Saturday, July 4, 2015

More artifacts through PowerShell - Part 4

Typed URLs - alternate location.

The main script LRUP already contains many IE related artifacts; here is one more that we can add to the list.
Under the user's local AppData folder, Windows keeps a log of the URLs typed into the address bar, which it uses to auto-suggest URLs as they are typed in. This log can be viewed with the Get-Content cmdlet (alias gc):
gc $env:LOCALAPPDATA\temp\structuredquery.log
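As an added example (not part of the original post), the function below reads the same log and pulls out the URL-looking strings with their hit counts and the log's last-write time, so a reviewer gets a summary rather than a raw dump. The internal format of structuredquery.log is not documented here, so the URL regex is an assumption: anything that looks like an http, https or ftp URL is reported.

```powershell
# Added example, not from the original post. Extracts URL candidates from the per-user
# structuredquery.log. The regex below is an assumption about the log contents, not a
# documented format.
function Get-TypedUrlCandidates {
    [CmdletBinding()]
    param(
        # Default is the path the post shows; override for an offline copy of the log.
        [string]$LogPath = (Join-Path $env:LOCALAPPDATA 'Temp\structuredquery.log')
    )

    if (-not (Test-Path -LiteralPath $LogPath)) {
        Write-Verbose "No log at $LogPath"
        return
    }
    $file = Get-Item -LiteralPath $LogPath

    # Assumed pattern: scheme://host/path, stopping at whitespace or quoting characters.
    $pattern = '(?i)\b(?:https?|ftp)://[^\s"''<>]+'

    $hits = Select-String -LiteralPath $LogPath -Pattern $pattern -AllMatches |
            ForEach-Object { $_.Matches.Value }

    # One row per distinct URL, most frequently seen first, with the file timestamp for context.
    $hits | Group-Object | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Url          = $_.Name
            Count        = $_.Count
            LogLastWrite = $file.LastWriteTime
        }
    }
}

# Usage: Get-TypedUrlCandidates | Format-Table -AutoSize -Wrap
```

Because the log lives under the user's own profile, it should be collected alongside the HKCU artifacts from the same account; an empty result from a different account is expected, not an absence of activity.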

DLLs and vendor information.

If you need to filter out the DLLs identified in the system that are not Microsoft related, use the pipeline below. For more information, check Trevor Sullivan's article.

# Each CIM_ProcessExecutable instance links a process to one image it has loaded.
# Antecedent is the WMI path of the CIM_DataFile; [wmi] resolves it to the file object.
$ProcExes = Get-WmiObject -Class CIM_ProcessExecutable
$ProcExes | % { [wmi]"$($_.Antecedent)" } |
    ? { $_.Manufacturer -ne 'Microsoft Corporation' } |
    select FileName,Extension,Manufacturer,Version -Unique |   # one row per file, not per process
    ft -auto -wrap                                              # format once, not inside a loop
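The Manufacturer field comes from the file's version resource, which any build can set to whatever it likes, so a vendor string alone is a weak filter. As an added example (not from the original post or from Trevor Sullivan's article), the function below does the same enumeration with the CIM cmdlets, which also work on PowerShell 7, inspects each image once however many processes loaded it, and optionally checks the Authenticode signature next to the vendor string. It assumes Windows with the CIM cmdlets available and administrator rights for a complete view of other users' processes.

```powershell
# Added example, not from the original post. Lists loaded images whose version-resource
# vendor is not the expected one, with their signature status and the processes using them.
function Get-LoadedModuleVendor {
    [CmdletBinding()]
    param(
        # Vendor string treated as expected; every other value (including blank) is reported.
        [string]$TrustedVendor = 'Microsoft Corporation',
        # CompanyName is free text and can be forged; the signature check is the stronger signal.
        [switch]$CheckSignature
    )

    # CIM_ProcessExecutable links a process (Dependent, Win32_Process) to each image it has
    # loaded (Antecedent, CIM_DataFile). Only the key properties (Handle / Name) are populated.
    $links = Get-CimInstance -ClassName CIM_ProcessExecutable

    # PID -> process name map built once instead of a query per link.
    $procName = @{}
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { $procName[[string]$_.ProcessId] = $_.Name }

    # Group by image path so each file on disk is inspected once.
    $byPath = $links | Group-Object { $_.Antecedent.Name }

    foreach ($group in $byPath) {
        $path = $group.Name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $item) { continue }   # image removed after load; a finding in itself, skipped here

        $vendor = $item.VersionInfo.CompanyName
        $signer = $null
        if ($CheckSignature) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
        }

        if ($vendor -ne $TrustedVendor) {
            $users = $group.Group |
                ForEach-Object { $procName[[string]$_.Dependent.Handle] } |
                Where-Object { $_ } | Sort-Object -Unique
            [pscustomobject]@{
                Path      = $path
                Vendor    = $vendor
                Version   = $item.VersionInfo.FileVersion
                Signature = $signer
                Processes = ($users -join ', ')
            }
        }
    }
}

# Usage: third-party images, signature status included, one row per file.
Get-LoadedModuleVendor -CheckSignature | Sort-Object Vendor, Path | Format-Table -AutoSize -Wrap
```

A row with the expected vendor but a signature status other than Valid, or a path that no longer exists on disk, is the kind of entry worth looking at first.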

Application Compatibility related.

Application compatibility is a feature that can make older programs that have compatibility problems work better in Windows 7 and Windows 2008 operating systems.

The system tracks the programs it has handled under the registry key below. Note that it "stores the list of all programs for which it came up under the following key for each user, even if no compatibility modes were applied (e.g. in the case where the user reported that the program worked correctly)" (MSDN).

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted

In PowerShell, this can be gathered through the following one-liner:

gp 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted' | select * -ExcludeProperty PS*

Since the key lives under HKCU, its contents indicate that this particular user ran these programs.
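The HKCU view only covers the account running the script. As an added example (not from the original post), the function below walks every loaded user hive under HKEY_USERS instead, so each entry stays tied to the SID and account name that ran the program, and notes whether the executable still exists on disk. It assumes administrator rights, which are needed to read other users' hives.

```powershell
# Added example, not from the original post. Reads the Program Compatibility Assistant
# "Persisted" list for every loaded user hive. Value names under this key are executable paths.
function Get-PcaPersistedPrograms {
    [CmdletBinding()]
    param()

    # The registry provider has no HKU: drive by default; map one for this session.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    $subKey = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted'

    # Children of HKEY_USERS are SIDs; the *_Classes aliases carry no Software hive of interest.
    $hives = Get-ChildItem -Path HKU:\ | Where-Object { $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $sid = $hive.PSChildName
        $key = Get-Item -LiteralPath "HKU:\$sid\$subKey" -ErrorAction SilentlyContinue
        if (-not $key) { continue }   # hive not loaded or PCA never ran for this user

        # Resolve the SID to an account name where possible; otherwise report the SID itself.
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                User        = $account
                Sid         = $sid
                Program     = $name
                Value       = $key.GetValue($name)
                StillExists = Test-Path -LiteralPath $name
            }
        }
    }
}

# Usage: one row per user and program, executables that have since been removed stand out.
Get-PcaPersistedPrograms | Sort-Object User, Program | Format-Table -AutoSize -Wrap
```

Profiles that are not currently loaded do not appear under HKEY_USERS; for those, the NTUSER.DAT of the profile has to be loaded (reg load) or parsed offline before this key can be read.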