# System Snapshot and Configuration Utility

To Whom It May Concern,

We need to take an inventory snapshot of our current systems, along with some standard user and network information, for all of the machines on our network. This will help in comparing consistency across the organization as well as creating a standard baseline security configuration for our infrastructure.

We need you to create a script that we can use to run on other machines on the network to collect necessary information and provide some standard configuration for Windows machines specifically.

Please ensure your script covers all requirements as specified by our beloved CISO.

### General Requirements
1. Your script should be callable from the command line interface
1. Your script should take a **single optional parameter** as input which will prefix all stdout lines with the given prefix. If this parameter is not passed as a command line argument you should set a reasonable default value that will be used instead
1. Your script should exit upon completion
1. Your script should have meaningful comments throughout for other people to understand what it is doing

### Standard Information
We need to collect some standard information about our users and the basic configurations of the machine. 

Please provide a deliverable file that contains all of the following information in the format of: *WindowsDiagnosticsReport_MACHINENAME_YYYYMMDDHHMMSS.txt*

1. Use a command that ensures any changes made to environment variables within your script are only in effect during the execution of that script (that is, set locally)

1. Use the `REM`, `COMMENT` and `ENDCOMMENT` command(s) to enable comments if someone were to use `ECHO ON`

1. Document the current version of Windows and the processor type and processor architecture. Title the section `System OS & Processor`.

1. Document all environment variables with the variable name and value. Title the section `Environment Variables`. Document each variable on its own line with the default prefix.

1. Document all current networking configuration settings. Title the section `Network Configuration`.

1. Document any programs in the startup directory for the version of Windows that is currently being evaluated; this location differs between Windows versions. Title the section `Startup Programs`. Common locations are:
    - Windows 7: 
        - %userprofile%\Start Menu\Programs\Startup
    - Windows 10: 
        - %appdata%\Microsoft\Windows\Start Menu\Programs\Startup
        - %appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
        
1. Document any current running processes. Title the section `Running Processes`.

1. Document any scheduled tasks. Title the section `Scheduled Tasks`.

**NOTE:** Any previous version of this file should be overwritten when this script is run.
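An added example of the script skeleton for this section, written here as a batch file (it is not part of the assignment or any submitted solution). It assumes the report is written next to the script (`%~dp0`), uses `[DIAG] ` as the default prefix, and takes the timestamp from WMIC so the file name is independent of regional date settings; `SETLOCAL` keeps every `SET` scoped to the script.

```batch
@ECHO OFF
REM Added example (not the assignment's own script): skeleton for the prefix parameter and the report file.
SETLOCAL EnableExtensions
REM Optional single argument = prefix for every stdout line; "[DIAG] " is the assumed default
SET "PREFIX=%~1"
IF "%PREFIX%"=="" SET "PREFIX=[DIAG] "

REM Locale-independent YYYYMMDDHHMMSS from WMIC (%DATE%/%TIME% layouts vary with regional settings)
FOR /F "tokens=2 delims==" %%I IN ('wmic os get localdatetime /value') DO SET "DT=%%I"
SET "REPORT=%~dp0WindowsDiagnosticsReport_%COMPUTERNAME%_%DT:~0,14%.txt"
REM A single ">" truncates, so any earlier report with the same name is overwritten
> "%REPORT%" ECHO Windows Diagnostics Report for %COMPUTERNAME% (%DT:~0,14%)

CALL :section "System OS & Processor"
systeminfo | FINDSTR /B /C:"OS Name" /C:"OS Version" /C:"System Type" >>"%REPORT%"
ECHO Processor: %PROCESSOR_IDENTIFIER% [%PROCESSOR_ARCHITECTURE%]>>"%REPORT%"

CALL :section "Environment Variables"
REM SET with no argument prints NAME=value; the spec wants each line prefixed
FOR /F "delims=" %%V IN ('SET') DO ECHO %PREFIX%%%V>>"%REPORT%"

CALL :section "Network Configuration"
ipconfig /all >>"%REPORT%"

CALL :section "Startup Programs"
REM Both locations from the spec; whichever exists on this Windows version is listed (/A includes hidden entries)
FOR %%D IN ("%USERPROFILE%\Start Menu\Programs\Startup" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup") DO (
    IF EXIST "%%~D\" DIR /A /B "%%~D" >>"%REPORT%" 2>NUL
)

CALL :section "Running Processes"
tasklist /V >>"%REPORT%"

CALL :section "Scheduled Tasks"
schtasks /query /fo LIST /v >>"%REPORT%"

ECHO %PREFIX%Report written to "%REPORT%"
ENDLOCAL
EXIT /B 0

:section
REM Section header in the report plus a prefixed progress line on stdout; delayed expansion keeps the "&"
REM in "System OS & Processor" from being parsed as a command separator.
SETLOCAL EnableDelayedExpansion
SET "TITLE=%~1"
ECHO.>>"%REPORT%"
ECHO ==== !TITLE! ====>>"%REPORT%"
ECHO %PREFIX%Collecting: !TITLE!
ENDLOCAL
EXIT /B 0
```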

### Registry Settings and Information
Your script should also ensure that the following Windows Registry settings are in place:


1. Document all current settings in the following autorun registry sections and label each section appropriately:
    - HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
    - HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    - HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    - HKCU\Software\Microsoft\Windows\CurrentVersion\Run 
    - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    
1. Document the most recently used (MRU) commands:
    - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    
1. Document all subkeys of the UserAssist key:
    - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
    
1. Document all of the wireless networks and settings that this machine has connected to:
    - HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces
    - HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\
    
1. Document the list of other LAN devices this computer has had access to:
    - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
    
1. Document any USB devices that have been connected to this computer:
    - HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR
    
1. Document any user settings in Internet Explorer:
    - HKCU\Software\Microsoft\Internet Explorer\Main
    
1. Document any typed URLs a user has visited:
    - HKCU\Software\Microsoft\Internet Explorer\TypedURLs

1. Document the same information from any other popular browsers (Stretch Goal)

1. Back up the registry sections listed below before modifying them

1. Make sure the following registry settings are set with the proper values:
    - User Account Control (UAC) is enabled
    - Disable the Run command
    - Disable cmd from being run

1. Make sure the following registry settings do not exist:
    - HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUAsDefaultShutdownOption
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
    - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
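An added example (not the assignment's own code) that documents, backs up and enforces the registry items above in batch. It assumes an elevated prompt for the HKLM writes, that `REPORT` already names the deliverable file, and a placeholder backup folder under `%TEMP%`; the value names (`EnableLUA`, `NoRun`, `DisableCMD`) are the standard policy values for the three required settings.

```batch
@ECHO OFF
REM Added example (not the assignment's own code): document, back up and enforce the registry items above.
REM Assumes an elevated prompt (HKLM writes) and that REPORT names the deliverable file; BACKUP is a placeholder.
SETLOCAL EnableExtensions
IF NOT DEFINED REPORT SET "REPORT=%TEMP%\WindowsDiagnosticsReport_%COMPUTERNAME%_example.txt"
SET "BACKUP=%TEMP%\RegBackup"
IF NOT EXIST "%BACKUP%" MKDIR "%BACKUP%"
REM Document each key recursively (/s); a key absent on this build is normal, so stderr is dropped.
REM CurrentControlSet is the link to whichever ControlSet00x is active, which covers the "00x" entries above.
FOR %%K IN (
    "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions"
    "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"
    "HKCU\Software\Microsoft\Internet Explorer\Main"
    "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
) DO (
    ECHO ==== Registry: %%~K ====>>"%REPORT%"
    REG QUERY %%K /s >>"%REPORT%" 2>NUL
)

REM Back up every key about to be modified (/y overwrites an older export without prompting)
REG EXPORT "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" "%BACKUP%\System.reg" /y
REG EXPORT "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" "%BACKUP%\Explorer.reg" /y
REG EXPORT "HKCU\Software\Policies\Microsoft\Windows\System" "%BACKUP%\PolicySystem.reg" /y 2>NUL

REM Required values: UAC on (EnableLUA=1, takes effect after a reboot), Run box off (NoRun=1),
REM interactive cmd.exe off (DisableCMD=2; the value 1 would also block batch files, including this script)
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
REG ADD "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

REM Values that must not exist; an "unable to find" error means the desired state already holds
REG DELETE "HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAUAsDefaultShutdownOption /f 2>NUL
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /f 2>NUL
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /f 2>NUL

ECHO ==== Enforced Registry Settings ====>>"%REPORT%"
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA >>"%REPORT%"
REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun >>"%REPORT%"
REG QUERY "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD >>"%REPORT%"
ENDLOCAL
```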



### User File Reporting/Removal
We need to ensure that all files in the `C:\Users` directories are in compliance with corporate policy. We will need to generate a list of existing files and directories in each user account as well as remove any files not allowed on user machines. 

1. Add a section to your deliverable file that logs all user files including hidden files. Do NOT log all files on the computer, just the files for each user on the system. Title the section `File System Statistics` and label the sections appropriately for each user.

1. Add a section that details any files that are removed/quarantined. Title the section `Removed/Quarantined Files` and label the sections appropriately for each user and the administrator action taken.

**NOTE:** For any blacklisted file types we will give the administrator the option to quarantine or delete the file that was found. You will need to document the action taken for each file. You will also need to specify a quarantine location in your script to archive the files found.

The following file types are not allowed (blacklisted):
- .avi
- .mov
- .wav
- .flv
- .mp4
- .wmv
- .mpg
- .mpeg
- .mp3
- .wma
- .mid
- .ogg
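An added example (not the assignment's own code) of the per-user inventory and the quarantine-or-delete prompt in batch. It assumes `REPORT` names the deliverable file and uses `C:\Quarantine` as the assumed quarantine location; every action, including a skip or a failed move, is written to the report so the administrator's decision is on record.

```batch
@ECHO OFF
REM Added example (not the assignment's own code): per-user file inventory, then blacklist handling with a prompt.
REM Assumes REPORT names the deliverable file; QUAR is the assumed quarantine folder.
SETLOCAL EnableExtensions EnableDelayedExpansion
REM (delayed expansion is needed for !ERRORLEVEL! inside the loop; a file name containing "!" would be mangled by it)
IF NOT DEFINED REPORT SET "REPORT=%TEMP%\WindowsDiagnosticsReport_%COMPUTERNAME%_example.txt"
SET "QUAR=C:\Quarantine"
SET "BLACKLIST=.avi .mov .wav .flv .mp4 .wmv .mpg .mpeg .mp3 .wma .mid .ogg"
IF NOT EXIST "%QUAR%" MKDIR "%QUAR%"

REM File System Statistics: DIR /A with no attribute filter lists hidden and system entries too
ECHO ==== File System Statistics ====>>"%REPORT%"
FOR /D %%U IN ("C:\Users\*") DO (
    ECHO ---- User: %%~nxU ---->>"%REPORT%"
    DIR /S /A "%%U" >>"%REPORT%" 2>&1
)

ECHO ==== Removed/Quarantined Files ====>>"%REPORT%"
FOR /D %%U IN ("C:\Users\*") DO (
    ECHO ---- User: %%~nxU ---->>"%REPORT%"
    REM /A:-D = every file (hidden included) but no directory entries; /B gives bare full paths
    FOR /F "delims=" %%F IN ('DIR /S /B /A:-D "%%U\*" 2^>NUL') DO (
        FOR %%E IN (%BLACKLIST%) DO IF /I "%%~xF"=="%%E" (
            ECHO Blacklisted file found: "%%F"
            CHOICE /C QDS /N /M "[Q]uarantine, [D]elete or [S]kip? "
            REM CHOICE sets ERRORLEVEL to the 1-based position of the key pressed
            IF !ERRORLEVEL! EQU 1 (
                REM Prefix with the user name so equal file names from different profiles do not collide
                MOVE /Y "%%F" "%QUAR%\%%~nxU_%%~nxF" >NUL
                IF NOT EXIST "%%F" (ECHO "%%F" : quarantined to %QUAR%>>"%REPORT%") ELSE (ECHO "%%F" : quarantine FAILED>>"%REPORT%")
            ) ELSE IF !ERRORLEVEL! EQU 2 (
                DEL /F /Q "%%F" 2>NUL
                IF NOT EXIST "%%F" (ECHO "%%F" : deleted>>"%REPORT%") ELSE (ECHO "%%F" : delete FAILED>>"%REPORT%")
            ) ELSE (
                ECHO "%%F" : skipped by administrator>>"%REPORT%"
            )
        )
    )
)
ENDLOCAL
```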

### Mandatory Software Check
We need to make sure that we have the following software installed on all systems and configured properly.

- Windows Update
- AVG Anti-virus
- Malwarebytes

### Custom Configuration 
- Ensure that the firewall is enabled
- Ensure that the FTP service is disabled
- Ensure that the Telnet service is disabled
- Create a website blacklist and update the HOSTS file to block these sites
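An added example (not the assignment's own code) covering the software check and the four custom configuration items in batch. It assumes an elevated prompt, that `REPORT` names the deliverable file, the standard service names `wuauserv`, `ftpsvc` and `TlntSvr`, and placeholder domains (`blocked.example.com`) for the website blacklist.

```batch
@ECHO OFF
REM Added example (not the assignment's own code): software presence check, firewall, FTP/Telnet services, HOSTS blacklist.
REM Assumes an elevated prompt and that REPORT names the deliverable file; the blocked domains are placeholders.
SETLOCAL EnableExtensions EnableDelayedExpansion
IF NOT DEFINED REPORT SET "REPORT=%TEMP%\WindowsDiagnosticsReport_%COMPUTERNAME%_example.txt"

ECHO ==== Mandatory Software Check ====>>"%REPORT%"
REM Windows Update is the wuauserv service; the other two are matched by name (substring) in the Uninstall keys
SC QUERY wuauserv | FINDSTR /C:"STATE" >>"%REPORT%"
FOR %%P IN (AVG Malwarebytes) DO (
    SET "FOUND=0"
    REM Both views: native and 32-bit (WOW6432Node); REG QUERY /f returns errorlevel 1 when nothing matches
    FOR %%K IN ("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall") DO (
        REG QUERY %%K /s /f "%%P" /d >NUL 2>&1 && SET "FOUND=1"
    )
    IF "!FOUND!"=="1" (ECHO %%P: installed>>"%REPORT%") ELSE (ECHO %%P: NOT FOUND - install required>>"%REPORT%")
)

ECHO ==== Custom Configuration ====>>"%REPORT%"
REM Firewall on for the Domain, Private and Public profiles, then record the resulting state
NETSH ADVFIREWALL SET ALLPROFILES STATE ON >NUL
NETSH ADVFIREWALL SHOW ALLPROFILES STATE >>"%REPORT%"

REM FTP (ftpsvc, IIS) and Telnet (TlntSvr): stop if present, then set the start type to disabled
FOR %%S IN (ftpsvc TlntSvr) DO (
    SC QUERY %%S >NUL 2>&1
    IF !ERRORLEVEL! EQU 0 (
        SC STOP %%S >NUL 2>&1
        SC CONFIG %%S start= disabled >NUL
        SC QC %%S | FINDSTR /C:"START_TYPE" >>"%REPORT%"
    ) ELSE (
        ECHO %%S: service not installed>>"%REPORT%"
    )
)

REM Website blacklist: map each domain to 0.0.0.0 in HOSTS, keeping a backup and skipping entries already present
SET "HOSTS=%SystemRoot%\System32\drivers\etc\hosts"
COPY /Y "%HOSTS%" "%HOSTS%.bak" >NUL
FOR %%H IN (blocked.example.com www.blocked.example.com) DO (
    FINDSTR /I /L /C:"%%H" "%HOSTS%" >NUL || (
        ECHO 0.0.0.0 %%H>>"%HOSTS%"
        ECHO blocked %%H via HOSTS>>"%REPORT%"
    )
)
ipconfig /flushdns >NUL
ENDLOCAL
```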

### Data Collector Sets (Perfmon Automation)
In addition to the previous settings we need to configure ongoing monitoring of the systems and alerts for certain situations. Please ensure the following User Defined Data Collector Sets are enabled and that the given scenarios trigger the necessary alerts.

- Run the default System Health Report using the `perfmon` utility
- Create a configuration file of the counters that you are going to monitor named `baseline.cfg`
- Use the `logman` utility to create a User Defined Data Collector Set named `Baseline System` that monitors the following counters:
    - \Memory\Available MBytes
    - \Memory\Pool Nonpaged Bytes
    - \Memory\Pool Paged Bytes
    - \PhysicalDisk(*)\Current Disk Queue Length
    - \PhysicalDisk(*)\Disk Reads/sec
    - \PhysicalDisk(*)\Disk Read Bytes/sec
    - \PhysicalDisk(*)\Disk Writes/sec
    - \PhysicalDisk(*)\Disk Write Bytes/sec
    - \Process(*)\% Processor Time
    - \Process(*)\Private Bytes
    - \Process(*)\Virtual Bytes
    
- The Data Collector Set should have the following characteristics:
    - Binary Circular File type
    - Max size of 200MB
    - Output to the current user profile TEMP directory
    
- Use the `logman` utility to create a User Defined Data Collector Set named `High CPU Performance` that monitors the following counters:
    - \LogicalDisk(*)\*
    - \Memory\*
    - \Network Interface(*)\*
    - \Paging File(*)\*
    - \PhysicalDisk(*)\*
    - \Process(*)\*
    - \Redirector\*
    - \Server\*
    - \System\*
    
- The Data Collector Set should have the following characteristics:
    - Binary Circular File type
    - Max size of 200MB
    - Capture interval of 10 minutes
    - Output results to the current user profile TEMP directory
    
- Use the `logman` utility to issue the following alerts:
    - Memory over 95% use
    - PhysicalDisk over 80% full
    - Set to repeat every 5 minutes
    
- Use the `logman` utility to start the created User Defined Data Collector Set

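An added example (not the assignment's own code) that builds both Data Collector Sets and the alert with `logman` in batch. It assumes an elevated prompt and that `REPORT` names the deliverable file; the memory threshold uses `\Memory\% Committed Bytes In Use`, and because the PhysicalDisk object has no free-space counter, "80% full" is expressed as `\LogicalDisk(*)\% Free Space` below 20.

```batch
@ECHO OFF
REM Added example (not the assignment's own code): the two Data Collector Sets and the alert, built with logman.
REM Assumes an elevated prompt; "%%" is how a literal "%" is written in a batch file.
SETLOCAL EnableExtensions
IF NOT DEFINED REPORT SET "REPORT=%TEMP%\WindowsDiagnosticsReport_%COMPUTERNAME%_example.txt"
SET "OUT=%TEMP%"
SET "CFG=%~dp0baseline.cfg"

REM Default System Health (System Diagnostics) report; START keeps the script from waiting on the viewer
START "" perfmon /report

REM baseline.cfg holds one counter path per line for logman -cf; the first ">" overwrites an old copy
ECHO \Memory\Available MBytes> "%CFG%"
ECHO \Memory\Pool Nonpaged Bytes>>"%CFG%"
ECHO \Memory\Pool Paged Bytes>>"%CFG%"
ECHO \PhysicalDisk(*)\Current Disk Queue Length>>"%CFG%"
ECHO \PhysicalDisk(*)\Disk Reads/sec>>"%CFG%"
ECHO \PhysicalDisk(*)\Disk Read Bytes/sec>>"%CFG%"
ECHO \PhysicalDisk(*)\Disk Writes/sec>>"%CFG%"
ECHO \PhysicalDisk(*)\Disk Write Bytes/sec>>"%CFG%"
ECHO \Process(*)\%% Processor Time>>"%CFG%"
ECHO \Process(*)\Private Bytes>>"%CFG%"
ECHO \Process(*)\Virtual Bytes>>"%CFG%"

REM Baseline System: binary circular log (-f bincirc), 200 MB cap (-max), output under the user's TEMP (-o);
REM -y answers the overwrite prompt so the script does not stall on a second run
logman create counter "Baseline System" -cf "%CFG%" -f bincirc -max 200 -o "%OUT%\BaselineSystem" -y

REM High CPU Performance: wildcard counters given inline with -c, 10-minute sample interval (-si hh:mm:ss)
logman create counter "High CPU Performance" -f bincirc -max 200 -si 00:10:00 -o "%OUT%\HighCPU" -y ^
    -c "\LogicalDisk(*)\*" "\Memory\*" "\Network Interface(*)\*" "\Paging File(*)\*" "\PhysicalDisk(*)\*" ^
       "\Process(*)\*" "\Redirector\*" "\Server\*" "\System\*"

REM Alert every 5 minutes: memory over 95%% committed, and "80%% full" as under 20%% free on any volume
REM (the PhysicalDisk object has no free-space counter, so the disk threshold uses LogicalDisk)
logman create alert "Baseline Alerts" -si 00:05:00 -y -th "\Memory\%% Committed Bytes In Use>95" "\LogicalDisk(*)\%% Free Space<20"

REM Start everything and record the resulting status in the report
logman start "Baseline System"
logman start "High CPU Performance"
logman start "Baseline Alerts"
ECHO ==== Data Collector Sets ====>>"%REPORT%"
logman query >>"%REPORT%"
ENDLOCAL
```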

### Script Backup
After fine-tuning your report and validating it on more than one machine, we require that you commit your script to source control so that we can share it with other members of the team and update it over time.

We'd like to see your progress as you go. Please commit and push your changes often, following a standard best-practices workflow.

### Stretch Goals
1. Can you output the decoded values from the UserAssist keys logged above?
1. We are in the process of upgrading our systems and staff skillsets. We will soon be looking into the specifics of PowerShell. If you can write the above script in PowerShell, it could be a good opportunity for you to move up the ranks.

### Required Reading
- https://www.sans.org/reading-room/whitepapers/auditing/simple-windows-batch-scripting-intrusion-discovery-33193

#### Resources
- https://steve-jansen.github.io/guides/windows-batch-scripting/index.html
- http://www.instructables.com/id/Some-Cool-Batch-Applications/
- https://en.wikibooks.org/wiki/Windows_Batch_Scripting#How_a_command_line_is_interpreted
- http://www.robvanderwoude.com/batexamples.php
- https://amithacker.blogspot.com/p/some-more-dangerous-bat-files.html
- http://www.dostips.com/DtTutoFunctions.php#FunctionTutorial.ExampleCallingAFunction
- http://www.ithacks.com/2009/01/17/disable-user-account-control-uac-in-windows-7/
- http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry
- http://www.accessdata.com/media/en_US/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf
- https://blogs.technet.microsoft.com/askperf/2008/05/13/two-minute-drill-logman-exe/


```batch
REM create a log file named [script].YYYYMMDDHHMMSS.txt in %TEMP%; %~n0 is this script's name without extension
REM %TIME: =0% pads a single-digit hour with 0; the date slicing assumes the en-US format "Ddd MM/DD/YYYY"
SET "t=%TIME: =0%"
SET "log=%TEMP%\%~n0.%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%%t:~0,2%%t:~3,2%%t:~6,2%.txt"
```