WMF 5.0 RTM republished

I’ve already announced on my blog that WMF 5.0 is RTM but I also kept the post updated with comments about the issue with the PSModulePath environment variable raised on the UserVoice site than led to the removal of KB3094174, KB3094175, and KB3094176 packages published by the end of December.

Now, I’m very pleased to announce that Windows Management Framework (WMF) 5.0 RTM packages has been republished. The PowerShell Team deserves a big thank you for fixing the issue and also for keeping us in touch along their journey. Drum roll πŸ˜€

All the reasons I exposed in my previous blog post explaining why WMF5 is such a huge milestone are still valid.
The only update required is the table that listed package names, their download link and their SHA256 checksums.
So, here we go:

Operating System Architecture Package Name SHA256
Windows Server 2012 R2 x64 Win8.1AndW2K12R2-KB3134758-x64.msu BB6AF4547545B5D10D8EF239F47D59DE76DAFF06F05D0ED08C73EFF30B213BF2
Windows Server 2012 x64 W2K12-KB3134759-x64.msu 6E59CEC4BD30C505F426A319673A13C4A9AA8D8FF69FD0582BFA89F522F5FF00
Windows Server 2008 R2 x64 Win7AndW2K8R2-KB3134760-x64.msu 077E864CC83739AC53750C97A506E1211F637C3CD6DA320C53BB01ED1EF7A98B
Windows 8.1 x64 Win8.1AndW2K12R2-KB3134758-x64.msu BB6AF4547545B5D10D8EF239F47D59DE76DAFF06F05D0ED08C73EFF30B213BF2
Windows 8.1 x86 Win8.1-KB3134758-x86.msu F9EE4BF2D826827BC56CD58FABD0529CB4B49082B2740F212851CC0CC4ACBA06
Windows 7 SP1 x64 Win7AndW2K8R2-KB3134760-x64.msu 077E864CC83739AC53750C97A506E1211F637C3CD6DA320C53BB01ED1EF7A98B
Windows 7 SP1 x86 Win7-KB3134760-x86.msu 0486901B4FD9C41A70644E3A427FE06DD23765F1AD8B45C14BE3321203695464

Here’s WMF 5.0 RTM republished on Windows 7
WMF5RTMrepub-W7

Advertisements

First release of AutoRuns module

You may remember the excellent PowerShell Security series from PowerShell Magazine where I presented a Get-PSAutoRun function to investigate malware persistence ala “Sysinternals autoruns”.

I’ve actually revised its content during the last Christmas holidays and transformed it as a module.

I’ve updated the launch points the original Sysinternals autoruns utility checks and tried to do my best to keep track of what new launch points were added or removed between versions:
AutoRunsHistory
You may have noticed that there’s a new category for Office plugins.
I’ve also added some code about the PoweLiks malware although I hadn’t had yet a sample to fully test my detection code:
Powelik

The code has also undergone a major “quality review” to reduce the number of warnings or issues reported by the PSScriptAnalyzer module.
Test-Code-with-Invoke-ScriptAnalyzer
As you can see, it still complains about using the Get-WmiObject cmdlet and the fact that I sometimes use an empty catch block to avoid returning an error.

What’s next?
I’ve published the module in the PowerShell Gallery πŸ˜€
AutoRuns-On-PSGallery
Now, it’s your turn to test the module and tell me what you think about it. You can also contribute and fork it as it’s stored in my GitHub at this address.

Quick tip about PPKG files

I’ve been playing with the Windows 10 Deployment and Management Lab Kit Microsoft provided and applying provisioning packages (PPKG) files in chapter 6.

I’ve found the following documentation about applying provisioning packages on MSDN where I’ve learned that you can work with PPKG in an Offline image using DISM and that there’s an UI that looks like this:

ppk-UI-01

Unfortunately, you cannot list installed provisioning packages from an online image 😦
PowerShell to the rescue! Please, fix this shortcoming!

dir C:\ProgramData\Microsoft\Provisioning\ -Recurse -Include  customizations.xml | 
ForEach-Object {
 $x = [xml](Get-Content $_.FullName) ;
 if ($x.WindowsCustomizations.PackageConfig.OwnerType -ne 'Microsoft') {
  $x.WindowsCustomizations.PackageConfig
 }
} | Select ID,Name,Version,OwnerType,Rank | Format-Table -AutoSize

ppk-xml-parsing

Nice, I was able to grab the Package ID, its version, its name but not the ‘Author’ if you compare the output of my PowerShell command and the ‘Details’ UI below
(I’ve absolutely no clue where it’s stored. If you know, please share this information with us πŸ™‚ )
ppk-UI-02