Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Get-PSAutoRun
#Requires -Version 3.0
Function Get-PSAutorun {
<#
.SYNOPSIS
Get Autorun entries.
.DESCRIPTION
Retrieve a list of programs configured to autostart at boot or logon.
.PARAMETER All
Switch to gather artifacts from all categories.
If it's turned on, all other category switches will be ignored.
.PARAMETER BootExecute
Switch to gather artifacts from the Boot Execute category.
.PARAMETER AppinitDLLs
Switch to gather artifacts from the Appinit category.
.PARAMETER ExplorerAddons
Switch to gather artifacts from the Explorer category.
.PARAMETER SidebarGadgets
Switch to gather artifacts from the Sidebar Gadgets category.
.PARAMETER ImageHijacks
Switch to gather artifacts from the Image Hijacks category.
.PARAMETER InternetExplorerAddons
Switch to gather artifacts from the Intenet Explorer category.
.PARAMETER KnownDLLs
Switch to gather artifacts from the KnownDLLs category.
.PARAMETER Logon
Switch to gather artifacts from the Logon category.
.PARAMETER Winsock
Switch to gather artifacts from the Winsock and network providers category.
.PARAMETER Codecs
Switch to gather artifacts from the Codecs category.
.PARAMETER PrintMonitorDLLs
Switch to gather artifacts from the Print Monitors category.
.PARAMETER LSAsecurityProviders
Switch to gather artifacts from the LSA Providers category.
.PARAMETER ServicesAndDrivers
Switch to gather artifacts from the Services and Drivers categories.
.PARAMETER ScheduledTasks
Switch to gather artifacts from the Scheduled tasks category.
.PARAMETER Winlogon
Switch to gather artifacts from the Winlogon category.
.PARAMETER WMI
Switch to gather artifacts from the WMI category.
.PARAMETER ShowFileHash
Switch to enable and display MD5, SHA1 and SHA2 file hashes.
.PARAMETER VerifyDigitalSignature
Switch to report if a file is digitally signed with the built-in Get-AuthenticodeSignature cmdlet.
.EXAMPLE
Get-PSAutorun -BootExecute -AppinitDLLs
.EXAMPLE
Get-PSAutorun -KnownDLLs -LSAsecurityProviders -ShowFileHash
.EXAMPLE
Get-PSAutorun -All -ShowFileHash -VerifyDigitalSignature
#>
[CmdletBinding()]
Param(
[switch]$All,
[Switch]$BootExecute,
[Switch]$AppinitDLLs,
[Switch]$ExplorerAddons,
[Switch]$SidebarGadgets,
[Switch]$ImageHijacks,
[Switch]$InternetExplorerAddons,
[Switch]$KnownDLLs,
[Switch]$Logon,
[Switch]$Winsock,
[Switch]$Codecs,
[Switch]$PrintMonitorDLLs,
[Switch]$LSAsecurityProviders,
[Switch]$ServicesAndDrivers,
[Switch]$ScheduledTasks,
[Switch]$Winlogon,
[Switch]$WMI,
[Switch]$ShowFileHash,
[Switch]$VerifyDigitalSignature
)
Begin {
#region Helperfunctions
# Courtesy of Microsoft
# Extracted from PS 4.0 with (dir function:\Get-FileHash).Definition
Function Get-FileHash {
[CmdletBinding(DefaultParameterSetName = "Path")]
param(
[Parameter(Mandatory, ParameterSetName="Path", Position = 0)]
[System.String[]]
$Path,
[Parameter(Mandatory, ParameterSetName="LiteralPath", ValueFromPipelineByPropertyName = $true)]
[Alias("PSPath")]
[System.String[]]
$LiteralPath,
[ValidateSet("SHA1", "SHA256", "SHA384", "SHA512", "MACTripleDES", "MD5", "RIPEMD160")]
[System.String]
$Algorithm="SHA256"
)
begin {
# Construct the strongly-typed crypto object
$hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
}
process {
$pathsToProcess = @()
if($PSCmdlet.ParameterSetName -eq "LiteralPath") {
$pathsToProcess += Resolve-Path -LiteralPath $LiteralPath | Foreach-Object ProviderPath
} else {
$pathsToProcess += Resolve-Path $Path | Foreach-Object ProviderPath
}
foreach($filePath in $pathsToProcess) {
if(Test-Path -LiteralPath $filePath -PathType Container) {
continue
}
try {
# Read the file specified in $FilePath as a Byte array
[system.io.stream]$stream = [system.io.file]::OpenRead($FilePath)
# Compute file-hash using the crypto object
[Byte[]] $computedHash = $hasher.ComputeHash($stream)
} catch [Exception] {
$errorMessage = [Microsoft.PowerShell.Commands.UtilityResources]::FileReadError -f $FilePath, $_
Write-Error -Message $errorMessage -Category ReadError -ErrorId "FileReadError" -TargetObject $FilePath
return
} finally {
if($stream) {
$stream.Close()
}
}
# Convert to hex-encoded string
[string] $hash = [BitConverter]::ToString($computedHash) -replace '-',''
$retVal = [PSCustomObject] @{
Algorithm = $Algorithm.ToUpperInvariant()
Hash = $hash
Path = $filePath
}
$retVal.psobject.TypeNames.Insert(0, "Microsoft.Powershell.Utility.FileHash")
$retVal
}
}
}
Function Get-RegValue {
[CmdletBinding()]
Param(
[string]$Path,
[string[]]$Name,
[string]$Category
)
Begin{
if ($Path -match "Wow6432Node") {
$ClassesPath = Join-Path -Path (Split-Path $Path -Qualifier) -ChildPath "SOFTWARE\Wow6432Node\Classes\CLSID"
} else {
$ClassesPath = Join-Path -Path (Split-Path $Path -Qualifier) -ChildPath "SOFTWARE\Classes\CLSID"
}
}
Process {
try {
$Values = Get-Item -LiteralPath $Path -ErrorAction Stop
if ($Name -eq "*") {
$Name = $Values.GetValueNames()
}
$Name | ForEach-Object -Process {
# Need to differentiate between empty string and really non existing values
if ($Values.GetValue($_) -ne $null) {
$Value = Switch -regex($Values.GetValue($_)) {
'^\{[A-Z0-9]{4}([A-Z0-9]{4}-){4}[A-Z0-9]{12}\}$' {
(Get-ItemProperty -Path (Join-Path -Path $ClassesPath -ChildPath "$($_)\InprocServer32") -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
break
}
default {
$_
}
}
if ($Value) {
[pscustomobject]@{
Path = $Path
Item = $_
Value = $Value
Category = $Category
}
}
}
}
} catch {
}
}
End {}
}
Function Get-AllScheduledTasks {
[CmdletBinding()]
param (
[Parameter(Mandatory=$false,ValueFromPipeline=$true)]
[System.String[]]$ComputerName = $env:COMPUTERNAME
)
Begin {
Function Get-SubFolders ($folder,[switch]$recurse)
{
$folder
if ($recurse)
{
$TaskService.GetFolder($folder).GetFolders(0) | ForEach-Object {
Get-SubFolders $_.Path -Recurse
}
} else {
$TaskService.GetFolder($folder).GetFolders(0)
}
}
}
Process {
$ComputerName | ForEach-Object -Process {
$alltasks = @()
$Computer = $_
$TaskService = New-Object -com schedule.service
try
{
$TaskService.Connect($Computer) | Out-Null
} catch {
Write-Warning "Cannot connect to $Computer because $($_.Exception.Message)"
return
}
Get-SubFolders -folder "\" -recurse | ForEach-Object -Process {
$TaskService.GetFolder($_).GetTasks(1) | ForEach-Object -Process {
$obj = New-Object -TypeName pscustomobject -Property @{
ComputerName = $Computer
Path = Split-Path $_.Path
Name = $_.Name
}
$alltasks += $obj
}
}
Write-Verbose -Message "There's a total of $($alltasks.Count) tasks on $Computer"
$alltasks
}
}
End {}
}
Function Get-Task {
[CmdletBinding()]
param (
[parameter(ValueFromPipeline=$false,ValueFromPipelineByPropertyName=$true,Mandatory=$false)]
[system.string[]] ${ComputerName} = $env:computername,
[parameter(ValueFromPipeline=$false,ValueFromPipelineByPropertyName=$true,Mandatory=$false,
HelpMessage="The task folder string must begin by '\'")]
[ValidatePattern('^\\')]
[system.string[]] ${Path} = "\",
[parameter(ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true,Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[system.string[]] ${Name} = $null
)
Begin {}
Process
{
$resultsar = @()
$ComputerName | ForEach-Object -Process {
$Computer = $_
$TaskService = New-Object -com schedule.service
try
{
$TaskService.Connect($Computer) | Out-Null
} catch {
Write-Warning "Failed to connect to $Computer"
}
if ($TaskService.Connected)
{
Write-Verbose -Message "Connected to the scheduler service of computer $Computer"
Foreach ($Folder in $Path)
{
Write-Verbose -Message "Dealing with folder task $Folder"
$RootFolder = $null
try
{
$RootFolder = $TaskService.GetFolder($Folder)
} catch {
Write-Warning -Message "The folder task $Folder cannot be found"
}
if ($RootFolder)
{
Foreach ($Task in $Name)
{
$TaskObject = $null
try
{
Write-Verbose -Message "Dealing with task name $Task"
$TaskObject = $RootFolder.GetTask($Task)
} catch {
Write-Warning -Message "The task $Task cannot be found under $Folder"
}
if ($TaskObject)
{
# Status
# http://msdn.microsoft.com/en-us/library/windows/desktop/aa383617%28v=vs.85%29.aspx
switch ($TaskObject.State)
{
0 { $State = 'Unknown'}
1 { $State = 'Disabled'}
2 { $State = 'Queued'}
3 { $State = 'Ready'}
4 { $State = 'Running'}
default {$State = $_ }
}
$resultsar += New-Object -TypeName pscustomobject -Property @{
ComputerName = $Computer
Name = $TaskObject.Name
Path = $Folder
State = $State
Enabled = $TaskObject.Enabled
Xml = $TaskObject.XML
}
}
}
}
}
}
}
$resultsar
}
End {}
}
# From David Wyatt
# http://gallery.technet.microsoft.com/scriptcenter/Normalize-file-system-5d33985a
Function Get-NormalizedFileSystemPath {
<#
.Synopsis
Normalizes file system paths.
