Last active
October 17, 2015 21:18
-
-
Save dstaulcu/e6abbf95d1fd515b8e4e to your computer and use it in GitHub Desktop.
get-remoteprocmon
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @echo off | |
| echo. | |
| REM check usage | |
| if not exist .\procmon.exe goto ERR_RES | |
| if not exist .\psexec.exe goto ERR_RES | |
| set HOSTNAME=%1 | |
| if not defined HOSTNAME goto USAGE | |
| REM check to see if remote host is online | |
| echo -Checking remote host availability | |
| ping -n 1 -w 300 %HOSTNAME% | find /i "REPLY" >NUL | |
| if errorlevel 1 goto ERR_OFFLINE | |
| REM check that you have remote admin access | |
| echo -Checking remote host access level | |
| dir \\%HOSTNAME%\C$ >nul | |
| if errorlevel 1 goto ERR_ACCESS | |
| REM copy resource files to remote directory | |
| echo -Copying resources to remote host | |
| if not exist "\\%HOSTNAME%\C$\LocalApps" md "\\%HOSTNAME%\C$\LocalApps" | |
| if not exist "\\%HOSTNAME%\C$\LocalApps\ProcMonCapture" md "\\%HOSTNAME%\C$\LocalApps\ProcMonCapture" | |
| copy .\procmon.exe "\\%HOSTNAME%\C$\LocalApps\ProcMonCapture" /y >nul | |
| REM start remote resource (do not wait for completion) | |
| echo -Launching procmon remotely | |
| psexec.exe -d -s \\%HOSTNAME% "C:\LocalApps\ProcMonCapture\procmon.exe" /AcceptEula /Nofilter /BackingFile C:\LocalApps\ProcMonCapture\Capture.PML >nul 2>&1 | |
| REM prompt user for go-ahead to stop remote resource | |
| echo. | |
| echo Capture in progress. Press any key to stop... | |
| echo. | |
| pause >nul | |
| REM stop remote resource (wait for completion) | |
| echo -Terminating capture | |
| psexec.exe -s \\%HOSTNAME% "c:\LocalApps\ProcMonCapture\procmon.exe" /AcceptEula /Quiet /Terminate >nul 2>&1 | |
| REM copy logfiles created by remote resource | |
| echo -Copying trace logs | |
| if not exist ".\Captures" md ".\Captures" | |
| if not exist ".\Captures\%HOSTNAME%" md ".\Captures\%HOSTNAME%" | |
| copy "\\%HOSTNAME%\C$\LocalApps\ProcMonCapture\*.PML" ".\Captures\%HOSTNAME%\*.PML" /y >nul | |
| REM remove remote resource files | |
| echo -Cleaning up remote resource files | |
| rmdir /s /q "\\%HOSTNAME%\C$\LocalApps\ProcMonCapture" | |
| REM print out the take | |
| echo -Operation complete! Captures available in .\Captures\%HOSTNAME%\*.PML | |
| echo. | |
| CHOICE /C YN /M "Review capture file now? " | |
| if errorlevel 2 goto EOF | |
| if errorlevel 1 goto CAP_OPEN | |
| :CAP_OPEN | |
| ".\procmon.exe" /AcceptEula /Quiet /OpenLog ".\Captures\%HOSTNAME%\Capture.PML" | |
| goto EOF | |
| :ERR_RES | |
| echo ERROR: script resoures not available | |
| echo please ensure psexec.exe and procmon.exe are in same directory as script. | |
| goto EOF | |
| :USAGE | |
| echo ERROR: missing argument ^<target_hostname^> | |
| goto EOF | |
| :ERR_OFFLINE | |
| echo ERROR: specified host is not available (%HOSTNAME%) | |
| goto EOF | |
| :ERR_ACCESS | |
| echo ERROR: unable to access system volume on remote resource (%HOSTNAME%) | |
| goto EOF | |
| :EOF | |
| echo. | |
Author
dstaulcu
commented
Oct 17, 2015
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment