How to skip the input in batch file? - windows

I have created a batch file (say test.bat). In test.bat I call the tool certmgr.exe to delete a certificate from the certificate store. But when there are multiple certificates in the store with the same name, certmgr.exe asks which certificate I want to delete.
But I want certmgr.exe, if it finds certificates with the same name in the store, to delete all of them without asking the user for confirmation. Any idea?
Thanks,

I see that you already resolved this issue by using certutil.exe, but another solution using certmgr.exe could be achieved by piping 1 to the certmgr command (so it always deletes the first certificate with the specified name) and then looping on that command until no other certificates exist with that name.
So something like:
while(certificateExistsWithName(certName)) //this is pseudocode that would need to be implemented
echo 1 | certmgr.exe /del /n "certName" /s myStore... etc

Related

WMI Getting Registry Value via Command Prompt

I need to verify if a chrome extension is installed or not installed on remote computers.
The extension ID is a unique value like "234aljksdfklja3idffklsasf".
I need to search "HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings" for the extension ID "234aljksdfklja3idffklsasf".
How do I do that?
I think I will use the code below, but I need some help:
WMIC /NameSpace:\root\default Class StdRegProv ....
Instead of WMIC, you should use the REG cmd, it's made to do this.
The HKCU is whatever the user running the command's registry key is.
Reg allows you to load and check the registry keys of any users not just the one running the command, even users who have not logged in since the last reboot.
Since this is a Chrome extension you may need to check every user on the system to see if each has it enabled individually.
Alternatively there is probably an HKLM key that corresponds to the extension being installed, if all you want to know is if it's present at all so it can be removed.
Reg also allows you to query your computers through the network.
One issue you will have if you need to check every user's registry for the key is that you need to know what the users' SIDs present on the system are.
This is findable by querying HKLM, but I am on mobile and can't recall how without getting on my computer later to do this.
Alternatively you can also just load the reg hive file by looping the directory structure of the remote machine and loading each user.dat file through the reg command, which is much simpler, but then the code must execute on each remote machine through a login script or GPO script push.
Basically you can use reg in this manner on a local machine to check the reg of the user you are running as (HKCU)
(reg query "HKCU\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings" /s | FIND /I "234aljksdfklja3idffklsasf") && Echo.FOUND 234aljksdfklja3idffklsasf
Of course to run on another computer it's fairly simple to do, but HKCU will be the reg of the admin user you ran the command as with access to that other system, or you can try HKLM to see if that setting exists on the local machine key, which the following checks HKLM instead.
(reg query \\[Computer_Name_or_IP_Address]\hklm\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings /s | FIND /I "234aljksdfklja3idffklsasf") && Echo.FOUND 234aljksdfklja3idffklsasf
You could loop a set of computer names/IPs and check each using the above command inside the loop like so:
FOR %A IN (
  Computer_A
  192.168.12.13
  192.168.12.31
  Computer_C
) DO (
  (
    reg query \\%~A\hklm\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings /s | FIND /I "234aljksdfklja3idffklsasf"
  ) && Echo.%~A -- FOUND 234aljksdfklja3idffklsasf || ECHO.%~A -- Key Not Found!
)
If you need to check the actual HKCU of every user on the system then you need to load each reg hive on the system and check it. This is true if you use WMIC as well, and Reg is faster.
From the MS reg page:
reg query <KeyName> [{/v <ValueName> | /ve}] [/s] [/se <Separator>] [/f <Data>] [{/k | /d}] [/c] [/e] [/t <Type>] [/z]
I got one more solution to this situation, but it only works if the extension is packed. Btw, this solution also doesn't solve my problem because my extension is unpacked.
Packed extensions are stored in "AppData\Local\Google\Chrome\User Data\Default\Extensions".
wmic /node:remoteip datafile where "name='C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Extensions\extensionid\1.0.4_0\manifest.json'"
If the extension is installed, the command returns the manifest.json file specs.
I got the solution;
wmic /node:ipaddr /NAMESPACE:"\\root\DEFAULT" class stdregprov call GetStringValue ^&H80000001,"SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings","extensionid"
On localhost, it works but on remote computers access denied.
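The per-user check described in the answer above (find the SIDs through HKLM, then load each user's hive with reg), written out as an added example that is not code from any poster in this thread. It assumes an elevated prompt on the machine being audited, the standard ProfileList key as the source of SIDs and profile paths, and NTUSER.DAT as the hive file in each profile; the mount name ExtAudit_Temp is made up for the example, and the extension ID is the placeholder used in the question.

```batch
@echo off
setlocal EnableExtensions
rem Added example: look for one Chrome extension ID in every local user's hive.
rem EXT_ID is the placeholder ID from the question, not a real extension.
set "EXT_ID=234aljksdfklja3idffklsasf"
set "SUBKEY=SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings"
set "PROFILES=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

rem Every subkey of ProfileList is named after the SID of a profile owner.
for /f "delims=" %%K in ('reg query "%PROFILES%" 2^>nul ^| find "S-1-5-21-"') do call :CheckProfile "%%~nxK" "%%K"
endlocal
exit /b 0

:CheckProfile
set "SID=%~1"
set "ROOT=HKU\%SID%"
set "MOUNTED="
rem A logged-on user's hive is already mounted under HKU\<SID>.
reg query "%ROOT%" >nul 2>&1 && goto :Query
rem Otherwise read the profile directory and mount its NTUSER.DAT.
set "PDIR="
for /f "tokens=2,*" %%A in ('reg query "%~2" /v ProfileImagePath 2^>nul ^| find /i "ProfileImagePath"') do set "PDIR=%%B"
if not defined PDIR goto :eof
rem ExtAudit_Temp is a hypothetical mount name chosen for this example.
set "ROOT=HKU\ExtAudit_Temp"
reg load "%ROOT%" "%PDIR%\NTUSER.DAT" >nul 2>&1 || goto :eof
set "MOUNTED=1"

:Query
reg query "%ROOT%\%SUBKEY%" /s 2>nul | find /i "%EXT_ID%" >nul
if errorlevel 1 (echo %SID% -- not found) else (echo %SID% -- FOUND %EXT_ID%)
rem Always unmount what this script mounted so the hive is not left locked.
if defined MOUNTED reg unload "%ROOT%" >nul 2>&1
goto :eof
```

Profiles whose hive cannot be loaded (for example, a file locked by another process) are skipped silently, so a missing line for a SID means "not checked", not "not installed".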

how to stop echo command from displaying variables which are not set?

I am working on an application that requires my users to share their fully-qualified-domain-name of their windows machine.
To help my users to extract their machine's FQDN, I want to share simple command line steps that they can copy/paste and execute on their terminals to get the result.
I was thinking of below command to extract local machine's FQDN:
echo %COMPUTERNAME%.%USERDNSDOMAIN%
But there are a few problems with this command.
It gives output in ALL CAPS. (I can live with it)
It gives incorrect output if the variable is not set.
For example:
If USERDNSDOMAIN value is not set, then, you'll get following output:
echo %COMPUTERNAME%.%USERDNSDOMAIN% //<- Run this on cmd prompt
ClientComputerName.%USERDNSDOMAIN% //<- wrong output: Notice '%USERDNSDOMAIN%' is appended in o/p
Is there any way to stop echoing a variable if its value is not set?
Please note that I want to extract "fully qualified domain name" of my windows machine through CMD prompt only.
You can get the FQDN name using PowerShell.
=== Get-FQDN.bat
@ECHO OFF
FOR /F %%A IN ('powershell -NoLogo -NoProfile -Command ^
    "([System.Net.Dns]::GetHostByName($Env:COMPUTERNAME)).HostName"') DO (
    SET "THEFQDN=%%A"
)
ECHO %THEFQDN%
If you have multiple users, then you surely have some way to get programs and batch files installed on them. Once this batch file script is installed into a directory on the user's PATH, it is a one-line command.
Get-FQDN
1st, please note that the "USER DNS Domain" is NOT the domain the computer is joined to, it is the domain the USER who is logged in belongs to.
If you log in as a user from a trusted domain, or a child or parent domain, then it will display that domain.
So, if you log in as a LOCAL account it will be blank (likely you are running into this)
There is a fairly simple way to get the actual computer domain however, by using NLTest. (For the life of me I could never figure out why Microsoft didn't pre-populate a variable with this info.)
At the CMD Line simply dump this into the command prompt (I believe you will need to run with admin privileges but I haven't tested):
FOR /F "tokens=3" %_ IN ('nltest /DOMAIN_TRUSTS /PRIMARY ^|FIND /I "0:"') DO @(ECHO.%COMPUTERNAME%.%_)
The result will be in all caps because that is how Microsoft displays this info.
Here is an example output:
MYLAPTOP.USERS.MYDOMAIN.LOCAL
But on re-read, you want something the users know how to do themselves, so ymmv if you could just send a reference email, or hand it to them each time they need it.
If you just want this info and other info easily available you could use BGInfo or other options like that to set the desktop background.
Alternatively you could change the logon scripts to generate a simple text file with all the info each time the user logs on, and placed in a certain folder you tell them to look in.

CMD Command Net User Password expire

Is there a CMD command to set an existing Windows user's property's checkbox, "Password never expires", to be unchecked? (Assumption: The checkbox was previously checked before I unchecked it manually to illustrate the box being unchecked)
I am creating a batch file for windows 10 and I would like to do it programmatically. (I am hardening an OS and baselining it.)
I looked at the CMD command: net user and it does have several password options such as /passwordchg to specify a user can change their own password and /passwordreq which specifies a user must have a password. I find it strange that there isn't one for "Password never expires" (i.e. /passwordexp:{YES|NO}) so my batch file can uncheck that option programmatically. I'm probably missing it in my Google searches but I am unable to find a solution. I include an excerpt of my code:
...
...
net user %Name% /<somePasswordExpireOption:YES
...
...
Any suggestions are welcome. Thanks in advance.
Perhaps, as long as they are local not domain:
rem PasswordExpires=TRUE clears the "Password never expires" checkbox; FALSE sets it.
WMIC UserAccount Where "Name='%Name%'" Set PasswordExpires=TRUE

Signing/certificate VSTO Outlook plugin

I am having a hard time understanding the process of signing / certifying Outlook plugin.
The problem is that the plugin works but I can't install it on all machines. On some it can be installed and on some not (it gives a security alert about the manifest not being signed/certified). I have gone through the docs but I can't say it's clear for me.
What is the easiest way to fix that problem? Could someone explain it in a few, plain English, words?
First you want to create a non-expiring certificate for Visual Studio projects
Type Developer Command in the Start Menu search and right click and select Run as administrator
Paste the following commands in the command prompt for MakeCert and pvk2pfx
MakeCert /n "CN=Your New Cert" /r /h 0 /eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" /e "01/01/2100" /sv MyNewCert.pvk MyNewCert.cer
pvk2pfx -pvk MyNewCert.pvk -spc MyNewCert.cer -pfx MyNewCert.pfx
Note:
The date format is the US standard MM/DD/YYYY
The -f parameter can be used at the end of the pvk2pfx line for overwriting an existing file
You'll get prompted to create a password (this is optional)
After the password prompt, you'll need to run the second command line by just pressing the Enter key.
Now you can select the same certificate for multiple Visual Studio projects
In the Visual Studio project properties, select Signing, then click on Select from File…
Navigate to the same path from the command prompt and select the certificate file (*.pfx)

How to run makecert.exe without a GUI?

I recently came across a problem generating self-signed certificates in an automated fashion. Anytime I run makecert.exe I get a pop-up window for a password for the certificate. However, these certificates will never be distributed, so I don't need a password or anything.
How can I get makecert.exe to work without requiring a GUI?
If it helps, my command line takes this kind of form:
makecert.exe mycert.cer -r -n "CN=random-hex-number" -$ individual -sv private.pkv -pe -cy end
I didn't solve the root problem, but found a way to work around it. It only prompts for a password when you don't provide a private key. By generating a private key beforehand and passing it as the PVK, it won't prompt for a password now.
Put the certificate and the private keys in a folder.
Then use the pvk2pfx tool to combine them into one file.
Then when you're ready to install use
@pushd "%~dp0"
@start "" /b (command) "%~dp0"
The pushd keeps it in the file's directory, and start "" /b runs the program without bringing up the interface.