.DESCRIPTION
Normalizes file system paths. This is similar to what the Resolve-Path cmdlet does, except Get-NormalizedFileSystemPath also properly handles UNC paths and converts 8.3 short names to long paths.
.PARAMETER Path
The path or paths to be normalized.
.PARAMETER IncludeProviderPrefix
If this switch is passed, normalized paths will be prefixed with 'FileSystem::'. This allows them to be reliably passed to cmdlets such as Get-Content, Get-Item, etc, regardless of Powershell's current location.
.EXAMPLE
Get-NormalizedFileSystemPath -Path '\\server\share\.\SomeFolder\..\SomeOtherFolder\File.txt'
Returns '\\server\share\SomeOtherFolder\File.txt'
.EXAMPLE
'\\server\c$\.\SomeFolder\..\PROGRA~1' | Get-NormalizedFileSystemPath -IncludeProviderPrefix
Assuming you can access the c$ share on \\server, and PROGRA~1 is the short name for "Program Files" (which is common), returns:
'FileSystem::\\server\c$\Program Files'
.INPUTS
String
.OUTPUTS
String
.NOTES
Paths passed to this command cannot contain wildcards; these will be treated as invalid characters by the .NET Framework classes which do the work of validating and normalizing the path.
.LINK
Resolve-Path
#>
[CmdletBinding()]
Param (
[Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
[Alias('PSPath', 'FullName')]
[string[]]
$Path,
[switch]
$IncludeProviderPrefix
)
Process{
foreach ($_path in $Path)
{
$_resolved = $_path
if ($_resolved -match '^([^:]+)::') {
$providerName = $matches[1]
if ($providerName -ne 'FileSystem') {
Write-Error "Only FileSystem paths may be passed to Get-NormalizedFileSystemPath. Value '$_path' is for provider '$providerName'."
continue
}
$_resolved = $_resolved.Substring($matches[0].Length)
}
if (-not [System.IO.Path]::IsPathRooted($_resolved)) {
$_resolved = Join-Path -Path $PSCmdlet.SessionState.Path.CurrentFileSystemLocation -ChildPath $_resolved
}
try {
$dirInfo = New-Object System.IO.DirectoryInfo($_resolved)
} catch {
$exception = $_.Exception
while ($null -ne $exception.InnerException) {
$exception = $exception.InnerException
}
Write-Error "Value '$_path' could not be parsed as a FileSystem path: $($exception.Message)"
continue
}
$_resolved = $dirInfo.FullName
if ($IncludeProviderPrefix) {
$_resolved = "FileSystem::$_resolved"
}
Write-Output $_resolved
}
}
}
Function Get-PSRawAutoRun {
[CmdletBinding()]
Param(
[switch]$All,
[Switch]$BootExecute,
[Switch]$AppinitDLLs,
[Switch]$ExplorerAddons,
[Switch]$SidebarGadgets,
[Switch]$ImageHijacks,
[Switch]$InternetExplorerAddons,
[Switch]$KnownDLLs,
[Switch]$Logon,
[Switch]$Winsock,
[Switch]$Codecs,
[Switch]$PrintMonitorDLLs,
[Switch]$LSAsecurityProviders,
[Switch]$ServicesAndDrivers,
[Switch]$ScheduledTasks,
[Switch]$Winlogon,
[Switch]$WMI,
[Switch]$ShowFileHash,
[Switch]$VerifyDigitalSignature
)
Begin {
}
Process {
if ($All -or $BootExecute) {
Write-Verbose -Message "Looking for Boot Execute entries"
#region Boot Execute
$Category = @{ Category = 'Boot Execute'}
# REG_MULTI_SZ
"BootExecute","SetupExecute","Execute","S0InitialCommand" | ForEach-Object {
$item = $_
$v = $null
$v = (Get-RegValue -Path "HKLM:\System\CurrentControlSet\Control\Session Manager" -Name $_ @Category)
if ($v) {
$v.Value | ForEach-Object {
if ($_ -ne '""') {
[pscustomobject]@{
Path = "HKLM:\System\CurrentControlSet\Control\Session Manager"
Item = $item
Value = $_
Category = 'Boot Execute'
}
}
}
}
}
Get-RegValue -Path "HKLM:\System\CurrentControlSet\Control" -Name "ServiceControlManagerExtension" @Category
#endregion Boot Execute
}
if ($All -or $AppinitDLLs) {
Write-Verbose -Message "Looking for Appinit DLLs entries"
#region AppInit
$null,"Wow6432Node" | Foreach-Object {
Get-RegValue -Path "HKLM:\SOFTWARE\$($_)\Microsoft\Windows NT\CurrentVersion\Windows" -Name "Appinit_Dlls" -Category "AppInit"
}
if (Test-Path -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\AppCertDlls" -PathType Container) {
Get-RegValue -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\AppCertDlls" -Name "*" -Category "AppInit"
}
#endregion AppInit
}
if ($All -or $ExplorerAddons) {
Write-Verbose -Message "Looking for Explorer Add-ons entries"
#region Explorer
$Category = @{ Category = 'Explorer'}
# Filter & Handler
"Filter","Handler" | ForEach-Object -Process {
$key = "HKLM:\SOFTWARE\Classes\Protocols\$($_)"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
if ($_ -eq 'ms-help') {
if ([environment]::Is64BitOperatingSystem) {
$ClassesPath = "HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID"
} else {
$ClassesPath = "HKLM:\SOFTWARE\Classes\CLSID"
}
$i = (Get-ItemProperty -Path "$key\ms-help" -Name "CLSID").CLSID
[pscustomobject]@{
Path = "$key\ms-help"
Item = $i
Value = (Get-ItemProperty -Path (Join-Path -Path $ClassesPath -ChildPath "$($i)\InprocServer32") -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
Category = 'Explorer'
}
} else {
Get-RegValue -Path "$key\$($_)" -Name "CLSID" @Category
}
}
}
}
# SharedTaskScheduler
$null,"Wow6432Node" | Foreach-Object -Process {
Get-RegValue -Path "HKLM:\SOFTWARE\$($_)\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler" -Name "*" @Category
}
# ShellServiceObjects
$null,"Wow6432Node" | Foreach-Object -Process {
$ClassesPath = "HKLM:\SOFTWARE\$($_)\Classes\CLSID"
$key = "HKLM:\SOFTWARE\$($_)\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects"
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path $ClassesPath -ChildPath "$($_)\InprocServer32") -Name '(default)').'(default)'
Category = 'Explorer'
}
}
}
# ShellExecuteHooks
$null,"Wow6432Node" | Foreach-Object -Process {
$key = "HKLM:\SOFTWARE\$($_)\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
if (Test-Path -Path $key -PathType Container) {
$ClassesPath = "HKLM:\SOFTWARE\$($_)\Classes\CLSID"
(Get-Item -Path $key).GetValueNames() | ForEach-Object {
# Get-RegValue -Path $key -Name $_ @Category
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path $ClassesPath -ChildPath "$($_)\InprocServer32") -Name '(default)').'(default)'
Category = 'Explorer'
}
}
}
}
# ShellServiceObjectDelayLoad
$null,"Wow6432Node" | Foreach-Object -Process {
Get-RegValue -Path "HKLM:\SOFTWARE\$($_)\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" -Name "*" @Category
}
# Handlers
@(
@{Name = '*' ; Properties = @('ContextMenuHandlers','PropertySheetHandlers')},
@{Name ='Drive' ; Properties = @('ContextMenuHandlers')},
@{Name ='AllFileSystemObjects' ; Properties = @('ContextMenuHandlers','DragDropHandlers','PropertySheetHandlers')},
@{Name ='Directory' ; Properties = @('ContextMenuHandlers','DragDropHandlers','PropertySheetHandlers', 'CopyHookHandlers')},
@{Name ='Directory\Background' ; Properties = @('ContextMenuHandlers')},
