sysinternals suite trough MS Store

metablaster · Dec 6, 2023 · eaca966 · eaca966
1 parent f004ff8
commit eaca966
Show file tree

Hide file tree

Showing 8 changed files with 334 additions and 306 deletions.
diff --git a/.vscode/bookmarks.json b/.vscode/bookmarks.json
@@ -84,16 +84,6 @@
 					"label": ""
 				}
 			]
-		},
-		{
-			"path": "Rules/IPv4/Outbound/StoreApps.ps1",
-			"bookmarks": [
-				{
-					"line": 343,
-					"column": 10,
-					"label": ""
-				}
-			]
 		}
 	]
 }
diff --git a/Modules/Ruleset.ProgramInfo/Public/Get-SystemApp.ps1 b/Modules/Ruleset.ProgramInfo/Public/Get-SystemApp.ps1
@@ -46,6 +46,8 @@ User name in form of:
 - user_name
 - SID-string
 
+If not specified gets store apps for all user accounts on the computer
+
 .PARAMETER Domain
 NETBIOS Computer name in form of "COMPUTERNAME"
 
@@ -102,7 +104,7 @@ function Get-SystemApp
 		[SupportsWildcards()]
 		[string] $Name = "*",
 
-		[Parameter(Mandatory = $true)]
+		[Parameter()]
 		[Alias("UserName")]
 		[string] $User,
 
@@ -146,7 +148,15 @@ function Get-SystemApp
 	# TODO: it is possible to add -User parameter, what's the purpose? see also StoreApps.ps1
 	if ($Domain -eq [System.Environment]::MachineName)
 	{
-		$Apps = Get-AppxPackage -Name $Name -User $User -PackageTypeFilter Main
+		if ([string]::IsNullOrEmpty($User))
+		{
+			$Apps = Get-AppxPackage -Name $Name -AllUsers -PackageTypeFilter Main
+		}
+		else
+		{
+			$Apps = Get-AppxPackage -Name $Name -User $User -PackageTypeFilter Main
+		}
+
 		$DomainPath = $env:SystemDrive
 	}
 	else
@@ -156,7 +166,14 @@ function Get-SystemApp
 			# HACK: This will fail in Windows PowerShell with "The system cannot find the file specified"
 			# ISSUE: https://github.com/MicrosoftDocs/windows-powershell-docs/issues/344
 			# See also: https://www.reddit.com/r/sysadmin/comments/lrm3nj/will_getappxpackage_allusers_work_in_remote
-			Get-AppxPackage -Name $using:Name -User $using:User -PackageTypeFilter Main
+			if ([string]::IsNullOrEmpty($using:User))
+			{
+				Get-AppxPackage -Name $using:Name -AllUsers -PackageTypeFilter Main
+			}
+			else
+			{
+				Get-AppxPackage -Name $using:Name -User $using:User -PackageTypeFilter Main
+			}
 		}
 
 		# HACK: Hardcoded, a new functioned needed to get remote shares
@@ -179,13 +196,16 @@ function Get-SystemApp
 	{
 		if ($App.SignatureKind -eq "System")
 		{
-			# NOTE: This path will be missing for default apps on Windows server
-			# It may also be missing in fresh installed OS before connecting to internet
-			$RemotePath = "$DomainPath\Users\$User\AppData\Local\Packages\$($App.PackageFamilyName)\AC"
-			Write-Debug -Message "[$($MyInvocation.InvocationName)] Processing app path '$RemotePath'"
+			if (![string]::IsNullOrEmpty($User))
+			{
+				# NOTE: This path will be missing for default apps on Windows server
+				# It may also be missing in fresh installed OS before connecting to internet
+				$RemotePath = "$DomainPath\Users\$User\AppData\Local\Packages\$($App.PackageFamilyName)\AC"
+				Write-Debug -Message "[$($MyInvocation.InvocationName)] Processing app path '$RemotePath'"
+			}
 
