如何对 运行 进程进行批处理或 cli 自动化 sigcheck.exe?
How to batch or cli automate sigcheck.exe on running processes?
我正在尝试生成 运行 个进程的列表(完整的可执行路径),然后遍历该列表并对每个文件执行 SysInternals "sigcheck.exe"。
出于某种原因,这没有按预期执行,我不确定这是由于我对输入文件的处理,还是由于 wmic 创建的输出格式。理想情况下,我希望首先将其作为批处理脚本运行,然后尝试将其转换为 cli 单行程序。
下面是我目前正在尝试的代码:
setlocal enabledelayedexpansion
@echo off
wmic process get executablepath /format:csv | more > c:\windows\temp\pslist.txt
for /f "skip=5 tokens=1,2 delims=," %%a in (c:\windows\temp\pslist.txt) do (
echo %%b
sigcheck.exe -accepteula -r -e "%%b"
)
ENDLOCAL
这使用“wmic.exe 进程”构建一个列表,并将“可执行路径”传递给“sigcheck.exe”。 “threadcount”是一个技巧——因为 WMIC 有它臭名昭著的额外 CR,要求 1 个额外和不需要的属性会在输出中创建标记……逗号。 “for”命令在逗号处截断 WMIC 输出,这就是如何在没有任何额外 CR 的情况下提取“executablepath”。
命令:
for /f "tokens=2 delims=," %A in ('wmic process where "not executablepath=null" get executablepath^,threadcount /format:csv') do @sigcheck.exe -accepteula -r -e "%A"
输出(为简洁起见部分):
Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\program files (x86)\google\chrome\application\chrome.exe:
Verified: Signed
Signing date: 7:47 PM 2/28/2019
Publisher: Google LLC
Company: Google Inc.
Description: Google Chrome
Product: Google Chrome
Prod version: 72.0.3626.121
File version: 72.0.3626.121
MachineType: 64-bit
Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\windows\system32\windowspowershell\v1.0\powershell.exe:
Verified: Signed
Signing date: 5:26 PM 4/11/2018
Publisher: Microsoft Windows
Company: Microsoft Corporation
Description: Windows PowerShell
Product: Microsoft« Windows« Operating System
Prod version: 10.0.17134.1
File version: 10.0.17134.1 (WinBuild.160101.0800)
MachineType: 64-bit
Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com
我正在尝试生成 运行 个进程的列表(完整的可执行路径),然后遍历该列表并对每个文件执行 SysInternals "sigcheck.exe"。
出于某种原因,这没有按预期执行,我不确定这是由于我对输入文件的处理,还是由于 wmic 创建的输出格式。理想情况下,我希望首先将其作为批处理脚本运行,然后尝试将其转换为 cli 单行程序。
下面是我目前正在尝试的代码:
setlocal enabledelayedexpansion
@echo off
wmic process get executablepath /format:csv | more > c:\windows\temp\pslist.txt
for /f "skip=5 tokens=1,2 delims=," %%a in (c:\windows\temp\pslist.txt) do (
echo %%b
sigcheck.exe -accepteula -r -e "%%b"
)
ENDLOCAL
这使用“wmic.exe 进程”构建一个列表,并将“可执行路径”传递给“sigcheck.exe”。 “threadcount”是一个技巧——因为 WMIC 有它臭名昭著的额外 CR,要求 1 个额外和不需要的属性会在输出中创建标记……逗号。 “for”命令在逗号处截断 WMIC 输出,这就是如何在没有任何额外 CR 的情况下提取“executablepath”。
命令:
for /f "tokens=2 delims=," %A in ('wmic process where "not executablepath=null" get executablepath^,threadcount /format:csv') do @sigcheck.exe -accepteula -r -e "%A"
输出(为简洁起见部分):
Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\program files (x86)\google\chrome\application\chrome.exe:
Verified: Signed
Signing date: 7:47 PM 2/28/2019
Publisher: Google LLC
Company: Google Inc.
Description: Google Chrome
Product: Google Chrome
Prod version: 72.0.3626.121
File version: 72.0.3626.121
MachineType: 64-bit
Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\windows\system32\windowspowershell\v1.0\powershell.exe:
Verified: Signed
Signing date: 5:26 PM 4/11/2018
Publisher: Microsoft Windows
Company: Microsoft Corporation
Description: Windows PowerShell
Product: Microsoft« Windows« Operating System
Prod version: 10.0.17134.1
File version: 10.0.17134.1 (WinBuild.160101.0800)
MachineType: 64-bit
Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com