@{Name ='Folder' ; Properties = @('ColumnHandlers','ContextMenuHandlers','DragDropHandlers','ExtShellFolderViews','PropertySheetHandlers')}
) | ForEach-Object -Process {
$Name = $_.Name
$Properties = $_.Properties
$null,"Wow6432Node" | Foreach-Object -Process {
$key = "HKLM:\Software\$($_)\Classes\$Name\ShellEx"
$ClassPath = "HKLM:\Software\$($_)\Classes\CLSID"
$Hive = $_
$Properties | ForEach-Object -Process {
$subkey = Join-Path -Path $key -ChildPath $_
try {
(Get-Item -LiteralPath $subkey -ErrorAction SilentlyContinue).GetSubKeyNames() | ForEach-Object -Process {
if ($(try {
[system.guid]::Parse($_) | Out-Null
$true
} catch {
$false
})) {
if (Test-Path -Path (Join-Path -Path $ClassPath -ChildPath "$($_)\InprocServer32") -PathType Container) {
# don't change anything
} else {
if ($Hive) {
$ClassPath = "HKLM:\Software\Classes\CLSID"
} else {
$ClassPath = "HKLM:\Software\Wow6432Node\Classes\CLSID"
}
}
if (Test-PAth -Path (Join-Path -Path $ClassPath -ChildPath "$($_)\InprocServer32") -PathType Container) {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path $ClassPath -ChildPath "$($_)\InprocServer32") -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
Category = 'Explorer'
}
}
} else {
Get-RegValue -Path "$subkey\$($_)" -Name "*" @Category
}
}
} catch {
}
}
}
}
# ShellIconOverlayIdentifiers
$null,"Wow6432Node" | Foreach-Object -Process {
$key = "HKLM:\SOFTWARE\$($_)\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$key\$($_)" -Name "*" @Category
}
}
}
# LangBarAddin
Get-RegValue -Path "HKLM:\Software\Microsoft\Ctf\LangBarAddin" -Name "*" @Category
#endregion Explorer
#region User Explorer
# Filter & Handler
"Filter","Handler" | ForEach-Object -Process {
$key = "HKCU:\SOFTWARE\Classes\Protocols\$($_)"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$key\$($_)" -Name "CLSID" @Category
}
}
}
if (Test-Path -Path "HKCU:\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components" -PathType Container) {
$key = "HKCU:\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components"
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$key\$($_)" -Name 'Source' @Category
}
}
# ShellServiceObjects
if (Test-Path -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects" -PathType Container) {
$ClassesPath = "HKCU:\SOFTWARE\$($_)\Classes\CLSID"
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects"
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path $ClassesPath -ChildPath "$($_)\InprocServer32") -Name '(default)').'(default)'
Category = 'Explorer'
}
}
}
# ShellServiceObjectDelayLoad
Get-RegValue -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" -Name "*" @Category
# Handlers
@(
@{Name = '*' ; Properties = @('ContextMenuHandlers','PropertySheetHandlers')},
@{Name ='Drive' ; Properties = @('ContextMenuHandlers')},
@{Name ='AllFileSystemObjects' ; Properties = @('ContextMenuHandlers','DragDropHandlers','PropertySheetHandlers')},
@{Name ='Directory' ; Properties = @('ContextMenuHandlers','DragDropHandlers','PropertySheetHandlers', 'CopyHookHandlers')},
@{Name ='Directory\Background' ; Properties = @('ContextMenuHandlers')},
@{Name ='Folder' ; Properties = @('ColumnHandlers','ContextMenuHandlers','DragDropHandlers','ExtShellFolderViews','PropertySheetHandlers')}
) | ForEach-Object -Process {
$Name = $_.Name
$Properties = $_.Properties
$key = "HKCU:\Software\Classes\$Name\ShellEx"
$Properties | ForEach-Object -Process {
$subkey = Join-Path -Path $key -ChildPath $_
try {
(Get-Item -LiteralPath $subkey -ErrorAction SilentlyContinue).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$subkey\$($_)" -Name "*" @Category
}
} catch {
}
}
}
# ShellIconOverlayIdentifiers
$key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$key\$($_)" -Name "*" @Category
}
}
# LangBarAddin
Get-RegValue -Path "HKCU:\Software\Microsoft\Ctf\LangBarAddin" -Name "*" @Category
#endregion User Explorer
}
if ($All -or $SidebarGadgets) {
Write-Verbose -Message "Looking for Sidebar gadgets"
#region User Sidebar gadgets
if (Test-Path (Join-Path -Path (Split-Path -Path $($env:AppData) -Parent) -ChildPath "Local\Microsoft\Windows Sidebar\Settings.ini")) {
Get-Content -Path (
Join-Path -Path (Split-Path -Path $($env:AppData) -Parent) -ChildPath "Local\Microsoft\Windows Sidebar\Settings.ini"
) |
Select-String -Pattern "^PrivateSetting_GadgetName=" | ForEach-Object {
[pscustomobject]@{
Path = Join-Path -Path (Split-Path -Path $($env:AppData) -Parent) -ChildPath "Local\Microsoft\Windows Sidebar\Settings.ini"
Item = [string]::Empty
Value = ($_.Line -split "=" | Select -Last 1) -replace "%5C","\" -replace '%20'," "
Category = 'SideBar Gadgets'
}
}
}
#endregion User Sidebar gadgets
}
if ($All -or $ImageHijacks) {
Write-Verbose -Message "Looking for Image hijacks"
#region Image Hijacks
$Category = @{ Category = 'Image Hijacks'}
$null,"Wow6432Node" | Foreach-Object {
$key = "HKLM:\Software\$($_)\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$key\$($_)" -Name 'Debugger' @Category
}
}
# Autorun macro
$null,"Wow6432Node" | Foreach-Object {
Get-RegValue -Path "HKLM:\Software\$($_)\Microsoft\Command Processor" -Name "Autorun" @Category
}
# Exefile
[pscustomobject]@{
Path = "HKLM:\SOFTWARE\Classes\Exefile\Shell\Open\Command"
Item = "exefile"
Value = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\Exefile\Shell\Open\Command" -Name '(default)').'(default)'
Category = 'Image Hijacks'
}
".exe",".cmd" | Foreach-Object {
$assoc = (Get-ItemProperty -Path "HKLM:\Software\Classes\$($_)" -Name '(default)').'(default)'
[pscustomobject]@{
Path = "HKLM:\Software\Classes\$assoc\shell\open\command"
Item = $_
Value = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$assoc\Shell\Open\Command" -Name '(default)').'(default)'
Category = 'Image Hijacks'
}
}
#endregion Image Hijacks
#region User Image Hijacks
Get-RegValue -Path "HKCU:\Software\Microsoft\Command Processor" -Name "Autorun" @Category
# Exefile
if (Test-Path -Path "HKCU:\SOFTWARE\Classes\Exefile\Shell\Open\Command") {
[pscustomobject]@{
Path = "HKCU:\SOFTWARE\Classes\Exefile\Shell\Open\Command"
Item = "exefile"
Value = (Get-ItemProperty -Path "HKCU:\SOFTWARE\Classes\Exefile\Shell\Open\Command" -Name '(default)').'(default)'
Category = 'Image Hijacks'
}
}
".exe",".cmd" | Foreach-Object {
if (Test-Path -Path "HKCU:\Software\Classes\$($_)") {
$assoc = (Get-ItemProperty -Path "HKCU:\Software\Classes\$($_)" -Name '(default)'-ErrorAction SilentlyContinue).'(default)'
if ($assoc) {
[pscustomobject]@{
Path = "HKCU:\Software\Classes\$assoc\shell\open\command"
Item = $_
Value = (Get-ItemProperty -Path "HKCU:\SOFTWARE\Classes\$assoc\Shell\Open\Command" -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
Category = 'Image Hijacks'
}
}
}
}
#endregion User Image Hijacks
}
