-
Notifications
You must be signed in to change notification settings - Fork 18
Help
Vector BCO edited this page Apr 13, 2021
·
3 revisions
<#
.SYNOPSIS
Fix for Microsoft Windows Unquoted Service Path Enumeration
.DESCRIPTION
Script for fixing vulnerability "Unquoted Service Path Enumeration" in Services and Uninstall strings. Script modifying registry values.
Require Administrator rights and should be run on x64 powershell version in case if OS also have x64 architecture
.PARAMETER FixServices
This bool parameter allow proceed Services with vulnerability. By default this parameter enabled.
For disabling this parameter use -FixServices:$False
.PARAMETER FixUninstall
Parameter allow find and fix vulnerability in UninstallPaths.
Will be covered paths for x86 and x64 applications on x64 systems.
.PARAMETER FixEnv
Find services with Environment variables in the ImagePath parameter, and replace Env. variable to the it value
EX. %ProgramFiles%\service.exe will be replace to "C:\Program Files\service.exe"
.PARAMETER WhatIf
Parameter should be used for checking possible system impact.
With this parameter script would not change anything on your system,
and only will show information about possible (needed) changes.
.PARAMETER CreateBackup
When switch parameter enabled script will export registry tree`s
specified for services or uninstall strings based on operator selection.
Tree would be exported before any changes.
[Note] For restoring backup could be used RestoreBackup parameter
[Note] For providing full backup path could be used BackupName parameter
.PARAMETER RestoreBackup
This parameter will allow restore previously created backup.
If BackupName parameter would not be provided will be used last created backup,
in other case script will try to find selected backup name
[Note] For creation backup could be used CreateBackup parameter
[Note] For providing full backup path could be used BackupName parameter
.PARAMETER BackupFolderPath
Parameter would be proceeded only with CreateBackup or RestoreBackup
If CreateBackup or RestoreBackup parameter will be provided, then path from this parameter will be used.
During backup will be created reg file with original values per each service and application that will be modified
During restoration all reg files in the specified format will be iterable imported to the registry
Input example: C:\Backup\
Backup file format:
for -FixServices switch => Service_<ServiceName>_YYYY-MM-DD_HHmmss.reg
for -FixUninstall switch => Software_<ApplicationName>_YYYY-MM-DD_HHmmss.reg
.PARAMETER Passthru
With this parameter will be returned object array without any messages in a console
Each element will continue Service\Program Name, Path, Type <Service\Software>, ParamName <ImagePath\UninstallString>, OriginalValue, ExpectedValue
.PARAMETER Silent
[i] Silent parameter will work only together with Passthru parameter
If at least 1 Service Path or Uninstall String should be fixed script will return $true
Otherwise script will return $false
Example:
.\windows_path_enumerate.ps1 -FixUninstall -WhatIf -Passthru -Silent
Output:
$true
Description:
$true mean at least 1 service need to be fixed.
WhatIf switch mean that nothing was fixed, registry was only diagnosed for the vulnerability
.PARAMETER Help
Will display this help message
.PARAMETER LogName
Parameter allow to change output file location, or disable logging setting this parameter to empty string or $null.
.EXAMPLE
# Run powershell as administrator and type path to this script. In case if it will not run type dot (.) before path.
. C:\Scripts\Windows_Path_Enumerate.ps1
VERBOSE:
--------
2017-02-19 15:43:50Z : INFO : ComputerName: W8-NB
2017-02-19 15:43:50Z : Old Value : Service: 'BadDriver' - %ProgramFiles%\bad driver\driver.exe -k -l 'oper'
2017-02-19 15:43:50Z : Expected : Service: 'BadDriver' - "%ProgramFiles%\bad driver\driver.exe" -k -l 'oper'
2017-02-19 15:43:50Z : SUCCESS : New Value of ImagePath was changed for service 'BadDriver'
2017-02-19 15:43:50Z : Old Value : Service: 'NotAVirus' - C:\Program Files\Strange Software\virus.exe -silent
2017-02-19 15:43:51Z : Expected : Service: 'NotAVirus' - "C:\Program Files\Strange Software\virus.exe" -silent'
2017-02-19 15:43:51Z : SUCCESS : New Value of ImagePath was changed for service 'NotAVirus'
Description
-----------
Fix 2 services 'BadDriver', 'NotAVirus'.
Env variable %ProgramFiles% did not changed to full path in service 'BadDriver'
.EXAMPLE
# This command, or similar could be used for running script from SCCM
Powershell -ExecutionPolicy bypass -command ". C:\Scripts\Windows_Path_Enumerate.ps1 -FixEnv"
VERBOSE:
--------
2017-02-19 15:43:50Z : INFO : ComputerName: W8-NB
2017-02-19 15:43:50Z : Old Value : Service: 'BadDriver' - %ProgramFiles%\bad driver\driver.exe -k -l 'oper'
2017-02-19 15:43:50Z : Expected : Service: 'BadDriver' - "C:\Program Files\bad driver\driver.exe" -k -l 'oper'
2017-02-19 15:43:50Z : SUCCESS : New Value of ImagePath was changed for service 'BadDriver'
2017-02-19 15:43:50Z : Old Value : Service: 'NotAVirus' - %SystemDrive%\Strange Software\virus.exe -silent
2017-02-19 15:43:51Z : Expected : Service: 'NotAVirus' - "C:\Strange Software\virus.exe" -silent'
2017-02-19 15:43:51Z : SUCCESS : New Value of ImagePath was changed for service 'NotAVirus'
Description
-----------
Fix 2 services 'BadDriver', 'NotAVirus'.
Env variable %ProgramFiles% replaced to full path 'C:\Program Files' in service 'BadDriver'
.EXAMPLE
# This command, or similar could be used for running script from SCCM
Powershell -ExecutionPolicy bypass -command ". C:\Scripts\Windows_Path_Enumerate.ps1 -FixUninstall -FixServices:$False -WhatIf"
VERBOSE:
--------
2018-07-02 22:23:02Z : INFO : ComputerName: test
2018-07-02 22:23:04Z : Old Value : Software : 'FakeSoft32' - c:\Program files (x86)\Fake inc\Pseudo Software\uninstall.exe -silent
2018-07-02 22:23:04Z : Expected : Software : 'FakeSoft32' - "c:\Program files (x86)\Fake inc\Pseudo Software\uninstall.exe" -silent
Description
-----------
Script will find and displayed
.EXAMPLE
# This command will return $true if at least 1 path should be fixed or $false if there nothing to fix
# Log will not be available
.\windows_path_enumerate.ps1 -FixUninstall -WhatIf -Passthru -Silent -LogName ''
VERBOSE:
--------
true
.NOTES
Name: Windows_Path_Enumerate.PS1
Version: 3.5.1
Author: Vector BCO
Updated: 8 April 2021
.LINK
https://github.com/VectorBCO/windows-path-enumerate/
https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341
https://www.tenable.com/sc-report-templates/microsoft-windows-unquoted-service-path-enumeration
http://www.commonexploits.com/unquoted-service-paths/
#>