WMF 5.0 RTM republished

I’ve already announced on my blog that WMF 5.0 is RTM, but I also kept that post updated with comments about the issue with the PSModulePath environment variable raised on the UserVoice site, which led to the removal of the KB3094174, KB3094175, and KB3094176 packages published at the end of December.

Now, I’m very pleased to announce that the Windows Management Framework (WMF) 5.0 RTM packages have been republished. The PowerShell Team deserves a big thank you for fixing the issue and also for keeping us informed along the way. Drum roll 😀

All the reasons I gave in my previous blog post explaining why WMF5 is such a huge milestone are still valid.
The only update required is the table that listed the package names, their download links and their SHA256 checksums.
So, here we go:

| Operating System | Architecture | Package Name | SHA256 |
|---|---|---|---|
| Windows Server 2012 R2 | x64 | Win8.1AndW2K12R2-KB3134758-x64.msu | BB6AF4547545B5D10D8EF239F47D59DE76DAFF06F05D0ED08C73EFF30B213BF2 |
| Windows Server 2012 | x64 | W2K12-KB3134759-x64.msu | 6E59CEC4BD30C505F426A319673A13C4A9AA8D8FF69FD0582BFA89F522F5FF00 |
| Windows Server 2008 R2 | x64 | Win7AndW2K8R2-KB3134760-x64.msu | 077E864CC83739AC53750C97A506E1211F637C3CD6DA320C53BB01ED1EF7A98B |
| Windows 8.1 | x64 | Win8.1AndW2K12R2-KB3134758-x64.msu | BB6AF4547545B5D10D8EF239F47D59DE76DAFF06F05D0ED08C73EFF30B213BF2 |
| Windows 8.1 | x86 | Win8.1-KB3134758-x86.msu | F9EE4BF2D826827BC56CD58FABD0529CB4B49082B2740F212851CC0CC4ACBA06 |
| Windows 7 SP1 | x64 | Win7AndW2K8R2-KB3134760-x64.msu | 077E864CC83739AC53750C97A506E1211F637C3CD6DA320C53BB01ED1EF7A98B |
| Windows 7 SP1 | x86 | Win7-KB3134760-x86.msu | 0486901B4FD9C41A70644E3A427FE06DD23765F1AD8B45C14BE3321203695464 |
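As an added example (not part of the original post), here is a PowerShell check that verifies each downloaded package against the SHA256 values in the table above before you install it. The hash values are copied from the table; the download folder path is an assumption, and the .NET fallback is there only for hosts older than PowerShell 4.0, where Get-FileHash does not exist.

```powershell
# Expected SHA256 values, copied from the republished package table above.
$expected = @{
  'Win8.1AndW2K12R2-KB3134758-x64.msu' = 'BB6AF4547545B5D10D8EF239F47D59DE76DAFF06F05D0ED08C73EFF30B213BF2'
  'W2K12-KB3134759-x64.msu'            = '6E59CEC4BD30C505F426A319673A13C4A9AA8D8FF69FD0582BFA89F522F5FF00'
  'Win7AndW2K8R2-KB3134760-x64.msu'    = '077E864CC83739AC53750C97A506E1211F637C3CD6DA320C53BB01ED1EF7A98B'
  'Win8.1-KB3134758-x86.msu'           = 'F9EE4BF2D826827BC56CD58FABD0529CB4B49082B2740F212851CC0CC4ACBA06'
  'Win7-KB3134760-x86.msu'             = '0486901B4FD9C41A70644E3A427FE06DD23765F1AD8B45C14BE3321203695464'
}

function Get-Sha256Hex {
  param([string]$Path)
  # Get-FileHash ships with PowerShell 4.0 (WMF 4.0); a bare Windows 7 SP1 box
  # still on PowerShell 2.0 has to fall back to the .NET hash provider.
  if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
    return (Get-FileHash -Path $Path -Algorithm SHA256).Hash
  }
  $sha = [System.Security.Cryptography.SHA256]::Create()
  $fs  = [System.IO.File]::OpenRead($Path)
  try   { $bytes = $sha.ComputeHash($fs) }
  finally { $fs.Dispose(); $sha.Dispose() }
  return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Test-WmfPackage {
  param([Parameter(Mandatory = $true)][string]$Path)
  $name = Split-Path -Leaf $Path
  if (-not $expected.ContainsKey($name)) {
    # A file name that is not in the table cannot be verified against it.
    return [pscustomobject]@{ Package = $name; Status = 'Unknown package name'; Hash = $null }
  }
  $actual = Get-Sha256Hex -Path $Path
  $ok = [string]::Equals($actual, $expected[$name], [StringComparison]::OrdinalIgnoreCase)
  $status = if ($ok) { 'OK' } else { 'MISMATCH - do not install' }
  [pscustomobject]@{ Package = $name; Status = $status; Hash = $actual }
}

# Assumed download folder: verify every .msu in it and review the result
# before running any of them with wusa.exe.
Get-ChildItem -Path 'C:\Downloads\WMF5' -Filter '*.msu' |
  ForEach-Object { Test-WmfPackage -Path $_.FullName } |
  Format-Table -AutoSize
```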

Here’s WMF 5.0 RTM republished on Windows 7:
[Screenshot: WMF 5.0 RTM republished on Windows 7]

First release of AutoRuns module

You may remember the excellent PowerShell Security series from PowerShell Magazine, where I presented a Get-PSAutoRun function to investigate malware persistence à la “Sysinternals autoruns”.

I actually revised its content during the last Christmas holidays and turned it into a module.

I’ve updated the launch points that the original Sysinternals autoruns utility checks and did my best to keep track of which launch points were added or removed between versions:
[Screenshot: AutoRuns launch-point history across versions]
You may have noticed that there’s a new category for Office plugins.
I’ve also added some code for the Poweliks malware, although I didn’t yet have a sample to fully test my detection code:
[Screenshot: Poweliks detection code]

The code has also undergone a major “quality review” to reduce the number of warnings and issues reported by the PSScriptAnalyzer module.
[Screenshot: Invoke-ScriptAnalyzer results for the module]
As you can see, it still complains about my use of the Get-WmiObject cmdlet and about the empty catch blocks I sometimes use to avoid returning an error.

What’s next?
I’ve published the module in the PowerShell Gallery 😀
[Screenshot: AutoRuns module listed on the PowerShell Gallery]
Now it’s your turn to test the module and tell me what you think about it. You can also contribute and fork it, as it’s stored on my GitHub at this address.

Quick tip about PPKG files

I’ve been playing with the Windows 10 Deployment and Management Lab Kit that Microsoft provides, and applying provisioning package (PPKG) files in chapter 6.

I found the following documentation about applying provisioning packages on MSDN, where I learned that you can work with PPKG files in an offline image using DISM, and that there’s a UI that looks like this:

[Screenshot: provisioning package UI]

Unfortunately, you cannot list installed provisioning packages from an online image 😦
PowerShell to the rescue! Please, fix this shortcoming!

```powershell
# Walk the provisioning store and parse each package's customizations.xml
dir C:\ProgramData\Microsoft\Provisioning\ -Recurse -Include customizations.xml |
ForEach-Object {
 $x = [xml](Get-Content $_.FullName)
 # skip the packages Microsoft ships itself, keep the ones applied afterwards
 if ($x.WindowsCustomizations.PackageConfig.OwnerType -ne 'Microsoft') {
  $x.WindowsCustomizations.PackageConfig
 }
} | Select-Object ID,Name,Version,OwnerType,Rank | Format-Table -AutoSize
```

[Screenshot: output of the customizations.xml parsing command]

Nice, I was able to grab the package ID, its version and its name, but not the ‘Author’, as you can see if you compare the output of my PowerShell command with the ‘Details’ UI below
(I’ve absolutely no clue where it’s stored. If you know, please share it with us 🙂 )
[Screenshot: provisioning package ‘Details’ UI]