initial commit of SVN release repo

2018-05-07 10:51:08 -04:00
parent 2c25d5e577
commit 8c38a6cdb9
4369 changed files with 728576 additions and 0 deletions
--- a/Tools/Windows/Windows
+++ b/Tools/Windows/Windows
--- a/Tools/Windows/Windows
+++ b/Tools/Windows/Windows
--- a/Collection/DUMPSEC.exe
+++ b/Collection/DUMPSEC.exe
--- a/Tools/Windows/Windows
+++ b/Tools/Windows/Windows
--- a/Collection/files-to-version.txt
+++ b/Collection/files-to-version.txt
@ -0,0 +1,4 @@
+C:\Windows\system32\notepad.exe
+C:\Program Files (x86)\Notepad++\notepad++.exe
+c:\Windows\system32\EnPasFltV2x86.dll
+c:\Windows\system32\EnPasFltV2x64.dll
--- a/Collection/filever.vbs
+++ b/Collection/filever.vbs
@ -0,0 +1,10 @@
+Set fso = WScript.CreateObject("Scripting.FileSystemObject")
+Set objArgs = WScript.Arguments
+if objArgs.Count<>1 then WScript.Quit()
+if NOT fso.FileExists(objArgs(0)) then WScript.Echo("File " & objArgs(0) & " does not exist") & WScript.Quit()
+set f = fso.GetFile(objArgs(0))
+WScript.Echo objArgs(0) & "," & fso.GetFileVersion(objArgs(0)) & "," & f.DateLastModified
+
+rem to call the script just use
+rem cscript -nologo filever.vbs "c:\WINNT\system32\notepad.exe" 
+
--- a/Collection/reg-perms-to-check.txt
+++ b/Collection/reg-perms-to-check.txt
@ -0,0 +1,2 @@
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
--- a/Collection/reg-values-to-check.txt
+++ b/Collection/reg-values-to-check.txt
@ -0,0 +1,175 @@
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,RestrictAnonymous
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa,LmCompatibilityLevel
+HEKY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa,DisableDomainCreds
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa,ForceGuest
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy
+hkey_local_machine\system\CurrentControlSet\control\lsa,usemachineid
+hkey_local_machine\system\CurrentControlSet\control\lsa\msv1_0,allownullsessionfallback
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec
+hkey_local_machine\system\CurrentControlSet\Control\lsa\pku2u,AllowOnlineID
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager,SafeDllSearchMode
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security,WarningLevel
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC,NoDefaultExempt
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters,Hidden
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters,SmbServerNameHardeningLevel
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIpSourceRouting
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters,DisabledComponents
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,AutoAdminLogon
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon,ScreenSaverGracePeriod
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole,SecurityLevel
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf,(Default)
+hkey_local_machine\Software\Policies\Microsoft\EMET\SysSettings,ASLR
+hkey_local_machine\Software\Policies\Microsoft\EMET\SysSettings,DEP
+hkey_local_machine\Software\Policies\Microsoft\EMET\SysSettings,SEHOP
+hkey_local_machine\Software\Policies\Microsoft\EMET\Defaults,IE
+hkey_local_machine\Software\Policies\Microsoft\EMET\Defaults
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client,CEIP
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisbleHTTPPrinting
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers,DisableWebPnPDownload
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc,RestrictRemoteClients
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc,EnableAuthEpResolution
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,fAllowToGetHelp
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,fAllowUnsolicited
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,fPromptForPassword
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,fDenyTSConnections
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,fDisableCdm
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,MinEncryptionLevel
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,PerSessionTempDir
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,DeleteTempDirsOnExit
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,MaxDisconnectionTime
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,MaxIdleTime
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,DisablePasswordSaving
