A cross-platform toolkit for IT troubleshooting and system diagnostics across Windows, Linux, and network environments. Includes automation scripts, auditing tools, maintenance utilities, and documentation for helpdesk staff, system administrators, and IT support engineers.
- 🔎 Overview
- 🏗️ Repository Structure
- 🟦 Tier Model
- 🧰 Tool Index
- 🚀 Getting Started
- 📘 Usage Examples
- 📂 Supported Operating Systems
- 🤝 Contributing
- 📜 License
TechSup-Toolkit provides a unified toolbox for support engineers, blue-team analysts, and escalation teams.
Each tier contains tooling designed for different operational levels:
- 🩺 Tier 1 — Core diagnostics & day-to-day troubleshooting
- 🔐 Tier 2 — Security auditing & forensic artifact collection
- 🛠 Tier 3 — System engineering tools & deeper technical analysis
- 🔬 Tier 4 — Deep-dive subsystem inspection, kernel-level data, and performance forensics
- 🧪 Tier 5 — High-fidelity system reporting & remote-support readiness analysis
The toolkit emphasizes:
- Safe, non-destructive data collection
- Unified TXT + JSON output
- Consistent structure across all tiers
- Production-safe diagnostic design
- Enterprise-ready workflows and escalation paths
🩺 Tier 1 — Core Diagnostic Tools
This tier contains foundational system-health, troubleshooting, and baseline diagnostic tools. Each tool includes a structured “What This Script Provides” section summarizing capabilities, insights, and output formats.
💻 system_info.ps1
- OS version & build
- BIOS / UEFI details
- CPU, RAM, motherboard
- Disk layout + free space
- Logged-on users
- Adapter summary
- IP configuration
- Routing table
- Uptime
- Installed updates
- System identity & environment data
system_info.txtsystem_info.json- Timestamped output directory
🌐 network_info.ps1
- Adapter operational state
- IP + DNS configuration
- Routing table
- ARP table
- Active TCP connections
- Per-adapter network statistics
- Firewall profile state
- Connectivity insights
network_info.txtnetwork_info.json- Timestamped output directory
📑 eventlog_collect.ps1
- System
- Application
- Security
- Setup
- WER crash logs
- Critical + error event summaries
- EVTX exports for escalation
- Recent-event summaries
eventlog_collect.txteventlog_collect.json- EVTX log bundle
- Timestamped output directory
📦 installed_programs.ps1
- 32-bit & 64-bit Registry-installed software
- Per-user installed applications
- MSI products
- Winget packages
- PowerShell package providers
- Version + publisher metadata
installed_programs.txtinstalled_programs.json- Timestamped output directory
🧪 process_audit.ps1
- CPU & RAM usage
- Process executable paths
- File description & company name
- SHA256 hashes
- Unsigned or suspicious process indicators
- Network-connected processes
- Total running processes
- Total network-active processes
process_audit.txtprocess_audit.json- Timestamped output directory
⚙️ service_status.ps1
- Running / stopped / disabled
- Services failing to start
- Service accounts & startup types
- Unsigned services
- Services running from temp locations
- Total services by state
- Flagged or abnormal services
service_status.txtservice_status.json- Timestamped output directory
🚀 startup_programs.ps1
- Registry Run / RunOnce (HKLM & HKCU)
- Startup folders
- WMI startup commands
- Logon-triggered scheduled tasks
- Missing executable paths
- Unsigned startup programs
- Items launching from temp directories
startup_programs.txtstartup_programs.json- Timestamped output directory
🧹 disk_cleanup.ps1
- User + system temp folders
- Recycle Bin cleanup
- Windows Update cache cleanup
- Delivery Optimization cleanup
- Chrome
- Edge
- Firefox
- Total freed bytes
- Per-section cleanup summary
disk_cleanup.txtdisk_cleanup.json- Timestamped output directory
🔐 Tier 2 – Security & Forensics Tools
This tier contains advanced auditing, threat-hunting, and forensic artifact collection tools.
Each tool includes a structured “What This Script Provides” section summarizing capabilities, insights, and output formats.
