Given the scenario where you have a number of computers at a site and in the same subnet, it may be possible to perform some remote diagnostics. Some example PowerShell commands are included below that could be used as-is or modified as needed.
Finding all other hosts that are replying to ping, for example:
workflow Sweep { foreach -parallel -throttlelimit 4 ($i in 1..255) {ping -n 1 -w 100 192.168.0.$i}}; Sweep | Select-String ttl
Adjust the IP as required. In the above case it will ping 192.168.0.1 - 192.168.0.255, showing a list of devices that reply. E.g.
Reply from 192.168.0.3: bytes=32 time=8ms TTL=64
Reply from 192.168.0.6: bytes=32 time=13ms TTL=64
Reply from 192.168.0.45: bytes=32 time=23ms TTL=64
Reply from 192.168.0.52: bytes=32 time<1ms TTL=128
Reply from 192.168.0.54: bytes=32 time=74ms TTL=64
Reply from 192.168.0.53: bytes=32 time=69ms TTL=64
Reply from 192.168.0.58: bytes=32 time=80ms TTL=64
To check open TCP ports on a particular device from the above list (192.168.0.3, say):
138,139,445,902,3389,4444 | % {$tcp= new-object system.net.sockets.tcpclient; $w = $tcp.beginConnect("192.168.0.3",$_,$null,$null); ($w.asyncwaithandle.waitone(100,$false)); if ($tcp.Connected){echo "$_ is open"}; $tcp.Close()} | select-string " "
Might print for example:
139 is open
445 is open
3389 is open
For all ports, which would take a while:
1..65535 | % {$tcp= new-object system.net.sockets.tcpclient; $w = $tcp.beginConnect("192.168.0.3",$_,$null,$null); ($w.asyncwaithandle.waitone(100,$false)); if ($tcp.Connected){echo "$_ is open"}; $tcp.Close()} | select-string " "
To see if someone is logged on to the computer you are connected to via Live Response, there are a number of ways, but using query.exe is pretty good:
query user
Example output might read:
USERNAME   SESSIONNAME   ID   STATE    IDLE TIME   LOGON TIME
user1      console       2    Active   none        08/05/2020 17:41
If you need to message all the logged on users:
msg * "call me on xxxxxx"
Or, to message just a specific user on a multi-user system, see msg /?
For wireless networks, NetSh.exe can be used. For example, the following commands might be helpful:
netsh wlan show networks
netsh wlan show all
Printers:
wmic printer get name,printerstate
Output example:
Name                                      PrinterState
Send To OneNote                           0
HP OfficeJet 200 Mobile Series [FDA582]   128
Microsoft XPS Document Writer             0
Microsoft Print to PDF                    0
Fax                                       0
EPSON WF-3620 Series                      0
Where: 0 = online, 128 = offline
To find the approximate location of the device from the public IP, using the web service ipinfo.io, which returns a number of JSON fields:
$(invoke-webrequest ipinfo.io).Content
Note: If the computer is using a VPN, the information will be related to the location of the VPN server the end-user is connected to. This information could be used, I suppose, to hint if they are using a VPN.
I will probably update this post over time with additional commands that have proved helpful.
Regards,
Jak
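
For the query user check described above, the text output can be turned into objects so that active and disconnected sessions are easy to filter before acting on a machine. This is an added example, not part of the original post; the function name ConvertFrom-QueryUser, the user2 row and the sample lines are constructed for illustration, and it assumes English-language output and usernames without spaces.

```powershell
# Added example (not from the original post).
# Assumes English-language "query user" output and usernames without spaces.
function ConvertFrom-QueryUser {
    param([Parameter(Mandatory)][string[]]$Lines)

    # SESSIONNAME is optional: a disconnected session leaves that column blank,
    # so splitting on whitespace alone would shift every later field.
    $pattern = '^\s*(?<cur>>)?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?' +
               '(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+?)\s*$'

    foreach ($line in ($Lines | Select-Object -Skip 1)) {   # skip the header row
        if ($line -notmatch $pattern) { continue }          # ignore blank/unknown lines
        [pscustomobject]@{
            User      = $Matches['user']
            Session   = $Matches['session']       # $null when the session is disconnected
            Id        = [int]$Matches['id']
            State     = $Matches['state']         # e.g. Active or Disc
            IdleTime  = $Matches['idle']
            LogonTime = $Matches['logon']
            IsCurrent = $Matches['cur'] -eq '>'   # '>' marks the session running the command
        }
    }
}

# Constructed sample output: one console user and one disconnected session.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME'
    '>user1                 console             2  Active      none   08/05/2020 17:41'
    ' user2                                     3  Disc         1:05  08/05/2020 09:12'
)
ConvertFrom-QueryUser $sample | Format-Table -AutoSize

# On a live host:
#   ConvertFrom-QueryUser (query user) | Where-Object State -eq 'Active'
```

When nobody is logged on, query.exe reports that instead of printing a table, and the function then returns no objects.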