{"id":353612,"date":"2024-09-24T13:51:53","date_gmt":"2024-09-24T13:51:53","guid":{"rendered":"https:\/\/www.ninjaone.com\/script-hub\/ueberpruefung-laufender-prozesse-in-windows\/"},"modified":"2024-10-13T19:03:32","modified_gmt":"2024-10-13T19:03:32","slug":"ueberpruefung-laufender-prozesse-in-windows","status":"publish","type":"script_hub","link":"https:\/\/www.ninjaone.com\/de\/script-hub\/ueberpruefung-laufender-prozesse-in-windows\/","title":{"rendered":"Wie man laufende Prozesse in Windows mit PowerShell \u00fcberpr\u00fcft und sichert"},"content":{"rendered":"

In der heutigen IT-Welt ist die Gew\u00e4hrleistung der Sicherheit und Integrit\u00e4t eines Netzwerks von gr\u00f6\u00dfter Bedeutung. Eine der wichtigsten Aufgaben von IT-Experten und Managed Service Providern (MSPs)<\/a> ist es, sicherzustellen, dass nur vertrauensw\u00fcrdige und \u00fcberpr\u00fcfte Prozesse auf ihren Systemen laufen.<\/p>\n

Nicht \u00fcberpr\u00fcfte oder nicht signierte Prozesse k\u00f6nnen potenzielle Einstiegspunkte f\u00fcr b\u00f6sartige Software sein, was zu Sicherheitsverletzungen und Systeminstabilit\u00e4t f\u00fchren kann. An dieser Stelle kommen PowerShell-Skripte<\/a>\u00a0ins Spiel. Sie bieten eine zuverl\u00e4ssige Methode zur \u00dcberpr\u00fcfung laufender Prozesse und zur Identifizierung nicht signierter ausf\u00fchrbarer Dateien.<\/p>\n

Die Wichtigkeit der Prozessverifizierung<\/h2>\n

IT-Experten m\u00fcssen h\u00e4ufig \u00fcberpr\u00fcfen, ob alle laufenden Prozesse auf einem System signiert und vertrauensw\u00fcrdig sind. Diese \u00dcberpr\u00fcfung stellt sicher, dass die Prozesse aus legitimen Quellen stammen und nicht manipuliert wurden.<\/p>\n

In Umgebungen, in denen Sicherheit oberste Priorit\u00e4t hat, wie z. B. in Finanzinstituten, im Gesundheitswesen oder in Unternehmen , die mit sensiblen Daten umgehen<\/a>, ist die Gew\u00e4hrleistung der Legitimit\u00e4t laufender Prozesse von entscheidender Bedeutung. Dieses Skript bietet eine optimierte M\u00f6glichkeit, den \u00dcberpr\u00fcfungsprozess zu automatisieren, was es zu einem unsch\u00e4tzbaren Tool f\u00fcr IT-Administratoren und MSPs macht.<\/p>\n

Das Skript:<\/h2>\n
#Requires -Version 5.1\r\n\r\n<#\r\n.SYNOPSIS\r\n    Verify that running processes are signed and output unsigned.\r\n.DESCRIPTION\r\n    Verify that running processes are signed and output unsigned.\r\n    It will exclude processes based on the process name, path, or product name.\r\n    The script will output the unsigned processes to the console and save the results to a Multi-Line custom field and a WYSIWYG custom field if specified.\r\n\r\n.EXAMPLE\r\n    (No Parameters)\r\n    ## EXAMPLE OUTPUT WITHOUT PARAMS ##\r\n    Unsigned Processes Found: 2\r\n\r\n    Name        : explorer\r\n    Description : Windows Explorer\r\n    Path        : C:\\Windows\\explorer.exe\r\n    Id          : 1234\r\n    Signed      : NotSigned\r\n\r\n    Name        : notepad\r\n    Description : Notepad\r\n    Path        : C:\\Windows\\notepad.exe\r\n    Id          : 5678\r\n    Signed      : NotSigned\r\n\r\nPARAMETER: -ExcludeProcess \"explorer.exe\"\r\n    Exclude the process explorer.exe from the results.\r\n.EXAMPLE\r\n    -ExcludeProcess \"notepad\"\r\n    ## EXAMPLE OUTPUT WITH ExcludeProcess ##\r\n    Unsigned Processes Found: 1\r\n\r\n    Name        : explorer\r\n    Description : Windows Explorer\r\n    Path        : C:\\Windows\\explorer.exe\r\n    Id          : 1234\r\n    Signed      : NotSigned\r\n\r\nPARAMETER: -ExcludeProcessFromCustomField \"ReplaceMeWithAnyTextCustomField\"\r\n    Exclude the processes from the custom field specified.\r\n.EXAMPLE\r\n    -ExcludeProcessFromCustomField \"ReplaceMeWithAnyTextCustomField\"\r\n    ## EXAMPLE OUTPUT WITH ExcludeProcessFromCustomField ##\r\n    Unsigned Processes Found: 2\r\n\r\n    Name        : explorer\r\n    Description : Windows Explorer\r\n    Path        : C:\\Windows\\explorer.exe\r\n    Id          : 1234\r\n    Signed      : NotSigned\r\n\r\n    Name        : notepad\r\n    Description : Notepad\r\n    Path        : C:\\Windows\\notepad.exe\r\n    Id          : 5678\r\n    Signed      : NotSigned\r\n\r\nPARAMETER: -SaveResultsToMultilineCustomField \"ReplaceMeWithAnyMultilineCustomField\"\r\n    Save the results to a Multi-Line custom field specified.\r\n.EXAMPLE\r\n    -SaveResultsToMultilineCustomField \"ReplaceMeWithAnyMultilineCustomField\"\r\n    ## EXAMPLE OUTPUT WITH ExcludeProcessFromCustomField ##\r\n    Unsigned Processes Found: 2\r\n\r\n    Name        : explorer\r\n    Description : Windows Explorer\r\n    Path        : C:\\Windows\\explorer.exe\r\n    Id          : 1234\r\n    Signed      : NotSigned\r\n\r\n    Name        : notepad\r\n    Description : Notepad\r\n    Path        : C:\\Windows\\notepad.exe\r\n    Id          : 5678\r\n    Signed      : NotSigned\r\n\r\n    [Info] Attempting to update Multiline Custom Field(ReplaceMeWithAnyMultilineCustomField)\r\n    [Info] Updated Multiline Custom Field(ReplaceMeWithAnyMultilineCustomField)\r\n\r\n\r\nPARAMETER: -SaveResultsToWysiwygCustomField \"ReplaceMeWithAnyMultilineCustomField\"\r\n    Save the results to a WYSIWYG custom field specified.