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet,Disabled
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings,AllowRemoteRPC
+hkey_local_machine\Software\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention
+hkey_local_machine\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize
+hkey_local_machine\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize
+hkey_local_machine\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize
+hkey_local_machine\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOONdomain
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOndomain
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections,NC_AllowNetBridge_NLA
+hkey_local_machine\Software\Policies\Microsoft\Windows\TCPIP\v6Transition,6to4_State
+hkey_local_machine\Software\Policies\Microsoft\Windows\TCPIP\v6Transition,ISATAP_State
+hkey_local_machine\Software\Policies\Microsoft\Windows\TCPIP\v6Transition,Teredo_State
+hkey_local_machine\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface,IPHTTPS_ClientState
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2},NoGPOListChanges
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer,DisableAutoupdate
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer,NoDriveTypeAutorun
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInternetOpenWith
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior
+hkey_local_machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU,Disabled
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecurityUIAPaths
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System,ValidateAdminCodeSignatures
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system,DisableBkGndGroupPolicy
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system,LogonType
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\System,ReportControllerMissing
+hkey_local_machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar,TurnOffUnsignedGadgets
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar,OverrideMoreGadgetsLink
+hkey_local_machine\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar,TurnOffUserInstalledGadgets
+hkey_local_machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon,AllocateCDRoms
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
+HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer,MicrosoftEventVwrDisableLinks
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds,DisableEnclosureDownload
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex
+hkey_local_machine\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot,DisableRootAutoUpdate
+hkey_local_machine\Software\Policies\Microsoft\WMDRM,DisableOnline
+hkey_local_machine\Software\Policies\Microsoft\Windows\AppCompat,DisableInventory
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings,WarnOnBadCertRecving
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3,1E05
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4,1E05
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching,DontSearchWindowsUpdate
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching,DontPromptForWindowsUpdate
+hkey_local_machine\Software\Policies\Microsoft\Windows\DriverSearching,SearchOrderConfig
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings,DisableSystemRestore
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings,DisableSendGenericDriverNotFoundToWER
+hkey_local_machine\Software\Policies\Microsoft\Windows\Device Metadata,PreventDeviceMetadataFromNetwork
+hkey_local_machine\Software\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption
+hkey_local_machine\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\GameUX,DownloadGameInfo
+hkey_local_machine\Software\Policies\Microsoft\Windows\GameUX,GameUpdateOptions
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports
+hkey_local_machine\Software\Policies\Microsoft\Windows\Homegroup,DisableHomeGroup
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard,ExitOnMSICW
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated
+hkey_local_machine\Software\Policies\Microsoft\Windows\Installer,SafeForScripting
+hkey_local_machine\Software\Policies\Microsoft\Windows\Installer,EnableUserControl
+hkey_local_machine\Software\Policies\Microsoft\Windows\Installer,DisableLUAPatching
