I'm going to check the PC using powershell.
The purpose is to detect automatic execution malware.
If there is a new process after execution, it shows a new process. Then, I want to create a code that allows users to identify and detect whether it is a malicious process.
Function Reg {
$key_1 = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$key_2 = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
$key_3 = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$key_4 = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
$p1 = Get-Item -Path $key_1 | Select-Object -ExpandProperty Property
$p2 = Get-Item -Path $key_2 | Select-Object -ExpandProperty Property
$p3 = Get-Item -Path $key_3 | Select-Object -ExpandProperty Property
$p4 = Get-Item -Path $key_4 | Select-Object -ExpandProperty Property
$result = $p1 + $p2 + $p3 + $p4
$result
}
Function Check {
$file = "C:\study\project\PC_Check\result.txt"
if ( -not (Test-Path $file)) {
Reg | Out-File -FilePath "C:\study\project\PC_Check\result.txt"
}
else {
if ((Reg) -eq (Get-Content $file)) {
Write-Host "No new process."
}
else {
Write-Host "New process detected."
Reg | Out-File -FilePath "C:\study\project\PC_Check\result.txt"
}
}
}
Check
The problem with my code is that there is no comparison between the executed output and the contents of the first file.
I want to print out a new process while comparing the current outputs and file contents.
(Reg) -eq (Get-Content $file)
I think this compare part is wrong, how should I correct it?
Thank you for your time to read this and Have a nice day!
As per my comment. One way to refactor this is as follows. Tweak as needed.
Clear-Host
# Refactor to get all Autorun details
Function Get-AutorunDetail
{
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' |
ForEach-Object {(Get-Item -Path $PSitem).Property}
}
Get-AutorunDetail |
Out-Null
Function Write-AutorunResultsFile
{
# Check if file path exists
$AutorunResultsFile = 'D:\study\project\PC_Check'
# If not, create the path and the new file
if ( -not (Test-Path -Path "$AutorunResultsFile\AutorunResultsFile.txt"))
{
New-Item -Path $AutorunResultsFile -ItemType File -Name 'AutorunResultsFile.txt' -Force |
Out-Null
# Add the Autorun detail to the new file
Get-AutorunDetail |
ForEach-Object {Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value $PSitem}
}
else
{
if (Compare-Object -ReferenceObject {Get-AutorunDetail} -DifferenceObject (Get-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt"))
{Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value 'No new process.'}
else
{
'New process detected.'
Get-AutorunDetail |
ForEach-Object {Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value $PSitem}
}
}
}
Write-AutorunResultsFile
Again, this is just one way, there are always more and/or better ways - but I'll leave them to you to research or others to chime in.
Updated
Clear-Host
# Refactor to get all Autorun details
Function Get-AutorunDetail
{
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' |
ForEach-Object {(Get-Item -Path $PSitem).Property}
}
Get-AutorunDetail |
Out-Null
Function Write-AutorunResultsFile
{
# Check if file path exists
$AutorunResultsFile = 'D:\study\project\PC_Check'
# If not, create the path and the new file
if ( -not (Test-Path -Path "$AutorunResultsFile\AutorunResultsFile.txt"))
{
New-Item -Path $AutorunResultsFile -ItemType File -Name 'AutorunResultsFile.txt' -Force |
Out-Null
# Add the Autorun detail to the new file
Get-AutorunDetail |
ForEach-Object {Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value $PSitem}
}
else
{
if ($AutorunDetails = (Compare-Object -ReferenceObject (Get-AutorunDetail) -DifferenceObject (Get-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt")) -match '<=')
{
Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value 'New process detected.'
Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value ($AutorunDetails.InputObject | Select-Object -Last 1)
}
else
{Add-Content -Path "$AutorunResultsFile\AutorunResultsFile.txt" -Value 'No new process detected.'}
}
}
Write-AutorunResultsFile
# Results when altering the registry key
<#
Security...
Tablet...
Display...
ms...
OneDrive
Micros...
CiscoM...
...
Docker Desktop
GoToMeeting
No new process detected.
New process detected.
test
No new process detected.
New process detected.
test1
No new process detected.
New process detected.
test2
#>
Related
I'm an Network Engineer an I wrote a small but effective PS Script to search logs(or any file for that matter) for textpatterns. Now this script only outputs the line, filename and so on. Now I wanted to extend the script so that when it finds a line, it'll tell me the line, filename and so on but also the contents of that line.
So it should look like this:
LineNumber Filename Path Pattern
---------- -------- ---- -------
4 190719_Success.log C:\skripte\190719_Success.log test
Text that's on Line 4 of the .log should appear here
5 190719_Success.log C:\skripte\190719_Success.log test
Text thats on Line 5 of the .log should appear here
Sorry for the formatting, I hope you get what I mean.
