I recently read the whitepaper“Using Windows Script Host and COM to Hack Windows” that is mentioning the GatherNetworkinfo.vbs script I hadn’t paid attention to yet. The gathernetworkinfo.vbs script comes by default with every Windows 7 installation and is located within the C:\Windows\System32\ folder.
The script does collect various networking information about the Windows 7 system and its configuration and dumps the information into the C:\Windows\System32\Config folder.
On a system where the script hasn’t been executed yet the Config folder looks as following:
Now open a command prompt with elevated rights and run cscript c:\windows\system32\gathernetworkinfo.vbs When the script has completed you will see that additional files have been added to the Config folder.
The structure of the script is quite easy to understand. Within the first part of the script all functions are defined, the second part defines the output file names and the last part actually calls the individual data collection functions including the output file parameter.
The script is also defined within a scheduled task called Nettrace which is not scheduled to run automatically.
Hello Alex,
I’m really glad that you published the informations I was looking for. Thank you.
When I was investigating my system I found the script gathernetworkinfo.vbs. Though I’m not familiar with .vbs I could follow your explanations very good.
However, what I find really strange is, that it’s obviously not a script common users run and that it’s not clear who the informations uses in case it’s executed.
The scheduled task is implemented but never will be executed by default and there aren’t plenty informations about the script.
Do you have an idea who the script uses or what it’s basically good for? Of course, the informations might be very helpful, so in general it’s good script.
Thank you in advance,
Chris
At first i thought it was a freaking malware, but upon opening it and inspecting its contents it looked quite harmless but gathering network info through a vbs seemed like i had been hacked, so i looked it up, turns out it was a safe microsoft file that comes with windows 7, how unprofessional of Microsoft!
GatherNetworkinfo.vbs is defined by default in Task Scheduler.
Go to Administrative Tools -> Task Scheduler and drill down the Task Scheduler Library -> Microsoft -> Windows -> NetTrace and there it is ready to execute and enabled for running.
Absolutely great info, Alex, I am still I suspect only the peak of the iceberg in my case.
I wish I had taken the advise of my father and studied IT more than four decades ago. I really would like to know what exactly happens on my system.
But this was really helpful, I wondered about the origin of the javascript routines. And this makes sense.
FWIW, the first thing a hacker does is gather information about the system. Since this has user rights, the hacker could run it to gather information. I would rename this to “everything a hacker wanted to know about this computer but was too inexperienced to ask.” “or hacker info here!” FWIW
‘SysInternals’ “AutoRuns” program found it still being referenced in my Windows 8.1…
I just simply DELETED that damn script file !!!!! come-what-may……
Along with anything/everything to do with any sort of Remote-Access too !!!!
I am wondering if it works together with CompatTelRunner.exe.
CompatTelRunner runs two tasks at the same time on my W7 PC every day. I’m trying to get rid of it as it seems like part of GWX / W10 force-feeding.
See notes under “answers.microsoft.com/en-us/windows/forum/windows_10-performance/how-to-stop-the-windows-compatability-telemetry/3e6f469a-e527-4744-a313-cb52030b3461?page=1”
Supposedly you can find CompatTelRunner in tasks but the closest thing I see is the Gather… vbs.
Any ideas on that?
Thanks, L
Have read claims that the information is essential for wi-fi connection. Think I’ll leave it enabled for now.
“The script does collect various networking information about the Windows 7 system and its configuration and dumps the information into the C:\\Windows\\System32\\Config folder. This is to connect to Wi-Fi!! Very important script.”