Answered getwmi change method

  • Tuesday, February 12, 2013 10:25 PM
     
     

    Get-WmiObject -Class Win32_Service -ComputerName XXXXXX |
    select-object PSComputerName,Name,PathName,startMode  | where-object {$_.startMode -eq "Auto" -and $($_.PathName).Substring(0,1) -ne '"' -and $($_.PathName).Substring(0,$($_.PathName).LastIndexOf("\") + 1).Contains(' ') } |
    Foreach { $_.Change($null," " + $_.pathName + "")}

    I'm trying to replace the path of services with the above method of Get-WmiObject.... It doesn't work when I call the Change method.

    The first portion works fine...... I am able to pull out the services according to my criteria, but when I try to loop through and use the Change method it bombs........

    Any suggestions please!!!!


    michael john ocasio

All Replies

  • Tuesday, February 12, 2013 11:26 PM
     
     

    Your code effectively changes nothing.  The change is identical to the original:

    This: $_.pathName

    is identical to this: " " + $_.pathName + ""

    All you have done is add an empty string to each end of the existing path.


    ¯\_(ツ)_/¯

  • Tuesday, February 12, 2013 11:36 PM
     
     

    So if I concatenate the path with quotes at the beginning and end and save it to a variable

    such as

    something |
    Foreach {   $temp = $_.pathName ; $temp = """ + $temp + """ ; $_,pathName = $temp ; $_.Change($null," " + $_.pathName + "") } would this work? All I'm trying to do is enclose the path in quotes.... thank you for your suggestions


    michael john ocasio

  • Tuesday, February 12, 2013 11:44 PM
    Moderator
     
     

    What is the purpose of this script?

    Bill

  • Tuesday, February 12, 2013 11:58 PM
     
      Has Code

    This is one easy way:

    $qpath='"' + $_.pathName + '"'
    #
    #
    But I think you will find that the system will remove the quotes before the update is completed.

    ¯\_(ツ)_/¯


  • Wednesday, February 13, 2013 12:02 AM
     
     

    Also note that your script is mostly nonsense as it appears to query nothing that can be changed.

    Why would you want to try and add quotes to internal strings.  This is not usual in any way.


    ¯\_(ツ)_/¯


  • Wednesday, February 13, 2013 12:03 AM
     
     

    Find service executables whose path is unquoted and contains an embedded space.

    The script finds the services based on my criteria..... What I'm having a problem with is implementing the Change method to enclose the path in quotes.

    It retrieves the services with the criteria in question

    Get-WmiObject -Class Win32_Service -ComputerName XXXXXX |
    select-object PSComputerName,Name,PathName,startMode  | where-object {$_.startMode -eq "Auto" -and $($_.PathName).Substring(0,1) -ne '"' -and $($_.PathName).Substring(0,$($_.PathName).LastIndexOf("\") + 1).Contains(' ') } |

    This is the code segment where I'm having a problem modifying the original value of the path.

    Foreach { $_.Change($null," " + $_.pathName + "")}  as IRV pointed out, here I was just adding an empty string at the beginning and end of the path value....... My bad...... but if I do $_.Change($null, ($_.pathName -Replace """ + $_,pathName + """))

    or can I use a format: '"{0}"' -f $_.pathName


    michael john ocasio

  • Wednesday, February 13, 2013 12:04 AM
    Moderator
     
     
    Find service executables whose path is unquoted and contains an embedded space.

    Why?

    Bill

  • Wednesday, February 13, 2013 12:21 AM
     
     
    A requirement from managers due to a scanner tool detecting certain software that, when installed, has a service executable path that is unquoted and has an embedded space, flagged as vulnerable. The task is to remotely connect to target machines, identify the services with the vulnerability, and enclose the path in quotes as the new PathName value.

    michael john ocasio

  • Wednesday, February 13, 2013 12:32 AM
     
      Has Code

    This is closer to what you are trying to do.

    Get-WmiObject -Class Win32_Service -ComputerName . -filter 'StartMode="Auto"'|
         Where-object {
                        # directory part and file part of the service command line
                        $path=Split-Path $_.PathName
                        $leaf=Split-Path $_.PathName -leaf
                        # keep only unquoted paths whose directory contains a space
                        $path.Contains(' ') -and ($path[0] -ne '"')
                      } |
         ForEach-Object{
             # preview only: the whole executable path wrapped in quotes
             Write-host ('"' + $path + '\' + $leaf + '"') -fore green
         }

    By the way, this is only necessary for Windows NT 4.0 through W2k before SP2.  All systems since then have been patched to avoid this issue.  The issue persists because many people do not patch and some still run W2k SP1.

    Most scanners allow you to disable this detection to avoid nuisance.  Some check the patch and OS version and automatically skip this.  Many free scanners do not do this.


    ¯\_(ツ)_/¯


  • Wednesday, February 13, 2013 12:55 AM
     
     

    I'm aware of that, I keep insisting on the same assumption as yours.........Since 2000 I believe, when McAfee found the problem......

    But I did verify the installation of a software vendor and indeed it did install the service with an unquoted path and embedded space (Program Files). Nevertheless, we are already past the 60 days. Managers believe I have not researched enough in finding a solution. I did request that the first thing to do is to identify the software that is causing the problem in all servers and workstations, notify the vendor and request an update, and disable the software temporarily. Their response was no, let's fix it and get rid of the vulnerability and move forward. I reminded them that if we implement the script (cleaner) and eventually get an update of any of the software in question, the vulnerability will surface again. Their response was that is why we want YOU to develop the script. Not a WIN WIN...... They just want to kick the can....... sounds like congress. I'm pretty close to what I want to accomplish, just need some guidance on how to use the Change method in Get-WmiObject or the Put method that I'm seeing on other Win32_ classes.

    Thanks for the help


    michael john ocasio

  • Wednesday, February 13, 2013 1:14 AM
     
     

    The script I posted is what you are trying to do; just add the Change line.

    As I posted, it is likely that the system will remove the quotes.  Test very carefully on a test system.

    Tell your managers that making a global change like this built by a person who is not a script writer is very dangerous.  If anything goes wrong you can totally disable many systems and might crash your whole network.

    None of the more experienced admins here would recommend what you are doing.  It is a recipe for disaster.

    I would call Microsoft Support and get them to point you at the security bulletins and KBs that indicate how and when this was patched.

    The scanner you are using is a free scanner that has a set of known weaknesses. It also allows you to disable selective reports.  If Microsoft validates the fix and you have no W2K SP2 or earlier systems then just disable the report.  Microsoft will not misdirect you.  Correctly analyzing this issue and addressing it correctly would get you more respect and honors from the managers.  Doing a little investigation and determining that you have a false positive is far better and shows more professionalism than endangering the whole network with a fix that is not required.

    Assume you are told you have a brain tumor.  Would you rather get a second opinion that proves to you that you do not, instead of having a brain operation?

    A risk analysis would quickly tell you that changing 500 or more systems in batch is a no-no.  It is a no-brainer.


    ¯\_(ツ)_/¯

  • Wednesday, February 13, 2013 1:30 AM
     
     Answered Has Code

    Here is the code with the 'Change'

    You must check the error return to see why you cannot change the service.

    Get-WmiObject -Class Win32_Service -ComputerName . -filter 'StartMode="Auto"'|
         Where-object {
                        $path=Split-Path $_.PathName
                        $leaf=Split-Path $_.PathName -leaf
                        $path.Contains(' ') -and ($path[0] -ne '"')
                      } |
         ForEach-Object{
             # quote the whole executable path (directory + leaf), not just the directory
             $fixed='"' + $path + '\' + $leaf + '"'
             Write-host $fixed -fore green
             # Change() returns an object whose ReturnValue is 0 on success,
             # otherwise a Win32_Service error code
             $errReturn=($_.Change($null,$fixed)).ReturnValue
             if($errReturn -ne 0){ Write-Host "FAILED:$errReturn" -fore red -back white }
         }


    ¯\_(ツ)_/¯


  • Wednesday, February 13, 2013 1:40 AM
     
     Answered Has Code

    Here is an even faster and more flexible version using correct WMI/WQL semantics.

    # WQL does the filtering: running services, a space somewhere in the path, path not already starting with a quote
    Get-WmiObject -Class Win32_Service -ComputerName . -filter 'state="running" and pathname like "% %" and Not pathname like "\"%"' |
         ForEach-Object {
              $path=Split-Path $_.PathName
              $leaf=Split-Path $_.PathName -leaf
              $fixed='"' + $path + '\' + $leaf + '"'
              Write-host $fixed -fore green
              # ReturnValue 0 = success; anything else is a Win32_Service error code
              $errReturn=($_.Change($null,$fixed)).ReturnValue
              if($errReturn -ne 0){ Write-Host "FAILED:$errReturn" -fore red -back white }
         }


    ¯\_(ツ)_/¯



  • Wednesday, February 13, 2013 1:42 AM
     
     

    I agree with you 1000%. It just doesn't sound right and I have not got a hit (Google) at the present time...... So the only fact that I do know is that Microsoft fixed the path problem back then when long path names were introduced. The course of action is to ask Microsoft and relay what they have to say. Inform Tenable (Nessus) to disable the plugin and scan.....

    Thank you for the advice and I will keep learning PowerShell


    michael john ocasio

  • Wednesday, February 13, 2013 1:44 AM
     
     

    None of us can or will test this.  The WMI method calling interface is incorrectly documented at times.  To know the exact order of the arguments you need to look at each system's MOF.  Different versions of Windows can have different argument orders.  To overcome that, WMI can be called with named arguments.  To do this we would use Invoke-WmiMethod with named arguments.


    ¯\_(ツ)_/¯

  • Wednesday, February 13, 2013 1:56 AM
     
     

    Here is the command to get the current parameter list, which can be used and passed to the method or used to check parameter order.

    $_.GetMethodParameters('change')

    We call it with the name of the method we want to get a parameter set for.

    To pass a set you need to use the Create command to create a parameter set.


    ¯\_(ツ)_/¯

  • Wednesday, February 13, 2013 2:11 AM
     
     Answered Has Code

    Here is a good blog on how to use Cim to call the method using named parameters.

    http://itknowledgeexchange.techtarget.com/powershell/using-invoke-wmimethod-to-set-the-dns-servers/

    Example:

    # $filter and $fixed are assumed to have been built earlier (see the scripts above)
    Get-CimInstance -ClassName Win32_Service -Filter $filter |
         Invoke-CimMethod -MethodName Change -Arguments @{PathName=$fixed}


    ¯\_(ツ)_/¯

    • Marked As Answer by mjocasio23 Wednesday, February 13, 2013 4:17 AM
  • Wednesday, February 13, 2013 4:12 AM
     
     

    None of the above methods are exactly correct.  It will take more code to exactly extract the part of the path to be quoted and then put it back together.

    All of the pieces you need are in those two scripts.  You will need to adjust to get the correct outcome.


    ¯\_(ツ)_/¯

  • Wednesday, February 13, 2013 4:21 AM
     
      Has Code

    This is one step closer but still builds bad strings due to anomalies in the structure of service strings.

    Such as:

    "C:\Windows\system32\SearchIndexer.exe \"Embedding

    Notice the use of a backslash where there shouldn't be one.  This will require special handling.

    Get-WmiObject -Class Win32_Service -ComputerName . -filter 'state="running" AND Not pathname like "\"%"' |
         ForEach-Object {
              $path=Split-Path $_.PathName
              if($path.Contains(' ')){
                   $leaf=Split-Path $_.PathName -leaf
                   # quote the whole executable path, closing quote after the leaf
                   $fixed='"' + $path + '\' + $leaf + '"'
                   Write-host $fixed -fore green
                   # preview only; uncomment to apply (ReturnValue 0 = success)
                   #$errReturn=($_.Change($null,$fixed)).ReturnValue
                   #if($errReturn -ne 0){ Write-Host "FAILED:$errReturn" -fore red -back white }
              }
         }
    


    ¯\_(ツ)_/¯
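The open problem in the thread is that Split-Path cannot tell where the executable ends and its arguments begin, so the last script quotes the wrong piece of a command line such as the SearchIndexer one above. The following is an added example, not code posted in this thread or shipped by Microsoft: it separates the executable from its arguments before quoting, skips paths that are already quoted or that have no space in the executable part, and only touches PathName through Invoke-CimMethod (so StartMode, account and the rest of the Change() parameters stay as they are). It assumes the CIM cmdlets of Windows PowerShell 5.1 or later; the function names, the "first .exe boundary" split heuristic, and the sample command lines are my own constructions, and the WQL filter is the one used earlier in the thread.

```powershell
# Added example, not code from this thread. Assumes Windows PowerShell 5.1 or later
# with the CIM cmdlets; the function names and the ".exe boundary" heuristic are mine.

function Split-ServiceCommandLine {
    # Splits a Win32_Service.PathName into executable and arguments.
    # Quoted paths are returned with Quoted = $true so callers can skip them.
    # Unquoted paths are split at the first ".exe" followed by whitespace or end of
    # string. This is a heuristic: a directory name containing ".exe " would fool it,
    # so always review the -WhatIf preview before applying any change.
    param([Parameter(Mandatory)][string]$CommandLine)
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -lt 0) { return $null }          # unbalanced quote: do not touch it
        return [pscustomobject]@{
            Exe    = $cl.Substring(1, $end - 1)
            Args   = $cl.Substring($end + 1).Trim()
            Quoted = $true
        }
    }
    if ($cl -match '^(?<exe>.+?\.exe)(?:\s+(?<args>.*))?$') {
        return [pscustomobject]@{ Exe = $Matches['exe']; Args = [string]$Matches['args']; Quoted = $false }
    }
    return $null                                  # no recognisable executable
}

function Get-QuotedServicePath {
    # Returns the corrected PathName, or $null when no change is needed or safe.
    param([Parameter(Mandatory)][string]$CommandLine)
    $parts = Split-ServiceCommandLine -CommandLine $CommandLine
    if ($null -eq $parts -or $parts.Quoted -or -not $parts.Exe.Contains(' ')) { return $null }
    $fixed = '"' + $parts.Exe + '"'
    if ($parts.Args) { $fixed += ' ' + $parts.Args }   # arguments stay outside the quotes
    return $fixed
}

function Repair-UnquotedServicePath {
    # -WhatIf previews; without it, each change is confirmed first (ConfirmImpact High).
    # Only PathName is passed to Change(), so every other service property is untouched.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$ComputerName)
    $cim = @{ ClassName = 'Win32_Service'
              Filter    = 'PathName LIKE "% %" AND NOT PathName LIKE "\"%"' }   # WQL filter from the thread
    if ($ComputerName) { $cim.ComputerName = $ComputerName }
    Get-CimInstance @cim | ForEach-Object {
        $fixed = Get-QuotedServicePath -CommandLine $_.PathName
        if ($null -eq $fixed) { return }           # nothing to do for this service
        $result = [ordered]@{ Service = $_.Name; Old = $_.PathName; New = $fixed; ReturnValue = 'not applied' }
        if ($PSCmdlet.ShouldProcess($_.Name, "Change PathName to $fixed")) {
            # ReturnValue 0 = success; anything else is a Win32_Service error code
            $r = Invoke-CimMethod -InputObject $_ -MethodName Change -Arguments @{ PathName = $fixed }
            $result.ReturnValue = $r.ReturnValue
        }
        [pscustomobject]$result
    }
}

# Constructed sample command lines (not read from a real system) so the transformation
# can be inspected offline; the second one is the odd string quoted earlier in the thread.
$samples = @(
    'C:\Program Files\Example Vendor\agent.exe -service',
    'C:\Windows\system32\SearchIndexer.exe \"Embedding',
    '"C:\Program Files\Already Quoted\svc.exe" -k',
    'C:\Windows\system32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    $fixed = Get-QuotedServicePath -CommandLine $s
    if ($null -eq $fixed) { $fixed = '(no change)' }
    Write-Host ("{0}`n  -> {1}" -f $s, $fixed)
}
```

Run `Repair-UnquotedServicePath -WhatIf` (optionally with `-ComputerName`) to get the list of services and the exact PathName each would receive without changing anything; only the first sample above produces a change, the SearchIndexer string and the already-quoted path are left alone. After a real change, confirm with `Get-CimInstance Win32_Service -Filter 'Name="<service>"'` that the quotes survived the update, which is the doubt raised earlier in the thread, and remember that quoting removes the path ambiguity but does not replace checking the ACLs on the directories involved.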