
I'm trying to generate a list of running processes (full executable path), and then loop through that listing and perform a SysInternals "sigcheck.exe" against each of the files.

For some reason this isn't performing as expected and I'm unsure if it's due to my processing of the input file, or the format of output that wmic creates. Ideally, I'd like to get this working as a batch script first and then attempt to convert it to a cli one-liner.

Below is the code I'm currently trying:

setlocal enabledelayedexpansion
@echo off
wmic process get executablepath /format:csv | more > c:\windows\temp\pslist.txt
for /f "skip=5 tokens=1,2 delims=," %%a in (c:\windows\temp\pslist.txt) do (
 echo %%b
 sigcheck.exe -accepteula -r -e "%%b"
)
ENDLOCAL
devnulldad
  • Change `%file%` by `!file!` and insert `setlocal EnableDelayedExpansion` line at beginning... (although a simpler solution is change `%file%` by `%%b`) – Aacini Aug 22 '18 at 15:03
  • @Aacini, I edited the script to this as suggested and it still seems to fail at actually running sigcheck.exe against the proper file path, as indicated by the running script echoing the right filename, then the splash banner for sigcheck.exe, and then a "No matching files were found." message. `setlocal enabledelayedexpansion` `@echo off` `wmic process get executablepath /format:csv | more > c:\windows\temp\pslist.txt` `for /f "skip=5 tokens=1,2 delims=," %%a in (c:\windows\temp\pslist.txt) do (` `echo %%b` `sigcheck.exe -accepteula -r -e %%b` `)` `ENDLOCAL` – devnulldad Aug 22 '18 at 15:29
  • If the file path has spaces, you should enclose it between quotes: `sigcheck.exe -accepteula -r -e "%%b"` – Aacini Aug 22 '18 at 18:03
  • thanks for pointing out that I'm new at something...I mean the nature of my question made that seem obvious to me that I'm new and trying to learn, but thanks for pointing that out. Also, enclosing in quotes doesn't help...especially since most of the running processes' executable paths don't contain spaces and they still throw out the "No matching files were found" when performed with this batch script on a Win7 system. – devnulldad Aug 23 '18 at 12:21
  • Ok. Simple question: does the `sigcheck.exe` program work? Forget the Batch file and enter a single line at the command prompt with the full process path that proves that it works. Then, post here such a line... – Aacini Aug 23 '18 at 13:51
  • `sigcheck.exe -accepteula -r -e c:\windows\system32\lsass.exe` works fine and gives correct output as the file being signed by Microsoft Windows – devnulldad Aug 23 '18 at 14:59
  • What happens if you enclose the path in quotes? `sigcheck.exe -accepteula -r -e "c:\windows\system32\lsass.exe"` – Aacini Aug 23 '18 at 19:07
  • I get the same successful results when enclosing the path in quotes when attempting just a single execution of sigcheck.exe. Using quotes in the batch script doesn't provide successful results. – devnulldad Aug 23 '18 at 20:14
  • Then the problem is _not_ in the `sigcheck.exe` line. Please, put quotes enclosing %%b in the `echo "%%b"` line and review exactly which paths are processed... You should be capable of finding the problem by yourself. – Aacini Aug 23 '18 at 21:30

1 Answer

This uses "wmic.exe process" to build a list and passes just the "executablepath" to "sigcheck.exe". The "threadcount" is there as a trick: since WMIC has its infamous extra CR, asking for one extra, unneeded attribute creates markers in the output, the commas. The "for" command chops the WMIC output at the commas, which is how just the "executablepath" can be pulled out without any extra CRs.

CMD:

for /f "tokens=2 delims=," %A in ('wmic process where "not executablepath=null" get executablepath^,threadcount /format:csv') do @sigcheck.exe -accepteula -r -e "%A"

OUTPUT (partial for brevity sake):

Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\program files (x86)\google\chrome\application\chrome.exe:
        Verified:       Signed
        Signing date:   7:47 PM 2/28/2019
        Publisher:      Google LLC
        Company:        Google Inc.
        Description:    Google Chrome
        Product:        Google Chrome
        Prod version:   72.0.3626.121
        File version:   72.0.3626.121
        MachineType:    64-bit

Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\windowspowershell\v1.0\powershell.exe:
        Verified:       Signed
        Signing date:   5:26 PM 4/11/2018
        Publisher:      Microsoft Windows
        Company:        Microsoft Corporation
        Description:    Windows PowerShell
        Product:        Microsoft® Windows® Operating System
        Prod version:   10.0.17134.1
        File version:   10.0.17134.1 (WinBuild.160101.0800)
        MachineType:    64-bit

Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com
Community
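The following Python is an added example, not code from the question or the answer, that makes the failure mode visible offline. It mimics, as I understand them, the two cmd behaviours at play in the question's `for /f "tokens=1,2 delims=,"` loop (the CRLF line terminator is consumed but WMIC's extra CR stays on the last token, and runs of delimiters collapse so empty fields vanish), then parses the same output robustly and builds the `sigcheck.exe -accepteula -r -e "<path>"` command from a list so quoting is never an issue. The WMIC CSV samples are constructed: the host name `HOST01`, the thread counts and the process set are made up, and `sigcheck.exe` is assumed to be on `PATH`. Only `verify_running_processes()` touches a real system, and only when the file is run directly on Windows.

```python
import csv
import subprocess
from typing import List, Set

# Constructed sample of `wmic process get executablepath /format:csv` after `| more`
# (the question's form): a leading blank line, a header, one row per process, and every
# line terminated by CR CR LF.  The row with an empty ExecutablePath stands in for
# System / Idle, which have no image path.
SAMPLE_Q = (
    b"\r\r\n"
    b"Node,ExecutablePath\r\r\n"
    b"HOST01,\r\r\n"
    b"HOST01,C:\\Windows\\system32\\lsass.exe\r\r\n"
    b"HOST01,C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\r\r\n"
    b"HOST01,C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\r\r\n"
    b"HOST01,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\r\n"
)

# Same processes with the answer's extra ThreadCount column (thread counts invented).
SAMPLE_A = (
    b"\r\r\n"
    b"Node,ExecutablePath,ThreadCount\r\r\n"
    b"HOST01,,4\r\r\n"
    b"HOST01,C:\\Windows\\system32\\lsass.exe,9\r\r\n"
    b"HOST01,C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe,30\r\r\n"
    b"HOST01,C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe,12\r\r\n"
    b"HOST01,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,14\r\r\n"
)

SIGCHECK = "sigcheck.exe"  # assumed to be on PATH


def naive_second_field(raw: bytes) -> List[str]:
    """Mimic `for /f "tokens=1,2 delims=," %%a` and return what %%b would hold.

    cmd consumes the CRLF terminator, so WMIC's extra CR stays glued to the last
    token of each line; it also collapses runs of delimiters, so an empty field
    produces no token at all and the *next* column slides into %%b."""
    out = []
    for line in raw.decode("cp1252").split("\r\n"):
        tokens = [t for t in line.split(",") if t]
        if len(tokens) >= 2:
            out.append(tokens[1])
    return out


def executable_paths(raw: bytes, column: str = "ExecutablePath") -> List[str]:
    """Parse WMIC CSV output into unique, CR-free executable paths (first-seen order)."""
    if raw.startswith(b"\xff\xfe"):
        text = raw.decode("utf-16")          # `wmic ... > file` writes UTF-16 with a BOM
    else:
        text = raw.decode("cp1252", errors="replace")  # after `| more`: console code page
    lines = [ln.strip("\r") for ln in text.split("\n")]  # drop the stray CRs
    rows = list(csv.reader(ln for ln in lines if ln))    # blank lines are gone now
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    col = header.index(column)
    seen: Set[str] = set()
    paths: List[str] = []
    for row in body:
        if len(row) <= col:
            continue
        path = row[col].strip()
        key = path.lower()                   # Windows paths are case-insensitive
        if path and key not in seen:         # skips System/Idle and duplicate images
            seen.add(key)
            paths.append(path)
    return paths


def sigcheck_argv(path: str) -> List[str]:
    """argv form of `sigcheck.exe -accepteula -r -e "<path>"`; subprocess quotes it."""
    return [SIGCHECK, "-accepteula", "-r", "-e", path]


def verify_running_processes() -> None:
    """Windows only: run the answer's WMIC query and feed every unique path to sigcheck."""
    wmic = ["wmic", "process", "where", "not executablepath=null",
            "get", "executablepath,threadcount", "/format:csv"]
    raw = subprocess.run(wmic, capture_output=True, check=True).stdout
    for path in executable_paths(raw):
        subprocess.run(sigcheck_argv(path), check=False)


if __name__ == "__main__":
    verify_running_processes()
```

Run against `SAMPLE_Q`, `naive_second_field` returns every path with a trailing `\r`, which is exactly the string the question's script handed to sigcheck and why it reported "No matching files were found" even though `echo %%b` looked right. Against `SAMPLE_A` the CR lands on the discarded ThreadCount token, but the null-path row yields `"4\r"` instead of a path, which is the reason the answer's query also filters with `where "not executablepath=null"`. `executable_paths` gives the same clean list for both forms regardless of column order or encoding.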