Merge branch 'next'

Modules/Disk/Get-File.ps1

@@ -1,7 +1,22 @@
 # OUTPUT Default
-# Get-File.ps1 retrieves the user specified file.
-# How does the user specify the file? By editing
-# the $targetFile value below with a full path.
+<# 
+.SYNOPSIS
+Get-File.ps1 retrieves the user specified file.
+.PARAMETER File
+A recommended parameter, a sensible default is provided, that points to
+the file you want to acquire from remote systems.
+
+When used with Kansa.ps1, parameters must be positional. Named params
+are not supported.
+.EXAMPLE
+Get-File.ps1 C:\Users\Administrator\NTUser.dat
+.NOTES
+When passing specific modules with parameters via Kansa.ps1's
+-ModulePath parameter, be sure to quote the entire string, like shown
+here:
+.\kansa.ps1 -Target localhost -ModulePath ".\Modules\Disk\Get-File.ps1 C:\boot.log"
+#>
+
 
 [CmdletBinding()]
 Param(

Modules/Disk/Get-FlsBodyfile.ps1

@@ -16,6 +16,12 @@ $env:SystemDrive (typically C:\). This can take a long time for large drives.
 !! This takes time for an entire drive !!
 #>
 
+[CmdletBinding()]
+Param(
+    [Parameter(Mandatory=$False,Position=0)]
+        [String]$Drive="$env:SystemDrive"
+)
+
 Function Expand-Zip ($zipfile, $destination) {
     $shell = New-Object -ComObject shell.application
     $zip = $shell.Namespace($zipfile)
@@ -31,8 +37,8 @@ if (Test-Path ($flspath)) {
     $flsdest = ($env:Temp + "\fls\")
     Expand-Zip $flspath $flsdest
     if (Test-Path($flsdest + "\fls.exe")) {
-        $sd = $env:SystemDrive
-        & $flsdest\fls.exe -r -m ($sd) \\.\$sd
+        # $sd = $env:SystemDrive
+        & $flsdest\fls.exe -r -m ($Drive) \\.\$Drive
         $suppress = Remove-Item $flsdest -Force -Recurse
     } else {
         "Fls.zip found, but not unzipped."

Modules/Log/Get-LogWinEvent.ps1

@@ -0,0 +1,27 @@
+# OUTPUT TSV
+<# 
+.SYNOPSIS
+Get-LogWinEvent
+.PARAMETER LogName
+A required parameter, that names the event log to acquire data from.
+To see a list of common lognames run:
+Get-WinEvent -ListLog | Select LogName
+
+When used with Kansa.ps1, parameters must be positional. Named params
+are not supported.
+.EXAMPLE
+Get-LogWinEvent.ps1 Security
+.NOTES
+When passing specific modules with parameters via Kansa.ps1's
+-ModulePath parameter, be sure to quote the entire string, like shown
+here:
+.\kansa.ps1 -Target localhost -ModulePath ".\Modules\Log\Get-LogWinEvent.ps1 Security"
+#>
+
+[CmdletBinding()]
+Param(
+    [Parameter(Mandatory=$True,Position=0)]
+        [String]$LogName
+)
+
+Get-WinEvent -LogName $LogName

