Posts Tagged ‘powershell’

Don’t get-mousejacked

March 4, 2016

[UPDATED: April 14th, 2016:

Good news everyone! MSFT has released an optional update that resolves this issue:


This morning, my boy Bruce Schneier posted about the attacks on various wireless mouse/keyboard dongles that Bastille published on February 23rd.

I’ve written a quick Powershell script to get a full inventory of affected computers (deal with the output yourself).
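The inventory script itself isn't reproduced here; the following is an added example (not the post's script) of one way to do it: query every USB device on the domain's computers via Powershell Remoting and flag the ones whose hardware IDs match a list of affected receivers. The OU is a placeholder, the ActiveDirectory module is assumed, and the single hardware ID in the list is assumed from Bastille's public advisory (the Logitech Unifying receiver); extend the list from that advisory for your own fleet.

```powershell
# Added example (not the post's script): inventory USB wireless receivers on domain
# computers and report the ones matching a list of affected hardware IDs.
# ASSUMPTION: the list below is assumed from Bastille's public advisory; extend it.
$AffectedHardwareIds = @(
    'USB\VID_046D&PID_C52B'   # Logitech Unifying receiver (assumed from the advisory)
)

# Computers to check. Assumes the ActiveDirectory module; the OU is a placeholder.
$computers = (Get-ADComputer -Filter 'Enabled -eq $true' `
    -SearchBase 'OU=Workstations,DC=example,DC=com').Name

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    param($ids)
    # Only USB devices; WQL needs the backslash doubled inside the filter string.
    Get-WmiObject -Class Win32_PnPEntity -Filter "DeviceID LIKE 'USB\\VID_%'" | ForEach-Object {
        $hw = $_.HardwareID   # array such as 'USB\VID_046D&PID_C52B&REV_1201', 'USB\VID_046D&PID_C52B'
        if ($hw) {
            foreach ($id in $ids) {
                if ($hw -like "$id*") {    # -like over an array returns the matching elements
                    [pscustomobject]@{
                        Computer   = $env:COMPUTERNAME
                        Device     = $_.Name
                        HardwareId = ($hw | Select-Object -First 1)
                    }
                    break
                }
            }
        }
    }
} -ArgumentList (,$AffectedHardwareIds)   # unary comma keeps the array as one argument

# One row per affected receiver found; computers that did not answer are simply absent.
$results | Select-Object Computer, Device, HardwareId |
    Export-Csv "$env:USERPROFILE\Desktop\mousejack-inventory.csv" -NoTypeInformation
```

Computers that are offline or lack WinRM are skipped silently by -ErrorAction SilentlyContinue, so compare the report against $computers to see who was not reached.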

Worth noting that this is clearly novel, but, as of this time, MSFT hasn’t released a patch, which is weird given that Bastille disclosed the vulnerabilities to them on November 24th, 2015. The recommended solution (from Bastille) is to move to a wired keyboard. Nice! But aren’t those vulnerable as well?! Is Tom Cruise crawling in my ceiling tiles?!!1

Here are the details and links to attack code:

Quick script: Report the Windows updates installed within the last 30 days

October 27, 2014
Get-WmiObject -Class "win32_quickfixengineering" | where {$_.installedon -gt (get-date).adddays(-30) } | select HotFixID,installedon

Search an offline Windows event/application log quickly

October 22, 2014
get-winevent -FilterHashTable @{path="pathto:\dc4secevent.evtx";logname='Security';ID=628}

Apply auto-approval rules to new classifications in WSUS

October 17, 2014

Okay, so not exactly what I said above, but you can use Powershell to approve updates that match some classification, OS, and/or product matching your auto-approval rules (although you will have to know your auto-approval rules).

You can use where-object to select which Microsoft.UpdateServices.Commands.WsusUpdate objects to pipe into `approve-wsusupdate`, as follows.

This makes approving all updates for newly selected products or OSes much easier than going through the GUI and manually approving each for Install.

Here is an example of approving all updates for Windows 2012:

import-module updateservices
Get-WsusUpdate -Classification Critical -Approval Unapproved -Status FailedOrNeeded | where {$_.products -like "*2012*"} | approve-wsusupdate -action install -targetgroupname "All Computers" -whatif
Get-WsusUpdate -Classification Security -Approval Unapproved -Status FailedOrNeeded | where {$_.products -like "*2012*"} | approve-wsusupdate -action install -targetgroupname "All Computers" -whatif
Get-WsusUpdate -Classification all -Approval Unapproved -Status FailedOrNeeded | where {$_.products -like "*2012*" -and $_.classification -like "Updates"} | approve-wsusupdate -action install -targetgroupname "Servers" -whatif

Can’t find much documentation for the Microsoft.UpdateServices.Commands.WsusUpdate class, so here are the available fields to filter on (use -like for the string properties and -contains for the StringCollection properties, as per the type definition):

Approved                           Property   string Approved {get;}
Classification                     Property   string Classification {get;}
ComputersInstalledOrNotApplicable  Property   int ComputersInstalledOrNotApplicable {get;}
ComputersNeedingThisUpdate         Property   int ComputersNeedingThisUpdate {get;}
ComputersWithErrors                Property   int ComputersWithErrors {get;}
ComputersWithNoStatus              Property   int ComputersWithNoStatus {get;}
InstalledOrNotApplicablePercentage Property   int InstalledOrNotApplicablePercentage {get;}
LanguagesSupported                 Property   System.Collections.Specialized.StringCollection LanguagesSupported {get;}
LicenseAgreement                   Property   string LicenseAgreement {get;}
MsrcNumbers                        Property   System.Collections.Specialized.StringCollection MsrcNumbers {get;}
MustBeInstalledExclusively         Property   bool MustBeInstalledExclusively {get;}
Products                           Property   System.Collections.Specialized.StringCollection Products {get;}
Removable                          Property   bool Removable {get;}
RestartBehavior                    Property   string RestartBehavior {get;}
Update                             Property   Microsoft.UpdateServices.Administration.IUpdate Update {get;}
UpdateId                           Property   string UpdateId {get;}
UpdatesSupersededByThisUpdate      Property   System.Collections.Specialized.StringCollection UpdatesSupersededByThi...
UpdatesSupersedingThisUpdate       Property   System.Collections.Specialized.StringCollection UpdatesSupersedingThis...

Create a sparse file of a given size with Powershell

September 3, 2014

Very simple to create a sparse file:

[System.IO.file]::writeallbytes('t.txt',$(New-Object Byte[] $(400MB)))

Creating a not-sparse file is more complicated and would likely use get-random to assign the contents of each byte. You might consider writing 1MB 400 times to get 400MB, or some derivation thereof. This is why benchmarking is difficult: you need to mimic whatever operation you’re trying to benchmark. Does this operation write 1024KB chunks? Does it flush data to disk using an API other than .NET?
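As an added example (not from the post), here is the not-sparse variant described above: 400 writes of a 1MB buffer with fresh random content, flushed to disk through the .NET FileStream, followed by a check of whether a given file actually carries the NTFS sparse attribute. The random bytes come from the .NET cryptographic RNG rather than get-random, purely because filling a 1MB buffer that way is far faster.

```powershell
# Added example (not the post's code): write ChunkCount chunks of ChunkSize random bytes.
function New-RandomFile {
    param([string]$Path, [int]$ChunkCount = 400, [int]$ChunkSize = 1MB)
    # Swapped in for get-random: fills the whole buffer in one call.
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] $ChunkSize
    $fs     = [System.IO.File]::Create($Path)
    try {
        for ($i = 0; $i -lt $ChunkCount; $i++) {
            $rng.GetBytes($buffer)                 # new random content for every chunk
            $fs.Write($buffer, 0, $buffer.Length)  # one 1MB write per iteration
        }
        $fs.Flush($true)   # flushToDisk=$true also asks the OS to flush its own buffers
    } finally {
        $fs.Dispose()
        $rng.Dispose()
    }
}

# Reports $true when the file has the NTFS sparse attribute set, $false otherwise.
function Test-SparseFile {
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::SparseFile)
}

New-RandomFile -Path 't-random.bin'       # 400 x 1MB = 400MB of random data
Test-SparseFile -Path 't-random.bin'      # random content is never sparse
```

Point Test-SparseFile at any file you intend to use as a benchmark fixture; whether the file system stores zeros as sparse or as real allocated blocks changes what the benchmark measures.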

Querying for and uninstalling evil KBs with Powershell Remoting

August 18, 2014 3 comments

You haven’t enabled Powershell Remoting yet? C’mon! Check out this blog post and this verbose guide (Secrets of Powershell Remoting).

Disregarding security-flaw edge cases, Powershell Remoting defaults follow good security practices, such as Kerberos cert-based authentication (much like accessing an admin share) and a fully encrypted TCP pipe.

This past week, two KBs made news for causing BSODs. Although none of our systems (workstations or servers) experienced BSODs from them, we still wanted to get a grasp on where the KBs were installed.

Powershell Remoting made this very simple. (old version)

In this case, the block starting with `get-wmiobject` queries computer objects (by OU) to check if the two given KBs are installed. A report is output to my desktop.

The block starting with `Invoke-Command` runs `wusa.exe` synchronously, and returns once the given KB is uninstalled. It will create a restore point. Before I did this, I took a look at WSUS to verify that the patch was pulled (and it was).

Note that if you use WSUS, you can find the update, go to its Approval option and select Approve for Removal.
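The linked gist isn't reproduced here, so the following is an added example (not the original script) of the two blocks described above: the first collects the computers in an OU and reports which of the two KBs each one has, the second runs `wusa.exe` synchronously over Powershell Remoting to uninstall only where the report found the KB. The OU and the two KB numbers are placeholders, and the ActiveDirectory module is assumed.

```powershell
# Added example (not the post's gist). Placeholders: the OU and the two KB numbers.
$kbs = @('KB0000001', 'KB0000002')   # placeholders for the two pulled KBs
$computers = (Get-ADComputer -Filter 'Enabled -eq $true' `
    -SearchBase 'OU=Servers,DC=example,DC=com').Name

# Block 1: read-only inventory of which KBs are present where; report lands on the desktop.
$report = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    param($wanted)
    Get-WmiObject -Class Win32_QuickFixEngineering |
        Where-Object { $wanted -contains $_.HotFixID } |
        Select-Object @{n='Computer'; e={ $env:COMPUTERNAME }}, HotFixID, InstalledOn
} -ArgumentList (,$kbs)
$report | Select-Object Computer, HotFixID, InstalledOn |
    Export-Csv "$env:USERPROFILE\Desktop\kb-report.csv" -NoTypeInformation

# Block 2: uninstall only where Block 1 found the KB. Start-Process -Wait makes the remote
# call return once wusa.exe has finished; /norestart leaves the reboot to a maintenance window.
# Verify in WSUS that the update is pulled (or approved for removal) first, or it reinstalls.
$uninstallResults = foreach ($row in $report) {
    $kbNumber = $row.HotFixID -replace '^KB', ''     # wusa wants the bare number
    Invoke-Command -ComputerName $row.Computer -ScriptBlock {
        param($n)
        $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
             -ArgumentList "/uninstall /kb:$n /quiet /norestart" -Wait -PassThru
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            KB       = $n
            ExitCode = $p.ExitCode   # 0 = removed, 3010 = removed but reboot required
        }
    } -ArgumentList $kbNumber
}
$uninstallResults | Select-Object Computer, KB, ExitCode | Format-Table -AutoSize
```

Run Block 1 alone first and review kb-report.csv; Block 2 touches only the rows it lists, so an empty report means nothing is uninstalled.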

Powershell: Very fast ping

April 9, 2014 3 comments