\r\n.EXAMPLE\r\n    -SaveResultsToWysiwygCustomField \"ReplaceMeWithAnyWysiwygCustomField\"\r\n    ## EXAMPLE OUTPUT WITH ExcludeProcessFromCustomField ##\r\n    Unsigned Processes Found: 2\r\n\r\n    Name        : explorer\r\n    Description : Windows Explorer\r\n    Path        : C:\\Windows\\explorer.exe\r\n    Id          : 1234\r\n    Signed      : NotSigned\r\n\r\n    Name        : notepad\r\n    Description : Notepad\r\n    Path        : C:\\Windows\\notepad.exe\r\n    Id          : 5678\r\n    Signed      : NotSigned\r\n\r\n    [Info] Attempting to update Wysiwyg Custom Field(ReplaceMeWithAnyWysiwygCustomField)\r\n    [Info] Updated Wysiwyg Custom Field(ReplaceMeWithAnyWysiwygCustomField)\r\n\r\n.OUTPUTS\r\n    None\r\n.NOTES\r\n    Minimum OS Architecture Supported: Windows 10, Windows Server 2012\r\n    Release Notes: Initial Release\r\nBy using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https:\/\/www.ninjaone.com\/terms-of-use.\r\n    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. \r\n    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. \r\n    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. \r\n    Warranty Disclaimer: The script is provided \u201cas is\u201d and \u201cas available\u201d, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. \r\n    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. \r\n    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. \r\n    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).\r\n#>\r\n\r\n[CmdletBinding()]\r\nparam (\r\n    [String[]]$ExcludeProcess,\r\n    [String]$ExcludeProcessFromCustomField,\r\n    [String]$SaveResultsToMultilineCustomField,\r\n    [String]$SaveResultsToWysiwygCustomField\r\n)\r\n\r\nbegin {\r\n    function Test-IsElevated {\r\n        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()\r\n        $p = New-Object System.Security.Principal.WindowsPrincipal($id)\r\n        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)\r\n    }\r\n    function Get-NinjaProperty {\r\n        [CmdletBinding()]\r\n        Param(\r\n            [Parameter(Mandatory = $True, ValueFromPipeline = $True)]\r\n            [String]$Name,\r\n            [Parameter()]\r\n            [String]$Type,\r\n            [Parameter()]\r\n            [String]$DocumentName\r\n        )\r\n    \r\n        if ($PSVersionTable.PSVersion.Major -lt 3) {\r\n            throw \"PowerShell 3.0 or higher is required to retrieve data from custom fields. https:\/\/ninjarmm.zendesk.com\/hc\/en-us\/articles\/4405408656013\"\r\n        }\r\n    \r\n        # If we're requested to get the field value from a Ninja document we'll specify it here.\r\n        $DocumentationParams = @{}\r\n        if ($DocumentName) { $DocumentationParams[\"DocumentName\"] = $DocumentName }\r\n    \r\n        # These two types require more information to parse.\r\n        $NeedsOptions = \"DropDown\", \"MultiSelect\"\r\n    \r\n        # Grabbing document values requires a slightly different command.\r\n        if ($DocumentName) {\r\n            # Secure fields are only readable when they're a device custom field\r\n            if ($Type -Like \"Secure\") { throw \"$Type is an invalid type! Please check here for valid types. https:\/\/ninjarmm.zendesk.com\/hc\/en-us\/articles\/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality\" }\r\n    \r\n            # We'll redirect the error output to the success stream to make it easier to error out if nothing was found or something else went wrong.\r\n            Write-Host \"Retrieving value from Ninja Document...\"\r\n            $NinjaPropertyValue = Ninja-Property-Docs-Get -AttributeName $Name @DocumentationParams 2>&1\r\n    \r\n            # Certain fields require more information to parse.\r\n            if ($NeedsOptions -contains $Type) {\r\n                $NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2>&1\r\n            }\r\n        }\r\n        else {\r\n            # We'll redirect error output to the success stream to make it easier to error out if nothing was found or something else went wrong.\r\n            $NinjaPropertyValue = Ninja-Property-Get -Name $Name 2>&1\r\n    \r\n            # Certain fields require more information to parse.\r\n            if ($NeedsOptions -contains $Type) {\r\n                $NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2>&1\r\n            }\r\n        }\r\n    \r\n        # If we received some sort of error it should have an exception property and we'll exit the function with that error information.