if ($All -or $InternetExplorerAddons) {
Write-Verbose -Message "Looking for Internet Explorer Add-ons entries"
#region Internet Explorer
$Category = @{ Category = 'Internet Explorer'}
# Browser Helper Objects
$null,"Wow6432Node" | Foreach-Object {
$ClassesPath = "HKLM:\SOFTWARE\$($_)\Classes\CLSID"
$key = "HKLM:\SOFTWARE\$($_)\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path $ClassesPath -ChildPath "$($_)\InprocServer32") -Name '(default)').'(default)'
Category = 'Internet Explorer'
}
}
}
}
# IE Toolbars
$null,"Wow6432Node" | Foreach-Object -Process {
Get-RegValue -Path "HKLM:\SOFTWARE\$($_)\Microsoft\Internet Explorer\Toolbar" -Name "*" @Category
}
# Explorer Bars
$null,"Wow6432Node" | Foreach-Object -Process {
$ClassesPath = "HKLM:\SOFTWARE\$($_)\Classes\CLSID"
$key = "HKLM:\SOFTWARE\$($_)\Microsoft\Internet Explorer\Explorer Bars"
try {
(Get-Item -Path $key -ErrorAction Stop).GetSubKeyNames() | ForEach-Object -Process {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path $ClassesPath -ChildPath "$($_)\InprocServer32") -Name '(default)').'(default)'
Category = 'Internet Explorer'
}
}
} catch {
}
}
# IE Extensions
$null,"Wow6432Node" | Foreach-Object {
$key = "HKLM:\SOFTWARE\$($_)\Microsoft\Internet Explorer\Extensions"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key -ErrorAction SilentlyContinue).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$key\$($_)" -Name "ClsidExtension" @Category
}
}
}
#endregion Internet Explorer
#region User Internet Explorer
# UrlSearchHooks
$ClassesPath = "HKLM:\SOFTWARE\Classes\CLSID"
$key = "HKCU:\Software\Microsoft\Internet Explorer\UrlSearchHooks"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key).GetValueNames() | ForEach-Object -Process {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path $ClassesPath -ChildPath "$($_)\InprocServer32") -Name '(default)').'(default)'
Category = 'Internet Explorer'
}
}
}
# Explorer Bars
$null,"Wow6432Node" | Foreach-Object -Process {
$ClassesPath = "HKLM:\SOFTWARE\$($_)\Classes\CLSID"
$key = "HKCU:\SOFTWARE\$($_)\Microsoft\Internet Explorer\Explorer Bars"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path $ClassesPath -ChildPath "$($_)\InprocServer32") -Name '(default)').'(default)'
Category = 'Internet Explorer'
}
}
}
}
# IE Extensions
$null,"Wow6432Node" | Foreach-Object {
$key = "HKCU:\SOFTWARE\$($_)\Microsoft\Internet Explorer\Extensions"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key -ErrorAction SilentlyContinue).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$key\$($_)" -Name "ClsidExtension" @Category
}
}
}
#endregion User Internet Explorer
}
if ($All -or $KnownDLLs) {
Write-Verbose -Message "Looking for Known DLLs entries"
#region Known Dlls
Get-RegValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs" -Name "*" -Category "Known Dlls"
#endregion Known Dlls
}
if ($All -or $Logon) {
Write-Verbose -Message "Looking for Logon Startup entries"
#region Logon
$Category = @{ Category = 'Logon'}
# Winlogon
Get-RegValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "VmApplet","Userinit","Shell","TaskMan","AppSetup" @Category
# Domain Group Policies scripts
"Startup","Shutdown","Logon","Logoff" | ForEach-Object -Process {
$key = "HKLM:\Software\Policies\Microsoft\Windows\System\Scripts\$($_)"
if (Test-Path -Path $key) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
$subkey = (Join-Path -Path $key -ChildPath $_)
(Get-Item -Path $subkey).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path (Join-Path -Path $subkey -ChildPath $_) -Name 'script' @Category
}
}
}
}
# Local GPO scripts
"Startup","Shutdown" | ForEach-Object -Process {
$key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\$($_)"
if (Test-Path -Path $key) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
$subkey = (Join-Path -Path $key -ChildPath $_)
(Get-Item -Path $subkey).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path (Join-Path -Path $subkey -ChildPath $_) -Name 'script' @Category
}
}
}
}
# Shell override by GPO
Get-RegValue -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "Shell" @Category
# AlternateShell
Get-RegValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot" -Name "AlternateShell" @Category
# Terminal server
Get-RegValue -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd" -Name "StartupPrograms" @Category
Get-RegValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce" -Name "*" @Category
Get-RegValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run" -Name "*" @Category
Get-RegValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "InitialProgram" @Category
# Run
$null,"Wow6432Node" | Foreach-Object { Get-RegValue -Path "HKLM:\SOFTWARE\$($_)\Microsoft\Windows\CurrentVersion\Run" -Name "*" @Category }
# RunOnce
$null,"Wow6432Node" | Foreach-Object { Get-RegValue -Path "HKLM:\SOFTWARE\$($_)\Microsoft\Windows\CurrentVersion\RunOnce" -Name "*" @Category }
# LNK files or direct executable
if (Test-Path -Path "$($env:systemdrive)\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" -PathType Container) {
$Wsh = new-object -comobject "WScript.Shell"
Get-ChildItem -Path "$($env:systemdrive)\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" |ForEach-Object {
$File = $_
$header = (Get-Content -Path $($_.FullName) -Encoding Byte -ReadCount 1 -TotalCount 2) -as [string]
Switch ($header) {
'77 90' {
[pscustomobject]@{
Path = "$($env:systemdrive)\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Item = $File.Name
Value = $File.FullName
Category = 'Logon'
}
break
}
'76 0' {
$shortcut = $Wsh.CreateShortcut($File.FullName)
[pscustomobject]@{
Path = "$($env:systemdrive)\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Item = $File.Name
Value = "$($shortcut.TargetPath) $($shortcut.Arguments)"
Category = 'Logon'
}
break
}
default {}
}
}
}
# Run by GPO
Get-RegValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "*" @Category
# Show all subkey that have a StubPath value
$null,"Wow6432Node" | Foreach-Object {
$key = "HKLM:\SOFTWARE\$($_)\Microsoft\Active Setup\Installed Components"
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$key\$($_)" -Name "StubPath" @Category
}
}
Get-RegValue -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows" -Name "IconServiceLib" @Category
$null,"Wow6432Node" | Foreach-Object { Get-RegValue -Path "HKLM:\SOFTWARE\$($_)\Microsoft\Windows CE Services\AutoStartOnConnect" -Name "*" @Category }
$null,"Wow6432Node" | Foreach-Object { Get-RegValue -Path "HKLM:\SOFTWARE\$($_)\Microsoft\Windows CE Services\AutoStartOnDisconnect" -Name "*" @Category }
#endregion Logon
#region User Logon
# Local GPO scripts
"Logon","Logoff" | ForEach-Object -Process {
$key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\$($_)"