 			# TODO: See if "$_.Status" property can be used to determine if app is valid
-			if (Test-Path -PathType Container -Path $RemotePath)
+			if ([string]::IsNullOrEmpty($User) -or (Test-Path -PathType Container -Path $RemotePath))
 			{
 				# There is no Domain property, so add one, PSComputerName property is of no use here
 				Add-Member -MemberType NoteProperty -InputObject $App -Name Domain -Value $Domain -PassThru

diff --git a/Modules/Ruleset.ProgramInfo/Public/Get-UserApp.ps1 b/Modules/Ruleset.ProgramInfo/Public/Get-UserApp.ps1
@@ -46,6 +46,8 @@ User name in form of:
 - user_name
 - SID-string
 
+If not specified gets store apps for all user accounts on the computer
+
 .PARAMETER Domain
 NETBIOS Computer name in form of "COMPUTERNAME"
 
@@ -102,7 +104,7 @@ function Get-UserApp
 		[SupportsWildcards()]
 		[string] $Name = "*",
 
-		[Parameter(Mandatory = $true)]
+		[Parameter()]
 		[Alias("UserName")]
 		[string] $User,
 
@@ -155,7 +157,15 @@ function Get-UserApp
 		# Xap:
 		# Optional: Optional packages are dependent on another package that must be installed first.
 		# NOTE: There is supposed to be no Bundle package that is also not Main
-		$Apps = Get-AppxPackage -Name $Name -User $User -PackageTypeFilter Main
+		if ([string]::IsNullOrEmpty($User))
+		{
+			$Apps = Get-AppxPackage -Name $Name -AllUsers -PackageTypeFilter Main
+		}
+		else
+		{
+			$Apps = Get-AppxPackage -Name $Name -User $User -PackageTypeFilter Main
+		}
+
 		$DomainPath = $env:SystemDrive
 	}
 	else
@@ -164,7 +174,14 @@ function Get-UserApp
 			# HACK: This will fail in Windows PowerShell with "The system cannot find the file specified"
 			# ISSUE: https://github.com/MicrosoftDocs/windows-powershell-docs/issues/344
 			# See also: https://www.reddit.com/r/sysadmin/comments/lrm3nj/will_getappxpackage_allusers_work_in_remote/
-			Get-AppxPackage -Name $using:Name -User $using:User -PackageTypeFilter Main
+			if ([string]::IsNullOrEmpty($using:User))
+			{
+				Get-AppxPackage -Name $using:Name -AllUsers -PackageTypeFilter Main
+			}
+			else
+			{
+				Get-AppxPackage -Name $using:Name -User $using:User -PackageTypeFilter Main
+			}
 		}
 
 		# HACK: Hardcoded, a new function needed to get remote shares
@@ -214,13 +231,16 @@ function Get-UserApp
 				continue
 			}
 
-			# NOTE: This path will be missing for default apps on Windows server
-			# It may also be missing in fresh installed OS before connecting to internet
-			$RemotePath = "$DomainPath\Users\$User\AppData\Local\Packages\$($App.PackageFamilyName)\AC"
-			Write-Debug -Message "[$($MyInvocation.InvocationName)] Processing app path '$RemotePath'"
+			if (![string]::IsNullOrEmpty($User))
+			{
+				# NOTE: This path will be missing for default apps on Windows server
+				# It may also be missing in fresh installed OS before connecting to internet
+				$RemotePath = "$DomainPath\Users\$User\AppData\Local\Packages\$($App.PackageFamilyName)\AC"
+				Write-Debug -Message "[$($MyInvocation.InvocationName)] Processing app path '$RemotePath'"
+			}
 
