Need help with PoSh-R2?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

242 Stars 60 Forks Apache License 2.0 91 Commits 0 Opened issues


PowerShell - Rapid Response... For the incident responder in you!

Services available


Need anything else?

Contributors list

# 441,392
57 commits

PoSh-R2PowerShell - Rapid Response (PoSH-R2)... For the incident responder in you!

PoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges and authentication is done via a Network logon. Retreived data is written to CSVs and SQLite databases on the system running the script.

In a single execution, PoSH-R2 will retrieve the following data from an individual machine or a group of systems:

    - Autorun entries
    - Disk info
    - Environment variables
    - Event logs (50 lastest)
    - Installed Software
    - Logon sessions
    - List of drivers
    - List of mapped network drives
    - List of running processes
    - Logged in user
    - Local groups
    - Local user accounts
    - Network configuration
    - Network connections
    - Patches
    - Scheduled tasks with AT command
    - Shares
    - Services
    - System Information


  1. Call upon the script from a PowerShell window with applicable rights for WMI and follow the prompts.
  2. Data will be saved to a new directory called "PoSH_R2--Results" within the same directory from which this script was executed from.
    # Additional Notes
  3. This script will work with PowerShell version 2 and above


Running the script
Alt text

A listing of the results written to csv files
Alt text

A listing of the databases
Alt text

Reading the data back into PowerShell using out-gridview (import-csv .<some_file.csv> | out-gridview)
Alt text

Filtering only on splunk.exe. From the screenshot, we see it is running on six systems
Alt text

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.