Purp1eW0lf revised this gist
Jan 7, 2023 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,6 @@ <# Meta Date: 2023 January 7th Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf) Company: Huntress Labs Purpose: Automate collecting Windows Registry hives, including related .DATs for all users. -
Purp1eW0lf revised this gist
Jan 7, 2023 . No changes.There are no files selected for viewing
Purp1eW0lf revised this gist
Jan 7, 2023 . 1 changed file with 3 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -61,7 +61,9 @@ function Collect_via_TSCopy{ # zip it all up function Zip_Collected{ #Delete excess files rm C:\IR\TScopy_x64.exe #Tree for a directory map tree C:\IR /f >> C:\IR\tree_output.txt -
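Review bot: The new `rm C:\IR\TScopy_x64.exe` line in Zip_Collected uses the `rm` alias while the rest of the function spells out `Remove-Item`; for consistency and to cope with a read-only attribute on the downloaded binary I would write it as `Remove-Item -Path C:\IR\TScopy_x64.exe -Force`. An earlier Dec 30 revision below also purged `*.pickle` files from `C:\IR` before zipping; if TScopy still writes those alongside its output, they will now end up in the archive, so that is worth confirming. The remainder of Zip_Collected lies outside this hunk.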
Purp1eW0lf revised this gist
Jan 7, 2023 . 1 changed file with 7 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -4,7 +4,10 @@ Meta Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf) Company: Huntress Labs Purpose: Automate collecting Windows Registry hives, including related .DATs for all users. Notes: Will trigger AV as it's technically credential dumping. Also relies on having internet access, to wget TSCopy Kudos for TrustedSec's TScopy.exe tool, which this script leverages: https://github.com/trustedsec/tscopy #> # check admin function admin_check{ @@ -65,14 +68,14 @@ function Zip_Collected{ # Get current user's desktop to save zip to. $DesktopPath = [Environment]::GetFolderPath("Desktop") Get-ChildItem -Path C:\ir | Compress-Archive -DestinationPath $DesktopPath\Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip write-host "`n`nYour ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip`n`n" -ForegroundColor green ; # Clean up C:\IR on host after ZIP Remove-Item "C:\IR" -Recurse -force # Open up dir sleep 2; ii "$DesktopPath\Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" } #Execute main function in silence -
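Review bot: `Remove-Item "C:\IR" -Recurse -force` in the second hunk runs unconditionally after `Compress-Archive`, and since Collect_via_Reg sets `$ErrorActionPreference = "SilentlyContinue"` (presumably inherited by this function), a failed archive step would delete the only copy of the collected hives without any message. The same date expression is also evaluated three separate times (destination, `write-host`, `ii`), which yields different names if the run crosses midnight. Compute the path once, then guard the cleanup on the archive actually existing; the rewritten tail of Zip_Collected is below. The same unconditional cleanup appears in the Dec 30 hunks `@@ -65,8 +65,8 @@` and `@@ -58,22 +58,18 @@` further down this page.
```powershell
# … unchanged: tree map, $DesktopPath lookup …
$zipPath = "$DesktopPath\Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip"
Get-ChildItem -Path C:\ir | Compress-Archive -DestinationPath $zipPath
write-host "`n`nYour ZIP is waiting at: " -NoNewline; write-host "$zipPath`n`n" -ForegroundColor green
# Never delete the staging directory unless the archive verifiably exists
if (-not (Test-Path -LiteralPath $zipPath)) { Write-Warning "Archive was not created; leaving C:\IR in place"; return }
Remove-Item "C:\IR" -Recurse -Force
sleep 2; ii $zipPath
```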
Purp1eW0lf revised this gist
Jan 7, 2023 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,6 +1,6 @@ <# Meta Date: 2022 January 7th Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf) Company: Huntress Labs Purpose: Automate collecting Windows Registry hives, including related .DATs for all users. -
Purp1eW0lf revised this gist
Jan 1, 2023 . 1 changed file with 2 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,7 +3,8 @@ Meta Date: 2022 December 30th Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf) Company: Huntress Labs Purpose: Automate collecting Windows Registry hives, including related .DATs for all users. Notes: Will trigger AV as it's technically credential dumping. Also relies on having internet access, to wge TSCopy #> # check admin function admin_check{ -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -41,8 +41,8 @@ function Collect_via_Reg{ ## TSCopy for further registry hives function Collect_via_TSCopy{ # pull TScropy exe this way, because invoke-webrequests progress bar is slow and I am a bad scripter (New-Object Net.WebClient).DownloadFile("https://github.com/trustedsec/tscopy/raw/master/dist/TScopy_x64.exe", "C:\ir\TScopy_x64.exe"); # each user's ntuser.dat C:\ir\TScopy_x64.exe -f c:\users\*\ntuser.dat* -o C:\ir\Collected_ntuser_files -
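Review bot: The `DownloadFile` call pulls `TScopy_x64.exe` from the mutable `raw/master` path and the next line executes it as Administrator with no integrity check, so whatever that URL serves at run time is what runs on the host. Pin the URL to a tagged release or commit hash and verify the file before invoking it, e.g. `if ((Get-FileHash C:\ir\TScopy_x64.exe -Algorithm SHA256).Hash -ne $ExpectedSha256) { throw "TScopy_x64.exe hash mismatch" }`, where `$ExpectedSha256` is a placeholder for the published hash. A `Test-Path C:\ir\TScopy_x64.exe` check is also needed: a failed download presumably goes unreported under the `SilentlyContinue` preference set in Collect_via_Reg, and the script would then try to run a binary that is not there. The rest of Collect_via_TSCopy continues outside the hunk.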
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -68,7 +68,7 @@ function Zip_Collected{ write-host "`n`nYour ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\Huntress_Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip`n`n" -ForegroundColor green ; # Clean up C:\IR on host after ZIP Remove-Item "C:\IR" -Recurse -force # Open up dir sleep 2; ii "$DesktopPath\Huntress_Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -59,7 +59,7 @@ function Collect_via_TSCopy{ function Zip_Collected{ #Tree for a directory map tree C:\IR /f >> C:\IR\tree_output.txt # Get current user's desktop to save zip to. $DesktopPath = [Environment]::GetFolderPath("Desktop") -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 4 additions and 5 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -25,10 +25,10 @@ function Collect_via_Reg{ $ErrorActionPreference = "SilentlyContinue" $progressPreference = 'silentlyContinue' # Make the various directories, to be neat and tidy mkdir c:\ir, C:\ir\Collected_ntuser_files, C:\ir\Collected_UsrClass_files, C:\ir\amcache # save the registry files reg save HKLM\Software c:\ir\Software reg save HKLM\System c:\ir\System reg save HKLM\SECURITY c:\ir\SECURITY @@ -41,8 +41,7 @@ function Collect_via_Reg{ ## TSCopy for further registry hives function Collect_via_TSCopy{ # pull TScropy exe wget -useb https://github.com/trustedsec/tscopy/raw/master/dist/TScopy_x64.exe -outfile C:\ir\TScopy_x64.exe # each user's ntuser.dat -
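Review bot: The `mkdir c:\ir, ...` line in the first hunk stages copies of the SAM and SECURITY hives (the `reg save` lines that follow) in a directory created straight under the drive root, with whatever ACL it inherits from `C:\`; on a default install that presumably leaves the staged hives readable by non-administrator accounts until Zip_Collected deletes them. Tighten the ACL immediately after creation, e.g. `icacls C:\ir /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" | Out-Null`. The `reg save` calls also run under `$ErrorActionPreference = "SilentlyContinue"` with no look at `$LASTEXITCODE`, so a hive that fails to export is simply absent from the archive; record each exit code and a `Get-FileHash` of every produced file into a manifest inside `C:\ir` so the collection can be verified afterwards. Collect_via_Reg starts before this hunk.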
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -19,7 +19,7 @@ function admin_check{ # Collect basic hives function Collect_via_Reg{ #print to re-assure user things are happening until ZIP write-host "`n`nHuntress "-NoNewline -ForegroundColor green ; write-host "Registry collection script is running...`n`n"; #Ensure errors don't ruin anything for us $ErrorActionPreference = "SilentlyContinue" -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -65,8 +65,8 @@ function Zip_Collected{ # Get current user's desktop to save zip to. $DesktopPath = [Environment]::GetFolderPath("Desktop") Get-ChildItem -Path C:\ir | Compress-Archive -DestinationPath $DesktopPath\Huntress_Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip write-host "`n`nYour ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\Huntress_Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip`n`n" -ForegroundColor green ; # Clean up C:\IR on host after ZIP # Remove-Item "C:\IR" -Recurse -force -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -60,7 +60,7 @@ function Collect_via_TSCopy{ function Zip_Collected{ #Tree for a directory map tree /f >> C:\IR\tree_output.txt # Get current user's desktop to save zip to. $DesktopPath = [Environment]::GetFolderPath("Desktop") @@ -72,7 +72,7 @@ function Zip_Collected{ # Remove-Item "C:\IR" -Recurse -force # Open up dir sleep 2; ii "$DesktopPath\Huntress_Registry_Collection_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" } #Execute main function in silence -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 5 additions and 9 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -58,22 +58,18 @@ function Collect_via_TSCopy{ # zip it all up function Zip_Collected{ #Tree for a directory map tree /f >> tree_output.txt # Get current user's desktop to save zip to. $DesktopPath = [Environment]::GetFolderPath("Desktop") Get-ChildItem -Path C:\ir | Compress-Archive -DestinationPath $DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip write-host "`n`nYour ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip`n`n" -ForegroundColor green ; # Clean up C:\IR on host after ZIP # Remove-Item "C:\IR" -Recurse -force # Open up dir sleep 2; ii "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -19,7 +19,7 @@ function admin_check{ # Collect basic hives function Collect_via_Reg{ #print to re-assure user things are happening until ZIP write-host "`n`nHuntress: "-NoNewline -ForegroundColor green ; write-host "Registry collection script is running...`n`n"; #Ensure errors don't ruin anything for us $ErrorActionPreference = "SilentlyContinue" @@ -69,7 +69,7 @@ function Zip_Collected{ $DesktopPath = [Environment]::GetFolderPath("Desktop") Get-ChildItem -Path C:\ir | Compress-Archive -DestinationPath $DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip write-host "`n`nYour ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip`n`n" -ForegroundColor green ; # Clean up C:\IR on host after ZIP Remove-Item "C:\IR" -Recurse -force -
Purp1eW0lf revised this gist
Dec 30, 2022 . No changes.There are no files selected for viewing
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 6 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -18,7 +18,9 @@ function admin_check{ # Collect basic hives function Collect_via_Reg{ #print to re-assure user things are happening until ZIP write-host "\nHuntress: "-NoNewline -ForegroundColor green ; write-host "Registry collection script is running...\n\n"; #Ensure errors don't ruin anything for us $ErrorActionPreference = "SilentlyContinue" $progressPreference = 'silentlyContinue' @@ -69,8 +71,9 @@ function Zip_Collected{ Get-ChildItem -Path C:\ir | Compress-Archive -DestinationPath $DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip write-host "Your ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -ForegroundColor magenta ; # Clean up C:\IR on host after ZIP Remove-Item "C:\IR" -Recurse -force # Open up dir sleep 2; ii "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -70,7 +70,7 @@ function Zip_Collected{ write-host "Your ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -ForegroundColor magenta ; # Clean up C:\IR after ZIP rm -r -fo {C:\IR} # Open up dir sleep 2; ii "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 2 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -61,8 +61,7 @@ function Zip_Collected{ #Tree for a directory map as it gets confusing tree /f >> tree_output.txt #And clean up unnecessary files gci C:\IR -Recurse -Force -File -Include *.pickle, TScopy_x64.exe | Remove-Item -Force -Confirm:$false # Get current user's desktop to save zip to. $DesktopPath = [Environment]::GetFolderPath("Desktop") @@ -71,7 +70,7 @@ function Zip_Collected{ write-host "Your ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -ForegroundColor magenta ; # Clean up C:\IR after ZIP Get-ChildItem -Path C:\ir -recurse | Remove-Item -Force -Confirm:$false # Open up dir sleep 2; ii "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -62,7 +62,7 @@ function Zip_Collected{ tree /f >> tree_output.txt #And clean up unnecessary files Rm C:\ir\TScopy_x64.exe gci C:\IR -Recurse -Force -File -Include *.pickle | Remove-Item -Force -Confirm:$false # Get current user's desktop to save zip to. $DesktopPath = [Environment]::GetFolderPath("Desktop") -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 12 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -49,21 +49,29 @@ function Collect_via_TSCopy{ C:\ir\TScopy_x64.exe -f C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat* -o C:\ir\Collected_UsrClass_files # collect amcache hive C:\ir\TScopy_x64.exe -f C:\Windows\AppCompat\Programs\Amcache.hve -o C:\ir\amcache # Next stage Zip_Collected } # zip it all up function Zip_Collected{ #Clean up before zip #Tree for a directory map as it gets confusing tree /f >> tree_output.txt #And clean up unnecessary files Rm C:\ir\TScopy_x64.exe gci C:\IR -Recurse -Force -File -Include *.pickle | remove-item # Get current user's desktop to save zip to. $DesktopPath = [Environment]::GetFolderPath("Desktop") Get-ChildItem -Path C:\ir | Compress-Archive -DestinationPath $DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip write-host "Your ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -ForegroundColor magenta ; # Clean up C:\IR after ZIP Get-ChildItem -Path C:\ir | Remove-Item -Force -Confirm:$false # Open up dir sleep 2; ii "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 3 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -48,10 +48,10 @@ function Collect_via_TSCopy{ # each user's usrclass.dat C:\ir\TScopy_x64.exe -f C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat* -o C:\ir\Collected_UsrClass_files # collect amcache hive C:\ir\TScopy_x64.exe -f C:\Windows\AppCompat\Programs\Amcache.hve -o C:\ir\amcache # Next stage Zip_Collected } # zip it all up -
Purp1eW0lf revised this gist
Dec 30, 2022 . 1 changed file with 10 additions and 6 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -23,7 +23,10 @@ function Collect_via_Reg{ $ErrorActionPreference = "SilentlyContinue" $progressPreference = 'silentlyContinue' Make the various directories, to be neat and tidy mkdir c:\ir, C:\ir\Collected_ntuser_files, C:\ir\Collected_UsrClass_files, C:\ir\amcache reg save HKLM\Software c:\ir\Software reg save HKLM\System c:\ir\System reg save HKLM\SECURITY c:\ir\SECURITY @@ -37,14 +40,15 @@ function Collect_via_Reg{ function Collect_via_TSCopy{ ## Not sure yet if we want to provide tscopy executable, or have them pull it. I am leaning on the former. wget -useb https://github.com/trustedsec/tscopy/raw/master/dist/TScopy_x64.exe -outfile C:\ir\TScopy_x64.exe # each user's ntuser.dat C:\ir\TScopy_x64.exe -f c:\users\*\ntuser.dat* -o C:\ir\Collected_ntuser_files # each user's usrclass.dat C:\ir\TScopy_x64.exe -f C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat* -o C:\ir\Collected_UsrClass_files # collect amcache hive C:\ir\TScopy_x64.exe -f C:\Windows\AppCompat\Programs\Amcache.hve -o ./C:\ir\Amcache # Next stage Zip_Collected @@ -59,7 +63,7 @@ function Zip_Collected{ write-host "Your ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -ForegroundColor magenta ; # Clean up #Get-ChildItem -Path C:\ir -recurse | Remove-Item -Force -Confirm:$false # Open up dir sleep 2; ii "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -
Purp1eW0lf created this gist
Dec 30, 2022 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change 
@@ -0,0 +1,69 @@ <# Meta Date: 2022 December 30th Authors: Harlan Carvey (Twitter @keydet89) and Dray Agha (Twitter @purp1ew0lf) Company: Huntress Labs Purpose: Automate collecting Windows Registry hives, including related .DATs for all users. #> # check admin function admin_check{ if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(` [Security.Principal.WindowsBuiltInRole] "Administrator")) { Write-Warning "Insufficient permissions. Run this Powershell script as Admin please" Break } # if we're all good, let's fire it off else {Collect_via_Reg} } # Collect basic hives function Collect_via_Reg{ #Ensure errors don't ruin anything for us $ErrorActionPreference = "SilentlyContinue" $progressPreference = 'silentlyContinue' mkdir c:\ir reg save HKLM\Software c:\ir\Software reg save HKLM\System c:\ir\System reg save HKLM\SECURITY c:\ir\SECURITY reg save HKLM\SAM C:\ir\SAM #Next Stage Collect_via_TSCopy } ## TSCopy for further registry hives function Collect_via_TSCopy{ ## Not sure yet if we want to provide tscopy executable, or have them pull it. I am leaning on the former. 
## wget -useb https://github.com/trustedsec/tscopy/raw/master/dist/TScopy_x64.exe -outfile ./TScopy_x64.exe # each user's ntuser.dat ./TScopy_x64.exe -f c:\users\*\ntuser.dat* -o C:\ir\Collected_ntuser_files # each user's usrclass.dat .\TScopy_x64.exe -f C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat* -o C:\ir\Collected_UsrClass_files # collect amcache hive .\TScopy_x64.exe -f C:\Windows\AppCompat\Programs\Amcache.hve -o ./C:\ir\Amcache # Next stage Zip_Collected } # zip it all up function Zip_Collected{ $DesktopPath = [Environment]::GetFolderPath("Desktop") Get-ChildItem -Path C:\ir | Compress-Archive -DestinationPath $DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip write-host "Your ZIP is waiting at: "-NoNewline; write-host "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" -ForegroundColor magenta ; # Clean up Get-ChildItem -Path C:\ir | Remove-Item -Force -Confirm:$false # Open up dir sleep 2; ii "$DesktopPath\IR_$(Get-Date -UFormat "%Y_%b_%d_%a_UTC%Z").zip" } #Execute main function in silence Admin_Check | out-null
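Review bot: In admin_check the non-administrator branch ends with `Break`, which is not inside a loop; PowerShell unwinds looking for an enclosing loop and ends up terminating the calling script, so the stop works only by accident and behaves differently if the function is called from a loop or an interactive session. After the `Write-Warning`, use an explicit `exit 1` (or `return` and have the caller check the result) instead. The entry line `Admin_Check | out-null` additionally discards the success stream of every downstream command, including the `reg save` output, so together with `$ErrorActionPreference = "SilentlyContinue"` nothing reports which hives were actually exported; dropping `| out-null` or emitting a per-hive status with `Write-Host` would fix that. As far as the hunks above show, admin_check is not touched again in later revisions, so the `Break` appears to survive to the current version.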