Microsoft Windows Unquoted Service Path Enumeration

This script fixes the vulnerability “Microsoft Windows Unquoted Service Path Enumeration” (Nessus plugin ID 63155). Additionally, the script can process uninstall strings and replace environment variables with their values (e.g. %ProgramFiles% > "C:\Program Files\").

Security | 4/14/2020 | 4.3 stars (28 ratings) | Downloaded 31,271 times
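As an added illustration of what the service fix does (example code written for this page, not the gallery script or any of its functions), the following PowerShell reports services whose ImagePath contains a space but is not quoted and, only when run with -Fix, writes the quoted value back. It also handles the two edge cases raised in the questions on this page: a path without .exe is skipped, and a path that is already quoted is left alone. The script name, the -Fix switch and the Get-QuotedImagePath function are my own names; the registry layout HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath is assumed.

```powershell
# Added example, not the gallery script itself: report (and optionally fix)
# services whose ImagePath contains a space but is not quoted, which is what
# Nessus plugin 63155 reports. Run in an elevated 64-bit PowerShell.
# Assumption: services live under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix   # omit to only report; add -WhatIf to preview what Set-ItemProperty would do
)

function Get-QuotedImagePath {
    # Returns the corrected command line, or $null when no change is needed.
    # Rule: the executable path is everything up to and including the first
    # ".exe"; if that part contains a space and is not already quoted, wrap it
    # in double quotes and leave the argument list untouched.
    param([Parameter(Mandatory)][string]$ImagePath)

    # Expand %SystemRoot%, %ProgramFiles% etc. so the check sees the real path.
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()

    # Already quoted, or no whitespace anywhere: nothing to do.
    if ($expanded.StartsWith('"') -or $expanded -notmatch '\s') { return $null }

    # No ".exe" at all (e.g. a kernel driver .sys): leave it alone, as the thread notes.
    if (-not ($expanded -match '^(?<exe>.+?\.exe)(?<rest>.*)$')) { return $null }
    $exe  = $Matches['exe']
    $rest = $Matches['rest']

    # A space only in the arguments is harmless; only the executable path matters.
    if ($exe -notmatch '\s') { return $null }
    return ('"{0}"{1}' -f $exe, $rest)
}

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $current = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $current) { continue }
    $fixed = Get-QuotedImagePath -ImagePath $current
    if ($fixed) {
        [pscustomobject]@{ Service = $key.PSChildName; Current = $current; Fixed = $fixed; Key = $key.PSPath }
    }
}

foreach ($f in $findings) {
    Write-Output ("Service '{0}': {1}  ->  {2}" -f $f.Service, $f.Current, $f.Fixed)
    if ($Fix -and $PSCmdlet.ShouldProcess($f.Service, 'Quote ImagePath')) {
        try {
            Set-ItemProperty -Path $f.Key -Name ImagePath -Value $f.Fixed -ErrorAction Stop
        } catch {
            # Typical causes seen in the thread: not elevated, or a product that
            # protects its own service key (e.g. security software). Report and move on.
            Write-Warning ("Could not update '{0}': {1}" -f $f.Service, $_.Exception.Message)
        }
    }
}
```

Saved as, say, Quote-ServicePaths.ps1 (hypothetical name), running it without switches only lists findings; -Fix writes the quoted values, and -Fix -WhatIf shows which keys would be written without touching the registry. Note that the written value is the expanded form, so %ProgramFiles%-style references are replaced by their current values, the same effect as the gallery script's environment-variable option.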
  • Detection Script for SCCM
    2 Posts | Last post February 21, 2020
    • Hi,
Great script, thanks for that.
I want to distribute your script as an SCCM application. (I do not like baselines).
Therefore it would be great if there existed an SCCM detection script.
      
      Basic Content:
      if a service is having spaces in the path -> script output should be empty -> SCCM will say run the script to fix the issue.
      if no service is having spaces in the path -> script output should be "installed" -> SCCM will say installed.
      
!SCCM interprets any output as detected / installed
      
• Hi Strahle_sz
  there was a discussion (on previous Q/A pages) about SCCM. Your logic is not clear to me.
  If you want to run the script only on hosts that need this fix, you can simply add a 5-line script to run this one with the -WhatIf flag and analyze the output, and create a file/registry trigger where you can run the same script without the -WhatIf parameter
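One way to write the SCCM detection script the question asks for, following the output contract stated in the question (any output means "installed", no output means "not installed", so SCCM runs the fix). This is an added example, not the gallery script: it reads Win32_Service.PathName through CIM rather than the registry, so kernel drivers are out of scope, and the string "Installed" is an arbitrary choice.

```powershell
# Added example (not the gallery script): SCCM application detection method.
# Contract from the thread: ANY output means "installed"; no output means
# "not installed", so SCCM deploys the fix. We therefore print "Installed" only
# when no service still has an unquoted PathName containing a space.
# Assumption: Win32_Service.PathName mirrors the service's ImagePath value.
$unquoted = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $p = [Environment]::ExpandEnvironmentVariables([string]$_.PathName).Trim()
        $p -and
        -not $p.StartsWith('"') -and                 # not already quoted
        ($p -match '^(?<exe>.+?\.exe)') -and         # executable path ends at the first .exe
        ($Matches['exe'] -match '\s')                # and that path contains a space
    }

if (-not $unquoted) {
    # Clean machine: SCCM marks the application as installed.
    Write-Output 'Installed'
}
# Otherwise produce no output; SCCM then runs the fix script.
exit 0
```

Pair this with the fix script as the application's install command; after the fix runs, the next detection pass finds no unquoted paths, prints "Installed", and SCCM stops retrying.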
  • Unable to run it via powershell
    3 Posts | Last post February 12, 2020
    • Seems there's a restriction in our infra. Can anyone help me to resolve this:
      
      2020-02-10 14:47:54Z  :  INFO  : Executed x64 Powershell on x64 OS
      2020-02-10 14:47:54Z  :  INFO  : Computername: xxx
      2020-02-10 14:47:54Z  :  Old Value : Service : 'EFI ES1000' - C:\Program Files (x86)\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe
      2020-02-10 14:47:54Z  :  Expected  : Service : 'EFI ES1000' - "C:\Program Files (x86)\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe"
      2020-02-10 14:47:54Z  :  ERROR  : Something is going wrong. Value changing failed in service 'EFI ES1000'.
      2020-02-10 14:47:54Z  :  ERROR  : Requested registry access is not allowed.
      2020-02-10 14:47:54Z  :  Old Value : Service : 'Fiery Data Collector' - C:\Program Files (x86)\Fiery\Applications3\Command WorkStation 5\FDC\FDC.exe
      2020-02-10 14:47:54Z  :  Expected  : Service : 'Fiery Data Collector' - "C:\Program Files (x86)\Fiery\Applications3\Command WorkStation 5\FDC\FDC.exe"
      2020-02-10 14:47:54Z  :  ERROR  : Something is going wrong. Value changing failed in service 'Fiery Data Collector'.
      2020-02-10 14:47:54Z  :  ERROR  : Requested registry access is not allowed.
      2020-02-10 14:47:55Z  :  Old Value : Service : 'ofaApp' - C:\Program Files (x86)\EFI\OFASQ2\ofaApp.exe
      2020-02-10 14:47:55Z  :  Expected  : Service : 'ofaApp' - "C:\Program Files (x86)\EFI\OFASQ2\ofaApp.exe"
      2020-02-10 14:47:55Z  :  ERROR  : Something is going wrong. Value changing failed in service 'ofaApp'.
      2020-02-10 14:47:55Z  :  ERROR  : Requested registry access is not allowed.
      
And another one seems not to be running on our secure server.
      
      Please help me to run it manually via command line instead.
      
Appreciate your help :)
• There are 2 potential problems here:
  1 PowerShell executed without admin rights. Solution: start PowerShell as administrator and execute the script in this console
  2 The failed services are protected by something (for example, some antiviruses protect themselves from any modifications)
  Solution: disable self-protection or raise a ticket with the product
• Able to run it with elevation, but before that I needed to enable Windows PowerShell and allow all scripts to run in the execution policy. :) Thank you!
  • Doesn't work with services
    2 Posts | Last post February 10, 2020
    • I've run this on a couple of Win10 virtual machines at my company but it only fixes ENV and Uninstall.  Doesn't touch Services whether I add it to the command line with $true or run it with no switches.  Any idea why that would happen?
      
      Thanks!
• JG813, if you do not have any problems in your services, the script will not show and will not fix anything
  • Will this run if image path doesn't have .exe or .sys mention
    2 Posts | Last post November 16, 2019
• One of the services' ImagePath doesn't have .exe and the script is not working for it. Any pointers?
  Also, what if I just want results?
    • Hi nit58!
      
for splitting the path from the arguments we need to have some trigger. I chose .exe as the point where the path ends and the argument list starts. It covers 99% of all services I have found. If you have 1 specific service which is not covered by this script, you can try to do 1 simple replace for that 1 specified service.
Regarding your second question, you have the WhatIf parameter which will display all needed changes but will not touch anything in your registry.
  • Should be selected at least one of two parameters: FixServices or FixUninstall
    2 Posts | Last post October 16, 2019
    • Hi there,
      
      Thanks for this script it is excellent :)
      
      I have tried running the script with: Windows_Path_Enumerate.ps1 -FixUninstall -FixServices, or even just with only one of the parameters and keep getting the following error:
      
      Should be selected at least one of two parameters: FixServices or FixUninstall.
      At C:\temp\Windows_Path_Enumerate.ps1:511 char:5
      +     Throw "Should be selected at least one of two parameters: FixServ ...
      +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : OperationStopped: (Should be selec...rate.ps1 -full':String) [], RuntimeException
          + FullyQualifiedErrorId : Should be selected at least one of two parameters: FixServices or FixUninstall.
      
      Is there something I am missing or overlooking?
      
      Thanks so much!
      Ew0k
    • I have seen the error of my ways :) I just needed to add the functions with parameters at the bottom of the actual script. So on the very last line I called the functions like so:
      
      Fix-ServicePath -FixServices:$true -FixUninstall:$true -FixEnv
      
      This now works as expected, thanks again for this script :)
      
      Ew0k
  • Not working on Windows 7
    3 Posts | Last post October 11, 2019
    • Hi Vector,
      
      Thanks a mil for writing this life saver for us. Huge respect and big hug :) 
      
It works like a charm on all Windows 10 machines but it is failing on Windows 7 mate. 
      
      Get-ChildItem : A parameter cannot be found that matches parameter name 'Directory'.
      At C:\Temp\Windows_Unquoated_EnumerateV2_08072019.ps1:9 char:46
      + $DiscKeys = Get-ChildItem -Recurse -Directory <<<<  $BaseKeys -Exclude $BlackList -ErrorAction SilentlyContinue |
          + CategoryInfo          : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
          + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
       
      Method invocation failed because [Microsoft.Win32.RegistryKey] doesn't contain a method named 'OpenBaseKey'.
      At C:\Temp\Windows_Unquoated_EnumerateV2_08072019.ps1:12 char:55
      + $Registry = [Microsoft.Win32.RegistryKey]::OpenBaseKey <<<< ('LocalMachine', 'Default')
          + CategoryInfo          : InvalidOperation: (OpenBaseKey:String) [], RuntimeException
          + FullyQualifiedErrorId : MethodNotFound
       
      You cannot call a method on a null-valued expression.
      At C:\Temp\Windows_Unquoated_EnumerateV2_08072019.ps1:47 char:21
      +     $ParentKey.Close <<<< ()
          + CategoryInfo          : InvalidOperation: (Close:String) [], RuntimeException
          + FullyQualifiedErrorId : InvokeMethodOnNull
       
      You cannot call a method on a null-valued expression.
      At C:\Temp\Windows_Unquoated_EnumerateV2_08072019.ps1:49 char:16
      + $Registry.Close <<<< ()
          + CategoryInfo          : InvalidOperation: (Close:String) [], RuntimeException
          + FullyQualifiedErrorId : InvokeMethodOnNull
      
      
      Any help would be appreciated here.
      
      Raghu
    • Hi Raghu,
      
looks like you have PowerShell v2 on your Win7 machines. The easiest and safest way to fix this and many other problems is simply to upgrade PowerShell to the latest build (I believe 5.1). 
You can do this in many ways: GPO, SCCM, scripts, user power. In our env. we use SCCM for that
• Well there is a reason I am a novice in PS scripting. Thanks mate a ton for this tip. Honestly IDK how I overlooked this since I did install PS 5.1 on other Win 7 machines. Dah.. Thanks again
  • Error with x64 PowerShell?
    5 Posts | Last post September 05, 2019
    • Hi,
I have run this through SCCM using the scripts tool and deployed to a small test collection. I am getting some unexpected errors as below in the client log file. 
      
      2019-09-02 15:43:15Z  :  WARNING  : !ATTENTION! : Executed x32 Powershell on x64 OS. Not all vulnerabilities could be fixed.
      2019-09-02 15:43:15Z  :  WARNING  : For fixing all vulnerabilities should be used x64 Powershell.
      2019-09-02 15:43:15Z  :  INFO  : Computername: PC003
      
      Does anyone have any ideas as to how I can fix this?
      
      Thanks
      
      
    • Hi Matt,
      this is expected warning in your case.
      You can try workaround from this topic:
      https://social.technet.microsoft.com/Forums/Lync/en-US/773405a4-f3b4-4926-96c4-847301443ddc/deployment-of-powershell-scripts-in-a-64bit-environment-via-sccm?forum=configmgrgeneral
    • Hi,
      Thanks for the reply.
      I did have a look at this article but must admit didn't find it that useful. 
      May have to look at doing this another way. 
      Thanks
• that article proposes to use 1 more script before PowerShell execution: a cmd that will test whether the system is x64 or not, and based on the result start posh from different locations
  This is a general workaround for all System Center components which support posh natively
• or you can create 2 deployments for x64 and x86 clients and run posh for each of them from specified locations
  • Unable to save logs to network shares
    2 Posts | Last post September 04, 2019
    • Hey, great script man and thank you for your contribution.
      
      Everything is working for me except for custom logging location. I seem to be unable to export logs to any network shares. Local paths work fine but when I input a path of a network drive I get the following errors:
      
      Write-FileLog : Cannot validate argument on parameter 'Logname'. Cannot index into a null array.
      At C:\Windows_Path_Enumerate.ps1:522 char:102
      + ... **********************************' | Write-FileLog -Logname $Logname
      +                                                                  ~~~~~~~~
          + CategoryInfo          : InvalidData: (:) [Write-FileLog], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationError,Write-FileLog
      
      Write-FileLog : Cannot validate argument on parameter 'Logname'. Cannot index into a null array.
      At C:\Windows_Path_Enumerate.ps1:523 char:42
      +     $validation | Write-FileLog -Logname $Logname -OutOnScreen
      +                                          ~~~~~~~~
          + CategoryInfo          : InvalidData: (:) [Write-FileLog], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationError,Write-FileLog
      
      Write-FileLog : Cannot validate argument on parameter 'Logname'. Cannot index into a null array.
      At C:\Windows_Path_Enumerate.ps1:528 char:50
      +         -FixEnv:$FixEnv | Write-FileLog -Logname $Logname -OutOnScree ...
      +                                                  ~~~~~~~~
          + CategoryInfo          : InvalidData: (:) [Write-FileLog], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationError,Write-FileLog
      
      
      Any idea why these errors are popping or how I can get round them?
      Cheers
    • Hi killhha!
      
I will try to test and fix this problem soon
As a workaround you can try replacing the Write-FileLog calls with Tee-Object or Out-File with the -Append parameter, or write the file locally and at the end of this script add copy-item <local path> <remote path>
      Thanks for bug report
  • Collect Logs
    2 Posts | Last post August 28, 2019
• Your script has made my job that much easier - thanks! I deployed this through SCCM but I can't figure out how to collect the logs. My detection method (for SCCM) is set to "if ServicesFix.log exists". But I want to collect these logs.
    • Rmart73, 
      
in my opinion you can do a simple trick with a file server:
- create a share and grant Domain Computers the right to put files there
- change the logname parameter to \\server\share\$($env:computername)_uqspe.log and set something similar in a detection method
  • Potential Incorrect Fix
    2 Posts | Last post August 13, 2019
    • Please see the old and new value posted below.  The new value doesn't look correct to me.  Specifically the " .exe" appended at the end.
      
      2019-08-12 10:45:46Z  :  Old Value : Software : '{D219755A-89CC-49F2-A676-67945B7FC1E7}' - RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{D219755A-89CC-49F2-A676-67945B7FC1E7}\setup.exe"
      
      2019-08-12 10:45:46Z  :  Expected  : Software : '{D219755A-89CC-49F2-A676-67945B7FC1E7}' - "RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{D219755A-89CC-49F2-A676-67945B7FC1E7}\setup.exe" .exe" 
• Good point, here could be a problem when a path with exe is stored in a parameter. Will try to fix it in the next release.