@echo off

REM Localization

setlocal enabledelayedexpansion

REM Administrator authority check

openfiles > NUL 2>&1 
if NOT %ERRORLEVEL% EQU 0 goto NotAdmin

REM OS version check

set runos=NotSupported

ver | find "Version 6.0." > NUL
if not errorlevel 1 set runos=Win_Vistaor2008

ver | find "Version 6.1." > NUL 
if not errorlevel 1 set runos=Win_7or2008R2

ver | find "Version 6.2." > NUL
if not errorlevel 1 set runos=Win_8or2012

ver | find "Version 6.3." > NUL
if not errorlevel 1 set runos=Win_81or2012R2

ver | find "Version 10." > NUL
if not errorlevel 1 set runos=Win_10or2016

if %runos%==NotSupported goto NotSupport

if %runos%==Win_Vistaor2008 goto NotSupport

REM Temporary folder path

set tooltemp=c:\temp

:startbat
cls

echo *******************************************************************************
echo CollectInfo Menu
echo - Num: 1 (Collect information - Start)
echo - Num: 2 (Collect information - Stop)
echo - Num: 3 (OS common information collecting - Run)
echo *******************************************************************************

set INP=0
set /p INP="Please enter the number you want to execute. Enter q to quit tool. > "

if "%INP%"=="q" exit /b

echo.
echo Number %INP% is executed.
echo Press any key to continue.
pause > NUL
cls

if "%INP%"=="1" goto collectstart
if "%INP%"=="2" goto collectstop
if "%INP%"=="3" goto oscollect

goto startbat

REM ######################################################################
REM Collect information - Start
REM ######################################################################

:collectstart

if not EXIST "%tooltemp%" mkdir "%tooltemp%"

cd /d "%tooltemp%"

REM ----- psr start -----

start psr.exe /start /output "%tooltemp%\psr.zip" /gui 0 /sc 1 /maxsc 100 >nul

REM ----- netsh trace start or logman start -----

set NETSH_CAPTURE=yes
set NETSH_MAXSIZE=1024
set NETSH_PERSISTENT=no
set NETSH_REPORT=no

if %runos%==Win_7or2008R2 (
netsh trace start capture=%NETSH_CAPTURE% maxsize=%NETSH_MAXSIZE% persistent=%NETSH_PERSISTENT% report=%NETSH_REPORT% overwrite=yes tracefile="%tooltemp%\netsh-winhttp.etl" scenario=InternetClient provider="Microsoft-Windows-WinINet" keywords=0xffffffffffffffff level=0xff provider={72B18662-744E-4A68-B816-8D562289A850} keywords=0xffffffffffffffff level=0xff
)

if %runos%==Win_8or2012 (
netsh trace start capture=%NETSH_CAPTURE% maxsize=%NETSH_MAXSIZE% persistent=%NETSH_PERSISTENT% report=%NETSH_REPORT% overwrite=yes tracefile="%tooltemp%\netsh-winhttp.etl" scenario=InternetClient provider="Microsoft-Windows-WinHttp" keywords=0xffffffffffffffff level=0xff provider={B3A7698A-0C45-44DA-B73D-E181C9B5C8E6} keywords=0xffffffffffffffff level=0xff provider="Microsoft-Windows-WinINet" keywords=0xffffffffffffffff level=0xff provider={4E749B6A-667D-4C72-80EF-373EE3246B08} keywords=0xffffffffffffffff level=0xff
)

if %runos%==Win_81or2012R2 (
netsh trace start capture=%NETSH_CAPTURE% maxsize=%NETSH_MAXSIZE% persistent=%NETSH_PERSISTENT% report=%NETSH_REPORT% overwrite=yes tracefile="%tooltemp%\netsh-winhttp.etl" scenario=InternetClient_dbg provider="Microsoft-Windows-WinHttp" keywords=0xffffffffffffffff level=0xff provider={B3A7698A-0C45-44DA-B73D-E181C9B5C8E6} keywords=0xffffffffffffffff level=0xff provider="Microsoft-Windows-WinINet" keywords=0xffffffffffffffff level=0xff provider={4E749B6A-667D-4C72-80EF-373EE3246B08} keywords=0xffffffffffffffff level=0xff
)

