Additional Data Collection

tasks task implement collector for smbios uuid description collect the system's unique smbios uuid schema target devices smbios uuid verified method wmi query select uuid from win32 computersystemproduct priority critical task diagnose and fix usb controller collection error & implement data gathering description investigate and fix the usb controller collection error collect details (name, manufacturer, status, pnpdeviceid) for usb host controllers and root hubs schema target devicehardware usb controllers (jsonb array) verified method debug existing method use wmi win32 usbcontroller, win32 usbhub and/or powershell get pnpdevice class usb priority high (fixes error) task implement collector for system chassis information description collect physical chassis information (manufacturer, type, serial number) schema target devicehardware chassis info (jsonb) verified method wmi query select manufacturer, chassistypes, serialnumber from win32 systemenclosure map chassistypes numbers priority high task implement collector for logical disk / volume information description collect details for logical volumes (mount point, label, file system, capacity, free space, volume guid/serial number, status) schema target devicelogicaldisks table verified method powershell get volume map properties priority high task implement collector for physical disk drive information (basic + smart) description collect key physical disk details (model, serial, interface, media type, capacity, status) and essential smart attributes (temperature, wear, errors, poweronhours) schema target physicaldisks table verified method powershell get physicaldisk and get physicaldisk | get storagereliabilitycounter requires storage module priority high task implement collector for local user accounts description enumerate and collect local user account details (name, sid, full name, status \[disabled/locked], password flags) schema target localuseraccounts table verified method powershell get localuser is admin requires task 8 priority high task implement collector for local groups description enumerate and collect local group details (name, description, sid) schema target localgroups table verified method powershell get localgroup priority high task implement collector for local group memberships (including admin check) description enumerate members of local groups specifically identify members of the 'administrators' group to populate localuseraccounts is admin schema target localgroupmemberships table verified method powershell get localgroupmember group \<groupname> or sid \<groupsid> parse member details update localuseraccounts is admin priority high task implement collector for active/disconnected user sessions description collect current user session information (console, rdp) including username, state, and logon time schema target devicesessions table verified method powershell get terminalsession cmdlet priority high task implement collector for installed printers (local and network) description enumerate configured printers and their basic status and configuration schema target deviceprinters table verified method wmi query select from win32 printer map status/state codes priority high task implement collector for static ip routes description collect non automatic static ip routes configured on the device schema target devicestaticroutes table verified method powershell get netroute | where object {$ protocol eq 'manual'} verify is persistent mapping priority high task implement collector for detailed microsoft defender configuration (get mppreference) description collect the comprehensive configuration settings for microsoft defender antivirus schema target devicedefenderconfiguration table verified method powershell get mppreference map properties carefully priority high task implement collector for detailed audit policy settings description collect effective advanced audit policy settings (success/failure) for all subcategories schema target detailedauditpolicysettings table verified method execute auditpol /get /category command and parse the output map settings strings priority high task implement collector for individual windows firewall rules description enumerate and collect details for all configured windows firewall rules schema target devicefirewallrules table verified method powershell get netfirewallrule handle arrays priority high task implement collector for device firewall profile settings description collect the configuration settings for the domain, private, and public windows firewall profiles schema target devicefirewallprofiles table (profile name, is enabled, default inbound action, default outbound action, etc ) verified method powershell get netfirewallprofile cmdlet iterate through profiles (domain, private, public) and map properties like enabled, defaultinboundaction, defaultoutboundaction priority high (completes firewall configuration) task implement collector for device drivers description collect information about installed device drivers (name, provider, version, date, signed status, pnp id) schema target devicedrivers table verified method wmi query select description, providername, driverversion, driverdate, issigned, pnpdeviceid from win32 pnpsigneddriver priority medium (standard inventory item) task implement collector for device scheduled tasks description collect information about scheduled tasks configured on the device schema target devicescheduledtasks table (task name \[taskpath+taskname], status \[state], is enabled \[state!=disabled], last run time \[lastruntime], last run result \[lasttaskresult], next run time \[nextruntime], actions \[actions], triggers \[triggers], run as user \[principal]) verified method powershell get scheduledtask cmdlet map properties actions and triggers are objects that might need serialization (e g , to json) or specific property extraction priority medium (os configuration visibility) task implement collector for general hardware sensor readings (temp/fan/volt) description collect readings from common hardware sensors like cpu/gpu temperature, fan speeds, and voltages schema target devicesensorreadings table (sensor type, sensor name, reading value, reading unit) verified method wmi namespace root\wmi classes like msacpi thermalzonetemperature or win32 fan alternatively, investigate root\librehardwaremonitor if librehardwaremonitor/openhardwaremonitor library/service is installed (requires external dependency) powershell get ciminstance namespace root/wmi classname msacpi thermalzonetemperature for temps fan/voltage may require the external library route for reliability across hardware priority medium (hardware health monitoring) notes focus on temperature first via wmi fan/voltage is more complex task implement collector for detailed physical ram module information description collect details for each installed physical ram module schema target devicehardware ram details (jsonb array) verified method wmi query select banklabel, capacity, formfactor, memorytype, speed, manufacturer, partnumber, serialnumber from win32 physicalmemory map memorytype codes priority medium task enhance network adapter collector for dhcp lease, wins, vswitch description add dhcp lease details, wins server config, and associated virtual switch name schema target devicenetworkadapters table verified method wmi win32 networkadapterconfiguration powershell get vmnetworkadapter managementos | where object macaddress for vswitch name priority medium task implement collector for disk encryption status (bitlocker) description collect bitlocker status (encryption status, protection status, percentage, lock status, key protector types) schema target devicediskencryptionstatus table verified method powershell get bitlockervolume map properties store key protector types priority medium task implement collector for battery status and health description collect battery information, if present schema target devicebattery table verified method wmi query select from win32 battery map codes handle absence priority medium task implement collector for basic os upgrade history (last upgrade) description collect information about the last os upgrade performed schema target osupgradehistory table verified method read registry keys under hklm\system\setup\source os estimate timestamp priority medium low task enhance startup items collector for publisher description add publisher information (from digital signature) to startup items schema target devicestartupitems table (add publisher) verified method powershell get authenticodesignature on executablepath handle errors/unsigned files efficiently priority medium task implement collector for local user profile details (basic path/status/last used) description collect basic user profile info (path, status flags, last used time) schema target localuserprofiles table verified method wmi query select sid, localpath, status, lastusetime from win32 userprofile map status flags priority medium task implement collector for installed browsers description identify installed web browsers (edge, chrome, firefox, etc ) and their versions/paths/default status schema target devicebrowsers table verified method check common registry locations (app paths, etc ) get version from file properties or specific browser keys priority medium task enhance endpoint protection collector for engine version description add the specific av engine version schema target endpointprotectionstatus table (engine version) verified method powershell (get mpcomputerstatus) antivirusengineversion for defender vendor specific methods for others priority medium task implement collector for sound device information description collect sound device details (name, manufacturer) schema target devicehardware sound devices (jsonb array) verified method wmi query select name, manufacturer from win32 sounddevice priority medium task implement collector for network shares hosted on device (basic info) description enumerate network shares hosted by the local device (name, path, type, description, max users) schema target networkshares table verified method wmi query select name, path, caption, type, maximumallowed from win32 share map numeric type codes priority medium low (permission collection is separate) task implement collector for hosted network share permissions description collect share level permissions (acls) for network shares hosted on the local device schema target sharepermissions table (network share id, account name, account sid, access type, permission) verified method for each share from task 29 (win32 share), get the associated win32 logicalsharesecuritysetting instance call its getsecuritydescriptor method parse the returned securitydescriptor iterate through the dacl (discretionary access control list) for each ace (access control entry), extract the trustee (sid/name), acetype (allow/deny), and accessmask map the accessmask bits to 'read', 'change', or 'fullcontrol' permissions priority medium low (complex