As long as we are piling on late responses, here is the script one of our talented SCCM engineers wrote to fix affected systems. The first code snippet is used in SCCM 2007 to fix clients. Further down are the detection and remediation scripts
used in SCCM 2012 as part of Desired Configuration Management (DCM).
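' SCCM 2007 client fix: wraps the executable portion of unquoted service
' ImagePath values in double quotes. An unquoted path that contains spaces is
' ambiguous to Windows when it starts the service, so the text up to and
' including the first ".exe" is quoted and any trailing arguments are kept.
Const HKEY_LOCAL_MACHINE = &H80000002
Const REGKEYPATH = "System\CurrentControlSet\Services\"
Dim Results, strFixed

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Candidate services: PathName has a space somewhere before ".exe" and does not
' already begin with a double quote.
Set objListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name IS NOT NULL and PathName LIKE '% %.exe%' and NOT PathName Like '""%'")

For Each objService In objListOfServices
    ' ReadRegExpandStr echoes the value it reads; that echo is the only record
    ' of the original ImagePath, so capture the script output before running at scale.
    Results = ReadRegExpandStr(HKEY_LOCAL_MACHINE, REGKEYPATH & objService.Name, "ImagePath", 32)
    ' Results = ReadRegStr(HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",32)

    ' Never write back a value that was not read successfully. The read helper
    ' returns the sentinel "Unknown" on a null value; without this guard the
    ' service's ImagePath would be overwritten with a quoted sentinel and the
    ' service would no longer start. The ".exe" test covers the sentinel too.
    If InStr(1, Results, ".exe", vbTextCompare) = 0 Or Left(Results, 1) = Chr(34) Then
        Wscript.Echo objService.Name & " ; skipped (ImagePath unreadable, already quoted, or has no .exe)"
    Else
        ' Quote from the start of the string through the FIRST ".exe" (case-insensitive).
        ' NOTE(review): a directory name containing ".exe" would be quoted at the wrong
        ' position; review the echoed result for such paths.
        strFixed = Chr(34) & Replace(Results, ".exe", ".exe" & Chr(34), 1, 1, vbTextCompare)
        Wscript.Echo objService.Name & " ; " & strFixed

        ' NOTE(review): the value was read with GetExpandedStringValue, so environment
        ' variable references appear to be written back as literal paths, and the value
        ' is stored as REG_EXPAND_SZ regardless of its original type - confirm this is acceptable.
        SetRegExpandStr HKEY_LOCAL_MACHINE, REGKEYPATH & objService.Name, "ImagePath", strFixed, 32
    End If
Next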
'
'Reads a REG_EXPAND_SZ value from the local computer's registry using WMI
'
Function ReadRegExpandStr (RootKey, Key, ValueName, RegType)
    ' Reads a string value through StdRegProv.GetExpandedStringValue on the local machine.
    '   RootKey   - registry hive constant (e.g. HKEY_LOCAL_MACHINE)
    '   Key       - subkey path under the hive
    '   ValueName - name of the value to read
    '   RegType   - passed as __ProviderArchitecture (32 or 64) to select the provider view
    ' Returns the value as a string, or the sentinel "Unknown" when the provider
    ' returns a null value. Callers must check for the sentinel before writing
    ' the result back to the registry.
    Dim ctx, locator, regProv, inArgs, outArgs

    Set ctx = CreateObject("WbemScripting.SWbemNamedValueSet")
    ctx.Add "__ProviderArchitecture", RegType
    Set locator = CreateObject("Wbemscripting.SWbemLocator")
    Set regProv = locator.ConnectServer(".", "root\default", "", "", , , , ctx).Get("StdRegProv")

    Set inArgs = regProv.Methods_("GetExpandedStringValue").InParameters.SpawnInstance_()
    inArgs.hDefKey = RootKey
    inArgs.sSubKeyName = Key
    inArgs.sValueName = ValueName
    Set outArgs = regProv.ExecMethod_("GetExpandedStringValue", inArgs, , ctx)

    ' Default to the sentinel; replace it only when a value came back.
    ReadRegExpandStr = "Unknown"
    If Not IsNull(outArgs.sValue) Then
        ' The value is echoed as a side effect of every successful read.
        Wscript.Echo Cstr(outArgs.sValue)
        ReadRegExpandStr = Cstr(outArgs.sValue)
    End If
End Function
'
'Creates a REG_EXPAND_SZ value in the local computer's registry using WMI
'
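Function SetRegExpandStr (RootKey, Key, ValueName, Value, RegType)
    ' Writes a REG_EXPAND_SZ value through StdRegProv.SetExpandedStringValue on the local machine.
    '   RootKey   - registry hive constant (e.g. HKEY_LOCAL_MACHINE)
    '   Key       - subkey path under the hive
    '   ValueName - name of the value to write
    '   Value     - string data to store
    '   RegType   - passed as __ProviderArchitecture (32 or 64) to select the provider view
    ' Returns the provider's ReturnValue (0 on success) so callers can detect a
    ' failed write; the original discarded it, so a denied or failed write was silent.
    ' Existing callers that invoke this as a statement are unaffected.
    Dim oCtx, oLocator, oReg, oInParams, oOutParams, strComputer

    Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
    oCtx.Add "__ProviderArchitecture", RegType
    Set oLocator = CreateObject("Wbemscripting.SWbemLocator")
    strComputer = "."
    Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")

    Set oInParams = oReg.Methods_("SetExpandedStringValue").InParameters.SpawnInstance_()
    oInParams.hDefKey = RootKey
    oInParams.sSubKeyName = Key
    oInParams.sValueName = ValueName
    oInParams.sValue = Value
    Set oOutParams = oReg.ExecMethod_("SetExpandedStringValue", oInParams, , oCtx)

    SetRegExpandStr = oOutParams.ReturnValue
End Function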
'
'Reads a REG_SZ value from the local computer's registry using WMI
'
Function ReadRegStr (RootKey, Key, Value, RegType)
    ' Reads a string value through StdRegProv.GetStringValue on the local machine.
    '   RootKey - registry hive constant (e.g. HKEY_LOCAL_MACHINE)
    '   Key     - subkey path under the hive
    '   Value   - NAME of the value to read (not its data)
    '   RegType - passed as __ProviderArchitecture (32 or 64) to select the provider view
    ' Returns the value as a string, or the sentinel "Unknown" when the provider
    ' returns a null value.
    Dim ctx, locator, regProv, inArgs, outArgs

    Set ctx = CreateObject("WbemScripting.SWbemNamedValueSet")
    ctx.Add "__ProviderArchitecture", RegType
    Set locator = CreateObject("Wbemscripting.SWbemLocator")
    Set regProv = locator.ConnectServer(".", "root\default", "", "", , , , ctx).Get("StdRegProv")

    Set inArgs = regProv.Methods_("GetStringValue").InParameters
    inArgs.hDefKey = RootKey
    inArgs.sSubKeyName = Key
    inArgs.sValueName = Value
    Set outArgs = regProv.ExecMethod_("GetStringValue", inArgs, , ctx)

    ' Default to the sentinel; replace it only when a value came back.
    ReadRegStr = "Unknown"
    If Not IsNull(outArgs.sValue) Then
        ' The value is echoed as a side effect of every successful read.
        Wscript.Echo Cstr(outArgs.sValue)
        ReadRegStr = Cstr(outArgs.sValue)
    End If
End Function
SCCM 2012 DCM - Detection of unquoted services
' DCM detection: reports whether any service has an unquoted executable path.
' The query matches services whose PathName has a space somewhere before ".exe"
' and does not begin with a double quote. Service paths without ".exe" are not
' matched by this filter.
' NOTE(review): the compliance rule presumably compares against the echoed text,
' so the two output strings must stay exactly as written - confirm against the CI rule.
Dim strComputer, objWMIService, objListOfServices

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name IS NOT NULL and PathName LIKE '% %.exe%' and NOT PathName Like '""%'")

If objListOfServices.Count > 0 Then
    Wscript.Echo "Found an unquoted Service Path"
Else
    WScript.Echo "No unquoted service path was found"
End If
SCCM 2012 DCM remediation script
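' DCM remediation: computes the quoted ImagePath for every service with an
' unquoted executable path. Runs only when the first argument is "failed".
' NOTE(review): as posted, the SetRegExpandStr call below is commented out, so
' this script only reports the corrected values and changes nothing. Uncomment
' that line to make the remediation take effect.
Const HKEY_LOCAL_MACHINE = &H80000002
Const REGKEYPATH = "System\CurrentControlSet\Services\"
Dim Results, sArgString, strFixed

Set objArgs = WScript.Arguments
If objArgs.Count > 0 Then
    sArgString = WScript.Arguments(0)
    If sArgString = "failed" Then
        strComputer = "."
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

        ' Pick the registry provider architecture from the reported system type;
        ' anything other than "X86-based PC" is treated as 64-bit.
        Set objSystemItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
        For Each objItem In objSystemItems
            strSystemType = objItem.SystemType
        Next
        If strSystemType = "X86-based PC" Then
            i = 32
        Else
            i = 64
        End If

        ' Candidate services: PathName has a space somewhere before ".exe" and
        ' does not already begin with a double quote.
        Set objListOfServices = objWMIService.ExecQuery("Select * from Win32_Service Where Name IS NOT NULL and PathName LIKE '% %.exe%' and NOT PathName Like '""%'")
        For Each objService In objListOfServices
            Results = ReadRegExpandStr(HKEY_LOCAL_MACHINE, REGKEYPATH & objService.Name, "ImagePath", i)
            ' Results = ReadRegStr(HKEY_LOCAL_MACHINE,REGKEYPATH & objService.name,"ImagePath",i)

            ' Skip values that were not read successfully (the read helper returns
            ' the sentinel "Unknown"), that contain no ".exe", or that are already
            ' quoted. Without this guard, enabling the write below would overwrite
            ' ImagePath with a quoted sentinel and break the service.
            If InStr(1, Results, ".exe", vbTextCompare) = 0 Or Left(Results, 1) = Chr(34) Then
                Wscript.Echo objService.Name & " ; skipped (ImagePath unreadable, already quoted, or has no .exe)" & vbCrLf
            Else
                ' Quote from the start of the string through the FIRST ".exe" (case-insensitive).
                ' NOTE(review): a directory name containing ".exe" would be quoted at the
                ' wrong position; review the echoed result for such paths.
                strFixed = Chr(34) & Replace(Results, ".exe", ".exe" & Chr(34), 1, 1, vbTextCompare)
                Wscript.Echo objService.Name & " ; " & strFixed & vbCrLf

                ' Write disabled in the posted script (dry run). The value was read with
                ' GetExpandedStringValue, so environment variable references appear to be
                ' written back as literal paths once this is enabled - confirm before use.
                ' SetRegExpandStr HKEY_LOCAL_MACHINE, REGKEYPATH & objService.Name, "ImagePath", strFixed, i
            End If
        Next
    End If
End If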
'
'Reads a REG_EXPAND_SZ value from the local computer's registry using WMI
'
Function ReadRegExpandStr (RootKey, Key, ValueName, RegType)
    ' Reads a string value through StdRegProv.GetExpandedStringValue on the local machine.
    '   RootKey   - registry hive constant (e.g. HKEY_LOCAL_MACHINE)
    '   Key       - subkey path under the hive
    '   ValueName - name of the value to read
    '   RegType   - passed as __ProviderArchitecture (32 or 64) to select the provider view
    ' Returns the value as a string, or the sentinel "Unknown" when the provider
    ' returns a null value. Callers must check for the sentinel before writing
    ' the result back to the registry.
    Dim wmiContext, wmiLocator, registry, request, response

    Set wmiContext = CreateObject("WbemScripting.SWbemNamedValueSet")
    wmiContext.Add "__ProviderArchitecture", RegType
    Set wmiLocator = CreateObject("Wbemscripting.SWbemLocator")
    Set registry = wmiLocator.ConnectServer(".", "root\default", "", "", , , , wmiContext).Get("StdRegProv")

    Set request = registry.Methods_("GetExpandedStringValue").InParameters.SpawnInstance_()
    request.hDefKey = RootKey
    request.sSubKeyName = Key
    request.sValueName = ValueName
    Set response = registry.ExecMethod_("GetExpandedStringValue", request, , wmiContext)

    ' Default to the sentinel; replace it only when a value came back.
    ReadRegExpandStr = "Unknown"
    If Not IsNull(response.sValue) Then
        ' The value is echoed as a side effect of every successful read.
        Wscript.Echo Cstr(response.sValue)
        ReadRegExpandStr = Cstr(response.sValue)
    End If
End Function
'
'Creates a REG_EXPAND_SZ value in the local computer's registry using WMI
'
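Function SetRegExpandStr (RootKey, Key, ValueName, Value, RegType)
    ' Writes a REG_EXPAND_SZ value through StdRegProv.SetExpandedStringValue on the local machine.
    '   RootKey   - registry hive constant (e.g. HKEY_LOCAL_MACHINE)
    '   Key       - subkey path under the hive
    '   ValueName - name of the value to write
    '   Value     - string data to store
    '   RegType   - passed as __ProviderArchitecture (32 or 64) to select the provider view
    ' Returns the provider's ReturnValue (0 on success) so callers can detect a
    ' failed write; the original discarded it, so a denied or failed write was silent.
    ' Callers that invoke this as a statement are unaffected.
    Dim oCtx, oLocator, oReg, oInParams, oOutParams, strComputer

    Set oCtx = CreateObject("WbemScripting.SWbemNamedValueSet")
    oCtx.Add "__ProviderArchitecture", RegType
    Set oLocator = CreateObject("Wbemscripting.SWbemLocator")
    strComputer = "."
    Set oReg = oLocator.ConnectServer(strComputer, "root\default", "", "", , , , oCtx).Get("StdRegProv")

    Set oInParams = oReg.Methods_("SetExpandedStringValue").InParameters.SpawnInstance_()
    oInParams.hDefKey = RootKey
    oInParams.sSubKeyName = Key
    oInParams.sValueName = ValueName
    oInParams.sValue = Value
    Set oOutParams = oReg.ExecMethod_("SetExpandedStringValue", oInParams, , oCtx)

    SetRegExpandStr = oOutParams.ReturnValue
End Function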
'
'Reads a REG_SZ value from the local computer's registry using WMI
'
Function ReadRegStr (RootKey, Key, Value, RegType)
    ' Reads a string value through StdRegProv.GetStringValue on the local machine.
    '   RootKey - registry hive constant (e.g. HKEY_LOCAL_MACHINE)
    '   Key     - subkey path under the hive
    '   Value   - NAME of the value to read (not its data)
    '   RegType - passed as __ProviderArchitecture (32 or 64) to select the provider view
    ' Returns the value as a string, or the sentinel "Unknown" when the provider
    ' returns a null value.
    Dim wmiContext, wmiLocator, registry, request, response

    Set wmiContext = CreateObject("WbemScripting.SWbemNamedValueSet")
    wmiContext.Add "__ProviderArchitecture", RegType
    Set wmiLocator = CreateObject("Wbemscripting.SWbemLocator")
    Set registry = wmiLocator.ConnectServer(".", "root\default", "", "", , , , wmiContext).Get("StdRegProv")

    Set request = registry.Methods_("GetStringValue").InParameters
    request.hDefKey = RootKey
    request.sSubKeyName = Key
    request.sValueName = Value
    Set response = registry.ExecMethod_("GetStringValue", request, , wmiContext)

    ' Default to the sentinel; replace it only when a value came back.
    ReadRegStr = "Unknown"
    If Not IsNull(response.sValue) Then
        ' The value is echoed as a side effect of every successful read.
        Wscript.Echo Cstr(response.sValue)
        ReadRegStr = Cstr(response.sValue)
    End If
End Function
-
Edited by
makinbank
Friday, December 19, 2014 11:03 PM
Added SCCM 2012 DCM code