WindowsOSUpgradeArtifacts

Windowsv1.1

Author: Andrew Rathbun

description

Windows OS Upgrade Artifacts

paths

5 paths

OS UpgradeMigLog.xml

C:\Windows\PantherMigLog.xml

OS UpgradeSetupact.log

C:\Windows\PantherSetupact.log

OS UpgradeHumanReadable.xml

C:\Windows\Panther*HumanReadable.xml

OS UpgradeFolderMoveLog.txt

C:\Windows\Panther\RollbackFolderMoveLog.txt

OS UpgradeUpdate Store.db

C:\ProgramData\USOPrivate\UpdateStorestore.db

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: WindowsOSUpgradeArtifacts
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. MigLog.xml
Collect-Artifact -SourcePath "C:\Windows\Panther\MigLog.xml" -FolderName "MigLog_xml"

# 2. Setupact.log
Collect-Artifact -SourcePath "C:\Windows\Panther\Setupact.log" -FolderName "Setupact_log"

# 3. HumanReadable.xml
Collect-Artifact -SourcePath "C:\Windows\Panther\*HumanReadable.xml" -FolderName "HumanReadable_xml"

# 4. FolderMoveLog.txt
Collect-Artifact -SourcePath "C:\Windows\Panther\Rollback\FolderMoveLog.txt" -FolderName "FolderMoveLog_txt"

# 5. Update Store.db
Collect-Artifact -SourcePath "C:\ProgramData\USOPrivate\UpdateStore\store.db" -FolderName "Update_Store_db"

Write-Host "Collection complete!" -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1