Skip to content
PowerShell - Rapid Response... For the incident responder in you!
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
Screenshots Add files via upload Dec 20, 2016
LICENSE Renamed folder Dec 20, 2016
PoSH_R2.ps1 Fixed event-log remoting Dec 21, 2017 Update Apr 3, 2017

PoSh-R2PowerShell - Rapid Response (PoSH-R2)... For the incident responder in you!

PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges.

In a single execution, PoSH-R2 will retrieve the following data from an individual machine or a group of systems:

    - Autorun entries
    - Disk info
    - Environment variables
    - Event logs (50 lastest)
    - Installed Software
    - Logon sessions
    - List of drivers
    - List of mapped network drives
    - List of running processes
    - Logged in user
    - Local groups
    - Local user accounts
    - Network configuration
    - Network connections
    - Patches
    - Scheduled tasks with AT command
    - Shares
    - Services
    - System Information


  1. Call upon the script from a PowerShell window with applicable rights for WMI and follow the prompts.
  2. Data will be saved to a new directory called "PoSH_R2--Results" within the same directory from which this script was executed from.

Additional Notes

  • This script will work with PowerShell version 2 and above


Running the script
Alt text

A listing of the results written to csv files
Alt text

Reading the data back into PowerShell using out-gridview (import-csv .<some_file.csv> | out-gridview)
Alt text

Filtering only on splunk.exe. From the screenshot, we see it is running on six systems
Alt text

You can’t perform that action at this time.