Tags: windows, batch-file, wmic, sysinternals

How to batch or CLI automate sigcheck.exe on running processes?


I'm trying to generate a list of running processes (full executable path), and then loop through that listing and perform a Sysinternals "sigcheck.exe" against each of the files.

For some reason this isn't performing as expected and I'm unsure if it's due to my processing of the input file, or the format of output that wmic creates. Ideally, I'd like to get this working as a batch script first and then attempt to convert it to a CLI one-liner.

Below is the code I'm currently trying:

    setlocal enabledelayedexpansion
    @echo off
    wmic process get executablepath /format:csv | more > c:\windows\temp\pslist.txt
    for /f "skip=5 tokens=1,2 delims=," %%a in (c:\windows\temp\pslist.txt) do (
     echo %%b
     sigcheck.exe -accepteula -r -e "%%b"
    )
    ENDLOCAL

Solution

    This uses "wmic.exe process" to build a list and passes just the "executablepath" to "sigcheck.exe". The "threadcount" is there as a trick: since WMIC has its infamous extra CR, asking for one extra and unneeded attribute creates markers in the output, namely the commas. The "for" command chops the WMIC output at the commas, which is how just the "executablepath" can be pulled out without any extra CRs.

    CMD:

    for /f "tokens=2 delims=," %A in ('wmic process where "not executablepath=null" get executablepath^,threadcount /format:csv') do @sigcheck.exe -accepteula -r -e "%A"
    

    OUTPUT (partial for brevity's sake):

    Sigcheck v2.72 - File version and signature viewer
    Copyright (C) 2004-2019 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    c:\program files (x86)\google\chrome\application\chrome.exe:
            Verified:       Signed
            Signing date:   7:47 PM 2/28/2019
            Publisher:      Google LLC
            Company:        Google Inc.
            Description:    Google Chrome
            Product:        Google Chrome
            Prod version:   72.0.3626.121
            File version:   72.0.3626.121
            MachineType:    64-bit
    
    Sigcheck v2.72 - File version and signature viewer
    Copyright (C) 2004-2019 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    c:\windows\system32\windowspowershell\v1.0\powershell.exe:
            Verified:       Signed
            Signing date:   5:26 PM 4/11/2018
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Windows PowerShell
            Product:        Microsoft® Windows® Operating System
            Prod version:   10.0.17134.1
            File version:   10.0.17134.1 (WinBuild.160101.0800)
            MachineType:    64-bit
    
    Sigcheck v2.72 - File version and signature viewer
    Copyright (C) 2004-2019 Mark Russinovich
    Sysinternals - www.sysinternals.com
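Building on the answer's one-liner, the following batch script (an added example, not code from the question or the answer) applies the same wmic "extra column" trick in script form, skips wmic's header row, collects every result into one CSV with file hashes, and then lists the images whose signature did not verify. It assumes sigcheck.exe is on PATH and that the output file location is an arbitrary choice; note that wmic.exe is deprecated on current Windows releases, so the listing step may need replacing there.

```batch
@echo off
setlocal
:: Added example, not the question's or answer's code: run sigcheck once per running
:: process image and collect the results into a single CSV. The unneeded "threadcount"
:: column puts a comma after the path, so the stray trailing CR never reaches sigcheck.
:: Assumes sigcheck.exe is on PATH; the output path is an arbitrary choice.
set "OUT=%TEMP%\proc-sigcheck.csv"
if exist "%OUT%" del "%OUT%"

for /f "tokens=2 delims=," %%A in ('wmic process where "not executablepath=null" get executablepath^,threadcount /format:csv') do (
  rem The first CSV line is wmic's column header; skip it instead of feeding it to sigcheck
  if /i not "%%A"=="ExecutablePath" call :scan "%%A"
)

echo.
echo Images whose Authenticode signature did not verify (Verified column = Unsigned):
findstr /i /c:",Unsigned," "%OUT%"
endlocal
goto :eof

:scan
rem -nobanner suppresses the repeated copyright header, -c emits CSV, -h adds file hashes,
rem -r checks certificate revocation. sigcheck prints its CSV header on every run, so keep
rem it only for the first image written and drop it (skip=1) afterwards.
set "SKIP="
if exist "%OUT%" set "SKIP=skip=1"
for /f "%SKIP% delims=" %%L in ('sigcheck.exe -accepteula -nobanner -c -h -r -e "%~1"') do >>"%OUT%" echo %%L
goto :eof
```

Several processes usually share one image (for example many chrome.exe instances), so the CSV will contain repeated rows for the same path; open it in a spreadsheet or sort it if you want one row per file.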