List Offline Files (PowerShell)
Log In or Register to download the BES file, and more.

0 Votes

Collections (part of 1 collection)

PowerShell

Description

List Offline Files

This is considered a brute force search since it recursively looks at every file. 

Be careful to try and be specific with which folder to start your search.  If you start at the "c:\" folder, the scan is likely to take a very long time... and this task waits for that search to complete... thus your client will be stalled until this search is finished.

The results file is saved in the "parent folder of the client" and named "OfflineFiles.csv".


Property Details

ID644
TitleList Offline Files (PowerShell)
DomainBESC
CategorySearch
Download Size0
Sourcedanielheth@bigfix.me
Source ID<Unspecified>
Source Severity<Unspecified>
Source Release Date10/26/2012 12:00:00 AM
Keywordsmicrosoft offline files
Is TaskTrue
Added by on 10/26/2012 4:07:08 PM
Last Modified by on 10/26/2012 4:07:08 PM
Counters 5283 Views / 39 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 0 ratings. ** Log In or Register to add your rating.

Relevance

Used in 9 fixlets and 4 analyses   * Results in a true/false
Show indented relevance
name of operating system as string contains "Win"
Used in 11 fixlets and 5 analyses   * Results in a true/false
Show indented relevance
exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1" whose (value "Install" of it as integer = 1) of registry
Used in 3 fixlets   * Results in a true/false
Show indented relevance
exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" whose (value "PowerShellVersion" of it as string as version >= "2.0") of registry

Actions

Action 1 (default)

Action Link Click  here  to search for offline folders/files.
Script Type BigFix Action Script
action parameter query "startDir" with description "Specify the root folder path you want to scan recursively through:" and with default value "c:\users"
//============================================================================
//PowerShell Script...
//
//1. Save old ExecutionPolicy value
parameter "PolicyExisted"="{exists value "ExecutionPolicy" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of (if exists x64 registry then x64 registry else registry)}"
parameter "oldExecutionPolicy"="{if (parameter "PolicyExisted" as boolean) then (value "ExecutionPolicy" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of (if exists x64 registry then x64 registry else registry) as string) else ""}"
//2. set to ExecutionPolicy=Unrestricted and Pull PowerShell exe from registry... if 64bit then pull PowerShell x64
if {x64 of operating system}
    regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="Unrestricted"
    parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of x64 registry}"
else
//we need to determine what the current execution policy is so we can put it back when we're done.
    regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="Unrestricted"
    parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of registry}"
endif
//3. Create PowerShell script and save to a ps1 file
delete __appendfile
delete script.ps1
appendfile Get-ChildItem "{parameter "startDir"}" -recurse | Where-Object {$_.Attributes -eq 'offline'} | Export-Csv "{pathname of parent folder of client}\OfflineFiles.csv"
move __appendfile script.ps1
//4. Execute PowerShell with ps1 script file
action uses wow64 redirection false
waithidden "{parameter "PowerShellexe"}" -file "{pathname of client folder of current site}\script.ps1"
action uses wow64 redirection {x64 of operating system}
//5. Restore ExecutionPolicy back
if {x64 of operating system}
    if {parameter "PolicyExisted" as boolean}
        regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="{parameter "oldExecutionPolicy"}"
    else
        regdelete64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"
    endif
else
    if {parameter "PolicyExisted" as boolean}
        regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="{parameter "oldExecutionPolicy"}"
    else
        regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"
    endif
endif
//============================================================================
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 2

Action Link Click here to learn about Ben Shorehill's research into the powershell command we're using.
Script Type URL
http://www.symantec.com/connect/downloads/csv-report-all-offline-files-powershell
    

Action 3

Action Link Click here to learn about Microsoft's Offline Files features.
Script Type URL
http://windows.microsoft.com/en-US/windows-vista/Understanding-offline-files
    

Sharing

Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!