SCENARIO: You want to be able to create, start, stop, and delete Performance Monitor data collector sets and collect logs from your computer using a menu. You can do all of these things manually, but this script will present you with a menu for performing these tasks.
NOTE: This will work in Windows 10. If you are running an older version of PowerShell, you will need to replace the Get-CimInstance cmdlet along with the Get-GPResultantSetOfPolicy cmdlet.
UPDATE: 11-06-2017 - I just pasted a newer version of this script below.
Click Here to Download Script: Data Collection Utility
Folder Structure:
<#
This script is for diagnostic purposes. It will create, start, stop, delete Perfmon data collector sets.
It will also allow you to export logs, system information. It will also allow you to zip up all of the
collected data and upload it to a share.
All collected data will go into the C:\Diagnostics folder unless you have specifically changed it.
Written by Matthew Graham 2017
*****USE AT YOUR OWN RISK*****
#>
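# Global Variables
# Everything the script writes lives under $SourceDirectory; the sub-folders are
# derived from it (rather than repeated as literals) so that changing the root
# here really does move all collected data, as the header comment promises.
$SourceDirectory = "C:\Diagnostics"
$EventLogs = Join-Path $SourceDirectory "EventLogs"
$OtherLogs = Join-Path $SourceDirectory "OtherLogs"
$SysConfig = Join-Path $SourceDirectory "SystemConfiguration"
$Perfmon = Join-Path $SourceDirectory "Perfmon"
# ***CHANGE THE $FileCopyDest PATH TO A SHARE WHERE YOU WANT THE FILES TO BE COPIED TO****
# Menu option 9 uploads the Security event log, netstat, klist and gpresult
# output to this share, so its ACL should limit read access to the people
# doing the diagnosis.
$FileCopyDest = "\\servername\share\"
# Date stamp (mm-dd-yy) used to name the upload folder.
$Date = Get-Date -UFormat %m-%d-%y
# Create Data Folders - Resulting Data will be placed in the $SourceDirectory folder.
# -Force makes this idempotent: an existing folder is left as it is.
foreach ($dataFolder in @($SourceDirectory, $EventLogs, $OtherLogs, $SysConfig, $Perfmon)) {
    New-Item $dataFolder -ItemType Directory -Force | Out-Null
}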
# Loop for presenting menu options
# Outer do/while: runs until the user picks 11 (Quit). Its closing brace and
# condition are after the switch at the bottom of the script; everything in
# between - including the function definitions - is re-evaluated on each pass.
do {[int]$userMenuChoice = 0
# Inner loop: redraw the menu until a choice in 1..11 has been entered.
while ( $userMenuChoice -lt 1 -or $userMenuChoice -gt 11) {
Clear-Host
Write-Host ""
Write-Host "DATA COLLECTION UTILITY"
Write-Host "============================================================================================="
Write-Host "1. PERFMON - CREATE Perfmon Data Collector Sets" -ForegroundColor Gray
Write-Host "2. PERFMON - START Perfmon Data Collector Sets" -ForegroundColor Gray
Write-Host "3. PERFMON - STOP Perfmon Data Collector Sets" -ForegroundColor Gray
Write-Host "4. PERFMON - DELETE Perfmon Data Collector Sets" -ForegroundColor Gray
Write-Host "5. PERFMON - VIEW currently existing Perfmon Data Collector Sets" -ForegroundColor Gray
Write-Host "--------------------------------------------------------------------------------------------"
Write-Host "6. DATA COLLECTION - Collect Application, Security, and System, Logs Only"
Write-Host "7. DATA COLLECTION - Collect System Information and Misc. Logs Only"
Write-Host "8. DATA COLLECTION - Collect Windows Logs and System Information"
Write-Host "9. Upload collected data to remote share" -ForegroundColor Green
Write-Host "10. Delete currently collected Data - DELETES ALL DIAGNOSTIC DATA!!" -ForegroundColor Red
Write-Host "11. Quit and Exit" -ForegroundColor Green
Write-Host "============================================================================================="
# The [int] cast rejects non-numeric input with a conversion error; since
# $userMenuChoice then presumably stays 0, the menu is simply shown again.
# Options 6-9 export and upload the Security event log and other host details.
# NOTE(review): those collectors appear to need an elevated session - confirm.
[int]$userMenuChoice = Read-Host "Please choose an option"
# Functions for data collection
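function CreateDCS {
    # Creates the two Perfmon counter data collector sets: one sampling every
    # 3 minutes, one every 2 seconds. Both write binary circular logs (-f bincirc)
    # capped at 500 MB (-max) under $Perfmon with a mmddhhmm version suffix.
    # The counter list is declared once and shared, so the two sets cannot drift
    # apart the way two hand-maintained copies could.
    $counters = @(
        "\LogicalDisk(*)\*", "\Memory\*", "\.NET CLR Memory(*)\*", "\Cache\*",
        "\Network Interface(*)\*", "\Netlogon(*)\*", "\Paging File(*)\*",
        "\PhysicalDisk(*)\*", "\Processor(*)\*", "\Processor Information(*)\*",
        "\Process(*)\*", "\Thread(*)\*", "\Redirector\*", "\Server\*", "\System\*",
        "\Server Work Queues(*)\*", "\Terminal Services\*"
    )
    # An array passed to a native executable is expanded to one argument per element.
    Logman.exe create counter PerfLog-LongInterval -o "$Perfmon\PerfLog-LongInterval.blg" -f bincirc -v mmddhhmm -max 500 -c $counters -si 00:03:00
    if ($LASTEXITCODE -ne 0) { Write-Warning "logman create PerfLog-LongInterval exited with $LASTEXITCODE" }
    Logman.exe create counter PerfLog-ShortInterval -o "$Perfmon\PerfLog-ShortInterval.blg" -f bincirc -v mmddhhmm -max 500 -c $counters -si 00:00:02
    if ($LASTEXITCODE -ne 0) { Write-Warning "logman create PerfLog-ShortInterval exited with $LASTEXITCODE" }
    Start-Sleep -Seconds 2
}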
function StartDCS {
    # Starts both Perfmon data collector sets created by CreateDCS, then pauses
    # briefly so logman's output is visible before the menu is redrawn.
    $setNames = 'PerfLog-LongInterval', 'PerfLog-ShortInterval'
    foreach ($setName in $setNames) {
        Logman.exe start $setName
    }
    Start-Sleep -Seconds 2
}
function StopDCS {
    # Stops both Perfmon data collector sets so their .blg files are closed;
    # options 9 and 10 call this before copying or deleting the data.
    $setNames = 'PerfLog-LongInterval', 'PerfLog-ShortInterval'
    foreach ($setName in $setNames) {
        Logman.exe stop $setName
    }
    Start-Sleep -Seconds 2
}
function DeleteDCS {
    # Removes the two data collector set definitions from Perfmon. The .blg files
    # already written under $Perfmon are not touched by this.
    $setNames = 'PerfLog-LongInterval', 'PerfLog-ShortInterval'
    foreach ($setName in $setNames) {
        Logman.exe delete $setName
    }
    Start-Sleep -Seconds 2
}
function ViewExistingDCS {
    # Lists every data collector set on this machine (not only the two this
    # script creates) and pauses long enough for the listing to be read.
    & Logman.exe query
    Start-Sleep -Seconds 5
}
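function CollectEventLogs {
    # Exports the classic Application/Security/System logs (last 14 days) and a
    # fixed list of Windows event channels to CSV files under $EventLogs.
    # Fixes over the original: every channel export now uses -ErrorAction
    # SilentlyContinue, matching the classic-log exports, so a channel that does
    # not exist on this edition of Windows (e.g. Microsoft-ServerManagementExperience
    # or the SMB Witness channels on a client) no longer spills errors; the
    # TS-LocalSessionManager channel was exported twice and is now exported once.
    # Output file names are unchanged.
    # NOTE: the Security log export generally needs an elevated session - if
    # SecurityLog.csv is missing afterwards, that is the first thing to check.
    # The CSVs contain logon/account details; treat $EventLogs as sensitive.
    $Time = (Get-Date).AddDays(-14)

    # Classic logs. The Security export keeps a different column set (no UserName,
    # plus InstanceId) than System/Application, as in the original.
    $securityProps = 'EventID', 'InstanceId', 'EntryType', 'Source', 'TimeGenerated', 'Message', 'MachineName'
    $classicProps  = 'TimeGenerated', 'EventID', 'CategoryNumber', 'EntryType', 'UserName', 'Source', 'Message', 'MachineName'
    Get-EventLog -LogName Security -After $Time -ErrorAction SilentlyContinue |
        Select-Object $securityProps |
        Export-Csv (Join-Path $EventLogs 'SecurityLog.csv') -NoTypeInformation
    foreach ($classicLog in 'System', 'Application') {
        Get-EventLog -LogName $classicLog -After $Time -ErrorAction SilentlyContinue |
            Select-Object $classicProps |
            Export-Csv (Join-Path $EventLogs "${classicLog}Log.csv") -NoTypeInformation
    }

    # Event channels, in the original order. MaxEvents is only set where the
    # original capped the export (TaskScheduler). A channel that is absent or
    # empty simply produces no CSV, as before.
    $channelProps = 'TimeCreated', 'LevelDisplayName', 'ID', 'ProcessId', 'Message', 'MachineName'
    $channels = @(
        @{ Log = 'Setup';                                                           File = 'Setup.csv' },
        @{ Log = 'Microsoft-ServerManagementExperience';                            File = 'ServerMgmtExperience.csv' },
        @{ Log = 'Windows PowerShell';                                              File = 'Powershell.csv' },
        @{ Log = 'Microsoft-Windows-Diagnostics-Performance/Operational';           File = 'Performance.csv' },
        @{ Log = 'Microsoft-Windows-GroupPolicy/Operational';                       File = 'GroupPolicy.csv' },
        @{ Log = 'Microsoft-Windows-Kernel-PnP/Configuration';                      File = 'PlugandPlay.csv' },
        @{ Log = 'Microsoft-Windows-NetworkProfile/Operational';                    File = 'NetworkProfile.csv' },
        # File name kept for compatibility with earlier runs; the source is the NLA service channel.
        @{ Log = 'Microsoft-Windows-NlaSvc/Operational';                            File = 'LDAPAuth.csv' },
        @{ Log = 'Microsoft-Windows-Ntfs/Operational';                              File = 'NTFSOperational.csv' },
        @{ Log = 'Microsoft-Windows-PrintService/Admin';                            File = 'PrintServiceAdmin.csv' },
        @{ Log = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational';   File = 'RDS_RDPCoreTS.csv' },
        @{ Log = 'Microsoft-Windows-SmbClient/Connectivity';                        File = 'SMBClientConnectivity.csv' },
        @{ Log = 'Microsoft-Windows-SmbClient/Security';                            File = 'SMBClientSecurity.csv' },
        @{ Log = 'Microsoft-Windows-SMBServer/Operational';                         File = 'SMBServerOperational.csv' },
        @{ Log = 'Microsoft-Windows-SMBWitnessClient/Admin';                        File = 'SMBWitnessClientAdmin.csv' },
        @{ Log = 'Microsoft-Windows-SMBWitnessClient/Informational';                File = 'SMBWitnessClientInfo.csv' },
        @{ Log = 'Microsoft-Windows-TaskScheduler/Operational';                     File = 'TaskSchedulerOperational.csv'; MaxEvents = 3000 },
        @{ Log = 'Microsoft-Windows-TerminalServices-RDPClient/Operational';        File = 'TS-ClientActiveXCore.csv' },
        @{ Log = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; File = 'TS-LocalSessionManagerOperational.csv' },
        @{ Log = 'Microsoft-Windows-User Profile Service/Operational';              File = 'UserProfileService.csv' },
        @{ Log = 'Microsoft-Windows-WFP/Operational';                               File = 'WFP.csv' },
        @{ Log = 'Microsoft-Windows-Windows Defender/Operational';                  File = 'WindowsDefenderOperational.csv' },
        @{ Log = 'Microsoft-Windows-WindowsUpdateClient/Operational';               File = 'WindowsUpdateClient.csv' },
        @{ Log = 'Microsoft-Windows-Wired-AutoConfig/Operational';                  File = 'WiredAutoConfig.csv' },
        @{ Log = 'Microsoft-Windows-WLAN-AutoConfig/Operational';                   File = 'WLANAutoConfig.csv' },
        @{ Log = 'Microsoft-Windows-WMI-Activity/Operational';                      File = 'WMIActivity.csv' }
    )
    foreach ($channel in $channels) {
        $winEventParams = @{ LogName = $channel.Log; ErrorAction = 'SilentlyContinue' }
        if ($channel.MaxEvents) { $winEventParams.MaxEvents = $channel.MaxEvents }
        Get-WinEvent @winEventParams |
            Select-Object $channelProps |
            Export-Csv (Join-Path $EventLogs $channel.File) -NoTypeInformation
    }

    Write-Host "***********************************************"
    Write-Host "Check C:\Diagnostics for exported logs."
    Write-Host "***********************************************"
    Start-Sleep -Seconds 2
}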
# Collect System Info Function
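function CollectSystemInfo {
    # Dumps host configuration (patches, installed software, drivers, processes,
    # network state, Kerberos ticket listing, selected registry keys, group policy
    # result, disk space) into $SysConfig and copies a fixed set of servicing and
    # setup logs into $OtherLogs.
    # Fix over the original: gpresult /h refuses to overwrite an existing report,
    # so every run after the first left gpresult.html stale; /f forces the overwrite.
    # NOTE: netstat -b and gpresult /h generally need an elevated session, and the
    # output (open connections, tickets, installed software) is sensitive -
    # restrict who can read $SysConfig and the upload share.
    systeminfo >$SysConfig\systeminfo.txt
    netstat -ano >$SysConfig\netstat_ano.txt
    # -b (owning executable per connection) requires elevation; the file is empty otherwise.
    netstat -bna >$SysConfig\netstat_bna.txt
    route print >$SysConfig\routeprint.txt
    wmic qfe >$SysConfig\windowsupdates.txt
    # Win32_Product enumeration is slow and triggers a consistency check of every
    # MSI package (which itself logs Application events) - expected, not a fault.
    wmic product get name,version >$SysConfig\installedsoftware.txt
    driverquery /FO table >$SysConfig\drivers.txt
    tasklist /svc >$SysConfig\tasklist.txt
    ipconfig -all >$SysConfig\ipconfig.txt
    klist >$SysConfig\klist.txt
    klist sessions >$SysConfig\klistsessions.txt
    # Registry keys of interest; a missing key prints an error and leaves the file empty.
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting" >$SysConfig\localdumps.txt
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" >$SysConfig\memoryconfig.txt
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers" >$SysConfig\printers.txt
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors" >>$SysConfig\printers.txt
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" >$SysConfig\tcpipparameters.txt
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" >$SysConfig\hardware.txt
    gpresult /h $SysConfig\gpresult.html /f
    #Disk Info - appended to systeminfo.txt as a formatted table.
    $Fs = @{Label='Free Space (GB)'; expression={($_.freespace)/1gb}; formatstring='n2'}
    $Sz = @{Label='Size (GB)'; expression={($_.Size)/1gb}; formatstring='n2'}
    Get-WMIObject win32_LogicalDisk | Format-Table Name, $Fs, $Sz -a | Out-File $SysConfig\systeminfo.txt -Append
    #Copy Logs - each is best-effort; a log that is absent on this machine is skipped.
    $logFiles = @(
        "$env:SystemRoot\Logs\CBS\CBS.log",
        "$env:SystemRoot\Logs\DISM\DISM.log",
        "$env:SystemRoot\Logs\DirectX.log",
        "$env:SystemRoot\Panther\setupact.log",
        "$env:SystemRoot\Panther\setuperr.log",
        "$env:SystemRoot\INF\setupapi.dev.log",
        "$env:SystemRoot\INF\setupapi.setup.log",
        "$env:SystemRoot\INF\setupapi.app.log",
        "$env:SystemRoot\INF\setupapi.offline.log"
    )
    foreach ($logFile in $logFiles) {
        Copy-Item $logFile $OtherLogs\ -ErrorAction SilentlyContinue
    }
    # ConfigMgr client logs (directory copy; only present on managed machines).
    Copy-Item $env:SystemRoot\CCM\Logs $OtherLogs\CCM -Recurse -ErrorAction SilentlyContinue
    Get-WindowsUpdateLog -LogPath $OtherLogs\WindowsUpdateLog.log -ErrorAction SilentlyContinue
    Write-Host "***********************************************"
    Write-Host "Check C:\Diagnostics for exported logs."
    Write-Host "***********************************************"
    Start-Sleep -Seconds 2
}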
# Delete Data Function
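function DeleteData {
    # Removes the local diagnostics tree and re-creates the empty folder layout.
    # Fixes over the original: Remove-Item without -Recurse stops on a non-empty
    # directory (confirmation prompt, or an error without an interactive host)
    # and deletes nothing; and since the folders are only created once at script
    # start, the collection options failed to write after a delete - the empty
    # skeleton is now put back so the menu keeps working.
    # The guard refuses an empty/unset root so the deletion can never widen
    # beyond the intended folder.
    if ([string]::IsNullOrWhiteSpace($SourceDirectory)) {
        Write-Warning 'SourceDirectory is not set; nothing was deleted.'
        return
    }
    try {
        Remove-Item $SourceDirectory -Recurse -Force -ErrorAction Stop
        Write-Host "Local copy of diagnostics data has been removed from this computer."
    } catch {
        Write-Warning "Could not remove ${SourceDirectory}: $($_.Exception.Message)"
    }
    foreach ($dataFolder in @($SourceDirectory, $EventLogs, $OtherLogs, $SysConfig, $Perfmon)) {
        New-Item $dataFolder -ItemType Directory -Force | Out-Null
    }
    Start-Sleep -Seconds 2
}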
# Data Copy Function
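function DataCopy {
    # Copies the whole diagnostics tree to $FileCopyDest\<username>-<date>.
    # Fixes over the original: the "please wait" message is printed before the
    # (synchronous) copy instead of after it has already finished; a destination
    # still set to the placeholder share, or a copy failure, is reported
    # explicitly instead of leaving a bare Copy-Item error on screen.
    # NOTE: the tree holds the Security event log plus open-connection and
    # Kerberos ticket listings - the share's ACL should restrict read access.
    if ($FileCopyDest -eq '\\servername\share\') {
        Write-Warning 'FileCopyDest still points at the placeholder share; edit $FileCopyDest at the top of the script.'
        Start-Sleep -Seconds 2
        return
    }
    $destination = Join-Path $FileCopyDest ($env:Username + "-" + $Date)
    Write-Host "Copying files to share... please wait..."
    try {
        Copy-Item $SourceDirectory $destination -Recurse -ErrorAction Stop
        Write-Host "Copy complete: $destination"
    } catch {
        Write-Warning "Upload to $destination failed: $($_.Exception.Message)"
    }
    Start-Sleep -Seconds 2
}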
# Switch used to select which function you want to run.
# Only values 1..11 reach this point (the while loop above re-prompts for
# anything else), so 'default' is effectively option 11. Options 9 and 10
# stop the collector sets first, presumably so the .blg files are closed
# before the data is copied or deleted.
switch ($userMenuChoice) {
1{CreateDCS}
2{StartDCS}
3{StopDCS}
4{DeleteDCS}
5{ViewExistingDCS}
6{CollectEventLogs}
7{CollectSystemInfo}
8{CollectEventLogs; CollectSystemInfo}
9{StopDCS; DataCopy}
10{StopDCS; DeleteData}
default {Write-Host "Exiting Diagnostics Utility..." -ForegroundColor Green}
}
# closes the inner menu loop
}
# closes the outer loop: 11 is the only way out of the script
} while ( $userMenuChoice -ne 11 )
This script is for diagnostic purposes. It will create, start, stop, delete Perfmon data collector sets.
It will also allow you to export logs, system information. It will also allow you to zip up all of the
collected data and upload it to a share.
All collected data will go into the C:\Diagnostics folder unless you have specifically changed it.
Written by Matthew Graham 2017
*****USE AT YOUR OWN RISK*****
#>
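# Global Variables
# Everything the script writes lives under $SourceDirectory; the sub-folders are
# derived from it (rather than repeated as literals) so that changing the root
# here really does move all collected data, as the header comment promises.
$SourceDirectory = "C:\Diagnostics"
$EventLogs = Join-Path $SourceDirectory "EventLogs"
$OtherLogs = Join-Path $SourceDirectory "OtherLogs"
$SysConfig = Join-Path $SourceDirectory "SystemConfiguration"
$Perfmon = Join-Path $SourceDirectory "Perfmon"
# ***CHANGE THE $FileCopyDest PATH TO A SHARE WHERE YOU WANT THE FILES TO BE COPIED TO****
# Menu option 9 uploads the Security event log, netstat, klist and gpresult
# output to this share, so its ACL should limit read access to the people
# doing the diagnosis.
$FileCopyDest = "\\servername\share\"
# Date stamp (mm-dd-yy) used to name the upload folder.
$Date = Get-Date -UFormat %m-%d-%y
# Create Data Folders - Resulting Data will be placed in the $SourceDirectory folder.
# -Force makes this idempotent: an existing folder is left as it is.
foreach ($dataFolder in @($SourceDirectory, $EventLogs, $OtherLogs, $SysConfig, $Perfmon)) {
    New-Item $dataFolder -ItemType Directory -Force | Out-Null
}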
# Loop for presenting menu options
# Outer do/while: runs until the user picks 11 (Quit). Its closing brace and
# condition are after the switch at the bottom of the script; everything in
# between - including the function definitions - is re-evaluated on each pass.
do {[int]$userMenuChoice = 0
# Inner loop: redraw the menu until a choice in 1..11 has been entered.
while ( $userMenuChoice -lt 1 -or $userMenuChoice -gt 11) {
Clear-Host
Write-Host ""
Write-Host "DATA COLLECTION UTILITY"
Write-Host "============================================================================================="
Write-Host "1. PERFMON - CREATE Perfmon Data Collector Sets" -ForegroundColor Gray
Write-Host "2. PERFMON - START Perfmon Data Collector Sets" -ForegroundColor Gray
Write-Host "3. PERFMON - STOP Perfmon Data Collector Sets" -ForegroundColor Gray
Write-Host "4. PERFMON - DELETE Perfmon Data Collector Sets" -ForegroundColor Gray
Write-Host "5. PERFMON - VIEW currently existing Perfmon Data Collector Sets" -ForegroundColor Gray
Write-Host "--------------------------------------------------------------------------------------------"
Write-Host "6. DATA COLLECTION - Collect Application, Security, and System, Logs Only"
Write-Host "7. DATA COLLECTION - Collect System Information and Misc. Logs Only"
Write-Host "8. DATA COLLECTION - Collect Windows Logs and System Information"
Write-Host "9. Upload collected data to remote share" -ForegroundColor Green
Write-Host "10. Delete currently collected Data - DELETES ALL DIAGNOSTIC DATA!!" -ForegroundColor Red
Write-Host "11. Quit and Exit" -ForegroundColor Green
Write-Host "============================================================================================="
# The [int] cast rejects non-numeric input with a conversion error; since
# $userMenuChoice then presumably stays 0, the menu is simply shown again.
# Options 6-9 export and upload the Security event log and other host details.
# NOTE(review): those collectors appear to need an elevated session - confirm.
[int]$userMenuChoice = Read-Host "Please choose an option"
# Functions for data collection
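function CreateDCS {
    # Creates the two Perfmon counter data collector sets: one sampling every
    # 3 minutes, one every 2 seconds. Both write binary circular logs (-f bincirc)
    # capped at 500 MB (-max) under $Perfmon with a mmddhhmm version suffix.
    # The counter list is declared once and shared, so the two sets cannot drift
    # apart the way two hand-maintained copies could.
    $counters = @(
        "\LogicalDisk(*)\*", "\Memory\*", "\.NET CLR Memory(*)\*", "\Cache\*",
        "\Network Interface(*)\*", "\Netlogon(*)\*", "\Paging File(*)\*",
        "\PhysicalDisk(*)\*", "\Processor(*)\*", "\Processor Information(*)\*",
        "\Process(*)\*", "\Thread(*)\*", "\Redirector\*", "\Server\*", "\System\*",
        "\Server Work Queues(*)\*", "\Terminal Services\*"
    )
    # An array passed to a native executable is expanded to one argument per element.
    Logman.exe create counter PerfLog-LongInterval -o "$Perfmon\PerfLog-LongInterval.blg" -f bincirc -v mmddhhmm -max 500 -c $counters -si 00:03:00
    if ($LASTEXITCODE -ne 0) { Write-Warning "logman create PerfLog-LongInterval exited with $LASTEXITCODE" }
    Logman.exe create counter PerfLog-ShortInterval -o "$Perfmon\PerfLog-ShortInterval.blg" -f bincirc -v mmddhhmm -max 500 -c $counters -si 00:00:02
    if ($LASTEXITCODE -ne 0) { Write-Warning "logman create PerfLog-ShortInterval exited with $LASTEXITCODE" }
    Start-Sleep -Seconds 2
}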
function StartDCS {
    # Starts both Perfmon data collector sets created by CreateDCS, then pauses
    # briefly so logman's output is visible before the menu is redrawn.
    $setNames = 'PerfLog-LongInterval', 'PerfLog-ShortInterval'
    foreach ($setName in $setNames) {
        Logman.exe start $setName
    }
    Start-Sleep -Seconds 2
}
function StopDCS {
    # Stops both Perfmon data collector sets so their .blg files are closed;
    # options 9 and 10 call this before copying or deleting the data.
    $setNames = 'PerfLog-LongInterval', 'PerfLog-ShortInterval'
    foreach ($setName in $setNames) {
        Logman.exe stop $setName
    }
    Start-Sleep -Seconds 2
}
function DeleteDCS {
    # Removes the two data collector set definitions from Perfmon. The .blg files
    # already written under $Perfmon are not touched by this.
    $setNames = 'PerfLog-LongInterval', 'PerfLog-ShortInterval'
    foreach ($setName in $setNames) {
        Logman.exe delete $setName
    }
    Start-Sleep -Seconds 2
}
function ViewExistingDCS {
    # Lists every data collector set on this machine (not only the two this
    # script creates) and pauses long enough for the listing to be read.
    & Logman.exe query
    Start-Sleep -Seconds 5
}
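function CollectEventLogs {
    # Exports the classic Application/Security/System logs (last 14 days) and a
    # fixed list of Windows event channels to CSV files under $EventLogs.
    # Fixes over the original: every channel export now uses -ErrorAction
    # SilentlyContinue, matching the classic-log exports, so a channel that does
    # not exist on this edition of Windows (e.g. Microsoft-ServerManagementExperience
    # or the SMB Witness channels on a client) no longer spills errors; the
    # TS-LocalSessionManager channel was exported twice and is now exported once.
    # Output file names are unchanged.
    # NOTE: the Security log export generally needs an elevated session - if
    # SecurityLog.csv is missing afterwards, that is the first thing to check.
    # The CSVs contain logon/account details; treat $EventLogs as sensitive.
    $Time = (Get-Date).AddDays(-14)

    # Classic logs. The Security export keeps a different column set (no UserName,
    # plus InstanceId) than System/Application, as in the original.
    $securityProps = 'EventID', 'InstanceId', 'EntryType', 'Source', 'TimeGenerated', 'Message', 'MachineName'
    $classicProps  = 'TimeGenerated', 'EventID', 'CategoryNumber', 'EntryType', 'UserName', 'Source', 'Message', 'MachineName'
    Get-EventLog -LogName Security -After $Time -ErrorAction SilentlyContinue |
        Select-Object $securityProps |
        Export-Csv (Join-Path $EventLogs 'SecurityLog.csv') -NoTypeInformation
    foreach ($classicLog in 'System', 'Application') {
        Get-EventLog -LogName $classicLog -After $Time -ErrorAction SilentlyContinue |
            Select-Object $classicProps |
            Export-Csv (Join-Path $EventLogs "${classicLog}Log.csv") -NoTypeInformation
    }

    # Event channels, in the original order. MaxEvents is only set where the
    # original capped the export (TaskScheduler). A channel that is absent or
    # empty simply produces no CSV, as before.
    $channelProps = 'TimeCreated', 'LevelDisplayName', 'ID', 'ProcessId', 'Message', 'MachineName'
    $channels = @(
        @{ Log = 'Setup';                                                           File = 'Setup.csv' },
        @{ Log = 'Microsoft-ServerManagementExperience';                            File = 'ServerMgmtExperience.csv' },
        @{ Log = 'Windows PowerShell';                                              File = 'Powershell.csv' },
        @{ Log = 'Microsoft-Windows-Diagnostics-Performance/Operational';           File = 'Performance.csv' },
        @{ Log = 'Microsoft-Windows-GroupPolicy/Operational';                       File = 'GroupPolicy.csv' },
        @{ Log = 'Microsoft-Windows-Kernel-PnP/Configuration';                      File = 'PlugandPlay.csv' },
        @{ Log = 'Microsoft-Windows-NetworkProfile/Operational';                    File = 'NetworkProfile.csv' },
        # File name kept for compatibility with earlier runs; the source is the NLA service channel.
        @{ Log = 'Microsoft-Windows-NlaSvc/Operational';                            File = 'LDAPAuth.csv' },
        @{ Log = 'Microsoft-Windows-Ntfs/Operational';                              File = 'NTFSOperational.csv' },
        @{ Log = 'Microsoft-Windows-PrintService/Admin';                            File = 'PrintServiceAdmin.csv' },
        @{ Log = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational';   File = 'RDS_RDPCoreTS.csv' },
        @{ Log = 'Microsoft-Windows-SmbClient/Connectivity';                        File = 'SMBClientConnectivity.csv' },
        @{ Log = 'Microsoft-Windows-SmbClient/Security';                            File = 'SMBClientSecurity.csv' },
        @{ Log = 'Microsoft-Windows-SMBServer/Operational';                         File = 'SMBServerOperational.csv' },
        @{ Log = 'Microsoft-Windows-SMBWitnessClient/Admin';                        File = 'SMBWitnessClientAdmin.csv' },
        @{ Log = 'Microsoft-Windows-SMBWitnessClient/Informational';                File = 'SMBWitnessClientInfo.csv' },
        @{ Log = 'Microsoft-Windows-TaskScheduler/Operational';                     File = 'TaskSchedulerOperational.csv'; MaxEvents = 3000 },
        @{ Log = 'Microsoft-Windows-TerminalServices-RDPClient/Operational';        File = 'TS-ClientActiveXCore.csv' },
        @{ Log = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; File = 'TS-LocalSessionManagerOperational.csv' },
        @{ Log = 'Microsoft-Windows-User Profile Service/Operational';              File = 'UserProfileService.csv' },
        @{ Log = 'Microsoft-Windows-WFP/Operational';                               File = 'WFP.csv' },
        @{ Log = 'Microsoft-Windows-Windows Defender/Operational';                  File = 'WindowsDefenderOperational.csv' },
        @{ Log = 'Microsoft-Windows-WindowsUpdateClient/Operational';               File = 'WindowsUpdateClient.csv' },
        @{ Log = 'Microsoft-Windows-Wired-AutoConfig/Operational';                  File = 'WiredAutoConfig.csv' },
        @{ Log = 'Microsoft-Windows-WLAN-AutoConfig/Operational';                   File = 'WLANAutoConfig.csv' },
        @{ Log = 'Microsoft-Windows-WMI-Activity/Operational';                      File = 'WMIActivity.csv' }
    )
    foreach ($channel in $channels) {
        $winEventParams = @{ LogName = $channel.Log; ErrorAction = 'SilentlyContinue' }
        if ($channel.MaxEvents) { $winEventParams.MaxEvents = $channel.MaxEvents }
        Get-WinEvent @winEventParams |
            Select-Object $channelProps |
            Export-Csv (Join-Path $EventLogs $channel.File) -NoTypeInformation
    }

    Write-Host "***********************************************"
    Write-Host "Check C:\Diagnostics for exported logs."
    Write-Host "***********************************************"
    Start-Sleep -Seconds 2
}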
# Collect System Info Function
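function CollectSystemInfo {
    # Dumps host configuration (patches, installed software, drivers, processes,
    # network state, Kerberos ticket listing, selected registry keys, group policy
    # result, disk space) into $SysConfig and copies a fixed set of servicing and
    # setup logs into $OtherLogs.
    # Fix over the original: gpresult /h refuses to overwrite an existing report,
    # so every run after the first left gpresult.html stale; /f forces the overwrite.
    # NOTE: netstat -b and gpresult /h generally need an elevated session, and the
    # output (open connections, tickets, installed software) is sensitive -
    # restrict who can read $SysConfig and the upload share.
    systeminfo >$SysConfig\systeminfo.txt
    netstat -ano >$SysConfig\netstat_ano.txt
    # -b (owning executable per connection) requires elevation; the file is empty otherwise.
    netstat -bna >$SysConfig\netstat_bna.txt
    route print >$SysConfig\routeprint.txt
    wmic qfe >$SysConfig\windowsupdates.txt
    # Win32_Product enumeration is slow and triggers a consistency check of every
    # MSI package (which itself logs Application events) - expected, not a fault.
    wmic product get name,version >$SysConfig\installedsoftware.txt
    driverquery /FO table >$SysConfig\drivers.txt
    tasklist /svc >$SysConfig\tasklist.txt
    ipconfig -all >$SysConfig\ipconfig.txt
    klist >$SysConfig\klist.txt
    klist sessions >$SysConfig\klistsessions.txt
    # Registry keys of interest; a missing key prints an error and leaves the file empty.
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting" >$SysConfig\localdumps.txt
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" >$SysConfig\memoryconfig.txt
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers" >$SysConfig\printers.txt
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors" >>$SysConfig\printers.txt
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" >$SysConfig\tcpipparameters.txt
    reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" >$SysConfig\hardware.txt
    gpresult /h $SysConfig\gpresult.html /f
    #Disk Info - appended to systeminfo.txt as a formatted table.
    $Fs = @{Label='Free Space (GB)'; expression={($_.freespace)/1gb}; formatstring='n2'}
    $Sz = @{Label='Size (GB)'; expression={($_.Size)/1gb}; formatstring='n2'}
    Get-WMIObject win32_LogicalDisk | Format-Table Name, $Fs, $Sz -a | Out-File $SysConfig\systeminfo.txt -Append
    #Copy Logs - each is best-effort; a log that is absent on this machine is skipped.
    $logFiles = @(
        "$env:SystemRoot\Logs\CBS\CBS.log",
        "$env:SystemRoot\Logs\DISM\DISM.log",
        "$env:SystemRoot\Logs\DirectX.log",
        "$env:SystemRoot\Panther\setupact.log",
        "$env:SystemRoot\Panther\setuperr.log",
        "$env:SystemRoot\INF\setupapi.dev.log",
        "$env:SystemRoot\INF\setupapi.setup.log",
        "$env:SystemRoot\INF\setupapi.app.log",
        "$env:SystemRoot\INF\setupapi.offline.log"
    )
    foreach ($logFile in $logFiles) {
        Copy-Item $logFile $OtherLogs\ -ErrorAction SilentlyContinue
    }
    # ConfigMgr client logs (directory copy; only present on managed machines).
    Copy-Item $env:SystemRoot\CCM\Logs $OtherLogs\CCM -Recurse -ErrorAction SilentlyContinue
    Get-WindowsUpdateLog -LogPath $OtherLogs\WindowsUpdateLog.log -ErrorAction SilentlyContinue
    Write-Host "***********************************************"
    Write-Host "Check C:\Diagnostics for exported logs."
    Write-Host "***********************************************"
    Start-Sleep -Seconds 2
}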
# Delete Data Function
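function DeleteData {
    # Removes the local diagnostics tree and re-creates the empty folder layout.
    # Fixes over the original: Remove-Item without -Recurse stops on a non-empty
    # directory (confirmation prompt, or an error without an interactive host)
    # and deletes nothing; and since the folders are only created once at script
    # start, the collection options failed to write after a delete - the empty
    # skeleton is now put back so the menu keeps working.
    # The guard refuses an empty/unset root so the deletion can never widen
    # beyond the intended folder.
    if ([string]::IsNullOrWhiteSpace($SourceDirectory)) {
        Write-Warning 'SourceDirectory is not set; nothing was deleted.'
        return
    }
    try {
        Remove-Item $SourceDirectory -Recurse -Force -ErrorAction Stop
        Write-Host "Local copy of diagnostics data has been removed from this computer."
    } catch {
        Write-Warning "Could not remove ${SourceDirectory}: $($_.Exception.Message)"
    }
    foreach ($dataFolder in @($SourceDirectory, $EventLogs, $OtherLogs, $SysConfig, $Perfmon)) {
        New-Item $dataFolder -ItemType Directory -Force | Out-Null
    }
    Start-Sleep -Seconds 2
}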
# Data Copy Function
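function DataCopy {
    # Copies the whole diagnostics tree to $FileCopyDest\<username>-<date>.
    # Fixes over the original: the "please wait" message is printed before the
    # (synchronous) copy instead of after it has already finished; a destination
    # still set to the placeholder share, or a copy failure, is reported
    # explicitly instead of leaving a bare Copy-Item error on screen.
    # NOTE: the tree holds the Security event log plus open-connection and
    # Kerberos ticket listings - the share's ACL should restrict read access.
    if ($FileCopyDest -eq '\\servername\share\') {
        Write-Warning 'FileCopyDest still points at the placeholder share; edit $FileCopyDest at the top of the script.'
        Start-Sleep -Seconds 2
        return
    }
    $destination = Join-Path $FileCopyDest ($env:Username + "-" + $Date)
    Write-Host "Copying files to share... please wait..."
    try {
        Copy-Item $SourceDirectory $destination -Recurse -ErrorAction Stop
        Write-Host "Copy complete: $destination"
    } catch {
        Write-Warning "Upload to $destination failed: $($_.Exception.Message)"
    }
    Start-Sleep -Seconds 2
}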
# Switch used to select which function you want to run.
# Only values 1..11 reach this point (the while loop above re-prompts for
# anything else), so 'default' is effectively option 11. Options 9 and 10
# stop the collector sets first, presumably so the .blg files are closed
# before the data is copied or deleted.
switch ($userMenuChoice) {
1{CreateDCS}
2{StartDCS}
3{StopDCS}
4{DeleteDCS}
5{ViewExistingDCS}
6{CollectEventLogs}
7{CollectSystemInfo}
8{CollectEventLogs; CollectSystemInfo}
9{StopDCS; DataCopy}
10{StopDCS; DeleteData}
default {Write-Host "Exiting Diagnostics Utility..." -ForegroundColor Green}
}
# closes the inner menu loop
}
# closes the outer loop: 11 is the only way out of the script
} while ( $userMenuChoice -ne 11 )
Enjoy and use at your own risk. I'll be tweaking this to get it to gather more data and to make it format it in better ways.