Log in to create and rate content, and to follow, bookmark, and share content with other members. Not a member? Join Now!

AnsweredAssumed Answered

PowerShell Version Detected

Question asked by Chalky_White on Nov 12, 2019
Latest reply on Nov 25, 2019 by Chalky_White

Like • Show 0 Likes0
Comment • 8

Hi, i find the results output for QID 45254 PowerShell Detected on Host confusing. Why would it show two versions for the same EXE?

HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine PowerShellVersion = 2.0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe found
HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine PowerShellVersion = 5.1.17134.1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe found
HKLM\SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\PowerShellEngine PowerShellVersion = 2.0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe found
HKLM\SOFTWARE\Wow6432Node\Microsoft\PowerShell\3\PowerShellEngine PowerShellVersion = 5.1.17134.1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe found

At this present time i can't work out the query string in Global Asset Management module to display PowerShell, and wonder whether it wouldn't do the same thing, based on above output?

Thanks, Tony

No one else has this question

Outcomes

8 Replies

Rob Dewhirst Nov 19, 2019 11:13 AM
Mark Correct
Correct Answer
32 vs 64-bit versions of Powershell.
1 person found this helpful
Like • Show 0 Likes0
Actions
- Chalky_White @ Rob Dewhirst on Nov 20, 2019 12:45 AM
  Mark Correct
  Correct Answer
  Thanks Rob, still looks like duplication to me??? Both reg keys for the different versions point to the same EXE in the same location.....
  
  HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine PowerShellVersion = 2.0
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe found
  HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine PowerShellVersion = 5.1.17134.1
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe found
  Like • Show 0 Likes0
  Actions
  - Rob Dewhirst @ Chalky_White on Nov 20, 2019 2:53 PM
    Mark Correct
    Correct Answer
    If you first example, there are two different paths show, one is in C:\Windows\SysWOW64...
    1 person found this helpful
    Like • Show 0 Likes0
    Actions
    - Chalky_White @ Rob Dewhirst on Nov 21, 2019 2:40 AM
      Mark Correct
      Correct Answer
      i'm also finding similar results with Winzip detection, Checked one example out and found that whilst the product version is 15.0, the EXE version is 25.0.9302.0. Wonder if all this started when the Asset Inventory module was enabled on our account? Sadly this version business is triggering QIDs such as 105488 EOL/Obsolete Software: Unsupported Winzip, when infact we are running v25, which is still good.
      
      Here are the results;
      
      C:\Program Files (x86)\WinZip\winzip32.exe Version is 25.0.9302.0
      %ProgramFiles(x86)%\WinZip\WINZIP32.EXE Version is 15.0.0.0
      
      1 person found this helpful
      Like • Show 0 Likes0
      Actions
      - Matthew Verive @ Chalky_White on Nov 22, 2019 1:41 PM
        Mark Correct
        Correct Answer
        This is a different issue than the PowerShell one, but is indeed an issue in its own right. QID 105488 isn't giving a differentiation between the file version and product version. However, Qualys flagging this as vulnerable is correct - you're using WinZip 15. A quick check shows that the latest version of WinZip is 24, so unless you're Corel and are running a beta version of 25... (plus, the file modified date is 2010, which is when WinZip 15 was released).
        2 people found this helpful
        Like • Show 0 Likes0
        Actions
Matthew Verive Nov 22, 2019 1:34 PM
Mark Correct
Correct Answer
Something to note here - those version numbers are coming from registry entries, not the EXEs. I don't know why the QID is repeating the EXEs found, but at least the four registry paths are unique.

As far as why there are two version numbers: the entry at HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine is for compatibility purposes - it's not accurate. HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine gives you the real version. That being said, Microsoft recommends checking the EXE version and not the registry:
[...] you should instead check for the existence of the file %systemroot%\system32\WindowsPowerShell\v1.0\powershell.exe. If your installer absolutely requires a registry-based validations, you should first check for HKLM:\Software\Microsoft\PowerShell\3\PowerShellEngine (note the 3) before falling back to HKLM:\Software\Microsoft\PowerShell\1\PowerShellEngine.
(from https://devblogs.microsoft.com/powershell/windows-powershell-2-0-deprecation/ )

I'd argue this is worth a change to QID 45254.
2 people found this helpful
Like • Show 0 Likes0
Actions
Robert Dell'Immagine Nov 24, 2019 6:20 PM
Mark Correct
Correct Answer
I asked our signatures team to review this thread.
Like • Show 0 Likes0
Actions
Chalky_White Nov 25, 2019 12:22 AM
Mark Correct
Correct Answer
thank you Matthew and Robert, Matthew i'm kicking myself that i didn't spot the datestamp ;-)
Like • Show 1 Like1
Actions

PowerShell Version Detected

Outcomes

Related Content

Recommended Content