windows服务powershell的.exe权限 [英] The rights of the .exe of a windows service powershell
问题描述
我的代码被屏蔽了
我会试着解释我想用它做什么,我的代码是扫描不同的 Windows 服务,仅将使用 .exe 的内容保留在内存中,然后在其中搜索用户可以完全控制的内容.我希望它在最后显示服务及其权利.
I will try to explain what I would like to do with it, my code is to scan the different windows services, to keep in memory only what uses an .exe and then to search among them the ones that the users have full control of. I would like it to display the service and its rights at the end.
$services = Get-WmiObject win32_service | ?{$_.PathName -like '*.exe*'} | select Name, State, Pathname, StartName | Out-Null
foreach ($service in $services) {
$var = "{0}.exe" -f ($Service.PathName -Split ".exe")[0]
foreach ($right in $var ){
if ( (Get-Acl $var).Access -ccontains "BUILTIN\Utilisateurs FullControl "{
Write-Warning " Exploit detected "
}
}
}
提前感谢您的反馈
推荐答案
Get-CimInstance Win32_Service |
Where-Object { $_.PathName -like '*.exe*'} |
Select-Object Name, State, Pathname, StartName |
ForEach-Object {
$_.PathName = ($_.PathName -split '(?<=\.exe\b)')[0].Trim('"')
Add-Member -PassThru -InputObject $_ Acl (Get-Acl -LiteralPath $_.PathName)
} |
Where-Object {
$_.Acl.Access.Where({
$_.IdentityReference -ceq 'BUILTIN\Utilisateurs' -and
$_.FileSystemRights -eq 'FullControl'
}, 'First').Count -gt 0
}
请注意,我已将 Get-WmiObject 替换为 Get-CimInstance,因为 CIM cmdlet 取代了 PowerShell v3(2012 年 9 月发布)中的 WMI cmdlet.因此,应该避免使用 WMI cmdlet,尤其是因为 PowerShell(核心)(v6+),未来所有的努力都将进行,甚至不再拥有它们.请注意,WMI 仍然成为 CIM cmdlet 的基础.有关详细信息,请参阅此答案.
Note that I've replaced Get-WmiObject with Get-CimInstance, because the CIM cmdlets superseded the WMI cmdlets in PowerShell v3 (released in September 2012). Therefore, the WMI cmdlets should be avoided, not least because PowerShell (Core) (v6+), where all future effort will go, doesn't even have them anymore. Note that WMI still underlies the CIM cmdlets, however. For more information, see this answer.
以上使用 ForEach-Object 调用:
更新每个对象的
.PathName属性,使其仅包含每个服务的可执行文件的 - 不带引号的 - 路径.
update the
.PathNameproperty of each object to contain only the - unquoted - path of the executable with each service.
通过 Add-Member,包含服务可执行文件的 ACL,通过 Get-Acl.
add an .Acl property to each object via Add-Member, containing the service executable's ACL, obtained via Get-Acl.
然后由那些服务可执行 ACL 包含标识 BUILTIN\Utilisateurs[1] 的条目的对象过滤生成的对象列表,并完全控制可执行文件.
The resulting list of objects is then filtered by those whose service-executable ACL contains an entry for identity BUILTIN\Utilisateurs[1] with full control over the executable.
也就是说,结果对象实际上是您打算为其发出 Write-Warning " 的对象.检测到漏洞利用
That is, the resulting objects are effectively those for which you meant to issue Write-Warning " Exploit detected "
至于你尝试了什么:
$services = ... |鉴于Out-Null的目的是抑制输出.
虽然 $var = "{0}.exe"-f ($Service.PathName -Split ".exe")[0] 确实提取了可执行路径(尽管 .exe 应该是 \.exe\b,为了健壮性),它可能包括双引号,应该去掉.
While $var = "{0}.exe" -f ($Service.PathName -Split ".exe")[0] does extract the executable path (although .exe should be \.exe\b, for robustness), it may include enclosing double quotes, which should be stripped.
不清楚 $rights 来自哪里.
您不能使用 -ccontains 来匹配对象的多个属性,并注意 -contains 运算符 及其变体是完整、在集合中测试一个值的存在,而不是在单个子字符串中查找字符串.
You cannot use -ccontains to match across multiple properties of an object, and note that the purpose of the -contains operator and its variants is to test presence of a value in full, in a collection, not to look for a substring in a single string.
[1] 有趣的是,这些身份引用是本地化的;在美国-英语系统上的等效项是 BUILTIN\Users.通常,最好获得此身份的与文化无关的表示,即其 SID,并将其用于比较: $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-545'
[1] It's interesting to see that these identity references are localized; the equivalent on a US-English system would be BUILTIN\Users. Generally, it would be better to obtain a culture-independent representation of this identity, namely its SID, and use that for comparison: $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-545'
[2] 简单来说,$null;从技术上讲,它是 PowerShell 用来表示未收到输出"的单例值,[System.Management.Automation.Internal.AutomationNull]::Value.
[2] Loosely speaking, $null; technically, it is the singleton value that PowerShell uses to signal "no output received", [System.Management.Automation.Internal.AutomationNull]::Value.
这篇关于windows服务powershell的.exe权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
