我试图生成一个正在运行的进程的列表(完整的可执行路径),然后遍历该列表并针对每个文件执行SysInternals“ sigcheck.exe”。
由于某种原因,这无法达到预期的效果,我不确定这是由于我对输入文件的处理还是wmic创建的输出格式所致。理想情况下,我想先使它作为批处理脚本工作,然后尝试将其转换为cli-liner。
以下是我当前正在尝试的代码:
setlocal enabledelayedexpansion
@echo off
wmic process get executablepath /format:csv | more > c:\windows\temp\pslist.txt
for /f "skip=5 tokens=1,2 delims=," %%a in (c:\windows\temp\pslist.txt) do (
echo %%b
sigcheck.exe -accepteula -r -e "%%b"
)
ENDLOCAL
答案 0 :(得分:0)
这使用“ wmic.exe进程”构建列表,并将“ executablepath”仅传递到“ sigcheck.exe”。 “线程数”是一个窍门-因为WMIC具有臭名昭著的Extra-CR,要求额外提供1个不需要的属性会在输出中创建标记.....逗号。 “ for”命令在逗号处截断WMIC输出,这就是可以在没有任何额外CR的情况下仅拉出“可执行路径”的方法。
for /f "tokens=2 delims=," %A in ('wmic process where "not executablepath=null" get executablepath^,threadcount /format:csv') do @sigcheck.exe -accepteula -r -e "%A"
Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\program files (x86)\google\chrome\application\chrome.exe:
Verified: Signed
Signing date: 7:47 PM 2/28/2019
Publisher: Google LLC
Company: Google Inc.
Description: Google Chrome
Product: Google Chrome
Prod version: 72.0.3626.121
File version: 72.0.3626.121
MachineType: 64-bit
Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\windows\system32\windowspowershell\v1.0\powershell.exe:
Verified: Signed
Signing date: 5:26 PM 4/11/2018
Publisher: Microsoft Windows
Company: Microsoft Corporation
Description: Windows PowerShell
Product: Microsoft« Windows« Operating System
Prod version: 10.0.17134.1
File version: 10.0.17134.1 (WinBuild.160101.0800)
MachineType: 64-bit
Sigcheck v2.72 - File version and signature viewer
Copyright (C) 2004-2019 Mark Russinovich
Sysinternals - www.sysinternals.com