=Start=
Background:
Earlier I put together how to get the list of installed software on macOS; here I collect several ways to get the list of installed software on Windows, for reference when it is needed later.
Body:
Reference answers:
Roughly the following methods:
- Query the registry; most write-ups use PowerShell for this
Related registry keys:
HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
PowerShell commands:
# One-liner: table of the 32-bit (Wow6432Node) entries
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -AutoSize
# Loop over the subkeys and read the values directly from each key
$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"
foreach ($obj in $InstalledSoftware) {
    Write-Host $obj.GetValue('DisplayName') -NoNewline
    Write-Host " - " -NoNewline
    Write-Host $obj.GetValue('DisplayVersion')
}
# Same idea, but turning each subkey into a property object first
$loc = Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall
$names = $loc | ForEach-Object { Get-ItemProperty $_.PsPath }
foreach ($name in $names) {
    Write-Host $name.DisplayName
}
- Use the wmic command (Windows Management Instrumentation Command-Line Utility)
There are several ways to use wmic, but the core is the same:
- In CMD, first type wmic and press Enter to get into the wmic shell, then run the command there
/output:C:\InstalledPrograms.txt product get name,version
- Run the command directly in CMD
wmic /output:C:\InstalledPrograms2.txt product get name,version
- Use the Get-WmiObject cmdlet in PowerShell
Get-WmiObject -Class Win32_Product
Get-WmiObject -Class Win32_Product | where vendor -eq CodeTwo | select Name, Version
- Use the Get-WinEvent cmdlet in PowerShell to query the event log for recently installed software
Get-WinEvent -ProviderName msiinstaller | where id -eq 1033 | select timecreated,message | FL *
- Download the PsInfo command-line tool provided by Microsoft/Sysinternals
C:> psinfo -s > software.txt
C:> psinfo -s -c > software.csv
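As an added example (not code from the original post), a PowerShell function that walks all four Uninstall keys the registry method relies on (64-bit and Wow6432Node, machine-wide and per-user), skips placeholder entries with no DisplayName and, by default, the SystemComponent entries that Control Panel hides too, and returns objects you can export with Export-Csv. The function name, the SystemComponent filter and the output path are my choices; Win32_Product is deliberately not used, because querying it makes Windows Installer run a consistency check over every MSI package.

```powershell
# Added example: enumerate installed software from the Uninstall registry keys.
# Unlike Win32_Product this also lists non-MSI installers and is read-only
# (querying Win32_Product makes Windows Installer re-validate every MSI package).
function Get-InstalledSoftwareFromRegistry {
    [CmdletBinding()]
    param(
        # Include entries Control Panel hides (SystemComponent = 1)
        [switch]$IncludeSystemComponents
    )
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }   # the HKCU WOW6432Node key often does not exist
        $scope = if ($key -like 'HKLM:*') { 'Machine' } else { 'User' }
        $arch  = if ($key -like '*WOW6432Node*') { 'x86' } else { 'x64' }
        foreach ($item in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $item.PSPath -ErrorAction SilentlyContinue
            if (-not $p.DisplayName) { continue }   # keys without a name are not real programs
            if (-not $IncludeSystemComponents -and $p.SystemComponent -eq 1) { continue }
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                Publisher       = $p.Publisher
                InstallDate     = $p.InstallDate      # yyyyMMdd string when present
                Scope           = $scope
                Architecture    = $arch
                UninstallString = $p.UninstallString
                RegistryKey     = $item.PSChildName
            }
        }
    }
}

# Usage: sorted table on screen, plus a CSV to keep as a baseline for later comparison
$software = Get-InstalledSoftwareFromRegistry | Sort-Object DisplayName
$software | Format-Table DisplayName, DisplayVersion, Publisher, Scope, Architecture -AutoSize
$software | Export-Csv -Path "$env:USERPROFILE\Desktop\InstalledSoftware.csv" -NoTypeInformation -Encoding UTF8
```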
==
Above are the methods I collected for getting the installed-software list from the command line. Less technical users mostly work through a GUI instead; the main tools that offer this function are:
Built into the system: Control Panel
Built into newer systems: the Settings app (Settings app >> Apps >> Apps and features)
NirSoft UninstallView
CCleaner
Belarc Advisor
Geek Uninstaller
…
Reference links:
How to Get a List of All Installed Programs in Windows: 6 Ways
https://www.makeuseof.com/tag/list-installed-programs-windows/
7 Ways To Generate a List of Installed Programs in Windows
https://helpdeskgeek.com/how-to/generate-a-list-of-installed-programs-in-windows/
How to quickly check installed software versions
https://www.codetwo.com/admins-blog/how-to-check-installed-software-version/
2 Easy Ways to List Programs Installed in Windows
https://port135.com/2-easy-ways-to-list-programs-installed-in-windows/
How to: Using WMIC to Retrieve a List of All Installed Programs
https://community.spiceworks.com/how_to/111076-using-wmic-to-retrieve-a-list-of-all-installed-programs
Get list of installed applications from Windows command line
https://superuser.com/questions/68611/get-list-of-installed-applications-from-windows-command-line
How to Create a List of Your Installed Programs on Windows
https://www.howtogeek.com/165293/how-to-get-a-list-of-software-installed-on-your-pc-with-a-single-command/
8 Ways to Get List of Installed Programs For Backup in Windows
https://www.itechtics.com/list-installed-programs-windows-10/
=END=
5 comments on "How to get the list of installed software on Windows"
Category: Windows security
https://tttang.com/sort/windows/
A deep dive into registry monitoring
https://tttang.com/archive/1588/
`
# Preface
The registry is an important Windows database that stores a lot of important information as well as the settings of some applications, so monitoring the registry and preventing tampering is very necessary. On 64-bit systems Microsoft provides the callback function CmRegisterCallback to monitor registry operations in real time; since Microsoft offers such a convenient interface, viruses and trojans naturally use it as well. Here we explore the principle behind its implementation and how this callback function is used in attack and defense.
CmRegisterCallback
*To counter it better, you have to go down to the lower layers and see what this function actually does, whether for monitoring or anti-monitoring; only then can we make better use of it*
`
A brief discussion of hook attack and defense
https://tttang.com/archive/1558/
`
Attack and defense are relative; only by mastering the details can you counter the other side better.
`
How to check whether a USB device has been plugged into a Windows system?
Tips: How to check if USB is inserted on your computer
https://securityonline.info/tips-check-usb-inserted-computer/
`
If you want to check whether a USB device has been inserted into your own computer, you can use the Windows registry.
The Windows registry verifies the insertion of the USB device.
1. Press the WIN + R key
2. Type “regedit”, press Enter
3. Go to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00x\Enum\USBSTOR (HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR)
4. Now you can see the list of USB devices connected to your computer
`
Windows registry: forensic analysis
https://iforensic.wordpress.com/2011/11/07/windows-registry-forensic-analysis/
A Forensic Analysis Of The Windows Registry
https://www.forensicfocus.com/articles/a-forensic-analysis-of-the-windows-registry/
Tracing USB Device Identifiers on XP
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.93.5832&rep=rep1&type=pdf
Multiple ways to obtain the programs installed on a host
https://mp.weixin.qq.com/s/CAEtoKe6ijO39xMVZPRKkw
`
# 0x02 Viewing installed programs via Control Panel
Start menu -> Control Panel -> Programs -> Programs and Features
appwiz.cpl
# 0x03 Getting the installed-program list via WMI
The installed-program list obtained by querying Win32_Product through WMI is incomplete, because this method only returns programs installed through Windows Installer, so programs installed in other ways cannot be retrieved.
wmic product get name,version
wmic /namespace:\\root\cimv2 path win32_product get name,version
Get-WmiObject -Class win32_product | Select-Object -Property name,version
# 0x04 Getting the installed-program list via the registry
This approach generally reads the subkeys under the following four registry keys to get the programs installed on the host; each subkey represents one installed program and corresponds to the Programs and Features list in Control Panel. Wow6432Node holds the 32-bit programs.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKLM\SOFTWARE\WOW6432NODE\Microsoft\Windows\CurrentVersion\Uninstall
HKCU\SOFTWARE\WOW6432NODE\Microsoft\Windows\CurrentVersion\Uninstall
`
Penetration basics: obtaining the list of programs installed on the current system
https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E5%9F%BA%E7%A1%80-%E8%8E%B7%E5%BE%97%E5%BD%93%E5%89%8D%E7%B3%BB%E7%BB%9F%E5%B7%B2%E5%AE%89%E8%A3%85%E7%9A%84%E7%A8%8B%E5%BA%8F%E5%88%97%E8%A1%A8
`
0x05 Supplement
Usually, installed programs create shortcuts, so enumerating shortcut files can also yield a complete program list
Get all shortcuts via wmic:
wmic PATH Win32_ShortcutFile get name /FORMAT:table
0x06 Summary
This article explains why WMI cannot obtain the complete list of programs installed on the current system, and writes a PowerShell script that enumerates registry keys to obtain the complete program list. As an article introducing basic knowledge, I hope it can give newcomers some inspiration.
`
5 Ways to View the USB Device History in Windows
https://www.makeuseof.com/windows-view-usb-history/
`
# The underlying principle of monitoring USB device activity lies in the recording and parsing of the Windows event log
1. Using USBDeview to View USB Connections
2. Viewing USB Connection History Using PowerShell
3. Viewing USB Connection History in the Registry # Methods 2 and 3 cannot show when a USB device was connected or disconnected, but you can see that information in the Windows event log.
4. Viewing USB Connection History With Event Logs # Windows records everything that happens on your computer, and these logs contain the details of USB device connections and disconnections.
5. Viewing USB Connection History of Computers on Your Local Network
`
Monitoring USB drives in Windows using Wazuh (how to monitor USB peripherals on Windows with the help of Wazuh)
https://wazuh.com/blog/monitoring-usb-drives-in-windows-using-wazuh/
`
# Enabling ‘Audit PNP Activity’ events.
To enable USB storage drive detection, you first need to enable “Audit PNP Activity”. To do that, open Administrative Tools > Local Security Policy.
In this window, navigate to Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking > Audit PNP Activity.
We need to configure the “audit events” at least for “Success” events as shown below.
Once this change is applied, a new event will be generated every time a new external PNP device is recognized by the system.
As said in the prerequisites section above, in Windows 10 and Windows Server 2016, the generated event number will be 6416. More information about this event can be found here.
`
6416(S): A new external device was recognized by the System.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6416
Detecting USB drive insertion and removal using windows service and c#
https://stackoverflow.com/questions/620144/detecting-usb-drive-insertion-and-removal-using-windows-service-and-c-sharp
`
# WMI
SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2;
`
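As an added example that ties the Wazuh comment and the event 6416 link above together (it is not code from either source), a PowerShell function that reads event 6416 from the Security log, unpacks the EventData fields by name rather than by position, and keeps the records whose device ID comes from the USBSTOR enumerator mentioned in the regedit comment. It assumes “Audit PNP Activity” (Success) is enabled as described above and that the session has rights to read the Security log; the function name and the USBSTOR pattern are my choices.

```powershell
# Added example: list external PnP device recognitions (Security event 6416) for USB storage.
# Requires 'Audit PNP Activity' auditing for Success and rights to read the Security log
# (an elevated PowerShell session, or membership in Event Log Readers).
function Get-UsbStorageRecognitionEvents {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 500,
        # Regular expression applied to the joined field values; USB storage devices are
        # enumerated under USBSTOR\..., other USB devices under USB\... (adjust as needed)
        [string]$Pattern = 'USBSTOR\\'
    )
    $filter = @{ LogName = 'Security'; Id = 6416 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the <Data Name="..."> elements into a hashtable instead of relying on
        # positional Properties[] indexes, which are not self-describing.
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        if (($fields.Values -join ' ') -notmatch $Pattern) { continue }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            Fields      = $fields          # device ID, description, class name, ... as logged
        }
    }
}

# Usage: newest USB storage recognitions, one line each
Get-UsbStorageRecognitionEvents -MaxEvents 200 |
    ForEach-Object { '{0:u}  {1}' -f $_.TimeCreated, ($_.Fields.Values -join ' | ') }
```

Because 6416 is written to the Security log, the same query can be scheduled or shipped to a SIEM to flag removable storage appearing on hosts where it is not expected.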