PowerShell find files by extension on remote machines

Challenge

I mentioned the fight with ransomware in a previous post, “Force WSUS server to download patches once again”. In that task I fixed the WSUS content. The problem with the ransomware was that every share the source machine had access to was infected. Encrypted files were also changed to the *.payday extension. After disabling the source of the problem, there were two possible methods to check the environment. The first was to check the network for all available shares. The second was to scan all disks on all machines to check whether any *.payday file exists. I performed the second one. I created a simple but useful script: PowerShell find files by extension on remote machines.

Let’s start from the beginning

First of all, let’s see how to find files on the local system. There is a PowerShell command for this, Get-ChildItem. Let’s check its help and usage:

help Get-ChildItem
help Get-ChildItem -example

Now let’s combine some pieces from both. We need:

  • -Path to specify where the script has to search,
  • -Filter to include only *.payday files,
  • -Recurse to go into subfolders,
  • -Name to write only the name,
  • -Force to also look in hidden locations.

For now the script looks like:

Get-ChildItem -Path C:\ -Filter *.payday -Recurse -Name -Force

Another thing is to add an output file. We have to use the pipeline and the Out-File command with a log path:

Get-ChildItem -Path C:\ -Filter *.payday -Recurse -Name -Force | Out-File .\Payday.txt

The script works fine on the local machine. There are a few ways to use it against remote computers. In this case the best is to just type the path as \\RemoteMachine\Disk$. Both variables (RemoteMachines and Disks) will be specified in input files. Let’s create a foreach loop and specify the variables. It will be:

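# Input files: one computer name per line, one disk letter per line
$Machines = Get-Content RemoteMachines.txt
$Disks = Get-Content Disks.txt
# Out-File does not create missing folders, so make sure .\OUTput exists
New-Item -ItemType Directory -Path .\OUTput -Force | Out-Null
foreach ($Machine in $Machines) {
    foreach ($Disk in $Disks) {
        # Administrative share of the disk: \\Machine\Disk$ (`$ is a literal dollar sign)
        if (Test-Path "\\$Machine\$Disk`$") {
            Write-Host "Checking $Machine Disk $Disk"
            Get-ChildItem -Path "\\$Machine\$Disk`$\" -Filter *.payday -Recurse -Name -Force | Out-File ".\OUTput\$Machine$Disk.txt"
        }
    }
}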

There is an additional if (Test-Path \\$Machine\$Disk$) {} check to verify that the current path exists. Only if it does will the script go on to scan that location. If not, it just moves on. The output is multiple txt files, one for every machine and disk.
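
The loop above writes nothing for a share that fails Test-Path, and folders it cannot read only show up as console errors, so the result does not say which locations were actually checked. The following added example (not the author's script) runs the same admin-share sweep but records every outcome in one CSV; the function name Find-RemoteFilesByExtension and the file Payday-Scan.csv are assumptions made for illustration.

```powershell
# Added example, not the post's script. The function name and Payday-Scan.csv are
# made up for illustration; the input files are the ones the post uses.
function Find-RemoteFilesByExtension {
    param(
        [Parameter(Mandatory)] [string[]] $Machines,
        [Parameter(Mandatory)] [string[]] $Disks,
        [string] $Extension = 'payday'
    )
    # One row shape for every outcome, so the result exports cleanly to CSV.
    # $Machine and $Disk are read from the enclosing loops when the block is invoked.
    $NewRow = {
        param($Status, $Path, $LastWriteTime)
        [pscustomobject]@{ Machine = $Machine; Disk = $Disk; Status = $Status
                           Path = $Path; LastWriteTime = $LastWriteTime }
    }
    foreach ($Machine in $Machines) {
        foreach ($Disk in $Disks) {
            $Share = "\\$Machine\$Disk`$"
            if (-not (Test-Path -LiteralPath $Share)) {
                # Record the skip: an unreachable share has not been checked.
                & $NewRow 'NotScanned' $Share $null
                continue
            }
            $Scan = @{ LiteralPath = $Share; Filter = "*.$Extension"; Recurse = $true
                       File = $true; Force = $true
                       ErrorAction = 'SilentlyContinue'; ErrorVariable = 'ScanErrors' }
            $ScanErrors = @()
            # Keep exact extension matches only.
            $Hits = @(Get-ChildItem @Scan | Where-Object { $_.Extension -eq ".$Extension" })
            foreach ($File in $Hits) {
                & $NewRow 'Found' $File.FullName $File.LastWriteTime
            }
            foreach ($Err in $ScanErrors) {
                # Folders that could not be read, for example access denied.
                & $NewRow 'ReadError' "$($Err.TargetObject)" $null
            }
            if ($Hits.Count -eq 0 -and $ScanErrors.Count -eq 0) {
                & $NewRow 'Clean' $Share $null
            }
        }
    }
}

# Blank lines in the input files are dropped before the sweep.
$Machines = Get-Content .\RemoteMachines.txt | Where-Object { $_.Trim() }
$Disks = Get-Content .\Disks.txt | Where-Object { $_.Trim() }
Find-RemoteFilesByExtension -Machines $Machines -Disks $Disks |
    Export-Csv .\Payday-Scan.csv -NoTypeInformation
```

Rows with Status NotScanned or ReadError are the locations that still need a second pass before the environment can be called clean.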

More information

Microsoft documentation about Get-ChildItem – LINK