How to Verify and Secure Running Processes in Windows with PowerShell

In today’s IT landscape, maintaining the security and integrity of a network is paramount. One of the critical tasks for IT professionals and Managed Service Providers (MSPs) is to ensure that only trusted and verified processes are running on their systems.

Unverified or unsigned processes can be potential entry points for malicious software, leading to security breaches and system instability. This is where PowerShell scripts, like the one we are discussing today, come into play, providing a robust method to verify running processes and identify any unsigned executables.

The Need for Process Verification

IT professionals must often verify that all running processes on a system are signed and trusted. This verification ensures that the processes are from legitimate sources and have not been tampered with.

In environments where security is a top priority, such as financial institutions, healthcare, or any organization handling sensitive data, ensuring the legitimacy of running processes is crucial. This script offers a streamlined way to automate the verification process, making it an invaluable tool for IT administrators and MSPs.

The Script:

#Requires -Version 5.1

<#
.SYNOPSIS
    Verify that running processes are signed and output unsigned.
.DESCRIPTION
    Verify that running processes are signed and output unsigned.
    It will exclude processes based on the process name, path, or product name.
    The script will output the unsigned processes to the console and save the results to a Multi-Line custom field and a WYSIWYG custom field if specified.

.EXAMPLE
    (No Parameters)
    ## EXAMPLE OUTPUT WITHOUT PARAMS ##
    Unsigned Processes Found: 2

    Name        : explorer
    Description : Windows Explorer
    Path        : C:\Windows\explorer.exe
    Id          : 1234
    Signed      : NotSigned

    Name        : notepad
    Description : Notepad
    Path        : C:\Windows\notepad.exe
    Id          : 5678
    Signed      : NotSigned

PARAMETER: -ExcludeProcess "explorer.exe"
    Exclude the process explorer.exe from the results.
.EXAMPLE
    -ExcludeProcess "notepad"
    ## EXAMPLE OUTPUT WITH ExcludeProcess ##
    Unsigned Processes Found: 1

    Name        : explorer
    Description : Windows Explorer
    Path        : C:\Windows\explorer.exe
    Id          : 1234
    Signed      : NotSigned

PARAMETER: -ExcludeProcessFromCustomField "ReplaceMeWithAnyTextCustomField"
    Exclude the processes from the custom field specified.
.EXAMPLE
    -ExcludeProcessFromCustomField "ReplaceMeWithAnyTextCustomField"
    ## EXAMPLE OUTPUT WITH ExcludeProcessFromCustomField ##
    Unsigned Processes Found: 2

    Name        : explorer
    Description : Windows Explorer
    Path        : C:\Windows\explorer.exe
    Id          : 1234
    Signed      : NotSigned

    Name        : notepad
    Description : Notepad
    Path        : C:\Windows\notepad.exe
    Id          : 5678
    Signed      : NotSigned

PARAMETER: -SaveResultsToMultilineCustomField "ReplaceMeWithAnyMultilineCustomField"
    Save the results to a Multi-Line custom field specified.
.EXAMPLE
    -SaveResultsToMultilineCustomField "ReplaceMeWithAnyMultilineCustomField"
    ## EXAMPLE OUTPUT WITH ExcludeProcessFromCustomField ##
    Unsigned Processes Found: 2

    Name        : explorer
    Description : Windows Explorer
    Path        : C:\Windows\explorer.exe
    Id          : 1234
    Signed      : NotSigned

    Name        : notepad
    Description : Notepad
    Path        : C:\Windows\notepad.exe
    Id          : 5678
    Signed      : NotSigned

    [Info] Attempting to update Multiline Custom Field(ReplaceMeWithAnyMultilineCustomField)
    [Info] Updated Multiline Custom Field(ReplaceMeWithAnyMultilineCustomField)


PARAMETER: -SaveResultsToWysiwygCustomField "ReplaceMeWithAnyMultilineCustomField"
    Save the results to a WYSIWYG custom field specified.
.EXAMPLE
    -SaveResultsToWysiwygCustomField "ReplaceMeWithAnyWysiwygCustomField"
    ## EXAMPLE OUTPUT WITH ExcludeProcessFromCustomField ##
    Unsigned Processes Found: 2

    Name        : explorer
    Description : Windows Explorer
    Path        : C:\Windows\explorer.exe
    Id          : 1234
    Signed      : NotSigned

