Windows Resource Protection API call and PowerShell 2.0
A month ago, I was lucky enough to give a presentation on Isolated Applications and Side-by-side Assemblies to an ISV. Later, Maarten asked me if the side-by-side cache was protected by Windows Resource Protection. I checked and answered (“Yes”) but still wished I had a tool to quickly check if a file was protected or not. So I took this opportunity to learn a bit more about Boost:
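    #include <wtypes.h>
    #include <boost/filesystem.hpp>
    #include <iostream>
    #include <Sfc.h>
    #pragma comment(lib, "sfc")

    using namespace boost::filesystem;
    using namespace std;

    // Walk C:\Windows recursively and print every regular file that is
    // NOT protected by Windows Resource Protection.
    int wmain() {
        basic_recursive_directory_iterator<wpath> end_iterator;
        basic_recursive_directory_iterator<wpath> iterator(L"C:\\Windows");
        while (iterator != end_iterator) {
            if (is_regular(iterator->status())) {
                // SfcIsFileProtected returns FALSE when the file is not protected.
                if (!SfcIsFileProtected(NULL, iterator->path().string().c_str()))
                    wcout << iterator->path() << endl;
            }
            try {
                ++iterator;
            } catch (basic_filesystem_error<wpath> & e) {
                wcout << L"\n\nException!" << endl
                      << e.what() << endl
                      << e.path1() << endl;
                // The increment failed while descending into a directory (for
                // example, access denied). Do not descend on the next increment,
                // otherwise the same error would repeat on every retry.
                iterator.no_push();
            }
        }
        return 0;
    }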
But as Maarten doesn’t like C++, I decided to look at how to do this with PowerShell 2.0:
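    # Expose SfcIsFileProtected from sfc.dll as
    # [Win32.WindowsResourceProtection]::IsFileProtected
    Add-Type -Name 'WindowsResourceProtection' -Namespace 'Win32' -MemberDefinition '
        [DllImport("sfc.dll", CharSet = CharSet.Unicode, EntryPoint = "SfcIsFileProtected")]
        public static extern bool IsFileProtected(IntPtr zero, String filename);'

    function IsFileProtected {
        param([string] $f = $(throw 'Please specify a file'))
        return [Win32.WindowsResourceProtection]::IsFileProtected([IntPtr]::Zero, $f)
    }

    # List unprotected files only: skip directories, and pass the full path
    # explicitly rather than relying on how the FileInfo object converts to a string.
    gci \Windows -r | ? { !$_.PSIsContainer -and !(IsFileProtected $_.FullName) }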
Of course, I guess I could have used SFC.EXE /VERIFYFILE= …
But how would I have learned about those other topics then? Eh Maarten?