
Querying for and uninstalling evil KBs with Powershell Remoting

You haven’t enabled Powershell Remoting yet? C’mon! Check out this blog post and this verbose guide (Secrets of Powershell Remoting).

Security-flaw edge cases aside, Powershell Remoting's defaults follow good practice within a domain: authentication is mutual Kerberos (much like accessing an admin share), so no password or certificate is sent across the wire, and the message payload is encrypted by the Kerberos/Negotiate provider even on the default HTTP listener (TCP 5985), because `AllowUnencrypted` is off by default. Two caveats: the default is message-level encryption, not a TLS pipe (an HTTPS listener on TCP 5986 adds TLS and certificate-based server authentication on top), and targeting a host by IP address or outside the domain falls back to NTLM, which loses the mutual authentication.
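A quick way to confirm those defaults on a host before relying on them. This is an added check, not code from the original post; it reads the WSMan: drive that ships with WinRM and needs an elevated prompt. The property names and the expected values are the WinRM service defaults.

```powershell
# Added example: audit the WinRM service settings the post's security claim rests on.
function Test-WinRMDefaults {
    $svc = 'WSMan:\localhost\Service'
    $settings = [ordered]@{
        # Payload encryption must not be optional; default is 'false'.
        AllowUnencrypted = (Get-Item "$svc\AllowUnencrypted").Value
        # Basic auth sends credentials in the clear on HTTP; default is 'false'.
        BasicAuth        = (Get-Item "$svc\Auth\Basic").Value
        # Kerberos is the domain default and gives mutual authentication; default is 'true'.
        KerberosAuth     = (Get-Item "$svc\Auth\Kerberos").Value
        # HTTP alone means message-level encryption only; HTTPS means TLS is also in play.
        Listeners        = (Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
                               (Get-Item "$($_.PSPath)\Transport").Value }) -join ','
    }
    $settings['DefaultsIntact'] = ($settings.AllowUnencrypted -eq 'false') -and
                                  ($settings.BasicAuth        -eq 'false') -and
                                  ($settings.KerberosAuth     -eq 'true')
    [pscustomobject]$settings
}

Test-WinRMDefaults

# From the admin workstation, prove a given target negotiates Kerberos rather than
# falling back to NTLM (fails if you pass an IP address or a non-domain host):
# Test-WSMan -ComputerName server01.example.com -Authentication Kerberos
```

`DefaultsIntact` being `False` on any host is worth chasing before you push remote commands through it: someone has loosened the listener, usually to make a non-domain client work.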

This past week, two KBs made news for causing BSODs. Although none of our systems (workstations or servers) were affected, we still wanted to know exactly where the KBs were installed.

Powershell Remoting made this very simple. (old version)

In this case, the block starting with `get-wmiobject` enumerates computer objects (by OU) and checks each one for the two given KBs. A report is written to my desktop.

The block starting with `Invoke-Command` runs `wusa.exe` synchronously and returns once the given KB is uninstalled; `wusa` creates a restore point before removing the update. Before doing this, I checked WSUS to verify that the patch had been pulled (it had).
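The script itself did not survive in this copy of the post, so the following is an added reconstruction of the two blocks described above, not the author's code. It assumes an OU distinguished name, two placeholder KB identifiers (the post does not name the KBs here), a CSV report path on the desktop, and uses `Test-Connection -Quiet` in place of the author's custom `fastping`. It needs the ActiveDirectory module on the admin workstation, WinRM enabled on the targets, and an elevated domain-admin prompt.

```powershell
# Added example, not the original post's script: find an OU's machines that have the
# given KBs installed, write a report, then uninstall the KBs synchronously over
# Powershell Remoting. All parameter defaults below are assumptions; replace them.
param(
    [string]   $SearchBase = 'OU=Workstations,DC=example,DC=com',      # assumed OU
    [string[]] $KBs        = @('KB0000001', 'KB0000002'),              # placeholder KB IDs
    [string]   $Report     = "$env:USERPROFILE\Desktop\kb-report.csv"  # assumed report path
)

Import-Module ActiveDirectory

$computers = Get-ADComputer -SearchBase $SearchBase -Filter "Enabled -eq 'True'" |
    Select-Object -ExpandProperty Name

# --- Step 1: the get-wmiobject block. One row per computer per KB. ---
$report = foreach ($c in $computers) {
    # Cheap reachability check first: WMI and WinRM timeouts against a dead host are long.
    if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) {
        [pscustomobject]@{ Computer = $c; KB = $null; Installed = 'unreachable' }
        continue
    }
    try {
        # Win32_QuickFixEngineering lists installed updates; HotFixID is 'KBnnnnnnn'.
        $hotfixes = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $c -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
    } catch {
        [pscustomobject]@{ Computer = $c; KB = $null; Installed = "error: $($_.Exception.Message)" }
        continue
    }
    foreach ($kb in $KBs) {
        [pscustomobject]@{ Computer = $c; KB = $kb; Installed = ($hotfixes -contains $kb) }
    }
}

$report | Export-Csv -Path $Report -NoTypeInformation
$report | Where-Object { $_.Installed -eq $true } | Format-Table -AutoSize

# --- Step 2: the Invoke-Command block. Remove the KBs where they are present. ---
$targets = $report | Where-Object { $_.Installed -eq $true } |
    Select-Object -ExpandProperty Computer -Unique

foreach ($c in $targets) {
    # Only the KBs this particular machine actually has.
    $present = @($report | Where-Object { $_.Computer -eq $c -and $_.Installed -eq $true } |
                Select-Object -ExpandProperty KB)

    # (,$present) passes the whole array as a single argument to the script block.
    Invoke-Command -ComputerName $c -ArgumentList (,$present) -ScriptBlock {
        param([string[]] $KBList)
        foreach ($kb in $KBList) {
            $num = $kb -replace '^KB', ''
            # Start-Process -Wait blocks until wusa exits, so Invoke-Command returns only
            # after the uninstall (and the restore point it creates) is complete.
            # /norestart keeps the reboot under our control; exit code 3010 means one is pending.
            $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                    -ArgumentList "/uninstall /kb:$num /quiet /norestart" -Wait -PassThru
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; KB = $kb; ExitCode = $p.ExitCode }
        }
    }
}
```

Run step 1 on its own first and read the CSV before letting step 2 touch anything; a non-zero `ExitCode` other than 3010 means `wusa` refused the uninstall and the machine needs a look by hand. Unless the update is also declined or approved for removal in WSUS, clients will simply be offered it again at their next check-in.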

Note that if you use WSUS, you can find the update, open its Approval option, and select Approve for Removal, so that clients do not pick the update back up after you have uninstalled it.

  1. August 18, 2014 at 11:57 am

    Nice post! I hadn’t heard of those updates actually, so this was a good heads-up for me.

  2. January 15, 2015 at 7:42 am

    I don’t have fastping, where is this from?

    • January 15, 2015 at 8:15 am

It is a function I wrote myself and include in my $profile. Check it out here. There's still a bit of a delay if the name doesn't resolve, but it's very handy when querying remote machines via any method (remoting, WMI, etc.), as those methods' timeouts tend to be very long and may throw errors (avoidable with `-erroraction`, but less convenient than `if (fastping $host) {do stuff}`).
