If you ever wondered how to capture everything you type and run in the Windows Command Line Interface (CLI), the way the script command does on Linux, then you will like this post.
Just type Start-Transcript
Transcript started, output file is C:\Users\<UID>\Documents\PowerShell_transcript.20140627204603.txt
Then, you can just type commands as you would normally do without worrying about taking notes on the commands or output of utilities.
$PSVersionTable
Name Value
---- ----
CLRVersion 2.0.50727.5477
BuildVersion 6.1.7601.17514
PSVersion 2.0
WSManStackVersion 2.0
PSCompatibleVersions {1.0, 2.0}
SerializationVersion 1.1.0.1
PSRemotingProtocolVersion 2.1
get-help out*
Name Category Synopsis
---- -------- --------
Out-Null Cmdlet Deletes output instead of sending it to the console.
Out-Default Cmdlet Sends the output to the default formatter and to the default output cmdlet.
Out-Host Cmdlet Sends output to the command line.
Out-File Cmdlet Sends output to a file.
Out-Printer Cmdlet Sends output to a printer.
Out-String Cmdlet Sends objects to the host as a series of strings.
Out-GridView Cmdlet Sends output to an interactive table in a separate window.
Get-ChildItem|out-file c:\temp.txt
When you are done, just type Stop-Transcript
Transcript stopped, output file is C:\Users\<UID>\Documents\PowerShell_transcript.20140627204603.txt
You can just type the file name with its path, without naming an application to open it; it will open in the default application associated with the .txt file extension.
C:\Users\<UID>\Documents\PowerShell_transcript.20140627204603.txt
The output will be all the same text that you typed and all the output of each command.
**********************
Windows PowerShell Transcript Start
Start time: 20140604110027
Username : FVTC\<UID>
Machine : APPA105B08 (Microsoft Windows NT 6.1.7601 Service Pack 1)
**********************
Transcript started, output file is C:\Users\<UID>\Documents\PowerShell_transcript.20140627204603.txt
PS C:\WINDOWS\system32> $PSVersionTable
Name Value
---- -----
CLRVersion 2.0.50727.5477
BuildVersion 6.1.7601.17514
PSVersion 2.0
WSManStackVersion 2.0
PSCompatibleVersions {1.0, 2.0}
SerializationVersion 1.1.0.1
PSRemotingProtocolVersion 2.1
PS C:\WINDOWS\system32> get-help out*
Name Category Synopsis
---- -------- --------
Out-Null Cmdlet Deletes output instead of sending it to the console.
Out-Default Cmdlet Sends the output to the default formatter and to the default output cmdlet.
Out-Host Cmdlet Sends output to the command line.
Out-File Cmdlet Sends output to a file.
Out-Printer Cmdlet Sends output to a printer.
Out-String Cmdlet Sends objects to the host as a series of strings.
Out-GridView Cmdlet Sends output to an interactive table in a separate window.
PS C:\WINDOWS\system32> Get-ChildItem|out-file c:\temp.txt
PS C:\WINDOWS\system32> Stop-Transcript
**********************
Windows PowerShell Transcript End
End time: 20140627204603
**********************
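The interactive Start-Transcript / Stop-Transcript sequence above can also be wrapped in a small script so every collection session produces a transcript with a predictable name and a hash you can check later. This is an added example, not code from the original post: the $CaseId value and the C:\IR\transcripts folder are placeholders, and Get-FileHash requires PowerShell 4.0 or later (the session in the post is PowerShell 2.0, where you would compute the hash with another tool).

```powershell
# Added example (not from the original post): wrap a collection session in a
# transcript with a fixed, timestamped file name, then hash the finished
# transcript so it can be verified later.
# Assumptions: PowerShell 4.0 or later for Get-FileHash; $CaseId and $CaseDir
# are placeholder values chosen for this example.

param(
    [string]$CaseId  = 'CASE-0000',          # placeholder case identifier
    [string]$CaseDir = 'C:\IR\transcripts'   # placeholder output folder
)

# One transcript per session, named after the case, the host and the start time.
$stamp          = Get-Date -Format 'yyyyMMddHHmmss'
$transcriptPath = Join-Path $CaseDir ("{0}_{1}_{2}.txt" -f $CaseId, $env:COMPUTERNAME, $stamp)

if (-not (Test-Path $CaseDir)) {
    New-Item -ItemType Directory -Path $CaseDir | Out-Null
}

# -NoClobber refuses to overwrite an existing file, so a name collision with an
# earlier transcript is an error rather than silent data loss.
Start-Transcript -Path $transcriptPath -NoClobber

try {
    # Record the environment first; everything displayed below lands in the
    # transcript exactly as in the interactive session shown in the post.
    $PSVersionTable
    Get-Date
    Get-Process | Sort-Object -Property CPU -Descending | Select-Object -First 10
    Get-Service | Where-Object { $_.Status -eq 'Running' }
}
finally {
    # Stop-Transcript in finally so the file is closed even if a command throws.
    Stop-Transcript
}

# Hash the closed transcript and record the hash beside it.
$hash = Get-FileHash -Path $transcriptPath -Algorithm SHA256
"{0}  {1}" -f $hash.Hash, (Split-Path $transcriptPath -Leaf) |
    Out-File -FilePath "$transcriptPath.sha256" -Encoding ascii

Write-Host "Transcript: $transcriptPath"
Write-Host "SHA256    : $($hash.Hash)"
```

Two caveats worth knowing when you rely on this for documentation: the transcript records what is written to the host, so output you redirect elsewhere (as with Get-ChildItem|out-file c:\temp.txt above) appears in the transcript only as the command line, not as its output; and in older Windows PowerShell versions Start-Transcript works in the console host but not in the ISE, which gained transcript support in PowerShell 5.0.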
This method can help you in incident response or in live forensic collection when you have to document your interaction with the suspect's system. I hope you will find this useful. Let me know if you do.