I just stumbled across the MIR-ROR (Motile Incident Response – Respond Objectively, Remediate) tool reported over at the ISC Storm Center as reviewed in June’s ISSA journal (http://holisticinfosec.org/toolsmith/docs/june2009.pdf). It is a script which was created by a Microsoft IH guru and utilizes the Sysinternals utilities.
The script automates and consolidates the output from a variety of Windows and Sysinternals commands: net *, ipconfig, arp, netstat, nbtstat, systeminfo, tasklist, openfiles, driverquery, sc, at, set, ftype, assoc, and doskey come from %systemroot%, and the remaining tools (autorunsc, handle, listdlls, logonsessions, now, psfile, psinfo, pslist, psloggedon, psloglist, psservice, seccheck, showacls, showpriv, sigcheck, srvinfo, and tcpvcon) come from the Sysinternals utilities.
I am sure you could create a USB stick/CD and change the script to use known good Windows files, in case you do not trust the actual Windows executable (but then again, the output could lie).
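
The known-good-media idea above, sketched in PowerShell as an added example (this is not MIR-ROR's code, which the page does not show): each tool is run by full path from the trusted media only after its SHA-256 matches a manifest, and every output file is hashed as it is written. The directory layout, `manifest.csv`, and the parameter names are assumptions made for the example.

```powershell
# Added example, not MIR-ROR itself. Hypothetical layout of the trusted media:
#   <ToolRoot>\win\          known-good copies of Windows binaries and their .mui files
#   <ToolRoot>\sys\          Sysinternals tools
#   <ToolRoot>\manifest.csv  columns Path,SHA256, generated on a clean machine
param(
    [string]$ToolRoot = $PSScriptRoot,
    [Parameter(Mandatory = $true)][string]$OutRoot   # writable evidence location
)

# Expected SHA-256 per tool, keyed by path relative to $ToolRoot.
$expected = @{}
Import-Csv (Join-Path $ToolRoot 'manifest.csv') -ErrorAction Stop |
    ForEach-Object { $expected[$_.Path] = $_.SHA256 }

# A subset of the commands the page lists; flags are those of current releases.
$commands = @(
    @{ Name = 'ipconfig';   Exe = 'win\ipconfig.exe';   Params = @('/all') },
    @{ Name = 'arp';        Exe = 'win\arp.exe';        Params = @('-a') },
    @{ Name = 'netstat';    Exe = 'win\netstat.exe';    Params = @('-ano') },
    @{ Name = 'tasklist';   Exe = 'win\tasklist.exe';   Params = @('/v') },
    @{ Name = 'systeminfo'; Exe = 'win\systeminfo.exe'; Params = @() },
    @{ Name = 'autorunsc';  Exe = 'sys\autorunsc.exe';  Params = @('-accepteula', '-a', '*', '-c') },
    @{ Name = 'pslist';     Exe = 'sys\pslist.exe';     Params = @('-accepteula', '-t') },
    @{ Name = 'tcpvcon';    Exe = 'sys\tcpvcon.exe';    Params = @('-accepteula', '-a', '-c') }
)

$outDir = Join-Path $OutRoot ('{0}_{1:yyyyMMdd_HHmmss}' -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $outDir -ErrorAction Stop | Out-Null

$log = foreach ($c in $commands) {
    $exe     = Join-Path $ToolRoot $c.Exe
    $outFile = Join-Path $outDir ($c.Name + '.txt')
    $status  = 'ok'; $outHash = ''
    if (-not (Test-Path -LiteralPath $exe)) {
        $status = 'missing'
    } elseif ((Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash -ne $expected[$c.Exe]) {
        $status = 'hash-mismatch'   # tool differs from the manifest (or is unlisted): skip it
    } else {
        # Invoked by full path, so the suspect host's PATH is never consulted.
        & $exe @($c.Params) 2>&1 | Out-File -FilePath $outFile -Encoding utf8
        $outHash = (Get-FileHash -LiteralPath $outFile -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        Tool = $c.Exe; Status = $status; Output = $outFile
        OutputSHA256 = $outHash; CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
}
$log | Export-Csv (Join-Path $outDir 'collection_log.csv') -NoTypeInformation
```

Verified binaries still load DLLs from, and query the kernel of, the host being examined, so the hashes only establish that the tools and their saved output were not altered, not that the output is truthful.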