windows\system32> (get-item .\xolehlp.dll).versioninfo
ProductVersion FileVersion FileName
-------------- ----------- --------
6.1.7600.16385 2001.12.8530.... C:\windows\system32\xolehlp.dll
PS C:\windows\system32>
There is a difference between the two methods: the vbs script gives you the FileVersion only, while get-item lists both the ProductVersion and the FileVersion.
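To make that difference visible across a whole set of files, here is an added example (not code from this post). It reports the free-text FileVersion and ProductVersion strings that both methods above read, alongside the numeric FileVersionRaw and ProductVersionRaw values that Windows PowerShell 5 and later parse from the binary's version resource, and flags files where the two do not line up, as xolehlp.dll does in the output above. The two DLL paths are only example inputs.

```powershell
# Added example; not from the original post. The default DLL list is an
# example; pass -Path with any files you want to inspect.
param(
    [string[]]$Path = @("$env:SystemRoot\System32\zipfldr.dll",
                        "$env:SystemRoot\System32\xolehlp.dll")
)

function Get-DllVersionReport {
    param([string[]]$Files)
    foreach ($file in $Files) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Not found: $file"
            continue
        }
        $vi = (Get-Item -LiteralPath $file).VersionInfo
        [pscustomobject]@{
            Name              = $vi.FileName | Split-Path -Leaf
            # Free-text strings from the resource (what the vbs script's
            # GetFileVersion returns for FileVersion).
            FileVersion       = $vi.FileVersion
            ProductVersion    = $vi.ProductVersion
            # Numeric versions parsed from the fixed part of the resource
            # (Windows PowerShell 5 and later).
            FileVersionRaw    = $vi.FileVersionRaw
            ProductVersionRaw = $vi.ProductVersionRaw
            # True when product and file version disagree, as with xolehlp.dll.
            Mismatch          = ($vi.FileVersionRaw -ne $vi.ProductVersionRaw)
        }
    }
}

Get-DllVersionReport -Files $Path | Format-Table -AutoSize
```

When comparing a file against a vendor advisory or a patch level, use the Raw values: the string fields are free text written at build time and are the ones most likely to be stale or to carry a different product number.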
PS C:\ISOScripting\PSTools>tasklist

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0      7,316 K
smss.exe                       368 Services                   0        492 K
csrss.exe                      596 Services                   0      2,828 K
wininit.exe                    684 Services                   0      1,396 K
csrss.exe                      704 Console                    1    122,460 K
cmd.exe                       7956 Console                    1      4,528 K
....
C:\ISOScripting\PSTools>taskkill /pid 7956
Some examples using PSEXEC:
- PSEXEC \\workstation64 CMD
Execute a program that is already installed on the remote system:
- PSEXEC \\workstation64 "c:\Program Files\test.exe"
Connect to workstation64 and run ipconfig to display the remote PC's IP address:
- PSEXEC \\workstation64 ipconfig
Connect to workstation64 and list a directory:
- PSEXEC \\workstation64 -s cmd /c dir c:\work
Connect to workstation64 and copy a file from another server:
- PSEXEC \\workstation64 -s cmd /c copy \\server21\share45\file.ext c:\localpath
Execute ipconfig on the remote system and display the output locally:
- PSEXEC \\workstation64 ipconfig /all
Copy the program test.exe to the remote system and execute it interactively as the DannyGlover account:
- PSEXEC \\workstation64 -c test.exe -u DannyGlover -p Pa55w0rd
Run Internet Explorer on the local computer, but with limited user permissions:
- PSEXEC -l -d "c:\program files\internet explorer\iexplore.exe"
Run Regedit on the local computer with SYSTEM privileges:
- PSEXEC -s -i regedit.exe
In PowerShell, run a VBScript on a remote workstation and pass it some arguments:
- PS C:>$script = "C:\Program Files\demo.vbs"
- PS C:>$args = "more text"
- PS C:>PSEXEC -s \\workstation64 c:\windows\system32\cscript.exe $script $args
Some other useful commands:
- tasklist -s RemoteMachineName
- .\pslist -accepteula
Note:
-accepteula Suppress the display of the license dialog.
List / stop / disable / enable / start remote services
List the services of a remote computer and generate an htm file to display them:
<#
.SYNOPSIS
Shows a list of services on a remote operating system.
.DESCRIPTION
Function to retrieve a list of services.
.EXAMPLE
PS> .\Get-Remote-Services.ps1
#>
Get-Service * -computername test1.51sec.org | Select-Object Status, Name, DisplayName | ConvertTo-HTML | Out-File C:\temp\Test.htm
# Open the report in the default browser
Invoke-Item C:\temp\Test.htm
List the services of the local machine:
<#
.SYNOPSIS
Shows a list of services on your operating system.
.DESCRIPTION
Function to retrieve a list of services.
.EXAMPLE
PS> .\Get-Services.ps1
#>
Get-WmiObject win32_service | Select Name, DisplayName, State, StartMode | Sort State, Name
Disable and stop a service on a remote computer:
.\Disable-Remote-Service.ps1 test1.51sec.org RemoteRegistry
[cmdletbinding()]
param(
    [string[]]$ComputerName = $env:ComputerName,
    [parameter(Mandatory=$true)]
    [string[]]$ServiceName
)
foreach($Computer in $ComputerName) {
    Write-Host "Working on $Computer"
    if(!(Test-Connection -ComputerName $Computer -Count 1 -quiet)) {
        Write-Warning "$computer : Offline"
        Continue
    }
    foreach($service in $ServiceName) {
        try {
            $ServiceObject = Get-WMIObject -Class Win32_Service -ComputerName $Computer -Filter "Name='$service'" -EA Stop
            if(!$ServiceObject) {
                Write-Warning "$Computer : No service found with the name $service"
                Continue
            }
            if($ServiceObject.StartMode -eq "Disabled") {
                Write-Warning "$Computer : Service with the name $service already in disabled state"
                Continue
            }
            # -StartMode is an alias of Set-Service's -StartupType parameter
            Set-Service -ComputerName $Computer -Name $service -EA Stop -StartMode Disabled
            Write-Host "$Computer : Successfully disabled the service $service. Trying to stop it"
            # Win32_Service reports whether the service runs in State ("Running"/"Stopped");
            # Status is the health field ("OK"), so State is the property to test here.
            if($ServiceObject.State -ne "Running") {
                Write-Warning "$Computer : $service already in stopped state"
                Continue
            }
            $retval = $ServiceObject.StopService()
            if($retval.ReturnValue -ne 0) {
                Write-Warning "$Computer : Failed to stop service. Return value is $($retval.ReturnValue)"
                Continue
            }
            Write-Host "$Computer : Stopped service successfully"
        }
        catch {
            Write-Warning "$computer : Failed to query $service. Details : $_"
            Continue
        }
    }
}
PS C:\ISOScripting> .\Disable-remote-service.ps1 10.1.1.5 RemoteRegistry
Working on 10.1.1.5
10.1.1.5 : Successfully disabled the service RemoteRegistry. Trying to stop it
10.1.1.5 : Stopped service successfully
Enable / start a remote service:
Set-Service -Name RemoteRegistry -ComputerName 10.1.1.12 -StartupType Manual -ErrorAction Stop
Start-Service -InputObject (Get-Service -Name RemoteRegistry -ComputerName 10.1.1.12) -ErrorAction Stop
Check the firewall status of a remote computer
PS C:\ISOScripting\pstools> .\psexec.exe \\test1.51sec.ca netsh fir sh config
PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound VMware Workstation VMX / C:\program files (x86)\vmware\vmware workstation\x64\vmware-vmx.exe
Enable Inbound g2viewer.exe / C:\users\andywong\appdata\local\temp\g2_1470\g2viewer.exe
Enable Inbound SNAC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\snac64.exe
Enable Inbound SMC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\Smc.exe
Enable Inbound Nuance Pdf Converter Professional / C:\Program Files (x86)\Nuance\PDF Professional 8\bin\GaaihoDoc.exe
Enable Inbound Nuance Pdf Create Assistant / C:\Program Files (x86)\Nuance\PDF Professional 8\bin\GPDFDirect.exe
Enable Inbound Nuance Activation / C:\Program Files (x86)\Nuance\PDF Professional 8\PdfPro8Hook.exe
Enable Inbound Nuance Pdf Converter Assistant / C:\Program Files (x86)\Nuance\PDF Professional 8\PDFRouter.exe
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
8298 TCP Enable Inbound TechSmith Snagit
56789 TCP Enable Inbound VMware vCenter Converter Standalone - Server
9089 TCP Enable Inbound VMware vCenter Converter Standalone - Agent
2799 TCP Enable Inbound Altova License Metering Port (TCP)
2799 UDP Enable Inbound Altova License Metering Port (UDP)
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound Firefox (C:\Program Files (x86)\Mozilla Firefox) / C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Enable Inbound SNAC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\snac64.exe
Enable Inbound SMC Service / C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\12.1.4013.4013.105\Bin64\Smc.exe
Enable Inbound Microsoft OneNote / C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
8298 TCP Enable Inbound TechSmith Snagit
56789 TCP Enable Inbound VMware vCenter Converter Standalone - Server
9089 TCP Enable Inbound VMware vCenter Converter Standalone - Agent
2799 TCP Enable Inbound Altova License Metering Port (TCP)
2799 UDP Enable Inbound Altova License Metering Port (UDP)
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
netsh exited on test1.51sec.ca with error code 0.
PS C:\ISOScripting\pstools>
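As the notice at the end of that output says, "netsh firewall" is deprecated. The following is an added example (not from this post) that reads the per-profile firewall state of a remote computer over WinRM instead of PsExec: it uses Get-NetFirewallProfile where the NetSecurity module exists (Windows 8 / Server 2012 and later) and falls back to parsing "netsh advfirewall show allprofiles" on older systems such as the Windows 7 machines shown above. The target name and the credential prompt are the assumed inputs.

```powershell
# Added example; not from the original post. Assumes WinRM is enabled on
# $Target and the credential has administrator rights there.
param(
    [Parameter(Mandatory = $true)]
    [string]$Target,
    [pscredential]$Credential = (Get-Credential -Message "Admin account for $Target")
)

$result = Invoke-Command -ComputerName $Target -Credential $Credential -ScriptBlock {
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: the NetSecurity module gives
        # structured objects, including the default actions and log settings.
        Get-NetFirewallProfile |
            Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                          LogFileName, LogBlocked
    }
    else {
        # Older systems (e.g. Windows 7): parse the non-deprecated netsh context.
        # Output has blocks such as "Domain Profile Settings:" followed by
        # "State        ON" lines.
        $current = $null
        $rows = @()
        foreach ($line in (netsh advfirewall show allprofiles)) {
            if ($line -match '^(\w+) Profile Settings:') {
                $current = $matches[1]
                continue
            }
            if ($current -and $line -match '^State\s+(\w+)') {
                $rows += [pscustomobject]@{
                    Name    = $current
                    Enabled = ($matches[1] -eq 'ON')
                }
            }
        }
        $rows
    }
}

$result | Format-Table -AutoSize

# A profile whose firewall is off is the condition worth acting on.
$off = $result | Where-Object { -not $_.Enabled }
if ($off) {
    Write-Warning ("Firewall disabled for profile(s) on {0}: {1}" -f $Target, ($off.Name -join ', '))
}
```

Running this over WinRM also keeps the query within the PowerShell remoting logs on both ends, which is easier to audit than a PsExec-spawned netsh process.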