+hkey_local_machine\Software\Policies\Microsoft\Windows\Network Connections,NC_StdDomainUserSetInstaller
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control,NoRegistration
+hkey_local_machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer
+hkey_local_machine\Software\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,EnableQueryRemoteServer
+hkey_local_machine\Software\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing
+hkey_local_machine\Software\Policies\Microsoft\Windows\TCPIP\v6Transition,Force_Tunneling
+hkey_local_machine\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting,LoggingDisabled
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting,Disabled
+hkey_local_machine\Software\Policies\Microsoft\Windows\Windows Error Reporting,DontSendAdditionalData
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search,AllowIndexingEncryptedStoresOrItems
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Search,PreventIndexingUncachedExchangeFolders
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU,NoAutoUpdate
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,WUServer
+hkey_local_machine\Software\Policies\Microsoft\WindowsMediaPlayer,GroupPrivacyAcceptance
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet,SpyNetReporting
+hkey_local_machine\Software\Policies\Microsoft\Windows NT\Printers,DoNotInstallCompatibleDriverFromWindowsUpdate
+HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services,LoggingEnabled
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Parameters,Type
+HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\Parameters,NTPServer
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main,Use FormSuggest
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions,NoExternalBranding
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main,FormSuggest Passwords
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop,ScreenSaveActive
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop,ScreenSaverIsSecure
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop,ScreenSaveTimeOut
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback
+HKEY_CURRENT_USER\Software\Policies\Microsoft\Assistance\Client\1.0,NoExplicitFeedback
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,HideZoneInfoOnProperties
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInPlaceSharing
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings,SecureProtocols
--- a/Tools/Windows/Windows
+++ b/Tools/Windows/Windows
@ -0,0 +1,27 @@
+::tee.cmd, by Ken Henderson
+:: http://blogs.msdn.com/khen1234/archive/2005/10/27/486031.aspx
+:: modified to append the file rather than over-write
+@echo off
+
+IF (%1)==() GOTO help
+
+::Overwrite the file (W2K/XP require /Y)
+:: SET slash_y=
+:: ver <20> find "Windows NT" >nul
+:: if ERRORLEVEL 1 set slash_y=/Y
+
+:: ::Overwrite the file
+:: copy %slash_y% nul %1 >nul 2>&1
+
+for /f "tokens=1* delims=]" %%A in ('find /V /N ""') do (
+ >con echo.%%B
+ >>%1 echo.%%B
+)
+
+GOTO :eof
+
+:help
+ECHO.
+ECHO Pipe text to the console and redirect to a file simultaneously
+ECHO.
+ECHO Usage:  command | tee filename
--- a/Collection/windows-data-collection.bat
+++ b/Collection/windows-data-collection.bat
@ -0,0 +1,299 @@
+@echo off
+REM ########################################################################
+REM windows-data-collection.bat - collects ST&E relevant data
+REM Jeff A. Odegard, CISSP  15 May 13
+REM 
+REM ########################################################################
+
+HOSTNAME >HOSTNAME.txt
+for /F "eol=; tokens=1* delims= " %%i in (HOSTNAME.txt) do @set HOSTNAME=%%i
+set OUTDIR=C:\temp\%HOSTNAME%
+mkdir %OUTDIR% >nul 2>&1
+set originaldir=%cd%
+echo.
+echo Results will be in %OUTDIR%
+echo.
+echo  Admin privilege required.  Checking access
+net session >nul 2>&1
+if %errorlevel% NEQ 0 (
+	echo.
+	echo.     ERROR:  Script must run with administrative privileges!
+	goto end_of_script
+) 
+echo.   - Success
+echo.
+set VERSION="0.1, 15 May 13"
+echo. | date /t >C:\temp\%HOSTNAME%\date.txt
+echo. | time /t >C:\temp\%HOSTNAME%\time.txt
+set dt=
+set tm=
+for /F "eol=; tokens=* delims= " %%i in (C:\temp\%HOSTNAME%\date.txt) do @set dt=%%i
+for /F "eol=; tokens=5 delims= " %%i in (C:\temp\%HOSTNAME%\time.txt) do @set tm=%%i
+rem This is the way you do string substitution in Batch...