\r\n        if ($NinjaPropertyValue.Exception) { throw $NinjaPropertyValue }\r\n        if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }\r\n    \r\n        # This switch will compare the type given with the quoted string. If it matches, it'll parse it further; otherwise, the default option will be selected.\r\n        switch ($Type) {\r\n            \"Attachment\" {\r\n                # Attachments come in a JSON format this will convert it into a PowerShell Object.\r\n                $NinjaPropertyValue | ConvertFrom-Json\r\n            }\r\n            \"Checkbox\" {\r\n                # Checkbox's come in as a string representing an integer. We'll need to cast that string into an integer and then convert it to a more traditional boolean.\r\n                [System.Convert]::ToBoolean([int]$NinjaPropertyValue)\r\n            }\r\n            \"Date or Date Time\" {\r\n                # In Ninja Date and Date\/Time fields are in Unix Epoch time in the UTC timezone the below should convert it into local time as a date time object.\r\n                $UnixTimeStamp = $NinjaPropertyValue\r\n                $UTC = (Get-Date \"1970-01-01 00:00:00\").AddSeconds($UnixTimeStamp)\r\n                $TimeZone = [TimeZoneInfo]::Local\r\n                [TimeZoneInfo]::ConvertTimeFromUtc($UTC, $TimeZone)\r\n            }\r\n            \"Decimal\" {\r\n                # In ninja decimals are strings that represent a decimal this will cast it into a double data type.\r\n                [double]$NinjaPropertyValue\r\n            }\r\n            \"Device Dropdown\" {\r\n                # Device Drop-Downs Fields come in a JSON format this will convert it into a PowerShell Object.\r\n                $NinjaPropertyValue | ConvertFrom-Json\r\n            }\r\n            \"Device MultiSelect\" {\r\n                # Device Multi-Select Fields come in a JSON format this will convert it into a PowerShell Object.\r\n                $NinjaPropertyValue | ConvertFrom-Json\r\n            }\r\n            \"Dropdown\" {\r\n                # Drop-Down custom fields come in as a comma-separated list of GUIDs; we'll compare these with all the options and return just the option values selected instead of a GUID.\r\n                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header \"GUID\", \"Name\"\r\n                $Options | Where-Object { $_.GUID -eq $NinjaPropertyValue } | Select-Object -ExpandProperty Name\r\n            }\r\n            \"Integer\" {\r\n                # Cast's the Ninja provided string into an integer.\r\n                [int]$NinjaPropertyValue\r\n            }\r\n            \"MultiSelect\" {\r\n                # Multi-Select custom fields come in as a comma-separated list of GUID's we'll compare these with all the options and return just the option values selected instead of a guid.\r\n                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header \"GUID\", \"Name\"\r\n                $Selection = ($NinjaPropertyValue -split ',').trim()\r\n    \r\n                foreach ($Item in $Selection) {\r\n                    $Options | Where-Object { $_.GUID -eq $Item } | Select-Object -ExpandProperty Name\r\n                }\r\n            }\r\n            \"Organization Dropdown\" {\r\n                # Turns the Ninja provided JSON into a PowerShell Object.\r\n                $NinjaPropertyValue | ConvertFrom-Json\r\n            }\r\n            \"Organization Location Dropdown\" {\r\n                # Turns the Ninja provided JSON into a PowerShell Object.\r\n                $NinjaPropertyValue | ConvertFrom-Json\r\n            }\r\n            \"Organization Location MultiSelect\" {\r\n                # Turns the Ninja provided JSON into a PowerShell Object.\r\n                $NinjaPropertyValue | ConvertFrom-Json\r\n            }\r\n            \"Organization MultiSelect\" {\r\n                # Turns the Ninja provided JSON into a PowerShell Object.\r\n                $NinjaPropertyValue | ConvertFrom-Json\r\n            }\r\n            \"Time\" {\r\n                # Time fields are given as a number of seconds starting from midnight. This will convert it into a date time object.\r\n                $Seconds = $NinjaPropertyValue\r\n                $UTC = ([TimeSpan]::FromSeconds($Seconds)).ToString(\"hh\\:mm\\:ss\")\r\n                $TimeZone = [TimeZoneInfo]::Local\r\n                $ConvertedTime = [TimeZoneInfo]::ConvertTimeFromUtc($UTC, $TimeZone)\r\n    \r\n                Get-Date $ConvertedTime -DisplayHint Time\r\n            }\r\n            default {\r\n                # If no type was given or not one that matches the above types just output what we retrieved.