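# Lists running, non-disabled services whose executable does NOT carry a valid Microsoft
# Authenticode signature, so an operator can review third-party or unsigned service binaries.
# Output columns: Name, DisplayName, StartMode, State, Company
#   Company is "<signer subject>;<issuer>" for a signed binary (prefixed with the signature
#   Status whenever it is anything but Valid), or one of the status strings assigned below.
# NOTE: the `powershell -EncodedCommand ...` line further down this file is a base64/UTF-16LE
#       copy of an earlier revision of this script; regenerate it after editing the script.

#######################################
# Extract the executable path from a service PathName.
# Arguments: $PathName - raw Win32_Service.PathName, e.g. "C:\x y\a.exe" -k  or  C:\x\a.exe -k
# Outputs:   the path string. A quoted path is unwrapped; an unquoted path is resolved by
#            trying progressively longer space-delimited prefixes, so an unquoted path that
#            itself contains spaces (C:\Program Files\x\a.exe -k) is not cut at the first
#            space. Falls back to the first token when no prefix names an existing file.
#######################################
function Get-ServiceExecutablePath {
    param([string]$PathName)
    $raw = $PathName.Trim()
    if ($raw -match '^"(.+?)"') {
        return $matches[1]
    }
    $tokens = $raw.Split(' ')
    for ($n = 1; $n -le $tokens.Count; $n++) {
        $candidate = $tokens[0..($n - 1)] -join ' '
        # Empty candidate guard: Test-Path rejects an empty -LiteralPath at binding time.
        if ($candidate -and (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue)) {
            return $candidate
        }
    }
    return $tokens[0]
}

#######################################
# Decide whether an Authenticode signature should be trusted as Microsoft's.
# Arguments: $Signature - object returned by Get-AuthenticodeSignature
# Returns:   $true only when the signature chain Status is Valid AND the signer subject names
#            Microsoft Corporation as the organisation (O=). A bare substring test such as
#            'Microsoft|Windows' on the subject/issuer text is deliberately not used: any
#            certificate, including a self-signed one, can carry those words in its name,
#            and a certificate with a broken or untrusted chain must not hide a service.
#######################################
function Test-MicrosoftSignature {
    param($Signature)
    if ($null -eq $Signature.SignerCertificate) { return $false }
    if ($Signature.Status -ne 'Valid') { return $false }
    return [bool]($Signature.SignerCertificate.Subject -match '(^|,\s*)O=Microsoft Corporation(,|$)')
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.StartMode -ne 'Disabled' } |
    ForEach-Object {
        # Capture the pipeline object: inside `catch`, $_ is the error record, not the service.
        $service = $_
        $isMicrosoft = $false
        $signerInfo = '无可执行路径'

        if ($service.PathName) {
            $exePath = Get-ServiceExecutablePath -PathName $service.PathName

            # Only sign-check something that exists and is a file (not a directory).
            if ($exePath -and (Test-Path -LiteralPath $exePath -PathType Leaf -ErrorAction SilentlyContinue)) {
                try {
                    $sig = Get-AuthenticodeSignature -FilePath $exePath -ErrorAction Stop
                    if ($sig.SignerCertificate) {
                        $subject = $sig.SignerCertificate.Subject
                        $issuer = $sig.SignerCertificate.Issuer
                        $signerInfo = "$subject;$issuer"
                        if ($sig.Status -ne 'Valid') {
                            # Surface why a signed-looking binary is still listed (e.g. HashMismatch).
                            $signerInfo = "$($sig.Status): $signerInfo"
                        }
                        $isMicrosoft = Test-MicrosoftSignature -Signature $sig
                    } else {
                        $signerInfo = '未签名'
                    }
                } catch {
                    $signerInfo = "签名错误: $($_.Exception.Message)"
                }
            } else {
                $signerInfo = '路径无效或非文件'
            }
        }

        # Emit only services that did not pass the Microsoft-signature check.
        if (-not $isMicrosoft) {
            [PSCustomObject]@{
                Name        = $service.Name
                DisplayName = $service.DisplayName
                StartMode   = $service.StartMode
                State       = $service.State
                Company     = $signerInfo
            }
        }
    } |
    Sort-Object DisplayName |
    Format-Table -AutoSize -Property Name, DisplayName, StartMode, State, Company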
虽然 PowerShell 可以直接执行，但 .ps1 的执行不如 .bat 方便，因此制作了此脚本（下面的 -EncodedCommand 仅是编码，并非加密）
powershell -EncodedCommand "RwBlAHQALQBDAGkAbQBJAG4AcwB0AGEAbgBjAGUAIAAtAEMAbABhAHMAcwBOAGEAbQBlACAAVwBpAG4AMwAyAF8AUwBlAHIAdgBpAGMAZQAgAHwACgAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAuAFMAdABhAHQAZQAgAC0AZQBxACAAJwBSAHUAbgBuAGkAbgBnACcAIAAtAGEAbgBkACAAJABfAC4AUwB0AGEAcgB0AE0AbwBkAGUAIAAtAG4AZQAgACcARABpAHMAYQBiAGwAZQBkACcAIAB9ACAAfAAKAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsACgAgACAAIAAgACQAaQBzAE0AaQBjAHIAbwBzAG8AZgB0ACAAPQAgACQAZgBhAGwAcwBlAAoAIAAgACAAIAAkAHMAaQBnAG4AZQByAEkAbgBmAG8AIAA9ACAAJwDgZe9TZ2JMiO+NhF8nAAoACgAgACAAIAAgAGkAZgAgACgAJABfAC4AUABhAHQAaABOAGEAbQBlACkAIAB7AAoAIAAgACAAIAAgACAAIAAgACMAIADQY9ZT71NnYkyIh2X2Tu+NhF8I/wRZBnQmXhVf91MvAMJTcGWEdu+NhF8J/woAIAAgACAAIAAgACAAIAAgACQAZQB4AGUAUABhAHQAaAAgAD0AIAAkAF8ALgBQAGEAdABoAE4AYQBtAGUALgBUAHIAaQBtACgAKQAKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAZQB4AGUAUABhAHQAaAAgAC0AbQBhAHQAYwBoACAAJwBeAFwAIgAoAC4AKwA/ACkAXAAiACcAKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAeABlAFAAYQB0AGgAIAA9ACAAJABtAGEAdABjAGgAZQBzAFsAMQBdACAAIAAjACAA0GPWUxVf91OFUe+NhF8KACAAIAAgACAAIAAgACAAIAB9ACAAZQBsAHMAZQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGUAeABlAFAAYQB0AGgAIAA9ACAAJABlAHgAZQBQAGEAdABoAC4AUwBwAGwAaQB0ACgAJwAgACcAKQBbADAAXQAgACAAIwAgANZTLHsATipOeno8aE1ShHbokAZSCgAgACAAIAAgACAAIAAgACAAfQAKAAoAIAAgACAAIAAgACAAIAAgACMAIACMmsGLL2YmVDpOh2X2Tgj/XpfudlVfCf8UTlhbKFcKACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAZQB4AGUAUABhAHQAaAAgAC0AYQBuAGQAIAAoAFQAZQBzAHQALQBQAGEAdABoACAALQBMAGkAdABlAHIAYQBsAFAAYQB0AGgAIAAkAGUAeABlAFAAYQB0AGgAIAAtAFAAYQB0AGgAVAB5AHAAZQAgAEwAZQBhAGYAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAKQApACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5ACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABzAGkAZwAgAD0AIABHAGUAdAAtAEEAdQB0AGgAZQBuAHQAaQBjAG8AZABlAFMAaQBnAG4AYQB0AHUAcgBlACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAeABlAFAAYQB0AGgAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABzAGkAZwAuAFMAaQBnAG4AZQByAEMAZQByAHQAaQBmAGkAYwBh
AHQAZQApACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHMAdQBiAGoAZQBjAHQAIAA9ACAAJABzAGkAZwAuAFMAaQBnAG4AZQByAEMAZQByAHQAaQBmAGkAYwBhAHQAZQAuAFMAdQBiAGoAZQBjAHQACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABpAHMAcwB1AGUAcgAgAD0AIAAkAHMAaQBnAC4AUwBpAGcAbgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAC4ASQBzAHMAdQBlAHIACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABzAGkAZwBuAGUAcgBJAG4AZgBvACAAPQAgACIAJABzAHUAYgBqAGUAYwB0ADsAJABpAHMAcwB1AGUAcgAiAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACMAIADAaOVnL2YmVK5fb49+ew1UCgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAHMAaQBnAG4AZQByAEkAbgBmAG8AIAAtAG0AYQB0AGMAaAAgACcATQBpAGMAcgBvAHMAbwBmAHQAfABXAGkAbgBkAG8AdwBzACcAKQAgAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAGkAcwBNAGkAYwByAG8AcwBvAGYAdAAgAD0AIAAkAHQAcgB1AGUACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQAgAGUAbABzAGUAIAB7AAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcwBpAGcAbgBlAHIASQBuAGYAbwAgAD0AIAAnACpnfnsNVCcACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9ACAAYwBhAHQAYwBoACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABzAGkAZwBuAGUAcgBJAG4AZgBvACAAPQAgACIAfnsNVBmV74s6ACAAJAAoACQAXwAuAEUAeABjAGUAcAB0AGkAbwBuAC4ATQBlAHMAcwBhAGcAZQApACIACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAAgACAAIAAgAH0AIABlAGwAcwBlACAAewAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAcwBpAGcAbgBlAHIASQBuAGYAbwAgAD0AIAAnAO+NhF/gZUhlFmJel4dl9k4nAAoAIAAgACAAIAAgACAAIAAgAH0ACgAgACAAIAAgAH0ACgAKACAAIAAgACAAaQBmACAAKAAtAG4AbwB0ACAAJABpAHMATQBpAGMAcgBvAHMAbwBmAHQAKQAgAHsACgAgACAAIAAgACAAIAAgACAAWwBQAFMAQwB1AHMAdABvAG0ATwBiAGoAZQBjAHQAXQBAAHsACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABOAGEAbQBlACAAIAAgACAAIAAgACAAIAA9ACAAJABfAC4ATgBhAG0AZQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgAD0AIAAkAF8ALgBEAGkAcwBwAGwAYQB5AE4AYQBtAGUACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABTAHQAYQByAHQATQBvAGQAZQAg
ACAAIAA9ACAAJABfAC4AUwB0AGEAcgB0AE0AbwBkAGUACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABTAHQAYQB0AGUAIAAgACAAIAAgACAAIAA9ACAAJABfAC4AUwB0AGEAdABlAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQwBvAG0AcABhAG4AeQAgACAAIAAgACAAPQAgACQAcwBpAGcAbgBlAHIASQBuAGYAbwAKACAAIAAgACAAIAAgACAAIAB9AAoAIAAgACAAIAB9AAoAfQAgAHwACgBTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAB8AAoARgBvAHIAbQBhAHQALQBUAGEAYgBsAGUAIAAtAEEAdQB0AG8AUwBpAHoAZQAgAC0AUAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQAsACAARABpAHMAcABsAGEAeQBOAGEAbQBlACwAIABTAHQAYQByAHQATQBvAGQAZQAsACAAUwB0AGEAdABlACwAIABDAG8AbQBwAGEAbgB5AA=="