+set dt=%dt:/=-%
+set dt=%dt: =%
+REM set tm=%tm =%
+REM set tm=%tm: =%
+
+del /F C:\temp\%HOSTNAME%\date.txt C:\temp\%HOSTNAME%\time.txt HOSTNAME.txt
+set OUTBASE=%HOSTNAME%.txt
+set SUMMARYFILE=%OUTDIR%\%HOSTNAME%-data-collection-summary-%dt%.txt
+set CHECKSUMS=%OUTDIR%\%HOSTNAME%-checksums-%dt%.txt
+setlocal enableextensions enabledelayedexpansion
+REM ########################################################################
+REM Data Gathering Starts Here
+REM ########################################################################
+
+del /f /q c:\temp\%HOSTNAME%\*
+
+echo User List  | tee.cmd %SUMMARYFILE%
+wmic useraccount get name,sid 2>&1 > %OUTDIR%\user_list.txt
+
+echo Windows Registry Permissions
+REM This produces a 60Meg file.  Need to modify to only pull perms required for STIG
+echo   * DUMPSEC.exe /rpt=registry=HKEY_LOCAL_MACHINE /outfile=%OUTDIR%\HKLM-permissions.csv /saveas=csv >> %SUMMARYFILE%
+echo   * dumpsec.exe HKEY_LOCAL_MACHINE to HKLM-permissions.csv
+DUMPSEC.exe /rpt=registry=HKEY_LOCAL_MACHINE /outfile=%OUTDIR%\HKLM-permissions.csv /saveas=csv
+echo   * DUMPSEC.exe /rpt=registry=HKEY_USERS /outfile=%OUTDIR%\HKU-permissions.csv /saveas=csv >> %SUMMARYFILE%
+echo   * dumpsec.exe HKEY_USERS to HKU-permissions.csv
+DUMPSEC.exe /rpt=registry=HKEY_USERS /outfile=%OUTDIR%\HKU-permissions.csv /saveas=csv
+echo.
+
+echo   * 1.006, net localgroup "Administrators" | tee.cmd %OUTDIR%\admin_group.txt
+echo     -- net localgroup "Administrators" | tee.cmd %SUMMARYFILE%
+net localgroup "Administrators" > %OUTDIR%\admin_group.txt
+echo.
+
+echo   * 1.007, Backup Operators Group | tee.cmd %OUTDIR%\backup_group.txt
+echo     -- net localgroup "Backup Operators" | tee.cmd %SUMMARYFILE%
+net localgroup "Backup Operators" > %OUTDIR%\backup_group.txt
+echo.
+
+echo   * 2.001, Log File Permissions | tee.cmd %OUTDIR%\log_permissions.txt
+echo     -- icacls C:\Windows\System32\winevt\Logs\Application.evtx | tee.cmd %SUMMARYFILE%
+icacls C:\Windows\System32\winevt\Logs\Application.evtx > %OUTDIR%\log_permissions.txt
+echo     -- icacls C:\Windows\System32\winevt\Logs\Security.evtx | tee.cmd %SUMMARYFILE%
+icacls C:\Windows\System32\winevt\Logs\Security.evtx >> %OUTDIR%\log_permissions.txt
+echo     -- icacls C:\Windows\System32\winevt\Logs\System.evtx | tee.cmd %SUMMARYFILE%
+icacls C:\Windows\System32\winevt\Logs\System.evtx >> %OUTDIR%\log_permissions.txt
+echo.
+
+echo   * 2.008 NTFS Requirement | tee.cmd %OUTDIR%\disk_partitions.txt
+echo list volume > listvol.scr
+echo     -- diskpart /s listvol.scr | tee.cmd %SUMMARYFILE%
+diskpart /s listvol.scr > %OUTDIR%\disk_partitions.txt
+del listvol.scr
+
+echo   * 2.015 File Share ACLs | tee.cmd %OUTDIR%\net_shares.txt
+echo     -- net share | tee.cmd %SUMMARYFILE%
+net share > %OUTDIR%\net_shares.txt
+for /F "eol=; tokens=1 delims= " %%i in (%OUTDIR%\net_shares.txt) do (
+	set mytest=foo
+	if %%i == "2.015" set mytest=bar 
+	if "%%i" == "Share" set mytest=bar
+	if "%%i" == "The" set mytest=bar
+	if "%%i" == "-------------------------------------------------------------------------------" set mytest=bar
+	if '%%i' == '*' set mytest =bar
+	if "!mytest!"=="foo" (
+		echo.    - Permissions for %%i
+		echo    - net share %%i >> %SUMMARYFILE%
+		net share %%i >> %OUTDIR%\net_shares.txt 2>&1
+	)
+)
+echo.
