RemoteAdmin

Author: Drew Ervin, Mathias Frank, Andrew Rathbun, Phill Moore

description

Composite target for files related to remote administration tools

includes (30)

paths

120 paths from 30 targets
paths use Windows environment syntax

collection commands

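# PowerShell Artifact Collection Script
# Target: RemoteAdmin
# Run as Administrator
#
# Copies remote-administration tool artifacts from $SourceRoot into
# per-artifact folders under $DestBase using robocopy.

#Requires -RunAsAdministrator

# A missing artifact path must not end the run; non-terminating errors are
# reported and the script continues.
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
# Running totals, updated by Collect-Artifact and printed on the last line.
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

# Evidence must not be written to the volume it is collected from: every
# write changes the file system that is being examined.
$destRoot = [System.IO.Path]::GetPathRoot($DestBase).TrimEnd('\')
if ($destRoot -eq $SourceRoot.TrimEnd('\')) {
    throw "Destination '$DestBase' is on the source volume '$SourceRoot'. Point `$DestBase at a separate evidence volume."
}

# Create the destination root up front and stop if that fails. Otherwise a
# missing or read-only evidence drive only shows up as an Errors count after
# every copy has already failed.
$null = New-Item -ItemType Directory -Force -Path $DestBase -ErrorAction Stop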

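function Collect-Artifact {
    <#
    .SYNOPSIS
        Copies the files matching a mask from every directory matched by
        SourceDir into <DestBase>\<FolderName>, keeping the original path
        below that folder.
    .PARAMETER SourceDir
        Directory to collect from. Wildcards are allowed in any path segment.
    .PARAMETER FolderName
        Name of the per-artifact folder created under the script-level $DestBase.
    .PARAMETER FileMask
        robocopy file mask; defaults to every file.
    .NOTES
        Updates the script-level $Summary counters: Missed when the source
        does not exist or robocopy copied nothing, Copied when robocopy
        reports copied files, Errors when robocopy reports a failure
        (exit code 8 or higher).
        All robocopy output is discarded, so the run leaves no per-file log
        and no hashes; record those separately if the collection has to be
        verifiable later.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    # -Force lets a wildcard also match hidden directories, which Get-Item
    # leaves out by default.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        # Rebuild the source path below the artifact folder
        # (C:\Users\a\x -> <FullDest>\C\Users\a\x). Several sources can map to
        # one FolderName (wildcards, one folder per user, Windows.old); without
        # this, files with the same name overwrite each other and the copy no
        # longer shows where a file came from.
        $relative = ($src.FullName -replace '^([A-Za-z]):', '$1').Trim('\')
        $target = Join-Path -Path $FullDest -ChildPath $relative
        # /XJ: do not descend into junction points. Profile compatibility
        # junctions otherwise produce access-denied failures or duplicate data.
        robocopy $src.FullName $target $FileMask /E /XJ /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        $rc = $LASTEXITCODE
        if ($rc -ge 8) {
            # Bit 8 = some files could not be copied, bit 16 = fatal error.
            $Summary.Errors++
        } elseif ($rc -band 1) {
            # Bit 1 = at least one file was copied.
            $Summary.Copied++
        } else {
            # The directory exists but nothing matched the mask or nothing was copied.
            $Summary.Missed++
        }
    }
}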

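# Fixed (non-per-user) locations.
# Every path is built from $SourceRoot so the source drive is set in one place,
# the same way the per-user loop further down already does it.
# Collect-Artifact copies recursively, so a file mask applies to the named
# directory and to everything below it.
# Entries that read the same file names from a second location (Windows.old,
# the x86 Program Files tree, ProgramData) use their own folder name so that
# one copy cannot overwrite the other.

# 1. Action1 Client Application logs
Collect-Artifact -SourceDir "$SourceRoot\Windows\Action1\logs" -FileMask "*.log" -FolderName "Action1_Client_Application_logs"

# 2. Ammyy Program Data
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Ammyy" -FolderName "Ammyy_Program_Data"

# 3. AnyDesk Logs - ProgramData - *.trace
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\AnyDesk" -FileMask "*.trace" -FolderName "AnyDesk_Logs_ProgramData_trace"

# 4. AnyDesk Logs - ProgramData - *.conf
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\AnyDesk" -FileMask "*.conf" -FolderName "AnyDesk_Logs_ProgramData_conf"

# 5. AnyDesk Logs - ProgramData - connection_trace.txt
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\AnyDesk" -FileMask "connection_trace.txt" -FolderName "AnyDesk_Logs_ProgramData_connection_trace_txt"

# 6. AnyDesk Logs - System User Account
Collect-Artifact -SourceDir "$SourceRoot\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk" -FolderName "AnyDesk_Logs_System_User_Account"

# 7. AnyDesk File Transfer Logs - Installed as a Service
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\AnyDesk" -FileMask "file_transfer_trace.txt" -FolderName "AnyDesk_File_Transfer_Logs_Installed_as_a_Service"

# 8. Application Event Log XP
Collect-Artifact -SourceDir "$SourceRoot\Windows\System32\config" -FileMask "AppEvent.evt" -FolderName "Application_Event_Log_XP"

# 9. Application Event Log XP (Windows.old)
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\Windows\System32\config" -FileMask "AppEvent.evt" -FolderName "Application_Event_Log_XP_Windows_old"

# 10. Application Event Log Win7+
Collect-Artifact -SourceDir "$SourceRoot\Windows\System32\winevt\logs" -FileMask "application.evtx" -FolderName "Application_Event_Log_Win7"

# 11. Application Event Log Win7+ (Windows.old)
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\Windows\System32\winevt\logs" -FileMask "application.evtx" -FolderName "Application_Event_Log_Win7_Windows_old"

# 12. DWAgent Log Files
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\DWAgent*" -FileMask "*.log*" -FolderName "DWAgent_Log_Files"

# 13. ISL AlwaysOn Logs - Sessions List
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "session.xml" -FolderName "ISL_AlwaysOn_Logs_Sessions_List"

# 14. ISL AlwaysOn Logs - Sessions
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ISL Online\ISL AlwaysOn\sessions\*" -FileMask "trace.out" -FolderName "ISL_AlwaysOn_Logs_Sessions"

# 15. ISL AlwaysOn - App Logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "*.out" -FolderName "ISL_AlwaysOn_App_Logs"

# 16. ISL AlwaysOn - Email Configuration
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ISL Online\ISL AlwaysOn\status" -FileMask "tray" -FolderName "ISL_AlwaysOn_Email_Configuration"

# 17. ISL AlwaysOn - Configuration
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "StaticConfiguration.ini" -FolderName "ISL_AlwaysOn_Configuration"

# 18. ITarian
Collect-Artifact -SourceDir "$SourceRoot\Program Files\ITarian\Endpoint Manager\rmmlogs" -FolderName "ITarian"

# 19. ITarian (x86 Program Files)
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ITarian\Endpoint Manager\rmmlogs" -FolderName "ITarian_x86"

# 20. Comodo
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Comodo\Endpoint Manager\rmmlogs" -FolderName "Comodo"

# 21. ITarian (labelled ITarian in the target list; the path is the Comodo x86 install)
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\Comodo\Endpoint Manager\rmmlogs" -FolderName "Comodo_x86"

# 22. Kaseya Agent Endpoint Service Logs (XP)
Collect-Artifact -SourceDir "$SourceRoot\Documents and Settings\All Users\Application Data\Kaseya\Log\Endpoint" -FolderName "Kaseya_Agent_Endpoint_Service_Logs_XP"

# 23. Kaseya Agent Endpoint Service Logs
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Kaseya\Log\Endpoint" -FolderName "Kaseya_Agent_Endpoint_Service_Logs"

# 24. Kaseya Agent Service Log
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\Kaseya\*" -FileMask "agentmon.log*" -FolderName "Kaseya_Agent_Service_Log"

# 25. Kaseya Setup Log
Collect-Artifact -SourceDir "$SourceRoot\Windows\Temp" -FileMask "KASetup.log" -FolderName "Kaseya_Setup_Log"

# 26. Kaseya Setup Log (Windows.old)
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\Windows\Temp" -FileMask "KASetup.log" -FolderName "Kaseya_Setup_Log_Windows_old"

# 27. Kaseya Agent Edge Service Logs
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Kaseya\Log\KaseyaEdgeServices" -FolderName "Kaseya_Agent_Edge_Service_Logs"

# 28. Level RMM Client Application logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Level" -FileMask "*.log" -FolderName "Level_RMM_Client_Application_logs"

# 29. LogMeIn ProgramData Logs
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\LogMeIn\Logs" -FolderName "LogMeIn_ProgramData_Logs"

# 30. MeshAgent .msh (configuration) file
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Mesh Agent" -FileMask "*.msh" -FolderName "MeshAgent_msh_configuration_file"

# 31. MeshAgent log file
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Mesh Agent" -FileMask "*.log" -FolderName "MeshAgent_log_file"

# 32. Net Monitor Server Data
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Net Monitor for Employees Pro\data" -FolderName "Net_Monitor_Server_Data"

# 33. Net Monitor Server Config
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Net Monitor for Employees Pro\config" -FolderName "Net_Monitor_Server_Config"

# 34. Net Monitor Server Temp Folder
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Net Monitor for Employees Pro\tmp" -FolderName "Net_Monitor_Server_Temp_Folder"

# 35. Net Monitor Client Logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\Net Monitor for Employees Pro\log" -FolderName "Net_Monitor_Client_Logs"

# 36. Net Monitor Client Config
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\Net Monitor for Employees Pro\config" -FolderName "Net_Monitor_Client_Config"

# 37. Radmin Server 32bit Log
Collect-Artifact -SourceDir "$SourceRoot\Windows\SysWOW64\rserver30" -FileMask "Radm_log.htm" -FolderName "Radmin_Server_32bit_Log"

# 38. Radmin Server 64bit Log
Collect-Artifact -SourceDir "$SourceRoot\Windows\System32\rserver30" -FileMask "Radm_log.htm" -FolderName "Radmin_Server_64bit_Log"

# 39. Radmin Server 32bit Chats
Collect-Artifact -SourceDir "$SourceRoot\Windows\SysWOW64\rserver30\CHATLOGS\*" -FileMask "*.htm" -FolderName "Radmin_Server_32bit_Chats"

# 40. Radmin Server 64bit Chats
Collect-Artifact -SourceDir "$SourceRoot\Windows\System32\rserver30\CHATLOGS\*" -FileMask "*.htm" -FolderName "Radmin_Server_64bit_Chats"

# 41. RemoteConnectionManager Event Logs
Collect-Artifact -SourceDir "$SourceRoot\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-RemoteConnectionManager*" -FolderName "RemoteConnectionManager_Event_Logs"

# 42. RemoteConnectionManager Event Logs (Windows.old)
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-RemoteConnectionManager*" -FolderName "RemoteConnectionManager_Event_Logs_Windows_old"

# 43. LocalSessionManager Event Logs
Collect-Artifact -SourceDir "$SourceRoot\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-LocalSessionManager*" -FolderName "LocalSessionManager_Event_Logs"

# 44. LocalSessionManager Event Logs (Windows.old)
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-LocalSessionManager*" -FolderName "LocalSessionManager_Event_Logs_Windows_old"

# 45. RDPClient Event Logs
Collect-Artifact -SourceDir "$SourceRoot\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-RDPClient*" -FolderName "RDPClient_Event_Logs"

# 46. RDPClient Event Logs (Windows.old)
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-TerminalServices-RDPClient*" -FolderName "RDPClient_Event_Logs_Windows_old"

# 47. RDPCoreTS Event Logs
Collect-Artifact -SourceDir "$SourceRoot\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*" -FolderName "RDPCoreTS_Event_Logs"

# 48. RDPCoreTS Event Logs (Windows.old)
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\Windows\System32\winevt\logs" -FileMask "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS*" -FolderName "RDPCoreTS_Event_Logs_Windows_old"

# 49. Remco RAT Default path
Collect-Artifact -SourceDir "$SourceRoot\Users\*\AppData\Roaming\remcos" -FileMask "logs*.dat*" -FolderName "Remco_RAT_Default_path"

# 50. Remco RAT custom path - AppData screenshots folder
Collect-Artifact -SourceDir "$SourceRoot\Users\*\AppData\Roaming\screenshots" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_screenshots_folder"

# 51. Remco RAT custom path - AppData notess folder
Collect-Artifact -SourceDir "$SourceRoot\Users\*\AppData\Roaming\notess" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_notess_folder"

# 52. Remco RAT custom path - AppData micrecords folder
Collect-Artifact -SourceDir "$SourceRoot\Users\*\AppData\Roaming\micrecords" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_micrecords_folder"

# 53. Remco RAT custom path - AppData hpsupport
Collect-Artifact -SourceDir "$SourceRoot\Users\*\AppData\Roaming\hpsupport" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_hpsupport"

# 54. Remco RAT custom path
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\remcos" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path"

# Entries 55-58 are labelled "AppData" in the target list but read from ProgramData.

# 55. Remco RAT custom path - AppData notess
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\notess" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_notess"

# 56. Remco RAT custom path - AppData screenshots
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\screenshots" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_screenshots"

# 57. Remco RAT custom path  - AppData micrecords
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\micrecords" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_AppData_micrecords"

# 58. Remco RAT custom path  - AppData hpsupport
# Own folder name: entry 53 already uses "Remco_RAT_custom_path_AppData_hpsupport".
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\hpsupport" -FileMask "logs*.dat*" -FolderName "Remco_RAT_custom_path_ProgramData_hpsupport"

# 59. Remote Manipulator System Connection Logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\Remote Manipulator System - Host\Logs" -FileMask "rms_log_*.html" -FolderName "Remote_Manipulator_System_Connection_Logs"

# 60. Remote Manipulator System Connection Logs in ProgramData
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Remote Manipulator System\Logs" -FileMask "rms_log_*.html" -FolderName "Remote_Manipulator_System_Connection_Logs_in_ProgramData"

# 61. Remote Manipulator System Install Log
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Remote Manipulator System" -FileMask "install.log" -FolderName "Remote_Manipulator_System_Install_Log"

# 62. RemoteUtilities Connection Logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\Remote Utilities - Host\Logs" -FileMask "rut_log_*.html" -FolderName "RemoteUtilities_Connection_Logs"

# 63. RemoteUtilities Connection Logs in ProgramData
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Remote Utilities\Logs" -FileMask "rut_log_*.html" -FolderName "RemoteUtilities_Connection_Logs_in_ProgramData"

# 64. RemoteUtilities Install Log
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Remote Utilities" -FileMask "install.log" -FolderName "RemoteUtilities_Install_Log"

# 65. RustDesk logs
Collect-Artifact -SourceDir "$SourceRoot\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server" -FolderName "RustDesk_logs"

# 66. ScreenConnect Session Database
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\ScreenConnect\App_Data" -FileMask "Session.db" -FolderName "ScreenConnect_Session_Database"

# 67. ScreenConnect Session Database
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\ScreenConnect\App_Data" -FileMask "User.xml" -FolderName "ScreenConnect_Session_Database"

# 68. ScreenConnect User Config
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\ScreenConnect Client*" -FileMask "user.config" -FolderName "ScreenConnect_User_Config"

# 69. Splashtop Log Files
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\Splashtop\Splashtop Remote\Server\log" -FolderName "Splashtop_Log_Files"

# 70. Splashtop Log Files in ProgramData
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Splashtop\Temp\log" -FolderName "Splashtop_Log_Files_in_ProgramData"

# 71. Splashtop Gateway Log Files
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\Splashtop\Splashtop Remote\Splashtop Gateway\log" -FolderName "Splashtop_Gateway_Log_Files"

# 72. Splashtop Enterprise/Business(legacy) Log Files in ProgramData
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Splashtop\Splashtop Remote Client for ST*\*\log" -FolderName "Splashtop_Enterprise_Business_legacy_Log_Files_in_ProgramData"

# 73. Supremo Connection Logs
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\SupremoRemoteDesktop\Log" -FileMask "*.log" -FolderName "Supremo_Connection_Logs"

# 74. Supremo File Transfer Inbox
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\SupremoRemoteDesktop\Inbox" -FolderName "Supremo_File_Transfer_Inbox"

# 75. TeamViewer Connection Logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\TeamViewer" -FileMask "connections*.txt" -FolderName "TeamViewer_Connection_Logs"

# 76. TeamViewer Application Logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\TeamViewer" -FileMask "TeamViewer*_Logfile*" -FolderName "TeamViewer_Application_Logs"

# 77. Unified endpoint management and security solutions from ManageEngine
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ManageEngine\UEMS_Agent\logs" -FileMask "*.log" -FolderName "Unified_endpoint_management_and_security_solutions_from_ManageEngine"

# 78. UltraViewer System Logs
Collect-Artifact -SourceDir "$SourceRoot\Windows\SysWOW64\config\systemprofile\AppData\Roaming\UltraViewer" -FolderName "UltraViewer_System_Logs"

# 79. UltraViewer Service Log
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\UltraViewer" -FileMask "UltraViewerService_log.txt" -FolderName "UltraViewer_Service_Log"

# 80. UltraViewer Connection Log
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\UltraViewer" -FileMask "ConnectionLog.Log" -FolderName "UltraViewer_Connection_Log"

# 81. RealVNC Viewer Log
Collect-Artifact -SourceDir "$SourceRoot\Users\*\AppData\Local\RealVNC" -FileMask "vncviewer.log" -FolderName "RealVNC_Viewer_Log"

# 82. RealVNC Log
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\RealVNC-Service" -FileMask "vncserver.log" -FolderName "RealVNC_Log"

# 83. TightVNC Application Logs
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\TightVNC\Server\Logs" -FolderName "TightVNC_Application_Logs"

# 84. Xeox RMM Client Application logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Xeox" -FileMask "*.log" -FolderName "Xeox_RMM_Client_Application_logs"

# 85. Zoho Assist log files in ProgramData
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\ZohoMeeting\log" -FolderName "Zoho_Assist_log_files_in_ProgramData"

# 86. Zoho Assist .conf files
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\ZohoMeeting" -FileMask "*.conf" -FolderName "Zoho_Assist_conf_files"

# 87. Zoho Assist log files in Program Files*
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\ZohoMeeting\UnAttended\ZohoMeeting\logs" -FolderName "Zoho_Assist_log_files_in_Program_Files"

# 88. Zoho Assist .conf files in  Program Files*
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\ZohoMeeting\UnAttended\ZohoMeeting" -FileMask "*.conf" -FolderName "Zoho_Assist_conf_files_in_Program_Files"

# 89. Zoho Assist .txt files in  Program Files*
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\ZohoMeeting\UnAttended\ZohoMeeting" -FileMask "*.txt" -FolderName "Zoho_Assist_txt_files_in_Program_Files"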

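# Iterate every user profile under the source drive and collect the per-user
# artifacts into folders suffixed with the profile name. The listed names are
# the built-in placeholder profiles and are skipped.
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        $ProfileDir = $_.FullName
        # AnyDesk Logs - User Profile - *.trace
        $UserPath = "$ProfileDir\AppData\Roaming\AnyDesk"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.trace" -FolderName "AnyDesk_Logs_User_Profile_trace_$UserName"
        # AnyDesk Logs - User Profile - *.conf
        $UserPath = "$ProfileDir\AppData\Roaming\AnyDesk"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.conf" -FolderName "AnyDesk_Logs_User_Profile_conf_$UserName"
        # AnyDesk Videos
        $UserPath = "$ProfileDir\Videos\AnyDesk"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.anydesk" -FolderName "AnyDesk_Videos_$UserName"
        # AnyDesk Logs - User Profile - connection_trace.txt
        $UserPath = "$ProfileDir\AppData\Roaming\AnyDesk"
        Collect-Artifact -SourceDir $UserPath -FileMask "connection_trace.txt" -FolderName "AnyDesk_Logs_User_Profile_connection_trace_txt_$UserName"
        # AnyDesk Chat Logs - User Profile
        $UserPath = "$ProfileDir\AppData\Roaming\AnyDesk\chat"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.txt" -FolderName "AnyDesk_Chat_Logs_User_Profile_$UserName"
        # AnyDesk File Transfer Logs - Running in portable mode
        $UserPath = "$ProfileDir\AppData\Roaming\AnyDesk"
        Collect-Artifact -SourceDir $UserPath -FileMask "file_transfer_trace.txt" -FolderName "AnyDesk_File_Transfer_Logs_Running_in_portable_mode_$UserName"
        # ISLOnline Logs - Sessions - *.out
        $UserPath = "$ProfileDir\AppData\Local\ISL Online Cache\ISL Light Client\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "ISLClient.out" -FolderName "ISLOnline_Logs_Sessions_out_$UserName"
        # ISLOnline Logs - Session Configurations
        $UserPath = "$ProfileDir\AppData\Local\ISL Online Cache\ISL Light Client\*\conf"
        Collect-Artifact -SourceDir $UserPath -FileMask "*" -FolderName "ISLOnline_Logs_Session_Configurations_$UserName"
        # ISL Light Logs - Sessions
        $UserPath = "$ProfileDir\AppData\Local\ISL Online Cache\ISL Light\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "trace.out" -FolderName "ISL_Light_Logs_Sessions_$UserName"
        # Kaseya Live Connect Logs (XP)
        $UserPath = "$ProfileDir\Application Data\Kaseya\Log"
        Collect-Artifact -SourceDir $UserPath -FolderName "Kaseya_Live_Connect_Logs_XP_$UserName"
        # Kaseya Live Connect Logs
        $UserPath = "$ProfileDir\AppData\Local\Kaseya\Log\KaseyaLiveConnect"
        Collect-Artifact -SourceDir $UserPath -FolderName "Kaseya_Live_Connect_Logs_$UserName"
        # Kaseya Setup Log
        $UserPath = "$ProfileDir\AppData\Local\Temp"
        Collect-Artifact -SourceDir $UserPath -FileMask "KASetup.log" -FolderName "Kaseya_Setup_Log_$UserName"
        # LogMeIn Application Logs
        $UserPath = "$ProfileDir\AppData\Local\temp\LogMeInLogs"
        Collect-Artifact -SourceDir $UserPath -FolderName "LogMeIn_Application_Logs_$UserName"
        # mRemoteNG Logs
        $UserPath = "$ProfileDir\AppData\Roaming\mRemoteNG"
        Collect-Artifact -SourceDir $UserPath -FileMask "mRemoteNG.log" -FolderName "mRemoteNG_Logs_$UserName"
        # mRemoteNG Connection Configuration and Backups
        $UserPath = "$ProfileDir\AppData\Roaming\mRemoteNG"
        Collect-Artifact -SourceDir $UserPath -FileMask "confCons.xml*" -FolderName "mRemoteNG_Connection_Configuration_and_Backups_$UserName"
        # mRemoteNG Program Settings
        $UserPath = "$ProfileDir\AppData\*\mRemoteNG"
        Collect-Artifact -SourceDir $UserPath -FileMask "user.config" -FolderName "mRemoteNG_Program_Settings_$UserName"
        # Net Monitor Server Logs
        # NOTE(review): the source is the profile root with the default "*" mask,
        # and Collect-Artifact copies recursively, so this call copies the whole
        # user profile. The referenced target presumably narrows this with a
        # sub-path or file mask that was lost when the paths were flattened;
        # confirm and restrict it before running on large profiles.
        $UserPath = $ProfileDir
        Collect-Artifact -SourceDir $UserPath -FolderName "Net_Monitor_Server_Logs_$UserName"
        # Microsoft Quick Assist
        $UserPath = "$ProfileDir\AppData\Local\Temp\QuickAssist"
        Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Quick_Assist_$UserName"
        # Microsoft Remote Help
        $UserPath = "$ProfileDir\AppData\Local\Temp\RemoteHelp"
        Collect-Artifact -SourceDir $UserPath -FolderName "Microsoft_Remote_Help_$UserName"
        # Radmin Viewer Chats
        $UserPath = "$ProfileDir\Documents\ChatLogs\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.htm" -FolderName "Radmin_Viewer_Chats_$UserName"
        # RDP Cache Files
        $UserPath = "$ProfileDir\AppData\Local\Microsoft\Terminal Server Client\Cache"
        Collect-Artifact -SourceDir $UserPath -FolderName "RDP_Cache_Files_$UserName"
        # Windows.old RDP Cache Files
        # The flattened entry pointed at the live profile again, which only
        # repeated the previous copy under a Windows.old label.
        # NOTE(review): Windows.old\Users\<name> is assumed to be the intended
        # location; confirm against the RDP cache target.
        $UserPath = "$SourceRoot\Windows.old\Users\$UserName\AppData\Local\Microsoft\Terminal Server Client\Cache"
        Collect-Artifact -SourceDir $UserPath -FolderName "Windows_old_RDP_Cache_Files_$UserName"
        # RDP Cache Files (older "Local Settings" profile layout; shares the
        # folder name of the AppData\Local entry above)
        $UserPath = "$ProfileDir\Local Settings\Application Data\Microsoft\Terminal Server Client\Cache"
        Collect-Artifact -SourceDir $UserPath -FolderName "RDP_Cache_Files_$UserName"
        # RustDesk logs
        $UserPath = "$ProfileDir\AppData\Roaming\RustDesk"
        Collect-Artifact -SourceDir $UserPath -FolderName "RustDesk_logs_$UserName"
        # TeamViewer Application User Logs
        $UserPath = "$ProfileDir\AppData\Roaming\TeamViewer"
        Collect-Artifact -SourceDir $UserPath -FileMask "TeamViewer*_Logfile*" -FolderName "TeamViewer_Application_User_Logs_$UserName"
        # TeamViewer Configuration Files
        $UserPath = "$ProfileDir\AppData\Roaming\TeamViewer\MRU\RemoteSupport"
        Collect-Artifact -SourceDir $UserPath -FolderName "TeamViewer_Configuration_Files_$UserName"
        # Unified endpoint management and security solutions from ManageEngine
        $UserPath = "$ProfileDir\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.log" -FolderName "Unified_endpoint_management_and_security_solutions_from_ManageEngine_$UserName"
        # UltraViewer User Logs
        $UserPath = "$ProfileDir\AppData\Roaming\UltraViewer"
        Collect-Artifact -SourceDir $UserPath -FolderName "UltraViewer_User_Logs_$UserName"
        # RealVNC Log
        $UserPath = "$ProfileDir\AppData\Local\RealVNC"
        Collect-Artifact -SourceDir $UserPath -FileMask "vncserver.log" -FolderName "RealVNC_Log_$UserName"
        # Zoho Assist log files in AppData\Local
        $UserPath = "$ProfileDir\AppData\Local\ZohoMeeting\log"
        Collect-Artifact -SourceDir $UserPath -FolderName "Zoho_Assist_log_files_in_AppData_Local_$UserName"
        # Zoho Assist .conf files in AppData\Local
        $UserPath = "$ProfileDir\AppData\Local\ZohoMeeting"
        Collect-Artifact -SourceDir $UserPath -FileMask "*.conf" -FolderName "Zoho_Assist_conf_files_in_AppData_Local_$UserName"
    }

# Final tally from the counters that Collect-Artifact maintains.
Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green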

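Save the script as a .ps1 file and run it as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1. The script writes to the hard-coded destination D:\Evidence ($DestBase); point it at the evidence volume, not the drive being collected, before running.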

Note: This is a compound target that references 30 other targets. The KAPE command resolves them natively; the PowerShell/Batch/WSL scripts flatten every referenced path into explicit copy commands.

notes

For those looking to contribute to this list, check here for ideas: https://en.wikipedia.org/wiki/Comparison_of_remote_desktop_software.

Install one of the applications not covered above and find where useful information is stored. If useful information can be located, make an individual Target for it and place it in the appropriate folder. Then include that Target in the appropriate Compound Target.