After listening to Larry's excellent technical segment on dumping the event logs from a large list of computers, I decided to try it out on my own. If you missed the technical segment, you can find the notes here. To do my own testing I needed to start with a large list of computers. For my list, I want to have the names of every computer in the domain. So I turned to "dsquery computer" to get a list of all computers.

C:\WINDOWS> dsquery computer 

"CN=CONTROLER1,OU=Domain Controllers,DC=subdomain,DC=domain,DC=com"

BLA BLA BLA… Truncated

"CN=WORKSTATION1,OU=ORGUNIT1,OU=OrgUnit2,OU=OrgUnit3,DC=Subdomain,DC=Domain,DC=com"

BLA BLA BLA… Truncated again


The length of the results changes because of the variable number of OUs and subdomains, but fortunately for us the workstation name is always the first part of the string. It is always between the CN= and the first comma. We can strip out the workstation name with the "DELIMS" and "TOKENS" options of the FOR /F loop. Also, by default DSQUERY will only return the first 100 results. This can be changed using the "-LIMIT" option. Setting the LIMIT to 0 returns all results. For now let's check our output looking at only two entries.

C:\WINDOWS>for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do echo %i

C:\WINDOWS>echo "CN=WORKSTATION1

"CN=WORKSTATION1

C:\WINDOWS>echo "CN=WORKSTATION2

"CN=WORKSTATION2


We are almost there. I need to strip the first 4 characters of the line (the opening quote plus CN=). For this I stole a page or two from Ed Skoudis' play book. We can strip the first four characters with the SET command using the expression %variable:~4%. But, since we are in a FOR loop, we have to turn on delayed variable expansion (cmd.exe /v:on) and use ! instead of %, i.e. !variable:~4!.

C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do set name=%i  & set name=!name:~4! & echo !name!"

Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.

C:\WINDOWS>set name="CN=WORKSTATION1    & set name=!name:~4!   & echo !name!

WORKSTATION1

C:\WINDOWS>set name="CN=WORKSTATION2    & set name=!name:~4!   & echo !name!

WORKSTATION2


Now we have all the computer names in the domain being printed one at a time. I can dump all the names of the machines in the domain to a file to feed Larry's event dumper.

C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 0') do set name=%i & set name=!name:~4! & echo !name! >> c:\temp\machines.txt"

Better yet, we could combine it with a WMIC command (or any other command) to do various useful tasks on our machines. For example, if I want to query every machine in my network for an instance of a process whose name starts with CMD, I could run the following (remember that % is the wildcard in a WMIC "like" clause):

C:\WINDOWS>cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 2') do set name=%i  & set name=!name:~4! & wmic /node:!name! process where "name like 'cmd%'" list brief"

Dsquery has reached the specified limit on number of results to display; use a different value for the -limit option to display more results.

C:\WINDOWS>set name="CN=WORKSTATION1    & set name=!name:~4!   & wmic /node:!name! process where "name like 'cmd%'" list brief

HandleCount  Name     Priority  ProcessId  ThreadCount  WorkingSetSize

33           cmd.exe  8         2308       1            1654784

C:\WINDOWS>set name="CN=WORKSTATION2    & set name=!name:~4!   & wmic /node:!name! process where "name like 'cmd%'" list brief

HandleCount  Name     Priority  ProcessId  ThreadCount  WorkingSetSize

33           cmd.exe  8         2368       1            1626112


So there you go. Now using this basic syntax...

cmd.exe /v:on /c "for /F "delims=, tokens=1" %i in ('dsquery computer -limit 0') do set name=%i  & set name=!name:~4! & Any command here based on !name!"

... you can run any command you want on every machine in your domain.
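The same dsquery / FOR /F / substring procedure as a reusable batch file, an added example that is not code from the post. The file name collect-and-query.cmd and the output paths under c:\temp are assumptions. It keeps the page's technique but handles the differences between typing at the prompt and running from a script: the FOR variable becomes %%i, the WQL wildcard % must be doubled, and redirection is written first so a host name ending in a digit is never misread as a file handle.

```batch
@echo off
REM collect-and-query.cmd - hypothetical name, added example, not the post's own code.
REM Pass 1 writes every computer name in the domain to a file with dsquery.
REM Pass 2 runs one WMIC process query per host and logs the result per host.
setlocal EnableDelayedExpansion

set "LIST=c:\temp\machines.txt"
set "LOG=c:\temp\cmd-processes.txt"
if not exist c:\temp mkdir c:\temp
if exist "%LIST%" del "%LIST%"
if exist "%LOG%" del "%LOG%"

REM Pass 1: enumerate. Inside a .cmd file the FOR variable is %%i, not %i.
REM tokens=1 delims=, keeps everything before the first comma: "CN=WORKSTATION1
REM -limit 0 lifts the default cap of 100 results.
for /F "delims=, tokens=1" %%i in ('dsquery computer -limit 0') do (
    REM The set "var=value" form keeps stray trailing spaces out of the value.
    set "name=%%i"
    REM Drop the first 4 characters: the opening quote plus CN=
    set "name=!name:~4!"
    REM Redirection first: echo WORKSTATION1>>file would treat the trailing 1
    REM as a handle number, and writing "echo !name! >>file" adds a trailing space.
    >>"%LIST%" echo !name!
)

REM Pass 2: query each host. /failfast:on makes WMIC give up quickly on hosts
REM that are powered off or unreachable instead of waiting for the RPC timeout.
REM Inside a batch file the literal % of the WQL wildcard must be written as %%.
for /F "usebackq delims=" %%h in ("%LIST%") do (
    >>"%LOG%" echo === %%h ===
    wmic /failfast:on /node:"%%h" process where "name like 'cmd%%'" get Name,ProcessId,CommandLine /format:list >>"%LOG%" 2>&1
)

echo Names written to %LIST%, results written to %LOG%
endlocal
```

Stale computer accounts in the directory show up as unreachable hosts in the log, so the list is only as clean as the domain it was pulled from.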

Join me for SANS 504 June 21-26
