Using PowerShell to collect additional information

Custom fields allow collecting and analyzing specific data points that are relevant to your unique auditing requirements. This page explains how to use PowerShell in custom fields and offers some ready-to-use script examples.

Here are the steps to create custom fields using PowerShell in AlloyScan:

  1. Identify the data to collect.

    Determine the specific information you want to capture and associate with custom fields. This could include additional attributes, metadata, or calculated values that are relevant to your auditing needs.

  2. Create a PowerShell script that encapsulates the request for creating the custom field.

  3. Test the PowerShell script in a controlled environment to ensure it works as expected.

PowerShell script samples

To use a sample script, copy and paste it into the Script text box when configuring a custom field, and replace any placeholders with your actual parameters.

Collecting system information

You can use PowerShell scripting to gather system information, such as internal reference designators for port connectors. The following PowerShell script retrieves and captures this data on Windows computers, allowing AlloyScan to display this information in a custom field:

$Result = Get-WmiObject Win32_PortConnector | Select-Object InternalReferenceDesignator

This script comprises the following elements:

  • Get-WmiObject Win32_PortConnector: This cmdlet retrieves information about port connectors on the Windows computer. It uses the Windows Management Instrumentation (WMI) class Win32_PortConnector to access this information.

  • | Select-Object InternalReferenceDesignator: The pipe symbol "|" is used to pass the output of the previous cmdlet to the next one. In this case, it passes the result of the Get-WmiObject cmdlet. The Select-Object cmdlet is then used to choose and display only the InternalReferenceDesignator property of the retrieved port connectors. This property represents the internal reference or identifier associated with the port connector.

  • $Result =: The "=" operator assigns the output of the previous piped cmdlet to the variable $Result. This allows you to store and manipulate the selected InternalReferenceDesignator values for further use within the PowerShell script.

When creating a custom audit field based on this code, you will need to select a Field type that best represents the nature of the data in the InternalReferenceDesignator property. Since in this case the InternalReferenceDesignator represents a list of specific identifiers or labels associated with each port connector, the Table field type is the most appropriate.

Capturing Registry keys

PowerShell can also be used to capture specific keys from the Windows Registry. For example, the following PowerShell script checks whether AppLocker Enforcement Mode is enabled on the local machine.

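# Returns $true only when the EnforcementMode value exists and equals 1 (Enforce Rules); 0 (Audit Only) or a missing value gives $false.
[bool] ((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2' -Name 'EnforcementMode' -ErrorAction SilentlyContinue).EnforcementMode -eq 1)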

Output:

  • $true: AppLocker Enforcement Mode is enabled (Enforce Rules).

  • $false: AppLocker Enforcement Mode is disabled (Audit Only), not configured, or the registry key is missing.

The output is a logical value, so using this script would require a custom field of the Logical field type.
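
The following is an added example, not one of AlloyScan's own samples. It reports the enforcement state of each AppLocker rule collection separately, so that a machine in Audit Only mode can be told apart from one with no policy at all. It assumes that policy-delivered AppLocker settings are stored in one subkey per rule collection (Appx, Dll, Exe, Msi, Script) under the SrpV2 key, each with an EnforcementMode DWORD where 0 means Audit Only and 1 means Enforce Rules. Assigning the rows to $Result follows the first sample on this page.

```powershell
# Added example: per-collection AppLocker enforcement status from the registry.
# Assumption: each rule collection has its own subkey under SrpV2 holding an
# EnforcementMode DWORD (0 = Audit Only, 1 = Enforce Rules).
$BasePath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
$Collections = 'Appx', 'Dll', 'Exe', 'Msi', 'Script'

$Result = foreach ($Name in $Collections) {
    $KeyPath = Join-Path -Path $BasePath -ChildPath $Name

    # A missing key or a missing value yields $null instead of an error.
    $Mode = (Get-ItemProperty -Path $KeyPath -Name 'EnforcementMode' -ErrorAction SilentlyContinue).EnforcementMode

    # Compare the value itself. Casting the returned object to [bool] would
    # only show that the value exists, not that it is set to Enforce Rules.
    $State = if ($Mode -eq 1) { 'Enforce Rules' } elseif ($Mode -eq 0) { 'Audit Only' } else { 'Not configured' }

    [pscustomobject]@{
        Collection = $Name
        State      = $State
        Enforced   = ($Mode -eq 1)
    }
}

# Emit the rows as well, in case the field reads script output rather than $Result.
$Result
```

Because the result is one row per rule collection, it suits a custom field of the Table field type.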

Checking file presence

PowerShell is also useful for verifying the existence of specific files on the system. The script below checks whether a file is present, returning a logical value of $true if it exists and $false if it does not. This can be particularly useful for confirming the presence of critical files, such as license files, configuration files, or log files, which may reflect the system’s state or configuration.

[bool] (Test-Path -Path 'C:\ProgramData\MyApp\license.lic')

The output is a logical value, so this script would require a custom field of the Logical type.