security descriptor parsing) notes requires careful parsing of security descriptors focus on share permissions, not deeper ntfs permissions task implement collector for mapped network drives (registry method) description attempt to enumerate mapped drives by reading logged on user registry hives schema target mappednetworkdrives table verified method iterate user sids (win32 userprofile) load hive (reg load) query hku\\\<sid>\network\\\<driveletter>\remotepath unload hive (reg unload) priority low (complex, potential errors) task implement collector for windows activation status description determine windows activation status and partial product key schema target devicesoftware table (linked os entry detected activation status, detected license key) verified method wmi query select licensestatus, partialproductkey from softwarelicensingproduct where applicationid = ' ' map licensestatus priority low task implement collector for browser policy configuration (registry method) description collect policy enforced browser settings (edge, chrome, firefox) from standard gpo registry locations schema target browserconfiguration table verified method query hklm/hkcu\software\policies for microsoft\edge, google\chrome, mozilla\firefox map registry value names priority low task implement collector for browser extensions (multi browser, user context aware) description enumerate installed extensions for edge, chrome, firefox across user profiles schema target browserextensions table verified method complex find user profile paths (task 21), find browser profile paths within them, parse manifests/files/registry keys per browser per user context priority low (high complexity, maintenance required) task collect process parent pid and start time requirement the agent shall collect the parent process identifier (parent pid) and the precise start time for each running process inventoried on the device description to provide better context for process analysis and troubleshooting, the agent must augment its standard process collection for every process captured, it needs to determine which process initiated it (the parent) and record the timestamp when the process began execution data points collected parentpid the numeric process id of the parent process starttime the date and time (utc, iso 8601 format) when the process started source/method utilize standard os apis, likely via powershell (get process for starttime) and wmi (win32 process for parentprocessid) target schema/output data intended for the deviceprocesses table/json structure, specifically populating the parentpid and starttime fields notes handle cases where parent pid or start time might not be available (e g , system idle process, very short lived processes, access limitations) by reporting null values task collect network connection snapshot with process id linkage requirement the agent shall capture a point in time snapshot of all current network connections (tcp) and listening endpoints (udp), associating each with the owning process id (pid) description to understand which applications are responsible for network activity, the agent must enumerate active tcp connections and udp listeners critically, it must identify the specific process id associated with each socket/endpoint at the time of the snapshot this provides more granular detail than simply listing open ports data points collected protocol tcp or udp localaddress local ip address bound to the socket localport local port number remoteaddress remote ip address (for tcp connections) remoteport remote port number (for tcp connections) state connection state (e g , 'established', 'listen', 'time wait' for tcp; 'listening' for udp) processid the numeric process id owning the socket/endpoint source/method utilize standard os apis, likely via powershell cmdlets (get nettcpconnection, get netudpendpoint) target schema/output data intended for a table like devicenetworkconnectionssnapshot or similar structure / json array output notes this provides a snapshot , not aggregated statistics (bytes/packets) per process over time it reflects the state at the moment of collection task collect aggregate network interface performance statistics requirement the agent shall collect aggregate network performance counters for each active physical or virtual network interface on the device description to monitor overall network throughput and health at the adapter level, the agent must query specific performance counters for each network interface that currently has an 'up' status this includes current data transfer rates and cumulative error/discard counts data points collected interface name identifier of the network interface (e g , description or name) bytes received per sec current receive rate bytes sent per sec current send rate packets received per sec current receive packet rate packets sent per sec current send packet rate packets received errors total cumulative count of inbound packet errors since last reset (usually boot) packets outbound errors total cumulative count of outbound packet errors since last reset packets received discarded total cumulative count of inbound discarded packets since last reset packets outbound discarded total cumulative count of outbound discarded packets since last reset source/method windows performance counters (specifically the \network interface( )\\ set) via powershell (get counter) target schema/output data intended for the networkportmetrics table (mapping interface to port concept) or similar aggregate metrics table / json array output notes the collected "per second" values represent the current rate at the time of sampling, not an average or total over the agent's collection interval cumulative counters represent totals since the counter was initialized (typically system boot) calculating interval totals/averages requires server side processing of multiple data points this data is per interface, not broken down per process prompts task 1 collect smbios uuid you are an expert windows system administrator and scripter your task is to create a powershell script that collects the system's smbios uuid instructions 1\ use a wmi query to retrieve the uuid 2\ the specific wmi class and property is `win32 computersystemproduct uuid` 3\ handle potential errors where the uuid might be null or inaccessible 4\ output the collected uuid as a single json object target schema `devices smbios uuid` output json format ```json { "smbios uuid" "\<collected uuid or null>" } error handling if the uuid cannot be retrieved, the smbios uuid value in the json should be null the script should not crash provide only the powershell script code block for collecting this data assume the script runs with sufficient privileges (e g , administrator or localsystem) task 2 collect usb controller details you are an expert windows system administrator and scripter your task is to create a powershell script to collect details about usb host controllers and root hubs note a previous attempt resulted in an error (`exit status 1`), so ensure the method is robust instructions 1\ use wmi queries to enumerate usb controllers and hubs 2\ primarily use `win32 usbcontroller` and `win32 usbhub` classes 3\ for each controller/hub found, collect its `name`, `manufacturer`, `status`, and `pnpdeviceid` 4\ handle potential errors during wmi querying gracefully 5\ output the collected data as a json array of objects, where each object represents one usb controller or hub target schema `devicehardware usb controllers` (jsonb array, storing combined controller/hub info) output json format (array) ```json \[ { "name" "\<name>", "manufacturer" "\<manufacturer>", "status" "\<status>", "pnp device id" "\<pnpdeviceid>" }, ] error handling if wmi queries fail or no controllers/hubs are found, output an empty json array \[] the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 3 collect system chassis information you are an expert windows system administrator and scripter your task is to create a powershell script to collect physical chassis information instructions 1\ use a wmi query to retrieve chassis details from the `win32 systemenclosure` class 2\ collect the `manufacturer`, `chassistypes`, and `serialnumber` 3\ map the numeric value(s) in the `chassistypes` array to a descriptive string for the `type` field in the output json use the first value in the array for mapping common mappings 3='desktop', 6='mini tower', 7='tower', 8='portable', 9='laptop', 10='notebook', 14='sub notebook', 30='blade', 31='blade enclosure' add others as needed or default to 'unknown' 4\ handle potential errors or missing data 5\ output the collected data as a single json object target schema `devicehardware chassis info` (jsonb object) output json format ```json { "manufacturer" "\<manufacturer or null>", "type" "\<mapped chassis type string or 'unknown'>", "serial number" "\<serialnumber or null>" } error handling if properties cannot be retrieved, return null for the corresponding json field the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 4 collect logical disk / volume information you are an expert windows system administrator and scripter your task is to create a powershell script to collect detailed information about logical volumes (disks like c , d , etc ) instructions 1\ use the `get volume` powershell cmdlet 2\ for each volume (excluding hidden/system partitions where possible, e g , filter by `driveletter` not null or check `filesystemtype`), collect the following properties `driveletter` `filesystemlabel` `uniqueid` (often includes volume guid) `filesystem` `size` `sizeremaining` `healthstatus` `operationalstatus` 3\ map the collected properties to the specified json output format fields 4\ map the numeric `operationalstatus` code to a descriptive string (e g , 0='unknown', 1='online', 2='no media', 3='failed', 4='offline', 5='critical failure') use 'unknown' if mapping isn't possible map `healthstatus` directly 5\ output the collected data as a json array of objects, where each object represents one logical volume target schema `devicelogicaldisks` table output json format (array) ```json \[ { "mount point" "\<driveletter 'c '>", "volume name" "\<filesystemlabel or null>", "volume guid" "\<uniqueid or null>", "filesystem type" "\<filesystem or null>", "capacity bytes" \<size as integer>, "free space bytes" \<sizeremaining as integer>, "status" "\<mapped operationalstatus string>" // add health status if needed from get volume output }, ] error handling if the cmdlet fails, output an empty json array \[] handle missing properties for individual volumes gracefully (use null or default values) the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 5 collect physical disk drive information you are an expert windows system administrator and scripter your task is to create a powershell script to collect key physical disk drive details, including essential smart attributes instructions 1\ use the `get physicaldisk` powershell cmdlet to get base disk information 2\ for