    Name        : notepad
    Description : Notepad
    Path        : C:\Windows\notepad.exe
    Id          : 5678
    Signed      : NotSigned

    [Info] Attempting to update Wysiwyg Custom Field(ReplaceMeWithAnyWysiwygCustomField)
    [Info] Updated Wysiwyg Custom Field(ReplaceMeWithAnyWysiwygCustomField)

.OUTPUTS
    None
.NOTES
    Minimum OS Architecture Supported: Windows 10, Windows Server 2012
    Release Notes: Initial Release
By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
#>

[CmdletBinding()]
param (
    [String[]]$ExcludeProcess,
    [String]$ExcludeProcessFromCustomField,
    [String]$SaveResultsToMultilineCustomField,
    [String]$SaveResultsToWysiwygCustomField
)

begin {
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    function Get-NinjaProperty {
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
            [String]$Name,
            [Parameter()]
            [String]$Type,
            [Parameter()]
            [String]$DocumentName
        )
    
        if ($PSVersionTable.PSVersion.Major -lt 3) {
            throw "PowerShell 3.0 or higher is required to retrieve data from custom fields. https://ninjarmm.zendesk.com/hc/en-us/articles/4405408656013"
        }
    
        # If we're requested to get the field value from a Ninja document we'll specify it here.
        $DocumentationParams = @{}
        if ($DocumentName) { $DocumentationParams["DocumentName"] = $DocumentName }
    
        # These two types require more information to parse.
        $NeedsOptions = "DropDown", "MultiSelect"
    
        # Grabbing document values requires a slightly different command.
        if ($DocumentName) {
            # Secure fields are only readable when they're a device custom field
            if ($Type -Like "Secure") { throw "$Type is an invalid type! Please check here for valid types. https://ninjarmm.zendesk.com/hc/en-us/articles/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality" }
    
            # We'll redirect the error output to the success stream to make it easier to error out if nothing was found or something else went wrong.
            Write-Host "Retrieving value from Ninja Document..."
            $NinjaPropertyValue = Ninja-Property-Docs-Get -AttributeName $Name @DocumentationParams 2>&1
    
            # Certain fields require more information to parse.
            if ($NeedsOptions -contains $Type) {
                $NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2>&1
            }
        }
        else {
            # We'll redirect error output to the success stream to make it easier to error out if nothing was found or something else went wrong.
            $NinjaPropertyValue = Ninja-Property-Get -Name $Name 2>&1
    
            # Certain fields require more information to parse.
            if ($NeedsOptions -contains $Type) {
                $NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2>&1
            }
        }
    
        # If we received some sort of error it should have an exception property and we'll exit the function with that error information.
        if ($NinjaPropertyValue.Exception) { throw $NinjaPropertyValue }
        if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }
    
        # This switch will compare the type given with the quoted string. If it matches, it'll parse it further; otherwise, the default option will be selected.
        switch ($Type) {
            "Attachment" {
                # Attachments come in a JSON format this will convert it into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Checkbox" {
                # Checkbox's come in as a string representing an integer. We'll need to cast that string into an integer and then convert it to a more traditional boolean.
                [System.Convert]::ToBoolean([int]$NinjaPropertyValue)
            }
            "Date or Date Time" {
                # In Ninja Date and Date/Time fields are in Unix Epoch time in the UTC timezone the below should convert it into local time as a date time object.
                $UnixTimeStamp = $NinjaPropertyValue
                $UTC = (Get-Date "1970-01-01 00:00:00").AddSeconds($UnixTimeStamp)
                $TimeZone = [TimeZoneInfo]::Local
                [TimeZoneInfo]::ConvertTimeFromUtc($UTC, $TimeZone)
            }
            "Decimal" {
                # In ninja decimals are strings that represent a decimal this will cast it into a double data type.
                [double]$NinjaPropertyValue
            }
            "Device Dropdown" {
                # Device Drop-Downs Fields come in a JSON format this will convert it into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Device MultiSelect" {
                # Device Multi-Select Fields come in a JSON format this will convert it into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Dropdown" {
                # Drop-Down custom fields come in as a comma-separated list of GUIDs; we'll compare these with all the options and return just the option values selected instead of a GUID.
                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header "GUID", "Name"
                $Options | Where-Object { $_.GUID -eq $NinjaPropertyValue } | Select-Object -ExpandProperty Name
            }
            "Integer" {
                # Cast's the Ninja provided string into an integer.
                [int]$NinjaPropertyValue
            }
            "MultiSelect" {
                # Multi-Select custom fields come in as a comma-separated list of GUID's we'll compare these with all the options and return just the option values selected instead of a guid.
                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header "GUID", "Name"
                $Selection = ($NinjaPropertyValue -split ',').trim()
    