Since I'm relatively new to PS Scripting Im kinda lost how I should achieve this goal or if thats even possible.
Here is my code sofar:
Clear-Host
$Pfad = Read-Host "Bitte Pfad angeben" #Enter Directory Path to Search
$Suchbegriff = Read-Host "Suchbegriff eingeben" #Enter Pattern to search for
New-Item -ItemType directory -Path C:\Skripte -erroraction 'silentlycontinue' #create C:\Skripte Folder
Remove-Item -Path C:\Skripte\Suchergebnis.txt -erroraction 'silentlycontinue' #Cleanup from previous run
Remove-Item -Path C:\Skripte\Indizierung.csv -erroraction 'silentlycontinue' #Cleanup
cd $Pfad
echo $file.fullname
echo ""
select-string -Path .\*.* -Pattern "$Suchbegriff" -erroraction 'silentlycontinue' | Select-Object LineNumber,Filename,Path,Pattern | ft -wrap #Search the specified Directory
echo ""
while(($Create = Read-Host -Prompt "Unterordner durchsuchen? J für Ja, N für Nein") -ne "x") #Userinput if Subdirectorys should be searched aswell
{
switch ($Create)
{
'J'
{
Get-Childitem -erroraction 'silentlycontinue' | Get-ChildItem -Recurse -erroraction 'silentlycontinue' | Where-Object {$_.PSIsContainer} | Export-CSV -NoClobber -NoTypeInformation -Path C:\Skripte\Indizierung.csv #Get all Subdirectorys and put them in a CSV, two GCI are needed to reliably get all subdirectories.
$Files = import-csv -Delimiter ',' -Path C:\Skripte\Indizierung.csv #Import CSV
foreach ($File in $Files)
{
cd $file.fullname
echo $file.fullname
echo ""
select-string -Path .\*.* -Pattern "$Suchbegriff" -erroraction 'silentlycontinue' | Select-Object LineNumber,Filename,Path,Pattern | ft -wrap
echo ""
pause
exit
}
}
'n'
{
pause
Exit
}
}
}
Take a look at the following code. I added a loop for processing the files and some validation for the input + your request for the displaying the line content to the console.
Code adapted (#Theo: thanks for input)
#Get input
[System.String]$SearchPath = Read-Host -Prompt 'Enter path'
[System.String]$SearchPattern = Read-Host -Prompt 'Enter search pattern'
[System.String]$SearchRecurse = Read-Host -Prompt 'Search recurse (Y/N)'
#Validate input
if ((-not $SearchPath) -or (-not (Test-Path -Path $SearchPath)))
{
throw ('Path "' + $SearchPath + 'is not available!')
}
if ((-not $SearchPattern))
{
throw ('Search pattern is empty!')
}
if (('Y', 'N') -notcontains $SearchRecurse)
{
throw ('Search recurse parameter "' + $SearchRecurse + ' is not valid!')
}
#Get all files
Out-Host -InputObject 'Get all files...'
[PSCustomObject[]]$Files = #()
if ($SearchRecurse -eq 'Y')
{
$Files = Get-ChildItem -Path $SearchPath -File -Recurse -Force #Collect also files from subfolders
}
else
{
$Files = Get-ChildItem -Path $SearchPath -File -Force #Collect only files from the current folder
}
#Search for string
Out-Host -InputObject 'Search for string...'
[PSCustomObject[]]$Output = #()
foreach ($File in ($Files)) #Process each file
{
Out-Host -InputObject $File.FullName
$Output += Select-String -Path $File.FullName -Pattern $SearchPattern | Select-Object -Property LineNumber, Filename, Path, Pattern, Line
}
$Output | Format-Table -Wrap
I currently have a powershell script, which print out some information regarding the files which passed in as argument..
The command for executing the script, it done as such:
.\myscript.ps1 -accessitem C:\folder
I want to apply the script on all files and folder on the drive C:, is it possible i for loop to list all files, and pass the path as argument for the script?
The script:
[CmdletBinding()]
Param (
[Parameter(Mandatory=$True,Position=0)]
[String]$AccessItem
)
$ErrorActionPreference = "SilentlyContinue"
If ($Error) {
$Error.Clear()
}
$RepPath = Split-Path -Parent $MyInvocation.MyCommand.Definition
$RepPath = $RepPath.Trim()
$str = $AccessItem -replace ':',''
$str = $AccessItem -replace '/','.'