each physical disk, use `get storagereliabilitycounter` piped from `get physicaldisk` to retrieve smart data ensure the storage module is available 3\ collect the following properties and map them to the json fields from `get physicaldisk` `friendlyname` (for manufacturer/model), `model`, `serialnumber`, `firmwareversion`, `mediatype`, `size`, `healthstatus`, `operationalstatus`, `bustype` (for interfacetype) from `get storagereliabilitycounter` `temperature`, `wear`, `readerrorstotal`, `writeerrorstotal`, `poweronhours` 4\ map `bustype` enum to interface type strings (e g , 'sata', 'nvme', 'sas', 'usb') map `mediatype` enum (e g , 'ssd', 'hdd') map `healthstatus`/`operationalstatus` to a general `status` string ('online', 'failed', 'warning', 'unknown') 5\ map the collected smart counters to the specific schema fields (`smart temperature celsius`, `smart reallocated sector count` \[use `wear`? needs verification/mapping based on counter meaning], `smart uncorrectable error count` \[use read/write errors?], `power on hours`) record the current timestamp as `smart last check time` 6\ output the collected data as a json array of objects, one per physical disk target schema `physicaldisks` table output json format (array) ```json \[ { "manufacturer" "\<manufacturer from friendlyname or null>", "model" "\<model>", "serial number" "\<serialnumber>", "firmware version" "\<firmwareversion or null>", "interface type" "\<mapped bustype string>", "media type" "\<mapped mediatype string>", "capacity bytes" \<size as integer>, "status" "\<mapped status string>", "power on hours" \<poweronhours as integer or null>, "smart reallocated sector count" \<mapped wear/reallocated counter or null>, "smart pending sector count" null, // often not directly available, set to null "smart uncorrectable error count" \<mapped read/write error counter or null>, "smart temperature celsius" \<temperature as integer or null>, "smart last check time" "\<current timestamp iso8601 format>" }, ] error handling if get storagereliabilitycounter fails for a disk (e g , not supported), populate smart fields with null if get physicaldisk fails, output an empty array \[] the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges and storage module availability task 6 collect local user accounts you are an expert windows system administrator and scripter your task is to create a powershell script to enumerate and collect details for all local user accounts instructions 1\ use the `get localuser` powershell cmdlet 2\ for each local user account, collect the following properties `name`, `fullname`, `description`, `sid`, `enabled`, `lockedout`, `passwordchangeableuser`, `passwordexpires`, `passwordrequired`, `status` 3\ map the collected properties to the specified json output fields note that `is disabled` is the inverse of the `enabled` property 4\ output the data as a json array of objects, one per local user (the `is admin` field will be populated by task 8) target schema `localuseraccounts` table output json format (array) ```json \[ { "account name" "\<name>", "full name" "\<fullname or null>", "description" "\<description or null>", "sid" "\<sid>", "is disabled" <(!enabled) as boolean>, "is locked out" \<lockedout as boolean or null>, "is admin" null, // to be populated later "password changeable" \<passwordchangeableuser as boolean or null>, "password expires" \<passwordexpires as boolean or null>, "password required" \<passwordrequired as boolean or null>, "status" "\<status string or null>" }, ] error handling if the cmdlet fails, output an empty json array \[] handle missing properties for individual users gracefully (use null) the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 7 collect local groups you are an expert windows system administrator and scripter your task is to create a powershell script to enumerate and collect details for all local groups instructions 1\ use the `get localgroup` powershell cmdlet 2\ for each local group, collect the `name`, `description`, and `sid` properties 3\ map the collected properties to the specified json output fields 4\ output the data as a json array of objects, one per local group target schema `localgroups` table output json format (array) ```json \[ { "group name" "\<name>", "description" "\<description or null>", "sid" "\<sid>" }, ] error handling if the cmdlet fails, output an empty json array \[] handle missing properties for individual groups gracefully (use null) the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 8 collect local group memberships you are an expert windows system administrator and scripter your task is to create a powershell script to enumerate the members of each local group and determine which local users are administrators this task depends on having local group sids (from task 7) and local user sids (from task 6) instructions 1\ first, retrieve all local groups (similar to task 7) to get their sids 2\ for each local group sid, use `get localgroupmember sid \<groupsid>` to get its members 3\ for each member, collect their `sid`, `name`, `principalsource` (e g , 'local', 'activedirectory'), and `objectclass` ('user', 'group') 4\ map these details to the `localgroupmemberships` json structure 5\ while processing members of the group where `name` is 'administrators' (or the localized equivalent, or well known sid 's 1 5 32 544'), identify members where `objectclass` is 'user' and `principalsource` is 'local' for these local user sids, you will need a mechanism (outside this specific script's output, but conceptually related) to update the corresponding `localuseraccounts is admin` flag to `true` this script only outputs the membership list 6\ output the group membership data as a json array of objects, one per member per group target schema `localgroupmemberships` table also informs `localuseraccounts is admin` output json format (array) ```json \[ { "group sid" "\<sid of the group>", "member sid" "\<sid of the member>", "member name" "\<name of the member>", "member domain" "\<principalsource>", "member type" "\<objectclass>" }, // repeat for every member in every group ] error handling if get localgroupmember fails for a group, skip that group and continue if no groups are found, output an empty array \[] handle errors gracefully the script should not crash provide only the powershell script code block for collecting the membership data assume sufficient privileges the update to localuseraccounts is admin happens conceptually based on this data task 9 collect active/disconnected user sessions you are an expert windows system administrator and scripter your task is to create a powershell script to collect information about current user sessions (console, rdp, etc ) instructions 1\ use the `get terminalsession` powershell cmdlet you might need to use `import module remotedesktopservices erroraction silentlycontinue` first 2\ filter the results to include relevant sessions (e g , filter out sessionid 0 or specific states if needed) 3\ for each session, collect `username`, `sessionname` (like 'console' or 'rdp tcp#0'), `state` (like 'active', 'disconnected'), and `logontime` 4\ attempt to determine the `userdomain` (e g , query the user object based on `username` if it contains a domain, otherwise assume local) this might be complex; output null if difficult 5\ convert `logontime` to utc iso8601 format 6\ map the collected properties to the specified json output fields 7\ output the data as a json array of objects, one per session target schema `devicesessions` table output json format (array) ```json \[ { "user name" "\<username>", "user domain" "\<domainname or null>", "winstation name" "\<sessionname>", "session state" "\<state string>", "logon time utc" "\<logontime utc iso8601>" }, ] error handling if the cmdlet fails or the module isn't available, output an empty json array \[] if domain lookup fails, output null for user domain the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 10 collect installed printers (local and network) you are an expert windows system administrator and scripter your task is to create a powershell script to enumerate configured printers instructions 1\ use a wmi query to retrieve printer details from the `win32 printer` class 2\ collect `name`, `drivername`, `portname`, `network` (boolean), `shared` (boolean), `servername`, `sharename`, `location`, `default` (boolean), `printerstatus`, `printerstate`, `detectederrorstate` 3\ map the numeric `printerstatus` and `printerstate` codes to descriptive strings (e g , status 1='other', 2='unknown', 3='idle', 4='printing', 5='warmup'; state 0='paused', 1='error', 2='pending deletion', etc ) use 'unknown' if mapping unknown use `detectederrorstate` for a more detailed error description string if available 4\ map the collected properties to the specified json output fields 5\ output the data as a json array of objects, one per printer target schema `deviceprinters` table output json format (array) ```json \[ { "name" "\<name>", "device id string" null, // win32 printer doesn't have deviceid directly "driver name" "\<drivername or null>", "manufacturer" null, // not directly available in win32 printer "model" null, // not directly available in win32 printer "port name" "\<portname or null>", "is network printer" \<network as boolean>, "is shared" \<shared as boolean>, "server name" "\<servername or null>", "share name" "\<sharename or null>", "location" "\<location or null>", "is default" \<default as boolean>, "status" "\<mapped printerstatus string>", "detected error state" "\<detectederrorstate string or null>", "error description" "\<mapped printerstate string>" }, ]``` error handling if the wmi query fails, output an empty json array `\[]` handle missing properties gracefully (use `null`) the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 11 collect static ip routes you are an expert windows system administrator and scripter your task is to create a powershell script to collect non automatic static ip routes instructions 1\ use the `get netroute` powershell cmdlet 2\ filter the results to include only routes where the `protocol` is 'manual' (verify this is correct for static routes, might also need 'local' with extra filtering) exclude loopback interface routes 3\ for each matching route, collect `destinationprefix`, `nexthop`, `routemetric`, `interfaceindex` 4\ determine if the route is persistent by checking the `store` property map `store = 'persistentstore'` to `is persistent = true`, otherwise `false` 5\ map the collected properties to the specified json output fields 6\ output the data as a json array of objects, one per static route target schema `devicestaticroutes` table output json format (array) ```json \[ { "destination cidr" "\<destinationprefix>", "gateway ip" "\<nexthop>", "metric" \<routemetric as integer or null>, "interface index" \<interfaceindex as integer or null>, "interface name" null, // requires separate lookup via get netipconfiguration interfaceindex if needed "is persistent" \<mapped store