As a result of a recent ransomware infection, I need to locate a certain computer on our rather large network (thousands of computers). I've determined that the most feasible way to locate the infected computer (which encrypted some network shares) is to search for a specific file on all our computers, via PowerShell Remoting, and this is where I've run into problems.
My script thus far is:
$searchlist = Get-ADComputer -filter *
$cred = Get-Credential [domain]\[domain admin account]
$session = New-PSSession -ComputerName $searchlist.name -Credential $cred
Invoke-Command -Session $searchist -ScriptBlock { Get-ChildItem -Filter DECRYPT_INSTRUCTION.TXT -Recurse }
It works fine... which is to say that I get a list back of some randomly generated directory which contains that file. However, I get no indication of which computer this is on, and given that there are thousands of them, that's kind of useless. Right now I see something like:
Directory: C:\92bbf795063ab59a
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 09/06/2014 12:41 AM 190 DECRYPT_INSTRUCTION.TXT
But, no indication of which computer that's on, or which one of the thousands of sessions it's coming from. Ideally, I'd just like to have the session ID printed before or after the output, but can't seem to find a way to do that.
I'm open to other options, if it's especially difficult to indicate which output is coming from which session/computer in a multi-session environment.
The objects returned from the remoting sessions probably have a PSComputerName property, but the default formatting isn't displaying it.