$FinalReport = "$RepPath\"+$str+".csv"
$ReportFile1 = "$RepPath\NTFSPermission_Report.txt"
If (!(Test-Path $AccessItem)) {
Write-Host
Write-Host "`t Item $AccessItem Not Found." -ForegroundColor "Yellow"
Write-Host
}
Else {
If (Test-Path $FinalReport) {
Remove-Item $FinalReport
}
If (Test-Path $ReportFile1) {
Remove-Item $ReportFile1
}
Write-Host
Write-Host "`t Working. Please wait ... " -ForegroundColor "Yellow"
Write-Host
## -- Create The Report File
$ObjFSO = New-Object -ComObject Scripting.FileSystemObject
$ObjFile = $ObjFSO.CreateTextFile($ReportFile1, $True)
$ObjFile.Write("NTFS Permission Set On -- $AccessItem `r`n")
$ObjFile.Close()
$ObjFile = $ObjFSO.CreateTextFile($FinalReport, $True)
$ObjFile.Close()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($ObjFSO) | Out-Null
Remove-Variable ObjFile
Remove-Variable ObjFSO
If((Get-Item $AccessItem).PSIsContainer -EQ $True) {
$Result = "ItemType -- Folder"
}
Else {
$Result = "ItemType -- File"
}
$DT = Get-Date -Format F
Add-Content $ReportFile1 -Value ("Report Created As On $DT")
Add-Content $ReportFile1 "=================================================================="
$Owner = (Get-Item -LiteralPath $AccessItem).GetAccessControl() | Select Owner
$Owner = $($Owner.Owner)
$Result = "$Result `t Owner -- $Owner"
Add-Content $ReportFile1 "$Result `n"
(Get-Item -LiteralPath $AccessItem).GetAccessControl() | Select * -Expand Access | Select IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags, PropagationFlags | Export-CSV -Path "$RepPath\NTFSPermission_Report2.csv" -NoTypeInformation
Add-Content $FinalReport -Value (Get-Content $ReportFile1)
Add-Content $FinalReport -Value (Get-Content "$RepPath\NTFSPermission_Report2.csv")
Remove-Item $ReportFile1
Remove-Item "$RepPath\NTFSPermission_Report2.csv"
Invoke-Item $FinalReport
}
If ($Error) {
$Error.Clear()
}
I would prefer a outside command doing this, as workings of the script should not be altered, it it used for single file testing..
There are two ways to do this:
Add -Recurse Flag to the script
Run the script on each directory
I'm going with option two since the script looks complicated enough that I don't want to touch it.
$path_to_script = "C:\path\to\myscript.ps1"
$start_directory = "C:\folder"
# Call Script on Parent Directory
& "$path_to_script" -AccessItem "$start_directory"
# Call Script on any Child Directories within the "$start_directory"
foreach($child in (ls "$start_directory" -Recurse -Directory))
{
$path = $child.FullName
& "$path_to_script" -AccessItem "$path"
}
Basically, I'm calling the script on the parent directory and any sub-directories within the parent directory.
I'm trying to create a powershell script that searches a users C drive for a certain file extension, and then writes a file to a network share if it finds one. The script is launched from the last line of a logon script that reads like this:
powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -file "\\servername\Path\To\File.ps1"
And my powershell script looks like this:
$hostname = HostName
Get-ChildItem -Path C:\*.* -Filter $file -Recurse -Force -ErrorAction
SilentlyContinue | Out-File \\servername\Path\To\Results\$hostname\file.txt
If ((Get-Content "\\servername\Path\To\Results\$hostname\file.txt") -eq $Null) {
Remove-Item \\servername\Path\To\Results\$hostname\file.txt
}
Exit
The script runs perfectly fine on my machine even when I load it from the network share but whenever another computer runs it, it never produces an Out File. And I don't think it is even searching.
What am I doing wrong? I thought it was execution policy, but I've set the logon script to bypass it. I don't understand why it isn't working.
[edit]
I've now got the script working sometimes on Windows 10 machines. But it doesn't work at all on Windows 7. I've even tried running
Get-ChildItem C:\*.pst -Recurse
directly from a powershell command prompt, and it just fails silently and doesn't search for anything. Isn't Get-ChildItem a powershell 1 command?
Hello. If you do like this: Get-ChildItem -Path C:*.* -Filter $file
-Recurse -Force the text file output will be enough to weigh.