value as boolean> }, ]``` error handling if the cmdlet fails or no static routes are found, output an empty json array `\[]` handle errors gracefully the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 12 collect detailed microsoft defender configuration (get mppreference) you are an expert windows system administrator and scripter your task is to create a powershell script to collect detailed microsoft defender antivirus configuration settings instructions 1\ use the `get mppreference` powershell cmdlet 2\ collect a comprehensive set of properties relevant to the `devicedefenderconfiguration` schema key properties include (but are not limited to) `uilockdown`, `disablerealtimemonitoring`, `disablebehaviormonitoring`, `disableioavprotection`, `disablescriptscanning`, `disablescanonrealtimeaccess`, `mapsreporting`, `cloudextendedtimeout`, `submitsamplesconsent`, `puaprotection`, `scanonlyifidleenabled`, `disableemailscanning`, `disableremovabledrivescanning`, `disablerestorepoint`, `disablescanningnetworkfiles`, `disablearchivescanning`, `checkforsignaturesbeforescan`, `disablecatchupfullscan`, `disablecatchupquickscan`, `scanavgcpuloadfactor`, `quarantinepurgeitemsafterdelay`, `scheduledscanday`, `scheduledscantime`, `scanparameters` (scheduledscantype), `randomizescheduletasktimes`, `threatiddefaultaction ids`, `attacksurfacereductionrules ids`, `enablenetworkprotection`, `enablecontrolledfolderaccess`, `excludedprocesses`, `excludedpaths`, `excludedextensions`, `signatureupdateinterval` 3\ carefully map the collected powershell property values to the corresponding `devicedefenderconfiguration` schema fields pay attention to boolean inversions (e g , `disablerealtimemonitoring` maps to `is realtime monitoring enabled = !$true`) enum mappings (e g , `mapsreporting` codes map to `cloud block level`, `puaprotection` codes map to `is pua protection enabled`, `submitsamplesconsent` codes) data type conversions (e g , `scheduledscantime` is timespan, convert to `time`) complex types (`threatiddefaultaction ids`, `attacksurfacereductionrules ids` might need to be stored as json strings or processed arrays) 4\ output the data as a single json object representing the device's defender configuration target schema `devicedefenderconfiguration` table output json format (single object) ```json { "ui lockdown enabled" \<uilockdown as boolean or null>, "is realtime monitoring enabled" <(!disablerealtimemonitoring) as boolean or null>, "is behavior monitoring enabled" <(!disablebehaviormonitoring) as boolean or null>, "is ioav protection enabled" <(!disableioavprotection) as boolean or null>, "is script scanning enabled" <(!disablescriptscanning) as boolean or null>, "scan on realtime access enabled" <(!disablescanonrealtimeaccess) as boolean or null>, "cloud block level" "\<mapped mapsreporting string or null>", "cloud extended timeout" \<cloudextendedtimeout as integer or null>, "is cloud protection enabled" <(mapsreporting > 0) as boolean or null>, "submit samples consent" "\<mapped submitsamplesconsent string or null>", "is pua protection enabled" "\<mapped puaprotection string or null>", "scan only if idle enabled" \<scanonlyifidleenabled as boolean or null>, "scan email enabled" <(!disableemailscanning) as boolean or null>, "scan removable drives enabled" <(!disableremovabledrivescanning) as boolean or null>, "scan restore points enabled" <(!disablerestorepoint) as boolean or null>, "scan network files enabled" <(!disablescanningnetworkfiles) as boolean or null>, "scan archives enabled" <(!disablearchivescanning) as boolean or null>, "check for signatures before scan" \<checkforsignaturesbeforescan as boolean or null>, "catchup full scan enabled" <(!disablecatchupfullscan) as boolean or null>, "catchup quick scan enabled" <(!disablecatchupquickscan) as boolean or null>, "avg cpu load factor" \<scanavgcpuloadfactor as integer or null>, "quarantine purge days" \<quarantinepurgeitemsafterdelay as integer or null>, "scheduled scan day" "\<mapped scheduledscanday string or null>", "scheduled scan time of day" "\<scheduledscantime converted to hh\ mm\ ss or null>", "scheduled scan type" "\<mapped scanparameters string or null>", "randomize schedule task times" \<randomizescheduletasktimes as boolean or null>, "low threat action" "\<action string from threatiddefaultaction ids\[2] or null>", "moderate threat action" "\<action string from threatiddefaultaction ids\[3] or null>", "high threat action" "\<action string from threatiddefaultaction ids\[4] or null>", "severe threat action" "\<action string from threatiddefaultaction ids\[5] or null>", "asr rules state" { // example json object structure "\<ruleguid1>" "\<state 'enabled'/'audit'/'disabled'>", "\<ruleguid2>" "\<state>" }, "network protection level" "\<mapped enablenetworkprotection string or null>", "controlled folder access state" "\<mapped enablecontrolledfolderaccess string or null>", "controlled folder access protected folders" \["\<path1>", "\<path2>", ], // from get mppreference controlledfolderaccessprotectedfolders "controlled folder access allowed apps" \["\<path1>", "\<path2>", ], // from get mppreference controlledfolderaccessallowedapplications "excluded processes" \["\<path1>", "\<path2>", ], // from excludedprocesses property "excluded paths" \["\<path1>", "\<path2>", ], // from excludedpaths property "excluded extensions" \[" ext1", " ext2", ], // from excludedextensions property "signature update interval hours" \<signatureupdateinterval as integer or null> } error handling if get mppreference fails, output an empty json object {} handle errors retrieving individual properties gracefully (use null) the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 13 collect detailed audit policy settings you are an expert windows system administrator and scripter your task is to create a powershell script to collect effective advanced audit policy settings per subcategory instructions 1\ execute the command `auditpol /get /category ` 2\ capture the standard output of this command 3\ parse the text output identify the major category lines and the subsequent subcategory lines for each subcategory, extract the current auditing setting (e g , 'no auditing', 'success', 'failure', 'success and failure') 4\ map the parsed settings to the schema fields map the setting strings to the schema enum ('none', 'success', 'failure', 'success and failure', 'unknown') 5\ output the data as a json array of objects, one per subcategory target schema `detailedauditpolicysettings` table output json format (array) ```json \[ { "policy category" "\<parsed category name>", "policy subcategory" "\<parsed subcategory name>", "auditing flags" "\<mapped auditing setting enum ('none', 'success', 'failure', 'success and failure', 'unknown')>" }, ] error handling if the auditpol command fails or output cannot be parsed, output an empty json array \[] handle parsing errors robustly the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 14 collect individual windows firewall rules you are an expert windows system administrator and scripter your task is to create a powershell script to enumerate and collect details for all configured windows firewall rules instructions 1\ use the `get netfirewallrule` powershell cmdlet 2\ for each rule, collect the following properties `displayname`, `group`, `profile`, `enabled`, `direction`, `action`, `protocol`, `localport`, `remoteport`, `localaddress`, `remoteaddress`, `program`, `service`, `description` 3\ map the collected properties directly to the corresponding json fields note that `profile`, `localport`, `remoteport`, `localaddress`, `remoteaddress`, `program`, `service` can contain arrays or specific string values like 'any' represent arrays as json arrays of strings 4\ output the data as a json array of objects, one per firewall rule target schema `devicefirewallrules` table output json format (array) ```json \[ { "rule name" "\<displayname>", "group name" "\<group or null>", "profile names" \["\<profile1>", "\<profile2>", or null], // array from profile property "is enabled" \<enabled as boolean>, "direction" "\<direction string>", "action" "\<action string>", "protocol" "\<protocol string or null>", "local ports" "\<localport string or array or null>", "remote ports" "\<remoteport string or array or null>", "local addresses" "\<localaddress string or array or null>", "remote addresses" "\<remoteaddress string or array or null>", "program path" "\<program string or null>", "service name" "\<service string or null>", "description" "\<description or null>" }, ] error handling if the cmdlet fails, output an empty json array \[] handle missing properties for individual rules gracefully (use null) the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 15 collect device firewall profile settings you are an expert windows system administrator and scripter your task is to create a powershell script to collect the configuration settings for the standard windows firewall profiles (domain, private, public) instructions 1\ use the `get netfirewallprofile` powershell cmdlet 2\ by default, this cmdlet returns objects for domain, private, and public profiles iterate through these profiles 3\ for each profile, collect its `name`, `enabled` status, `defaultinboundaction`, `defaultoutboundaction`, `allowunicastresponsetomulticast`, `notifyonlisten`, `blockallinboundtraffic` 4\ map the collected properties to the specified json output fields map the `enabled` enum to a boolean `is enabled` map `defaultinboundaction` and `defaultoutboundaction` enums directly to strings ('allow', 'block') 5\ output the data as a json array of objects, one object per profile target schema `devicefirewallprofiles` table output json format (array) ```json \[ { "profile name" "\<name 'domain'/'private'/'public'>", "is enabled" \<mapped enabled enum as boolean or null>, "default inbound action" "\<defaultinboundaction string or null>", "default outbound action" "\<defaultoutboundaction string or null>", "allow unicast response" \<allowunicastresponsetomulticast as boolean or null>, "notify on listen" \<notifyonlisten as boolean or null>, "block all inbound" \<blockallinboundtraffic as boolean or null> }, // one object for each profile (domain, private, public) ] error handling if the cmdlet fails, output an empty json array \[] handle missing properties for individual profiles gracefully (use null) the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 16 collect device drivers you are an expert windows system administrator and scripter your task is to create a powershell script to collect information about installed device drivers instructions 1\ use a wmi query to retrieve driver details from the `win32 pnpsigneddriver` class 2\ for each driver, collect `description`, `manufacturer` (maps to `driver provider`), `driverversion`, `driverdate`, `issigned`, `deviceid` (maps to `pnp device id`), `infname`, `devicename` 3\ convert `driverdate` (which is in wmi datetime format) to a standard date format (e g , yyyy mm