Trying to print the last threat detected by Windows Defender with a hybrid Windows shell / PowerShell script. It does work, but prints the output incorrectly for some reason:
for /f "tokens=1-4" %%a in ('
    powershell "Get-MpThreatDetection | Select-Object -Last 1 -Property ThreatID,Resources,RemediationTime |ft -HideTableHeader"
') do (
    for /f "tokens=* delims=" %%A in ('
        powershell "Get-MpThreat -ThreatID %%a | Select-Object -ExpandProperty ThreatName"
    ') do (
        for /f "tokens=2 delims=_}" %%X in ("%%b") do (
            REM == Name, File, Date, Time
            echo %%A --- %%X -- %%c - %%d
        )
    )
)
I got this output:
Trojan:Win32/Wacatac.B\Users\user\AppData\Local\Temp\spd.exe - 28/11/2020 - 10:45:50
instead of expected:
Trojan:Win32/Wacatac.B!ml --- C:\Users\user\AppData\Local\Temp\spd.exe -- 28/11/2020 - 10:45:50
I am aware it could depend on the specific output, so the output of the first loop is:
2147735505 {file:_C:\Users\lazna\AppData\Local\Temp\spd.exe} 28/11/2020 10:45:50
and the output of the second loop is:
Trojan:Win32/Wacatac.B!ml
Delayed expansion is NOT enabled. What am I doing wrong?
Last edited by lazna (28 Nov 2020 11:17)
Using a CMD batch file to try and parse the output of PowerShell is the wrong approach to this I think.
PowerShell will output unicode characters that CMD can't deal with, in some cases (with the latest terminal) it will reflow the output dependent on the size of the window.
Working entirely in PowerShell, you can pipe the output from Get-MpThreatDetection into Get-MpThreat.
Something like:
$detection = Get-MpThreatDetection ...
# Get-MpThreat needs the numeric ThreatID; $_ is only defined inside a pipeline script block
$detection | ForEach-Object { Get-MpThreat -ThreatID $_.ThreatID }
Thanks for pointing me in the right direction, I did not know about such an issue with PowerShell one-liners. After some time of googling it seems I have a solution:
https://stackoverflow.com/questions/897 … 3#35462763
What about adding such info to https://ss64.com/ps/write-host.html ?
Last edited by lazna (30 Nov 2020 00:38)
Done, thanks lazna
Found one issue with this solution:
Appending Write-Host to a one-liner which ends with Format-Table does not work. Both cmdlets should be "last in line", which is obviously not possible. Any ideas?
Found one issue with this solution:
Appending Write-Host to a one-liner which ends with Format-Table does not work. Both cmdlets should be "last in line", which is obviously not possible. Any ideas?
This suggests you can convert the table to a string with | Format-Table | Out-String | Write-Host
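Putting the two suggestions in this thread together (doing the lookup entirely in PowerShell, and forcing table output through Out-String | Write-Host so cmd's for /f gets unwrapped lines), here is an added example script; it is not code from any poster. It assumes a Windows host with the Defender module (Get-MpThreatDetection, Get-MpThreat) and that the first Resources entry has the "file:_<path>" shape shown in the question.

```powershell
# Added example: resolve the most recent Defender detection to
# "<ThreatName> --- <path> -- <date> - <time>" without parsing in cmd.
# Assumes the Defender cmdlets are available (Windows with Microsoft Defender).

$detection = Get-MpThreatDetection | Select-Object -Last 1
if ($null -eq $detection) {
    Write-Host 'No detections recorded'
    return
}

# Resources is a string array such as 'file:_C:\Users\x\AppData\Local\Temp\a.exe'.
# Drop everything up to and including the first '_' to get the bare path.
$resource = ($detection.Resources | Select-Object -First 1) -replace '^[^_]*_', ''

# Map the numeric ThreatID to its catalogue name (the OP's second loop).
$name = (Get-MpThreat -ThreatID $detection.ThreatID).ThreatName

# Invariant culture keeps '/' and ':' literal regardless of the host locale.
$when = $detection.RemediationTime.ToString('dd/MM/yyyy - HH:mm:ss',
                                           [cultureinfo]::InvariantCulture)

# Build the line ourselves; nothing here depends on console width, so it
# cannot be reflowed or truncated when captured by for /f.
Write-Host ('{0} --- {1} -- {2}' -f $name, $resource, $when)

# If you really want Format-Table output, this is the fix from the reply above:
# Out-String renders the table to text (at an explicit width so long paths do
# not wrap), and Write-Host then sends that text to the console.
$detection |
    Select-Object -Property ThreatID, Resources, RemediationTime |
    Format-Table -HideTableHeaders |
    Out-String -Width 4096 |
    Write-Host
```

Run it as `powershell -File <script>.ps1` from the batch file and capture only the first line with `for /f "delims=" %%L in (...)` if you still need the value inside cmd.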
That's it! Thanks