You can try to check the access to the network folder for the current
user:if access explicitly set, and write access exists, then you can
record a file with the content. Otherwise, it can create folder test
on the local machine which will create the file, indicating that there
is no access. How is this way:
Set-ExecutionPolicy remotesigned -Scope CurrentUser -Force| Out-Null
$user = [System.Environment]::UserName
$hostname = [System.Environment]::MachineName
try {
$accs = Get-ACL -Path "\\server\sharedfolder\Results\"
foreach ($access in $accs) {
$obj = New-Object -TypeName PSObject -Property #{
Access = $accs.Access
}
$obj1 = $obj | select -ExpandProperty Access
for ($i = 0 ; $i -le $obj1.Count ; $i ++ )
{
if (!($obj1[$i].IdentityReference -like "*Users*" -or $obj1[$i].IdentityReference -like "*$user*")) {
if (!(Test-Path "c:\test")) {
md c:\test
$s = "user access from group"
$s | out-file C:\test\ErrInfo.csv
}
else {
$s = "user access from group"
$s | out-file C:\test\ErrInfo.csv
}
}
if ($obj1[$i].IdentityReference -like "*Users*" -or $obj1[$i].IdentityReference -like "*$user*") {
if ($obj1[$i].FileSystemRights -like "*ReadAndExecute*")
{
if (!(Test-Path "c:\test")) {
md c:\test
$s = "Premission only ReadAndExecute"
$s | out-file C:\test\ErrInfo_rex.csv
}
else {
$s = "Premission only ReadAndExecute"
$s | out-file C:\test\ErrInfo_rex.csv
}
}
if ($obj1[$i].FileSystemRights -like "*FullControl*" -and $obj1[$i].AccessControlType -like "*Allow*" -or $obj1[$i].FileSystemRights -like "*Modify*" -and $obj1[$i].AccessControlType -like "*Allow*")
{
if (!(Test-Path "\\server\sharedfolder\Results\$hostname"))
{
md "\\server\sharedfolder\Results\$hostname"
Get-ChildItem -Path C:\testpatch\*.* -Filter $file -Recurse -Force -ErrorAction SilentlyContinue | Out-File "\\server\sharedfolder\Results\$hostname\file.txt"
}
else {
Get-ChildItem -Path C:\testpatch\*.* -Filter $file -Recurse -Force -ErrorAction SilentlyContinue | Out-File "\\server\sharedfolder\Results\$hostname\file.txt"
}
}
}
}
}
}
catch {
if (!(Test-Path "c:\test")) {
md c:\test
$s = "--NoAccess--"
$s | out-file C:\test\ErrInfo_noaccess.csv
}
else {
$s = "--NoAccess--"
$s | out-file C:\test\ErrInfo_noaccess.csv
}
}
Or you can do something like this (whiteout EXIT):
Set-ExecutionPolicy remotesigned -Scope CurrentUser -Force| Out-Null
$hostname = [System.Environment]::MachineName
if (!(Test-Path "\\server\sharedfolder\Results\$hostname")) {
md "\\server\sharedfolder\Results\$hostname" | Out-Null
If ((Get-ChildItem -Path C:\test\*.* -Filter $file -Recurse -Force -ErrorAction SilentlyContinue).Count -ne "0") {
Get-ChildItem -Path C:\test\*.* -Filter $file -Recurse -Force -ErrorAction SilentlyContinue | Out-File "\\server\sharedfolder\Results\$hostname\file.txt"
}
}
elseif (Test-Path "\\server\sharedfolder\Results\$hostname") {
If ((Get-ChildItem -Path C:\test\*.* -Filter $file -Recurse -Force -ErrorAction SilentlyContinue).Count -ne "0") {
Get-ChildItem -Path C:\test\*.* -Filter $file -Recurse -Force -ErrorAction SilentlyContinue | Out-File "\\server\sharedfolder\Results\$hostname\file.txt"
}
}
I need to get a list of all the folders owners on a shared network drive. However, I want to limit the recursion to just 3 folders deep (some of our users will create folders several levels deep, despite us telling them not to). I've found the below script, and slightly modified it to just give folder owner (it originally returned a lot more information for ACLs), but it still goes down through every folder level. How can I modify this to only return 3 folder levels?
$OutFile = "C:\temp\FolderOwner.csv" # indicates where to input your logfile#
$Header = "Folder Path;Owner"
Add-Content -Value $Header -Path $OutFile
$RootPath = "G:\" # which directory/folder you would like to extract the acl permissions#
$Folders = dir $RootPath -recurse | where {$_.psiscontainer -eq $true}
foreach ($Folder in $Folders){
$Owner = (get-acl $Folder.fullname).owner
Foreach ($ACL in $Owner){
$OutInfo = $Folder.Fullname + ";" + $owner
Add-Content -Value $OutInfo -Path $OutFile
}
}
You should be able to add a '*' to your path for each level. For example, this should return items three levels deep under C:\Temp:
dir c:\temp\*\*\*
Here's a sample function you can use (it's written for PowerShell v3 or higher, but it can be modified to work for version 2):
function Get-FolderOwner {
param(
[string] $Path = "."
