1

I am working on a project where I need to fetch a specific registry value from remote computers and publish the report in excel file. I tried working with the PsExec tool but that is not fulfilling my requirement. I have more than 20000 systems from which I need to fetch the reg value. I am trying to fetch those systems reg values which are alive in the network per subnet where I have several different subnets. My intention is to run the script from a central server and collect the values in an excel file with hostname, reg value. Any help would be highly appreciated. Please help me to sort it out. Thank you in advance. Below is the script which I tried to create.

psexec @c:\ips.txt -u domain\id -p 12345 reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion" /v PRODUCTVERSION >> c:\version.xlsx

Regards, Pinaki

Pinaki Bhadra
  • 23
  • 2
  • 8
  • Could you explain to anyone who may feel that this type of request may have ties to security vulnerability exploitation is wrong. – Compo Aug 02 '17 at 22:07
  • You cannot create Excel workbooks by redirecting text output to a file, even if you give that file the extension .xlsx. Also, why are you using `psexec` instead of `reg query \\1.2.3.4\HKLM\...`? – Ansgar Wiechers Aug 02 '17 at 22:13
  • Also, with 20000 systems to check you may want to run the queries with some degree of parallelism. PowerShell [jobs](https://stackoverflow.com/a/18193195/1630171) are one possible approach. – Ansgar Wiechers Aug 02 '17 at 22:29
  • @Compo..This script will run internally on subnet basis and will not change any registry values. The intention is to fetch the reg value which is set there and to check which systems are up to date with the AV whether those systems are reachable or not reachable meaning it will check the remote systems first if alive or not then fetch the reg value. – Pinaki Bhadra Aug 03 '17 at 04:46
  • @Ansgar..actually I am a newbie in the world of powershell and dont know powershell that much. PsExec can call the list of IPs if I list the IPs in a text file per subnet basis and thats why I am using that tool here. I tried giving the extension as .xlsx but it failed to open. I want to store the report in that server from where I will run that script. – Pinaki Bhadra Aug 03 '17 at 04:53
  • Of course it failed to open. Again, you cannot create .xlsx files by redirecting text output to a file. .xmlx files are zip archives containing a number of XML (and optionally other) files defining the structure and data of the workbook. Create a CSV instead and import that. Also, note that PsExec processes the hosts sequentially. Running a command against 20000 hosts without some kind of parallelism is going to take a while. (And by "a while" I mean "a really long time". Just in case that wasn't clear.) – Ansgar Wiechers Aug 03 '17 at 08:22
  • @Pinaki Bhadra, I would wager that if you just pushed out the latest Endpoint update to every machine, that those already carrying the latest version would be completely unaffected and those without will be updated. All you would need was to capture those machines which were not accessible at update time. – Compo Aug 03 '17 at 10:23
  • yes Ansgar this is true that PsExec is too slow to respond over the network and also I am trying to create the report in .csv format instead of .xlsx. – Pinaki Bhadra Aug 03 '17 at 10:28
  • Yes Compo you are correct but due to some issue we are not able to find the complete list of not accessible systems because there are few issues and challenges we face internally and for that this step has been taken. but our main intention is to find out which systems are not upgraded and are not showing/accessible through the console. – Pinaki Bhadra Aug 03 '17 at 10:47

1 Answers1

1

Firstly, don't output straight to an .xlsx file. That file format consists of a collection of XML data in a zip compressed container. Use .csv instead.

Next, if your domain allows remote registry queries, you can use

reg query \\remotemachine\HKLM\etc.

to query registry values over the network. In a cmd console, enter reg query /? for full details.

If your domain does not allow remote registry queries, as an alternative to psexec, you could try using wmic with its remote switches, querying the StdRegProv class. Assuming the "PRODUCTVERSION" value is held in a string value, it would look something like this:

wmic /node:computername /user:domain\admin /password:adminpass /namespace:\\root\default class stdregprov call GetStringValue hDefKey="&H80000002" sSubkeyName="SOFTWARE\\Symantec\\Symantec Endpoint Protection\\CurrentVersion" sValueName="PRODUCTVERSION" | findstr "sValue"

Or with variables to make it more readable:

@echo off & setlocal

set "user=domain\admin"
set "pass=adminPass"

set "creds=/user:%user% /password:%pass%"
set "GetStringValue=/namespace:\\root\default class stdregprov call GetStringValue"
set hive=hDefKey^^^="^&H80000002"
set key=sSubkeyName^^^="SOFTWARE\\Symantec\\Symantec Endpoint Protection\\CurrentVersion"
set valname=sValueName^^^="PRODUCTVERSION"
set "args=%creds% %GetStringValue% %hive% %key% %valname%"

rem // output to c:\versions.csv
> "c:\versions.csv" (

    rem // loop through ips.txt
    for /f "usebackq delims=" %%I in ("c:\ips.txt") do (

        rem // capture output of wmic command
        for /f "tokens=2*" %%x in ('wmic /node:%%I %args% ^| find "sValue"') do (

            rem // normalize encoding of response and output to csv file
            for /f "delims=" %%# in ("%%~y") do echo %%~I,%%~#
        )
    )
)

Note: I haven't performed extensive testing of this script, as I'm not currently in a domain environment. If it doesn't work as expected, you're probably on your own to figure out what's wrong and fix it. As far as I could, I did test the evaluation of the caret escapes, and was able to query the registry on my local machine without the /node, /user, and /password switches. And I have successfully used similar methods to query remote machines on a domain in the past where more traditional remote registry queries are blocked.

rojo
  • 24,000
  • 5
  • 55
  • 101
  • I understood the script and will check this script in my office domain environment and let you know if anything happens. One more query, in the ips.txt if I put all the IPs list vertically will that be ok because for PsExec we put as same. – Pinaki Bhadra Aug 03 '17 at 05:04
  • 1
    Thanks a lot Rojo..this script works for me and it saves time too as it runs and fetch the values from remote systems registry so fast. Thank you once again. – Pinaki Bhadra Aug 03 '17 at 12:27