🌐 network_connection_audit.ps1
- All TCP sessions
- UDP endpoints
- Listening ports
- Process → connection mapping
- External IP analysis
- Unexpected public IP connections
- High-risk remote ports
- Processes making unusual outbound connections
- Reverse lookups for remote IPs
- Identification of suspicious hosts
- Failed/unresolved hosts flagged
- Total unique external IPs
- Count of suspicious connections
- Total active connections
network_connection_audit.txtnetwork_connection_audit.json- Timestamped output directory
🖥 rdp_audit.ps1
- RDP enabled/disabled
- NLA requirement
- Custom RDP ports
- Shadowing configuration
- Remote Assistance policy
- Firewall rules allowing RDP
- Listening processes on port 3389
- Open/insecure profiles
- Non-standard port detection
- RDP Users group membership
- Local administrators
- Unexpected RDP-enabled accounts
- Failed RDP logons
- Password-spray activity
- Unauthorized connection attempts
rdp_audit.txtrdp_audit.json- Timestamped output directory
📅 scheduled_task_audit.ps1
- Hidden scheduled tasks
- Tasks with Temp/AppData executables
- Missing or unsigned binaries
- Recently created tasks
- Logon-triggered tasks
- Boot/startup tasks
- Tasks impersonating system processes
- Nonexistent file paths
- Untrusted/unsigned executables
- Unexpected task actions
- Disabled tasks used for staging
scheduled_task_audit.txtscheduled_task_audit.json- Timestamped output folder
👥 user_group_audit.ps1
- Enabled/disabled accounts
- Locked-out accounts
- Dormant or inactive accounts
- Accounts without passwords
- Password-never-expires risks
- Full membership mapping
- Administrators group audit
- Orphaned/unknown SIDs
- Privilege escalation detection
- Excessive privileged users
- Unexpected group changes
- Ghost SIDs
- Insecure account settings
user_group_audit.txtuser_group_audit.json- Timestamped output directory
🔌 usb_history.ps1
- All USB drives ever connected
- Serial number, vendor ID, product ID
- Last connected/disconnected timestamps
- Mounted volume info
- Registry artifacts
- MountedDevices mapping
- Friendly names & manufacturer info
- Volume names
- Drive letters
- Storage size + free space
usb_history.txtusb_history.json- Timestamped directory
🌐 browser_history_collect.ps1
- Chrome, Edge, Firefox, Brave, Opera support
- URL, visit count, timestamp, page title extraction
- Resilient SQLite copying (forensic-safe)
- Phishing indicators
- Data exfiltration patterns
- Suspicious browsing behavior
- User activity timeline reconstruction
browser_history.txtbrowser_history.json- Timestamped directory
🧩 dns_cache_dump.ps1
- Full DNS cache
- Negative cache (failed lookups)
- Active DNS client statistics
- Resolver configuration
- DNS servers per adapter
- Recently resolved suspicious domains
- NXDOMAIN failures
- Evidence of tampered hosts file
dns_cache_dump.txtdns_cache_dump.json- Timestamped directory
🔎 suspicious_activity_scan.ps1
- Suspicious processes
- Hidden/unsigned executables
- Abnormal parent–child process chains
- LOLBin misuse (cmd.exe, powershell.exe, mshta.exe, wscript.exe)
- Malware staging directories
- Recently dropped executables
- Temp/AppData activity
- New Run/RunOnce entries
- New scheduled tasks
- Unexpected services
suspicious_activity_scan.txtsuspicious_activity_scan.json- Timestamped directory
🚫 failed_login_report.ps1
- Event ID 4625 parsing
- Username, IP, workstation, time
- Password-spray detection
- Excessive failure correlation
- Disabled account login attempts
- Nonexistent user attempts
- Repeated IP-based failures
failed_login_report.txtfailed_login_report.json- Timestamped directory
🛑 permission_audit.ps1
- Directory/file permissions
- Explicit vs inherited ACL breakdown
- Audit of dangerous permissions
- “Everyone” or “Authenticated Users” permissions
- Write access to system folders
- Executable locations with weak ACLs
permission_audit.txtpermission_audit.json- Timestamped directory
🗂 sys_integrity_check.ps1
- Hashing critical system binaries
- Detecting tampering or modification
- Driver signature integrity checks
- Defender status
- Security service health
- Protection feature validation
sys_integrity_check.txtsys_integrity_check.json- Timestamped directory
🔥 firewall_audit.ps1
- Inbound/outbound rule listing
- Active vs inactive rules
- Allowed applications and services
- Any→Any rules
- Wide-open inbound ports
- Exposed services
- Disabled firewall profiles
firewall_audit.txtfirewall_audit.json- Timestamped directory
🧪 powershell_log_audit.ps1
- Scriptblock logging (4104)
- Module logs (4103)
- Engine lifecycle logs
- Process creation correlations
