
#1 28 Nov 2020 11:15

lazna
Member
Registered: 15 Apr 2020
Posts: 12

Strange ECHO behaviour

Trying to print the last threat detected by Windows Defender with a hybrid Windows shell / PowerShell script. It does work, but prints the output incorrectly for some reason:

for /f "tokens=1-4" %%a in ('
			powershell "Get-MpThreatDetection | Select-Object -Last 1 -Property ThreatID,Resources,RemediationTime |ft -HideTableHeader"
			') do (
			for /f "tokens=* delims=" %%A in ('
						powershell "Get-MpThreat -ThreatID %%a | Select-Object -ExpandProperty ThreatName"
						') do (
						for /f "tokens=2 delims=_}" %%X in ("%%b") do (
REM == 								Name, File, Date, Time
									echo %%A --- %%X -- %%c - %%d
									)
						)
			)

got output:

Trojan:Win32/Wacatac.B\Users\user\AppData\Local\Temp\spd.exe - 28/11/2020 - 10:45:50

instead of expected:

Trojan:Win32/Wacatac.B!ml --- C:\Users\user\AppData\Local\Temp\spd.exe -- 28/11/2020 - 10:45:50

I am aware it could depend on the specific output, so the output of the first loop is:

2147735505 {file:_C:\Users\lazna\AppData\Local\Temp\spd.exe} 28/11/2020 10:45:50

and output of second loop is:

Trojan:Win32/Wacatac.B!ml

Delayed expansion is NOT enabled. What am I doing wrong?

Last edited by lazna (28 Nov 2020 11:17)


#2 29 Nov 2020 18:15

Simon Sheppard
Admin
Registered: 27 Aug 2005
Posts: 1,130
Website

Re: Strange ECHO behaviour

Using a CMD batch file to try and parse the output of PowerShell is the wrong approach to this, I think.
PowerShell will output Unicode characters that CMD can't deal with; in some cases (with the latest terminal) it will reflow the output dependent on the size of the window.

Working entirely in PowerShell, you can pipe the output from Get-MpThreatDetection into Get-MpThreat.
Something like:

$detection = Get-MpThreatDetection ...
$detection | ForEach-Object { Get-MpThreat -ThreatID $_.ThreatID }


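The all-PowerShell approach suggested in post #2, as an added example that is not part of any post in this thread: it looks up the newest detection, resolves its name, and emits a single plain string so nothing has to be tokenised by CMD. Format-ThreatLine is a hypothetical helper name, and the fallback object is a constructed sample built from the values quoted in post #1.

```powershell
# Added example: report the most recent Defender detection as one line of text.
# Format-ThreatLine is a hypothetical helper, not a Defender cmdlet.
function Format-ThreatLine {
    param(
        [Parameter(Mandatory)] $Detection,          # needs Resources and RemediationTime
        [Parameter(Mandatory)] [string] $ThreatName
    )
    # Resources holds strings such as "file:_C:\path\file.exe";
    # drop the "<scheme>:_" prefix and keep the path itself.
    $paths = foreach ($r in @($Detection.Resources)) {
        if ($r -match '^[a-z]+:_(.+)$') { $Matches[1] } else { $r }
    }
    # Invariant culture keeps "/" and ":" literal regardless of regional settings.
    $when = if ($Detection.RemediationTime) {
        ([datetime]$Detection.RemediationTime).ToString(
            'dd/MM/yyyy - HH:mm:ss', [cultureinfo]::InvariantCulture)
    } else { 'not remediated' }
    '{0} --- {1} -- {2}' -f $ThreatName, ($paths -join '; '), $when
}

if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    # Sort explicitly instead of relying on the order the cmdlet returns.
    $last = Get-MpThreatDetection |
        Sort-Object InitialDetectionTime |
        Select-Object -Last 1
    if ($last) {
        $name = (Get-MpThreat -ThreatID $last.ThreatID).ThreatName
        # The threat entry may no longer be in the catalog; fall back to the ID.
        if (-not $name) { $name = "ThreatID $($last.ThreatID)" }
        Format-ThreatLine -Detection $last -ThreatName $name
    } else {
        'No detections recorded'
    }
} else {
    # Constructed sample (values from post #1) for machines without the Defender module.
    $sample = [pscustomobject]@{
        ThreatID        = 2147735505
        Resources       = @('file:_C:\Users\user\AppData\Local\Temp\spd.exe')
        RemediationTime = [datetime]'2020-11-28T10:45:50'
    }
    Format-ThreatLine -Detection $sample -ThreatName 'Trojan:Win32/Wacatac.B!ml'
}
```
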
#3 29 Nov 2020 23:34

lazna
Member
Registered: 15 Apr 2020
Posts: 12

Re: Strange ECHO behaviour

Thanks for pointing me in the right direction, I did not know about such an issue with PowerShell one-liners. After some time googling, it seems I have a solution:

https://stackoverflow.com/questions/897 … 3#35462763

What about adding such info to https://ss64.com/ps/write-host.html ?

Last edited by lazna (30 Nov 2020 00:38)


#4 30 Nov 2020 01:06

Simon Sheppard
Admin
Registered: 27 Aug 2005
Posts: 1,130
Website

Re: Strange ECHO behaviour

Done, thanks lazna


#5 01 Dec 2020 10:37

lazna
Member
Registered: 15 Apr 2020
Posts: 12

Re: Strange ECHO behaviour

Found one issue with this solution:

Appending Write-Host to a one-liner which ends with Format-Table does not work. Both cmdlets should be "last in line", which is obviously not possible. Any ideas?


#6 01 Dec 2020 13:15

Simon Sheppard
Admin
Registered: 27 Aug 2005
Posts: 1,130
Website

Re: Strange ECHO behaviour

lazna wrote:

Found one issue with this solution:

Appending Write-Host to a one-liner which ends with Format-Table does not work. Both cmdlets should be "last in line", which is obviously not possible. Any ideas?

This suggests you can convert the table to a string with | Format-Table | Out-String | Write-Host

https://stackoverflow.com/questions/365 … write-host


#7 01 Dec 2020 22:14

lazna
Member
Registered: 15 Apr 2020
Posts: 12

Re: Strange ECHO behaviour

That's it! Thanks

