Functions/Private/Artifacts/AddRemovePrograms/Discover_AddRemovePrograms.ps1

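function Discover_AddRemovePrograms {
<#
.SYNOPSIS
Scans for Add/Remove Programs entries in an offline (mounted) Windows image.

.DESCRIPTION
Loads the image's SOFTWARE hive under a temporary HKLM key, enumerates the
native and Wow6432Node Uninstall keys, and writes the key names to a JSON
manifest named after this artifact's folder.

The hive comes from the image under analysis and is untrusted data: only
key names are read from it, nothing in it is executed. Loading a hive with
reg.exe requires an elevated session (backup/restore privilege); a failed
load is reported as a terminating error rather than silently yielding an
empty manifest.

.PARAMETER MountPath
The path where the Windows image was mounted to.

.PARAMETER OutputPath
The filesystem path where the discovery manifest will be emitted.

.OUTPUTS
None. Writes <OutputPath>\<ArtifactName>.json holding a JSON array of
strings (always an array, even for zero or one entry).
#>

[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSShouldProcess",'')]
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string] $MountPath,
    [Parameter(Mandatory = $true)]
    [string] $OutputPath
)

$ArtifactName = Split-Path -Path $PSScriptRoot -Leaf
Write-Verbose -Message ('Starting discovery for {0} artifact' -f $ArtifactName)

### Determine the path where the manifest file will be stored
$ManifestPath = Join-Path -Path $OutputPath -ChildPath ('{0}.json' -f $ArtifactName)

### Fail early if the image has no SOFTWARE hive. Without this check reg.exe
### fails, the later registry reads return nothing, and an empty manifest is
### written that looks like "no software installed".
$HivePath = Join-Path -Path $MountPath -ChildPath 'Windows\System32\Config\SOFTWARE'
if (-not (Test-Path -LiteralPath $HivePath -PathType Leaf)) {
    throw ('SOFTWARE hive not found at {0}; is the image mounted at {1}?' -f $HivePath, $MountPath)
}

### Unpredictable temporary key name so concurrent runs and stale loads cannot collide
$TempKey = (New-Guid).Guid
$TempHiveKey = 'HKLM\{0}' -f $TempKey

### Mount the SOFTWARE hive. The call operator passes each argument as its own
### token (quoted as needed), so a MountPath containing spaces or quotes cannot
### alter the command line as it could with a single formatted ArgumentList
### string. reg.exe reports failure (not elevated, hive in use, corrupt hive)
### only via its exit code, so that is checked explicitly.
$null = & reg.exe load $TempHiveKey $HivePath
if ($LASTEXITCODE -ne 0) {
    throw ('reg.exe load of {0} onto {1} failed with exit code {2}' -f $HivePath, $TempHiveKey, $LASTEXITCODE)
}
Write-Verbose -Message ('Finished loading the SOFTWARE registry hive from {0}' -f $MountPath)

### Collected Add/Remove Programs entry names
$SoftwareList = @()
try {
    ### Registry paths for installed software. The Wow6432Node branch does not
    ### exist on 32-bit images, so a missing key there is not an error.
    $UninstallKeys = @(
        ('HKLM:\{0}\Microsoft\Windows\CurrentVersion\Uninstall' -f $TempKey)
        ('HKLM:\{0}\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall' -f $TempKey)
    )
    $PathList = @()
    foreach ($Key in $UninstallKeys) {
        $PathList += Get-ChildItem -Path $Key -ErrorAction SilentlyContinue
    }

    ### Record the key name of each entry. DisplayName is deliberately not used
    ### (many entries lack it). CR/LF are stripped so a crafted key name in the
    ### image cannot inject extra lines into the manifest or the verbose log.
    foreach ($Software in $PathList) {
        $DisplayName = ($Software.PSChildName) -replace "\n","" -replace "\r",""
        if ($DisplayName -and $DisplayName -ne '') {
            $SoftwareList += $DisplayName
            Write-Verbose -Message ('Added new Add/Remove Programs software item: {0}' -f $DisplayName)
        }
    }
}
finally {
    ### Always unmount, even if enumeration threw: a hive left loaded keeps the
    ### image file locked and leaves a key under HKLM visible to every process
    ### on the analysis host. Collect first so registry handles the provider
    ### still holds are released; otherwise unload often fails with access denied.
    [System.GC]::Collect()
    [System.GC]::WaitForPendingFinalizers()
    $null = & reg.exe unload $TempHiveKey
    if ($LASTEXITCODE -ne 0) {
        Write-Warning -Message ('reg.exe unload of {0} failed with exit code {1}; the hive is still loaded' -f $TempHiveKey, $LASTEXITCODE)
    }
    else {
        Write-Verbose -Message 'Finished unmounting the registry hive'
    }
}

### Write out the discovery results. -InputObject with an explicit array keeps
### the manifest a JSON array for zero or one entries; piping an array into
### ConvertTo-Json emits nothing for zero items and a bare string for one.
ConvertTo-Json -InputObject @($SoftwareList) | Set-Content -LiteralPath $ManifestPath
Write-Verbose -Message ('Finished discovery for {0} artifact' -f $ArtifactName)

}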