=================================================================
EXAMPLE 1    From Http://xinn.org/scripting102.html
(step by step details are at the bottom)
=================================================================
@echo off
Rem This script works on NT4, Win2k, XP and 2003. This script is called av-run
FOR /F "tokens=1 delims= " %%i IN ('"pulist %computername%" ^| findstr /I Mcshield') DO if /I %%i==Mcshield goto :end
FOR /F "tokens=4 delims= " %%i IN ('"sc query McAfeeFramework" ^| findstr /I RUNNING') DO if /I %%i==RUNNING goto :send
:send
net send %username% ALERT! You've signed in the domain with your AntiVirus software disabled. Contact HelpDesk A.S.A.P. at 123.555.7890 ext 911
net send SiteAdmin User: %username% logged on Computer: %computername% at Time: %time% Date: %date%, but is not running AV!!!
:end

=================================================================
EXAMPLE 2    From Http://xinn.org/scripting102.html
=================================================================
@echo off
Rem This script works on XP and 2003 only!! This script is called av-run-xp
FOR /F "tokens=2 delims= " %%i IN ('"wmic.exe SERVICE GET Name, State" ^| findstr /I Running ^| findstr /I Mcshield') DO if %%i==Running goto :end
FOR /F "tokens=2 delims= " %%i IN ('"wmic.exe SERVICE GET Name, State" ^| findstr /I Stopped ^| findstr /I Mcshield') DO if %%i==Stopped goto :send
:send
net send %username% ALERT! You've signed in the domain with your AntiVirus software disabled. Contact HelpDesk A.S.A.P. at 123.555.7890 ext 911
net send SiteAdmin User: %username% logged on Computer: %computername% at Time: %time% Date: %date%, but is not running AV!!!
:end

=================================================================
EXAMPLE 3    From Http://xinn.org/scripting101.html
=================================================================
@echo off
echo +----------------------------------------------+
echo +-------------- Mapping Drives ----------------+
echo +----------------------------------------------+
net use m: \\SalesFiles\Marketing\Ken
net use u: \\SalesData\User\Ken
net use r: \\SalesFiles\Marketing\Resources
echo Synchronizing system clock with time server...
net time \\NTPServer /set /yes
Rem "if errorlevel 0" is true for every exit code, so success is tested with "if not errorlevel 1"
con2prt /c \\SalesData\Letter-HD
if not errorlevel 1 goto Clj-1
net send SiteAdmin %username% had an error connecting Letter-Head Printer at %time% %date%
:Clj-1
con2prt /c \\SalesData\Color-LJ1
if not errorlevel 1 goto Bw-lj3
net send SiteAdmin %username% had an error connecting Color-LaserJet-1 Printer at %time% %date%
:Bw-lj3
con2prt /c \\SalesData\BlkWht-LJ3
if not errorlevel 1 goto done
net send SiteAdmin %username% had an error connecting Black-White-Laser-Jet-3 Printer at %time% %date%
:done

=================================================================
Breakdown of EXAMPLE 1
=================================================================

    @echo off

Setting "@echo" to "off" tells the script not to display each line in the script, and its output, on the screen. Basically it's telling the script to keep the info to itself, unless the line has an "echo" statement in it; if echo is specified, the "off" is ignored for that output or line only.

    Rem This script works on NT4, Win2k, XP and 2003. This script is called av-run

Rem statements are called Remarks, aka comments. When the "rem" statement is found on a line, the script ignores anything after it, until a carriage return or new line is found. Rem statements can be at the beginning of a line, or after a command.

    FOR /F "tokens=1 delims= " %%i IN ('"pulist %computername%" ^| findstr /I Mcshield') DO if /I %%i==Mcshield goto :end

This one is going to be much longer than the others...

The tokens portion is basically a count, and the delims is the delimiter. Percent percent "i" (you can use any letter of the alphabet) is going to contain the result of the token and delims. So if we had the following output:

    123-555-7890

and we want to display just the 7890, the token would equal 2 and the delims would equal dash (-). So %%i should be 7890 if we echo %%i.

*****NOTE***** In DOS, when testing a script like this: if the "FOR /F" line is being run from a script, you MUST use TWO percent signs for the variable, BUT if you're testing on the command line without calling a script, you only need ONE percent sign.

When a delimiter is found, everything on the left of the delim is a token, so 123 is token one, 555 is token two and 7890 is token three. The delimiter itself is ignored. Look at these FOR lines along with the outputs (these were run in the cmd window directly, so only one % sign). **Note the Tokens vs. the output**

    C:\>FOR /F "tokens=1 delims=-" %i IN ('echo 123-555-7890') DO @echo %i
    123

    C:\>FOR /F "tokens=2 delims=-" %i IN ('echo 123-555-7890') DO @echo %i
    555

    C:\>FOR /F "tokens=3 delims=-" %i IN ('echo 123-555-7890') DO @echo %i
    7890

    C:\>FOR /F "tokens=3 delims=-" %i IN ('echo -23-555-7890') DO @echo %i
    7890

**note that even though a dash is at the beginning, it is a delimiter so it's ignored**

    C:\>FOR /F "tokens=3 delims=-" %i IN ('echo 0-23-555-7890') DO @echo %i
    555

**note that the token stayed the same, however a "0-" was added so now 555 is the third token**

As you've noticed in the FOR line, whatever is in the parentheses is a system command; you cannot type just anything in there.

So far the "FOR /F" line basically says: find the 3rd value separated by a dash and place it in this variable "i"; to find "i", look in the command in the parentheses; once you've done that, "DO" this... And that's the next part: in our example we said echo what you found for "i" to the screen.

More complicated still, you can set multiple tokens and variables. The following output should give you a basic understanding of it if you're catching on to the FOR statements now:

    C:\>FOR /F "tokens=1,* delims=-" %i IN ('echo 123-555-7890') DO @echo %i %j
    123 555-7890

***note that a 3rd variable is not listed on this line, but is on the line below***

    C:\>FOR /F "tokens=1,2* delims=-" %i IN ('echo 123-555-7890') DO @echo %i %j %k
    123 555 7890

    C:\>FOR /F "tokens=1,2,3 delims=-" %i IN ('echo 123-555-7890') DO @echo %i %j
    123 555

***note that a 3rd token is called, but there is no 3rd variable to assign it to***

    C:\>FOR /F "tokens=1,2,3 delims=-" %i IN ('echo 123-555-7890') DO @echo %i %j %k
    123 555 7890

    C:\>FOR /F "tokens=1,2* delims=-" %i IN ('echo 123-555-7890') DO @echo %i %j %k
    123 555 7890

    FOR /F "tokens=4 delims= " %%i IN ('"sc query McAfeeFramework" ^| findstr /I RUNNING') DO if /I %%i==RUNNING goto :send

Let's take this one apart. First let's see the output of "sc query McAfeeFramework":

    SERVICE_NAME: McAfeeFramework
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0

That's too much effort to find the amount of tokens that it will take to find the word "Running", so let's pipe it through the findstr command to list the single line. When using the "|" pipe character inside the ----> IN ('" here "') <---- portion of the FOR line, you have to escape the pipe char first with a caret "^". You always need to escape the pipe, even if run on the cmd line directly, because it's within the parentheses.

So to summarize this one: find the second value that is separated by a space and assign it to the "i" variable. Use the commands within the parentheses to locate "i", then go to the "send" heading if "i" equals the value of "Running", ignoring the case of the word running.

    :send

Headings in a script should be one continuous word, no spaces or tabs, and begin with a colon. These are simply markers in the file, giving your script "jump points" if you will; you can jump from :this to :that and :here and :there.

    net send %username% ALERT! You've signed in the domain with your AntiVirus software disabled. Contact HelpDesk A.S.A.P. at 123.555.7890 ext 911

Net send this user (which will use the currently logged in user) this message, "ALERT! You've.... etc"

    net send SiteAdmin User: %username% logged on Computer: %computername% at Time: %time% Date: %date%, but is not running AV!!!

Same thing: net send the user named SiteAdmin this message: User:so-and-so logged on Computer:this-n-that at 12:02pm Date 01/01/2001, but is not running AV!!!

    :end

End here is just a heading; there is nothing left for the script to do, so it will close on its own.

====================

We hope that gives you a good start on understanding the FOR /F statements using tokens and delims.

    FOR /F ["options"] %variable IN (filenameset) DO command [command-parameters]
    FOR /F ["options"] %variable IN ("string") DO command [command-parameters]
    FOR /F ["options"] %variable IN ('command') DO command [command-parameters]

Here are some more advanced FOR /F statements...

Skip=n ... we could use the skip option to ignore the first three lines of this output:

    SERVICE_NAME: McAfeeFramework
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0

***NEW CMD**

    C:\>FOR /F "skip=3 tokens=4 delims= " %i IN ('"sc query McAfeeFramework"') DO @echo %i
    RUNNING

Also of note, the variables are case sensitive, so %%I is not the same as %%i; in win2k and above you can assign 52 variables.

Here's another one you can try:

    FOR /F "delims==" %i IN ('set') DO @echo %i

=================================================================
Our McAfee AV script:
=================================================================
@echo off
echo Script Run under this user: %username% on this date: %date% at this time: %time% >C:\AV-Stats.txt
:begin
if exist "C:\Program Files\Network Associates\VirusScan\Mcshield.exe" goto av-instld
net send %username% ALERT! You've signed in the domain on a PC with corrupt/missing AntiVirus software, contact the HelpDesk!!
net send SiteAdmin User: %username% logged on Computer: %computername% at Time: %time% Date: %date%, AV is corrupt/missing!!!
:dbl-check
if not exist "C:\Program Files\Network Associates\VirusScan\Mcshield.exe" goto av-miss
:av-instld
Rem Compare the latest updates with this computer- Compares values on the logon server with this PC's registry values
Rem %logonserver% already starts with \\ and the key name contains spaces, so the key is quoted
REG COMPARE "%logonserver%\HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\VIRUSCAN8000" \\. /v DATVersion
Rem REG COMPARE returns 0 = identical, 1 = failed, 2 = different. "if errorlevel N" is true for N or higher, so test the highest value first
if errorlevel 2 goto av-out-dated
if errorlevel 1 goto av-miss
goto av-dat
:av-out-dated
net send %username% ALERT! Your AV virus definitions are out of date, please update ASAP!
net send SiteAdmin User: %username% logged on Computer: %computername% at Time: %time% Date: %date%, AV Dats are old!!!
:av-dat
reg query "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\VIRUSCAN8000" /v DATVersion | findstr DATVersion >>C:\AV-Stats.txt
:av-ver
reg query "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\VIRUSCAN8000" /v DatDate | findstr DatDate >>C:\AV-Stats.txt
:av-fine
goto step2
:av-miss
sleep 1
echo AV is missing, and or is corrupted!! >>C:\AV-Stats.txt
net send %username% ALERT! You've signed in the domain on a PC with corrupt/missing AntiVirus software, contact the HelpDesk!!
goto end
Rem Check to see if the McAfee services are running
:step2
Rem figure out if the pc is win2k or xp
FOR /F "tokens=3 delims= " %%i IN ('ver') DO if %%i==XP goto call-xp
:call-2k
Rem Example 1 found here Http://xinn.org/scripting102.html
call av-run.bat
Rem Skip the XP branch once the Win2k script has run
goto end
:call-xp
Rem Example 2 found here Http://xinn.org/scripting102.html
call av-run-xp.bat
:end
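
Added example, not part of the original page or its scripts: the "sc query" token check from Example 1 written as a stand-alone script that takes the service name as an argument and also reports a service that is not installed. The file name svc-state.bat, the SVC and STATE variable names and the MISSING value are assumptions made for this example; it needs sc.exe and the command extensions of Windows 2000 or later.

```batch
@echo off
rem Added example (not from the original page).
rem Usage (hypothetical file name): svc-state.bat [ServiceName]
rem Exit code 0 = service is RUNNING, 1 = any other state or not installed.
setlocal
set "SVC=%~1"
if not defined SVC set "SVC=McAfeeFramework"

rem Default result, kept if sc prints no STATE line (service not installed).
set "STATE=MISSING"

rem sc prints a line such as:   STATE              : 4  RUNNING
rem Split on spaces the tokens are: 1=STATE  2=:  3=4  4=RUNNING
rem Leading spaces are delimiters too, so they do not shift the count.
rem The pipe sits inside the IN ('...') clause, so it is escaped with ^.
for /f "tokens=4 delims= " %%i in ('sc query "%SVC%" ^| findstr /c:"STATE"') do set "STATE=%%i"

if /i "%STATE%"=="RUNNING" goto ok

rem Not running or not installed: print one line a logon script can log,
rem then return 1 so the caller can branch with "if errorlevel 1".
echo %date% %time% %computername% %username% %SVC% state: %STATE%
endlocal & exit /b 1

:ok
echo %SVC% is RUNNING on %computername%
endlocal & exit /b 0
```

A logon script can run it with "call svc-state.bat McAfeeFramework" and send its alert only when "if errorlevel 1" is true.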