Put quotes around ImagePath keys

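If the ImagePath value for a service contains spaces, the path should be enclosed in quotes. Without the quotes, Windows can resolve the path to a different executable at one of the spaces, which would let malicious code run under the service's account.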

[VBScript code]
'Program: Service_ImagePath-Remediate.vbs V2.2.0.0
'Purpose: Enclose all service paths in quotes
' Author: Roger C  10/13/2017
'  Logic: 
'			Populate an array with the services that were identified by Qualys as having spaces without quotes
'			Loop the array, and compare it to the registry 
'			if service is found and the IMAGEPATH matches, enclose the IMAGEPATH value in quotes

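option explicit
'===[ Declare variables ]===

' Required for advanced logging (shared with LogWriteln / InitLogFile)
Dim LogFileHandle, objFSO, objNetwork, ScriptUser, ScriptComputer
Dim MaxLogFileSize : MaxLogFileSize = 10000		' InitLogFile rolls the log over once File.Size reaches this
' NOTE(review): ".\" is the script host's current working directory, which is not
' necessarily the script's own folder. The log is the only record of the values this
' script overwrites, so confirm it lands in a directory standard users cannot modify.
Dim LogFilenamePath : LogFilenamePath = ".\"

Dim i
Const ArrayRows = 48
Dim SvcArray(48,3) 		' == stores the remediation details == (keep the literal bound in step with ArrayRows)
							' SvcArray(x,1) is the service name
							' SvcArray(x,2) is the original (incorrect) value
							' SvcArray(x,3) is the new (correct) value

Dim WriteErrNumber, WriteErrText	' outcome of the last RegWrite, kept for the log

Dim objShell ' ==[ initialize the shell object, or error out
on error resume next
Set objShell = CreateObject("wscript.shell")
on error goto 0
If  NOT IsObject(objShell) then
	LogWriteln("Error: unable to create Wscript.shell object. Unable to continue.")
	Wscript.quit 1		' non-zero exit so a deployment tool does not record this run as a success
end if

Dim RegLocation : RegLocation = "SYSTEM\CurrentControlSet\Services"
Dim RegKey, KeyValue

Dim msgExit : msgExit = "--- Exiting the routine"

FillArray

for i = 1 to ArrayRows 														' loop through the array of registry keys
	KeyValue = ""
	RegKey = "HKLM\" & RegLocation & "\" & SvcArray(i,1) & "\ImagePath"
	on error resume next													' a missing service/value leaves KeyValue = ""
	' NOTE(review): confirm whether RegRead returns REG_EXPAND_SZ data with environment
	' variables already expanded; if it does, the %systemroot% / %ProgramFiles% rows can never match.
	KeyValue = objShell.regread(Regkey) 									' read ImagePath for this row
	on error goto 0
	if KeyValue <> "" then              									' if we found some data to work with
		LogWriteln( "      RegLocation: " & RegKey)							' the current value is logged before any change
		LogWriteln( "    Current value: " & KeyValue)
		LogWriteln( "       Compare to: " & SvcArray(i,2))
		' The comparison is exact and case-sensitive. A mismatch only means the value differs
		' from the scan report (different case, added arguments, already quoted, ...); it does
		' not by itself prove the path is quoted, so re-scan after the run.
		if KeyValue <> SvcArray(i,2) then 									' value differs from the problematic data reported by Qualys
			LogWriteln( "          Results: Does not match Qualys report.  Remediation is not required")
		else
			LogWriteln( "          Results: Current value matches the Qualys report.  Remediation is required")
			LogWriteln( "        Change to: " & SvcArray(i,3))
			LogWriteln( "      remediating...")
			on error resume next
			objShell.RegWrite Regkey, SvcArray(i,3), "REG_EXPAND_SZ"		' Write the correct data to the key (always as REG_EXPAND_SZ)
			WriteErrNumber = Err.Number										' capture before the next call overwrites Err
			WriteErrText = Err.Description
			Err.Clear
			KeyValue = objShell.regread(Regkey)								' read the data again, for verification
			on error goto 0
			if KeyValue = SvcArray(i,3) then 								' if we found what we want
				LogWriteln( "      Success")								' then we're happy
			else
				LogWriteln( "      Failed")
				' Record why (e.g. the script was not run elevated) instead of echoing the
				' number, which under wscript.exe blocks an unattended run with a message box.
				if WriteErrNumber <> 0 then LogWriteln( "      RegWrite error " & WriteErrNumber & ": " & WriteErrText)
			end if
		end if
		LogWriteln( "      ")
	end if
next

LogWriteln( msgExit )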

'===[ subroutines ]========================================================================

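' Append one timestamped line to the log file, opening the log on first use.
'   s : message text. It is not modified; VBScript passes arguments ByRef by default,
'       so the formatted line is built in a local instead of being assigned back to s.
sub LogWriteln(s)        '-------------------------------------------------------------------
	Dim entry
	entry = "  " & TimeStamp() &  " " & s
	'wscript.echo entry          'write message to the console
	if Not IsObject(LogFileHandle) Then InitLogFile
	' Still not an object here means the log could not be opened; the message is dropped.
	if IsObject(LogFileHandle) Then LogFileHandle.write entry & vbCRLF 'write message to the log file
End Sub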

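' Open (or create) the log file named after the script and write a header line.
' If the existing log is smaller than MaxLogFileSize it is appended to; otherwise it is
' renamed to *.OLD.LOG (replacing any previous one) and a new log is started.
' Sets the globals objFSO, objNetwork, ScriptUser, ScriptComputer and, on success,
' LogFileHandle. On failure LogFileHandle is left unset, so LogWriteln skips the write.
sub InitLogFile        '-------------------------------------------------------------------
	Const Write = 2
	Const Append = 8
	Dim OpenMode : OpenMode = Write
	Dim Failed   : Failed = False
	Dim LogFilename, OldLogFilename
	Dim ExistingLog		' File object used only for the size check
	LogFilename = LogFilenamePath & Replace(ucase(wscript.ScriptName),".VBS",".LOG")
	OldLogFilename = LogFilenamePath & Replace(ucase(wscript.ScriptName),".VBS",".OLD.LOG")

	' Err must be tested before "on error goto 0", which resets it.
	on error resume next
	Set objFSO=CreateObject("Scripting.FileSystemObject")
	if Err.Number <> 0 or not IsObject(objFSO) then Failed = True
	Err.Clear
	on error goto 0

	if not Failed then
		On Error Resume Next ' try to open the file to check its size
		Set ExistingLog=objFSO.GetFile(LogFilename)
		Err.Clear ' a missing log file is expected on the first run
		on error goto 0

		' The File object is kept in a local: storing it in LogFileHandle would leave a
		' non-TextStream object there if OpenTextFile fails, and LogWriteln would then
		' call .write on it.
		if IsObject(ExistingLog) then
			if ExistingLog.Size < MaxLogFileSize then
				OpenMode = Append
			else ' if file is too big, try to roll it over to the OLD file
				on error resume next
				if objFSO.FileExists(OldLogFilename) then objFSO.DeleteFile(OldLogFilename)
				objFSO.MoveFile LogFilename, OldLogFilename
				on error goto 0
			end if
		end if

		On Error Resume Next
		Set LogFileHandle = objFSO.OpenTextFile(LogFilename,OpenMode,True)
		if Err.Number <> 0 then
			'wscript.echo ("  Warning: Unable to write to the log file (" & LogFilename & ")")
			Failed = True
		End If
		Err.Clear
		On Error goto 0
	end if

	Set objNetwork = CreateObject("Wscript.Network")
	ScriptUser = objNetwork.UserName
	ScriptComputer = objNetwork.ComputerName

	If Not Failed then
		On Error Resume Next ' the header is best-effort; a failed write does not stop the script
		LogFileHandle.write _
			"===[" & Month(DATE) & "/" & Day(DATE) & "/" & Year(DATE) & _
			"]===< " & wscript.ScriptName & " >======[ User:" & ScriptUser & " on " & ScriptComputer & " ]=======" & vbCrlf
		'if err.number <> 0 then wscript.echo "Unable to write to " & LogFilename & " - is it locked?"
		on error goto 0
	end if
End Sub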

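' Return the current local time of day as H:MM:SS.hh (hundredths of a second).
' Every field is derived from a single Timer() reading. Mixing several Now calls with
' Timer() can straddle a second boundary and produce a negative or overflowing fraction.
Function TimeStamp()
	Dim sngSinceMidnight, lngWholeSeconds, lngHours, lngMinutes, lngSeconds, lngHundredths
	sngSinceMidnight = Timer()									' seconds since midnight, with fraction
	lngWholeSeconds = CLng(Fix(sngSinceMidnight))
	lngHours = lngWholeSeconds \ 3600
	lngMinutes = (lngWholeSeconds Mod 3600) \ 60
	lngSeconds = lngWholeSeconds Mod 60
	lngHundredths = CLng(Fix((sngSinceMidnight - lngWholeSeconds) * 100))
	TimeStamp = lngHours & ":" & Right("0" & lngMinutes,2) & ":" & Right("0" & lngSeconds,2) & "." & Right("0" & lngHundredths,2)
End Function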

' Populate SvcArray with the services reported by the vulnerability scan.
' Each row holds the service name, the unquoted ImagePath exactly as reported, and the
' same path wrapped in double quotes. The main loop compares column 2 to the registry
' value exactly, so a row only applies when the registry still holds that string.
Sub FillArray
	AddSvcRow 1, "NetPipeActivator", "%systemroot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
	AddSvcRow 2, "c2wts", "%ProgramFiles%\Windows Identity Foundation\v3.5\c2wtshost.exe"
	AddSvcRow 3, "WavesSysSvc", "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"
	AddSvcRow 4, "ApHidMonitorService", "C:\Program Files\DellTPad\HidMonitorSvc.exe"
	' NOTE(review): no executable name in this value; it looks like a truncated scan finding - confirm.
	AddSvcRow 5, "MagicMouse2Service", "C:\Program Files (x86)\Magic Mouse 2"
	AddSvcRow 6, "dcpm-notify", "C:\Program Files\Dell\CommandPowerManager\NotifyService.exe"
	AddSvcRow 7, "STacSV", "C:\Program Files\IDT\WDM\STacSV64.exe"
	AddSvcRow 8, "DMService", "C:\windows\Downloaded Program Files\DMService.exe"
	AddSvcRow 9, "uagqecsvc", "C:\Program Files\Microsoft Forefront UAG\Endpoint Components\3.1.0\uagqecsvc.exe"
	AddSvcRow 10, "ac.sharedstore", "C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe"
	AddSvcRow 11, "RtkAudioService", "C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe"
	AddSvcRow 12, "AdobeUpdateService", "C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe"
	AddSvcRow 13, "EPSON_PM_RPCV4_04", "C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE"
	AddSvcRow 14, "EPSON_EB_RPCV4_04", "C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE"
	AddSvcRow 15, "iBtSiva", "C:\Program Files (x86)\Intel\Bluetooth\ibtsiva.exe"
	AddSvcRow 16, "WebServe", "C:\Program Files (x86)\YouKu\YoukuClient\WebServe.exe"
	AddSvcRow 17, "InstallerService", "C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe"
	AddSvcRow 18, "iPodService", "C:\Program Files (x86)\iPod\bin\iPodService.exe"
	AddSvcRow 19, "AESTFilters", "C:\Program Files\IDT\WDM\AESTSr64.exe"
	AddSvcRow 20, "NWHelper", "C:\Program Files (x86)\Novatel Wireless\Drivers\NWHelper.exe"
	' NOTE(review): ends at a directory rather than an executable - confirm against the scan report.
	AddSvcRow 21, "TeamTrack Broker Service", "C:\Program Files (x86)\Serena\TeamTrack\bin"
	AddSvcRow 22, "Fitbit Connect", "C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe"
	AddSvcRow 23, "SafeBootClientManager", "C:\Program Files (x86)\McAfee\Endpoint Encryption for PC\SbClientManager.exe"
	AddSvcRow 24, "WsDrvInst", "C:\Program Files (x86)\iSkysoft\iSkysoft Toolbox for iOS\Library\DriverInstaller\DriverInstall.exe"
	AddSvcRow 25, "IsAppService", "C:\Program Files (x86)\Iskysoft\IAF\2.4.2.223\IsAppService.exe"
	AddSvcRow 26, "redis", "C:\Program Files\Redis\redis-service.exe"
	AddSvcRow 27, "freeFTPdService", "C:\Program Files (x86)\freeFTPd\freeFTPdService.exe"
	AddSvcRow 28, "hostcontrolsvc", "C:\Program Files\Broadcom\CV\bin\HostControlService.exe"
	AddSvcRow 29, "hoststoragesvc", "C:\Program Files\Broadcom\CV\bin\HostStorageService.exe"
	AddSvcRow 30, "ushupgradesvc", "C:\Program Files\Broadcom\CV\bin\UshUpgradeService.exe"
	AddSvcRow 31, "BBSvc", "C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\BBSvc.exe"
	AddSvcRow 32, "BBUpdate", "C:\Program Files (x86)\Microsoft\BingBar\7.1.355.0\SeaPort.exe"
	AddSvcRow 33, "CodeMeter.exe", "C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe"
	AddSvcRow 34, "indexerserver60", "C:\Program Files\Denodo Platform\jre\bin\java.exe"
	AddSvcRow 35, "schedulerserver60", "C:\Program Files\Denodo Platform\jre\bin\java.exe"
	AddSvcRow 36, "aracneserver60", "C:\Program Files\Denodo Platform\jre\bin\java.exe"
	AddSvcRow 37, "vdpserver60", "C:\Program Files\Denodo Platform\jre\bin\java.exe"
	AddSvcRow 38, "Denodo PDF Conversion Server 6.0", "C:\Program Files\Denodo Platform\bin\PdfConversionsServer.exe"
	AddSvcRow 39, "maintenance60", "C:\Program Files\Denodo Platform\jre\bin\java.exe"
	AddSvcRow 40, "browserpool60", "C:\Program Files\Denodo Platform\jre\bin\java.exe"
	AddSvcRow 41, "NWVZHelper", "C:\Program Files (x86)\Novatel Wireless\Verizon\Drivers\NWHelper_001.exe"
	AddSvcRow 42, "OpenVPNServiceInteractive", "C:\Program Files\OpenVPN\bin\openvpnserv.exe"
	AddSvcRow 43, "OpenVPNServiceLegacy", "C:\Program Files\OpenVPN\bin\openvpnserv.exe"
	AddSvcRow 44, "OpenVPNService", "C:\Program Files\OpenVPN\bin\openvpnserv2.exe"
	AddSvcRow 45, "ovpnagent", "C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ovpnagent.exe"
	AddSvcRow 46, "SSUService", "C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe"
	AddSvcRow 47, "ASIX", "C:\Program Files\MosUPPSP\AsixService.exe"
	AddSvcRow 48, "LGE NDIS Connection Service", "C:\Program Files (x86)\LG Electronics\LGE LTE Driver\LGVL600SVC.exe"
end sub

' Store one remediation row: service name, reported value, and that value in double quotes.
' Wrapping the whole string is only right when the value is a bare executable path; a
' value that carries command-line arguments needs the quotes around the path part alone.
Sub AddSvcRow(rowIndex, svcName, reportedPath)
	SvcArray(rowIndex,1) = svcName
	SvcArray(rowIndex,2) = reportedPath
	SvcArray(rowIndex,3) = """" & reportedPath & """"
End Sub
