ShareX
Author: Andrew Rathbun
description
ShareX
paths
collection commands
# PowerShell Artifact Collection Script
# Target: ShareX
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }
function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}
# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # ShareX
        $UserPath = "$($_.FullName)\Documents\ShareX"
        Collect-Artifact -SourceDir $UserPath -FolderName "ShareX_$UserName"
    }
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
notes
ShareX is an amazing, free, and open-source alternative to Snipping Tool, Snagit, etc.
By default, a user's captures are stored in the above location.
The user can change their default folder path for screenshots by navigating to Application Settings -> Paths -> ShareX Personal Folder, hitting Apply, and restarting the program. Please note this target will be ineffective if the user changes the default folder path.
C:\Users\%user%\Documents\ShareX\PersonalPath.cfg will list where the user currently saves all screenshots, application configuration files, backups, and logs, to name a few. This file should persist even after the user changes the default ShareX folder path.
I changed the default folder location for where my screenshots, settings, etc. were stored, but C:\Users\%user%\Documents\ShareX\PersonalPath.cfg still existed and pointed to the location I moved everything over to.
The Screenshots folder will contain logical copies of all captures by the user, typically separated into folders named in YYYY-MM format, with the logical files residing inside.
Within the application's storage folder, there will be a Logs folder containing files named ShareX-Log-YYYY-MM.txt. These files are important as they give a literal play-by-play of the user's actions with ShareX.
This Target captures the contents of everything within the default folder path upon ShareX's installation. Modify the target as needed if. Contact me if you need help with that.
UploadersConfig.json will have information regarding FTP/Cloud Storage accounts set up by the user.
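Because the target only covers the default folder, PersonalPath.cfg is the pointer to follow when a user has relocated their ShareX data. The PowerShell below is an added example, not part of the original target or script: it reads each profile's PersonalPath.cfg and reports the configured folder, assuming the file holds the path as plain text; the function name Resolve-ShareXPersonalPath and the -OriginalDrive parameter are hypothetical.

```powershell
# Added example; not part of the original collection script.
# Assumption: PersonalPath.cfg holds the ShareX personal folder path as plain text.
function Resolve-ShareXPersonalPath {
    param(
        [Parameter(Mandatory)][string]$SourceRoot,  # "C:" on a live system, e.g. "E:" for a mounted image
        [string]$OriginalDrive = "C:"               # hypothetical: letter that volume had on the original system
    )
    Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
        ForEach-Object {
            $profileDir = $_
            $cfg = Join-Path $profileDir.FullName 'Documents\ShareX\PersonalPath.cfg'
            if (-not (Test-Path -LiteralPath $cfg -PathType Leaf)) { return }  # next profile

            $raw = Get-Content -LiteralPath $cfg -Raw -ErrorAction SilentlyContinue
            if ([string]::IsNullOrWhiteSpace($raw)) { return }
            $configured = $raw.Trim()

            # Only absolute paths on the original volume are re-rooted onto the source.
            # Relative paths, other volumes and %variables% are reported as-is and left
            # for the examiner: expanding them here would use the examiner's own profile.
            $mapped = $null
            if ($configured.StartsWith("$OriginalDrive\", [StringComparison]::OrdinalIgnoreCase)) {
                $mapped = $SourceRoot + $configured.Substring($OriginalDrive.Length)
            }

            [pscustomobject]@{
                User           = $profileDir.Name
                ConfigFile     = $cfg
                ConfiguredPath = $configured
                MappedPath     = $mapped
                Exists         = [bool]($mapped -and (Test-Path -LiteralPath $mapped -PathType Container))
            }
        }
}

Resolve-ShareXPersonalPath -SourceRoot "C:" | Format-List
```

Any MappedPath with Exists set to True can be passed as -SourceDir to the Collect-Artifact function in the script above.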