colombeen

[SOLVED] WMI: Retrieve out params from method


Hi guys,

I'm trying to get some information using WMI, from the Win32_EncryptableVolume class.

I exec my query, filter out the C-drive, but when I need more info using the object's methods, I only get 1 value back and I can't seem to retrieve the other out params that should be there.

A very minimal version of what I'm trying to do (no error checking etc, very basic). You need to start SciTE as admin or you won't see any results in the console!

#RequireAdmin
$strComputer = @ComputerName

$objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
$objWMIQuery = $objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter='C:'", "WQL", 0)

For $objDrive In $objWMIQuery
    ConsoleWrite("> " & $objDrive.GetConversionStatus() & @CRLF)
    ConsoleWrite("> " & $objDrive.GetConversionStatus().ConversionStatus & @CRLF)
    ConsoleWrite("> " & $objDrive.GetConversionStatus().EncryptionPercentage & @CRLF)
Next

The result from the console is : 

> 0
> 
>

What I'm expecting to get back is : 

> 0
> 0
> 0

When using powershell I get this (run as admin is required!!!) : 

PS C:\WINDOWS\system32> (Get-WmiObject -namespace "Root\cimv2\security\MicrosoftVolumeEncryption" -ClassName "Win32_Encryptablevolume" -Filter "DriveLetter='C:'").GetConversionStatus()
...
ConversionStatus     : 0
EncryptionFlags      : 0
EncryptionPercentage : 0
ReturnValue          : 0
...

All I seem to be getting is the ReturnValue when I use the method.

I've tried this on multiple methods, always ending up with the same result

Anyone here who has experience with this type of thing?

 

Greetz

colombeen

Edited by colombeen


Try this:

Global $a, $b, $c ; receive the first three [out] parameters

$strComputer = @ComputerName
$objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
$objWMIQuery = $objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter='C:'", "WQL", 0)

For $objDrive In $objWMIQuery
    ; Pass variables as arguments: the method fills them with the [out] values
    ; and returns only the uint32 return code.
    $res = $objDrive.GetConversionStatus($a, $b, $c)
    ConsoleWrite("> " & $res & @CRLF) ; return value
    ConsoleWrite("> " & $a & @CRLF)   ; ConversionStatus
    ConsoleWrite("> " & $b & @CRLF)   ; EncryptionPercentage
    ConsoleWrite("> " & $c & @CRLF)   ; EncryptionFlags
Next
Exit

And here is the documentation:

uint32 GetConversionStatus(
  [out] uint32 ConversionStatus,
  [out] uint32 EncryptionPercentage,
  [out] uint32 EncryptionFlags,
  [out] uint32 WipingStatus,
  [out] uint32 WipingPercentage,
  [in]  uint32 PrecisionFactor
);

 

On 17-8-2018 at 11:14 AM, Juvigy said:

Try this:

global $a,$b,$c

$strComputer = @ComputerName
$objWMIService = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\CIMV2\Security\MicrosoftVolumeEncryption")
$objWMIQuery = $objWMIService.ExecQuery("SELECT * FROM Win32_EncryptableVolume WHERE DriveLetter='C:'", "WQL", 0)

For $objDrive In $objWMIQuery
    $res = $objDrive.GetConversionStatus($a,$b,$c)
    ConsoleWrite("> " & $res & @CRLF)
    ConsoleWrite("> " & $a & @CRLF)
    ConsoleWrite("> " & $b & @CRLF)
    ConsoleWrite("> " & $c & @CRLF)
Next
Exit

 

I'll definitely try that out!

Edited by colombeen


Mhhmmnn... Some of the values that I get back aren't what I'm expecting.

I'll just show you guys what I'm working on (FYI: it's far from ready, but the end result will be shared) : 

; newer version in latest post

When I run this the $intWipingStatus contains "-1", but in powershell I get this value "4294967295", while the documentation shows that it could only be an int between 0 and 3

https://docs.microsoft.com/en-us/windows/desktop/secprov/getconversionstatus-win32-encryptablevolume

 

Any idea?

Edited by colombeen


Guessing it's not a very popular subject.

Another thing that frustrates me is the return value of the "IsAutoUnlockKeyStored"-method (I'm not talking about the out param, just the return value).

The documentation shows

uint32 IsAutoUnlockKeyStored(
  [out] boolean IsAutoUnlockKeyStored
);

And the return values should be 

Return code/value           Description
---------------------------------------------------
S_OK                        The method was successful.
0 (0x0)

FVE_E_NOT_ACTIVATED         BitLocker is not enabled on the volume. Add a key protector to enable BitLocker.
2150694920 (0x80310008)

FVE_E_NOT_OS_VOLUME         The method can only be run for the currently running operating system volume.
2150694952 (0x80310028)

But then why do I keep getting "-2144272376"

Is there some kind of conversion I'm forgetting or is MS just screwing me over? :D

Edited by colombeen


-2144272376 converts to 0x80310008 (FVE_E_NOT_ACTIVATED)

MsgBox(0, '', '0x' & Hex(-2144272376))

 


"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward

3 minutes ago, ripdad said:

-2144272376 converts to 0x80310008 (FVE_E_NOT_ACTIVATED)

MsgBox(0, '', '0x' & Hex(-2144272376))

 

YOU ARE A LIFE SAVER

 

But I'm still not sure what to do with the -1 I'm getting from the $intWipingStatus :-s

Edited by colombeen


-1 in WMI usually means: UNKNOWN

In powershell...

4294967295 converts to 0xFFFFFFFF which usually means allow or enabled and 0x00000000 usually means disabled.

Not 100% sure this is the case for your issue though.

 


"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward
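
The signed/unsigned mismatch from the posts above, as an added example that is not part of the original thread: it shows that the negative numbers AutoIt printed and the unsigned numbers from PowerShell and the documentation are the same 32-bit values. The helper names (`_UInt32FromSigned`, `_FveCodeName`) are hypothetical, the sample values are the ones quoted in the thread, and the lookup table holds only the three return codes quoted from the documentation.

```autoit
; Added example, not code from the thread's authors.
; In this thread the uint32 values returned through WMI showed up in AutoIt
; as signed 32-bit integers, so anything with the top bit set printed as a
; negative number. These helpers recover the unsigned value and name the code.

; Return codes from the documentation table quoted in the thread,
; stored as 8-digit hex strings so the sign of the input does not matter.
Global Const $g_aFveCodes[3][2] = [ _
        ["00000000", "S_OK"], _
        ["80310008", "FVE_E_NOT_ACTIVATED"], _
        ["80310028", "FVE_E_NOT_OS_VOLUME"]]

; Constructed sample input: the values discussed in the thread.
Global $g_aSamples[3] = [0, -2144272376, -1]

For $i = 0 To UBound($g_aSamples) - 1
    ConsoleWrite("signed " & $g_aSamples[$i] & _
            " | hex 0x" & Hex($g_aSamples[$i], 8) & _
            " | unsigned " & _UInt32FromSigned($g_aSamples[$i]) & _
            " | " & _FveCodeName($g_aSamples[$i]) & @CRLF)
Next

; Reinterpret a signed 32-bit integer as the uint32 the documentation lists.
; Negative values are the two's complement form, so adding 2^32 restores them.
Func _UInt32FromSigned($iValue)
    If $iValue < 0 Then Return $iValue + 4294967296
    Return $iValue
EndFunc   ;==>_UInt32FromSigned

; Look up a return value (signed or unsigned form) in the table above.
; Hex() with a length of 8 keeps the low 32 bits, so both forms match.
Func _FveCodeName($iValue)
    Local $sHex = Hex($iValue, 8)
    For $i = 0 To UBound($g_aFveCodes) - 1
        If $g_aFveCodes[$i][0] = $sHex Then Return $g_aFveCodes[$i][1]
    Next
    Return "not in the table quoted in this thread"
EndFunc   ;==>_FveCodeName
```

Comparing on the hex form means a check such as "is this FVE_E_NOT_ACTIVATED" gives the same answer whether the value arrived as -2144272376 or as 2150694920.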

23 hours ago, ripdad said:

-1 in WMI usually means: UNKNOWN

In powershell...

4294967295 converts to 0xFFFFFFFF which usually means allow or enabled and 0x00000000 usually means disabled.

Not 100% sure this is the case for your issue though.

 

I was coming to the same conclusion as well on the -1 being UNKNOWN in most cases.

I've added it to my array as the first item and just +1 the result I get for now :)

; newer version in latest post

If anyone who is using bitlocker could test this out (and post back the results), it would be greatly appreciated!

Edited by colombeen


I've made some more changes. I'm hoping it will work (can't test it here, I'm not allowed to encrypt my system just yet).

If anyone is willing to test my script (doesn't matter if your system is or isn't using bitlocker, you just need WinVista or newer), please let me know what the result was so that I can fix bugs etc before I implement it (and also share it here of course)

Please run SciTE as admin, otherwise you won't see the errors etc in the console

; newer version in latest post

Also, I'm not sure if it's possible to read this information remotely because of safety precautions by MS.

This is my result : 

[Screenshot: BitlockerDriveInfo]

My console output :

!> GetConversionStatus      0x00000000
!> GetEncryptionMethod      0x00000000
!> GetKeyProtectors         0x00000000
!> GetLockStatus            0x00000000
!> GetProtectionStatus      0x00000000
!> IsAutoUnlockEnabled      0x80310008
!> IsAutoUnlockKeyStored    0x80310008

EDIT:

I had a little issue that the secondary pop-up didn't show because I forgot to change $test[0][11] to $test[0][12] when I added another item to the array.

Edited by colombeen
bugfix


This is the output of your script:

!> GetConversionStatus        0x00000000
!> GetEncryptionMethod        0x00000000
!> GetKeyProtectors       0x00000000
!> GetLockStatus      0x00000000
!> GetProtectionStatus        0x00000000
!> IsAutoUnlockEnabled        0x80310019
!> IsAutoUnlockKeyStored  0x00000000
"C:\Documents and Settings\delchevs\Desktop\COM fixes\BitLocker.au3" (58) : ==> The requested action with this object has failed.:
$aResult[$iRow][1]  =   $aVolumeTypeMsg[$objDrive.VolumeType]
$aResult[$iRow][1]  =   $aVolumeTypeMsg[$objDrive^ ERROR

And if I run the example script from my first post I get:

> 0
> 1
> 100
>

I am using win7 and have bitlocker.

; newer version in latest post

This is an attempt to fix the missing properties in Win7

Edited by colombeen


Now it works.

C:|Operating System Volume|Unkown|Protected|Unlocked|False|False|Fully Encrypted|AES_256|100|Free Space Not Wiped||{Array}
{CF607D86-743D-4E29-8FF2-A49D0D7AB820}|Numerical password
{B1AA7EF7-AC39-4D21-A278-B12EA6AA5F2B}|Trusted Platform Module (TPM)
!> GetConversionStatus        0x00000000
!> GetEncryptionMethod        0x00000000
!> GetKeyProtectors       0x00000000
!> GetLockStatus      0x00000000
!> GetProtectionStatus        0x00000000
!> IsAutoUnlockEnabled        0x80310019
!> IsAutoUnlockKeyStored  0x00000000

 


Awesome!

I'll still need to fix some things but I'm getting there :) 

EDIT:

I've added a few checks to make sure everything works fine, I'm not noticing a lot of performance loss.

; newer version in latest post

 

Edited by colombeen


I'm just having one last issue before I can post the "final" version in the example scripts

I need to add

#AutoIt3Wrapper_Au3Check_Parameters=-d -w 1 -w 2 -w 3 -w- 4 -w 5 -w 6 -w- 7

But the changes I need to make so that my script will still work is what I can't figure out.

This is the part that will show errors : 

If IsArray($aVolumeKeyProtectorID) And UBound($aVolumeKeyProtectorID) > 0 Then
    Local $aVolumeKeyProtectors[UBound($aVolumeKeyProtectorID)][2], $iKeyProtectorType

    For $i = 0 To UBound($aVolumeKeyProtectorID) - 1
        $aVolumeKeyProtectors[$i][0]        =   $aVolumeKeyProtectorID[$i]
        If _WMIMethodExists($objDrive, "GetKeyProtectorType") Then
            If $objDrive.GetKeyProtectorType($aVolumeKeyProtectorID[$i], $iKeyProtectorType) = 0 Then
                $aVolumeKeyProtectors[$i][1]=   $aKeyProtectorTypeMsg[$iKeyProtectorType]
            Else
                $aVolumeKeyProtectors[$i][1]=   "Unknown"
            EndIf
        Else
            $aVolumeKeyProtectors[$i][1]    =   "Unknown"
        EndIf
    Next
Else
    Local $aVolumeKeyProtectors             =   "None"
EndIf

I declare the $aVolumeKeyProtectors 2 times, which I know is wrong, even more so when you put it inside of a loop.

Any suggestions? I can't seem to figure it out


It's easy if you know how to do it:

Local $aVolumeKeyProtectors
If IsArray($aVolumeKeyProtectorID) And UBound($aVolumeKeyProtectorID) > 0 Then
    Dim $aVolumeKeyProtectors[UBound($aVolumeKeyProtectorID)][2]
    Local $iKeyProtectorType
    ; ...
Else
    $aVolumeKeyProtectors             =   "None"
EndIf

 

3 hours ago, LarsJ said:

It's easy if you know how to do it:

Local $aVolumeKeyProtectors
If IsArray($aVolumeKeyProtectorID) And UBound($aVolumeKeyProtectorID) > 0 Then
    Dim $aVolumeKeyProtectors[UBound($aVolumeKeyProtectorID)][2]
    Local $iKeyProtectorType
    ; ...
Else
    $aVolumeKeyProtectors             =   "None"
EndIf

 

Is it that simple? I'll try that out! Thx!

EDIT:

Just tried it, WORKS LIKE A CHARM! :D

 

I moved the script to the examples : 

 

Edited by colombeen