Modules/Modules.conf

@@ -16,30 +16,30 @@ Net\Get-Netstat.ps1
 # Process\Get-Tasklistv.ps1
 # Process\Get-Handle.ps1
 # Process\Get-RekalPslist.ps1
-# Process\Get-ProcsWMI.ps1
+Process\Get-ProcsWMI.ps1
 # Process\Get-ProcDump.ps1
 # Net\Get-NetRoutes.ps1
 # Net\Get-NetIPInterfaces.ps1
-# Log\Get-LogUserAssist.ps1
-# Log\Get-LogShellCoreOperational.ps1
-# Log\Get-LogAppLockerPackagedAppDeployment.ps1
-# Log\Get-LogAppLockerMSIScript.ps1
-# Log\Get-LogAppLockerExeDll.ps1
-# Log\Get-LogAppExperienceProgTelemetry.ps1
-# Log\Get-LogAppExperienceProgInventory.ps1
+Log\Get-LogUserAssist.ps1
+# Log\Get-LogWinEvent.ps1 Security
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-Application-Experience/Program-Inventory
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-Application-Experience/Program-Telemetry
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/EXE and DLL
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/MSI and Script
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-AppLocker/Packaged app-Deployment
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-Shell-Core/Operational
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
+# Log\Get-LogWinEvent.ps1 Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
 # Log\Get-LogCBS.ps1
-# Log\Get-LogTermSrvcsLocalSessionMgrOperational.ps1
-# Log\Get-LogTermSrvcsRemoteConnMgrOperational.ps1
-# Log\Get-LogSecurity.ps1
 # ASEP\Get-SvcAll.ps1
-# ASEP\Get-SvcFail.ps1
-# ASEP\Get-SvcTrigs.ps1
-# ASEP\Get-WMIEvtFilter.ps1
-# ASEP\Get-WMIFltConBind.ps1
-# ASEP\Get-WMIEvtConsumer.ps1
-ASEP\Get-Autorunsc.ps1
-# ASEP\Get-PSProfiles.ps1
-# Disk\Get-FlsBodyFile.ps1
+ASEP\Get-SvcFail.ps1
+ASEP\Get-SvcTrigs.ps1
+ASEP\Get-WMIEvtFilter.ps1
+ASEP\Get-WMIFltConBind.ps1
+ASEP\Get-WMIEvtConsumer.ps1
+# ASEP\Get-Autorunsc.ps1
+ASEP\Get-PSProfiles.ps1
+# Disk\Get-FlsBodyFile.ps1 C:
 # Disk\Get-TempDirListing.ps1
 Disk\Get-File.ps1 C:\Windows\WindowsUpdate.log
 # Config\Get-LocalAdmins.ps1

Modules/Process/Get-ProcDump.ps1

@@ -1,20 +1,35 @@
 # OUTPUT bin
 # BINDEP .\Modules\bin\Procdump.exe
 <#
-Get-ProcDump
-Acquires a Sysinternal procdump of the specified process
+.SYNOPSIS
+Get-ProcDump.ps1 acquires a Sysinternal procdump of the specified 
+process
+.PARAMETER ProcId
+A required parameter, the process id of the process you want to dump.
+.NOTES
+When used with Kansa.ps1, parameters must be positional. Named params
+are not supported.
+.EXAMPLE
+Get-ProcDump.ps1 104
 
-If you have procdump.exe in your Modules\bin\ path and run Kansa with the -Pushbin
-flag, Kansa will attempt to copy the binary to the ADMIN$. Binaries are not removed, so
-subsequent runs won't require -Pushbin.
+When passing specific modules with parameters via Kansa.ps1's
+-ModulePath parameter, be sure to quote the entire string, like 
+shown here:
+.\kansa.ps1 -Target localhost -ModulePath ".\Modules\Process\Get-ProcDumpe.ps1 104"
 
-Also, you should configure this to dump the process you're 
-interested in. By default it dumps itself, which is probably
-not what you want.
+If you have procdump.exe in your Modules\bin\ path and run Kansa with 
+the -Pushbin flag, Kansa will attempt to copy the binary to the ADMIN$.
+Binaries are not removed, so subsequent runs won't require -Pushbin.
+
+Also, you should configure this to dump the process you're interested
+in. By default it dumps itself, which is probably not what you want.
 #>
 
-# Replace $pid with the process id you wish to capture.
-$ProcId = $pid
+[CmdletBinding()]
+Param(
+    [Parameter(Mandatory=$False,Position=0)]
+        [Int]$ProcId=$pid
+)
 
 if (Test-Path "$env:SystemRoot\Procdump.exe") {
     $PDOutput = & $env:SystemRoot\Procdump.exe /accepteula $ProcId 2> $null

kansa.ps1

@@ -361,6 +361,21 @@ Param(
     Write-Debug "Exiting $($MyInvocation.MyCommand)"
 }
 
