Zepto Virus check - Scan A Server/PC Disk Drive looking for part of a filename - vbscript

I'm looking for some help with creating a script that can scan the Disk Drives on a Server or PC and search out a Zepto Virus infection and alert us in our Monitoring Dashboard.
We have used scripts to detect Cryptowall and Locky but these rely on searching for a very specific file name. The difference with Zepto is that its "Help" files are composed with a random number in each file:
_3_HELP_instructions.html, _21_HELP_instructions.html, _12_HELP_instructions.html etc.
Essentially I'm looking for a script that can maybe search for *_HELP_instructions.html or even just search for any filename with HELP_instructions.html contained in it.
The code we have used for Locky is as follows:
strComputer = "."
set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colShares = objWMIService.ExecQuery("Select * from Win32_Share")
For each objShare in colShares
strInfected = False
If objFSO.fileexists(objShare.path & "\_Locky_recover_instructions.txt") then
strInfected = True
wscript.echo "Network Share " & objShare.Path & " is INFECTED!"
wscript.quit(2015)
End If
Next
If strInfected = False Then
wscript.echo "System Clear!"
wscript.quit(0)
End If
Is there anyone out there that can help me with this one? Due to the way our Monitoring Dashboard works I need the script to be based on the above, with the:
If strInfected = False Then
wscript.echo "System Clear!"
wscript.quit(0)
End If
at the end of the script.
Many thanks in advance
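One way to do the wildcard match asked for above, added here as an example and not code from the original post. It assumes the ransom-note names always follow the `_<digits>_HELP_instructions.html` form shown in the question, checks only the top-level folder of each share as the Locky script does, and reuses that script's exit codes and closing block.

```vbscript
Option Explicit
Dim strComputer, objFSO, objWMIService, colShares, objShare
Dim objRegEx, objFile, strInfected

strComputer = "."
strInfected = False

Set objFSO = CreateObject("Scripting.FileSystemObject")

' Matches _3_HELP_instructions.html, _21_HELP_instructions.html, and so on.
' The pattern is an assumption built from the file names quoted in the question.
Set objRegEx = New RegExp
objRegEx.Pattern = "^_\d+_HELP_instructions\.html$"
objRegEx.IgnoreCase = True

Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colShares = objWMIService.ExecQuery("Select * from Win32_Share")

For Each objShare In colShares
    ' IPC$ and printer shares have no usable folder path; skip them
    If Not IsNull(objShare.Path) Then
        If objFSO.FolderExists(objShare.Path) Then
            ' FileExists cannot take wildcards, so test each file name
            For Each objFile In objFSO.GetFolder(objShare.Path).Files
                If objRegEx.Test(objFile.Name) Then
                    strInfected = True
                    WScript.Echo "Network Share " & objShare.Path & _
                        " is INFECTED! (" & objFile.Name & ")"
                    WScript.Quit(2015)
                End If
            Next
        End If
    End If
Next

If strInfected = False Then
    WScript.Echo "System Clear!"
    WScript.Quit(0)
End If
```

Run it under an account that can read every share root; a folder the account cannot list raises a runtime error instead of reporting "System Clear!".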

Related

VBScript - Multiple Issues

So I've been thrown in the deep end of the shark tank without even my arm floaters and I don't know how to swim (Translation - I don't know VBS).
So I find myself here because I keep hitting my scripts with the two sticks I have and it still doesn't work. When I fix one issue another appears and when I fix that one the other returns (feel like I'm chasing my tail).
So below is the latest iteration of my code (I keep moving crap around thinking it might magically work).
'---- Set Constant for Reading
Const ForReading = 1
'----- Define at the Variables for the scripts
Set objDictionary = CreateObject("Scripting.Dictionary")
Set objFSO = CreateObject("Scripting.FileSystemObject")
'------ Path for File below is Explicit (meaning you need to enter the complete path)
Set objTextFile = objFSO.OpenTextFile("c:\users\me\documents\Small- ComputerList.txt", ForReading)
'---- Begin Loop for reading the Array
Do Until objTextFile.AtEndOfStream
strNextLine = objTextFile.Readline
arrServiceList = Split(strNextLine , ",")
' ------- strComputer = "usms-w-ksd68598" Commented out from original script
' ------- Reading from the Array
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & arrServiceList(0) & "\root\cimv2")
' ------- Running the Command to find all the printers
Set colPrinters = objWMIService.ExecQuery _
("Select * from Win32_Printer")
For Each objPrinter in colPrinters
objDictionary.RemoveAll
objDictionary.Add objPrinter.PortName, objPrinter.PortName
Next
' ------ Running the Command to find all the TCP/IP Printer Ports
Set colPorts = objWMIService.ExecQuery _
("Select * from Win32_TCPIPPrinterPort")
For Each objPort in colPorts
If objDictionary.Exists(objPort.Name) Then
strUsedPorts = strUsedPorts & _
objDictionary.Item(objPort.Name) & VbCrLf
Else
strFreePorts = strFreePorts & objPort.Name & vbCrLf
End If
Next
'----- Printing out the Results to the screen
For i = 1 to Ubound(arrServiceList)
& arrServiceList(i)
Next
Loop
Wscript.Echo "System Name: " & arrServiceList(0)
Wscript.Echo "The following ports are in use for: " & VbCrLf & strUsedPorts
Wscript.Echo "The following ports are not used for: " & VbCrLf & strFreePorts
If my crazy ducted taped scripts make no sense please don't be shocked. I've been stuck in a cave hitting the keyboard with two sticks and this is the result I've come up with. Not too bad for a caveman but it still doesn't work.
Any help, assistance, advice, comment, jokes, sarcasm, ranting appreciated. Any trolling will be swiftly dealt with a big mallet over the head.
Thank you,
Ed Medina
Lo and behold the gods of code have shone their light upon my path and provided me with an answer.
Anyway, Thanks to Big Chris and Mr. Roryap for their questions. I want to also thank the Academy, all of my fellow coders, my mom, coffee, the mailman, my wife, my cat and all the little people.
Here is a code that will work which will read from a file in your Temp Folder (file is named Computers.txt) and then against that file it will run and test to find all the printers ports in that computer in your Domain (Network).
The output is a simple Echo out giving it to you in the window. I just kept hitting the keyboard with my two sticks in my dark, smelly cave and out came the code.
The only caveat is that if you have a wrong computer name or a computer turned off the script will fail at that point and won't continue (yeah, yeah, working on it).
'---- Set Constant for Reading
Const ForReading = 1
'----- Define the Variables for the script
Set objDictionary = CreateObject("Scripting.Dictionary")
Set objFSO = CreateObject("Scripting.FileSystemObject")
'------ Path for File below is Explicit (meaning you need to enter the complete path)
Set objFile = objFSO.OpenTextFile("c:\Temp\Computers.txt", ForReading)
'---- Begin Loop for reading the computer list, one name per line
Do Until objFile.AtEndOfStream
    strComputer = objFile.ReadLine
    ' ------- Reset per-computer state so results do not carry over
    objDictionary.RemoveAll
    strUsedPorts = ""
    strFreePorts = ""
    ' ------- Connect to WMI on the computer just read
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    ' ------- Running the Command to find all the printers
    Set colPrinters = objWMIService.ExecQuery _
        ("Select * from Win32_Printer")
    For Each objPrinter in colPrinters
        ' Several printers can share one port; Add fails on a duplicate key
        If Not objDictionary.Exists(objPrinter.PortName) Then
            objDictionary.Add objPrinter.PortName, objPrinter.PortName
        End If
    Next
    ' ------ Running the Command to find all the TCP/IP Printer Ports
    Set colPorts = objWMIService.ExecQuery _
        ("Select * from Win32_TCPIPPrinterPort")
    For Each objPort in colPorts
        If objDictionary.Exists(objPort.Name) Then
            strUsedPorts = strUsedPorts & _
                objDictionary.Item(objPort.Name) & VbCrLf
        Else
            strFreePorts = strFreePorts & objPort.Name & vbCrLf
        End If
    Next
    '---- Output to Screen
    Wscript.Echo "System Name: " & strComputer
    Wscript.Echo "The following ports are in use for: " & VbCrLf & strUsedPorts
    Wscript.Echo "The following ports are not used for: " & VbCrLf & strFreePorts
Loop
objFile.Close
Thank you.
BTW if anyone knows how to throw an error and keep working, feel free to post. Thanks again everyone.

Output Vbscript info to txt file

Newbie question - I have here a VBScript that looks for an Upgrade Code, and based on that finds the Product Codes for the specified Upgrade Code. The Upgrade Code is always the same, but Product Code changes from version to version, and that can make uninstalling software troublesome. And no, I didn't make this script myself.
This script works very well, but I'd like to make it output all the product codes it found to a text file. I've looked on Google for hours, found some clues, but I've not been able to make it work. Always turns up with a blank text file.
Here's the code:
strComputer = "."
Set WshShell = CreateObject("Wscript.Shell")
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
On Error Resume Next
Set colSoftware = objWMIService.ExecQuery _
("Select * from Win32_Property Where Property = 'UpgradeCode'")
For Each objSoftware in colSoftware
If objSoftware.Value = "{BCCCB25E-C6A6-4340-9018-DA0FB34AF226}" Then
strCMD = "MsiExec.exe /x " & objSoftware.ProductCode & " /qn"
objExec = WshShell.Run(strCMD,1,True)
If objExec <> 0 Then
WScript.Quit objExec
End If
End If
Next
WScript.Quit 0
How do I output objSoftware.ProductCode to a text file? Or do I need to output something else to get the Product Codes I'm looking for?
The easy way to write text to a file is to WScript.Echo the desired info and run the script like cscript x.vbs > output.txt.
If that seems too pedestrian, start your research here.
Played around with it, Googled it, and I found a solution that works for me. This prints out all the Product Codes on your computer based on the specified Upgrade Code. Here's the script:
strComputer = "."
Set WshShell = CreateObject("Wscript.Shell")
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
On Error Resume Next
Set colSoftware = objWMIService.ExecQuery _
("Select * from Win32_Property Where Property = 'UpgradeCode'")
For Each objSoftware in colSoftware
If objSoftware.Value = "{BCCCB25E-C6A6-4340-9018-DA0FB34AF226}" Then
Wscript.Echo objSoftware.ProductCode
strCMD = "MsiExec.exe /x " & objSoftware.ProductCode & " /qn"
objExec = WshShell.Run(strCMD,1,True)
If objExec <> 0 Then
WScript.Quit objExec
End If
End If
Next
WScript.Quit 0
Running //NoLogo scriptname.vbs > log.txt in command prompt, gives me a txt file with all the product codes for the upgrade code specified.
Please note this code also uninstalls the software afterwards.

Query to Select All Non-Essential Temporary Files

I am trying to write a script to delete unneeded temporary files. I am wanting to specifically target .tmp's, though. At least for now. So I am trying to write a WQL query to return a collection with which I can use a FOR EACH statement to delete all of the .tmp's in C:\Users\\AppData\Local\Temp. I've only recently started learning VBScript. But I have experience writing programs in C/C++ (mainly "math-y" programs).
Cscript seems to have no problem with the query itself. But when I try to use the Count method on the resulting collection, cscript returns an error: (17,1) Microsoft VBScript runtime error: Object doesn't support this property or method: 'colTempFiles.Count'.
I've read up on WQL a little bit, thinking that maybe I'm not getting a collection returned for some reason. But I can't seem to find anything wrong with the query. I'm thinking that maybe I shouldn't be selecting from FileSystemObject. But I've read what I can find about it, and it seems to be the right thing to do (although there really isn't a lot of helpful info on MSDN).
Anyway, here's the script I currently have, without comments. The second line is something I am not currently using, but am going to try to use later, so that I can define a variable as the local computer's username and not have to point to the local Temp folder's path specifically. Any help would be greatly appreciated:
strComputer = "."
strUser="adam"
Set objFSO=CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colTempFiles = objWMIService.ExecQuery _
("SELECT * FROM FileSystemObject WHERE Name = '*.tmp' AND "_
& "NOT Name LIKE 'Prf%' AND Path LIKE 'C:\Users\adam\AppData\Local\Temp\%'")
colTempFiles.Count
For Each objFile in colTempFiles
Wscript.Echo objFile.Name
'Set objF=objFSO.GetFile("objFile.Path")
'objF.Delete(True)
Next
I think you're confusing two different technologies. A FileSystemObject is a COM class that needs to be instantiated using CreateObject() in VBScript. For WQL, you need to use a WMI class in your query. Here is a core list of WMI classes. For your purposes, you'll want to use the CIM_DataFile class to work with files.
You can use either technology. The FileSystemObject is the preferred method if you're working with the local file system. If you need to work with files on a remote machine, use WMI and WQL.
Here's an example using a FileSystemObject:
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFolder = objFSO.GetFolder("C:\Users\adam\AppData\Local\Temp")
For Each objFile In objFolder.Files
If StrComp(objFSO.GetExtensionName(objFile.Path), "tmp", vbTextCompare) = 0 Then
objFile.Delete ' This is the Delete() method of the FSO's "File" class
End If
Next
And here's an example using WQL:
strComputer = "."
' Connect to the WMI service on the specified computer...
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Build our WQL query...
strQuery = "select * from CIM_DataFile "
strQuery = strQuery & "where Drive='C:' "
strQuery = strQuery & "and Path='\\Users\\adam\\AppData\\Local\\Temp\\' "
strQuery = strQuery & "and Name like '%.tmp'"
' Run the query...
Set colTempFiles = objWMIService.ExecQuery(strQuery)
' Delete each file...
For Each objFile In colTempFiles
objFile.Delete ' This is the Delete() method of the WMI "CIM_DataFile" class
Next

Start Service with VBscript

I am trying to have this script take a text file running and stopped services before a reboot and start any services that did not automatically start after the machine starts back up. The script that gets the list of service names, state and startmode and creates a comma separated text file line by line works fine. Here it is for reference (taken from the interwebs, lost the link in my travels. Modified slightly.):
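' OpenTextFile I/O mode: 2 = write (replace existing contents)
Const ForWriting = 2
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Third argument True creates the file if it does not exist
Set objLogFile = objFSO.OpenTextFile("service_list.txt", _
ForWriting, True)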
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery("Select * from Win32_Service")
For Each objService in colListOfServices
objLogFile.Write objService.Name & ","
objLogFile.Write objService.StartMode & ","
objLogFile.Write objService.State
objLogFile.Writeline
Next
objLogFile.Close
This next bit reads the file line by line, compares the state of all of the services with the state of the services that were recorded before the machine was shut down. If they match, do nothing, if they are different, start the service:
Const ForReading = 1
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objServiceName = objWMIService.get("Win32_Service.Name='" & ServiceName & "'")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("\\some path\service_list.txt",ForReading,True,-2)
Do Until objFile.AtEndOfStream
fLine = Split(objFile.ReadLine,",")
'wscript.echo fLine(2)
if InStr(fLine(2),"Running") then
'wscript.echo "it was running!"
if objServiceName.Started then
'do nothing
else
'Set servicetostart = objWMIService.ExecQuery ("Select " & ServiceName & " from Win32_Service Where Name ='Alerter'")
'servicetostart.StartService()
'Result = objServiceName.StartService
'If 0 <> Result Then
' wscript.echo "Start " & ServiceName & " error:" & Result
'End If
objServiceName.StartService
'wscript.echo Servicename & "could not start with error: " & Result
end if
end if
'wscript.echo objServiceName
Loop
As of right now I am receiving an error whenever it actually tries to start the service. I receive a "Provider Failure code:80041004 Source:SWbemObjectEX". I have been looking through the posts about this error and attempting the fixes suggested. Also, as you can see, I have been trying variations, but I am afraid I am merely guessing.
So to my question, what is causing the "Provider Failure"? I have looked up this information for the Win32_Service Class here:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa394418%28v=vs.85%29.aspx#methods
and looked up the method here:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa393660%28v=vs.85%29.aspx
But have been unable to work out where I am going wrong.
Thanks,
Joe
On a side note, the service I am testing (i.e. making sure the service is starting, creating the text file, then stopping the service and running the "start service" code) is Windows Defender. The service name is "WinDefend".
FINAL WORKING CODE:
Const ForReading = 1
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("\\vmware-host\Shared Folders\Documents\Biffduncan\Monthly Server Maintanence\service_list.txt",ForReading,True,-2)
Do Until objFile.AtEndOfStream
fLine = Split(objFile.ReadLine,",")
Set objService = objWMIService.get("Win32_Service.Name='" & fLine(0) & "'")
if InStr(fLine(2),"Running") then
'wscript.echo "it was running!"
if objService.Started then
'do nothing
else
Result = objService.StartService()
if Result <> 0 then
wscript.echo "The service: " & objService.Name & " did not start with error: " & Result
else
wscript.echo "Service " & objService.Name & " started"
end if
end if
end if
Loop
Error code 0x80041004 means that the WMI provider encountered an error after it was already initialized. The error code doesn't say anything about the cause of the error, though, nor does it provide any details. Try running WBEMTest or WMIDiag to track down the error. Also check the eventlog for related errors/warnings. If everything else fails, try rebuilding the WMI repository.
As for your code, the first thing I'd do is strip it down to the bare minimum, to avoid potential error sources:
Set wmi = GetObject("winmgmts://./root/cimv2")
Set svc = wmi.Get("Win32_Service.Name='WinDefend'")
rc = svc.StartService
WScript.Echo rc
Also, I wouldn't recommend writing the service status to a file at some random point in time, and then try starting services according to the contents of that file. There is no guarantee that the start mode hasn't been changed since the file was created, or that the service is even installed anymore.
Whether or not a service should be started is indicated by its StartMode property, so just check those services that are set to Auto. Services set to Manual will be started by the system on demand, so there's no need to launch them just because they were running when you took the snapshot.
qry = "SELECT * FROM Win32_Service WHERE StartMode='Auto'"
For Each svc In wmi.ExecQuery(qry)
If Not svc.Started Then svc.StartService
Next

Query Mapped Network Drive

This query runs fine on my local machine:
strComputer = "."
drive = "C:"
path = "\\path\\to\\local\\folder\\"
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Path = '"&path&"' and drive='"&drive&"'")
If colFiles.Count < 1 Then
Wscript.Echo "Folder does not exist"
Else
Wscript.Echo "Folder does exist"
End If
But when I try to query a mapped network drive, the program fails with 'Folder does not exist'. Yet I am sure it is the correct path to the file.
The only parts that change are:
drive = "Z:"
path = "\\path\\to\\mapped\\drive\\folder\\"
Any clues as to why this would not work?
Trying to map drives on a remote computer via WMI will fail, though there is a workaround. Thanks to Frank White's inspirational code, a fully fleshed process now exists to map a drive on a remote computer via WMI using a command prompt and passing explicit credentials.
https://stackoverflow.com/a/11948096/1569434
So to debug this I ran the following:
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colFiles = objWMIService.ExecQuery("Select * from CIM_Datafile Where Drive = 'Z:'")
For Each objFile in colFiles
Wscript.Echo objFile.Name
Next
This resulted in the error 'remote procedure call failed', which I understand means that the mapped drive does not support WMI.
