I’ve made various updates to VSC Toolset since its last public release in September 2012 and wanted to write a quick post about some of the updates for those interested. The most significant additions to the tool have been two new batch scripts: one for comparing the contents of a directory between two VSCs and one for extracting the USB device connection and disconnection events from one or more VSCs (based on the event log and Event IDs detailed here). There have also been numerous user interface and general usability enhancements made to the tool. Read on for more details, or you can skip to the VSC Toolset page to download the latest version.
CompareDirectory Batch Script
It can be helpful to see how the contents of a directory have changed over time. For example, identifying how an employment contract has been updated, not updated, or even created and deleted over a period of time can be critical in accomplishing the goals of your examination. VSC Toolset previously supported (and still supports) running a batch script utilizing diff.exe to compare two VSCs, but that may be overkill in many cases. Being able to specify a particular directory for comparison is much quicker and helps to eliminate the noise found in the output of running diff.exe against the entire VSC.
The “CompareDirectory” batch script addition to VSC Toolset works by first creating a file listing of each directory to be compared using the “dir” command. It then compares the two directory listings using diff.exe, generating output similar to the screenshot below.
|CompareDirectory Batch Script Sample Output
EventLogUSB-Win7 Batch Script
In my last post, I introduced a batch script that can be executed against a Microsoft-Windows-DriverFrameworks-UserMode/Operational event log originating from a Windows 7 system to identify USB device connection and disconnection events. In order to port over a version of the batch script compatible with VSC Toolset, I made a couple of slight modifications (primarily to the input variables). Simply select the linked VSCs against which you want to execute the batch script and click “Run Command”; VSC Toolset takes care of the rest (with some help from Log Parser). A separate CSV file containing the USB connection and disconnection events is created for each VSC the batch script is executed against. Note that you’ll need the LogParser.exe and LogParser.dll file in the same directory as the VSC Toolset executable for this batch script to work. Log Parser can be downloaded here.
The real benefit in running the EventLogUSB-Win7 batch script against multiple VSCs is that it allows you to recover USB connection and disconnection events that have since rolled off the current DriverFrameworks-UserMode/Operational event log. This can be invaluable in cases where the length of time a certain device was connected to the system is important and the time frame of interest is prior to the earliest event in the current DriverFrameworks-UserMode/Operational event log.
In addition to the CompareDirectory and EventLogUSB-Win7 batch scripts, various user interface and general usability enhancements to VSC Toolset were made. These include tips in the output of some commands (e.g. CompareDirectory) to help make the output easier to understand and a few help buttons added to the interface in some situations (depending on which command is specified in the Command drop-down box) to clarify exactly what a specific parameter is requesting. The file system view, visible after clicking “Browse Shadow Copy”, has also been improved to allow for sorting by file name or date by clicking the appropriate column header.
To ease the burden of finding all of the supporting tools you’ll need to take full advantage of VSC Toolset, I’ve added the download links and any special requirements for each on the VSC Toolset page. This information was previously scattered across multiple blog posts.
I’m always open to and appreciate feedback, including suggestions for improvement and bug reports. You can download the latest version of VSC Toolset here.