编写了以下Powershell脚本来扫描和修复在引用路径中容易被利用的包含空格的未加引号的服务路径。该脚本,当运行"。\ Get-ServicePathVulnerabilities"对于任何允许的开关,永远不要执行$ Fix(-Fix)开关的if语句。请查看此源代码并帮助我确定问题,因为这是一个非常方便的脚本,可以在任何人的武器库中使用。
Function Get-ServicePathVulnerabilities {
[Cmdletbinding()]
Param (
[switch]$Fix
) # End Param
Begin {
$VulnerableServices=@()
if ($Fix){Write-Verbose "Scan Mode: Fix"} else {Write-Verbose "Scan Mode: Audit"}
} # End Begin
Process {
# Gather Services information from WMI
$Services = Get-WmiObject -Class win32_service -Property name,pathname
# Filter out services that have been enclosed with quotations
$UnquotedPath = $Services | Where-Object {$_.PathName -notmatch '"'} | Select Name,PathName
# Loop through services without quotations
foreach ($Path in $UnquotedPath) {
$Drive = $Path.PathName | Split-Path -Qualifier
$Executable = $Path.PathName | Split-Path -Leaf
# Conditional Logic to determine vulnerability
# Note: Some service paths may be unquoted and include spaces, but not vulnerable. They could just be a path to executable (no spaces) with a command line switch parameter that may contain a space.
# To avoid false positives, the logic below will exclude spaces used in any parameters
if( ($Path.PathName -match ' ') -and ($Executable -notmatch ' ') -and ($Path.PathName -notmatch './') ) {
# Vulnerability Found
Write-Warning ("Unquoted Service Path Discovered for " + $Path.Name + " PATH: " + $Path.PathName)
$VulnerableServices += New-Object PSObject -Property @{
ServiceName = $Path.Name
ServicePath = $Path.PathName
HostName = $env:COMPUTERNAME
} # End Object
} # End conditional operators
} # End Foreach Path in UnquotedPath
# Attempt to encapsulate path in quotes if specified
if ($Fix) {
$VulnerableServices | ForEach-Object {
Write-Verbose ("Attempting to fix " + $_.Servicename)
$OriginalPath = $_.ServicePath
$QuotedServicePath = ('"' + $_.ServicePath + '"')
$RegistryLocation = ('HKLM:\SYSTEM\CurrentControlSet\Services\' + $_.ServiceName)
Try {
Set-ItemProperty -Path $RegistryLocation -Name ImagePath -Value $QuotedServicePath -Verbose
$_.ServicePath = $QuotedServicePath
} Catch {
Write-Error ("Unable to fix " + $_.Servicename)
} # End Try/Catch
} # End Foreach object in VulnerableServices
} # End if Fix was Specified
} # End Process
End {
if ($VulnerableServices) {Return $VulnerableServices} else {Write-Verbose "No Unquoted Service path Vulnerabilites have been found"}
} # End End
} # Get-ServicePathVulnerabilites