if (Test-Path -Path $key) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
$subkey = (Join-Path -Path $key -ChildPath $_)
(Get-Item -Path $subkey).GetSubKeyNames() | ForEach-Object -Process {
# (Join-Path -Path $subkey -ChildPath $_)
Get-RegValue -Path (Join-Path -Path $subkey -ChildPath $_) -Name 'script' @Category
}
}
}
}
# Shell override by GPO
Get-RegValue -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "Shell" @Category
# LNK files or direct executable
if (Test-Path -Path "$($env:AppData)\Microsoft\Windows\Start Menu\Programs\Startup") {
$Wsh = new-object -comobject "WScript.Shell"
Get-ChildItem -Path "$($env:AppData)\Microsoft\Windows\Start Menu\Programs\Startup" |ForEach-Object {
$File = $_
$header = (Get-Content -Path $($_.FullName) -Encoding Byte -ReadCount 1 -TotalCount 2) -as [string]
Switch ($header) {
'77 90' {
[pscustomobject]@{
Path = "$($env:AppData)\Microsoft\Windows\Start Menu\Programs\Startup"
Item = $File.Name
Value = $File.FullName
Category = 'Logon'
}
break
}
'76 0' {
$shortcut = $Wsh.CreateShortcut($File.FullName)
[pscustomobject]@{
Path = "$($env:AppData)\Microsoft\Windows\Start Menu\Programs\Startup"
Item = $File.Name
Value = "$($shortcut.TargetPath) $($shortcut.Arguments)"
Category = 'Logon'
}
break
}
default {}
}
}
}
Get-RegValue -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows" -Name "Load" @Category
Get-RegValue -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows" -Name "Run" @Category
# Run by GPO
Get-RegValue -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" -Name "*" @Category
# Run
Get-RegValue -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "*" @Category
# RunOnce
Get-RegValue -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "*" @Category
Get-RegValue -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce" -Name "*" @Category
Get-RegValue -Path "HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run" -Name "*" @Category
#endregion User Logon
}
if ($All -or $Winsock) {
Write-Verbose -Message "Looking for Winsock protocol and network providers entries"
#region Winsock providers
$Category = @{ Category = 'Winsock Providers'}
$null,"64" | ForEach-Object -Process {
$key = "HKLM:\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries$($_)"
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
[pscustomobject]@{
Path = "$key\$($_)"
Item = 'PackedCatalogItem'
Value = ((New-Object -TypeName System.Text.ASCIIEncoding).GetString(
(Get-ItemProperty -Path "$key\$($_)" -Name PackedCatalogItem).PackedCatalogItem,0,211
) -split ([char][int]0))[0]
Category = 'Winsock Providers'
}
}
}
$null,"64" | ForEach-Object -Process {
$key = "HKLM:\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries$($_)"
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$key\$($_)" -Name 'LibraryPath' @Category
}
}
#endregion Winsock providers
#region Network providers
$Category = @{ Category = 'Network Providers'}
$key = "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order"
(Get-RegValue -Path $key -Name "ProviderOrder" @Category).Value -split "," | ForEach-Object {
Get-RegValue -Path "HKLM:\SYSTEM\CurrentControlSet\services\$($_)\NetworkProvider" -Name "ProviderPath" @Category
}
#endregion Network providers
}
if ($All -or $Codecs) {
Write-Verbose -Message "Looking for Codecs"
#region Codecs
$Category = @{ Category = 'Codecs'}
# Drivers32
$null,"Wow6432Node" | Foreach-Object {
Get-RegValue -Path "HKLM:\Software\$($_)\Microsoft\Windows NT\CurrentVersion\Drivers32" -Name "*" @Category
}
# Filter
$key = "HKLM:\Software\Classes\Filter"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path "HKLM:\SOFTWARE\Classes\CLSID" -ChildPath "$($_)\InprocServer32") -Name '(default)').'(default)'
Category = 'Codecs'
}
}
}
# Instances
@("{083863F1-70DE-11d0-BD40-00A0C911CE86}","{AC757296-3522-4E11-9862-C17BE5A1767E}",
"{7ED96837-96F0-4812-B211-F13C24117ED3}","{ABE3B9A4-257D-4B97-BD1A-294AF496222E}") | Foreach-Object -Process {
$Item = $_
$null,"Wow6432Node" | Foreach-Object {
$key = "HKLM:\Software\$($_)\Classes\CLSID\$Item\Instance"
$clsidp = "HKLM:\Software\$($_)\Classes\CLSID"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
try {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path $clsidp -ChildPath "$($_)\InprocServer32") -Name '(default)' -ErrorAction Stop).'(default)'
Category = 'Codecs'
}
} catch {
}
}
}
}
}
#endregion Codecs
#region User Codecs
# Drivers32
$null,"Wow6432Node" | Foreach-Object {
Get-RegValue -Path "HKCU:\Software\$($_)\Microsoft\Windows NT\CurrentVersion\Drivers32" -Name "*" @Category
}
# Filter
$key = "HKCU:\Software\Classes\Filter"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path "HKCU:\SOFTWARE\Classes\CLSID" -ChildPath "$($_)\InprocServer32") -Name '(default)').'(default)'
Category = 'Codecs'
}
}
}
# Instances
@("{083863F1-70DE-11d0-BD40-00A0C911CE86}","{AC757296-3522-4E11-9862-C17BE5A1767E}",
"{7ED96837-96F0-4812-B211-F13C24117ED3}","{ABE3B9A4-257D-4B97-BD1A-294AF496222E}") | Foreach-Object -Process {
$Item = $_
$null,"Wow6432Node" | Foreach-Object {
$key = "HKCU:\Software\$($_)\Classes\CLSID\$Item\Instance"
if (Test-Path -Path $key -PathType Container) {
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
try {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path "HKCU:\SOFTWARE\Classes\CLSID" -ChildPath "$($_)\InprocServer32") -Name '(default)' -ErrorAction Stop).'(default)'
Category = 'Codecs'
}
} catch {
}
}
}
}
}
#endregion User Codecs
}
if ($All -or $PrintMonitorDLLs) {
Write-Verbose -Message "Looking for Print Monitor DLLs entries"
#region Print monitors
$Category = @{ Category = 'Print Monitors'}
$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors"
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$key\$($_)" -Name 'Driver' @Category
}
#endregion Print monitors
}
if ($All -or $LSAsecurityProviders) {
Write-Verbose -Message "Looking for LSA Security Providers entries"
#region LSA providers
$Category = @{ Category = 'LSA Providers'}
# REG_SZ
Get-RegValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders" -Name 'SecurityProviders' @Category
# REG_MULTI_SZ
"Authentication Packages","Notification Packages","Security Packages" | ForEach-Object {
$item = $_
(Get-RegValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name $_ @Category).Value | ForEach-Object {
if ($_ -ne '""') {
[pscustomobject]@{
Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
Item = $item
Value = $_
Category = 'LSA Providers'
}
}
}
}
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages
if (Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig" -PathType Container) {
(Get-RegValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig" -Name "Security Packages" @Category).Value | ForEach-Object {