                foreach ($Item in $Selection) {
                    $Options | Where-Object { $_.GUID -eq $Item } | Select-Object -ExpandProperty Name
                }
            }
            "Organization Dropdown" {
                # Turns the Ninja provided JSON into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Organization Location Dropdown" {
                # Turns the Ninja provided JSON into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Organization Location MultiSelect" {
                # Turns the Ninja provided JSON into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Organization MultiSelect" {
                # Turns the Ninja provided JSON into a PowerShell Object.
                $NinjaPropertyValue | ConvertFrom-Json
            }
            "Time" {
                # Time fields are given as a number of seconds starting from midnight. This will convert it into a date time object.
                $Seconds = $NinjaPropertyValue
                $UTC = ([TimeSpan]::FromSeconds($Seconds)).ToString("hh\:mm\:ss")
                $TimeZone = [TimeZoneInfo]::Local
                $ConvertedTime = [TimeZoneInfo]::ConvertTimeFromUtc($UTC, $TimeZone)
    
                Get-Date $ConvertedTime -DisplayHint Time
            }
            default {
                # If no type was given or not one that matches the above types just output what we retrieved.
                $NinjaPropertyValue
            }
        }
    }

    function Set-NinjaProperty {
        [CmdletBinding()]
        Param(
            [Parameter(Mandatory = $True)]
            [String]$Name,
            [Parameter()]
            [String]$Type,
            [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
            $Value,
            [Parameter()]
            [String]$DocumentName
        )
    
        $Characters = $Value | Measure-Object -Character | Select-Object -ExpandProperty Characters
        if ($Characters -ge 10000) {
            throw [System.ArgumentOutOfRangeException]::New("Character limit exceeded, value is greater than 10,000 characters.")
        }
        
        # If we're requested to set the field value for a Ninja document we'll specify it here.
        $DocumentationParams = @{}
        if ($DocumentName) { $DocumentationParams["DocumentName"] = $DocumentName }
        
        # This is a list of valid fields that can be set. If no type is given, it will be assumed that the input doesn't need to be changed.
        $ValidFields = "Attachment", "Checkbox", "Date", "Date or Date Time", "Decimal", "Dropdown", "Email", "Integer", "IP Address", "MultiLine", "MultiSelect", "Phone", "Secure", "Text", "Time", "URL", "WYSIWYG"
        if ($Type -and $ValidFields -notcontains $Type) { Write-Warning "$Type is an invalid type! Please check here for valid types. https://ninjarmm.zendesk.com/hc/en-us/articles/16973443979789-Command-Line-Interface-CLI-Supported-Fields-and-Functionality" }
        
        # The field below requires additional information to be set
        $NeedsOptions = "Dropdown"
        if ($DocumentName) {
            if ($NeedsOptions -contains $Type) {
                # We'll redirect the error output to the success stream to make it easier to error out if nothing was found or something else went wrong.
                $NinjaPropertyOptions = Ninja-Property-Docs-Options -AttributeName $Name @DocumentationParams 2>&1
            }
        }
        else {
            if ($NeedsOptions -contains $Type) {
                $NinjaPropertyOptions = Ninja-Property-Options -Name $Name 2>&1
            }
        }
        
        # If an error is received it will have an exception property, the function will exit with that error information.
        if ($NinjaPropertyOptions.Exception) { throw $NinjaPropertyOptions }
        
