如何使用 PowerShell 从 .dll 或 .exe 文件中提取数据

Question

我想列出所有启动类型设置为自动的服务

我正在使用 PowerShell 5

$path = 'hklm:\SYSTEM\ControlSet001\Services'
$services = get-childitem $path | get-itemproperty -name 'Start'
foreach ($s in $services){
    if($s.'Start' -like '2'){
        $dn = get-itemproperty $s.'pspath' -name 'DisplayName'
        echo $dn
    }
}

但问题是大多数条目都使用这样的东西：

@%systemroot%\system32\SearchIndexer.exe,-103
@%SystemRoot%\System32\wscsvc.dll,-200

那么如何从中提取字符串呢？

为了进一步说明，@%systemroot%\system32\SearchIndexer.exe,-103 的显示名称是 "Windows Search"。问题是，PowerShell 是否能够从 SearchIndexer.exe 中提取字符串 "Windows Search"？以及如何做到这一点？

更新：

基本上偷了

的代码

$source = @"
using System;
using System.Runtime.InteropServices;
using System.Text;

public class ExtractData
{
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
private static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName);

[DllImport("user32.dll", CharSet = CharSet.Auto)]
private static extern int LoadString(IntPtr hInstance, int ID, StringBuilder lpBuffer, int nBufferMax);

[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool FreeLibrary(IntPtr hModule);

public string ExtractStringFromDLL(string file, int number) {
    IntPtr lib = LoadLibrary(file);
    StringBuilder result = new StringBuilder(2048);
    LoadString(lib, number, result, result.Capacity);
    FreeLibrary(lib);
    return result.ToString();
}
}
"@

Add-Type -TypeDefinition $source

$ed = New-Object ExtractData

$path = 'hklm:\SYSTEM\ControlSet001\Services'
$services = get-childitem $path | get-itemproperty -name 'Start' -ErrorAction SilentlyContinue
foreach ($s in $services){
    if($s.'Start' -like '2'){
        $dn = get-itemproperty $s.'pspath' -name 'DisplayName'
        try{
        $dn = $dn.DisplayName.Split(',')
        $dn = $ed.ExtractStringFromDLL([Environment]::ExpandEnvironmentVariables($dn[0]).substring(1), $dn[1].substring(1))
        }
        catch{}
        finally{
        echo $dn
        }
    }
}

丑陋，但成功了，终于……

Answer 1

怎么了

get-service | where-object StartType -eq Automatic

?

Answer 2

试试这个。它适用于 PowerShell 3，因此也适用于更高版本。

Get-WmiObject -Class Win32_Service | 
    Where-Object StartMode -eq Auto | 
    Select-Object -Property DisplayName

如何使用 PowerShell 从 .dll 或 .exe 文件中提取数据

How to use PowerShell to extract data from .dll or .exe files

windows

powershell

extract

powershell-5.0