dd) 4\ map the collected properties to the specified json output fields 5\ output the data as a json array of objects, one per driver instance target schema `devicedrivers` table output json format (array) ```json \[ { "device name" "\<devicename or null>", "pnp device id" "\<deviceid>", "driver provider" "\<manufacturer or null>", "driver version" "\<driverversion or null>", "driver date" "\<converted driverdate yyyy mm dd or null>", "is signed" \<issigned as boolean or null>, "inf name" "\<infname or null>", "driver path" null // not directly available in win32 pnpsigneddriver }, ] error handling if the wmi query fails, output an empty json array \[] handle errors during date conversion or missing properties gracefully (use null) the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 17 collect device scheduled tasks you are an expert windows system administrator and scripter your task is to create a powershell script to collect information about scheduled tasks configured on the device instructions 1\ use the `get scheduledtask` powershell cmdlet to retrieve all tasks 2\ for each task, collect the following properties `taskpath`, `taskname`, `state`, `lastruntime`, `lasttaskresult`, `nextruntime`, `actions`, `triggers`, `principal` (for `run as user`) 3\ combine `taskpath` and `taskname` to form the full `task name` field 4\ map the `state` enum to the `status` field (e g , 'ready', 'running', 'disabled') set `is enabled` based on `state` not being 'disabled' 5\ extract the `userid` from the `principal` object for the `run as user` field 6\ serialize the `actions` and `triggers` objects into json strings or extract key information (like executable path from `actions`, schedule details from `triggers`) to store in the respective json fields choose a consistent format for the json 7\ output the data as a json array of objects, one per scheduled task target schema `devicescheduledtasks` table output json format (array) ```json \[ { "task name" "\<taskpath + taskname>", "status" "\<mapped state string>", "is enabled" <(state != 'disabled') as boolean>, "last run time" "\<lastruntime utc iso8601 or null>", "last run result" \<lasttaskresult as integer or null>, "next run time" "\<nextruntime utc iso8601 or null>", "actions" \[{ "type" "exec", "path" "\<action execute>", "arguments" "\<action arguments>" }, ], // example structure for actions json "triggers" \[{ "type" "time", "starttime" " ", "interval" " " }, ], // example structure for triggers json "run as user" "\<principal userid or null>" }, ] error handling if the cmdlet fails, output an empty json array \[] handle errors accessing properties or serializing objects gracefully (use null or empty structures) the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 18 implement collector for general hardware sensor readings (temp/fan/volt) you are an expert windows system administrator and scripter your task is to create a powershell script to collect readings from common hardware sensors like temperatures, fan speeds, and voltages instructions 1\ attempt to collect temperature readings using wmi `get ciminstance namespace root/wmi classname msacpi thermalzonetemperature` extract `currenttemperature` (convert from kelvin to celsius `($ currenttemperature / 10) 273 15`) and `instancename` (for `sensor name`) set `sensor type` to 'temperature' and `reading unit` to 'c' 2\ note reliable collection of fan speed and voltage often requires external libraries/tools like librehardwaremonitor/openhardwaremonitor or vendor specific wmi providers which are not assumed here this script should focus only on the wmi temperature method if additional sensors are needed later, a separate task involving external dependencies would be required 3\ format the collected temperature data into the specified json array format 4\ output the data as a json array of objects target schema `devicesensorreadings` table output json format (array) ```json \[ { "sensor type" "temperature", "sensor name" "\<instancename from wmi>", "reading value" \<converted temperature in celsius as float>, "reading unit" "c", "status" null // wmi temp class doesn't provide status }, // one object per thermal zone found ] error handling if the wmi query fails or no sensors are found, output an empty json array \[] handle temperature conversion errors gracefully the script should not crash provide only the powershell script code block for collecting temperature data via wmi assume sufficient privileges task 19 implement collector for detailed physical ram module information you are an expert windows system administrator and scripter your task is to create a powershell script to collect detailed information for each installed physical ram module (memory stick) instructions 1\ use a wmi query to retrieve details from the `win32 physicalmemory` class 2\ for each memory module instance found, collect the following properties `banklabel` (for slot designation), `capacity`, `formfactor`, `memorytype`, `speed`, `manufacturer`, `partnumber`, `serialnumber` 3\ map the numeric `memorytype` code to a descriptive string (common values 20=ddr, 21=ddr2, 22=ddr2 fb dimm, 24=ddr3, 26=ddr4, other values exist) use 'unknown' if the code is unmapped 4\ map the numeric `formfactor` code to a descriptive string (e g , 8=dimm, 9=sodimm, 12=minidimm) use 'unknown' if unmapped 5\ format the collected data into a json array, where each object represents one ram module target schema `devicehardware ram details` (jsonb array) output json format (array) ```json \[ { "slot" "\<banklabel or null>", "capacity" \<capacity as integer or null>, "type" "\<mapped memorytype string or null>", // ddr3, ddr4 etc "formfactor" "\<mapped formfactor string or null>", // dimm, sodimm etc "speed" \<speed as integer or null>, // speed in mhz "manufacturer" "\<manufacturer or null>", "partnumber" "\<partnumber or null>", "serialnumber" "\<serialnumber or null>" }, ] error handling if the wmi query fails or no memory modules are found, output an empty json array \[] handle missing properties for individual modules gracefully (use null) handle numeric code mapping errors using 'unknown' the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 20 enhance network adapter collector for dhcp lease, wins, vswitch you are an expert windows system administrator and scripter your task is to create a powershell script that enhances network adapter collection by adding dhcp lease details, wins server configuration, and associated virtual switch name (if applicable) this builds upon collecting basic ip configuration instructions 1\ identify relevant network adapters (e g , those that are ip enabled, using wmi `win32 networkadapter` or powershell `get netadapter`) 2\ for each relevant adapter (identified by its `interfaceindex` or `macaddress`) query wmi `win32 networkadapterconfiguration` using the adapter's `index` property (`where index = \<adapter index>`) collect `dhcpserver`, `dhcpleaseobtained`, `dhcpleaseexpires`, `winsprimaryserver`, `winssecondaryserver` convert wmi datetime strings (`dhcpleaseobtained`, `dhcpleaseexpires`) to utc iso8601 format combine `winsprimaryserver` and `winssecondaryserver` into a string array attempt to identify the associated virtual switch name using powershell `get vmnetworkadapter managementos | where object {$ macaddress eq '\<adapter mac address>'} | select object expandproperty switchname` this only applies if the host is a hyper v server and the adapter is associated with a vswitch handle errors if the cmdlet/module is not available or if no match is found 3\ merge these collected details with the basic adapter information (name, mac, ips, etc , assumed collected separately) based on the adapter identifier (e g , mac address or interface index) 4\ output the enhanced data as a json array of objects, one per network adapter, including the new fields target schema `devicenetworkadapters` table (adding `dhcp server`, `dhcp lease obtained`, `dhcp lease expires`, `wins servers`, `virtual switch name`) output json format (array showing only added fields for clarity) ```json \[ { // existing adapter fields (name, macaddress, ipaddresses etc ) "dhcp server" "\<dhcpserver ip or null>", "dhcp lease obtained" "\<lease obtained utc iso8601 or null>", "dhcp lease expires" "\<lease expires utc iso8601 or null>", "wins servers" \["\<winsprimaryserver or null>", "\<winssecondaryserver or null>"], // filter out nulls if desired "virtual switch name" "\<switchname from get vmnetworkadapter or null>" // other adapter fields }, ] error handling handle wmi query failures gracefully handle errors if get vmnetworkadapter fails or returns no result (set virtual switch name to null) if dhcp is not enabled, dhcp fields will likely be null or empty from wmi; handle this if wins is not configured, wins fields will be null if base adapter collection fails, output \[] provide only the powershell script code block for collecting only the additional dhcp, wins, and vswitch data, assuming basic adapter info is collected elsewhere assume sufficient privileges and potential need for hyper v/remotedesktopservices modules task 21 implement collector for disk encryption status (bitlocker) you are an expert windows system administrator and scripter your task is to create a powershell script to collect the encryption status for logical volumes managed by bitlocker instructions 1\ use the `get bitlockervolume` powershell cmdlet 2\ iterate through each volume returned by the cmdlet 3\ for each volume, collect the following properties `mountpoint`, `volumestatus` (enum), `protectionstatus` (enum), `encryptionpercentage`, `lockstatus` (enum), `keyprotector` (array of objects) 4\ map the `volumestatus` enum to the schema `encryption status` string ('fullyencrypted', 'fullydecrypted', 'encryptioninprogress', 'decryptioninprogress', etc ) default to 'unknown' 5\ map the `protectionstatus` enum to the schema `protection status` string ('on', 'off', 'unknown') 6\ extract the type string (e g , 'tpm', 'recoverypassword', 'passwordprotector', 'startupkey') from each object in the `keyprotector` array and store these strings in the `protector types` array 7\ set `encryption method` to 'bitlocker' 8\ output the data as a json array of objects, one per volume managed by bitlocker include the `mountpoint` for server side linking to the `devicelogicaldisks` table do not attempt to collect or output recovery keys target schema `devicediskencryptionstatus` table output json format (array) ```json \[ { "mountpoint" "\<volume mountpoint e g , 'c '>", // for server side linking "encryption method" "bitlocker", "encryption status" "\<mapped volumestatus string>", "protection status" "\<mapped protectionstatus string>", "percent encrypted" \<encryptionpercentage as integer or null>, "lock status" "\<mapped lockstatus string or null>", "protector types" \["\<type1>", "\<type2>", ] // array of strings like 'tpm', 'recoverypassword' }, ] error handling if get bitlockervolume fails (e g , bitlocker feature not installed or