        # The below type's require values not typically given in order to be set. The below code will convert whatever we're given into a format ninjarmm-cli supports.
        switch ($Type) {
            "Checkbox" {
                # While it's highly likely we were given a value like "True" or a boolean datatype it's better to be safe than sorry.
                $NinjaValue = [System.Convert]::ToBoolean($Value)
            }
            "Date or Date Time" {
                # Ninjarmm-cli expects the  Date-Time to be in Unix Epoch time so we'll convert it here.
                $Date = (Get-Date $Value).ToUniversalTime()
                $TimeSpan = New-TimeSpan (Get-Date "1970-01-01 00:00:00") $Date
                $NinjaValue = $TimeSpan.TotalSeconds
            }
            "Dropdown" {
                # Ninjarmm-cli is expecting the guid of the option we're trying to select. So we'll match up the value we were given with a guid.
                $Options = $NinjaPropertyOptions -replace '=', ',' | ConvertFrom-Csv -Header "GUID", "Name"
                $Selection = $Options | Where-Object { $_.Name -eq $Value } | Select-Object -ExpandProperty GUID
        
                if (-not $Selection) {
                    throw [System.ArgumentOutOfRangeException]::New("Value is not present in dropdown")
                }
        
                $NinjaValue = $Selection
            }
            default {
                # All the other types shouldn't require additional work on the input.
                $NinjaValue = $Value
            }
        }
        
        # We'll need to set the field differently depending on if its a field in a Ninja Document or not.
        if ($DocumentName) {
            $CustomField = Ninja-Property-Docs-Set -AttributeName $Name -AttributeValue $NinjaValue @DocumentationParams 2>&1
        }
        else {
            $CustomField = $NinjaValue | Ninja-Property-Set-Piped -Name $Name 2>&1
        }
        
        if ($CustomField.Exception) {
            throw $CustomField
        }
    }

    function Set-WysiwygCustomField {
        param (
            [string]$Name,
            [Parameter(ValueFromPipeline = $True)]
            [string]$Value
        )
        end {

            # Set the Custom Field
            # If the value is greater than 10,000 characters, use the Ninja-Property-Set-Piped function
            # Otherwise, use the Ninja-Property-Set function
            $CustomField = $Value | Ninja-Property-Set-Piped -Name $Name 2>&1

            # Check for errors
            if ($CustomField -or $CustomField.Exception) {
                # If the Custom Field was not found, throw an error
                if ($CustomField -like "Unable to find the specified field." -or $CustomField.Exception -like "Unable to find the specified field.") {
                    throw "The Custom field ($Name) was not found"
                }
                # If the Custom Field is read-only, throw an error
                if ($CustomField -like "Unable to update read-only attribute" -or $CustomField.Exception -like "Unable to update read-only attribute") {
                    throw "The Custom field ($Name) is read-only"
                }
                # Catch all other errors and throw the error
                throw $CustomField
            }
        }
    }

    # Predefined values for Success, Danger, and Other
    $ConvertToWysiwygHtmlSuccess = @("Signed", "Valid")
    $ConvertToWysiwygHtmlDanger = @("SignedAndNotTrusted", "NotSigned", "NotTrusted", "HashMismatch")
    $ConvertToWysiwygHtmlOther = @("UnknownError", "Incompatible")
    # Function to convert the output to a WYSIWYG HTML format
    function ConvertTo-WysiwygHtml {
        param(
            [string]$Title,
            [PSObject[]]$Value,
            [string[]]$Success = $ConvertToWysiwygHtmlSuccess,
            [string[]]$Danger = $ConvertToWysiwygHtmlDanger,
            [string[]]$Other = $ConvertToWysiwygHtmlOther
        )
        begin {
            $htmlReport = New-Object System.Collections.Generic.List[String]
            # If used add the Title to the report
            if ($Title) {
                $htmlReport.Add("<h1>$Title</h1>")
            }
        }
        process {
            # Convert the value to HTML
            $htmlTable = $Value | ConvertTo-Html -Fragment
            # Set the class for each row based on the Success, Danger, and Other values
            if ($Success) {
                # For each Success value, find the row in the table and add a class of 'success'
                $Success | ForEach-Object {
                    $Status = $_
                    # Split the table into lines and find the lines that contain the Status
                    $htmlTable -split "`r`n" | Where-Object {
                        # Select only lines that have <tr><td>*>$($Status)<*
                        $_ -like "<tr><td>*>$($Status)<*"
                    } | ForEach-Object {
                        # Escape the line for regex
                        $LineEscaped = [regex]::Escape($_)
                        if ($_ -like "*$Status*") {
                            # Replace the line with the line and add a class of 'success'
                            $htmlTable = $htmlTable -replace $LineEscaped, $($_ -replace "<tr>", "<tr class='success'>")
                        }
                    }
                }
            }
            if ($Danger) {
                # For each Danger value, find the row in the table and add a class of 'danger'
                $Danger | ForEach-Object {
                    $Status = $_
                    # Split the table into lines and find the lines that contain the Status
                    $htmlTable -split "`r`n" | Where-Object {
                        # Select only lines that have <tr><td>*>$($Status)<*
                        $_ -like "<tr><td>*>$($Status)<*"
                    } | ForEach-Object {
                        # Escape the line for regex
                        $LineEscaped = [regex]::Escape($_)
                        if ($_ -like "*$Status*") {
                            # Replace the line with the line and add a class of 'danger'
                            $htmlTable = $htmlTable -replace $LineEscaped, $($_ -replace "<tr>", "<tr class='danger'>")
                        }
                    }
                }
            }
            if ($Other) {
                # For each Other value, find the row in the table and add a class of 'other'
                $Other | ForEach-Object {
                    $Status = $_
                    # Split the table into lines and find the lines that contain the Status
                    $htmlTable -split "`r`n" | Where-Object {
                        # Select only lines that have <tr><td>*>$($Status)<*
                        $_ -like "<tr><td>*>$($Status)<*"
                    } | ForEach-Object {
                        # Escape the line for regex
                        $LineEscaped = [regex]::Escape($_)
                        if ($_ -like "*$Status*") {
                            # Replace the line with the line and add a class of 'other'
                            $htmlTable = $htmlTable -replace $LineEscaped, $($_ -replace "<tr>", "<tr class='other'>")
                        }
                    }
                }
            }
            # Add the Table to the report
            $htmlTable | ForEach-Object { $htmlReport.Add($_) }
        }
        end {
            # Return the HTML report
            $htmlReport | Out-String
        }
    }