[pscustomobject]@{
Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig"
Item = "Security Packages"
Value = $_
Category = 'LSA Providers'
}
}
}
#endregion LSA providers
}
if ($All -or $ServicesAndDrivers) {
Write-Verbose -Message "Looking for Services and Drivers"
#region Services
(Get-Item -Path "HKLM:\System\CurrentControlSet\Services").GetSubKeyNames() | ForEach-Object {
$Type = $null
$key = "HKLM:\System\CurrentControlSet\Services\$($_)"
try {
$Type = Get-ItemProperty -Path $key -Name Type -ErrorAction Stop
} catch {
}
if ($Type) {
Switch ($Type.Type) {
1 {
Get-RegValue -Path $key -Name "ImagePath" -Category 'Drivers'
break
}
16 {
Get-RegValue -Path $key -Name "ImagePath" -Category 'Services'
Get-RegValue -Path "$key\Parameters" -Name "ServiceDll" -Category 'Services'
break
}
32 {
Get-RegValue -Path $key -Name "ImagePath" -Category 'Services'
Get-RegValue -Path "$key\Parameters" -Name "ServiceDll" -Category 'Services'
break
}
default {
# $_
}
}
}
}
#endregion Services
}
if ($All -or $ScheduledTasks) {
Write-Verbose -Message "Looking for Scheduled Tasks"
#region Scheduled Tasks
Get-AllScheduledTasks | Get-Task | ForEach-Object {
$Value = $null
$Value = if (
($node = ([xml]$_.XML).Task.get_ChildNodes() | Where Name -eq 'Actions' ).HasChildNodes
) {
# $node can have Exec or comHandler or both childs (ex: MediaCenter tasks)
switch ($node.get_ChildNodes().Name) {
Exec {
$subnode = ($node.get_ChildNodes() | Where { $_.Name -eq "Exec"})
if ($subnode.get_ChildNodes() | Where Name -eq 'Arguments' | Select -ExpandProperty '#text') {
'{0} {1}' -f ($subnode.get_ChildNodes() | Where Name -eq 'Command' | Select -ExpandProperty '#text'),
($subnode.get_ChildNodes() | Where Name -eq 'Arguments' | Select -ExpandProperty '#text');
} else {
$subnode.get_ChildNodes() | Where Name -eq 'Command' | Select -ExpandProperty '#text' ;
}
break;
}
ComHandler {
$subnode = ($node.get_ChildNodes() | Where { $_.Name -eq "ComHandler"})
if ($subnode.get_ChildNodes()| Where Name -eq 'Data' | Select -ExpandProperty InnerText) {
'{0} {1}'-f ($subnode.get_ChildNodes() | Where Name -eq 'ClassId' | Select -ExpandProperty '#text'),
($subnode.get_ChildNodes() | Where Name -eq 'Data' | Select -ExpandProperty InnerText);
} else {
$subnode.get_ChildNodes() | Where Name -eq 'ClassId' | Select -ExpandProperty '#text';
}
break;
}
default {}
}
}
[pscustomobject]@{
Path = (Join-Path -Path "$($env:systemroot)\system32\Tasks" -ChildPath "$($_.Path)\$($_.Name)") ;
Item = $_.Name
Value = $Value ;
Category = "Task" ;
}
}
#endregion Scheduled Tasks
}
if ($All -or $Winlogon) {
Write-Verbose -Message "Looking for Winlogon entries"
#region Winlogon
$Category = @{ Category = 'Winlogon'}
Get-RegValue -Path "HKLM:\SYSTEM\Setup" -Name "CmdLine" @Category
"Credential Providers","Credential Provider Filters","PLAP Providers" | ForEach-Object {
$key = Join-Path -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication" -ChildPath $_
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
[pscustomobject]@{
Path = $key
Item = $_
Value = (Get-ItemProperty -Path (Join-Path -Path "HKLM:\SOFTWARE\Classes\CLSID" -ChildPath "$($_)\InprocServer32") -Name '(default)').'(default)'
Category = 'Winlogon'
}
}
}
"System","SaveDumpStart" | ForEach-Object {
Get-RegValue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name $_ @Category
}
# Notify doesn't exist on Windows 8.1
if (Test-Path -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -PathType Container) {
$key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
(Get-Item -Path $key).GetSubKeyNames() | ForEach-Object -Process {
Get-RegValue -Path "$key\$($_)" -Name 'DLLName' @Category
}
}
if (Test-Path -Path "HKLM:\System\CurrentControlSet\Control\BootVerificationProgram" -PathType Container) {
Get-RegValue -Path "HKLM:\System\CurrentControlSet\Control\BootVerificationProgram" -Name "ImagePath" @Category
}
#endregion Winlogon
#region User Winlogon
Get-RegValue -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop" -Name "Scrnsave.exe" @Category
Get-RegValue -Path "HKCU:\Control Panel\Desktop" -Name "Scrnsave.exe" @Category
#endregion User Winlogon
}
if ($All -or $WMI) {
Write-Verbose -Message "Looking for WMI Database entries"
# Temporary events created with Register-CimIndicationEvent or Register-WMIEvent
<#
Get-EventSubscriber -ErrorAction SilentlyContinue | ForEach-Object -Process {
$job = $_ | Select -ExpandProperty Action
if ($job.Command) {
Write-Warning -Message "A temporary WMI Event subscription was found"
}
}
#>
# Permanent events
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer -ErrorAction SilentlyContinue| Where { $_.__CLASS -eq "ActiveScriptEventConsumer" } | ForEach-Object {
if ($_.ScriptFileName) {
[pscustomobject]@{
Path = $_.__PATH ;
Item = $_.Name
Value = $_.ScriptFileName ;
Category = "WMI" ;
}
} elseif ($_.ScriptText) {
[pscustomobject]@{
Path = $_.__PATH ;
Item = $_.Name
Value = $null ;
Category = "WMI" ;
}
}
}
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer -ErrorAction SilentlyContinue| Where { $_.__CLASS -eq "CommandlineEventConsumer" } | ForEach-Object {
[pscustomobject]@{
Path = $_.__PATH ;
Item = $_.Name
Value = "$($_.WorkingDirectory)$($_.ExecutablePath)" ;# $($_.CommandLineTemplate)" ;
Category = "WMI" ;
}
}
}
}
End {
}
}
Function Get-PSPrettyAutorun {
[CmdletBinding()]
Param(
[Parameter(Mandatory,ValueFromPipeLine)]
[system.object[]]$RawAutoRun
)
Begin {}
Process {
$RawAutoRun | ForEach-Object {
$Item = $_
Switch ($Item.Category) {
Task {
Write-Verbose -Message "Reading Task $($Item.Path)"
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
Switch -Regex ($Item.Value ) {
#GUID
'^(\{)?[A-Za-z0-9]{4}([A-Za-z0-9]{4}\-?){4}[A-Za-z0-9]{12}(\})?' {
# $clsid = ($_ -split "\s")[0]
$clsid = ([system.guid]::Parse( ($_ -split "\s")[0])).ToString('B')
if (Test-Path (Join-Path -Path "HKLM:\SOFTWARE\Classes\CLSID" -ChildPath "$($clsid)\InprocServer32") -PathType Container) {
Write-Verbose -Message "Reading from InprocServer32"
(Get-ItemProperty -Path (Join-Path -Path "HKLM:\SOFTWARE\Classes\CLSID" -ChildPath "$($clsid)\InprocServer32") -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
} elseif (Test-Path (Join-Path -Path "HKLM:\SOFTWARE\Classes\CLSID" -ChildPath "$($clsid)\LocalServer32") -PathType Container) {
Write-Verbose -Message "Reading from LocalServer32"
(Get-ItemProperty -Path (Join-Path -Path "HKLM:\SOFTWARE\Classes\CLSID" -ChildPath "$($clsid)\LocalServer32") -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
} else {
try {
Write-Verbose -Message "Reading from AppID"
$appid = (Get-ItemProperty -Path (Join-Path -Path "HKLM:\SOFTWARE\Classes\CLSID" -ChildPath "$($clsid)") -Name 'AppId' -ErrorAction Stop).'AppId'