\r\n                $NinjaPropertyValue\r\n            }\r\n        }\r\n    }\r\n\r\n    function Set-NinjaProperty {\r\n        [CmdletBinding()]\r\n        Param(\r\n            [Parameter(Mandatory = $True)]\r\n            [String]$Name,\r\n            [Parameter()]\r\n            [String]$Type,\r\n            [Parameter(Mandatory = $True, ValueFromPipeline = $True)]\r\n            $Value,\r\n            [Parameter()]\r\n            [String]$DocumentName\r\n        )\r\n    \r\n        $Characters = $Value | Measure-Object -Character | Select-Object -ExpandProperty Characters\r\n        if ($Characters -ge 10000) {\r\n            throw [System.ArgumentOutOfRangeException]::New(\"Character limit exceeded, value is greater than 10,000 characters.\")\r\n        }\r\n        \r\n        # If we're requested to set the field value for a Ninja document we'll specify it here.\r\n        $DocumentationParams = @{}\r\n        if ($DocumentName) { $DocumentationParams[\"DocumentName\"] = $DocumentName }\r\n        \r\n        # This is a list of valid fields that can be set. If no type is given, it will be assumed that the input doesn't need to be changed.\r\n        $ValidFields = \"Attachment\", \"Checkbox\", \"Date\", \"Date or Date Time\", \"Decimal\", \"Dropdown\", \"Email\", \"Integer\", \"IP Address\", \"MultiLine\", \"MultiSelect\", \"Phone\", \"Secure\", \"Text\", \"Time\", \"URL\", \"WYSIWYG\"\r\n        if ($Type -and $ValidFields -notcontains $Type) { Write-Warning \"$Type is an invalid type! Please check here for valid types. https:\/\/ninjarmm.zendesk.com\/hc\/en-us\/articles\/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality\" }\r\n        \r\n        # The field below requires additional information to be set\r\n        $NeedsOptions = \"Dropdown\"\r\n        if ($DocumentName) {\r\n            if ($NeedsOptions -contains $Type) {\r\n                # We'll redirect the error output to the success stream to make it easier to error out if nothing was found or something else went wrong.\r\n                $NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2>&1\r\n            }\r\n        }\r\n        else {\r\n            if ($NeedsOptions -contains $Type) {\r\n                $NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2>&1\r\n            }\r\n        }\r\n        \r\n        # If an error is received it will have an exception property, the function will exit with that error information.\r\n        if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }\r\n        \r\n        # The below type's require values not typically given in order to be set. The below code will convert whatever we're given into a format ninjarmm-cli supports.\r\n        switch ($Type) {\r\n            \"Checkbox\" {\r\n                # While it's highly likely we were given a value like \"True\" or a boolean datatype it's better to be safe than sorry.\r\n                $NinjaValue = [System.Convert]::ToBoolean($Value)\r\n            }\r\n            \"Date or Date Time\" {\r\n                # Ninjarmm-cli expects the  Date-Time to be in Unix Epoch time so we'll convert it here.\r\n                $Date = (Get-Date $Value).ToUniversalTime()\r\n                $TimeSpan = New-TimeSpan (Get-Date \"1970-01-01 00:00:00\") $Date\r\n                $NinjaValue = $TimeSpan.TotalSeconds\r\n            }\r\n            \"Dropdown\" {\r\n                # Ninjarmm-cli is expecting the guid of the option we're trying to select. So we'll match up the value we were given with a guid.\r\n                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header \"GUID\", \"Name\"\r\n                $Selection = $Options | Where-Object { $_.Name -eq $Value } | Select-Object -ExpandProperty GUID\r\n        \r\n                if (-not $Selection) {\r\n                    throw [System.ArgumentOutOfRangeException]::New(\"Value is not present in dropdown\")\r\n                }\r\n        \r\n                $NinjaValue = $Selection\r\n            }\r\n            default {\r\n                # All the other types shouldn't require additional work on the input.\r\n                $NinjaValue = $Value\r\n            }\r\n        }\r\n        \r\n        # We'll need to set the field differently depending on if its a field in a Ninja Document or not.\r\n        if ($DocumentName) {\r\n            $CustomField = Ninja-Property-Docs-Set -AttributeName $Name -AttributeValue $NinjaValue @DocumentationParams 2>&1\r\n        }\r\n        else {\r\n            $CustomField = $NinjaValue | Ninja-Property-Set-Piped -Name $Name 2>&1\r\n        }\r\n        \r\n        if ($CustomField.Exception) {\r\n            throw $CustomField\r\n        }\r\n    }\r\n\r\n    function Set-WysiwygCustomField {\r\n        param (\r\n            [string]$Name,\r\n            [Parameter(ValueFromPipeline = $True)]\r\n            [string]$Value\r\n        )\r\n        end {\r\n\r\n            # Set the Custom Field\r\n            # If the value is greater than 10,000 characters, use the Ninja-Property-Set-Piped function\r\n            # Otherwise, use the Ninja-Property-Set function\r\n            $CustomField = $Value | Ninja-Property-Set-Piped -Name $Name 2>&1\r\n\r\n            # Check for errors\r\n            if ($CustomField -or $CustomField.Exception) {\r\n                # If the Custom Field was not found, throw an error\r\n                if ($CustomField -like \"Unable to find the specified field.