    # Update the script variables with the Script Variables if they are not null
    if ($env:excludeProcess -and $env:excludeProcess -notlike "null") {
        $ExcludeProcess = $env:excludeProcess
    }
    if ($env:excludeProcessFromCustomField -and $env:excludeProcessFromCustomField -notlike "null") {
        $ExcludeProcessFromCustomField = $env:excludeProcessFromCustomField
    }
    if ($env:saveResultsToMultilineCustomField -and $env:saveResultsToMultilineCustomField -notlike "null") {
        $SaveResultsToMultilineCustomField = $env:saveResultsToMultilineCustomField
    }
    if ($env:saveResultsToWysiwygCustomField -and $env:saveResultsToWysiwygCustomField -notlike "null") {
        $SaveResultsToWysiwygCustomField = $env:saveResultsToWysiwygCustomField
    }

    # If ExcludeProcess is a comma-separated list, split it into an array
    if ($ExcludeProcess -like '*,*') {
        $ExcludeProcess = $ExcludeProcess -split ',' | ForEach-Object {
            if ($_ -like '*,*') {
                $_ -split ',' | ForEach-Object { "$_".Trim() }
            }
            else { "$_".Trim() }
        }
    }
    # If ExcludeProcessFromCustomField is not null, get a list of processes to exclude from the Custom Field
    if ($ExcludeProcessFromCustomField -and $ExcludeProcessFromCustomField -notlike "null") {
        try {
            # Get the processes to exclude from the Custom Field
            $TempString = $(Get-NinjaProperty -Name $ExcludeProcessFromCustomField)
            # If the Custom Field is empty, throw an error
            if ([string]::IsNullOrWhiteSpace($TempString)) {
                throw "Empty"
            }
            # If the Custom Field is a comma-separated list, split it into an array
            $ExcludeProcess = $TempString -split ',' | ForEach-Object { "$_".Trim() }
        }
        catch {
            # If the Custom Field is empty, output a warning
            if ($_.Exception.Message -like "Empty") {
                Write-Host "[Warn] The Custom Field($ExcludeProcessFromCustomField) is empty"
            }
            else {
                # If the Custom Field is Like empty, output an error
                Write-Host "[Warn] Failed to get processes to exclude from Custom Field($ExcludeProcessFromCustomField)"
            }
        }
    }
}
process {
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }

