Speculation Control Validation PowerShell Script

This is described in the blog topic: "Windows Server guidance to protect against the speculative execution side-channel vulnerabilities."

 
 
 
 
 
4.6 Star
(8)
10,229 times
Security
1/12/2018


  • ZIP is empty after download
    3 Posts | Last post 7:02 AM
    • the SpeculationControl.zip is empty after downloading it !
    • Same issue here. Tested on different browsers and different machines.
    • You can download the script now
  • Speculation control
    1 Posts | Last post Tue 5:33 AM
    • When I run the script I get an error
      Unsupported processor manufacturer:
      At C:\scripts\SpeculationControl\SpeculationControl.psm1:148 char:18
      +             throw <<<<  ("Unsupported processor manufacturer: {0}" -f $cpu.Manufacturer)
          + CategoryInfo          : OperationStopped: (Unsupported processor manufacturer: :String) [], RuntimeException
          + FullyQualifiedErrorId : Unsupported processor manufacturer:
      
      Please advise, it's a Dell server
  • Hardware and Windows support is present but still disabled???
    6 Posts | Last post Mon 9:44 PM
    • Hardware support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is enabled: False
      Windows OS support for branch target injection mitigation is disabled by system policy: False
      Windows OS support for branch target injection mitigation is disabled by absence of hardware support: False
      
      What does that even mean? Why disabled if not by system policy or absence of hardware support?
    • Is this a Windows Server? If so, you need to enable the mitigations in the registry: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
    • No, this is Windows Client. And just to be safe I tried enabling it in the registry and it didn't help.
    • Here is verbose output:
      BpbEnabled                   : False
      BpbDisabledSystemPolicy      : False
      BpbDisabledNoHardwareSupport : False
      HwReg1Enumerated             : True
      HwReg2Enumerated             : True
      HwMode1Present               : False
      HwMode2Present               : False
      SmepPresent                  : True
    • Sorry, have to ask.  Did you install BIOS updates pertinent to the vulnerabilities as well as Windows updates?
    • There was no BIOS update for my motherboard model and probably won't be at all. But I updated CPU microcode and script says that hardware support is present.
  • 0 byte download
    2 Posts | Last post Sun 5:57 PM
    • The file contains nothing. I tried downloading via 2 different connections on 2 different laptops, one Win 7 one Win 10.
    • You can import this PS module directly to your laptop with the 4 PowerShell commands below, in Administrator mode.
      
      I ran this for the first time in Windows 10 and it worked for me. You can give it a try.
      
      PS C:\install\SpeculationControl> Import-Module PackageManagement
      PS C:\install\SpeculationControl> Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
      
      Name                           Version          Source                         Summary
      ----                           -------          ------                         -------
      nuget                          2.8.5.208        https://oneget.org/nuget-2.... NuGet provider for the OneGet meta-package manager
      PS C:\install\SpeculationControl> Save-Module -Name SpeculationControl -Path C:\Install\SpeculationControl
      PS C:\install\SpeculationControl> Install-Module -Name SpeculationControl
      Untrusted repository
      You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
      [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A
      
  • EXE version of this script
    2 Posts | Last post Sun 2:38 PM
    • Some folks have had problems with the module. Below is a link to EXE versions of version 1.4 of the script. Created with PS2EXE with versions requiring .NET 2.0, 3.0 and 4.0 included as well as the original ps1 script converted from the module. Hopefully helpful to some as it's a little more portable. License: MIT
      
      https://1drv.ms/u/s!AvUMCaElfVkvmyfWNzSrNEchXT8R
    • Thanks, Andy. Couldn't make the script work.
  • SCCM report query
    1 Posts | Last post Sun 12:13 PM
    • The following query can be used to track BIOS versions on SCCM managed systems. Tested with 2012 R2:
      
      SELECT
        v_GS_Computer_System.Name0
        ,v_GS_Computer_System.Model0
        ,v_GS_PC_BIOS.Manufacturer0
        ,v_GS_PC_BIOS.SerialNumber0
        ,v_GS_PC_BIOS.SMBIOSBIOSVersion0
        ,v_GS_PC_BIOS.ReleaseDate0
      FROM 
      v_GS_PC_BIOS inner join v_GS_Computer_System on v_GS_PC_BIOS.ResourceId = v_GS_Computer_System.ResourceId 
      ORDER BY 
      v_GS_Computer_System.Name0
  • Zip file empty
    1 Posts | Last post Sat 6:37 PM
  • Azure Windows 2012R2 VM reporting missing hardware support for mitigation
    1 Posts | Last post Fri 11:25 AM
    • We just (on 12 January 2018) spun up a 2012R2 VM in Azure (West Europe) – it had the QualityCompat registry key, despite there being no AV installed. It also had the KB 4056898 installed. However, the registry keys to enable the protection were missing. We added those. After stopping then starting the VM, it is showing:
      
      Hardware support for branch target injection mitigation is present: False
      Windows OS support for branch target injection mitigation is present: True
      Windows OS support for branch target injection mitigation is enabled: False
      Windows OS support for branch target injection mitigation is disabled by system policy: False
      Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True
      
      Has Microsoft not updated all their Azure host hardware, or configured their Hyper-V hosts correctly?
      
      What would be useful is if someone could confirm if an Azure VM like ours should be "all green" for the Get-SpeculationControlSettings output, or if it looks like ours...
      
      Could someone also confirm that an in-house, fully patched VM on patched hardware/Hyper-V should be "all green"?
  • CVE-2017-5753?
    2 Posts | Last post Fri 10:27 AM
    • The script/cmdlet output has two sections with headers that display security compliance verifications for CVE-2017-5715 and CVE-2017-5754. Is it assumed, if both sections are fully compliant and all recommendations are applied from the third section, that you are protected against CVE-2017-5753 as well?
    • Anyone, please?
  • Doesn't see Windows 7 CVE-2017-5754 patch
    4 Posts | Last post Fri 8:51 AM
    • Hi there,
      Running the script on Windows 7 (x86 32-bit) devices, with both BIOS updates and update KB4056894 installed, shows correct results for CVE-2017-5715.  
      
      However CVE-2017-5754 is reported as failed/false...
      
      Hardware requires kernel VA shadowing: True
      Windows OS support for kernel VA shadow is present: False
      Windows OS support for kernel VA shadow is enabled: False
      
      Any reason why Windows 7 devices would not see the update for CVE-2017-5754?
    • I have the same problem, mostly on some HP devices, for instance the HP EliteBook 840.
    • Hi.
      We have the same problem when we run the script on Win8.1 x86. However, if we install Win8.1 x64 on the same box everything works fine: it seems there is some kind of problem with the script when it checks CVE-2017-5754 when run on x86 operating systems (the processor is an Intel i3 with 64-bit architecture).
      Regards.
    • Hi. 
      From FAQs in:
      https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002
      
      7. I have an x86 architecture and the PowerShell Verification output indicates that I am not fully protected from these speculative execution side-channel vulnerabilities. Will Microsoft provide complete protections in the future?
      Addressing a hardware vulnerability with a software update presents significant challenges and mitigations for older operating systems that require extensive architectural changes. The existing 32 bit update packages listed in this advisory fully address CVE-2017-5753 and CVE-2017-5715, but do not provide protections for CVE-2017-5754 at this time. Microsoft is continuing to work with affected chip manufacturers and investigate the best way to provide mitigations for x86 customers, which may be provided in a future update.
      
      So the PowerShell script works fine; the problem is that there is no mitigation for Meltdown if you have a 32-bit operating system.
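
Several of the threads above come down to reading the flags that Get-SpeculationControlSettings reports. As an added example (not part of the original page or of Microsoft's module), the PowerShell function below sorts a result into the cases discussed here. The function name, the -Is32BitOS parameter and the sample object are constructed for illustration, and the BTI*/KVAShadow* property names are assumed to be those of the object the cmdlet returns.

```powershell
# Added example, not from the SpeculationControl module. Get-MitigationFinding and
# -Is32BitOS are hypothetical; BTI*/KVAShadow* are assumed to be the property names
# of the object that Get-SpeculationControlSettings returns.
function Get-MitigationFinding {
    param(
        [Parameter(Mandatory = $true)] $Settings,
        [bool] $Is32BitOS = $false
    )
    $findings = @()

    # CVE-2017-5715 (branch target injection): report the first blocking cause.
    if (-not $Settings.BTIWindowsSupportPresent) {
        $findings += 'BTI: the Windows update carrying the mitigation is not installed.'
    } elseif ($Settings.BTIDisabledByNoHardwareSupport -or -not $Settings.BTIHardwarePresent) {
        $findings += 'BTI: no hardware support visible to this OS (microcode/firmware; on a VM, the host).'
    } elseif ($Settings.BTIDisabledBySystemPolicy) {
        $findings += 'BTI: disabled by system policy.'
    } elseif (-not $Settings.BTIWindowsSupportEnabled) {
        $findings += 'BTI: present but not enabled, no cause flagged; on Windows Server see KB4072698.'
    }

    # CVE-2017-5754 (kernel VA shadow).
    if ($Settings.KVAShadowRequired -and -not $Settings.KVAShadowWindowsSupportPresent) {
        if ($Is32BitOS) {
            $findings += 'KVA: expected on 32-bit Windows; per ADV180002 FAQ 7 the 32-bit updates do not cover CVE-2017-5754 at this time.'
        } else {
            $findings += 'KVA: the Windows update carrying kernel VA shadow is not installed.'
        }
    } elseif ($Settings.KVAShadowRequired -and -not $Settings.KVAShadowWindowsSupportEnabled) {
        $findings += 'KVA: support is present but not enabled.'
    }

    if ($findings.Count -eq 0) { $findings += 'All reported mitigations are enabled.' }
    return $findings
}

# Constructed sample mirroring the Azure 2012R2 thread (KVA values are made up).
$azureVm = New-Object PSObject -Property @{
    BTIHardwarePresent = $false; BTIWindowsSupportPresent = $true
    BTIWindowsSupportEnabled = $false; BTIDisabledBySystemPolicy = $false
    BTIDisabledByNoHardwareSupport = $true; KVAShadowRequired = $true
    KVAShadowWindowsSupportPresent = $true; KVAShadowWindowsSupportEnabled = $true
}
Get-MitigationFinding -Settings $azureVm
# Live use: Get-MitigationFinding -Settings (Get-SpeculationControlSettings)
```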
      
      