Bobcares

Reporting on Digitally Signed Files with PowerShell

by | Feb 14, 2021

Wondering how to find Digitally Signed Files with PowerShell? We can help you.

When there are many new files that are digitally signed with a certificate, we will at times need to check the status of the Digital Signatures of these files.

For this, we can use the PowerShell ‘Get-AuthenticodeSignature’ cmdlet.

Here at Bobcares, we use PowerShell for reporting on Digitally Signed files for our customers as a part of Server Management Services.

Checking properties of Digitally Signed Files with PowerShell

This cmdlet examines a file and shows the properties of the digital certificate used to sign it.

Here is an example of it:

PS C:\> Get-AuthenticodeSignature -FilePath C:\windows\notepad.exe

    Directory: C:\windows

SignerCertificate                         Status   Path
-----------------                         ------   ----
AE9C1AE54763822EEC42474983D8B635116C8452  Valid    notepad.exe

A quick glance shows us the file has a valid digital signature.

For checking more details, we can pipe the results into Format-List using the following:

C:\> Get-AuthenticodeSignature -FilePath C:\windows\notepad.exe | Format-List

It is also possible to take a list of files and pipe them in to see their status using the following:

C:\> get-childitem c:\windows\*.exe | Get-AuthenticodeSignature

However, the cmdlet's output has a particular format.

If we take this output as it is and export it to a CSV to report on a list of files, it will not give a clear result.

First, we will list the properties the output exposes, using Get-Member with the following command:

C:\> get-childitem c:\windows\*.exe | Get-AuthenticodeSignature | Get-Member

To run Get-AuthenticodeSignature, keep only the properties that export cleanly and output them to a CSV file, we can use the following:

Get-ChildItem C:\Windows\notepad*.exe | Get-AuthenticodeSignature |
    Select-Object -Property Path,IsOSBinary,SignatureType,Status,StatusMessage |
    Export-Csv C:\report\Signature.csv -NoTypeInformation

This will provide a clearer result.

The SignerCertificate property is itself an X509Certificate2 object. We can see the properties inside that object by using the following:

Get-ChildItem C:\Windows\notepad*.exe | Get-AuthenticodeSignature |
    Select-Object -ExpandProperty SignerCertificate |
    Get-Member -MemberType Properties

To obtain a property such as the SerialNumber, we will use a feature of Select-Object called a “Calculated Property”.

Get-ChildItem C:\Windows\notepad.exe | Get-AuthenticodeSignature |
    Select-Object -Property @{Name='SignerSerialNumber';Expression={$_.SignerCertificate.SerialNumber}}

Using this in PowerShell will produce the following result:

SignerSerialNumber
------------------
33000001C422B2F79B793DACB20000000001C4

To produce a Calculated Property for each of the individual items from the X509Certificate2 objects of the signer and the time stamper, we can use the following:

# Subject* columns read SignerCertificate; TimeStamper* columns read TimeStamperCertificate.
Get-ChildItem C:\Windows\notepad.exe | Get-AuthenticodeSignature |
    Select-Object -Property Path, Status, StatusMessage, SignatureType,
        @{Name='SubjectName';Expression={$_.SignerCertificate.Subject}},
        @{Name='SubjectIssuer';Expression={$_.SignerCertificate.Issuer}},
        @{Name='SubjectSerialNumber';Expression={$_.SignerCertificate.SerialNumber}},
        @{Name='SubjectNotBefore';Expression={$_.SignerCertificate.NotBefore}},
        @{Name='SubjectNotAfter';Expression={$_.SignerCertificate.NotAfter}},
        @{Name='SubjectThumbprint';Expression={$_.SignerCertificate.Thumbprint}},
        @{Name='TimeStamperName';Expression={$_.TimeStamperCertificate.Subject}},
        @{Name='TimeStamperIssuer';Expression={$_.TimeStamperCertificate.Issuer}},
        @{Name='TimeStamperSerialNumber';Expression={$_.TimeStamperCertificate.SerialNumber}},
        @{Name='TimeStamperNotBefore';Expression={$_.TimeStamperCertificate.NotBefore}},
        @{Name='TimeStamperNotAfter';Expression={$_.TimeStamperCertificate.NotAfter}},
        @{Name='TimeStamperThumbprint';Expression={$_.TimeStamperCertificate.Thumbprint}}

With this, we now have an object that would export directly to a CSV.

We can also write a function corresponding to this as given below:

# Flattens Signature objects into rows that export cleanly to CSV.
Function Expand-AuthenticodeSignature($AuthenticodeSignature) {
    $AuthenticodeSignature | Select-Object -Property Path, Status, StatusMessage, SignatureType,
        @{Name='SubjectName';Expression={$_.SignerCertificate.Subject}},
        @{Name='SubjectIssuer';Expression={$_.SignerCertificate.Issuer}},
        @{Name='SubjectSerialNumber';Expression={$_.SignerCertificate.SerialNumber}},
        @{Name='SubjectNotBefore';Expression={$_.SignerCertificate.NotBefore}},
        @{Name='SubjectNotAfter';Expression={$_.SignerCertificate.NotAfter}},
        @{Name='SubjectThumbprint';Expression={$_.SignerCertificate.Thumbprint}},
        @{Name='TimeStamperName';Expression={$_.TimeStamperCertificate.Subject}},
        @{Name='TimeStamperIssuer';Expression={$_.TimeStamperCertificate.Issuer}},
        @{Name='TimeStamperSerialNumber';Expression={$_.TimeStamperCertificate.SerialNumber}},
        @{Name='TimeStamperNotBefore';Expression={$_.TimeStamperCertificate.NotBefore}},
        @{Name='TimeStamperNotAfter';Expression={$_.TimeStamperCertificate.NotAfter}},
        @{Name='TimeStamperThumbprint';Expression={$_.TimeStamperCertificate.Thumbprint}}
}

Now we have the data in a more consumable and exportable form. We can get a list of files with their Digital Certificate status using the following:

$List=Get-ChildItem C:\Windows\*.exe | Get-AuthenticodeSignature

After that, we can produce the new output in a script with our function and export it directly to a CSV file.

Expand-AuthenticodeSignature -AuthenticodeSignature $List | Export-Csv C:\report\working.csv -NoTypeInformation
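Going one step beyond the export above, the following added example (not part of the original article) flattens each signature into a row with a triage finding and guards against unsigned files, where SignerCertificate is empty. The function name Get-SignatureTriage, the Finding column and the scanned and output paths are assumptions made for illustration.

```powershell
# Added example. Get-SignatureTriage and the Finding column are hypothetical names.
function Get-SignatureTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Include = @('*.exe', '*.dll', '*.ps1')
    )

    Get-ChildItem -Path $Path -Include $Include -File -Recurse -ErrorAction SilentlyContinue |
        Get-AuthenticodeSignature |
        ForEach-Object {
            $sig    = $_                          # keep a handle: switch rebinds $_
            $signer = $sig.SignerCertificate      # $null for unsigned files
            $stamp  = $sig.TimeStamperCertificate # $null when there is no timestamp

            # Turn the raw status into something a reviewer can sort and filter on.
            $finding = switch ($sig.Status) {
                'Valid'        { if ($stamp) { 'OK' } else { 'Valid, no timestamp certificate' } }
                'NotSigned'    { 'Unsigned' }
                'HashMismatch' { 'Content does not match the signature' }
                'NotTrusted'   { 'Signer not trusted on this machine' }
                default        { "Review: $($sig.Status)" }
            }

            [pscustomobject]@{
                Path               = $sig.Path
                Status             = $sig.Status
                Finding            = $finding
                SignatureType      = $sig.SignatureType
                IsOSBinary         = $sig.IsOSBinary
                SignerSubject      = if ($signer) { $signer.Subject }
                SignerThumbprint   = if ($signer) { $signer.Thumbprint }
                SignerNotAfter     = if ($signer) { $signer.NotAfter }
                TimeStamperSubject = if ($stamp)  { $stamp.Subject }
                StatusMessage      = $sig.StatusMessage
            }
        }
}

# Assumed paths: scan a folder, summarise, and export only the rows that need review.
$report = Get-SignatureTriage -Path 'C:\Program Files'
$report | Group-Object -Property Finding | Select-Object -Property Count, Name
$report | Where-Object Finding -ne 'OK' |
    Export-Csv C:\report\triage.csv -NoTypeInformation
```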


Conclusion

To conclude, we saw how our Support Techs implement reporting on digitally signed files with PowerShell.




			