 			# TODO: See if "$_.Status" property can be used to determine if app is valid
-			if (Test-Path -PathType Container -Path $RemotePath)
+			if ([string]::IsNullOrEmpty($User) -or (Test-Path -PathType Container -Path $RemotePath))
 			{
 				# There is no Domain property, so add one, PSComputerName property is of no use here
 				Add-Member -MemberType NoteProperty -InputObject $App -Name Domain -Value $Domain -PassThru

diff --git a/Modules/Ruleset.ProgramInfo/Public/Search-Installation.ps1 b/Modules/Ruleset.ProgramInfo/Public/Search-Installation.ps1
@@ -123,6 +123,7 @@ function Search-Installation
 		$PSDefaultParameterValues["Edit-Table:CimSession"] = $CimSession
 		$PSDefaultParameterValues["Update-Table:Session"] = $Session
 		$PSDefaultParameterValues["Update-Table:CimSession"] = $CimSession
+		$PSDefaultParameterValues["Get-UserApp:Session"] = $Session
 	}
 	else
 	{
@@ -134,12 +135,14 @@ function Search-Installation
 			$SessionParams.ComputerName = $Domain
 			$PSDefaultParameterValues["Edit-Table:Domain"] = $Domain
 			$PSDefaultParameterValues["Update-Table:Domain"] = $Domain
+			$PSDefaultParameterValues["Get-UserApp:Domain"] = $Domain
 
 			if ($Credential)
 			{
 				$SessionParams.Credential = $Credential
 				$PSDefaultParameterValues["Edit-Table:Credential"] = $Credential
 				$PSDefaultParameterValues["Update-Table:Credential"] = $Credential
+				$PSDefaultParameterValues["Get-UserApp:Credential"] = $Credential
 			}
 		}
 	}
@@ -279,23 +282,7 @@ function Search-Installation
 		}
 		"SysInternals"
 		{
-			if ($Domain -eq [System.Environment]::MachineName)
-			{
-				# TODO: Show warning instead of error when failed (ex. in non elevated run check is Admin)
-				# NOTE: There is supposed to be no Bundle package that is also not Main
-				# TODO: We have Get-UserApp but it doesn't have -AllUsers switch so this is duplicate code,
-				# either implement the switch or make a new function ex. Get-AllUsersApp
-				$SysinternalsSuite = Get-AppxPackage -Name "Microsoft.SysinternalsSuite" -AllUsers -PackageTypeFilter Main
-			}
-			else
-			{
-				$SysinternalsSuite = Invoke-Command @SessionParams -ScriptBlock {
-					# HACK: This will fail in Windows PowerShell with "The system cannot find the file specified"
-					# ISSUE: https://github.com/MicrosoftDocs/windows-powershell-docs/issues/344
-					# See also: https://www.reddit.com/r/sysadmin/comments/lrm3nj/will_getappxpackage_allusers_work_in_remote/
-					Get-AppxPackage -Name "Microsoft.SysinternalsSuite" -AllUsers -PackageTypeFilter Main
-				}
-			}
+			$SysinternalsSuite = Get-UserApp -Name "Microsoft.SysinternalsSuite"
 
 			if ($SysinternalsSuite)
 			{

diff --git a/Modules/Ruleset.ProgramInfo/Public/Test-VirusTotal.ps1 b/Modules/Ruleset.ProgramInfo/Public/Test-VirusTotal.ps1
@@ -51,6 +51,7 @@ Specify path to sigcheck executable program.
 Do not specify sigcheck file, only path to where sigcheck is located.
 By default working directory and PATH is searched for sigcheck64.exe.
 On 32 bit operating system sigcheck.exe is searched instead.
+If SysInternals suite was installed trough MS Store sigcheck is named sigcheck.exe ragless of OS bitness
 If location to sigcheck executable is not found then no VirusTotal scan and report is done.
 
 .PARAMETER SkipPositivies
@@ -205,7 +206,7 @@ function Test-VirusTotal
 					Set-Variable -Name SigcheckPath -Scope Global -Value "C:\tools"
 				}
 
-				# Check if sigcheck is in PATH
+				# Check if sigcheck is in PATH, this includes sigcheck installed by MS Store
 				Write-Debug -Message "[$InvocationName] Checking if sigcheck is in PATH"
 				$Command = Get-Command -Name $SigcheckExecutable -CommandType Application -ErrorAction Ignore |
 				Where-Object {
@@ -384,6 +385,7 @@ function Test-VirusTotal
 							$Publisher = $RawPublisher.Groups["publisher"]
 							$Description = $RawDescription.Groups["description"]
 