service stopped), output an empty json array \[] handle errors mapping enum values gracefully (use 'unknown' or null) the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 22 implement collector for battery status and health you are an expert windows system administrator and scripter your task is to create a powershell script to collect information about the device's battery, if one is present instructions 1\ use a wmi query to retrieve battery details from the `win32 battery` class check if any instances are returned 2\ if a battery is found (typically only one primary battery), collect the following properties `name` (for caption), `description`, `batterystatus` (numeric code), `estimatedchargeremaining`, `estimatedruntime`, `fullchargecapacity` (mwh), `designcapacity` (mwh), `chemistry` (numeric code) 3\ map the numeric `batterystatus` code to a descriptive string (e g , 1='discharging', 2='ac power/unknown', 3='fully charged', 4='low', 5='critical', 6='charging', 7='charging/high', 8='charging/low', 9='charging/critical', 10='undefined', 11='partially charged') use 'unknown' if unmapped 4\ map the numeric `chemistry` code to a descriptive string (e g , 1='other', 2='unknown', 3='lead acid', 4='nickel cadmium', 5='nickel metal hydride', 6='lithium ion', 7='zinc air', 8='lithium polymer') use 'unknown' if unmapped 5\ calculate a basic `health status` string based on the ratio of `fullchargecapacity` to `designcapacity` (e g , >80% = 'good', 50 80% = 'fair', <50% = 'poor'), if both values are present and positive otherwise, set to `null` 6\ output the data as a json array containing a single object if a battery is found, or an empty array if no battery is detected target schema `devicebattery` table output json format (array with zero or one object) ```json \[ // empty array \[] if no battery detected { "caption" "\<name or null>", "description" "\<description or null>", "battery status enum" "\<mapped batterystatus string>", "charge remaining percent" \<estimatedchargeremaining as integer or null>, "estimated runtime minutes" \<estimatedruntime as integer or null>, "full charge capacity mwh" \<fullchargecapacity as integer or null>, "design capacity mwh" \<designcapacity as integer or null>, "chemistry" "\<mapped chemistry string>", "health status" "\<calculated 'good'/'fair'/'poor' or null>" // other wmi fields like timeonbattery can be added if needed by schema } ] error handling if the wmi query fails or returns no instances, output \[] handle missing properties or calculation errors gracefully (use null) the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 23 implement collector for basic os upgrade history you are an expert windows system administrator and scripter your task is to create a powershell script to collect information about the last operating system upgrade by reading specific registry keys this provides limited historical data instructions 1\ define the registry key path `hklm \system\setup\source os` 2\ use `test path` to check if the key exists 3\ if the key exists, use `get itemproperty path \<keypath>` to read the values `productname`, `editionid`, `releaseid` (check existence), `currentbuildnumber` 4\ attempt to get an approximate timestamp by reading the last write time of the parent `hklm \system\setup` key `(get item 'registry hklm\system\setup') lastwritetimeutc` convert this to utc iso8601 format note this is only an approximation of the upgrade time 5\ map the collected data to the specified json fields set `install type` to 'upgrade' 6\ output the data as a single json object if the `source os` key does not exist, output an empty json object `{}` target schema `osupgradehistory` table (this represents one potential entry) output json format (single object) ```json { "product name" "\<productname value or null>", "edition" "\<editionid value or null>", "release id" "\<releaseid value or null>", // handle if value doesn't exist "install timestamp utc" "\<approximated timestamp utc iso8601 or null>", "install type" "upgrade", "system root" null // not available here } // output {} if hklm \system\setup\source os does not exist error handling use test path and handle get itemproperty errors gracefully (e g , if a value doesn't exist) if the primary key doesn't exist, output {} the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 24 enhance startup items collector for publisher you are an expert windows system administrator and scripter your task is to enhance the collection of startup items by adding the publisher information derived from the executable's digital signature instructions 1\ first, collect the basic startup item information (name, executable path/command, location, user context) from standard locations (registry run/runonce keys for hklm/hkcu, all users/current user startup folders) focus on hklm and all users locations when running as system 2\ for each startup item found identify the `executablepath` (may need parsing from the command string) use `get authenticodesignature filepath \<executablepath>` within a `try/catch` block this command checks the digital signature if successful and a signature exists (`status eq 'valid'`), access the `signercertificate` extract the subject name string parse the subject name string to find the organization (`o= `) or common name (`cn= `) field use this value as the `publisher` prioritize `o=` if available handle variations in subject format if `get authenticodesignature` fails, the file is unsigned (`status ne 'valid'`), or the subject name cannot be parsed effectively, set `publisher` to `null` 3\ combine the collected publisher information with the basic startup item details 4\ output the data as a json array of objects, one per startup item, including the new `publisher` field target schema `devicestartupitems` table (adding `publisher`) output json format (array) ```json \[ { "item name" "\<name>", "command line" "\<executable path or command>", "startup type" "\<source location string>", "user context" "<'system' or user sid/name>", "publisher" "\<extracted publisher name or null>" // other fields like status, is running deferred }, ] error handling implement try/catch for get authenticodesignature as it can fail for various reasons (file not found, no signature, access denied, slow network access for crl checks) ensure failure for one item doesn't stop collection for others output \[] if no startup items are found provide only the powershell script code block for collecting startup items with the added publisher check assume sufficient privileges task 25 implement collector for local user profile details you are an expert windows system administrator and scripter your task is to create a powershell script to collect basic information about local user profiles, focusing on path, status, and last use time instructions 1\ use a wmi query to retrieve profile details from the `win32 userprofile` class 2\ for each profile instance returned, collect the `sid`, `localpath`, `status` (numeric flags), and `lastusetime` 3\ map the numeric `status` flags to a descriptive string key flags 1=temporary, 2=roaming, 4=mandatory, 8=corrupt if multiple flags are set, combine descriptions (e g , 'roaming, mandatory') or prioritize if status is 0, use 'ok' default to 'unknown' if mapping fails or status is unexpected 4\ convert the `lastusetime` property (wmi datetime format) to utc iso8601 format string 5\ map the collected and processed data to the specified json fields set deferred fields to `null` 6\ output the data as a json array of objects, one per user profile target schema `localuserprofiles` table output json format (array) ```json \[ { "account sid" "\<sid string>", "profile path" "\<localpath or null>", "size bytes" null, // deferred "status" "\<mapped status string (e g , 'ok', 'roaming', 'temporary')>", "last used time utc" "\<lastusetime utc iso8601 or null>", "last logon" null, // deferred "logon count" null, // deferred "bad password count" null, // deferred "password age seconds" null, // deferred "account expires" null // deferred }, ] error handling if the wmi query fails, output an empty json array \[] handle errors converting dates or mapping status codes gracefully (use null or 'unknown') the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 26 implement collector for installed browsers you are an expert windows system administrator and scripter your task is to create a powershell script to identify installed instances of microsoft edge, google chrome, and mozilla firefox, including their version and installation path instructions 1\ define the target browsers and their potential registry keys or executable names (e g , 'microsoft edge'/'msedge exe', 'google chrome'/'chrome exe', 'mozilla firefox'/'firefox exe') 2\ check standard installation paths (`program files`, `program files (x86)`) and potentially user specific paths (`%localappdata%`) for browser executables 3\ check registry `hklm \software\microsoft\windows\currentversion\app paths\\` for browser executables to find their paths 4\ for each potentially found browser executable verify the file exists use `(get item \<path>) versioninfo productversion` or `fileversion` to get the `version` record the `browser name` based on the executable/path found record the full `install path` to the executable 5\ attempt to determine the system `is default` http/https handler by querying `hkcr\httpshell\open\command` and `hkcu\software\microsoft\windows\shell\associations\urlassociations\httpuserchoice` (requires careful parsing and may be limited running as system) set to `null` if uncertain 6\ deduplicate findings (e g , based on install path) 7\ output the data as a json array of objects, one per unique browser installation detected target schema `devicebrowsers` table output json format (array) ```json \[ { "browser name" "<'microsoft edge'/'google chrome'/'mozilla firefox'>", "version" "\<file version string or null>", "install path" "\<full path to main executable or null>", "is default" \<boolean or null> }, ] error handling handle errors accessing file system or registry if version info cannot be retrieved, use null if default status is uncertain, use null output \[] if no supported browsers are found provide only the powershell script code block for collecting this data assume sufficient privileges task 27 enhance endpoint protection collector for engine version you are an expert windows system administrator and scripter your task is to create a powershell script to collect the specific antivirus engine version, enhancing basic av status collection instructions 1\ assume basic av product info (name, vendor, etc ) is collected via wmi `antivirusproduct` class (as in previous outputs) 2\ for each detected av product if 'windows defender' execute `(get mpcomputerstatus) antivirusengineversion` capture the output if other av define logic for known major avs if possible (e g , check specific registry keys like `hklm\software\\\<vendor>\\\<product>\engineversion`) if no specific logic exists for a