
Friday, April 28, 2017

Everyday Powershell - Part 41 - Get Screen Resolution from remote PCs

Everyday powershell. It's not updated everyday, it's tools you could use daily.

You know sometimes you just need to know what resolution all your computers are running.
Import-Module ActiveDirectory
Get-ADComputer -Filter {operatingsystem -like "Windows 7*"} -Properties operatingsystem | ForEach-Object {
    # One row per computer: name, whether it answered a ping, and the resolution WMI reports
    $temp = "" | Select-Object computername, ScreenHeight, ScreenWidth, pcon
    $temp.pcon = Test-Connection $_.name -Count 1 -Quiet
    $temp.computername = $_.name
    if($temp.pcon){
        # Remote WMI query over DCOM; a machine with more than one monitor returns an array here
        $resolution = Get-WmiObject -ComputerName $_.name -Class Win32_DesktopMonitor
        $temp.ScreenHeight = $resolution.ScreenHeight
        $temp.ScreenWidth  = $resolution.ScreenWidth
    }
    $temp
    $temp | Export-Csv C:\temp\monitoraudit.csv -Append
}

Check out the filter on the first line, that can be anything. We just needed Windows 7 machines.

It's a pretty easy foreach-object;

  • sets up a temp object in my favorite manner,
  • pings the machine to make sure it's up,
  • pulls the info we need from WMI
  • then bangs it out to the console and a CSV.
Hitting up each machine with a WMI query gets us fast results, but it's not exactly complete: anything that's switched off when the script runs is skipped. You could rejig this so that it ran as part of a login script, or schedule it to run daily.
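The same audit done the way I'd run it today, as an added example rather than the post's own script: Get-CimInstance over WinRM instead of Get-WmiObject over DCOM, one row per display so dual-monitor machines don't end up as an array in one CSV cell, offline machines and query errors kept in the report, and a fallback to Win32_VideoController because Win32_DesktopMonitor frequently reports no size on Windows 8 and later. It assumes the ActiveDirectory module and WinRM access to the targets; the filter and the CSV path are placeholders taken from the post.

```powershell
# Added example (not the original post's code). Assumes: ActiveDirectory module installed,
# WinRM reachable on the targets, and a writable placeholder path for the CSV.
Import-Module ActiveDirectory

function New-AuditRow {
    param($ComputerName, $Online, $Source, $Width, $Height, $Message)
    [pscustomobject]@{
        ComputerName = $ComputerName
        Online       = $Online
        Source       = $Source
        ScreenWidth  = $Width
        ScreenHeight = $Height
        Error        = $Message
    }
}

function Get-DisplayAudit {
    param(
        [string]$Filter = 'operatingsystem -like "Windows 7*"',   # same filter as the post; change to taste
        [string]$OutCsv = 'C:\temp\monitoraudit.csv'             # placeholder output path
    )
    $rows = Get-ADComputer -Filter $Filter -Properties operatingsystem | ForEach-Object {
        $name = $_.Name
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            # Offline machines stay in the report so the gaps are visible, not silently dropped.
            New-AuditRow $name $false $null $null $null $null
            return
        }
        try {
            # Get-CimInstance talks WinRM, unlike Get-WmiObject (DCOM); -ErrorAction Stop sends an
            # unreachable endpoint to the catch block instead of producing a half-filled row.
            $source = 'Win32_DesktopMonitor'
            $displays = @(Get-CimInstance -ComputerName $name -ClassName Win32_DesktopMonitor -ErrorAction Stop |
                          Where-Object { $_.ScreenWidth -and $_.ScreenHeight })
            if ($displays.Count -eq 0) {
                # Win32_DesktopMonitor often reports no size on Windows 8 and later; the video
                # controller's current mode is the usual fallback.
                $source = 'Win32_VideoController'
                $displays = @(Get-CimInstance -ComputerName $name -ClassName Win32_VideoController -ErrorAction Stop |
                              Where-Object { $_.CurrentHorizontalResolution } |
                              Select-Object @{n = 'ScreenWidth';  e = { $_.CurrentHorizontalResolution }},
                                            @{n = 'ScreenHeight'; e = { $_.CurrentVerticalResolution }})
            }
            if ($displays.Count -eq 0) {
                New-AuditRow $name $true $source $null $null 'no display reported'
            }
            foreach ($d in $displays) {
                # One row per display rather than one array-valued cell per machine.
                New-AuditRow $name $true $source $d.ScreenWidth $d.ScreenHeight $null
            }
        } catch {
            New-AuditRow $name $true $null $null $null $_.Exception.Message
        }
    }
    $rows | Export-Csv -Path $OutCsv -NoTypeInformation
    $rows
}

Get-DisplayAudit | Format-Table -AutoSize
```

Because it writes the whole run in one go instead of appending per machine, re-running it replaces the previous audit rather than stacking duplicates onto it; keep the old file if you want history.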

Why do we need this info? Well that's for next time when we'll do something useful with this data set we've created.

Friday, July 25, 2014

Everyday Powershell - Part 25 - Monitor for CryptoWall

So the bastards got us! Yup we got Cryptowalled!

We caught the infection before it did too much damage, isolated the PC, configured the firewall to block the IPs it was trying to get to and restored the pwnd files from backup. Business as usual really.

But what do we do to monitor for this in the future?

Whacked this together quickly;
$protectedpaths = "\\server1\someshare", "\\server2\someother"
$filename = "-Canary-.txt"
$foldername = "\-----AAA--TOP-----\"
$canarystring = "If this can be read everything is ok"
$logpath = "C:\scripts\cryptolockercanary.txt"
$recipients = "someadmin@mail.com"
$smtpserver = "somemailserver"

$report = @()

foreach ($path in $protectedpaths){
    $temp = "" | Select-Object Time, Path, EncryptedStatus
    $pathwithfolder =  $path + $foldername
    $canarypath =  $pathwithfolder + $filename
    $temp.Time = Get-Date
    $temp.Path = $pathwithfolder
    if (Test-Path $canarypath){
        # Canary is there: it only counts as intact if it still reads exactly as we wrote it
        $test = Get-Content $canarypath
        if ($test -eq $canarystring){
            $temp.EncryptedStatus = $false
        }
        else{
            $temp.EncryptedStatus = $true
            Send-MailMessage -To $recipients -From "some@email.com" -Subject ("CryptoLockerCanary Has been changed! " + $temp.Time) -BodyAsHtml ($temp | ConvertTo-Html | Out-String) -SmtpServer $smtpserver
        }
    }
    else{
        # No canary (first run, or it was renamed/deleted): create a hidden one and say so
        mkdir $pathwithfolder -Force | Out-Null
        Out-File $canarypath -InputObject $canarystring
        Set-ItemProperty -Path $canarypath -Name attributes -Value ((Get-ItemProperty $canarypath).attributes -BXOR ([io.fileattributes]::Hidden))
        if (Test-Path $canarypath){
            Send-MailMessage -To $recipients -From "some@email.com" -Subject ("CryptoLockerCanary file is not present - creating new one " + $temp.Time) -BodyAsHtml ($temp | ConvertTo-Html | Out-String) -SmtpServer $smtpserver
        }
        else{
            Send-MailMessage -To $recipients -From "some@email.com" -Subject ("CryptoLockerCanary file is not present and COULD NOT CREATE new one - Recommend investigation " + $temp.Time) -BodyAsHtml ($temp | ConvertTo-Html | Out-String) -SmtpServer $smtpserver
        }
    }
    $report += $temp
}
$report | Export-Csv -Path $logpath -Append -NoTypeInformation
$report

It'll take any folders defined in $protectedpaths and stick a "canary" file in there. If it sees a change to the canary file it'll send out emails to $recipients.

This is scheduled to run every five minutes, so this way we'll get alerted really quickly if it gets through again.
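A variation on the same idea, added here as an example and not part of the original post: instead of comparing the canary's text to the string that wrote it, keep a SHA-256 baseline in a file off the monitored shares and compare hashes, treat a missing canary as an alert in its own right (renamed or deleted originals are just as much a sign as encrypted ones), and list whatever new files have shown up beside it so the alert says what landed. It assumes PowerShell 3 or later and that the scheduled task account can read and write the shares; the share paths, folder name and baseline file location are placeholders, the first two lifted from the post.

```powershell
# Added example (not the post's script). Assumes PowerShell 3+, a task account with
# read/write on the shares, and placeholder paths for the shares and the baseline file.

function Get-CanaryHash {
    # Hash via .NET so hidden files read the same as visible ones.
    param([Parameter(Mandatory)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally { $sha.Dispose() }
}

function Initialize-Canary {
    # Plant a hidden canary and return the baseline hash that later checks compare against.
    param(
        [Parameter(Mandatory)][string]$CanaryPath,
        [string]$Content = 'If this can be read everything is ok'
    )
    $dir = Split-Path -Parent $CanaryPath
    [System.IO.Directory]::CreateDirectory($dir) | Out-Null
    [System.IO.File]::WriteAllText($CanaryPath, $Content)
    [System.IO.File]::SetAttributes($CanaryPath, [System.IO.FileAttributes]::Hidden)
    Get-CanaryHash -Path $CanaryPath
}

function Test-Canary {
    param(
        [Parameter(Mandatory)][string]$CanaryPath,
        [Parameter(Mandatory)][string]$BaselineHash
    )
    $result = [pscustomobject]@{ Time = Get-Date; Path = $CanaryPath; Status = 'Unknown'; Detail = '' }
    if (-not (Test-Path -LiteralPath $CanaryPath)) {
        # Missing is an alert too: ransomware commonly renames or deletes the original.
        $result.Status = 'Missing'
        $dir = Split-Path -Parent $CanaryPath
        if (Test-Path -LiteralPath $dir) {
            # Name whatever appeared in the canary folder (renamed originals, ransom notes).
            $result.Detail = (Get-ChildItem -LiteralPath $dir -Force -File | ForEach-Object Name) -join ';'
        } else {
            $result.Detail = 'canary folder missing or share unreachable'
        }
        return $result
    }
    $current = Get-CanaryHash -Path $CanaryPath
    if ($current -eq $BaselineHash) {
        $result.Status = 'Intact'
    } else {
        $result.Status = 'Modified'
        $info = Get-Item -LiteralPath $CanaryPath -Force
        $result.Detail = "sha256=$current size=$($info.Length) lastwrite=$($info.LastWriteTime)"
    }
    $result
}

# --- usage, the part the scheduled task runs ---
$roots        = '\\server1\someshare', '\\server2\someother'   # placeholder shares from the post
$canaryFolder = '-----AAA--TOP-----'
$canaryFile   = '-Canary-.txt'
$baselineFile = 'C:\scripts\canary-baseline.csv'               # placeholder; keep it off the shares
$logFile      = 'C:\scripts\cryptolockercanary.csv'            # placeholder

if (-not (Test-Path -LiteralPath $baselineFile)) {
    # First run: plant the canaries and record their hashes once.
    $roots | ForEach-Object {
        $p = Join-Path (Join-Path $_ $canaryFolder) $canaryFile
        [pscustomobject]@{ Path = $p; Hash = (Initialize-Canary -CanaryPath $p) }
    } | Export-Csv -LiteralPath $baselineFile -NoTypeInformation
}

$results = Import-Csv -LiteralPath $baselineFile |
           ForEach-Object { Test-Canary -CanaryPath $_.Path -BaselineHash $_.Hash }
$results | Export-Csv -LiteralPath $logFile -Append -NoTypeInformation

$alerts = $results | Where-Object Status -ne 'Intact'
if ($alerts) {
    # Anything other than Intact is worth a look; swap in Send-MailMessage here as the post does.
    $alerts | Format-Table -AutoSize | Out-String | Write-Warning
}
```

Keeping the baseline on a local path rather than on the share matters: if the baseline lived next to the canary, whatever rewrote the canary could rewrite the baseline too. The CSV log gives you a timeline per share, which is handy when working out when a machine first started touching the folder.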