"$($env:systemroot)\system32\sc.exe"
} catch {
# Write-Warning -Message "AppId not found for $clsid"
}
}
break
}
# Rundll32
'^(%windir%\\system32\\)?rundll32\.exe\s(/[a-z]\s)?.*,.*' {
Join-Path -Path "$($env:systemroot)\system32" -ChildPath (
@([regex]'^(%windir%\\system32\\)?rundll32\.exe\s(/[a-z]\s)?(%windir%\\system32\\)?(?<File>.*),').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
)
break
}
# Windir\system32
'^(%windir%|%(s|S)ystem(r|R)oot%|C:\\Windows)\\(s|S)ystem32\\.*\.(exe|vbs)' {
Join-Path -Path "$($env:systemroot)\system32" -ChildPath (
@([regex]'^(%windir%|%(s|S)ystem(r|R)oot%|C:\\Windows)\\(s|S)ystem32\\(?<File>.*\.(exe|vbs))(\s)?').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
)
break
}
# windir\somethingelse
'^(%windir%|%(s|S)ystem(r|R)oot%|C:\\Windows)\\.*\\.*\.(exe|vbs)' {
Join-Path -Path "$($env:systemroot)" -ChildPath (
@([regex]'^(%windir%|%(s|S)ystem(r|R)oot%|C:\\Windows)\\(?<File>.*\\.*\.(exe|vbs))(\s)?').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
)
break
}
# special W7 case with media center
'^%SystemRoot%\\ehome\\.*\s' {
# "$($env:systemroot)\ehome\ehrec.exe"
Join-Path -Path "$($env:systemroot)\ehome" -ChildPath "$(
@([regex]'^%SystemRoot%\\ehome\\(?<FileName>.*)\s').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
).exe"
break
}
# ProgramFiles
'^"?(C:\\Program\sFiles|%ProgramFiles%)\\' {
Join-Path -Path "$($env:ProgramFiles)" -ChildPath (
@([regex]'^"?(C:\\Program\sFiles|%ProgramFiles%)\\(?<File>.*\.exe)("|\s)?').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
)
break
}
# ProgramFilesx86
'^"?(C:\\Program\sFiles\s\(x86\)|%ProgramFiles\(x86\)%)\\' {
Join-Path -Path "$(${env:ProgramFiles(x86)})" -ChildPath (
@([regex]'^"?(C:\\Program\sFiles\s\(x86\)|%ProgramFiles\(x86\)%)\\(?<File>.*\.exe)("|\s)?').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
)
break
}
# FileName.exe
'[a-zA-Z0-9]*\.exe(\s)?' {
# '[a-zA-Z0-9]*(\.exe\s)?' {
Join-Path -Path "$($env:systemroot)\system32" -ChildPath "$(
@([regex]'^(?<FileName>[a-zA-Z0-9]*)(\.exe\s)?').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
).exe"
break
}
"^aitagent(\s/increment)?" {
"$($env:systemroot)\system32\aitagent.exe"
break
}
default {
$_
}
} #endof switch
) -Force -PassThru
break;
}
AppInit {
if ($Item.Value -eq [string]::Empty) {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $null -Force -PassThru
} else {
# Switch ? malware example
Add-Member -MemberType NoteProperty -Name ImagePath -Value "$($Item.Value)" -Force -PassThru
}
break
}
"Boot Execute" {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
Switch -Regex ($Item.Value) {
'^autocheck\sautochk\s' {
"$($env:SystemRoot)\system32\autochk.exe"
break;
}
default {
$Item.Value
}
}
) -Force -PassThru
break
}
Codecs {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
Switch -Regex ($Item.Value) {
"^[A-Z]:\\Windows\\" {
if ($Item.Path -match "Wow6432Node") {
$_ -replace "system32","SysWOW64"
} else {
$_
}
break
}
# "^[A-Z]:\\Program\sFiles" {
"^[A-Z]:\\[Pp]rogra" {
$_ | Get-NormalizedFileSystemPath
break
}
default {
if ($Item.Path -match "Wow6432Node") {
Join-Path "$($env:systemroot)\Syswow64" -ChildPath $_
} else {
Join-Path "$($env:systemroot)\System32" -ChildPath $_
}
}
}
) -Force -PassThru
break
}
Drivers {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
switch -Regex ($Item.Value) {
"^\\SystemRoot\\System32\\drivers\\" {
$_ -replace "\\Systemroot","$($env:systemroot)"
break;
}
"^System32\drivers\\" {
Join-Path -Path "$($env:systemroot)" -ChildPath $_
break;
}
"^System32\\drivers\\" {
Join-Path -Path "$($env:systemroot)" -ChildPath $_
break;
}
"^system32\\DRIVERS\\" {
Join-Path -Path "$($env:systemroot)" -ChildPath $_
break;
}
"^\\\?\?\\C:\\Windows\\system32\\drivers" {
$_ -replace "\\\?\?\\",""
break;
}
"^System32\\CLFS\.sys" {
$_ -replace "System32\\","$($env:systemroot)\system32\"
}
'^"?[A-Za-z]\\[Pp]rogram\s[fF]iles.*\\(?<FilePath>.*\\\.exe)\s?' {
Join-Path -Path "$($env:ProgramFiles)" -ChildPath (
@([regex]'^"?[A-Za-z]\\[Pp]rogram\s[fF]iles.*\\(?<FilePath>.*\\\.exe)\s?').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
)
break
}
default {
$_
}
}) -Force -PassThru
break
}
Explorer {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
if ($Item.Value -match "^[A-Z]:\\") {
if ($Item.Path -match "Wow6432Node") {
$Item.Value -replace "system32","syswow64" | Get-NormalizedFileSystemPath
} else {
$Item.Value | Get-NormalizedFileSystemPath
}
} else {
if ($Item.Path -match "Wow6432Node") {
Join-Path -Path "$($env:systemroot)\syswow64" -ChildPath $Item.Value
} else {
Join-Path -Path "$($env:systemroot)\system32" -ChildPath $Item.Value
}
}
) -Force -PassThru
break
}
"Image Hijacks" {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $null -Force -PassThru
break
}
"Internet Explorer" {
if ($Item.Item -ne "Locked") {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
$Item.Value | Get-NormalizedFileSystemPath
) -Force -PassThru
}
break
}
"Known Dlls" {
if ( (Test-Path -Path $Item.Value -PathType Container) -and ($Item.Item -match "DllDirectory")) {
} else {
# Duplicate objects
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
Join-Path -Path "$($env:SystemRoot)\System32" -ChildPath $Item.Value
) -Force -PassThru
if ([environment]::Is64BitOperatingSystem) {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
Join-Path -Path "$($env:SystemRoot)\Syswow64" -ChildPath $Item.Value
) -Force -PassThru
}
}
break
}
Logon {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
switch -Regex ($Item.Value) {
'\\Rundll32\.exe\s' {
(($_ -split '\s')[1] -split ",")[0]
break;
}
'\\Rundll32\.exe"' {
(($_ -split '\s',2)[1] -split ",")[0] -replace '"',""
break;
}
'^"[A-Z]:\\Program' {
($_ -split '"')[1]
break;
}
'^"[A-Z]:\\Windows' {
$_
break;
}
'rdpclip' {
"$($env:SystemRoot)\system32\$($_).exe"
break
}
'^Explorer\.exe$' {
"$($env:SystemRoot)\$($_)"
break
}
# regsvr32.exe /s /n /i:U shell32.dll
'^regsvr32\.exe\s/s\s/n\s/i:U\sshell32\.dll' {
if ($Item.Path -match "Wow6432Node") {
"$($env:SystemRoot)\syswow64\shell32.dll"
}else {
"$($env:SystemRoot)\system32\shell32.dll"
}
break
}
'^C:\\Windows\\system32\\regsvr32\.exe\s/s\s/n\s/i:/UserInstall\sC:\\Windows\\system32\\themeui\.dll' {
if ($Item.Path -match "Wow6432Node") {
"$($env:SystemRoot)\syswow64\themeui.dll"
}else {
"$($env:SystemRoot)\system32\themeui.dll"
}
break
}
'^C:\\Windows\\system32\\cmd\.exe\s/D\s/C\sstart\sC:\\Windows\\system32\\ie4uinit\.exe\s\-ClearIconCache' {
if ($Item.Path -match "Wow6432Node") {
"$($env:SystemRoot)\syswow64\ie4uinit.exe"
}else {
"$($env:SystemRoot)\system32\ie4uinit.exe"
}
break
}
'^[A-Z]:\\Windows\\Sys' {
if ($Item.Path -match "Wow6432Node") {
