csereno/ManageCap.ps1

## ManageCap.ps1
# Created by csereno
# 3/28/2018
# PowerShell script to delete captures older than 14 days, archive current ones, and start a new one using WinDump.
# Works with PowerShell 2016 and requires WinDump.exe
# Note: Changes will be needed to work with different environments.

$ArchivePath = "C:\Temp\CaptureArchive"
$CapturePath = "C:\Temp\Captures"
$Daysback = "-14"
$CurrentDate = Get-Date
$DatetoDelete = $CurrentDate.AddDays($Daysback)

# Delete all Files in the archive older than 14 day(s)
Get-ChildItem $ArchivePath | Where-Object { $_.LastWriteTime -lt $DatetoDelete } | Remove-Item

#Kill the current capture process
Stop-Process -Name "WinDump" -Force

# Archive current files and copy them to the Archive directory
Compress-Archive -Path $CapturePath -DestinationPath $ArchivePath\$CurrentDate.zip

# Delete the current capture files
Remove-Item "$CapturePath\*.*" | Where { ! $_.PSIsContainer }

#Start WinDump again using a ring buffer of 100 files of 40MB each
& "C:\Temp\windump.exe" -i1 -n -t -s 1514 -W 100 -C 40 -w "$CapturePath\temp.pcap" not port 3389

## ManageCap.xml
<!-- Windows Scheduled Task Template -->
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2016-04-06T14:02:16.5795462</Date>
    <Author>csereno</Author>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger>
      <Enabled>true</Enabled>
    </BootTrigger>
    <CalendarTrigger>
      <StartBoundary>2016-04-06T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByWeek>
        <DaysOfWeek>
          <Wednesday />
        </DaysOfWeek>
        <WeeksInterval>1</WeeksInterval>
      </ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT1H</Interval>
      <Count>3</Count>
    </RestartOnFailure>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>ManageCap.ps1</Command>
    </Exec>
  </Actions>
</Task>
	# Created by csereno
	# 3/28/2018
	# PowerShell script to delete captures older than 14 days, archive current ones, and start a new one using WinDump.
	# Works with PowerShell 2016 and requires WinDump.exe
	# Note: Changes will be needed to work with different environments.

	$ArchivePath = "C:\Temp\CaptureArchive"
	$CapturePath = "C:\Temp\Captures"
	$Daysback = "-14"
	$CurrentDate = Get-Date
	$DatetoDelete = $CurrentDate.AddDays($Daysback)

	# Delete all Files in the archive older than 14 day(s)
	Get-ChildItem $ArchivePath \| Where-Object { $_.LastWriteTime -lt $DatetoDelete } \| Remove-Item

	#Kill the current capture process
	Stop-Process -Name "WinDump" -Force

	# Archive current files and copy them to the Archive directory
	Compress-Archive -Path $CapturePath -DestinationPath $ArchivePath\$CurrentDate.zip

	# Delete the current capture files
	Remove-Item "$CapturePath\." \| Where { ! $_.PSIsContainer }

	#Start WinDump again using a ring buffer of 100 files of 40MB each
	& "C:\Temp\windump.exe" -i1 -n -t -s 1514 -W 100 -C 40 -w "$CapturePath\temp.pcap" not port 3389
	<!-- Windows Scheduled Task Template -->
	<?xml version="1.0" encoding="UTF-16"?>
	<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
	<RegistrationInfo>
	<Date>2016-04-06T14:02:16.5795462</Date>
	<Author>csereno</Author>
	</RegistrationInfo>
	<Triggers>
	<BootTrigger>
	<Enabled>true</Enabled>
	</BootTrigger>
	<CalendarTrigger>
	<StartBoundary>2016-04-06T00:00:00</StartBoundary>
	<Enabled>true</Enabled>
	<ScheduleByWeek>
	<DaysOfWeek>
	<Wednesday />
	</DaysOfWeek>
	<WeeksInterval>1</WeeksInterval>
	</ScheduleByWeek>
	</CalendarTrigger>
	</Triggers>
	<Principals>
	<Principal id="Author">
	<UserId>S-1-5-18</UserId>
	<RunLevel>HighestAvailable</RunLevel>
	</Principal>
	</Principals>
	<Settings>
	<MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
	<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
	<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
	<AllowHardTerminate>true</AllowHardTerminate>
	<StartWhenAvailable>true</StartWhenAvailable>
	<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
	<IdleSettings>
	<StopOnIdleEnd>true</StopOnIdleEnd>
	<RestartOnIdle>false</RestartOnIdle>
	</IdleSettings>
	<AllowStartOnDemand>true</AllowStartOnDemand>
	<Enabled>true</Enabled>
	<Hidden>false</Hidden>
	<RunOnlyIfIdle>false</RunOnlyIfIdle>
	<WakeToRun>false</WakeToRun>
	<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
	<Priority>7</Priority>
	<RestartOnFailure>
	<Interval>PT1H</Interval>
	<Count>3</Count>
	</RestartOnFailure>
	</Settings>
	<Actions Context="Author">
	<Exec>
	<Command>ManageCap.ps1</Command>
	</Exec>
	</Actions>
	</Task>