    # Get processes and if excluding, look at Name, Path/FileName, and ProductName
    $Processes = $(
        if ($ExcludeProcess) {
            # Output excluded processes
            Write-Host "Excluding Processes:"
            $ExcludeProcess | Out-String | Write-Host
            # Get processes and exclude based on Name, Path/FileName, and ProductName
            Get-Process | Where-Object {
                $(
                    $_.Name -notin $ExcludeProcess -and
                    $(
                        if ($_.Path) {
                            Split-Path $_.Path -Leaf
                        }
                        else { $_.FileName }
                    ) -notin $ExcludeProcess -and
                    $_.ProductName -notin $ExcludeProcess
                )
            }
        }
        else {
            # Get all processes if no exclusion is specified
            Get-Process
        }
    )

    # Reduce list to just the paths and get signed status
    $ProcessesWithSigned = $Processes | Sort-Object -Unique -Property Path | ForEach-Object {
        if ($_.Path) {
            # Get the signer certificate
            $Signature = Get-AuthenticodeSignature -FilePath $_.Path

            # Check if the signer certificate is trusted
            $Status = if ($Signature.Status -eq "Valid") {
                "Signed"
            }
            else {
                $Signature.Status
            }

            # Output the process name, description, path, id, and signed status
            [PSCustomObject]@{
                Name        = $_.Name
                Description = $_.Description
                Path        = $_.Path
                Id          = $_.Id
                Signed      = $Status
            }
            $Status = $null
        }
    }

    # Get unsigned processes
    $Unsigned = $ProcessesWithSigned | Where-Object { $_.Signed -notlike "Signed" }
    if ($Unsigned -and $Unsigned.Count) {
        # Output number of processes
        Write-Host "Unsigned Processes Found: $($Unsigned.Count)"
    }
    elseif ($Unsigned) {
        # Handle edge case where $Unsigned isn't an array of items, but is an object alone
        Write-Host "Unsigned Processes Found: 1"
    }
    else {
        # If $Unsigned doesn't have a count and isn't a object, assume there are 0 unsigned processes found
        Write-Host "Unsigned Processes Found: 0"
    }

    # Output unsigned processes for Activity Feed
    $Unsigned | Out-String | Write-Host

    $HasErrors = $false
    # Save results to a Multi-Line custom field
    if ($SaveResultsToMultilineCustomField -and $SaveResultsToMultilineCustomField -notlike "null") {
        try {
            $Unsigned | Out-String | Set-NinjaProperty -Name $SaveResultsToMultilineCustomField
            Write-Host "[Info] Updated Multiline Custom Field($SaveResultsToMultilineCustomField)"
        }
        catch {
            if ($_.Exception.Message -like "*Unable to find the specified field*") {
                Write-Host "[Error] Unable to find and save to the Custom Field ($SaveResultsToMultilineCustomField)"
            }
            else {
                Write-Host "[Error] ninjarmm-cli returned error: $($_.Exception.Message)"
            }
            $HasErrors = $true
        }
    }
    else {
        Write-Host "[Info] Not updating Multiline Custom Field($SaveResultsToWysiwygCustomField) due to not being specified or inaccessible."
    }

    # Save results to a WYSIWYG custom field
    if ($SaveResultsToWysiwygCustomField -and $SaveResultsToWysiwygCustomField -notlike "null") {
        try {
            ConvertTo-WysiwygHtml -Value $Unsigned | Set-WysiwygCustomField -Name $SaveResultsToWysiwygCustomField
            Write-Host "[Info] Updated Wysiwyg Custom Field($SaveResultsToWysiwygCustomField)"
        }
        catch {
            if ($_.Exception.Message -like "*Unable to find the specified field*") {
                Write-Host "[Error] Unable to find and save to the Custom Field ($SaveResultsToWysiwygCustomField)"
            }
            else {
                Write-Host "[Error] ninjarmm-cli returned error: $($_.Exception.Message)"
            }
            $HasErrors = $true
        }
    }
    else {
        Write-Host "[Info] Not updating Wysiwyg Custom Field($SaveResultsToWysiwygCustomField) due to not being specified or inaccessible."
    }
    if ($HasErrors) {
        exit 1
    }
}
end {
    
    
    
}

 

Access over 300+ scripts in the NinjaOne Dojo

Get Access

How the Script Works

The provided PowerShell script is designed to verify the signatures of all running processes on a Windows system and report on those that are unsigned. Below is a step-by-step breakdown of how the script operates:

