Data Collection Commands

To collect data on the scanned computer, create a FixIt! tool.

Data collection commands are used to get data on objects that were not included in the report during the regular data collection. To collect data on a specific object, add a data collection command to the script manually. Listed below are the available data collection commands. To view the list of commands in the web service, click Commands on the FixIt! tool tab.

Command

Description

inspect-fs [-r] <Path>

Collect information about the file or directory.

If the -r option is specified, data on the specified directory will be collected, as well as data on each file and subdirectory recursively.

The files go to the ARTEFACTS directory.

Example:

inspect-fs -r "C:\Malware"

Masks are supported in the file name.

inspect-reg <SID> <Key path>

Collect information about the registry key.

Example:

inspect-reg HKLM "SOFTWARE\Malware"

inspect-proc --pid <PID> / --imagename <Name> / --imagepath <Path> / --cmdline <Command line>

Collect information about the processes.

The files go to the ARTEFACTS directory.

Example:

inspect-proc --imagename win32calc.exe

inspect-disk <Disk ID> <Sector> <Number>

Collect information about the disk sectors.

The files go to the ARTEFACTS directory.

Example:

inspect-disk 0 10 2

inspect-drv --imagebase <Image base> / --imagesize <Image size> / --imagename <Name> / --imagepath <Path>

Collect information about the drivers with a specified base, size, name, or path to a file.

The files go to the ARTEFACTS directory.

Example:

inspect-drv --imagebase 0xfffff8064e540000