+							# HACK: Somewhere around here is errors with "You cannot call a method with null value expression"
 							if ($Detection.Success)
 							{
 								Write-Information -Tags $InvocationName -MessageData "INFO: VirusTotal report for '$Executable' is '$($Detection.Value)'"

diff --git a/Rules/IPv4/Outbound/Software/Microsoft/SysInternals.ps1 b/Rules/IPv4/Outbound/Software/Microsoft/SysInternals.ps1
@@ -123,10 +123,18 @@ $SysInternalsRoot = "%SystemDrive%\tools"
 # Test if installation exists on system
 if ((Confirm-Installation "SysInternals" ([ref] $SysInternalsRoot)) -or $ForceLoad)
 {
-	$Program = "$SysInternalsRoot\Autoruns64.exe"
+	# If installed manually instead trough MS store then add suffix is it's 64 bit OS
+	$AddSuffix = ($SysInternalsRoot -NotLike "*Microsoft.SysinternalsSuite*") -and [System.Environment]::Is64BitOperatingSystem
+
+	$Program = "$SysInternalsRoot\Autoruns.exe"
+	if ($AddSuffix)
+	{
+		$Program.Insert($Program.Length - 4, "64")
+	}
+
 	if ((Test-ExecutableFile $Program) -or $ForceLoad)
 	{
-		New-NetFirewallRule -DisplayName "Sysinternals Autoruns x64" `
+		New-NetFirewallRule -DisplayName "Sysinternals Autoruns" `
 			-Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
 			-Service Any -Program $Program -Group $Group `
 			-Enabled True -Action Allow -Direction $Direction -Protocol TCP `
@@ -139,10 +147,15 @@ if ((Confirm-Installation "SysInternals" ([ref] $SysInternalsRoot)) -or $ForceLo
 
 	# TODO: It also uses port 80 but not known for what, not setting here.
 	# Most likely to fetch symbols
-	$Program = "$SysInternalsRoot\procexp64.exe"
+	$Program = "$SysInternalsRoot\procexp.exe"
+	if ($AddSuffix)
+	{
+		$Program.Insert($Program.Length - 4, "64")
+	}
+
 	if ((Test-ExecutableFile $Program) -or $ForceLoad)
 	{
-		New-NetFirewallRule -DisplayName "Sysinternals ProcessExplorer x64" `
+		New-NetFirewallRule -DisplayName "Sysinternals Process Explorer" `
 			-Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
 			-Service Any -Program $Program -Group $Group `
 			-Enabled True -Action Allow -Direction $Direction -Protocol TCP `
@@ -153,10 +166,15 @@ if ((Confirm-Installation "SysInternals" ([ref] $SysInternalsRoot)) -or $ForceLo
 			-Description "Access to VirusTotal and symbol server" | Format-RuleOutput
 	}
 
-	$Program = "$SysInternalsRoot\Procmon64.exe"
+	$Program = "$SysInternalsRoot\Procmon.exe"
+	if ($AddSuffix)
+	{
+		$Program.Insert($Program.Length - 4, "64")
+	}
+
 	if ((Test-ExecutableFile $Program) -or $ForceLoad)
 	{
-		New-NetFirewallRule -DisplayName "Sysinternals ProcessMonitor x64" `
+		New-NetFirewallRule -DisplayName "Sysinternals Process Monitor" `
 			-Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
 			-Service Any -Program $Program -Group $Group `
 			-Enabled True -Action Allow -Direction $Direction -Protocol TCP `
@@ -167,10 +185,15 @@ if ((Confirm-Installation "SysInternals" ([ref] $SysInternalsRoot)) -or $ForceLo
 			-Description "Access to symbols server" | Format-RuleOutput
 	}
 
-	$Program = "$SysInternalsRoot\Tcpview64.exe"
+	$Program = "$SysInternalsRoot\Tcpview.exe"
+	if ($AddSuffix)
+	{
+		$Program.Insert($Program.Length - 4, "64")
+	}
+
 	if ((Test-ExecutableFile $Program) -or $ForceLoad)
 	{
-		New-NetFirewallRule -DisplayName "Sysinternals TcpView x64" `
+		New-NetFirewallRule -DisplayName "Sysinternals TCP View" `
 			-Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
 			-Service Any -Program $Program -Group $Group `
 			-Enabled True -Action Allow -Direction $Direction -Protocol TCP `
@@ -181,10 +204,15 @@ if ((Confirm-Installation "SysInternals" ([ref] $SysInternalsRoot)) -or $ForceLo
 			-Description "WhoIs access" | Format-RuleOutput
 	}
 
