I want to know if there is a command that will list the information that can be found in the Digital Signatures section of the properties of a .exe. Particularly I want to be able to grab the Name of the signer. Is there a command that will generate that information for me?
To get the subject name from the signer certificate used to create an Authenticode signature, you could use Get-AuthenticodeSignature:
PS > $asig = Get-AuthenticodeSignature 'C:\Windows\System32\xcopy.exe'
PS > $asig.SignerCertificate.Subject
CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
You're probably interested in the Common Name (CN), and maybe the Organization name (O). You can parse the Distinguished Name from Subject into its components to get the Common Name:
PS > $asig = Get-AuthenticodeSignature 'C:\Windows\System32\xcopy.exe'
PS > $dnDict = ($asig.SignerCertificate.Subject -split ', ') |
         foreach `
             { $dnDict = @{} } `
             { $item = $_.Split('='); $dnDict[$item[0]] = $item[1] } `
             { $dnDict }
PS > $dnDict['CN']
Microsoft Windows
PS > $dnDict['O']
Microsoft Corporation
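An added example, not part of the original answer: splitting Subject on ', ' breaks when a value itself contains a comma, and the subject text only means something when the signature validates. This sketch reads the names through the certificate object and reports the signature status beside them; Get-SignerIdentity is a hypothetical helper name.

```powershell
# Added example. Get-SignerIdentity is a hypothetical helper, not a built-in cmdlet.
function Get-SignerIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $sig  = Get-AuthenticodeSignature -LiteralPath $Path
        $cert = $sig.SignerCertificate
        $cn = $null; $org = $null; $thumb = $null

        if ($cert) {
            $thumb = $cert.Thumbprint
            # SimpleName resolves to the CN when the subject carries one.
            $cn = $cert.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

            # Format($true) prints one RDN per line, so a ", " inside a value
            # cannot be mistaken for a separator. A value may come back wrapped
            # in double quotes; trim them.
            foreach ($rdn in ($cert.SubjectName.Format($true) -split "`r?`n")) {
                if ($rdn -match '^O=(.*)$') { $org = $Matches[1].Trim().Trim('"') }
            }
        }

        [pscustomobject]@{
            Path         = $Path
            Status       = $sig.Status
            # Only a Valid status means the chain and file hash checked out;
            # for any other status the names are just unverified text.
            Trusted      = ($sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid)
            CommonName   = $cn
            Organization = $org
            Thumbprint   = $thumb
        }
    }
}

Get-SignerIdentity 'C:\Windows\System32\xcopy.exe'
```

Because the parameter accepts FullName from the pipeline, Get-ChildItem output can be piped straight into it to survey a directory.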
The Sigcheck tool from Microsoft's Windows Sysinternals can dump the information out. Using the -c command line option formats the output in a csv format which can be piped to a file for later processing.
Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains.
Try signtool.exe. Use the following reference regarding signtool:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx
This is to output on the console:
writeln(GETDOSOutput('powershell write-host =(Get-AuthenticodeSignature ''C:\Program Files\Streaming\maxbox4\maXbox4.exe'').SignerCertificate.Subject', 'C:\'));
I would like to use winget to search for all packages and store them in a text file or a variable. Later on I would like to sort them in a list with "Name" and "ID". Unfortunately it seems like you cannot search just for winget package Names and IDs directly using winget.exe
What I have tried so far:
Clear-Host
if (Test-Path -path "$env:temp\download_winget"){
write-host "Folder exists. Continuing..."
}
else{
write-Host "There is no folder called winget_download!`nCreating..."
mkdir "$env:temp\download_winget"
}
$get_winget_packages = winget search . --accept-source-agreements | Out-File "$env:temp\download_winget\winget_packages.txt" -Encoding utf8
(Yes I know, you can also use winget search """")
My Output: (a sample) (using get-content "$env:temp\download_winget\winget_packages.txt")
Name ID Version Ãœbereinstimmung Quelle
-----------------------------------------------------------------------------------------------------------------------
...
...
...
Windows Package Manager Manifest Creator Microsoft.WingetCreate 1.1.2.0 winget
Remote Desktop Services Infrastructure A… Microsoft.WindowsVirtualDesktopAge… 1.0.5739.9800 winget
Windows Terminal Preview Microsoft.WindowsTerminal.Preview 1.16.3463.0 winget
Windows Admin Center Microsoft.WindowsAdminCenter 1.3.53858.0 winget
Windows Assessment and Deployment Kit Microsoft.WindowsADK 10.1.22621.1 winget
...
...
...
As you can see, I displayed with gc "$env:temp\download_winget\winget_packages.txt" the content of the earlier created file. Unfortunately some of the lines are not displayed correctly. For example:
Remote Desktop Services Infrastructure A… Microsoft.WindowsVirtualDesktopAge… 1.0.5739.9800 winget
I did not find any solution to get all winget packages full Name or full ID using winget search .
Even running this directly in PowerShell or CMD, it will display some package Names and ID not fully. Changing the Encoding to utf32, ascii, utf7 or something else won't change anything too.
Is there a workaround to show the correct/full names of all winget packages Name and ID?
I even tried it with a new powershell process with windowstyle maximized:
Start-Process powershell.exe -ArgumentList ("winget search ." , "| Out-File '$env:temp\download_winget\winget_packages_lol.txt' -Encoding utf8") -WindowStyle Maximized
My Output (a sample):
Name ID Version Ãœbereinstimmung Quelle
-----------------------------------------------------------------------------------------------------------------------
BitRecover Windows Live Mail Converter Wizard BitRecover.WindowsLiveMailConver 7.5 winget
or
Name ID Version Ãœbereinstimmung Quelle
-----------------------------------------------------------------------------------------------------------------------
ECLiPSe Constraint Logic Programming System Version  Coninfer.ECLiPSeCLP.7.0 7.0 #63 winget
My next steps would look like this:
$file = gc "$env:temp\download_winget\winget_packages_lol.txt"
$file | sort | Get-Unique | Set-Content "$env:temp\download_winget\winget_packages_lol.txt"
I would also work here with substrings, but as mentioned earlier this can't work if I can't get the full winget packages Name and ID.
What can I do here?
WinGet releases have started including a Microsoft.WinGet.Client powershell module in the "Assets" section.
I am planning to deploy Windows 10 using SCCM 2012. It is working fine, and now I just want to rename the computer to be same as its DELL service tag, and make it as part of Task Sequence. I would ideally like to use Powershell script to do so, however happy to use VBS as well, in case it isn't easy enough with PS.
Following is the Powershell script that does the job, however I can't add it as part of Task Sequence!
$sTag = Get-WmiObject -Class win32_BIOS | Select SerialNumber
$cName = 'DESKTOP' + $sTag.SerialNumber
Rename-Computer -NewName $cName
Can someone please assist?
Thanks in advance.
I think you would be better off not renaming the computer after it is already present in sccm and ad but give it a proper name before it is joined (assuming you use unknown computer support for the osd here)
In this case you should set the SCCM Variable OSDComputerName already within the WinPE phase like this (you can find more detailed examples e.g. here):
$sTag = Get-WmiObject -Class win32_BIOS | Select SerialNumber
$OSDComputerName = 'DESKTOP' + $sTag.SerialNumber
$TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$TSEnv.Value("OSDComputerName") = $OSDComputerName
If you want to use powershell in PE you will have to modify your boot image (Right click --> Properties --> Optional Components) to include "Windows PowerShell"
I am wondering what are the GUID suffixes for the RSA key container files stored in the machine and user key container stores. I cannot identify some of these as key containers through CAPI/CNG, although I'll expose my case using command line tools instead. Commands below are for PowerShell in an elevated prompt. On most machines, the GUID suffix is the same for all these file names, but on this one there are four different GUIDs, while the API is returning only keys with only one. What is this GUID? I do not like random secrets stored by I do not know what on my machine; are they safe to delete?
The content of the machine store directory is:
> ls -n $env:ProgramData\Microsoft\Crypto\Rsa\MachineKeys | sort { "$_"[-3..-1] }
d1f9044f5d7345da71c0d2efd2e4f59e_e9f96f2e-b8b7-49b2-85a5-840195eca603
d6d986f09a1ee04e24c949879fdb506c_a4dc5a56-574d-4e4b-ba8d-d88984f9a6c5
6de9cb26d2b98c01ec4e9e8b34824aa2_a4dc5a56-574d-4e4b-ba8d-d88984f9a6c5
76944fb33636aeddb9590521c2e8815a_a4dc5a56-574d-4e4b-ba8d-d88984f9a6c5
d6d986f09a1ee04e24c949879fdb506c_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
d1f9044f5d7345da71c0d2efd2e4f59e_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
76944fb33636aeddb9590521c2e8815a_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
6de9cb26d2b98c01ec4e9e8b34824aa2_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
ba8e1b9b5510957b3af7b811f05660de_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
d1f9044f5d7345da71c0d2efd2e4f59e_c6a7fc9d-32a6-41e4-afd5-7dc7b822029e
I sorted the list by the last three characters, so that it's easy to see at a glance that there are 4 distinct GUID suffixes to the key container files. Now let's enumerate the keys reported by all installed CSPs. I'll get the list of providers, and later the list of each provider's keys using the certutil tool that comes with Windows. Its output requires some regex magic for parsing, which is not essential, just convenient:
> certutil -csplist | sls '^Provider Name: (.*)' | %{ $_.Matches[0].Groups[1].Value }
Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Microsoft Base DSS Cryptographic Provider
[...snip...]
The output for a single key lists the name, flags and the key container ID, the latter matching respective file name in the above directory (of course, we can see more keys from additional KSPs, smart cards, TPM etc.). Example for one provider (the -q makes some providers fail silently instead of asking for user's action, such as inserting a SmartCard):
> certutil -key -q
Microsoft Strong Cryptographic Provider:
iisConfigurationKey
6de9cb26d2b98c01ec4e9e8b34824aa2_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
RSA
AT_KEYEXCHANGE
iisWasKey
76944fb33636aeddb9590521c2e8815a_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
[...snip...]
Some key names are just GUIDs too, but if we grep out only the lines that start with at least 20 hex digits, there will be only the IDs listed. So all key IDs from all providers can be concisely shown with:
> certutil -csplist | sls '^Provider Name: (.*)' | %{ $_.Matches[0].Groups[1].Value } |
%{ certutil -key -q -csp "$_" } | sls '^\s+[0-9a-f]{20}.+' | sort -u
597367cc37b886d7ee6c493e3befb421_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
6de9cb26d2b98c01ec4e9e8b34824aa2_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
76944fb33636aeddb9590521c2e8815a_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
ba8e1b9b5510957b3af7b811f05660de_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
d6d986f09a1ee04e24c949879fdb506c_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
f0e91f6485ac2d09485e4ec18135601e_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
Here are actually 2 more keys than there are in the MachineKeys directory (they come from the KSP, in fact, certutil -key -csp KSP shows them, if you are wondering). But the fact is they all have the same GUID suffix _f7fe3b04-ef9b-4b27-827f-953c5743e2ec.
The machine was installed by the vendor (an HP notebook, to be exact). This is unlike other machines, that we assemble or buy barebone and install and configure by ourselves. And I am working with some sensitive data sometimes, so I am indeed paranoid vetting the software thoroughly before allowing machines to access sensitive data.
The OS is Windows 10, if that matters, but the same type of storage has not changed from Windows 7, AFAIK, even with the introduction of the new CNG API in 8.0 (or 8.1?).
Just in case anyone would find useful a PowerShell snippet to readably list keys by provider, I used this command:
> certutil -csplist | sls '^Provider Name: (.*)' | %{ $_.Matches[0].Groups[1].Value } |
%{ Write-Host -for Yellow "`n$_"; certutil -key -q -csp "$_" }
Found the answer here: https://serverfault.com/a/642279/451491
The file naming convention is x_y, where x is a random GUID to
uniquely identify the key, and y is the machine GUID found at
HKLM\SOFTWARE\Microsoft\Cryptography.
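An added example, not part of the original answer: a read-only inventory that compares each MachineKeys file suffix with this installation's MachineGuid value, following the x_y naming described above. It assumes an elevated prompt and the default key directory from the question.

```powershell
# Added example; read-only, deletes nothing. Run elevated.
$machineGuid = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid
$keyDir      = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

$files = Get-ChildItem -LiteralPath $keyDir -File -Force | ForEach-Object {
    # File name is <x>_<y>; split on the first underscore only.
    $x, $y = $_.Name -split '_', 2

    # Some containers are readable only by their owning account, even elevated.
    $owner = try { (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner }
             catch { '<access denied>' }

    [pscustomobject]@{
        KeyId         = $x
        Suffix        = $y
        MatchesHost   = ($y -eq $machineGuid)   # -eq on strings ignores case
        LastWriteTime = $_.LastWriteTime
        Owner         = $owner
    }
}

"MachineGuid on this installation: $machineGuid"

# One row per distinct suffix, flagged by whether it is this host's GUID.
$files | Group-Object Suffix |
    Select-Object Count, Name, @{ n = 'MatchesHost'; e = { $_.Name -eq $machineGuid } } |
    Format-Table -AutoSize

# Files carrying a different suffix, with the metadata needed to attribute them.
$files | Where-Object { -not $_.MatchesHost } |
    Sort-Object Suffix, LastWriteTime |
    Format-Table KeyId, Suffix, LastWriteTime, Owner -AutoSize
```

The last-write time and owner of the non-matching files give a starting point for working out which installation or image created them.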
I need to have a certificate's Friendly Name set to an empty value so in Certificate Console Friendly Name column would display <None>.
Using this code all I could get is just empty value in the column, not <None> I need.
gci "Cert:\LocalMachine\My" | ? {$_.Subject -like "CN=mycer*"} | % { $_.FriendlyName = '' }
I also tried $_.FriendlyName = $null which made no difference.
Strange thing - when I clear Friendly Name using console then from Powershell's perspective the value is '' as the following statement produces True: write-host ($_.FriendlyName -eq ''). However, the '' value applied vice versa doesn't provide the expected result.
Any help is greatly appreciated.
UPDATE and ANSWER:
As Kory Gill suggested in comments, certutil.exe is indeed the way to get what I need.
Having created a clear.inf file with content below
[Version]
Signature = "$Windows NT$"
[Properties]
11 =
and executed certutil.exe -repairstore -user my "serial number" clear.inf I managed to reset Friendly Name to <None> value.
As an alternative to the PowerShell cmdlet for managing certificates, which may have issues with some properties, one can use certutil.exe as well to manage certs. This is similar to using robocopy.exe instead of Copy-File. Use the tools that give you the desired results...
This link shows an example of how to use certutil to change the friendly name.
Example usage from that page is:
certutil.exe -repairstore my "{serialnumber}" "change-friendly-name.inf"
where the inf file looks like:
[Version]
Signature = "$Windows NT$"
[Properties]
11 = "{text}new friendly name"
See also certutil reference.
I'm writing a script to run PSinfo (from the Sysinternals suite) against a list of machines, then I want to search the output for a specific string before doing other things. The basic code is as follows:
with open ("specific-pcs.txt") as machines:
    line = []
    for machineName in machines:
        machineName = machineName.strip()
        ps_Info = subprocess.Popen("location of PsInfo \\" + machineName + " -s").communicate()[0]
        if ("Silverlight" in ps_Info):
            subprocess.Popen("wmic product where caption='Microsoft Silverlight' call uninstall")
            print "Uninstalling Silverlight"
        else:
            pass
The output of PsInfo looks something like this:
Microsoft Office Word MUI (English) 2010 14.0.7015.1000
Microsoft ReportViewer 2010 Redistributable 10.0.30319
Microsoft Silverlight 5.1.10411.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 9.0.30729.4148
Realtek High Definition Audio Driver 6.0.1.7004
But running the code as is, it complains that "'Nonetype' is not iterable".
All I need it to do is say if Silverlight (in this case) exists in the output or not.
What do I need to change?
Thanks, Chris.
communicate returns None for a stream if it is not redirected to a pipe, which means in your case:
subprocess.Popen("location of PsInfo \\" + machineName + " -s").communicate()
will return (None, None), and when using the in operator on None you get the argument of type 'NoneType' is not iterable error.
Also, you should use a list of arguments when calling Popen instead of a single string, so this should work:
ps_Info = subprocess.Popen([r"C:\Path\To\PsInfo", r"\\" + machineName, "-s"],
                           stdout=subprocess.PIPE).communicate()[0]