if %runos%==Win_10or2016 (
netsh trace start capture=%NETSH_CAPTURE% maxsize=%NETSH_MAXSIZE% persistent=%NETSH_PERSISTENT% report=%NETSH_REPORT% overwrite=yes tracefile="%tooltemp%\netsh-winhttp.etl" scenario=InternetClient_dbg provider="Microsoft-Windows-WinHttp" keywords=0xffffffffffffffff level=0xff provider={B3A7698A-0C45-44DA-B73D-E181C9B5C8E6} keywords=0xffffffffffffffff level=0xff provider="Microsoft-Windows-WinINet" keywords=0xffffffffffffffff level=0xff provider={4E749B6A-667D-4C72-80EF-373EE3246B08} keywords=0xffffffffffffffff level=0xff
)

echo Press any key to return to the menu.
pause > NUL

goto startbat

REM ######################################################################
REM Collect information - Stop
REM ######################################################################

:collectstop

REM Creating output folder

for /F "tokens=1,2,3 delims=/" %%p in ("%DATE%") do @set dateD=%%p%%q%%r
set INFODIR=%userprofile%\desktop\%dateD%_%COMPUTERNAME%_info
if not EXIST "%INFODIR%" mkdir "%INFODIR%"

REM Setting time information

set time2=%time: =0%
set timeD=%time2:~0,2%%time2:~3,2%%time2:~6,2%

cd /d "%tooltemp%"

REM ----- netsh trace stop -----

netsh trace stop

for /f "usebackq delims=. tokens=1" %%i in (`dir /b  "%tooltemp%\netsh-*.etl"`) do ren "%tooltemp%\%%i.etl" %%i_%timeD%.etl > nul
for /f "usebackq delims=. tokens=1" %%i in (`dir /b  "%tooltemp%\netsh-*.cab"`) do ren "%tooltemp%\%%i.cab" %%i_%timeD%.cab > nul
move "%tooltemp%\netsh-*.etl" "%INFODIR%" >nul
move "%tooltemp%\netsh-*.cab" "%INFODIR%" >nul

REM ----- psr stop -----

psr.exe /stop >nul

move "%tooltemp%\psr.zip" "%INFODIR%\psr_%timeD%.zip" >nul

echo Press any key to return to the menu.
pause > NUL

goto startbat

REM ######################################################################
REM OS common information collecting - Run
REM ######################################################################

:oscollect

echo Collecting Information is started.
echo Processing will proceed even if error messages are displayed.
echo.

REM Creating output folder

for /F "tokens=1,2,3 delims=/" %%p in ("%DATE%") do @set dateD=%%p%%q%%r
set INFODIR=%userprofile%\desktop\%dateD%_%COMPUTERNAME%_info
if not EXIST "%INFODIR%" mkdir "%INFODIR%"

REM Setting time information

set time2=%time: =0%
set timeD=%time2:~0,2%%time2:~3,2%%time2:~6,2%

REM Creating OS folder

mkdir "%INFODIR%\OS_%timeD%"
cd /d "%INFODIR%\OS_%timeD%"

REM ----- Eventlog

wevtutil epl System wevtutil-System.evtx
wevtutil qe System /f:text > wevtutil-System.txt
wevtutil epl Setup wevtutil-Setup.evtx
wevtutil epl Application wevtutil-Application.evtx
wevtutil qe Application /f:text > wevtutil-Application.txt
wevtutil epl Security wevtutil-Security.evtx
wevtutil epl Microsoft-Windows-CAPI2/Operational wevtutil-CAPI2.evtx
wevtutil epl Microsoft-Windows-GroupPolicy/Operational wevtutil-GroupPolicy-Operational.evtx
wevtutil epl Microsoft-Windows-NCSI/Operational wevtutil-NCSI.evtx
wevtutil epl Microsoft-Windows-NlaSvc/Operational wevtutil-NlaSvc.evtx
wevtutil epl Microsoft-Windows-NetworkProfile/Operational wevtutil-NetworkProfile.evtx
wevtutil epl Microsoft-Windows-Dhcp-Client/Admin wevtutil-DHCPClient-Admin.evtx
wevtutil epl Microsoft-Windows-Dhcp-Client/Operational wevtutil-DHCPClient-Operational.evtx
wevtutil epl Microsoft-Windows-TaskScheduler/Operational wevtutil-TaskScheduler-Operational.evtx

