What is GatherNetworkInfo.vbs?

Ever since Windows 7, Microsoft has installed a VBScript file called GatherNetworkInfo.vbs in the %systemroot%\System32 directory. This script makes quick work of gathering information about a system and the network it's attached to. Because it's a default part of Windows, signed by Microsoft, and in the system path, it's a tool you always know is there. However, as with any tool, it can be handy to sysadmins and red teamers alike, or abused by attackers needing a quick way to learn more about your network.

What does it gather?

When researching a feature in Windows, you can typically find a Microsoft Docs page, a TechNet article, or even an MVP blog post about it. However, in this case, I couldn't find anything. I did, however, find a 2011 blog post by Alex Verboon discussing this script. He referenced this 2010 SANS whitepaper (PDF link) that briefly discussed the script on page 9 and summarized what it does as follows:

The script’s voluminous output would be quite useful to a pen tester or an attacker doing reconnaissance. Amongst other things, it includes: 
  • CPU type, installed memory and BIOS version
  • OS version and patches applied
  • Current username and domain
  • Details on installed network adapters
  • DNS settings and cache contents
  • ARP cache contents
  • Windows file shares
  • Windows firewall configuration and rules

That in and of itself is a good summary of the output. Outside of this, I found it also dumps:

  • Event logs such as Application, Firewall, System & others
  • Services and their status
  • Battery Report
  • Installed Drivers
  • Windows Features Information
  • Output from GPResult for applied GPO settings
  • And much more

All of this output is saved in %systemroot%\System32\config.

If you look at the script, you can quickly tell that it gets this information by simply running several commands and WMI queries. It's actually pretty straightforward. It's also important to note that you don't need admin rights to run the script. You may not get all of the output if you run it as a normal user account, but you can still get a ton of info about the system and network.
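
One way to spot runs of the script in process-creation telemetry, as an added example that is not part of the original post. It assumes events are already parsed into dicts using Sysmon Event ID 1 field names (Image, CommandLine, User, ParentImage); the sample events and the priority rule are constructed for illustration.

```python
import ntpath
import re

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}  # hosts able to execute a .vbs file
# The script name as a whole path component, any case, quoted or unquoted.
SCRIPT_RE = re.compile(r'(?:^|[\\/\s"])gathernetworkinfo\.vbs(?=$|[\s"])', re.I)
SYSTEM = r"NT AUTHORITY\SYSTEM"

def triage(event):
    """Return a finding for a script-host run of GatherNetworkInfo.vbs, else None."""
    host = ntpath.basename(event.get("Image", "")).lower()
    if host not in SCRIPT_HOSTS or not SCRIPT_RE.search(event.get("CommandLine", "")):
        return None
    user = event.get("User", "")
    # Assumed triage policy (not from the post): because the script runs without
    # admin rights, a run under an ordinary account is reviewed before a SYSTEM run.
    priority = "low" if user.upper() == SYSTEM else "review"
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return {"user": user, "host": host, "parent": parent, "priority": priority}

def scan(events):
    """Triage every event and keep only the findings."""
    return [f for f in map(triage, events) if f is not None]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cscript.exe", "User": r"CORP\alice",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe //nologo C:\Windows\System32\GatherNetworkInfo.vbs"},
    {"Image": r"C:\Windows\System32\wscript.exe", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\WINDOWS\system32\gathernetworkinfo.vbs"'},
    # Script host running an unrelated script: no finding.
    {"Image": r"C:\Windows\System32\cscript.exe", "User": r"CORP\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs"},
    # Script opened in an editor, not executed: no finding.
    {"Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Windows\System32\GatherNetworkInfo.vbs"},
    # Different file whose name merely ends with the script name: no finding.
    {"Image": r"C:\Windows\System32\cscript.exe", "User": r"CORP\bob",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Temp\NotGatherNetworkInfo.vbs"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching on the file name alone will miss a copy of the script saved under another name, so pair this with monitoring of the output directory mentioned above.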