Windows analysis steps

The document outlines a process for creating and baselining virtual machines (VMs) running various versions of Windows. It includes detailed steps for gathering information on user accounts, network connections, file systems, processes, registry, services, and installed software. Additionally, it describes cloning a VM, installing software, and documenting changes for systematic analysis.

Uploaded by

brandong98

1) Create barebones VMs

- Windows 7
- Windows 8
- Windows 10
- Windows 11
2) Create baselines of each VM

- Accounts:
  $lu = Get-LocalUser
  $wu = Get-WmiObject -Class Win32_UserAccount | Where-Object { $_.LocalAccount -eq $true }

  $wu | ForEach-Object {
      # Match the WMI account to its Get-LocalUser entry by name
      $currentWmiUserName = $_.Name
      $l = $lu | Where-Object { $_.Name -eq $currentWmiUserName } | Select-Object -First 1

      # Append Enabled and Description from Get-LocalUser ("Not found" when there is no match)
      $enabled = "Not found"
      $description = "Not found"
      if ($l) {
          $enabled = $l.Enabled
          $description = $l.Description
      }

      # Emit one object per account: the WMI fields plus the two appended ones
      [PSCustomObject]@{
          Name        = $_.Name
          SID         = $_.SID
          Domain      = $_.Domain
          Disabled    = $_.Disabled
          Lockout     = $_.Lockout
          Enabled     = $enabled
          Description = $description
      }
  } | Format-Table -AutoSize > accounts.txt

- Connections:
  Get-NetTCPConnection | ForEach-Object {
      # Resolve the owning process; it may have exited already, so do not fail on lookup
      $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
      [PSCustomObject]@{
          LocalAddress  = $_.LocalAddress
          LocalPort     = $_.LocalPort
          RemoteAddress = $_.RemoteAddress
          RemotePort    = $_.RemotePort
          State         = $_.State
          PID           = $_.OwningProcess
          ProcessName   = $proc.Name
      }
  } | Format-Table -AutoSize > network.txt

- File system:
Use autopsy or HashMyFiles
Compare results using WinDiff

- Processes:
  # Path is a property of the process object itself; it is empty for processes
  # the current user cannot inspect (e.g. System, protected processes)
  Get-Process |
      Select-Object Handles, NPM, PM, WS, CPU, Id, SI, ProcessName, Path |
      Where-Object { $null -ne $_.Path } |
      Format-Table -AutoSize > processes.txt

- Registry:
Export registry using built-in export functionality
Compare .reg files using WinDiff

- Services:
  Get-CimInstance -ClassName Win32_Service |
      Select-Object State, StartMode, Name, DisplayName |
      Format-Table -AutoSize > services.txt

- Software:
  # Get installed software from the registry. The WOW6432Node key holds 32-bit
  # software on 64-bit Windows, so both uninstall keys are read. PSChildName
  # (the subkey name) is kept because the default-path check below uses it.
  $installedSoftware = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
                                        "HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
      Where-Object { $_.DisplayName } |
      Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, PSChildName

  # Create a list to hold the final results
  $softwareList = @()

  foreach ($software in $installedSoftware) {
      # Initialize executable path
      $path = "N/A"

      # Check if InstallLocation is available
      if ($software.InstallLocation) {
          # Look for an executable file directly in the install location
          $exeFiles = @(Get-ChildItem -Path $software.InstallLocation -Filter "*.exe" -ErrorAction SilentlyContinue)
          if ($exeFiles.Count -gt 0) {
              $path = $exeFiles[0].FullName   # Get the first executable found
          }
      }

      # If no InstallLocation found or no executables found, check default locations
      if ($path -eq "N/A") {
          # Default installation paths
          $defaultPaths = @(
              "C:\Program Files\$($software.DisplayName)\$($software.DisplayName).exe",
              "C:\Program Files (x86)\$($software.DisplayName)\$($software.DisplayName).exe",
              "C:\Program Files\$($software.DisplayName)\$($software.PSChildName).exe",
              "C:\Program Files (x86)\$($software.DisplayName)\$($software.PSChildName).exe"
          )

          foreach ($defaultPath in $defaultPaths) {
              # -LiteralPath: product names may contain characters Test-Path would treat as wildcards
              if (Test-Path -LiteralPath $defaultPath) {
                  $path = $defaultPath
                  break
              }
          }
      }

      # Add the software details to the list
      $softwareList += [PSCustomObject]@{
          Name           = $software.DisplayName
          Version        = $software.DisplayVersion
          Vendor         = $software.Publisher
          InstallDate    = $software.InstallDate
          ExecutablePath = $path
      }
  }

  # Output the results
  $softwareList | Format-Table -AutoSize > software.txt

3) Clone the relevant VM and install the software to be analysed
4) Perform baselining to determine changes
- Comparing files: diff (gc file1) (gc file2), i.e. Compare-Object (Get-Content file1) (Get-Content file2)
5) Document changes made to system
6) Systematically perform analysis of each change
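The following PowerShell is an added example of steps 2 to 4 as one script; it is not part of the original document. It writes every baseline artifact as CSV with a stable column set and then compares two snapshot directories artifact by artifact, so each change is reported as an added or removed row together with which artifact it came from, instead of a raw line diff. The function names Save-Baseline and Compare-Baseline, the directory paths, the $ScanRoot default and the registry keys exported are assumptions; Get-FileHash stands in for HashMyFiles and Compare-Object on CSV stands in for WinDiff. The comparison goes slightly beyond the document's diff of two text files: the key columns for each artifact decide what counts as the same item, so a changed service StartMode or a process whose Path changed shows up as one Removed and one Added row.

```powershell
# Added example (not from the original document). Assumed names: Save-Baseline,
# Compare-Baseline, $OutDir, $ScanRoot. Run as an administrator on the VM.
function Save-Baseline {
    param(
        [Parameter(Mandatory)] [string] $OutDir,
        [string] $ScanRoot = 'C:\Windows\System32'   # assumed: keeps the file-hash pass to a bounded tree
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Accounts: name, enabled state, description and SID (the SID survives a rename)
    Get-LocalUser | Select-Object Name, Enabled, Description, SID |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'accounts.csv')

    # Processes: the image path is what distinguishes a new binary from a known one
    Get-Process | Where-Object { $null -ne $_.Path } |
        Select-Object ProcessName, Id, Path |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'processes.csv')

    # Services: a new Name, a changed StartMode or a changed PathName is the usual persistence signal
    Get-CimInstance -ClassName Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, PathName |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'services.csv')

    # TCP endpoints with the owning process name
    Get-NetTCPConnection | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            Process = $p.Name
        }
    } | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'network.csv')

    # Installed software from the 64-bit and 32-bit uninstall keys
    Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'software.csv')

    # File hashes under $ScanRoot (Get-FileHash in place of HashMyFiles)
    Get-ChildItem -Path $ScanRoot -File -Recurse -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        Select-Object Path, Hash |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'files.csv')

    # Registry: export the keys most often touched by an installer with the built-in tool;
    # the .reg files can be compared with WinDiff as the document describes (keys are assumed)
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' (Join-Path $OutDir 'run.reg') /y | Out-Null
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services' (Join-Path $OutDir 'services.reg') /y | Out-Null
}

# Compare two snapshots. The key columns define identity per artifact, so a row whose
# key columns changed is reported as one Removed and one Added entry.
function Compare-Baseline {
    param(
        [Parameter(Mandatory)] [string] $Before,
        [Parameter(Mandatory)] [string] $After
    )
    $keys = @{
        'accounts.csv'  = 'Name', 'Enabled', 'SID'
        'processes.csv' = 'ProcessName', 'Path'
        'services.csv'  = 'Name', 'State', 'StartMode', 'PathName'
        'network.csv'   = 'Local', 'Remote', 'State', 'Process'
        'software.csv'  = 'DisplayName', 'DisplayVersion'
        'files.csv'     = 'Path', 'Hash'
    }
    foreach ($file in $keys.Keys) {
        $b = @(Import-Csv (Join-Path $Before $file))
        $a = @(Import-Csv (Join-Path $After $file))
        if ($b.Count -eq 0 -or $a.Count -eq 0) { continue }   # Compare-Object rejects empty sets
        Compare-Object -ReferenceObject $b -DifferenceObject $a -Property $keys[$file] |
            ForEach-Object {
                $d = $_
                $change = 'Removed'
                if ($d.SideIndicator -eq '=>') { $change = 'Added' }
                [PSCustomObject]@{
                    Artifact = $file
                    Change   = $change
                    Item     = ($keys[$file] | ForEach-Object { $d.$_ }) -join ' | '
                }
            }
    }
}

# Usage (paths assumed): snapshot before cloning, snapshot again after the install, then compare
# Save-Baseline -OutDir C:\baselines\clean
# Save-Baseline -OutDir C:\baselines\after-install
# Compare-Baseline -Before C:\baselines\clean -After C:\baselines\after-install | Format-Table -AutoSize
```

Expect noise on every run from the network and process artifacts (ephemeral ports, transient processes); take the clean snapshot immediately before the clone and the second one in the same session state so that what remains in the comparison is attributable to the installed software. Get-LocalUser and Get-NetTCPConnection require Windows PowerShell 5.1 or later, so on the Windows 7 and 8 VMs the document lists, use the WMI-based account query and netstat output from the earlier steps in place of those two artifacts.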