vendor, set engine version to `null` 3\ merge the collected `engine version` with the basic av product information based on the product name 4\ output the complete data for each av product (including the new engine version) as a json array target schema `endpointprotectionstatus` table (adding `engine version`) output json format (array showing structure) ```json \[ { "name" "\<productname>", // other existing av fields "engineversion" "\<collected engine version or null>" // added field }, ] error handling wrap get mpcomputerstatus and any vendor specific checks in try/catch if engine version collection fails for a product, set its engineversion field to null if base av collection fails, output \[] provide only the powershell script code block specifically for getting the engine version and merging it with assumed base av data assume sufficient privileges task 28 implement collector for sound device information you are an expert windows system administrator and scripter your task is to create a powershell script to collect basic information about installed sound devices instructions 1\ use a wmi query to retrieve sound device details from the `win32 sounddevice` class 2\ for each device found, collect `name` and `manufacturer` 3\ output the data as a json array of objects, one object per sound device target schema `devicehardware sound devices` (jsonb array) output json format (array) ```json \[ { "name" "\<name>", "manufacturer" "\<manufacturer or null>" }, ] error handling if the wmi query fails or no devices are found, output an empty array \[] handle missing properties using null provide only the powershell script code block for collecting this data assume sufficient privileges task 29 implement collector for network shares hosted on device (basic info) you are an expert windows system administrator and scripter your task is to create a powershell script to enumerate network shares hosted by this local machine and collect basic details instructions 1\ use a wmi query to retrieve share details from the `win32 share` class 2\ for each share instance, collect `name`, `path`, `caption` (map to description), `type` (numeric), and `maximumallowed` 3\ map the numeric `type` code to a descriptive string 0='disk', 1='printer', 2='device', 3='ipc', 2147483651='special' use 'unknown' if unmapped 4\ map `maximumallowed` to `max users` a value of 1 typically means unlimited; represent as `null` or keep 1 based on schema preference (using null here) 5\ output the data as a json array of objects, one per hosted share target schema `networkshares` table output json format (array) ```json \[ { "share name" "\<name>", "path" "\<path>", "description" "\<caption or null>", "share type" "\<mapped type string>", "max users" \<maximumallowed as integer or null if 1> }, ] error handling if the wmi query fails, output an empty json array \[] handle type mapping errors using 'unknown' handle missing properties using null provide only the powershell script code block for collecting this data assume sufficient privileges task 30 implement collector for hosted network share permissions you are an expert windows system administrator and scripter your task is to create a powershell script to collect share level permissions (acls) for network shares hosted on the local device this script depends on identifying shares using wmi (`win32 share`) instructions 1\ use wmi to get all instances of `win32 share` 2\ for each `win32 share` instance, retrieve its `name` 3\ use the share `name` to get the corresponding `win32 logicalsharesecuritysetting` instance (e g , `get ciminstance classname win32 logicalsharesecuritysetting filter "name='\<sharename>'" `) 4\ invoke the `getsecuritydescriptor` method on the `win32 logicalsharesecuritysetting` object 5\ parse the `descriptor dacl` property from the returned security descriptor object this dacl is an array of aces (access control entries) 6\ for each ace (access control entry) in the dacl extract the trustee's `sid` string extract the trustee's `name` (requires resolving the sid, potentially using `(new object system security principal securityidentifier($ trustee sid)) translate(\[system security principal ntaccount]) value`) handle errors during resolution determine the `access type` 'allow' if `acetype` is 0, 'deny' if `acetype` is 1 determine the basic `permission` based on `accessmask` bits common values 2032127 = fullcontrol, 1245631 = change, 1179817 = read create a mapping for these standard permissions if the mask doesn't match these, use 'custom' or skip 7\ map the collected details for each ace to the `sharepermissions` json structure, linking it back to the `network share id` (which will be generated server side based on device id and share name) for the output, use the `share name` as a temporary identifier 8\ output the data as a json array of objects, one object per ace per share target schema `sharepermissions` table output json format (array) ```json \[ { "share name" "\<name of the share>", // temporary identifier for server side linking "account name" "\<resolved trustee name or sid if resolution failed>", "account sid" "\<trustee sid string>", "access type" "<'allow' or 'deny'>", "permission" "<'read' or 'change' or 'fullcontrol' or 'custom'>" }, // repeat for every ace on every share ] error handling if wmi queries fail, getsecuritydescriptor fails, or sid resolution fails, log the error internally or skip the problematic item gracefully output an empty array \[] if no shares or permissions can be retrieved the script should not crash security descriptor parsing is complex; handle potential variations and errors robustly provide only the powershell script code block for collecting this data assume sufficient privileges (admin required for security descriptors) task 31 implement collector for mapped network drives (registry method) you are an expert windows system administrator and scripter your task is to create a powershell script to enumerate mapped network drives by reading user registry hives this is an advanced task requiring careful registry manipulation instructions 1\ identify loaded user profiles/sids, for example using wmi `select sid, localpath from win32 userprofile where loaded = true` 2\ for each loaded user profile sid attempt to load the user's registry hive (`ntuser dat` located within the `localpath`) into a temporary registry key (e g , `hku\\\<sid> temp`) using `reg load hku\\\<sid> temp "\<pathtontuserdat>"` this requires administrator privileges handle potential errors (e g , hive already loaded, permissions issues, locked file) if the hive loads successfully, query the `network` subkey under the loaded hive (e g , `registry hkey users\\\<sid> temp\network`) iterate through the subkeys named after drive letters (e g , 'f', 'g', 'z') for each drive letter subkey, read the `remotepath` value, which contains the unc path store the user sid, drive letter (append ' '), and remotepath (unc) crucially , ensure the temporary hive is unloaded using `reg unload hku\\\<sid> temp` in a `finally` block or similar construct to prevent registry corruption 3\ map the collected data to the specified json format 4\ output the data as a json array of objects, one per mapped drive per user session target schema `mappednetworkdrives` table output json format (array) ```json \[ { "user sid" "\<user sid string>", "drive letter" "\<driveletter e g , 'z '>", "provider name" "\<remotepath (unc)>" // other fields like size/filesystem are not available via this method }, ] error handling this method is prone to errors (permissions, locked hives) implement robust try/catch blocks for loading/unloading hives and reading registry values if errors occur for a specific user, skip that user and continue if no drives are found, output an empty array \[] the script must ensure hives are unloaded even if errors occur provide only the powershell script code block for collecting this data assume administrator privileges task 32 implement collector for windows activation status you are an expert windows system administrator and scripter your task is to create a powershell script to determine the windows activation status and retrieve the partial product key instructions 1\ use a wmi query against the `softwarelicensingproduct` class 2\ filter for the windows product using its application id `where applicationid = '55c92734 d682 4d71 983e d6ec3f16059f'` also filter `where partialproductkey is not null` to target the relevant license instance 3\ collect the `licensestatus` and `partialproductkey` properties 4\ map the numeric `licensestatus` code to a descriptive string enum ('unlicensed'=0, 'licensed'=1, 'oobgrace'=2, 'ootgrace'=3, 'nongenuinegrace'=4, 'notification'=5, 'extendedgrace'=6, default 'unknown') 5\ output the data as a single json object target schema `devicesoftware` table (these fields will be linked server side to the specific windows software entry based on the device) output json format (single object) ```json { "detected activation status" "\<mapped licensestatus string or 'unknown'>", "detected license key" "\<partialproductkey or null>" } error handling if the wmi query fails or returns no results matching the filter, output a json object with null values {"detected activation status" null, "detected license key" null} the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges task 33 implement collector for browser policy configuration (registry method) you are an expert windows system administrator and scripter your task is to create a powershell script to collect policy enforced configuration settings for microsoft edge, google chrome, and mozilla firefox from standard group policy registry locations instructions 1\ define the base registry paths for policies edge machine `hklm \software\policies\microsoft\edge` edge user `hkcu \software\policies\microsoft\edge` chrome machine `hklm \software\policies\google\chrome` chrome user `hkcu \software\policies\google\chrome` firefox machine `hklm \software\policies\mozilla\firefox` firefox user `hkcu \software\policies\mozilla\firefox` 2\ for each path check if the path exists using `test path` if it exists, use `get itemproperty path \<path>` to retrieve all registry values (settings) directly under that key iterate through the retrieved property names and values (excluding ps properties) determine the `browser name` ('edge', 'chrome', 'firefox') and `user context` ('machinepolicy' for hklm, 'userpolicy' for hkcu) based on the path being processed map the registry value name to a standardized `setting name` (initially, just use the registry value name; server side mapping might be needed later) store the registry value data as a string in `setting value` set `source` to 'policy' 3\ aggregate all found settings into a single json array 4\ output the data as a json array of objects, one per discovered policy setting target schema `browserconfiguration` table output json format (array) ```json \[ { "browser name" "<'edge'/'chrome'/'firefox'>", "user