(($_ -split "\s")[0] -replace ',','') -replace "System32","Syswow64"
} else {
(($_ -split "\s")[0] -replace ',','')
}
break
}
'^[a-zA-Z0-9]+\.(exe|dll)' {
if ($Item.Path -match "Wow6432Node") {
Join-Path -Path "$($env:SystemRoot)\syswow64" -ChildPath ($_ -split "\s")[0]
} else {
Join-Path -Path "$($env:SystemRoot)\system32" -ChildPath ($_ -split "\s")[0]
}
break
}
'^RunDLL32\s' {
Join-Path -Path "$($env:SystemRoot)\system32" -ChildPath (($_ -split '\s')[1] -split ",")[0]
break;
}
# ProgramFiles
'^[A-Za-z]:\\Program\sFiles\\' {
Join-Path -Path "$($env:ProgramFiles)" -ChildPath (
@([regex]'[A-Za-z]:\\Program\sFiles\\(?<File>.*\.exe)\s?').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
)
break
}
# ProgramFilesx86
'^[A-Za-z]:\\Program\sFiles\s\(x86\)\\' {
Join-Path -Path "$(${env:ProgramFiles(x86)})" -ChildPath (
@([regex]'[A-Za-z]:\\Program\sFiles\s\(x86\)\\(?<File>.*\.exe)\s?').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
)
break
}
default {
Write-Verbose -Message "default: $_"
[string]::Empty
# $_
}
}
) -Force -PassThru
break
}
"LSA Providers" {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
if ($Item.Value -match "\.dll$") {
Join-Path -Path "$($env:SystemRoot)\system32" -ChildPath $Item.Value
} else {
Join-Path -Path "$($env:SystemRoot)\system32" -ChildPath "$($Item.Value).dll"
}
) -Force -PassThru
break
}
"Network Providers" {
$Item | Add-Member -MemberType ScriptProperty -Name ImagePath -Value $({$this.Value}) -Force -PassThru
}
"Print Monitors" {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
Join-Path -Path "$($env:SystemRoot)\System32" -ChildPath $Item.Value
) -Force -PassThru
break
}
Services {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
switch -Regex ($Item.Value) {
'^"?[A-Za-z]:\\[Ww]indows\\' {
Join-Path -Path "$($env:systemroot)" -ChildPath (
@([regex]'^"?[A-Za-z]:\\[Ww]indows\\(?<FilePath>.*\\.*\.(exe|dll))\s?').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
)
break
}
'^"?[A-Za-z]:\\[Pp]rogram\s[fF]iles\\(?<FileName>.*\.[eE][xX][eE])\s?' {
Join-Path -Path "$($env:ProgramFiles)" -ChildPath (
@([regex]'^"?[A-Za-z]:\\[Pp]rogram\s[fF]iles\\(?<FileName>.*\.[eE][xX][eE])\s?').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
)
break
}
'^"?[A-Za-z]:\\[Pp]rogram\s[fF]iles\s\(x86\)\\(?<FileName>.*\.exe)\s?' {
Join-Path -Path "$(${env:ProgramFiles(x86)})" -ChildPath (
@([regex]'^"?[A-Za-z]:\\[Pp]rogram\s[fF]iles\s\(x86\)\\(?<FileName>.*\.exe)\s?').Matches($_) |
Select -Expand Groups | Select -Last 1 | Select -ExpandProperty Value
)
break
}
"winhttp.dll" {
Join-Path -Path "$($env:SystemRoot)\System32" -ChildPath "winhttp.dll"
break
}
default {
$_
}
}) -Force -PassThru
break
}
Winlogon {
# this works on W8.1
# $Item | Add-Member -MemberType ScriptProperty -Name ImagePath -Value $({$this.Value}) -Force -PassThru
# for backward compatibility with W7 we do:
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
Switch -Regex ($Item.Value) {
'^[a-zA-Z0-9]*\.[dDlL]{3}' {
Join-Path -Path "$($env:SystemRoot)\System32" -ChildPath $Item.Value
break
}
default {
$_;
}
}
) -Force -PassThru
break
}
"Winsock Providers" {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $(
Switch -Regex ($Item.Value) {
"^%SystemRoot%\\system32\\" {
$_ -replace "%SystemRoot%","$($env:SystemRoot)";
break;
}
default {
$_;
}
}
) -Force -PassThru
break
}
WMI {
if ($Item.Value) {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $($Item.Value) -Force -PassThru
} else {
$Item | Add-Member -MemberType NoteProperty -Name ImagePath -Value $null -Force -PassThru
}
break
}
default {
}
}
}
}
End {}
}
Function Add-PSAutoRunExtendedInfo {
[CmdletBinding()]
Param(
[Parameter(Mandatory,ValueFromPipeLine)]
[system.object[]]$RawAutoRun
)
Begin {}
Process {
$RawAutoRun | ForEach-Object {
$o = [pscustomobject]@{
Path = $_.Path ;
Item = $_.Item ;
Category = $_.Category ;
Value = $_.Value
ImagePath = $_.ImagePath ;
Size = $null;
LastWriteTime = $null;
Version = $null;
}
If ($_.ImagePath) {
try {
$extinfo = Get-Item -Path $_.ImagePath -ErrorAction Stop
$o.Size = $extinfo.Length;
$o.Version = $extinfo.VersionInfo.ProductVersion;
$o.LastWriteTime = $extinfo.LastWriteTime;
$o
} catch {
$o
}
} else {
$o
}
}
}
End{}
}
Function Add-PSAutoRunHash {
[CmdletBinding()]
Param(
[Parameter(Mandatory,ValueFromPipeLine)]
[system.object[]]$RawAutoRun,
[Switch]$ShowFileHash
)
Begin {}
Process {
$RawAutoRun | ForEach-Object {
If ($ShowFileHash) {
if ($_.ImagePath) {
If (Test-Path -Path $($_.ImagePath) -PathType Leaf) {
$_ | Add-Member -MemberType NoteProperty -Name MD5 -Value $(
(Get-FileHash -Path $($_.ImagePath) -Algorithm MD5).Hash
) -Force -PassThru |
Add-Member -MemberType NoteProperty -Name SHA1 -Value $(
(Get-FileHash -Path $($_.ImagePath) -Algorithm SHA1).Hash
) -Force -PassThru |
Add-Member -MemberType NoteProperty -Name SHA256 -Value $(
(Get-FileHash -Path $($_.ImagePath) -Algorithm SHA256).Hash
) -Force -PassThru
} else {
$_ | Add-Member -MemberType NoteProperty -Name MD5 -Value $null -Force -PassThru |
Add-Member -MemberType NoteProperty -Name SHA1 -Value $null -Force -PassThru |
Add-Member -MemberType NoteProperty -Name SHA256 -Value $null -Force -PassThru
}
} else {
$_ | Add-Member -MemberType NoteProperty -Name MD5 -Value $null -Force -PassThru |
Add-Member -MemberType NoteProperty -Name SHA1 -Value $null -Force -PassThru |
Add-Member -MemberType NoteProperty -Name SHA256 -Value $null -Force -PassThru
}
} else {
$_
}
}
}
End {}
}
Function Add-PSAutoRunAuthentiCodeSignature {
[CmdletBinding()]
Param(
[Parameter(Mandatory,ValueFromPipeLine)]
[system.object[]]$RawAutoRun,
[Switch]$VerifyDigitalSignature
)
Begin {}
Process {
$RawAutoRun | ForEach-Object {
If ($VerifyDigitalSignature) {
if ($_.ImagePath) {
If (Test-Path -Path $_.ImagePath -PathType Leaf) {
$_ | Add-Member -MemberType ScriptProperty -Name Signed -Value ({
try {
$signature = Get-AuthenticodeSignature -FilePath $($this.ImagePath) -ErrorAction Stop
Switch ($signature.Status) {
'Valid' {
$true
break
}
'NotSigned' {
$false
break
}
default {
$false
}
}
} catch {
$false
}
}) -Force -PassThru
}
} else {
$_ | Add-Member -MemberType NoteProperty -Name Signed -Value $null -Force -PassThru
}
} else {
$_
}
}
}
End{}
}
#endregion Helperfunctions
}
Process {
if ($PSBoundParameters.ContainsKey('ShowFileHash')) {
$GetHash = $true
} else {
$GetHash = $false
}
if ($PSBoundParameters.ContainsKey('VerifyDigitalSignature')) {
$GetSig = $true
} else {
$GetSig = $false
}
Get-PSRawAutoRun @PSBoundParameters |
Get-PSPrettyAutorun |
Add-PSAutoRunExtendedInfo |
Add-PSAutoRunHash -ShowFileHash:$GetHash |
Add-PSAutoRunAuthentiCodeSignature -VerifyDigitalSignature:$GetSig
}
End {}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.