Condividi tramite


Windows Resource Protection API call and PowerShell 2.0

A month ago, I was lucky enough to give a presentation on Isolated Applications and Side-by-side Assemblies to an ISV. Later, Maarten asked me if the side-by-side cache was protected by Windows Resource Protection. I checked and answered (“Yes”) but still wished I had a tool to quickly check if a file was protected or not. So I took this opportunity to learn a bit more about Boost:

#include <wtypes.h>

#include <boost/filesystem.hpp>

#include <iostream>

#include <Sfc.h>

#pragma comment(lib, "sfc")

using namespace boost::filesystem;

using namespace std;

int wmain() {

basic_recursive_directory_iterator<wpath> end_iterator;

basic_recursive_directory_iterator<wpath> iterator(L"C:\\Windows");

while (iterator != end_iterator) {

if (is_regular(iterator->status())) {

if (!SfcIsFileProtected(NULL, iterator->path().string().c_str()))

wcout << iterator->path() << endl;

}

try {

++iterator;

} catch (basic_filesystem_error<wpath> & e) {

wcout << L"\n\nException!" << endl

<< e.what() << endl

<< e.path1() << endl;

}

}

return 0;

}

But as Maarten doesn’t like C++, I decided to look at how to do this with PowerShell 2.0:

Add-Type -MemberDefinition '[DllImport("sfc.dll", CharSet = CharSet.Unicode, EntryPoint = "SfcIsFileProtected")] public static extern bool IsFileProtected(IntPtr zero, String filename);' -Name 'WindowsResourceProtection' -Namespace 'Win32'

function IsFileProtected {

param([string] $f = $(throw 'Please specify a file'))

return [Win32.WindowsResourceProtection]::IsFileProtected([IntPtr]::Zero, $f)

}

gci \Windows -r | ? {!(IsFileProtected($_))}

Of course, I guess I could have used SFC.EXE /VERIFYFILE=

But how would I have learned about those other topics then? Eh Maarten?