  1. Initial Setup: The script starts by defining several functions essential for its operation, such as checking if the script is being run with administrative privileges (Test-IsElevated) and retrieving or setting custom fields in NinjaOne (Get-NinjaProperty and Set-NinjaProperty).
  2. Parameter Handling: The script accepts several parameters, allowing users to exclude specific processes from verification, retrieve exclusion lists from custom fields, and save results to custom fields (both multi-line and WYSIWYG formats).
  3. Process Collection and Exclusion: It gathers a list of all running processes on the system. If the user specifies any exclusions (either through direct parameters or custom fields), these processes are filtered out.
  4. Signature Verification: The script checks each process’s signature using the Get-AuthenticodeSignature cmdlet. Processes that are not signed or have a status other than “Valid” are flagged as unsigned.
  5. Result Handling: Unsigned processes are then displayed in the console, and if specified, saved to custom fields in NinjaOne. The script can format the output in HTML for WYSIWYG fields, making it easy to include in reports or dashboards.
  6. Error Handling and Reporting: The script includes comprehensive error handling to manage issues like missing custom fields or exceeding character limits in custom fields. Any errors encountered are reported back to the user, ensuring transparency.

Hypothetical Use Case

Imagine an IT administrator managing a network of computers for a financial institution. Security is a top priority, and the administrator needs to ensure that only legitimate processes are running on all machines.

Using this script, the administrator can regularly verify that all running processes are signed, automatically exclude known safe processes, and report any unsigned processes for further investigation.

The results are saved to custom fields within NinjaOne, allowing the administrator to easily review the findings and maintain a secure environment.

Comparisons to Other Methods

Traditional methods of verifying running processes might involve manual checks using tools like Task Manager or third-party security software. However, these approaches are often time-consuming and prone to human error. In contrast, this PowerShell script automates the entire process, providing a faster, more reliable method of verification.

Additionally, the script’s integration with NinjaOne’s custom fields offers a seamless way to document and track verification results over time, which is not easily achievable with manual methods.

Frequently Asked Questions

What does it mean if a process is unsigned?

An unsigned process means that the executable running the process does not have a valid digital signature. This could indicate that the process is from an untrusted source or has been tampered with.

Can I customize which processes are excluded from verification?

Yes, the script allows you to exclude specific processes by name, path, or product name, either through parameters or by specifying a custom field in NinjaOne.

What happens if the script encounters an error?

The script includes robust error handling. If it encounters an error, such as a missing custom field or an invalid process exclusion, it will report the issue in the console output.

Is this script compatible with all versions of Windows?

The script requires Windows 10 or Windows Server 2012 and later, with PowerShell version 5.1 or higher.

Implications of the Script’s Results

The implications of finding unsigned processes on a system can be significant. Such processes could represent a security risk, potentially being malware or unauthorized software.

By identifying these processes, IT professionals can take action to remove or further investigate them, thereby reducing the risk of a security breach. Regularly running this script can help maintain a secure environment, ensuring that only trusted software is running on critical systems.

Best Practices When Using This Script

  • Run with Administrator Privileges: Ensure that the script is always run with administrative privileges to allow it full access to system processes.
  • Regular Execution: Schedule the script to run at regular intervals, ensuring that process verification is part of your routine security checks.
  • Customize Exclusions Carefully: Only exclude processes that are known and trusted to avoid missing potential security threats.
  • Review and Act on Results: Always review the results of the script carefully and take appropriate action on any unsigned processes identified.

Final Thoughts

In an era where cybersecurity threats are ever-evolving, tools like this PowerShell script are essential for IT professionals and MSPs. By automating the verification of running processes and ensuring that only signed executables are active, this script helps maintain the security and integrity of your systems.

Integrated with NinjaOne, it becomes even more powerful, allowing for streamlined reporting and action. Incorporating such practices into your IT management routines will contribute significantly to a secure and well-maintained IT environment.

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service deliver tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about NinjaOne Remote Script Deployment, check out a live tour, or start your free trial of the NinjaOne platform.

Categories:

You might also like

How to Monitor Log Files on macOS with a Custom Bash Script

How to Monitor Log Files and Detect Specific Text on Linux Using a Bash Script

How to Use PowerShell to Monitor Text Files and Trigger Alerts for IT Professionals

How to Automate Microsoft Safety Scanner Using a PowerShell Script

Comprehensive Guide to Using PowerShell for Efficient Event Log Searches

How to Use PowerShell to Detect Open and Established Ports in Windows

Watch Demo×
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).