Hello Gurus!
I've been working on a script for the past few weeks to check specific paths for certain file extensions and do comparisons to the previous day's check to find files that have been added/removed, and then do a hash check on the remaining files to make sure they haven't changed since the previous day. I can get parts of it working, but my reliance on Compare-Object for my comparisons is changing my output so I can no longer pipe it into cmdlets like Get-FileHash. I could use some help!
Here is what I'm specifically trying to do. First I am scanning the following paths for *.exe, *.dll, *.bat, *.vbs, *.cmd files.
Path1 - C:\ (non-recursive)
Path2 - C:\Windows (recursive)
(Code Example)
$Include = @("*.dll","*.exe","*.bat","*.cmd","*.vbs")
# Path1: top level of C:\ only (no -Recurse)
$files = @(Get-ChildItem -Path C:\* -Include $Include)
# Path2: the whole Windows tree, so -Recurse is needed here
$files += @(Get-ChildItem -Path $env:WINDIR\* -Include $Include -Recurse)
(/Code Example)
Once I have the file list stuffed in a variable (is Get-ChildItem the best way to do this?), I then compare it to the previous day's file list (stored in CSV form and imported into a variable) and compare the two variables to find files that have been deleted or added.
(Code Example)
$previous = Import-CSV C:\Scripts\PrevFiles.csv
$current = $files | Get-FileHash -Algorithm MD5 | Select-Object Path,Hash
$FD = Compare-Object $previous $current -Property Path | Sort-Object Path | Select-Object -Property Path,SideIndicator
(/Code Example)
Once those files have been identified, they are exported to an easily readable text file:
FileChanges.txt
c:\Windows\driver.com File Deleted!
c:\GPOLogger.dll File Added!
Now I run another compare against the current and previous file lists to find all the file paths that match and create a new file list of all the matched paths, which is stored in a new variable.
I now run that variable of the matching path file list piped into Get-FileHash and assign it to a new variable so I have the file path and hash for each file. I then import the CSV from the previous day's FileHash output and compare them looking for changes in hash. Once the files with a changed hash are identified, they are appended to the FileChanges.txt file in an easily readable format.
FileChanges.txt
c:\Windows\driver.com File Deleted!
c:\GPOLogger.dll File Added!
C:\Windows\explorer.exe Hash Changed!
Once complete, I check the FileChanges.txt for any content, if none send an e-mail saying no changes. If there is content in FileChanges.txt I send a different e-mail alerting people of the changes and attach the FileChanges.txt file to the e-mail.
I then write the current file list to CSV and overwrite yesterday's file list so it can be read tomorrow as the "previous day". I do the same thing for the current hash/file list.
------
I thought this was going to be painless until I realized Compare-Object changes the data type so I can no longer feed its output to Get-FileHash. While I understand certain parts of PowerShell very well, this is not one of them. Can anyone get me over the hump of generating file lists that I can compare and output new file lists that can be fed to Get-FileHash? Or if you have a better idea how to structure the data and comparisons, I'm all ears!
Thanks all!
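One way to get the same added/deleted/changed report without ever feeding Compare-Object's output back into Get-FileHash, as an added example rather than the poster's own script: hash the current inventory once, load the previous run's Path/Hash CSV into a hashtable, and derive the three change types from the two tables. The baseline path C:\Scripts\PrevFiles.csv comes from the post; the report path C:\Scripts\FileChanges.txt and the switch from MD5 to SHA256 are assumptions.

```powershell
# Added example, not the poster's script. Assumes the baseline CSV lives at
# C:\Scripts\PrevFiles.csv with columns Path,Hash (written by the previous run)
# and that the change report is written to C:\Scripts\FileChanges.txt.
$Include  = @('*.dll','*.exe','*.bat','*.cmd','*.vbs')
$Baseline = 'C:\Scripts\PrevFiles.csv'
$Report   = 'C:\Scripts\FileChanges.txt'

# Inventory: top level of C:\ plus the whole Windows tree. -File skips
# directories; -ErrorAction SilentlyContinue skips paths we cannot read.
$files  = @(Get-ChildItem -Path 'C:\*' -Include $Include -File -ErrorAction SilentlyContinue)
$files += @(Get-ChildItem -Path "$env:WINDIR\*" -Include $Include -File -Recurse -ErrorAction SilentlyContinue)

# Hash everything once, keyed by full path. SHA256 rather than MD5 so that a
# deliberately crafted collision cannot hide a modified binary.
$current = @{}
foreach ($f in $files) {
    $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    if ($h) { $current[$f.FullName] = $h.Hash }
}

# Previous run, also keyed by path. Hashtable keys are case-insensitive, which
# suits Windows paths, and lookups avoid the Compare-Object type problem entirely.
$previous = @{}
if (Test-Path -LiteralPath $Baseline) {
    Import-Csv -LiteralPath $Baseline | ForEach-Object { $previous[$_.Path] = $_.Hash }
}

$changes = New-Object System.Collections.Generic.List[string]
foreach ($path in $current.Keys) {
    if (-not $previous.ContainsKey($path))        { $changes.Add("$path File Added!") }
    elseif ($previous[$path] -ne $current[$path]) { $changes.Add("$path Hash Changed!") }
}
foreach ($path in $previous.Keys) {
    if (-not $current.ContainsKey($path))         { $changes.Add("$path File Deleted!") }
}

# Write the report (a zero-byte file means "no changes"), then roll the
# baseline forward so tomorrow's run compares against today's hashes.
[System.IO.File]::WriteAllLines($Report, [string[]]@($changes | Sort-Object))
$current.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Path = $_.Key; Hash = $_.Value } } |
    Export-Csv -LiteralPath $Baseline -NoTypeInformation
```

Because a single Path/Hash table covers both the presence check and the hash check, only one baseline CSV needs to be kept, and `$changes.Count` is what decides which of the two e-mails to send.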