WindowsAudit.ps1

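Function Get-OSCInstalledApplication
{
    <#
    .SYNOPSIS
        Lists installed applications for one or more computers.
    .DESCRIPTION
        Targets come either from -ComputerName (one or more names, also accepted from the
        pipeline) or from a CSV at -ComputerFilePath that has a ComputerName column. Every
        target, from either input form, is ping-tested first and skipped with a warning when
        it does not answer; reachable targets are handed to FindInstalledApplicationInfo,
        which does the actual lookup.
    .PARAMETER ComputerName
        One or more computer names (alias CName).
    .PARAMETER ComputerFilePath
        Path to a CSV file with a ComputerName column (alias CNPath).
    .OUTPUTS
        The objects emitted by FindInstalledApplicationInfo, one stream for all targets.
    #>
    [CmdletBinding(DefaultParameterSetName='SinglePoint')]
    Param
    (
        [Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, ParameterSetName="SinglePoint")]
        [Alias('CName')][String[]]$ComputerName,
        [Parameter(Mandatory=$true, Position=0, ParameterSetName="MultiplePoint")]
        [Alias('CNPath')][String]$ComputerFilePath
    )

    # A Process block is required for ValueFromPipeline: without it only the last
    # pipelined item is seen. With no pipeline input it runs exactly once.
    Process
    {
        # Resolve the target list from whichever parameter set was used.
        $Targets = @()
        If ($ComputerName)
        {
            $Targets = $ComputerName
        }
        ElseIf ($ComputerFilePath)
        {
            # Drop blank cells so an empty row does not become a target named "".
            $Targets = @((Import-Csv -Path $ComputerFilePath).ComputerName | Where-Object { $_ })
            If ($Targets.Count -eq 0)
            {
                Write-Warning "No ComputerName values found in '$ComputerFilePath'."
            }
        }

        Foreach ($CN in $Targets)
        {
            # One ICMP echo as a reachability gate. Hosts that drop ICMP are reported as
            # unreachable and skipped, so an empty result is not proof that nothing is installed.
            $PingResult = Test-Connection -ComputerName $CN -Count 1 -Quiet
            If ($PingResult)
            {
                FindInstalledApplicationInfo -ComputerName $CN
            }
            Else
            {
                # Name the single host that failed, not the whole input array.
                Write-Warning "Failed to connect to computer '$CN'."
            }
        }
    }
}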

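Function FindInstalledApplicationInfo($ComputerName)
{
    <#
    .SYNOPSIS
        Enumerates installed applications from the Uninstall registry keys.
    .DESCRIPTION
        Reads HKLM\...\CurrentVersion\Uninstall and its WOW64 counterpart on the machine
        running the script and emits one object per entry that has a DisplayName.
        Get-ItemProperty cannot read a remote registry, so $ComputerName is a label only;
        a non-local name triggers a warning so the output is not mistaken for remote data.
    .PARAMETER ComputerName
        Name recorded in the Computer property of each result.
    .OUTPUTS
        PSCustomObject with Computer, DisplayName, DisplayVersion and Publisher.
    #>
    $LocalNames = @('localhost', '.', '127.0.0.1', $env:COMPUTERNAME)
    If ($ComputerName -and ($LocalNames -notcontains $ComputerName))
    {
        Write-Warning "FindInstalledApplicationInfo reads the local registry only; results are for '$env:COMPUTERNAME', not '$ComputerName'."
    }

    # Both the native and the 32-bit-on-64-bit (Wow6432Node) uninstall hives: an audit
    # that reads only one of them under-reports installed, possibly vulnerable, software.
    # SilentlyContinue covers 32-bit systems where the Wow6432Node path does not exist.
    $RegKeys = @(
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*",
        "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
    )

    Get-ItemProperty -Path $RegKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [PSCustomObject]@{
                Computer       = $ComputerName
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Publisher      = $_.Publisher
            }
        }
}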

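Function List-EndpointProtection {
    <#
    .SYNOPSIS
        Reports the anti-virus products registered with Windows Security Center.
    .DESCRIPTION
        Queries root\SecurityCenter2\AntiVirusProduct and decodes productState into
        definition freshness and real-time-protection state using a table of known codes.
        Results are printed to the host in colour AND emitted as objects: Write-Host never
        reaches the pipeline, so without the objects a caller piping to Out-File gets an
        empty section and the audit log would silently omit the endpoint protection state.
    .OUTPUTS
        PSCustomObject with Product, ProductState, Definitions and RealTimeProtection per product.
    #>
    Write-Host "Searching for installed and configured endpoint protection products, this may take a minute..`n" -ForegroundColor Cyan
    Try {
        # root\SecurityCenter2 exists on client editions only; on Windows Server the query
        # fails, and that must surface as a warning rather than an empty, reassuring section.
        $EndPointProducts = @(Get-CimInstance -Namespace "root\SecurityCenter2" -ClassName AntiVirusProduct -ErrorAction Stop)
        If ($EndPointProducts.Count -eq 0) {
            Write-Warning "No endpoint protection product is registered with Security Center."
        }
        ForEach ($EPApp in $EndPointProducts) {
            $EndPoint_Name   = $EPApp.displayName;
            $EndPoint_Status = $EPApp.productState;
            Write-Host "Detected endpoint protection product '$EndPoint_Name'" -ForegroundColor Yellow
            # productState is an undocumented bit field; these are the values seen in practice.
            # Anything else is reported as Unknown (and shown red) rather than guessed at.
            Switch ($EndPoint_Status) {
                "262144" {$EndPoint_Status_Definitions = "Up to date";  $EndPoint_Status_RealTimeProtection = "Disabled";}
                "262160" {$EndPoint_Status_Definitions = "Out of date"; $EndPoint_Status_RealTimeProtection = "Disabled";}
                "266240" {$EndPoint_Status_Definitions = "Up to date";  $EndPoint_Status_RealTimeProtection = "Enabled";}
                "266256" {$EndPoint_Status_Definitions = "Out of date"; $EndPoint_Status_RealTimeProtection = "Enabled";}
                "393216" {$EndPoint_Status_Definitions = "Up to date";  $EndPoint_Status_RealTimeProtection = "Disabled";}
                "393232" {$EndPoint_Status_Definitions = "Out of date"; $EndPoint_Status_RealTimeProtection = "Disabled";}
                "393472" {$EndPoint_Status_Definitions = "Up to date";  $EndPoint_Status_RealTimeProtection = "Disabled";}
                "393488" {$EndPoint_Status_Definitions = "Out of date"; $EndPoint_Status_RealTimeProtection = "Disabled";}
                "397312" {$EndPoint_Status_Definitions = "Up to date";  $EndPoint_Status_RealTimeProtection = "Enabled";}
                "397328" {$EndPoint_Status_Definitions = "Out of date"; $EndPoint_Status_RealTimeProtection = "Enabled";}
                "397568" {$EndPoint_Status_Definitions = "Up to date";  $EndPoint_Status_RealTimeProtection = "Enabled";}
                "397584" {$EndPoint_Status_Definitions = "Out of date"; $EndPoint_Status_RealTimeProtection = "Enabled";}
                Default {$EndPoint_Status_Definitions  = "Unknown";     $EndPoint_Status_RealTimeProtection = "Unknown";}
            }
            # Out-of-date definitions and Unknown are both findings. The comparison string must
            # match the table exactly ("Out of date", single space) or stale AV is shown green.
            If ($EndPoint_Status_Definitions -eq "Out of date" -or $EndPoint_Status_Definitions -eq "Unknown") {
                Write-Host "`tProduct definitions        : $EndPoint_Status_Definitions" -ForegroundColor Red
            }
            else {
                Write-Host "`tProduct definitions        : $EndPoint_Status_Definitions" -ForegroundColor Green
            }
            If ($EndPoint_Status_RealTimeProtection -eq "Disabled" -or $EndPoint_Status_RealTimeProtection -eq "Unknown") {
                Write-Host "`tReal-time protection status: $EndPoint_Status_RealTimeProtection" -ForegroundColor Red
            }
            else
            {
                Write-Host "`tReal-time protection status: $EndPoint_Status_RealTimeProtection" -ForegroundColor Green
            }
            Write-Host ""

            # Pipeline output: this is what actually lands in the audit log.
            [PSCustomObject]@{
                Product            = $EndPoint_Name
                ProductState       = $EndPoint_Status
                Definitions        = $EndPoint_Status_Definitions
                RealTimeProtection = $EndPoint_Status_RealTimeProtection
            }
        }
    }
    Catch {
        Write-Warning "Could not query root\SecurityCenter2 (not present on Windows Server): $($_.Exception.Message)"
    }
}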

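Function Get-MissingWindowsUpdates
{
    <#
    .SYNOPSIS
        Lists Windows updates that are applicable but not installed.
    .DESCRIPTION
        Targets come either from -ComputerName (one or more names, also accepted from the
        pipeline) or from a CSV at -ComputerFilePath that has a ComputerName column. Every
        target, from either input form, is ping-tested first and skipped with a warning when
        it does not answer; reachable targets are handed to FindMissingUpdates, which
        performs the Windows Update search.
    .PARAMETER ComputerName
        One or more computer names (alias CName).
    .PARAMETER ComputerFilePath
        Path to a CSV file with a ComputerName column (alias CNPath).
    .OUTPUTS
        The objects emitted by FindMissingUpdates, one stream for all targets.
    #>
    [CmdletBinding(DefaultParameterSetName='SinglePoint')]
    Param
    (
        [Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, ParameterSetName="SinglePoint")]
        [Alias('CName')][String[]]$ComputerName,
        [Parameter(Mandatory=$true, Position=0, ParameterSetName="MultiplePoint")]
        [Alias('CNPath')][String]$ComputerFilePath
    )

    # A Process block is required for ValueFromPipeline: without it only the last
    # pipelined item is seen. With no pipeline input it runs exactly once.
    Process
    {
        # Resolve the target list from whichever parameter set was used.
        $Targets = @()
        If ($ComputerName)
        {
            $Targets = $ComputerName
        }
        ElseIf ($ComputerFilePath)
        {
            # Drop blank cells so an empty row does not become a target named "".
            $Targets = @((Import-Csv -Path $ComputerFilePath).ComputerName | Where-Object { $_ })
            If ($Targets.Count -eq 0)
            {
                Write-Warning "No ComputerName values found in '$ComputerFilePath'."
            }
        }

        Foreach ($CN in $Targets)
        {
            # One ICMP echo as a reachability gate. Hosts that drop ICMP are reported as
            # unreachable and skipped, so an empty result is not proof that nothing is missing.
            $PingResult = Test-Connection -ComputerName $CN -Count 1 -Quiet
            If ($PingResult)
            {
                FindMissingUpdates -ComputerName $CN
            }
            Else
            {
                # Name the single host that failed, not the whole input array.
                Write-Warning "Failed to connect to computer '$CN'."
            }
        }
    }
}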

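Function FindMissingUpdates($ComputerName)
{
    <#
    .SYNOPSIS
        Searches the Windows Update agent for applicable, not-yet-installed updates.
    .DESCRIPTION
        Uses the Microsoft.Update.Session COM object on the machine running the script;
        $ComputerName is not used for remote access, so a non-local name triggers a warning.
        The search goes to whatever update source the agent is configured for (WSUS or
        Microsoft Update), so a WSUS-managed host only reports updates approved there.
        A failed search (service stopped, no source reachable) is reported as a warning
        rather than left as an unhandled COM error.
    .PARAMETER ComputerName
        Name of the host the caller believes it is auditing; used in the warnings only.
    .OUTPUTS
        One object per missing update with Title, MsrcSeverity and KB (comma-joined KB ids).
    #>
    $LocalNames = @('localhost', '.', '127.0.0.1', $env:COMPUTERNAME)
    If ($ComputerName -and ($LocalNames -notcontains $ComputerName))
    {
        Write-Warning "FindMissingUpdates queries the local Windows Update agent only; results are for '$env:COMPUTERNAME', not '$ComputerName'."
    }

    Try
    {
        $UpdateSession  = New-Object -ComObject Microsoft.Update.Session
        $UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
        # Hidden updates are excluded on purpose: they were dismissed by an administrator.
        $SearchResult   = $UpdateSearcher.Search("IsHidden=0 and IsInstalled=0")
    }
    Catch
    {
        Write-Warning "Windows Update search failed on '$ComputerName' (service stopped or no update source reachable): $($_.Exception.Message)"
        Return
    }

    # Title is kept as the first column; severity and KB ids let the reader triage the gap.
    @($SearchResult.Updates) | Select-Object Title, MsrcSeverity,
        @{ Name = 'KB'; Expression = { ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ',' } }
}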

# Main audit run: each section is a banner followed by the raw output of one or more
# commands, all appended to a single log in the current directory.
$LogPath = './audit-log.txt'
$Rule    = "----------------------------------------------------"

# Writes the three-line section banner. -NewLog makes the first banner line truncate the
# file (Out-File without -Append) so each run starts a fresh log; everything else appends.
Function Write-AuditBanner([string]$Title, [switch]$NewLog)
{
    If ($NewLog) { $Rule | Out-File -FilePath $LogPath }
    Else         { $Rule | Out-File -FilePath $LogPath -Append }
    " $Title" | Out-File -FilePath $LogPath -Append
    $Rule     | Out-File -FilePath $LogPath -Append
}

Write-AuditBanner "Getting System Information" -NewLog
Get-CimInstance -ClassName Win32_BIOS            | Out-File -FilePath $LogPath -Append
Get-CimInstance -ClassName Win32_ComputerSystem  | Out-File -FilePath $LogPath -Append
Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object -Property Build*,OSType,ServicePack* | Out-File -FilePath $LogPath -Append

# Win32_QuickFixEngineering lists installed OS hotfixes; the "Missing Windows Updates"
# section below is the one to read for the actual patch gap.
Write-AuditBanner "Installed Hotfixes"
Get-CimInstance -ClassName Win32_QuickFixEngineering | Out-File -FilePath $LogPath -Append

Write-AuditBanner "Current Endpoint Protection"
List-EndpointProtection | Out-File -FilePath $LogPath -Append

Write-AuditBanner "Missing Windows Updates"
Get-MissingWindowsUpdates -ComputerName localhost | Out-File -FilePath $LogPath -Append

Write-AuditBanner "Listing Installed Applications"
Get-OSCInstalledApplication -ComputerName localhost | Out-File -FilePath $LogPath -Append

# Per-profile state only (Enabled, default inbound/outbound action), not individual rules.
Write-AuditBanner "Firewall Status"
Get-NetFirewallProfile | Out-File -FilePath $LogPath -Append