- Encoded commands
- Obfuscated PowerShell
- Untrusted script sources
powershell_log_audit.txtpowershell_log_audit.json- Timestamped directory
🛡 malware_hunt.ps1
- Unsigned or suspicious processes
- Abnormal parent/child process chains
- LOLBin exploitation
- Known malware behavior patterns
- Suspicious EXEs in AppData/Temp
- Recent executable creations
- Staging directories
malware_hunt.txtmalware_hunt.json- Timestamped directory
🌐 network_threat_hunt.ps1
- Repeated outbound beaconing
- Long-lived suspicious sessions
- C2-like timing patterns
- Odd port/protocol usage
- Unsigned processes making connections
- Hidden parent processes
- Suspicious binaries contacting remote hosts
network_threat_hunt.txtnetwork_threat_hunt.json- Timestamped directory
🧷 wmi_audit.ps1
- WMI event filters
- Command-line consumers
- Permanent subscriptions
- Rogue namespaces
- Fileless malware
- Stealthy long-term implants
wmi_audit.txtwmi_audit.json- Timestamped directory
🪝 autoruns_full_audit.ps1
- Run / RunOnce keys
- Startup folders
- Services & drivers
- Scheduled tasks
- WMI autostarts
- AppData/Temp startup executables
- Missing or unsigned binaries
- Encoded commands
autoruns_full_audit.txtautoruns_full_audit.json- Timestamped directory
🛠️ Tier 3 — Engineering Tools
This tier contains system maintenance, configuration auditing, scheduled task analysis, backup inspection, storage diagnostics, and health-review tools. Each tool includes a structured **“What This Script Provides”** section summarizing capabilities, insights, and output formats.📅 scheduled_tasks_maintenance.ps1
- Full task inventory
- Last/next run timestamps
- Exit codes and run history
- Disabled task detection
- Non-zero task results
- Tasks missing run-as credentials
- Tasks failing repeatedly
- Chronological next-run overview
- Startup/logon task breakdown
scheduled_tasks_maintenance.txtscheduled_tasks_maintenance.json- Timestamped output directory
🧩 driver_report.ps1
- Version
- Provider
- Driver date
- INF source
- Signed vs unsigned status
- Outdated driver identification
- Potentially unsafe or orphaned drivers
- Driver service state
- Load type & configuration
driver_report.txtdriver_report.json- Timestamped output directory
📂 directory_size_report.ps1
- Total directory size
- File count & average size
- Recursive folder traversal
- Largest files (Top-N)
- Largest directories
- Overgrown cache/log folders
- Cleanup candidates
- Size-based impact analysis
directory_size_report.txtdirectory_size_report.json- Timestamped output directory
🔐 permission_audit.ps1
- File/folder permission mapping
- Explicit vs inherited breakdown
- Identity → Rights mapping
- Weak ACLs
- Insecure inheritance
- Access-denied objects
- Missing or broken ACL entries
- Failing paths recorded separately
permission_audit.txtpermission_audit.json- Timestamped output directory
🧹 storage_files_cleanup.ps1
- Old files older than X days
- Abandoned logs/caches
- Large files exceeding size threshold
- Oversized media/log objects
.tmp,.bak,.old,.log,.cache
- Safe structured cleanup
- Full action-by-action status
storage_files_cleanup.txtstorage_files_cleanup.json- Timestamped output directory
♻️ backup_config.ps1
- Windows Backup (wbadmin) status
- File History configuration
- Restore point storage
- Shadow storage allocation
- Backup health
- Missing configuration detection
backup_config.txtbackup_config.json- Timestamped output directory
🪄 restore_point_manager.ps1
- List restore points
- Create new restore points
- Delete older restore points
- Keep newest N
- Shadow storage allocation
- Usage vs maximum size
restore_point_manager.txtrestore_point_manager.json- Timestamped output directory
🗄 registry_backup.ps1
- SYSTEM
- SOFTWARE
- SAM
- SECURITY
- HKCU
- Timestamped archive names
- Per-hive status reporting
- Export directory auto-creation
- Clean error-handling
registry_backup.txtregistry_backup.json- Timestamped backup directory
🗃 system_log_archive.ps1
- Application
- System
- Setup
- Security (optional)
- CBS.log
- DISM.log
- WindowsUpdate.log
- Prevents overwrite
- Supports case documentation
system_log_archive.txtsystem_log_archive.json- Timestamped output directory
🛠 patch_status.ps1
- Installed KB list
- Pending updates
- Update release metadata
- Success/failure tracking
- Install timestamps
- DISM servicing status
- Component-store corruption checks
patch_status.txtpatch_status.json- Timestamped output directory
🔬 Tier 4 — Deep Dive
This tier contains deep-level diagnostic utilities designed for advanced troubleshooting, crash analysis, forensic reconstruction, and rootkit detection.