\" -or $CustomField.Exception -like \"Unable to find the specified field.\") {\r\n                    throw \"The Custom field ($Name) was not found\"\r\n                }\r\n                # If the Custom Field is read-only, throw an error\r\n                if ($CustomField -like \"Unable to update read-only attribute\" -or $CustomField.Exception -like \"Unable to update read-only attribute\") {\r\n                    throw \"The Custom field ($Name) is read-only\"\r\n                }\r\n                # Catch all other errors and throw the error\r\n                throw $CustomField\r\n            }\r\n        }\r\n    }\r\n\r\n    # Predefined values for Success, Danger, and Other\r\n    $ConvertToWysiwygHtmlSuccess = @(\"Signed\", \"Valid\")\r\n    $ConvertToWysiwygHtmlDanger = @(\"SignedAndNotTrusted\", \"NotSigned\", \"NotTrusted\", \"HashMismatch\")\r\n    $ConvertToWysiwygHtmlOther = @(\"UnknownError\", \"Incompatible\")\r\n    # Function to convert the output to a WYSIWYG HTML format\r\n    function ConvertTo-WysiwygHtml {\r\n        param(\r\n            [string]$Title,\r\n            [PSObject[]]$Value,\r\n            [string[]]$Success = $ConvertToWysiwygHtmlSuccess,\r\n            [string[]]$Danger = $ConvertToWysiwygHtmlDanger,\r\n            [string[]]$Other = $ConvertToWysiwygHtmlOther\r\n        )\r\n        begin {\r\n            $htmlReport = New-Object System.Collections.Generic.List[String]\r\n            # If used add the Title to the report\r\n            if ($Title) {\r\n                $htmlReport.Add(\"<h1>$Title<\/h1>\")\r\n            }\r\n        }\r\n        process {\r\n            # Convert the value to HTML\r\n            $htmlTable = $Value | ConvertTo-Html -Fragment\r\n            # Set the class for each row based on the Success, Danger, and Other values\r\n            if ($Success) {\r\n                # For each Success value, find the row in the table and add a class of 'success'\r\n                $Success | ForEach-Object {\r\n                    $Status = $_\r\n                    # Split the table into lines and find the lines that contain the Status\r\n                    $htmlTable -split \"`r`n\" | Where-Object {\r\n                        # Select only lines that have <tr><td>*>$($Status)<*\r\n                        $_ -like \"<tr><td>*>$($Status)<*\"\r\n                    } | ForEach-Object {\r\n                        # Escape the line for regex\r\n                        $LineEscaped = [regex]::Escape($_)\r\n                        if ($_ -like \"*$Status*\") {\r\n                            # Replace the line with the line and add a class of 'success'\r\n                            $htmlTable = $htmlTable -replace $LineEscaped, $($_ -replace \"<tr>\", \"<tr class='success'>\")\r\n                        }\r\n                    }\r\n                }\r\n            }\r\n            if ($Danger) {\r\n                # For each Danger value, find the row in the table and add a class of 'danger'\r\n                $Danger | ForEach-Object {\r\n                    $Status = $_\r\n                    # Split the table into lines and find the lines that contain the Status\r\n                    $htmlTable -split \"`r`n\" | Where-Object {\r\n                        # Select only lines that have <tr><td>*>$($Status)<*\r\n                        $_ -like \"<tr><td>*>$($Status)<*\"\r\n                    } | ForEach-Object {\r\n                        # Escape the line for regex\r\n                        $LineEscaped = [regex]::Escape($_)\r\n                        if ($_ -like \"*$Status*\") {\r\n                            # Replace the line with the line and add a class of 'danger'\r\n                            $htmlTable = $htmlTable -replace $LineEscaped, $($_ -replace \"<tr>\", \"<tr class='danger'>\")\r\n                        }\r\n                    }\r\n                }\r\n            }\r\n            if ($Other) {\r\n                # For each Other value, find the row in the table and add a class of 'other'\r\n                $Other | ForEach-Object {\r\n                    $Status = $_\r\n                    # Split the table into lines and find the lines that contain the Status\r\n                    $htmlTable -split \"`r`n\" | Where-Object {\r\n                        # Select only lines that have <tr><td>*>$($Status)<*\r\n                        $_ -like \"<tr><td>*>$($Status)<*\"\r\n                    } | ForEach-Object {\r\n                        # Escape the line for regex\r\n                        $LineEscaped = [regex]::Escape($_)\r\n                        if ($_ -like \"*$Status*\") {\r\n                            # Replace the line with the line and add a class of 'other'\r\n                            $htmlTable = $htmlTable -replace $LineEscaped, $($_ -replace \"<tr>\", \"<tr class='other'>\")\r\n                        }\r\n                    }\r\n                }\r\n            }\r\n            # Add the Table to the report\r\n            $htmlTable | ForEach-Object { $htmlReport.Add($_) }\r\n        }\r\n        end {\r\n            # Return the HTML report\r\n            $htmlReport | Out-String\r\n        }\r\n    }\r\n\r\n    # Update the script variables with the Script Variables if they are not null\r\n    if ($env:excludeProcess -and $env:excludeProcess -notlike \"null\") {\r\n        $ExcludeProcess = $env:excludeProcess\r\n    }\r\n    if ($env:excludeProcessFromCustomField -and $env:excludeProcessFromCustomField -notlike \"null\") {\r\n        $ExcludeProcessFromCustomField = $env:excludeProcessFromCustomField\r\n    }\r\n    if ($env:saveResultsToMultilineCustomField -and $env:saveResultsToMultilineCustomField -notlike \"null\") {\r\n        $SaveResultsToMultilineCustomField = $env:saveResultsToMultilineCustomField\r\n    }\r\n    if ($env:saveResultsToWysiwygCustomField -and $env:saveResultsToWysiwygCustomField -notlike \"null\") {\r\n        $SaveResultsToWysiwygCustomField = $env:saveResultsToWysiwygCustomField\r\n    }\r\n\r\n    # If ExcludeProcess is a comma-separated list, split it into an array\r\n    if ($ExcludeProcess -like '*,*') {\r\n        $ExcludeProcess = $ExcludeProcess -split ',' | ForEach-Object {\r\n            if ($_ -like '*,*') {\r\n                $_ -split ',' | ForEach-Object { \"$_\".Trim() }\r\n            }\r\n            else { \"$_\".Trim() }\r\n        }\r\n    }\r\n    # If ExcludeProcessFromCustomField is not null, get a list of processes to exclude from the Custom Field\r\n    if ($ExcludeProcessFromCustomField -and $ExcludeProcessFromCustomField -notlike \"null\") {\r\n        try {\r\n            # Get the processes to exclude from the Custom Field\r\n            $TempString = $(Get-NinjaProperty -Name $ExcludeProcessFromCustomField)\r\n            # If the Custom Field is empty, throw an error\r\n            if ([string]::IsNullOrWhiteSpace($TempString)) {\r\n                throw \"Empty\"\r\n            }\r\n            # If the Custom Field is a comma-separated list, split it into an array\r\n            $ExcludeProcess = $TempString -split ',' | ForEach-Object { \"$_\".Trim() }\r\n        }\r\n        catch {\r\n            # If the Custom Field is empty, output a warning\r\n            if ($_.Exception.Message -like \"Empty\") {\r\n                Write-Host \"[Warn] The Custom Field($ExcludeProcessFromCustomField) is empty\"\r\n            }\r\n            else {\r\n                # If the Custom Field is Like empty, output an error\r\n                Write-Host \"[Warn] Failed to get processes to exclude from Custom Field($ExcludeProcessFromCustomField)\"\r\n            }\r\n        }\r\n    }\r\n}\r\nprocess {\r\n    if (-not (Test-IsElevated)) {\r\n        Write-Error -Message \"Access Denied. Please run with Administrator privileges.\"\r\n        exit 1\r\n    }\r\n\r\n    # Get processes and if excluding, look at Name, Path\/FileName, and ProductName\r\n    $Processes = $(\r\n        if ($ExcludeProcess) {\r\n            # Output excluded processes\r\n            Write-Host \"Excluding Processes:\"\r\n            $ExcludeProcess | Out-String | Write-Host\r\n            # Get processes and exclude based on Name, Path\/FileName, and ProductName\r\n            Get-Process | Where-Object {\r\n                $(\r\n                    $_.Name -notin $ExcludeProcess -and\r\n                    $(\r\n                        if ($_.Path) {\r\n                            Split-Path $_.Path -Leaf\r\n                        }\r\n                        else { $_.FileName }\r\n                    ) -notin $ExcludeProcess -and\r\n                    $_.ProductName -notin $ExcludeProcess\r\n                )\r\n            }\r\n        }\r\n        else {\r\n            # Get all processes if no exclusion is specified\r\n            Get-Process\r\n        }\r\n    )\r\n\r\n    # Reduce list to just the paths and get signed status\r\n    $ProcessesWithSigned = $Processes | Sort-Object -Unique -Property Path | ForEach-Object {\r\n        if ($_.Path) {\r\n            # Get the signer certificate\r\n            $Signature = Get-AuthenticodeSignature -FilePath $_.Path\r\n\r\n            # Check if the signer certificate is trusted\r\n            $Status = if ($Signature.Status -eq \"Valid\") {\r\n                \"Signed\"\r\n            }\r\n            else {\r\n                $Signature.Status\r\n            }\r\n\r\n            # Output the process name, description, path, id, and signed status\r\n            [PSCustomObject]@{\r\n                Name        = $_.Name\r\n                Description = $_.Description\r\n                Path        = $_.Path\r\n                Id          = $_.Id\r\n                Signed      = $Status\r\n            }\r\n            $Status = $null\r\n        }\r\n    }\r\n\r\n    # Get unsigned processes\r\n    $Unsigned = $ProcessesWithSigned | Where-Object { $_.Signed -notlike \"Signed\" }\r\n    if ($Unsigned -and $Unsigned.Count) {\r\n        # Output number of processes\r\n        Write-Host \"Unsigned Processes Found: $($Unsigned.Count)\"\r\n    }\r\n    elseif ($Unsigned) {\r\n        # Handle edge case where $Unsigned isn't an array of items, but is an object alone\r\n        Write-Host \"Unsigned Processes Found: 1\"\r\n    }\r\n    else {\r\n        # If $Unsigned doesn't have a count and isn't a object, assume there are 0 unsigned processes found\r\n        Write-Host \"Unsigned Processes Found: 0\"\r\n    }\r\n\r\n    # Output unsigned processes for Activity Feed\r\n    $Unsigned | Out-String | Write-Host\r\n\r\n    $HasErrors = $false\r\n    # Save results to a Multi-Line custom field\r\n    if ($SaveResultsToMultilineCustomField -and $SaveResultsToMultilineCustomField -notlike \"null\") {\r\n        try {\r\n            $Unsigned | Out-String | Set-NinjaProperty -Name $SaveResultsToMultilineCustomField\r\n            Write-Host \"[Info] Updated Multiline Custom Field($SaveResultsToMultilineCustomField)\"\r\n        }\r\n        catch {\r\n            if ($_.Exception.Message -like \"*Unable to find the specified field*\") {\r\n                Write-Host \"[Error] Unable to find and save to the Custom Field ($SaveResultsToMultilineCustomField)\"\r\n            }\r\n            else {\r\n                Write-Host \"[Error] ninjarmm-cli returned error: $($_.Exception.Message)\"\r\n            }\r\n            $HasErrors = $true\r\n        }\r\n    }\r\n    else {\r\n        Write-Host \"[Info] Not updating Multiline Custom Field($SaveResultsToWysiwygCustomField) due to not being specified or inaccessible.\"\r\n    }\r\n\r\n    # Save results to a WYSIWYG custom field\r\n    if ($SaveResultsToWysiwygCustomField -and $SaveResultsToWysiwygCustomField -notlike \"null\") {\r\n        try {\r\n            ConvertTo-WysiwygHtml -Value $Unsigned | Set-WysiwygCustomField -Name $SaveResultsToWysiwygCustomField\r\n            Write-Host \"[Info] Updated Wysiwyg Custom Field($SaveResultsToWysiwygCustomField)\"\r\n        }\r\n        catch {\r\n            if ($_.Exception.Message -like \"*Unable to find the specified field*\") {\r\n                Write-Host \"[Error] Unable to find and save to the Custom Field ($SaveResultsToWysiwygCustomField)\"\r\n            }\r\n            else {\r\n                Write-Host \"[Error] ninjarmm-cli returned error: $($_.Exception.Message)\"\r\n            }\r\n            $HasErrors = $true\r\n        }\r\n    }\r\n    else {\r\n        Write-Host \"[Info] Not updating Wysiwyg Custom Field($SaveResultsToWysiwygCustomField) due to not being specified or inaccessible.\"\r\n    }\r\n    if ($HasErrors) {\r\n        exit 1\r\n    }\r\n}\r\nend {\r\n    \r\n    \r\n    \r\n}<\/pre>\n
 <\/p>\n\n
<\/h2>
<\/p><\/div>
<\/a><\/div><\/div>\n
Wie das Skript funktioniert<\/h2>\n
Das mitgelieferte PowerShell-Skript wurde entwickelt, um die Signaturen aller laufenden Prozesse auf einem Windows-System zu \u00fcberpr\u00fcfen und diejenigen zu melden, die nicht signiert sind. Im Folgenden wird Schritt f\u00fcr Schritt beschrieben, wie das Skript funktioniert:<\/p>\n
    \n
  1. Ersteinrichtung<\/strong>: Das Skript beginnt mit der Definition mehrerer Funktionen, die f\u00fcr den Betrieb des Skripts wichtig sind, z. B. die \u00dcberpr\u00fcfung, ob das Skript mit Administratorrechten ausgef\u00fchrt wird (Test-IsElevated) und das Abrufen oder Setzen von benutzerdefinierten Feldern in NinjaOne (Get-NinjaProperty und Set-NinjaProperty).<\/li>\n
  2. Behandlung der Parameter<\/strong>: Das Skript akzeptiert mehrere Parameter, mit denen Benutzer:innen bestimmte Prozesse von der \u00dcberpr\u00fcfung ausschlie\u00dfen, Ausschlusslisten aus benutzerdefinierten Feldern abrufen und Ergebnisse in benutzerdefinierten Feldern speichern k\u00f6nnen (sowohl mehrzeilige als auch WYSIWYG-Formate).<\/li>\n