context" "<'machinepolicy'/'userpolicy'>", "setting name" "\<registry value name>", "setting value" "\<registry value data as string>", "source" "policy" }, // one object per setting found in any policy location ] error handling use test path to avoid errors for non existent keys handle potential errors during registry access gracefully if no policy settings are found, output an empty json array \[] the script should not crash provide only the powershell script code block for collecting this data assume sufficient privileges (including access to hklm and potentially hkcu if running as system needs to access specific user hives, though typically gpo user policies apply directly to hkcu accessible by system) task 34 implement collector for browser extensions (multi browser, user context aware) you are an expert windows system administrator and scripter your task is to create a powershell script to enumerate installed extensions for microsoft edge, google chrome, and mozilla firefox across all available user profiles on the device this is a complex task requiring interaction with user profile data instructions 1\ identify user profiles on the system, focusing on their sids and local profile paths (e g , via wmi `win32 userprofile`) 2\ for each user profile construct the expected paths to the extensions directories or preference files for edge, chrome, and firefox within that user's profile (e g , `c \users\\\<user>\appdata\local\microsoft\edge\user data\default\extensions`, ` \google\chrome\user data\default\extensions`, ` \mozilla\firefox\profiles\\\<profilename>\extensions json`) note there can be multiple browser profiles (`profile 1`, `profile 2`, etc ) within `user data` the script should attempt to check 'default' and potentially other numbered profiles if feasible edge/chrome (manifest v3) enumerate subdirectories within the `extensions` folder each subdirectory name is the `extension id` within each extension's versioned subdirectory, locate and parse the `manifest json` file extract `name`, `version`, `description` (if available) determine `is enabled` status by checking browser preference files (e g , 'preferences' or 'secure preferences' json file in the profile root) which store extension states (complex parsing required, might be difficult/unreliable; default to `null` if state cannot be reliably determined) firefox locate and parse the `extensions json` file within the firefox profile directory iterate through the `addons` array extract `id` (extension id), `name`, `version`, `active` (is enabled), `defaultlocale description` store the user sid as the `user context` link back to the appropriate browser instance collected in task 22 using the browser name/path (requires server side linking logic) for this script's output, include the browser name 3\ aggregate results from all found browsers and user profiles 4\ output the data as a json array of objects, one per discovered extension instance per user profile per browser target schema `browserextensions` table output json format (array) ```json \[ { "browser name" "<'edge'/'chrome'/'firefox'>", // for server side linking "user context" "\<user sid string>", "extension id" "\<extension id>", "name" "\<extension name or null>", "version" "\<extension version or null>", "is enabled" \<boolean or null if cannot determine>, "install path" "\<full path to extension folder or null>" }, ] error handling this task is highly complex and prone to errors due to varying profile locations, browser updates changing structures, file access permissions (especially if not running as the user), and complex json parsing for state implement extensive try/catch blocks if a profile or browser path doesn't exist, skip it if parsing fails for an extension, skip it if no extensions are found, output an empty array \[] the script must be robust against these issues and not crash provide only the powershell script code block for collecting this data assume administrator privileges are available to access user profile directories the reliability of determining the 'enabled' state, especially for chrome/edge, might be limited when running as system task 35 enhance process collector for parent pid and start time you are an expert windows system administrator and scripter your task is to enhance the collection of running processes to include the parent process id and the process start time instructions 1\ use the `get process` powershell cmdlet include the ` includeusername` parameter 2\ for each process, collect `id` (processid) `processname` (name) `path` (executablepath handle access denied errors) `commandline` (requires wmi `win32 process` query using the process id `get ciminstance classname win32 process filter "processid = $($process id)" | select object expandproperty commandline`) `username` `responding` status (for state) `starttime` (convert to utc iso8601 format) cpu usage (`cpu` property from get process) working set memory (`workingset64` for memorybytes) parent process id use a calculated property or a separate wmi query `(get ciminstance classname win32 process filter "processid = $($process id)") parentprocessid` 3\ map these details to the `processes` json structure 4\ output the data as a json array of objects, one per running process target schema `deviceprocesses` table (assumes schema exists or fields added to existing process collector) output json format (array) ```json \[ { "processid" \<id as integer>, "name" "\<processname>", "executablepath" "\<path or null>", "commandline" "\<commandline from wmi or null>", "username" "\<username or null>", "cpupercent" \<cpu as float or null>, "memorybytes" \<workingset64 as integer or null>, "state" "<'running' if responding, 'not responding' if not>", "starttime" "\<starttime utc iso8601 or null>", "parentpid" \<parentprocessid from wmi or null> }, ] error handling handle errors getting path, commandline, or parentprocessid (e g , for system idle process, access denied) using null handle starttime errors if get process fails, output \[] provide only the powershell script code block assume sufficient privileges task 36 (replaces original open ports task) collect network connections snapshot per process you are an expert windows system administrator and scripter your task is to create a powershell script to collect a snapshot of current tcp and udp network connections, linking them to the owning process id this replaces simple open port listening instructions 1\ use the `get nettcpconnection` powershell cmdlet to get tcp connection details 2\ use the `get netudpendpoint` powershell cmdlet to get udp listening endpoints 3\ for each tcp connection collect `localaddress`, `localport`, `remoteaddress`, `remoteport`, `state`, `owningprocess` (pid) set `protocol` to 'tcp' 4\ for each udp endpoint collect `localaddress`, `localport` set `remoteaddress`, `remoteport` to representative values (e g , ' ', 0 or ' ', ) set `state` to 'listening' (or similar appropriate term) collect `owningprocess` (pid) set `protocol` to 'udp' 5\ combine tcp and udp results 6\ format the data into the specified json array, ensuring the `processid` is included target schema potentially a new table like `devicenetworkconnectionssnapshot` or adapt `deviceopenports` includes pid linkage does not include aggregated bytes/packets output json format (array) ```json \[ { "protocol" "<'tcp' or 'udp'>", "localaddress" "\<local ip address>", "localport" \<local port as integer>, "remoteaddress" "\<remote ip address or ' '>", "remoteport" \<remote port as integer or 0>, "state" "\<tcp state string or 'listening'>", "processid" \<owningprocess pid as integer> }, // one object per tcp connection and udp endpoint ] error handling if get nettcpconnection or get netudpendpoint fail, output an empty json array \[] handle errors getting properties for individual connections/endpoints gracefully provide only the powershell script code block assume sufficient privileges task 37 collect aggregate network interface statistics you are an expert windows system administrator and scripter your task is to create a powershell script to collect aggregate network statistics (bytes/packets in/out, errors, discards) per network interface over a defined interval (the interval itself is managed externally, this script just collects current counter values) instructions 1\ identify active network interfaces using `get netadapter | where object {$ status eq 'up'}` note their `interfacedescription` or `name` 2\ use the `get counter` cmdlet to retrieve the current values of relevant performance counters for each active interface from the `\network interface( )` performance object set 3\ target counters (use interface name/description from step 1 in the path) `\network interface(\<interface name/desc>)\bytes received/sec` `\network interface(\<interface name/desc>)\bytes sent/sec` `\network interface(\<interface name/desc>)\packets received/sec` `\network interface(\<interface name/desc>)\packets sent/sec` `\network interface(\<interface name/desc>)\packets received errors` `\network interface(\<interface name/desc>)\packets outbound errors` `\network interface(\<interface name/desc>)\packets received discarded` `\network interface(\<interface name/desc>)\packets outbound discarded` (optional but related `\network interface(\<interface name/desc>)\output queue length`) 4\ collect the `cookedvalue` for each counter note that the "/sec" counters provide a rate, not a total count since boot for interval totals, the server side would need to calculate the delta between two collections this script reports the current counter value or rate 5\ format the collected data into a json array, one object per interface include the interface name/description for identification target schema `networkportmetrics` (or similar aggregate table) note the schema expects totals , while counters often provide rates or cumulative totals this script provides the current counter value server side logic is needed for deltas/interval totals output json format (array) ```json \[ { "interface name" "\<interface name or description>", "bytes received per sec" \<cookedvalue as float or null>, "bytes sent per sec" \<cookedvalue as float or null>, "packets received per sec" \<cookedvalue as float or null>, "packets sent per sec" \<cookedvalue as float or null>, "packets received errors total" \<cookedvalue as integer or null>, // this is cumulative "packets outbound errors total" \<cookedvalue as integer or null>, // this is cumulative "packets received discarded total" \<cookedvalue as integer or null>, // this is cumulative "packets outbound discarded total" \<cookedvalue as integer or null> // this is cumulative }, // one object per active network interface ] error handling if get counter fails or specific counters are unavailable for an interface, report null for those values if no active interfaces are found, output \[] provide only the powershell script code block assume sufficient privileges emphasize that this collects current counter values/rates, not interval totals