Each tool includes a structured “What This Script Provides” section summarizing its capabilities, insights, and output formats.
💥 app_crash_report.ps1
- Application Error events (Event ID 1000)
- Windows Error Reporting failure events (Event ID 1001)
- Faulting module, path, and exception code
- Crash bucket and WER metadata
- Local crash archive scanning
- Crash directory metadata
- Historical crash patterns
- Application reliability events
- System-wide crash trends
- Chronological failure events
app_crash_report.txtapp_crash_report.json- Timestamped output directory
🧨 bsod_report.ps1
- Kernel-Power (Event ID 41)
- BugCheck (Event ID 1001)
- Crash dump association
- Blue screen frequency analysis
- Minidump file listing
- Dump timestamps and sizes
- File system crash artifacts
- BugCheck stop codes
- Faulting driver patterns
- Power failures and hardware symptoms
bsod_report.txtbsod_report.json- Timestamped output directory
🕵️ rootkit_scan.ps1
- Unsigned kernel drivers
- Drivers loaded from suspicious paths
- Running drivers bypassing system32
🧩 Hidden Process Identification
- Session 0 user-mode processes
- Parentless processes
- Phantom background tasks
- Autoruns from Temp/AppData
- Unexpected Run/RunOnce entries
- Stealthy startup mechanisms
rootkit_scan.txtrootkit_scan.json- Timestamped output directory
🗂️ mft_timeline_collect.ps1
- File creation timestamps
- Modification timestamps
- MFT timestamp events
- NTFS metadata collection
- Create, delete, rename events
- Rapid file changes
- Suspicious activity bursts
- Malware drop detection
- Persistence file changes
- Evidence of tampering or wipe activity
mft_timeline_collect.txtmft_timeline_collect.json- Timestamped output directory
🧪 Tier 5 — Expert Tools
This tier contains advanced enterprise-grade diagnostic and data-collection utilities designed for senior technicians and escalation engineers. Each tool includes a structured **“What This Script Provides”** section summarizing capabilities, insights, and output formats.🛰️ remote_support_tool.ps1
- Core OS and build information
- System architecture and configuration
- Hardware + platform metadata
- Adapter configuration
- IP, DNS, gateway details
- Interface operational status
- Active processes
- CPU + memory insights
- Vendor/signed process metadata
- Full application list
- Display name, version, publisher
- Useful for compatibility review
- System-level errors
- Hardware and kernel warnings
- Failure correlation clues
remote_support_tool.txtremote_support_tool.json- Timestamped output directory
🧬 comprehensive_system_report.ps1
- OS version + build
- Computer information snapshot
- Memory + architecture
- Manufacturer and model
- Installed RAM
- System identifiers
- NIC link speed
- Adapter status
- MAC address enumeration
- Free/used disk capacity
- Drive performance indicators
- Driver provider + version
- Service start modes
- Running/stopped states
- Installed KBs
- Update descriptions
- Patch age indicators
- Kernel-level failures
- Power events
- Hardware error history
comprehensive_system_report.txtcomprehensive_system_report.json- Timestamped output directory