+
+echo   * 2.005, Unsupported Service Packs | tee.cmd %OUTDIR%\os_info.txt
+echo     -- systeminfo OS Name, Version, Type, Domain, Logon Server | tee.cmd %SUMMARYFILE%
+systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Logon Server" > %OUTDIR%\os_info.txt
+echo.
+
+echo   * 2.019 Security Related Software Patches | tee.cmd %OUTDIR%\hotfixes.txt
+echo     -- wmic /output:hotfixes.txt qfe list | tee.cmd %SUMMARYFILE%
+wmic qfe list > %OUTDIR%\hotfixes.txt
+echo.
+
+echo   * 2.021, Software Certificate Installation Files | tee.cmd %OUTDIR%\hotfixes.txt
+echo     -- dir /s /b *.p12 *.pfs (C:\) | tee.cmd %SUMMARYFILE%
+cd C:\
+dir /s /b *.p12 *.pfs > %OUTDIR%\hotfixes.txt
+cd %originaldir%
+echo.
+
+REM Miscellaneous info
+echo Miscellaneous Information | tee.cmd %SUMMARYFILE%
+echo   * tasklist.exe - process list | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\tasklist.txt
+echo     -- tasklist.exe | tee.cmd %SUMMARYFILE%
+tasklist.exe > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * net.exe start - Running Windows Services | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\net-start.txt
+echo     -- net.exe start | tee.cmd %SUMMARYFILE%
+net.exe start > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * tasklist /svc - Services Associated with Processes | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\tasklist-svc.txt
+echo     -- tasklist.exe /svc | tee.cmd %SUMMARYFILE%
+tasklist.exe /svc > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * wmic process list full - detailed process information  | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\wmic-process-list-full.txt
+echo     -- wmic.exe process list full | tee.cmd %SUMMARYFILE%
+wmic.exe process list full > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * wmic startup list full - List all startup tasks | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\wmic-startup-list-full.txt
+echo     -- wmic.exe startup list full | tee.cmd %SUMMARYFILE%
+wmic.exe startup list full > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * reg query  - list contents of startup registry keys | tee.cmd %SUMMARYFILE%
+echo      - reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+echo      - reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\reg-query-Run.txt
+echo     -- reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | tee.cmd %SUMMARYFILE%
+reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run  2>&1 > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo      - reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce | tee.cmd %SUMMARYFILE% 
+set OUTFILE=%OUTDIR%\reg-query-Runonce.txt
+echo     -- reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce | tee.cmd %SUMMARYFILE%
+reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce 2>&1 > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+ 
+echo      - reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\reg-query-Runonce-Ex.txt
+echo     -- reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx | tee.cmd %SUMMARYFILE%
+reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx 2>&1 > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * netstat -naob - list network services, connections and processes | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\netstat-naob.txt
+echo     -- netstat -naob | tee.cmd %SUMMARYFILE%
+netstat -naob > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+ 
+echo   * nbtstat -S - record active NetBIOS connections | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\nbtstat-S.txt
+echo     -- nbtstat -S | tee.cmd %SUMMARYFILE%
+nbtstat -S > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * nbtstat -c - record cached NetBIOS connections | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\nbtstat-c.txt
+echo     -- nbtstat -c | tee.cmd %SUMMARYFILE%
+nbtstat -c > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * arp -a - record Arp Table  | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\arp-a.txt
+echo     -- arp -a | tee.cmd %SUMMARYFILE%
+arp -a > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * ipconfig /all - List all network devices | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\ipconfig-all.txt
+echo     -- ipconfig /all | tee.cmd %SUMMARYFILE%
