script to search for IP addresses within files and registry

    Question

  • Hi everyone, I am looking for a script, preferably Windows PowerShell if possible, to search Windows clients' file system and registry for a hard-coded IP address and display the results showing the location of the file and the IP address found.

    I need to search for addresses on a particular subnet like 192.168.xxx.xxx etc.

    in file types:

    .ini
    .txt
    .config
    .bat

    Any help much appreciated.

    Saturday, January 12, 2013 5:38 PM

Answers

  • Using reg query will be much faster for this, since you've got a straightforward search pattern. Something like this:

    reg query HKLM /f 192.168.*.* /s
    reg query HKCU /f 192.168.*.* /s

    For the file search, the PowerShell code shown below may do most of what you want; I dredged up a script I wrote to do a somewhat similar task a while back. I suggest trimming the list of searched extensions down; for user searches, searching the profile folder as shown or possibly just $env:appdata might be sufficient.

    $FilesOfInterest = @(
    	"*.ini","*.txt","*.config","*.bat","*.cmd","*.ps1",
    	"*.psm1","*.hta","*.vbs","*.wsf","*.xml","*.cfg",
    	"*.json","*.py","*.pl","*.website","*.prefs","*.lua",
    	"*.js","*.htm","*.html","*.url"
    )
    
    $pattern = "(192\.168\.\d+\.\d+)"
    
    
    function FindFilesWithContent($Root, $Include, $Pattern){
    	# recursively search for all files matching the $Include list;
    	# force the search (hidden/system files too) and suppress access errors.
    	try{
    		Get-ChildItem -Path:$Root -Include:$Include `
    			-Recurse -Force -ErrorAction:SilentlyContinue |
    			?{!$_.PSIsContainer} |
    		ForEach-Object{
    			# Windows PowerShell requires both -Activity and -Status here
    			Write-Progress -Activity "Scanning" -Status $_.FullName;
    			$item = $_;
    			Get-Content $item.FullName -ErrorAction SilentlyContinue |
    			ForEach-Object {
    				if($_ -match $Pattern){
    					#create synthetic type - there are better ways
    					"" | select filename,match | %{
    						$_.filename = $item.FullName;
    						$_.match = $matches[0]; #fill value
    						return $_ #emit it to pipeline
    					}
    				}
    	
    			}
    		}
    	}
    	catch{
    		## generally suppressing errors likely to occur with volatile files in user paths
    	}
    }
    
    # scan the current user's profile; use $env:appdata instead to narrow it down
    FindFilesWithContent -Root $env:userprofile -Include $FilesOfInterest -Pattern $pattern
    

    For the shortcut cleanup, there are ways that it could be automated almost completely using PowerShell and a couple of standard COM objects, but a tool like that would take a couple of hours to write. A quick-and-dirty solution is to use dir from a cmd.exe shell and the tzworks free link parser, lp ( http://www.tzworks.net/prototype_page.php?proto_id=11 ).

    Here's a simple example; the output blob for the shortcut files will include the actual targets.

    dir /s /b c:\users\%username%\*.lnk | lp -pipe

    Sunday, January 13, 2013 6:31 PM
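The following is an added example and not code posted in this thread. It folds the three searches the accepted answer spreads over reg query, Get-Content and the tzworks lp tool (and the shorter gci one-liner in the replies below) into one PowerShell script that emits uniform objects for files, registry values and .lnk targets, and it filters to a real subnet rather than to anything that starts with 192.168. Assumptions: Windows PowerShell 2.0 or later, an elevated session so HKLM and system folders are readable, and the hypothetical subnet 192.168.5.0/24 as the block being re-IPed; the function names, $Cidr value and extension list are choices made for this example.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 2.0+, an elevated
# session, and the hypothetical subnet 192.168.5.0/24 as the block being moved.

# Dotted quad with valid octets only, so "1192.168.1.1" and "10.1.2.300" do not hit.
$Octet     = '(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)'
$IPv4Regex = "\b(?:$Octet\.){3}$Octet\b"

function Test-IPInCidr {
    # True when $IPAddress lies inside $Cidr ("192.168.5.0/24"); a bare address means /32.
    param([string]$IPAddress, [string]$Cidr)
    $parts = $Cidr.Split('/')
    $bits  = 32
    if ($parts.Count -gt 1) { $bits = [int]$parts[1] }
    $net = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    $ip  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        # prefix bits that fall in this octet (0..8) and the matching mask byte;
        # computed with Pow because -shl only exists from PowerShell 3.0
        $n    = [Math]::Max(0, [Math]::Min(8, $bits - 8 * $i))
        $mask = [int](256 - [Math]::Pow(2, 8 - $n))
        if (($net[$i] -band $mask) -ne ($ip[$i] -band $mask)) { return $false }
    }
    return $true
}

function New-Hit($Source, $Location, $Line, $Address) {
    New-Object PSObject -Property @{
        Source = $Source; Location = $Location; Line = $Line; Address = $Address
    }
}

function Find-IPInFiles {
    # Select-String reads each file once and reports every match with its line number.
    param([string]$Root, [string[]]$Include, [string]$Cidr)
    Get-ChildItem -Path $Root -Include $Include -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-String -Pattern $IPv4Regex -AllMatches -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hit = $_
            foreach ($m in $hit.Matches) {
                if (Test-IPInCidr $m.Value $Cidr) { New-Hit 'File' $hit.Path $hit.LineNumber $m.Value }
            }
        }
}

function Find-IPInRegistry {
    # Walks REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ values under $Hive (e.g. 'HKLM:\SOFTWARE').
    # Binary values are skipped; reg query /f or a hex search covers those.
    param([string]$Hive, [string]$Cidr)
    Get-ChildItem -Path $Hive -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                # DoNotExpandEnvironmentNames returns REG_EXPAND_SZ data as stored
                $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                if (($data -is [string]) -or ($data -is [string[]])) {
                    foreach ($s in @($data)) {
                        foreach ($m in [regex]::Matches($s, $IPv4Regex)) {
                            if (Test-IPInCidr $m.Value $Cidr) {
                                New-Hit 'Registry' "$($key.Name)\$name" $null $m.Value
                            }
                        }
                    }
                }
            }
        }
}

function Find-IPInShortcuts {
    # WScript.Shell resolves a .lnk to its target, arguments and working directory,
    # which is where a UNC path such as \\192.168.5.10\share would be hiding.
    param([string]$Root, [string]$Cidr)
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Root -Include '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $lnk  = $shell.CreateShortcut($_.FullName)
            $text = "$($lnk.TargetPath) $($lnk.Arguments) $($lnk.WorkingDirectory)"
            foreach ($m in [regex]::Matches($text, $IPv4Regex)) {
                if (Test-IPInCidr $m.Value $Cidr) { New-Hit 'Shortcut' $_.FullName $null $m.Value }
            }
        }
}

$Cidr    = '192.168.5.0/24'   # assumption: the subnet being moved
$Include = '*.ini','*.txt','*.config','*.bat','*.cmd','*.xml','*.url'

$results = @(Find-IPInFiles     -Root "$env:SystemDrive\" -Include $Include -Cidr $Cidr) +
           @(Find-IPInRegistry  -Hive 'HKLM:\SOFTWARE' -Cidr $Cidr) +
           @(Find-IPInRegistry  -Hive 'HKCU:\Software' -Cidr $Cidr) +
           @(Find-IPInShortcuts -Root "$env:SystemDrive\Users" -Cidr $Cidr)

$results | Select-Object Source, Location, Line, Address |
    Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-ipscan.csv"
```

Run it once per machine from an elevated prompt and, as the replies below point out, once more per user for HKCU and the profile folder; the HKLM walk and a full-drive Select-String will take a while on anything but a small box. The CSV has one row per address found, so a move plan can be built by sorting on Address and Location rather than by reading raw reg query output.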

All replies

  • Are you sure you want to solve whatever problem you're trying to solve with this particular technique? Doing something along these lines will take a very long time to complete. Based on your wording, I suspect you're going to want to do even more searching than you imply - e.g., if you're looking in bat and config files, you probably also want cmd files, maybe xml files, and a few others.

    It might be better to describe the problem you're trying to resolve. Here's a quick example of doing what you ask for the specific files you ask about on the C drive; on a system with more than a handful of files, you'll find it can take a very long time to run. It also won't have access to any files/directories you don't already explicitly control.

    gci c:\ -Recurse -Include:*.ini,*.txt,*.config,*.bat,*.cmd -Force -ea SilentlyContinue | ?{!$_.PSIsContainer} | %{
    	$item = $_; gc $item.FullName -ea SilentlyContinue | ?{$_ -match "(192\.168\.[0-9]+\.[0-9]+)"} | %{"found $($matches[1]) in $($item.FullName)"}}

    Saturday, January 12, 2013 8:01 PM
  • I completely agree with what you're saying, this is going to be a slow process, but I do not see any other option. I am relocating some servers and at the same time re-IP-ing them. Because little is known about the applications running on them, we need to find out if any hard-coded IP addresses have been configured, hence I need a way to search for a range of IP addresses.

    Thanks for your response.

    Sunday, January 13, 2013 1:03 PM
  • Yeah, I can't see many other alternatives either, and it's more reasonable doing this as a one-time task anyway. A couple more comments and questions:

    (1) You may have already thought through to this, but since it sounds like you're going to be trying to run this on every single client, I suggest you expect to be performing 2 phases to the scanning. The first and slowest part is the raw scan that tries to read every file and the machine hive of the registry. If most of your applications are modern and the LAN has been able to follow best practices, this will probably return mostly registry results. The second phase almost has to be done on a per-user basis, but it can restrict itself to the user folders and HKCU in the registry.

    (2) you probably need to scan all of the standard shortcut files as well, as a separate step since you need to "read" the shortcut. There are some demos of that floating around, and we can point you to a generic filtering tool for the shortcut scans if you can't find one yourself; I seem to recall writing a script for that 3-4 years ago.

    (3) What operating systems do the clients and servers use, and what version of PowerShell? It would be nice if they had at least PS2 on all of them. :)

    Sunday, January 13, 2013 5:02 PM
  • Thanks for your reply.

    Most of the servers will be 2003 and, I am guessing here, but knowing my luck it will be v1; the rest will be 2008, therefore running version 2.

    Which command would you recommend I use for the registry search? REG QUERY /s?

    Any help with the shortcut search much appreciated.

    Sunday, January 13, 2013 5:33 PM
  • Thank you, this will give me something to work from.
    Sunday, January 13, 2013 7:30 PM