如何对 运行 进程进行批处理或 cli 自动化 sigcheck.exe?

How to batch or cli automate sigcheck.exe on running processes?

我正在尝试生成 运行 个进程的列表(完整的可执行路径),然后遍历该列表并对每个文件执行 SysInternals "sigcheck.exe"。

出于某种原因,这没有按预期执行,我不确定这是由于我对输入文件的处理,还是由于 wmic 创建的输出格式。理想情况下,我希望首先将其作为批处理脚本运行,然后尝试将其转换为 cli 单行程序。

下面是我目前正在尝试的代码:

setlocal enabledelayedexpansion
@echo off
wmic process get executablepath /format:csv | more > c:\windows\temp\pslist.txt
for /f "skip=5 tokens=1,2 delims=," %%a in (c:\windows\temp\pslist.txt) do (
 echo %%b
 sigcheck.exe -accepteula -r -e "%%b"
)
ENDLOCAL

这使用“wmic.exe 进程”构建一个列表,并将“可执行路径”传递给“sigcheck.exe”。 “threadcount”是一个技巧——因为 WMIC 有它臭名昭著的额外 CR,要求 1 个额外和不需要的属性会在输出中创建标记……逗号。 “for”命令在逗号处截断 WMIC 输出,这就是如何在没有任何额外 CR 的情况下提取“executablepath”。

命令:

for /f "tokens=2 delims=," %A in ('wmic process where "not executablepath=null" get executablepath^,threadcount /format:csv') do @sigcheck.exe -accepteula -r -e "%A"

输出(为简洁起见部分):

Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\program files (x86)\google\chrome\application\chrome.exe:
        Verified:       Signed
        Signing date:   7:47 PM 2/28/2019
        Publisher:      Google LLC
        Company:        Google Inc.
        Description:    Google Chrome
        Product:        Google Chrome
        Prod version:   72.0.3626.121
        File version:   72.0.3626.121
        MachineType:    64-bit

Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\windowspowershell\v1.0\powershell.exe:
        Verified:       Signed
        Signing date:   5:26 PM 4/11/2018
        Publisher:      Microsoft Windows
        Company:        Microsoft Corporation
        Description:    Windows PowerShell
        Product:        Microsoft« Windows« Operating System
        Prod version:   10.0.17134.1
        File version:   10.0.17134.1 (WinBuild.160101.0800)
        MachineType:    64-bit

Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com