@echo off
rem .
rem ADCS Large Database Collector
rem Copyright (c) 2015-2021, Tristan Kington, Microsoft Corp
setlocal
rem Invocation:
rem LargeCollector.CMD <CLEARLOG>
rem LargeCollector.CMD <OutputFilename> <mode> [[DateToday] [DateAMonthAgo]]
rem   argument 1 - REQUIRED: the literal CLEARLOG, or the output file name
rem   argument 2 - collector mode (Issued, Active, etc - see the Usage text)
rem   argument 3 - OPTIONAL on W2008R2 and later: today's date
rem   argument 4 - OPTIONAL on W2008R2 and later: the date a month ago
set "_Version=6.02.01"
rem .
rem _ADCSPAGESIZE is the span of RequestIDs requested from certutil per query.
rem On slow or shared IO a large page can be orders of magnitude slower; the
rem collector retries once with _FALLBACKPAGESIZE, which may need lowering too.
set "_ADCSPAGESIZE=50000"
set "_FALLBACKPAGESIZE=1000"
rem The progress log, watermark file and find scratch file all live in the
rem current directory. To keep the progress log beside the output file instead,
rem build its path from the drive and folder of argument 1.
set "_PROGRESSLOGFILE=.\_LargeDBProgress.log"
set "_WATERMARKFILE=.\HighWaterMark.TXT"
set "_FINDTEMP=.\_Findtemp.txt"
rem LEGACY becomes 1 on 2003/2008; FALLBACKCOUNT becomes 1 after one retry.
set "LEGACY=0"
set "FALLBACKCOUNT=0"
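:ClearLogFile
rem CLEARLOG mode: truncate the shared progress log and stop.
rem The tilde form of each argument strips surrounding quotes, so a quoted
rem output path that contains spaces no longer breaks these comparisons.
if "%~1"=="CLEARLOG" echo. > %_PROGRESSLOGFILE%
if "%~1"=="CLEARLOG" goto ExitNow
:CheckUsage
rem Both the output file name and the mode are mandatory.
if "%~1"=="" goto Usage
if "%~2"=="" goto Usage
rem The mode is later used as a goto target. Accept only the labels that
rem implement a query, so a mistyped or unexpected value shows the usage text
rem here, before the output file has been touched, instead of jumping to an
rem unrelated label or aborting the script part-way through a run.
set "_ModeOK="
for %%m in (Issued Issued30Day Active Failed Failed30Day Denied Denied30Day Revoked Revoked30Day Pending) do if /I "%~2"=="%%m" set "_ModeOK=1"
if not defined _ModeOK goto Usage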
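:GetHighWatermark
rem _HighWaterMark is just the highest item ID, not the count of items of type X
SET _HighWaterMark=0
SET _Count=0
SET /A "_Range=_ADCSPAGESIZE"
SET _Total=0
rem Avoid CSV for 2003 and 2008, which ver reports as 5.2 and 6.0.
rem The pattern is anchored with a leading space and a trailing dot so that it
rem only matches the major.minor at the start of the version number, never a
rem 5.2 or 6.0 that happens to appear across later build or revision fields.
ver | find " 5.2."
if %ERRORLEVEL%==0 SET LEGACY=1
ver | find " 6.0."
if %ERRORLEVEL%==0 SET LEGACY=1
if %LEGACY%==1 GOTO LEGACY2003
:CSV2008R2
rem Ask certutil for the last RequestID as CSV and keep it as the watermark.
rem FOR /F visits every line of the file, so the value left in _HighWaterMark
rem comes from the last line that SET /A can evaluate.
certutil -view -restrict "RequestID=$" -out RequestID csv > %_WATERMARKFILE%
FOR /F "tokens=1" %%i in (%_WATERMARKFILE%) do SET /A _HighWaterMark=%%i
rem Relative dates understood by certutil on this path: now, and 30 days back.
SET _NOW=now
SET _MonthAgo=now-30:00
goto Collection
:LEGACY2003
rem Plain-text path: keep only the "Issued Request ID:" line and take the
rem second field when the line is split on parentheses and colons.
rem NOTE(review): presumably that field is the ID itself - confirm against the
rem certutil output on a legacy CA.
certutil -view -restrict "RequestID=$" -out RequestID > .\HighRequestID.TXT
findstr /C:"Issued Request ID:" .\HighRequestID.TXT > %_WATERMARKFILE%
FOR /F "delims=(): tokens=2" %%i in (%_WATERMARKFILE%) do SET /A _HighWaterMark=%%i
rem On this path the dates come from arguments 3 and 4. They are not checked
rem here, so the Active and 30Day modes build an incomplete restriction when
rem the caller leaves them out.
set _NOW=%3
set _MonthAgo=%4
goto Collection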
:FallBack
rem Reached from ContinueLoop after a certutil error on the first attempt.
rem If you got here, you failed 50K record collection, so we're trying again with a 1000 pagesize
rem THIS WILL TAKE LONGER
rem Shrink the page to the fallback size and restart the ID window from zero.
Set _ADCSPAGESIZE=%_FALLBACKPAGESIZE%
SET /A "_Range=_ADCSPAGESIZE"
SET /A _Count=0
rem Record that the single retry has been used; ContinueLoop gives up on the
rem next error instead of coming back here.
SET FALLBACKCOUNT=1
echo =============================================================== >> %_PROGRESSLOGFILE%
echo %DATE% %TIME% - HELLO AGAIN LARGE COLLECTOR %_Version% >> %_PROGRESSLOGFILE%
echo Re running with page size %_ADCSPAGESIZE% ================================ >> %_PROGRESSLOGFILE%
rem Collection overwrites the output file, so rows gathered before the
rem failure are discarded and the whole range is collected again.
goto Collection
:Collection
rem Start of a collection pass. The single redirect below creates or
rem overwrites the output file named by argument 1 with a timestamp header;
rem every later write to that file appends.
echo %DATE% %TIME% > %1
echo. >> %1
rem Append a run header to the progress log: version, mode, target file,
rem high watermark and page size for this pass.
echo --------------------------------------------------------------- >> %_PROGRESSLOGFILE%
echo %DATE% %TIME% - HELLO LARGE COLLECTOR %_Version% >> %_PROGRESSLOGFILE%
echo %DATE% %TIME% - Running in %2 mode to %1 >> %_PROGRESSLOGFILE%
echo %DATE% %TIME% - High watermark is %_HighWaterMark% >> %_PROGRESSLOGFILE%
echo %DATE% %TIME% - Page size is %_ADCSPAGESIZE% >> %_PROGRESSLOGFILE%
echo %DATE% %TIME% - Starting... >> %_PROGRESSLOGFILE%
rem echo Large Database Collector - this may take a LONG time.
rem echo (Estimate from time to do one set.)
:LoopStart
rem Top of the paging loop. Each pass queries RequestIDs above _Count up to
rem and including _Range.
rem Clamp the upper bound so the final page stops at the high watermark.
if %_Range% GTR %_HighWaterMark% SET _Range=%_HighWaterMark%
rem Report the current window on the console and in the progress log.
echo %DATE% %TIME% - %_Count% to %_Range% of %_HighWaterMark%
echo %DATE% %TIME% - %_Count% to %_Range% of %_HighWaterMark% >> %_PROGRESSLOGFILE%
rem NOTE(review): CommonFields is assigned here but the mode handlers in this
rem script spell their column lists out instead of reading it.
set CommonFields=Request.RequestID,certificatetemplate,notafter,commonname,ext:2.5.29.17,Request.SubmittedWhen
rem Dispatch on the mode: goto only succeeds when argument 2 names a label in
rem this file, and the mode handlers that follow are the intended targets.
goto %2
rem Mode handlers. Each one runs a single certutil -view query for the current
rem RequestID window, above _Count and up to _Range, appends the result to the
rem output file named by argument 1, then jumps to ContinueLoop.
rem Disposition values used below: 20 issued, 21 revoked, 30 failed,
rem 31 denied, 9 pending. ext:2.5.29.17 is the Subject Alternative Name
rem extension. The 30Day variants add a SubmittedWhen lower bound of _MonthAgo.
rem NOTE(review): the Failed30Day and Denied30Day column lists differ from
rem their non-30Day counterparts - confirm consumers expect that.
:Issued
rem Issued certificates, including ones that have since expired.
certutil -view -restrict "RequestID>%_Count%,RequestID<=%_Range%,disposition=20" -out Request.RequestID,certificatetemplate,notafter,commonname,ext:2.5.29.17,Request.SubmittedWhen,Request.RequesterName >> %1
goto ContinueLoop
:Issued30Day
rem Issued certificates submitted after _MonthAgo.
certutil -view -restrict "Request.SubmittedWhen>%_MonthAgo%,RequestID>%_Count%,RequestID<=%_Range%,disposition=20" -out Request.RequestID,certificatetemplate,notafter,commonname,ext:2.5.29.17,Request.SubmittedWhen,Request.RequesterName >> %1
goto ContinueLoop
:Active
rem Issued certificates whose NotAfter is later than _NOW.
certutil -view -restrict "RequestID>%_Count%,RequestID<=%_Range%,NotAfter>%_now%,disposition=20" -out Request.RequestID,certificatetemplate,notafter,commonname,ext:2.5.29.17,Request.SubmittedWhen,Request.RequesterName >> %1
goto ContinueLoop
:Failed
rem Failed requests, with the status code of the failure.
certutil -view -restrict "RequestID>%_Count%,RequestID<=%_Range%,disposition=30" -out Request.RequestID,certificatetemplate,Request.RequesterName,Request.SubmittedWhen,Request.StatusCode >> %1
goto ContinueLoop
:Failed30Day
rem Failed requests submitted after _MonthAgo.
certutil -view -restrict "Request.SubmittedWhen>%_MonthAgo%,RequestID>%_Count%,RequestID<=%_Range%,disposition=30" -out Request.RequestID,Request.SubmittedWhen,Request.commonname,ext:2.5.29.17,certificatetemplate,Request.RequesterName,Request.StatusCode >> %1
goto ContinueLoop
:Denied
rem Denied requests.
certutil -view -restrict "RequestID>%_Count%,RequestID<=%_Range%,disposition=31" -out Request.RequestID,certificatetemplate,Request.SubmittedWhen,Request.RequesterName,Request.CommonName,Request.StatusCode >> %1
goto ContinueLoop
:Denied30Day
rem Denied requests submitted after _MonthAgo.
certutil -view -restrict "Request.SubmittedWhen>%_MonthAgo%,RequestID>%_Count%,RequestID<=%_Range%,disposition=31" -out Request.RequestID,Request.SubmittedWhen,Request.commonname,ext:2.5.29.17,certificatetemplate,Request.RequesterName,Request.StatusCode >> %1
goto ContinueLoop
:Revoked
rem Revoked certificates, with both revocation timestamps.
certutil -view -restrict "RequestID>%_Count%,RequestID<=%_Range%,disposition=21" -out Request.RequestID,certificatetemplate,commonname,ext:2.5.29.17,Request.SubmittedWhen,notafter,Request.RevokedWhen,Request.RevokedEffectiveWhen >> %1
goto ContinueLoop
:Revoked30Day
rem Revoked certificates whose request was submitted after _MonthAgo. The
rem date filter is on submission, not on the revocation time.
certutil -view -restrict "Request.SubmittedWhen>%_MonthAgo%,RequestID>%_Count%,RequestID<=%_Range%,disposition=21" -out Request.RequestID,certificatetemplate,commonname,ext:2.5.29.17,Request.SubmittedWhen,notafter,Request.RevokedWhen,Request.RevokedEffectiveWhen >> %1
goto ContinueLoop
:Pending
rem Requests still awaiting a decision.
rem NOTE(review): the column list ends with a trailing comma - confirm
rem certutil tolerates it on every supported release.
certutil -view -restrict "RequestID>%_Count%,RequestID<=%_Range%,disposition=9" -out Request.RequestID,certificatetemplate,Request.Commonname,ext:2.5.29.17,Request.SubmittedWhen, >> %1
goto ContinueLoop
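:ContinueLoop
rem Runs after every page query. ERRORLEVEL still holds the exit code of the
rem certutil call, because the goto that brought us here does not change it.
rem The error test comes before the end-of-range test so that a failure on the
rem final page is reported and retried as well, rather than being written out
rem with a row count trailer as if the collection had completed.
IF %ERRORLEVEL% NEQ 0 (
    echo %DATE% %TIME% - %_Count% to %_Range% of %_HighWaterMark% - ### Error Occurred - %ERRORLEVEL%
    echo %DATE% %TIME% - %_Count% to %_Range% of %_HighWaterMark% - ### Error Occurred - %ERRORLEVEL% >> %_PROGRESSLOGFILE%
    if %FALLBACKCOUNT% EQU 0 (
        rem First failure: retry the whole range with the smaller page size.
        goto FallBack
    ) ELSE (
        rem Nowhere to go from here except down.
        echo ### ERROR ### Didn't survive fallback - try a lower set of page sizes
        echo %DATE% %TIME% - ### ERROR ### Didn't survive 1 fallback - try a lower set of page sizes >> %_PROGRESSLOGFILE%
        goto ExitNow
    )
)
rem The page succeeded. Finish once the window has reached the high watermark.
if %_Range%==%_HighWaterMark% goto End
rem Otherwise slide the window forward by one page and query again.
SET /A "_Count+=_ADCSPAGESIZE"
SET /A "_Range+=_ADCSPAGESIZE"
goto LoopStart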
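:Usage
rem Print the command-line help and exit without collecting anything.
rem The mode names listed here are the labels the dispatcher jumps to; the
rem month-limited ones are spelled with the full 30Day suffix because a
rem shorter name has no matching label in this script.
echo.
echo Usage
echo =====
echo.
echo LargeCollector.CMD CLEARLOG
echo LargeCollector.CMD ^<OutputFilename^> ^<mode^> [[DateToday]
echo [DateAMonthAgo]]
echo.
echo OutputFilename - path and filename to send output to
echo CLEARLOG - clears the global progress log.
echo.
echo Mode - can be one of: Issued, Issued30Day, - non-revoked certs in db
echo Active - non-expired non-revoked
echo Revoked, Revoked30Day,
echo Failed, Failed30Day,
echo Denied, Denied30Day,
echo Pending
echo.
echo '30Day' modes work on Windows Server 2008 R2
echo or later only, unless the [Date]s are provided
echo.
echo This release backs off from 50K records to 1K records per certutil
echo query, in order to account for the slowest CAs observed (poor IO).
goto ExitNow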
:End
:AppendRowCount
rem Reached only after the last page succeeded. Count the collected rows and
rem append a trailer to the output file named by argument 1.
echo %DATE% %TIME% - Checking item counts... >> %_PROGRESSLOGFILE%
rem Copy every output line that starts with "Row " into the scratch file.
findstr "^Row " %1 > %_FINDTEMP%
rem find /C prints a dashed banner, the file name and then the count, so the
rem third whitespace-separated token is the number. This relies on the scratch
rem file path containing no spaces.
for /f "tokens=3" %%k in ('find /C "Row" %_FINDTEMP%') do set _RowCount=%%k
del %_FINDTEMP%
echo %DATE% %TIME% - Completed >> %_PROGRESSLOGFILE%
rem Trailer: blank line, finish timestamp, blank line, then the row count.
echo. >> %1
echo %DATE% %TIME% >> %1
echo. >> %1
echo _ADCS_ROW_COUNT: %_RowCount% >> %1
rem ExitNow is also the direct target for CLEARLOG, the usage text and a
rem failed retry; those paths skip the trailer above.
:ExitNow