When I run into an unknown issue with one or more workstations or servers, I often run through the same set of steps. Eventually, I find a tidbit of information that ideally identifies the root cause of the issue, or at worst points me in a direction to find more information.
I decided to script out this basic first step. Get-VolatileInfo runs a number of queries against one or more remote computers. It returns the information it collects in global variables you can then manipulate to find what you need; alternatively, it produces searchable, sortable HTM files thanks to a method I borrowed from Douglas Finke.
Head over to the Script Center repository for the function code or ps1 file. That page includes details on installation and dependencies. Once you have the function loaded, Get-Help Get-VolatileInfo -Full will show the parameters and examples.
How does it work?
At a high level, I define dependency functions, run through each computer listed to collect certain info, and read that information. Here’s what it might look like if I heard there was trouble with c-is-hyperv-1:
I now have a number of variables populated with troubleshooting information for c-is-hyperv-1. The output tells me the command I can run to list these again, or I could pipe that command to Remove-Variable to get rid of the variables. An Explorer window also popped up with the HTM files, which were created because I used the -View switch.
Perhaps I want to see which servers lsass.exe is talking to. I pull up the c-is-hyperv-1netstat.htm file and search for lsass:
Alternatively, I can do the same via PowerShell (Note: I'm enclosing the variable name in curly braces because it contains dashes; tab completion will do this for you!):
What information does this provide?
Here’s what I’m collecting thus far, all of which is in object form (or in the handy HTM files):
- AutoRuns: This is a full list of everything from AutoRunsC.exe. You can sort or filter by category to weed out anything you don’t need. It shows a comprehensive list of items that auto start or affect auto start.
- ComputerInfo: A bunch of info from WMI: hostname, OS, service pack, CPU, RAM, free space on C:\, last reboot time, system time, and the difference between the remote system time and the system time of the computer you ran the query from.
- CurrentUsers: Users from Win32_LoggedOnUser
- InstalledSoftware: Software listed in the registry
- LogApp: -eventCount events from the Application event log (default is 250)
- LogSec: -eventCount events from the Security event log (default is 250)
- LogSys: -eventCount events from the System event log (default is 250)
- NetStat: From Get-NetworkStatistics: netstat -ano results with hostnames and process names resolved, in object form
- NetworkAdapter#: A variety of configuration info for each IP-enabled network adapter, starting with NetworkAdapter0, NetworkAdapter1, ...
- OpenFiles: Info on open files
- Processes: Info from Get-Process
- Profiles: List of profiles and the date ntuser.dat was last written to.
- Reboots: Any instances of event ID 6009 from the event logs, indicating a system startup
- Services: Info from Get-Service
- ServicesNotStarted: Services set to autostart, but not running
- Shares: Info on shares
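As an added example (not the Get-VolatileInfo script itself), here is a small function that collects three of the items above from one remote computer (ComputerInfo with clock skew, ServicesNotStarted, and Reboots via event ID 6009) and publishes them as global variables named ${computer_Item}, in the same spirit as the script. It assumes WinRM/CIM and remote event log access to the target; the function name and the variable naming pattern are my own choices.

```powershell
function Get-VolatileSubset {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$RebootCount = 10
    )

    # One CIM session reused for every WMI query against the target
    $cim = New-CimSession -ComputerName $ComputerName

    # ComputerInfo: OS, last boot, remote system time, and skew versus the querying host
    $os = Get-CimInstance -CimSession $cim -ClassName Win32_OperatingSystem
    $localNow = Get-Date
    $computerInfo = [pscustomobject]@{
        ComputerName = $ComputerName
        OS           = $os.Caption
        LastBoot     = $os.LastBootUpTime
        RemoteTime   = $os.LocalDateTime
        ClockSkewSec = [math]::Round(($os.LocalDateTime - $localNow).TotalSeconds, 1)
    }

    # ServicesNotStarted: services set to Auto start that are not currently running
    $notStarted = Get-CimInstance -CimSession $cim -ClassName Win32_Service `
        -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, DisplayName, State, StartMode, PathName

    # Reboots: event ID 6009 in the System log is written at each system startup
    $reboots = Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = 'System'; Id = 6009 } `
        -MaxEvents $RebootCount -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    Remove-CimSession $cim

    # Publish as global variables so they survive after the function returns
    $results = @{ ComputerInfo = $computerInfo; ServicesNotStarted = $notStarted; Reboots = $reboots }
    foreach ($pair in $results.GetEnumerator()) {
        Set-Variable -Name "${ComputerName}_$($pair.Key)" -Value $pair.Value -Scope Global
    }

    # Return the variable names so the caller knows what was created
    Get-Variable -Name "${ComputerName}_*" -Scope Global | Select-Object Name
}

# Usage (hypothetical host name taken from the post):
#   Get-VolatileSubset -ComputerName c-is-hyperv-1
#   ${c-is-hyperv-1_ServicesNotStarted} | Format-Table Name, State, PathName
```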
If you have any suggestions on information to collect or not to collect, or any other insight, it would be greatly appreciated!