Tuesday, 16 August 2016

File Search - Using Powershell

How to search for a file on a local or remote system using PowerShell

This is a simple WMI query combined with PowerShell for searching for files by file extension. The script connects to the WMI service of a local or remote computer and executes the query to get the file details. It then loops over the returned collection with foreach to extract the details.

Below are the two important WMI queries that we execute through PowerShell. Here I am searching for files with the bmp extension.

$SearchObject = Get-Wmiobject -namespace "root\CIMV2" -computername $System -Query "Select * from CIM_DataFile Where Extension = 'bmp'"
$query = "ASSOCIATORS OF {Win32_LogicalFileSecuritySetting='" + $filepath + "'} WHERE AssocClass=Win32_LogicalFileOwner ResultRole=Owner"

Note: As written, the script below runs the query against the entire file system, which can take a long time depending on the number of files present on the target machine. You can also search for multiple extensions by adding the AND or OR operator.
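The note above says the unscoped query walks the whole file system. The following added example (not part of the original post) shows one way to narrow the WQL to a drive, an optional folder, and several extensions, with the escaping that WQL string literals need. The function names `New-FileSearchQuery` and `Find-RemoteFile` and their parameters are hypothetical, and the code assumes Windows PowerShell 3.0 or later, where `Get-WmiObject` is available.

```powershell
# Added example, not from the original post; function and parameter names are hypothetical.
function New-FileSearchQuery {
    param(
        [Parameter(Mandatory)] [string[]] $Extension,   # e.g. 'bmp', 'png'
        [string] $Drive = 'C:',                          # compared with CIM_DataFile.Drive
        [string] $Folder                                 # optional, e.g. '\Users\Public\Pictures\'
    )
    # In a WQL string literal, \ is the escape character and ' ends the literal.
    $esc = { param($s) $s.Replace('\', '\\').Replace("'", "\'") }
    # CIM_DataFile.Extension is stored without the leading dot.
    $extFilter = ($Extension | ForEach-Object { "Extension = '$(& $esc $_.TrimStart('.'))'" }) -join ' OR '
    $where = "Drive = '$(& $esc $Drive)' AND ($extFilter)"
    if ($Folder) {
        # Path holds the folder without the drive, with a leading and trailing backslash.
        if (-not $Folder.EndsWith('\')) { $Folder += '\' }
        $where += " AND Path = '$(& $esc $Folder)'"      # exact match: this folder only
    }
    "SELECT Name, FileSize, LastModified FROM CIM_DataFile WHERE $where"
}

function Find-RemoteFile {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Query
    )
    try {
        Get-WmiObject -Namespace 'root\CIMV2' -ComputerName $ComputerName -Query $Query -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    MACHINE_NAME  = $ComputerName
                    FILE_PATH     = $_.Name          # Name is the full path of the file
                    FILE_SIZE     = [math]::Round($_.FileSize / 1KB, 1)
                    # LastModified comes back as a DMTF string; convert it to a DateTime
                    LAST_MODIFIED = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.LastModified)
                }
            }
    } catch {
        # Report unreachable hosts or denied access instead of stopping the whole run
        Write-Warning "WMI query failed on ${ComputerName}: $($_.Exception.Message)"
    }
}

# Constructed sample call against the local machine
$q = New-FileSearchQuery -Extension 'bmp', '.png' -Drive 'C:' -Folder '\Users\Public\Pictures'
$q
Find-RemoteFile -ComputerName $env:COMPUTERNAME -Query $q
```

Because `Path` is compared for equality, the query covers only the named folder and not its subfolders.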

Below is the additional information we get from the script.
MACHINE_NAME
PING_STATUS
FILE_PATH
USER_NAME
FILE_SIZE
LAST_MODIFIED
SYSTEM_MAKE
SYSTEM_MODEL

Below is the script, which was created for a project requirement. In this script I have copied the system hostnames into a .TXT file so that multiple systems can be searched. (This is required only if you are searching for files on multiple systems.)

$Details = @()
$PCList  = Get-Content C:\temp\PC.TXT            # one hostname per line
$date    = Get-Date -Format "yyyyMMdd_HHmmss"    # timestamp used in the CSV file name

foreach ($System in $PCList)
{
    # Reset per-machine values
    $pstsize      = ""
    $modified     = ""
    $Make         = ""
    $model        = ""
    $SearchObject = $null

    # Skip the WMI queries if the machine does not answer a single ping
    If (!(Test-Connection -Cn $System -BufferSize 16 -Count 1 -ea 0 -Quiet))
    {
        $Result = @{
            MACHINE_NAME  = "$System"
            PING_STATUS   = "FAILED"
            FILE_PATH     = "N/A"
            USER_NAME     = "N/A"
            FILE_SIZE     = "N/A"
            LAST_MODIFIED = "N/A"
            SYSTEM_MAKE   = "N/A"
            SYSTEM_MODEL  = "N/A"
        }
        $Details += New-Object PSObject -Property $Result
    }
    Else
    {
        # Hardware make and model of the target machine
        $MakeDetails = Get-WmiObject -Class win32_computersystem -ComputerName $System
        $Make  = $MakeDetails.Manufacturer
        $Model = $MakeDetails.Model

        # Find every file with the given extension (searches the entire file system)
        $SearchObject = Get-WmiObject -Namespace "root\CIMV2" -ComputerName $System -Query "Select * from CIM_DataFile Where Extension = 'bmp'"
        #$SearchObject = Get-WmiObject CIM_Datafile -ComputerName $System | Where-Object {$_.Extension -eq 'txt'}

        if ($SearchObject)
        {
            foreach ($ObjectFile in $SearchObject)
            {
                # Rebuild the full path and look up the owner of the file
                $filepath  = $ObjectFile.Drive + $ObjectFile.Path + $ObjectFile.FileName + "." + $ObjectFile.Extension
                $query     = "ASSOCIATORS OF {Win32_LogicalFileSecuritySetting='" + $filepath + "'} WHERE AssocClass=Win32_LogicalFileOwner ResultRole=Owner"
                $FileOwner = Get-WmiObject -Namespace "root\CIMV2" -ComputerName $System -Query $query

                $FileOwnerName = $FileOwner.AccountName

                $modified = $ObjectFile.LastModified
                $pstsize  = $ObjectFile.FileSize/1KB      # size in KB

                $Result = @{
                    MACHINE_NAME  = "$System"
                    PING_STATUS   = "SUCCESS"
                    FILE_PATH     = "$filepath"
                    USER_NAME     = "$FileOwnerName"
                    FILE_SIZE     = "$pstsize"
                    LAST_MODIFIED = "$modified"
                    SYSTEM_MAKE   = "$Make"
                    SYSTEM_MODEL  = "$model"
                }
                $Details += New-Object PSObject -Property $Result
            }
        }
        else
        {
            # Machine reachable, but no matching file was returned
            $Result = @{
                MACHINE_NAME  = "$System"
                PING_STATUS   = "SUCCESS"
                FILE_PATH     = "NO PST FILE FOUND"
                USER_NAME     = "N/A"
                FILE_SIZE     = "N/A"
                LAST_MODIFIED = "N/A"
                SYSTEM_MAKE   = "$Make"
                SYSTEM_MODEL  = "$model"
            }
            $Details += New-Object PSObject -Property $Result
        }
    }
}

# Write all collected rows to a timestamped CSV file
$pathofcsv = "C:\TEMP\" + "FILE_DETAILS" + "$date" + ".csv"
$Details | Export-Csv -Path $pathofcsv -Append -NoTypeInformation

The output of the script will be as given below.