)
Get-ChildItem $Path -Directory | ForEach-Object {
# Get-Acl throws terminating errors, so we need to wrap it in
# a ForEach-Object block; included -ErrorAction Stop out of habit
try {
$Owner = $_ | Get-Acl -ErrorAction Stop | select -exp Owner
}
catch {
$Owner = "Error: {0}" -f $_.Exception.Message
}
[PSCustomObject] #{
Path = $_.FullName
Owner = $Owner
}
}
}
Then you could use it like this:
Get-FolderOwner c:\temp\*\*\* | Export-Csv C:\temp\FolderOwner.csv
If you're after all items up to and including 3 levels deep, you can modify the function like this:
function Get-FolderOwner {
param(
[string] $Path = ".",
[int] $RecurseDepth = 1
)
$RecurseDepth--
Get-ChildItem $Path -Directory | ForEach-Object {
# Get-Acl throws terminating errors, so we need to wrap it in
# a ForEach-Object block; included -ErrorAction Stop out of habit
try {
$Owner = $_ | Get-Acl -ErrorAction Stop | select -exp Owner
}
catch {
$Owner = "Error: {0}" -f $_.Exception.Message
}
[PSCustomObject] #{
Path = $_.FullName
Owner = $Owner
}
if ($RecurseDepth -gt 0) {
Get-FolderOwner -Path $_.FullName -RecurseDepth $RecurseDepth
}
}
}
And use it like this:
Get-FolderOwner c:\temp -RecurseDepth 3 | Export-Csv C:\temp\FolderOwner.csv
Any help?
resolve-path $RootPath\*\* |
where { (Get-Item $_).PSIsContainer } -PipelineVariable Path |
Get-Acl |
Select #{l='Folder';e={$Path}},Owner
Really need help creating a script that backs up, and shoots out the error along the file that did not copy
Here is what I tried:
Creating lists of filepaths to pass on to copy-item, in hopes to later catch errors per file, and later log them:
by using $list2X I would be able to cycle through each file, but copy-item loses the Directory structure and shoots it all out to a single folder.
So for now I am using $list2 and later I do copy-item -recurse to copy the folders:
#create list to copy
$list = Get-ChildItem -path $source | Select-Object Fullname
$list2 = $list -replace ("}"),("")
$list2 = $list2 -replace ("#{Fullname=") , ("")
out-file -FilePath g:\backuplog\DirList.txt -InputObject $list2
#create list crosscheck later
$listX = Get-ChildItem -path $source -recurse | Select-Object Fullname
$list2X = $listX -replace ("}"),("")
$list2X = $list2X -replace ("#{Fullname=") , ("")
out-file -FilePath g:\backuplog\FileDirList.txt -InputObject $list2X
And here I would pass the list:
$error.clear()
Foreach($item in $list2){
Copy-Item -Path $item -Destination $destination -recurse -force -erroraction Continue
}
out-file -FilePath g:\backuplog\errorsBackup.txt -InputObject $error
Any help with this is greatly appreciated!!!
The answer to complex file-copying or backup scripts is almost always: "Use robocopy."
Bill
"Want to copy all the items in C:\Scripts (including subfolders) to C:\Test? Then simply use a wildcard character..."
Next make it easier on yourself and do something like this:
$files = (Get-ChildItem $path).FullName #Requires PS 3.0
#or
$files = Get-ChildItem $path | % {$_.Fullname}
$files | Out-File $outpath
well it took me a long time, considering my response time. here is my copy function, which logs most errors(network drops, failed copies , etc) the copy function , and targetobject.
Function backUP{ Param ([string]$destination1 ,$list1)
$destination2 = $destination1
#extract new made string for backuplog
$index = $destination2.LastIndexOf("\")
$count = $destination2.length - $index
$source1 = $destination2.Substring($index, $count)
$finalstr2 = $logdrive + $source1
Foreach($item in $list1){
Copy-Item -Container: $true -Recurse -Force -Path $item -Destination $destination1 -erroraction Continue
if(-not $?)
{
write-output "ERROR de copiado : " $error| format-list | out-file -Append "$finalstr2\GCI-ERRORS-backup.txt"
Foreach($erritem in $error){
write-output "Error Data:" $erritem.TargetObject | out-file -Append "$finalstr2\GCI- ERRORS-backup.txt"
}
$error.Clear()
}
}
}