-	$Program = "$SysInternalsRoot\whois64.exe"
+	$Program = "$SysInternalsRoot\whois.exe"
+	if ($AddSuffix)
+	{
+		$Program.Insert($Program.Length - 4, "64")
+	}
+
 	if ((Test-ExecutableFile $Program) -or $ForceLoad)
 	{
-		New-NetFirewallRule -DisplayName "Sysinternals WhoIs x64" `
+		New-NetFirewallRule -DisplayName "Sysinternals WhoIs" `
 			-Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
 			-Service Any -Program $Program -Group $Group `
 			-Enabled True -Action Allow -Direction $Direction -Protocol TCP `
@@ -197,25 +225,14 @@ that you specify" | Format-RuleOutput
 	}
 
 	$Program = "$SysInternalsRoot\psping.exe"
-	if ((Test-ExecutableFile $Program) -or $ForceLoad)
+	if ($AddSuffix)
 	{
-		New-NetFirewallRule -DisplayName "Sysinternals PSPing client x86" `
-			-Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
-			-Service Any -Program $Program -Group $Group `
-			-Enabled False -Action Allow -Direction $Direction -Protocol Any `
-			-LocalAddress Any -RemoteAddress Any `
-			-LocalPort Any -RemotePort Any `
-			-LocalUser $SysInternalsUsers `
-			-InterfaceType $DefaultInterface `
-			-Description "PsPing implements Ping functionality, TCP ping, latency and bandwidth measurement.
-Due to wide range of address and port options these should be set to Any.
-This rule serves to allow PSPing.exe to act as a client." | Format-RuleOutput
+		$Program.Insert($Program.Length - 4, "64")
 	}
 
-	$Program = "$SysInternalsRoot\psping64.exe"
 	if ((Test-ExecutableFile $Program) -or $ForceLoad)
 	{
-		New-NetFirewallRule -DisplayName "Sysinternals PSPing client x64" `
+		New-NetFirewallRule -DisplayName "Sysinternals PSPing client" `
 			-Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
 			-Service Any -Program $Program -Group $Group `
 			-Enabled True -Action Allow -Direction $Direction -Protocol Any `
@@ -229,24 +246,14 @@ This rule serves to allow PSPing64.exe to act as a client." | Format-RuleOutput
 	}
 
 	$Program = "$SysInternalsRoot\sigcheck.exe"
-	if ((Test-ExecutableFile $Program) -or $ForceLoad)
+	if ($AddSuffix)
 	{
-		New-NetFirewallRule -DisplayName "Sysinternals sigcheck x86" `
-			-Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
-			-Service Any -Program $Program -Group $Group `
-			-Enabled False -Action Allow -Direction $Direction -Protocol TCP `
-			-LocalAddress Any -RemoteAddress Internet4 `
-			-LocalPort Any -RemotePort 443 `
-			-LocalUser $SysInternalsUsers `
-			-InterfaceType $DefaultInterface `
-			-Description "Connection to VirusTotal to upload file for scan" |
-		Format-RuleOutput
+		$Program.Insert($Program.Length - 4, "64")
 	}
 
-	$Program = "$SysInternalsRoot\sigcheck64.exe"
 	if ((Test-ExecutableFile $Program) -or $ForceLoad)
 	{
-		New-NetFirewallRule -DisplayName "Sysinternals sigcheck x64" `
+		New-NetFirewallRule -DisplayName "Sysinternals sigcheck" `
 			-Platform $Platform -PolicyStore $PolicyStore -Profile $DefaultProfile `
 			-Service Any -Program $Program -Group $Group `
 			-Enabled True -Action Allow -Direction $Direction -Protocol TCP `