+ipconfig /all > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * net view \\127.0.0.1  - list file shares | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\file-shares.txt
+echo     -- net view \\127.0.0.1 | tee.cmd %SUMMARYFILE%
+net view \\127.0.0.1 > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * net sessions - list open NetBIOS sessions | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\net-sessions.txt
+echo     -- net sessions | tee.cmd %SUMMARYFILE%
+net sessions > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * netsh firewall show config - display firewall configuration | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\netsh-firewall-show-config.txt
+echo     -- netsh firewall show config | tee.cmd %SUMMARYFILE%
+netsh firewall show config > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * net user - list system users | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\system-users.txt
+echo     -- net user | tee.cmd %SUMMARYFILE%
+net user > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * net localgroup administrators - list local system administrator accounts | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\local-administrators.txt
+echo     -- net localgroup administrator | tee.cmd %SUMMARYFILE%
+net localgroup administrators > %OUTFILE%
+fciv.exe -both "%OUTFILE%" >> %CHECKSUMS%
+
+echo   * Installed Software | tee.cmd %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\installed-software.csv
+echo     -- wmic product /format:csv get name,version | tee.cmd %SUMMARYFILE%
+wmic product get /format:csv name,version > %OUTFILE%
+
+echo   * Query the registry for values | tee.cmd  %SUMMARYFILE%
+for /F "eol=; tokens=1,2 delims=," %%i in (reg-values-to-check.txt) do (
+	echo     - reg query "%%i" | tee.cmd  %SUMMARYFILE%
+	if "%%j" NEQ "" (
+		if "%%j" EQU "(Default)" (reg query "%%i" /v 2>&1 >> %OUTDIR%\registry-values.txt
+		) else (reg query "%%i" /v "%%j" 2>&1 >> %OUTDIR%\registry-values.txt)
+	) else (reg query "%%i" 2>&1 >> %OUTDIR%\registry-values.txt)
+)
+
+echo   * Gather file version information | tee.cmd  %SUMMARYFILE%
+for /F "eol=; tokens=* delims= " %%i in (files-to-version.txt) do (
+	echo     -- filever.vbs %%i | tee.cmd  %SUMMARYFILE%
+	cscript -nologo "%originaldir%\filever.vbs" "%%i" >> %OUTDIR%\file-version-results.txt
+)
+
+echo   * Gather auditing information | tee.cmd  %SUMMARYFILE%
+set OUTFILE=%OUTDIR%\audit_information.csv
+echo     -- auditpol /get /category:* /r
+auditpol /get /category:* /r > %OUTFILE%
+
+echo   * Gather Security Policy Information | tee.cmd %SUMMARYFILE%
+echo     -- secedit /export /cfg security_policy.inf /areas SECURITYPOLICY
+secedit /export /cfg %OUTDIR%\security_policy.inf /areas SECURITYPOLICY /quiet
+
+REM Do this last, so they can save off the policy, zip everything up and finish the script.
+REM echo Security Policy Checks | tee.cmd  %SUMMARYFILE%
+REM echo   gpedit.msc will open.
+REM echo      Expand: Computer Configuration 
+REM echo                       - Windows Settings 
+REM echo                                 -- Security Settings 
+REM echo                                             --- Local Policies
+REM echo.
+REM echo   * Audit Policy - single click, right click - export list, 
+REM echo      -- save as audit_policy.txt
+REM echo   * User Rights - single click, right click - export list, 
+REM echo      -- save as user_rights.txt
+REM echo   * Security Options - single click, right click - export list, 
+REM echo      -- save as security_options.txt
+REM echo   * Under Account Policies, save Password Policies and Account Lockout Policies
+REM echo      -- save as password_policy.txt
+REM echo      -- save as account_policy.txt
+REM echo.
+REM echo   Close the Policy editor when you're finished.
+REM echo   * gpedit.msc | tee.cmd %SUMMARYFILE%
+REM gpedit.msc 
+REM echo. 
+
+REM ########################################################################
+REM End Data Gathering
+REM ########################################################################
+
+echo Windows data collection complete.  Normality has been restored...
+REM echo Zip and copy %OUTDIR% to the PTL for further analysis.
+REM dir %OUTDIR%
+REM PAUSE
+
+7z u -y -tzip DataCollection.zip %OUTDIR%
+
+cd %originaldir%
+:end_of_script
+cd !originaldir!