  3. Prozess-Erfassung und Ausschluss<\/strong>: Er sammelt eine Liste aller laufenden Prozesse auf dem System. Wenn die Benutzer:innen irgendwelche Ausschl\u00fcsse angeben (entweder durch direkte Parameter oder benutzerdefinierte Felder), werden diese Prozesse herausgefiltert.<\/li>\n
  4. \u00dcberpr\u00fcfung der Signatur<\/strong>: Das Skript \u00fcberpr\u00fcft die Signatur jedes Prozesses mit dem cmdlet „Get-AuthenticodeSignature“. Prozesse, die nicht signiert sind oder einen anderen Status als „g\u00fcltig“ haben, werden als unsigniert gekennzeichnet.<\/li>\n
  5. Ergebnishandhabung<\/strong>: Prozesse ohne Signatur werden danach im Dashboard angezeigt und, falls gew\u00fcnscht, in benutzerdefinierte Felder in NinjaOne \u00fcbertragen. Das Skript kann die Ausgabe in HTML f\u00fcr WYSIWYG-Felder formatieren, sodass sie leicht in Berichte oder Dashboards integriert werden kann.<\/li>\n
  6. Fehlerbehandlung und Berichterstattung<\/strong>: Das Skript enth\u00e4lt eine komplette Fehlerbehandlungsl\u00f6sung, um Probleme wie fehlende benutzerdefinierte Felder oder die \u00dcberschreitung von Zeichengrenzen in benutzerdefinierten Feldern zu bew\u00e4ltigen. Aufgetretene Fehler werden den Benutzer:innen zur\u00fcckgemeldet, was f\u00fcr Transparenz sorgt.<\/li>\n<\/ol>\n
    Hypothetischer Anwendungsfall<\/h2>\n
    Stellen Sie sich einen IT-Administrator vor, der ein Computernetzwerk f\u00fcr ein Finanzinstitut verwaltet. Die Sicherheit<\/a> hat oberste Priorit\u00e4t, und der Administrator muss sicherstellen, dass auf allen Rechnern nur legitime Prozesse ablaufen.<\/p>\n
    Mit diesem Skript kann der Administrator regelm\u00e4\u00dfig \u00fcberpr\u00fcfen, ob alle laufenden Prozesse signiert sind, bekannte sichere Prozesse automatisch ausschlie\u00dfen und unsignierte Prozesse zur weiteren Untersuchung melden.<\/p>\n
    Die Ergebnisse werden in benutzerdefinierten Feldern in NinjaOne gespeichert, sodass der Administrator die Ergebnisse leicht \u00fcberpr\u00fcfen und eine sichere Umgebung aufrechterhalten kann.<\/p>\n
    Vergleiche mit anderen Methoden<\/h2>\n
    Herk\u00f6mmliche Methoden zur \u00dcberpr\u00fcfung laufender Prozesse k\u00f6nnen in manuellen \u00dcberpr\u00fcfungen mit Tools wie dem Task-Manager oder Sicherheitssoftware von Drittanbietern bestehen. Diese Ans\u00e4tze sind jedoch oft zeitaufw\u00e4ndig und anf\u00e4llig f\u00fcr menschliche Fehler. Im Gegensatz dazu automatisiert dieses PowerShell-Skript den gesamten Prozess und bietet eine schnellere und zuverl\u00e4ssigere Methode der \u00dcberpr\u00fcfung.<\/p>\n
    Dar\u00fcber hinaus bietet die Integration des Skripts mit den benutzerdefinierten Feldern von NinjaOne eine nahtlose M\u00f6glichkeit zur Dokumentation und Nachverfolgung von Pr\u00fcfergebnissen im Zeitverlauf, was mit manuellen Methoden nicht ohne weiteres m\u00f6glich ist.<\/p>\n
    H\u00e4ufig gestellte Fragen<\/h2>\n
    Was bedeutet es, wenn ein Prozess unsigniert ist?<\/h3>\n
    Ein unsignierter Prozess bedeutet, dass die ausf\u00fchrbare Datei, die den Prozess ausf\u00fchrt, nicht \u00fcber eine g\u00fcltige digitale Signatur verf\u00fcgt. Dies k\u00f6nnte darauf hinweisen, dass der Prozess aus einer nicht vertrauensw\u00fcrdigen Quelle stammt oder manipuliert wurde.<\/p>\n
    Kann ich selbst bestimmen, welche Prozesse von der \u00dcberpr\u00fcfung ausgeschlossen werden?<\/h3>\n
    Ja, das Skript erm\u00f6glicht es Ihnen, bestimmte Prozesse nach Namen, Pfad oder Produktnamen auszuschlie\u00dfen, entweder \u00fcber Parameter oder durch Angabe eines benutzerdefinierten Feldes in NinjaOne.<\/p>\n
    Was passiert, wenn das Skript auf einen Fehler st\u00f6\u00dft?<\/h3>\n
    Das Skript enth\u00e4lt eine zuverl\u00e4ssige Fehlerbehandlungsl\u00f6sung. Wenn es auf einen Fehler st\u00f6\u00dft, z. B. ein fehlendes benutzerdefiniertes Feld oder einen ung\u00fcltigen Prozessausschluss, meldet es das Problem in der Konsolenausgabe.<\/p>\n
    Ist dieses Skript mit allen Versionen von Windows kompatibel?<\/h3>\n
    Das Skript erfordert Windows 10 oder Windows Server 2012 und h\u00f6her, mit PowerShell Version 5.1 oder h\u00f6her.<\/p>\n
    Auswirkungen der Ergebnisse des Skripts<\/h2>\n
    Das Auffinden unsignierter Prozesse in einem System kann erhebliche Auswirkungen haben. Solche Prozesse k\u00f6nnten ein Sicherheitsrisiko darstellen, da es sich um Malware oder nicht autorisierte Software handeln k\u00f6nnte.<\/p>\n
    Durch die Identifizierung dieser Prozesse k\u00f6nnen IT-Experten Ma\u00dfnahmen ergreifen, um sie zu beseitigen oder weiter zu untersuchen und so das Risiko einer Sicherheitsverletzung zu verringern. Die regelm\u00e4\u00dfige Ausf\u00fchrung dieses Skripts kann dazu beitragen, eine sichere Umgebung aufrechtzuerhalten und sicherzustellen, dass nur vertrauensw\u00fcrdige Software auf kritischen Systemen ausgef\u00fchrt wird.<\/p>\n
    Best Practices bei der Verwendung dieses Skripts<\/h2>\n