REM ----- Registry

reg query HKLM\SYSTEM\CurrentControlSet\Services\TCPIP /s > reg-TCPIP.txt
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall /s > reg-WindowsFirewall.txt
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess /s > reg-SharedAccess.txt
reg save HKLM\SYSTEM\CurrentControlSet\Control reg-Control.hiv
reg save HKLM\SYSTEM\CurrentControlSet\Services reg-Services.hiv
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall reg-WindowsFirewall.reg
reg export HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess reg-SharedAccess.reg
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc /s > reg-NlaSvc.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList" /s > reg-NetworkList.txt
reg query "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings" /s > reg-Policys-InternetSettings.txt
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /s > reg-InternetSettings.txt

REM ----- Command

msinfo32.exe /nfo msinfo32.nfo
gpresult /H gpresult.htm
gpresult /z > gpresult.txt
auditpol /get /category:* > auditpol.txt
ipconfig /all > ipconfig-all.txt
ipconfig /displaydns > ipconfig-displaydns.txt
net session > net-session.txt
net use > net-use.txt
netstat -r > netstat-r.txt
netstat -s > netstat-s.txt
netstat -anob > netstat-anob.txt
netsh interface ipv4 show offload > netsh-int-ipv4-offload.txt
fltmc instances > fltmc_instances.txt
fltmc filters > fltmc_filters.txt
set > set.txt
driverquery /fo csv /v > driverquery.csv
wmic nic get * /format:htable > wmi_nic.html
wmic nicconfig get * /format:htable > wmi_nicconfig.html
wmic qfe get * /format:htable > wmi_qfe.html
wmic partition get * /format:htable > wmi_partition.html
wmic logicaldisk get * /format:htable > wmi_logicaldisk.html
wmic volume get * /format:htable > wmi_volume.html
wmic diskdrive get * /format:htable > wmi_diskdrive.html
copy %systemroot%\system32\drivers\etc\hosts .\ >nul
copy %systemroot%\system32\drivers\etc\lmhosts.sam .\ >nul
copy %systemroot%\system32\drivers\etc\networks .\ >nul
copy %systemroot%\system32\drivers\etc\protocol .\ >nul
copy %systemroot%\system32\drivers\etc\services .\ >nul
copy %windir%\WindowsUpdate.log .\ >nul
copy %windir%\SoftwareDistribution\ReportingEvents.log .\ >nul
copy %windir%\inf\Setupapi.* .\ >nul
copy %WinDir%\System32\LogFiles\SCM\*.EVM* .\ >nul
klist tgt > klist-tgt-%USERNAME%.txt
klist tickets > klist-tickets-%USERNAME%.txt
whoami /all > whoami-all-%USERNAME%.txt
tasklist -svc > tasklist-svc.txt
tasklist -v > tasklist-v.txt
schtasks /Query /V > schtasks.txt
dism /Online /Get-intl > Get_intl.log
dism /Online /Get-Packages /Format:Table > Get-Packages.log
dism /Online /Get-Features /Format:Table > Get-Features.log
netsh winhttp show proxy > netsh-winhttp-proxy.txt
dir c:\Windows\ServiceProfiles\LocalService\winhttp\ > dir_winhttp.txt
copy c:\Windows\ServiceProfiles\LocalService\winhttp\*.cache .\
dir %UserProfile%\AppData\Local\Microsoft\Windows\INetCache > INetCache.txt
copy %UserProfile%\AppData\Local\Microsoft\Windows\INetCache\*.dat .\

REM ----- Advfirewall related information

netsh advfirewall show allprofiles > netsh-advfirewall-allprofiles.txt
netsh advfirewall show currentprofile > netsh-advfirewall-currentprofile.txt
netsh advfirewall firewall show rule name=all verbose > netsh-advfirewall-rules.txt
netsh advfirewall monitor show firewall > netsh-advfirewall-monitor.txt
netsh advfirewall export netsh-advfirewall-export.wfw >nul

REM ----- WFP related information

netsh wfp show netevents >nul
netsh wfp show state >nul
netsh wfp show filters >nul
netsh wfp show boottimepolicy >nul

move netevents.xml netsh-wfp-netevents.xml >nul
move wfpstate.xml netsh-wfp-wfpstate.xml >nul
move filters.xml netsh-wfp-filters.xml >nul
move btpol.xml netsh-wfp-btpol.xml >nul

echo.
echo Collecting Information is ended.
echo Press any key to return to the menu.
pause > NUL

goto startbat

REM ######################################################################
REM Error Handling
REM ######################################################################

:NotAdmin

echo Please run with administrative rights.
echo Press any key to exit.
pause > NUL
exit /b

:NotSupport

echo Unsupported OS version.
echo Press any key to exit.
pause > NUL
exit /b

REM EOF