$ErrorActionPreference = 'SilentlyContinue' Write-Output "=== HOST ===" Write-Output $env:COMPUTERNAME Write-Output "=== LOGGED-ON USER ===" query user 2>$null Write-Output "" Write-Output "=== INSTALLED DATTO/WORKPLACE PRODUCTS (uninstall keys) ===" $paths = @( 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' ) foreach ($p in $paths) { Get-ItemProperty $p -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*Datto*' -or $_.DisplayName -like '*Workplace*' } | ForEach-Object { Write-Output (" {0} | v{1} | {2}" -f $_.DisplayName, $_.DisplayVersion, $_.InstallLocation) } } Write-Output "" Write-Output "=== DATTO PROGRAM FOLDERS ===" Get-ChildItem 'C:\Program Files\Datto' -ErrorAction SilentlyContinue | ForEach-Object { Write-Output (" {0} (modified {1})" -f $_.Name, $_.LastWriteTime) } Write-Output "--- SmartBadge DLLs present ---" Get-ChildItem 'C:\Program Files\Datto' -Recurse -Filter 'DattoSmartBadgeShim*.dll' -ErrorAction SilentlyContinue | ForEach-Object { Write-Output (" {0}" -f $_.FullName) } Write-Output "" Write-Output "=== DATTO WORKPLACE SERVICES / PROCESSES ===" Get-Service -ErrorAction SilentlyContinue | Where-Object { $_.Name -like '*Datto*' -or $_.DisplayName -like '*Workplace*' } | ForEach-Object { Write-Output (" svc {0} [{1}] {2}" -f $_.Name, $_.Status, $_.DisplayName) } Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like '*Workplace*' -or $_.ProcessName -like '*Datto*' } | ForEach-Object { Write-Output (" proc {0} (pid {1}) {2}" -f $_.ProcessName, $_.Id, $_.Path) } Write-Output "" Write-Output "=== HKLM Excel Addins (Datto) ===" foreach ($base in @('HKLM:\Software\Microsoft\Office\Excel\Addins','HKLM:\Software\WOW6432Node\Microsoft\Office\Excel\Addins')) { Write-Output "[$base]" Get-ChildItem $base -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -like '*Datto*' } | ForEach-Object { Write-Output (" {0} LoadBehavior={1}" -f $_.PSChildName, (Get-ItemProperty $_.PSPath).LoadBehavior) } } Write-Output "" Write-Output "=== CLSID InprocServer32 (SmartBadge shims) ===" foreach ($clsid in @('{2B96EDC1-FDF3-47E1-B177-F205E7B98DF4}','{3C639243-95A2-400D-B4B4-4384DA7F61D3}')) { foreach ($base in @("HKLM:\Software\Classes\CLSID\$clsid\InprocServer32","HKLM:\Software\WOW6432Node\Classes\CLSID\$clsid\InprocServer32")) { $item = Get-Item $base -ErrorAction SilentlyContinue if ($item) { $def = $item.GetValue('') $tm = $item.GetValue('ThreadingModel') Write-Output (" {0}`n -> {1} [TM={2}]" -f $base, $def, $tm) } else { Write-Output (" {0}`n -> " -f $base) } } } Write-Output "" Write-Output "=== Active user hive: Excel addin LoadBehavior + Resiliency ===" Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'S-1-12-1-|S-1-5-21-' -and $_.Name -notmatch '_Classes$' } | ForEach-Object { $sid = $_.PSChildName $ua = "Registry::HKEY_USERS\$sid\Software\Microsoft\Office\Excel\Addins" if (Test-Path $ua) { Get-ChildItem $ua -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -like '*Datto*' } | ForEach-Object { Write-Output (" [$sid] HKCU addin {0} LoadBehavior={1}" -f $_.PSChildName, (Get-ItemProperty $_.PSPath).LoadBehavior) } } $rb = "Registry::HKEY_USERS\$sid\Software\Microsoft\Office\16.0\Excel\Resiliency" if (Test-Path "$rb\DoNotDisableAddinList") { (Get-ItemProperty "$rb\DoNotDisableAddinList").PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object { Write-Output (" [$sid] DoNotDisable {0}={1}" -f $_.Name, $_.Value) } } if (Test-Path "$rb\DisabledItems") { $di = Get-Item "$rb\DisabledItems" if ($di.ValueCount -gt 0) { Write-Output (" [$sid] DisabledItems has {0} entries (Excel has disabled an add-in)" -f $di.ValueCount) } } } Write-Output "=== END RECON ==="