+function Get-LegalFileName {
+<#
+.SYNOPSIS
+Returns argument with illegal filename characters removed.
+#>
+Param(
+    [Parameter(Mandatory=$True,Position=0)]
+        [String]$Argument
+)
+    Write-Debug "Entering ($MyInvocation.MyCommand)"
+    $Argument -replace [regex]::Escape("\") -replace [regex]::Escape("/") -replace [regex]::Escape(":") `
+        -replace [regex]::Escape("*") -replace [regex]::Escape("?") -replace "`"" -replace [regex]::Escape("<") `
+        -replace [regex]::Escape(">") -replace [regex]::Escape("|")
+}
+
 function Get-TargetData {
 <#
 .SYNOPSIS
@@ -370,7 +385,7 @@ Param(
     [Parameter(Mandatory=$True,Position=0)]
         [Array]$Targets,
     [Parameter(Mandatory=$True,Position=1)]
-        [HashTable]$Modules,
+        [System.Collections.Specialized.OrderedDictionary]$Modules,
     [Parameter(Mandatory=$False,Position=2)]
         [PSCredential]$Credential=$False,
     [Parameter(Mandatory=$False,Position=3)]
@@ -391,22 +406,25 @@ Param(
         }
 
         foreach($Module in $Modules.Keys) {
-            $ModuleName = $Module | Select-Object -ExpandProperty BaseName
+            $ModuleName  = $Module | Select-Object -ExpandProperty BaseName
+            $Argument    = $($Modules.Get_Item($Module))
+            if ($Argument) {
+                $ArgFileName = Get-LegalFileName $Argument
+            } else { $ArgFileName = "" }
             # we'll use $GetlessMod for the output folder
             $GetlessMod = $($ModuleName -replace "Get-") 
-            $Suppress = New-Item -Path $OutputPath -name $GetlessMod -ItemType Directory
+            $Suppress = New-Item -Path $OutputPath -name ($GetlessMod + $ArgFileName) -ItemType Directory
             # First line of each modules can specify how output should be handled
             $OutputMethod = Get-Content $Module -TotalCount 1 
-            # run the module on the targets
-            $Argument = $($Modules.Get_Item($Module))
+            # run the module on the targets            
             # "Invoke-Command -Session $PSSessions -FilePath $Module -ArgumentList `"$Argument`" -AsJob -ThrottleLimit $ThrottleLimit"
             $Job = Invoke-Command -Session $PSSessions -FilePath $Module -ArgumentList "$Argument" -AsJob -ThrottleLimit $ThrottleLimit
-            Write-Verbose "Waiting for $ModuleName to complete."
+            Write-Verbose "Waiting for $ModuleName $Argument to complete."
             # Wait-Job does return data to stdout, add $suppress = to start of next line, if needed
             Wait-Job $Job
             foreach($ChildJob in $Job.ChildJobs) { 
                 $Recpt = Receive-Job $ChildJob
-                $Outfile = $OutputPath + $GetlessMod + "\" + $ChildJob.Location + "-" + $GetlessMod
+                $Outfile = $OutputPath + $GetlessMod + $ArgFileName + "\" + $ChildJob.Location + "-" + $GetlessMod + $ArgFileName
                 # save the data
                 switch -Wildcard ($OutputMethod) {
                     "*csv" {
@@ -435,7 +453,7 @@ Param(
                     "*Default" {
                         # Default here means we let PowerShell figure out the output encoding
                         # Used by Get-File.ps1, which can grab arbitrary files
-                        $Outfile = $Outfile + ".default_encoding"
+                        $Outfile = $Outfile
                         $Recpt | Set-Content -Encoding Default $Outfile
                     }
                     default {