List registry key values for Microsoft Antimalware software (FEP)

Below you can find a useful script for checking registry key values on remote machines. In this example we will extract information about the Microsoft Antimalware software (FEP).

The script will gather the following information:

– Log message
– Log time
– Signatures Last Updated
– EngineVersion
– AVSignatureVersion
– ASSignatureVersion

The first two checks read the MpCmdRun log file:

%windir%\temp\MpCmdRun.log – Activity when performing scans and signature updates
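The log check can be made more robust than reading fixed line positions from the tail of the file. The function below is an added example and is not code from the original post: it finds the most recent "MpCmdRun: End Time:" line and the last status line of that run by content, so a trailing blank or separator line cannot shift the fields. The sample log text is constructed to mimic the MpCmdRun.log layout and is not a real capture; the function name and the `[PSCustomObject]` syntax (PowerShell 3.0 or later) are my choices.

```powershell
# Added example (not from the original post): parse the tail of MpCmdRun.log by content.
function Get-MpCmdRunLastRun {
    param([string[]]$LogLines)

    # Find the most recent "End Time" line; it marks the end of the last run.
    $endIndex = -1
    $endTime  = $null
    for ($i = $LogLines.Count - 1; $i -ge 0; $i--) {
        if ($LogLines[$i] -match '^MpCmdRun: End Time:\s*(?<time>.+)$') {
            $endIndex = $i
            # The log wraps the date in left-to-right marks (U+200E); strip them.
            $endTime  = ($Matches['time'] -replace '\u200e', '').Trim()
            break
        }
    }
    if ($endIndex -lt 0) { return $null }

    # Walk back to the last non-empty status line of that run, stopping at the
    # run header so a message from an older run is never picked up.
    $message = $null
    for ($j = $endIndex - 1; $j -ge 0; $j--) {
        $line = $LogLines[$j]
        if ($line -match '^-{5,}' -or $line -match 'Command Line:' -or $line -match '^\s*Start Time:') { break }
        if ($line.Trim()) { $message = $line.Trim(); break }
    }

    [PSCustomObject]@{
        LogMessage = $message
        LogTime    = $endTime
    }
}

# Constructed sample input (not a real log capture)
$sampleLog = @'
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Microsoft Security Client\MpCmdRun.exe" -SignatureUpdate
 Start Time: Tue Jan 02 2018 11:30:57

MpCmdRun: Signature update finished. No updates needed.
MpCmdRun: End Time: Tue Jan 02 2018 11:30:58
-------------------------------------------------------------------------------------
'@ -split "`r?`n"

Get-MpCmdRunLastRun -LogLines $sampleLog

# Against a remote host, fetch the tail over the same kind of session the post uses:
# $lines = Invoke-Command -Session $Session -ScriptBlock { Get-Content C:\Windows\Temp\MpCmdRun.log | Select-Object -Last 50 }
# Get-MpCmdRunLastRun -LogLines $lines
```

Fetching only the last few dozen lines keeps the amount of data pulled over the remoting session small, and parsing locally means the remote script block stays a plain `Get-Content`.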

Output in console:

(Screenshot: PowerShell FEP Results)

To get information from the registry we use the Get-ItemProperty cmdlet and provide the correct path:

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates"

Final script:
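The value that needs care is SignaturesLastUpdated: it is stored as an 8-byte REG_BINARY FILETIME, so it has to be converted to a 64-bit integer before it can be turned into a date. The function below is an added example, not code from the original post: it reads the key, decodes that timestamp and reports whether the signatures are older than a threshold, which is the check a defender usually wants from this data. The 7-day default, the function name, and the fallback to the built-in Windows Defender key on hosts without FEP are my assumptions.

```powershell
# Added example (not from the original post): decode the FEP signature values and flag stale signatures.
function Get-FepSignatureStatus {
    param([int]$MaxAgeDays = 7)   # assumed threshold; tune to your update policy

    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates',   # FEP / SCEP (path from the post)
        'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'         # built-in Defender (assumed fallback)
    )
    $path = $paths | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $path) { throw 'No antimalware Signature Updates key found on this host' }

    $reg = Get-ItemProperty -Path $path -ErrorAction Stop

    # SignaturesLastUpdated is an 8-byte little-endian FILETIME stored as REG_BINARY
    $lastUpdated = [datetime]::FromFileTime([BitConverter]::ToInt64($reg.SignaturesLastUpdated, 0))
    $age = (Get-Date) - $lastUpdated

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        RegistryPath          = $path
        EngineVersion         = $reg.EngineVersion
        AVSignatureVersion    = $reg.AVSignatureVersion
        ASSignatureVersion    = $reg.ASSignatureVersion
        SignaturesLastUpdated = $lastUpdated
        AgeDays               = [math]::Round($age.TotalDays, 1)
        Stale                 = ($age.TotalDays -gt $MaxAgeDays)
    }
}

# Local run
Get-FepSignatureStatus -MaxAgeDays 7 | Format-List

# Remote run over an existing PSSession, passing the function body as the script block:
# Invoke-Command -Session $Session -ScriptBlock ${function:Get-FepSignatureStatus} -ArgumentList 7
```

Because the FILETIME is decoded on the host that owns the key, the remote call returns a ready-to-use datetime instead of a byte array, and the `Stale` flag can be filtered on directly (`| Where-Object Stale`) when the output for many servers is collected.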

$Servers = Get-Content "C:\Users\$env:username\desktop\input.txt"
$Cred = Get-Credential $env:username
$FEPArray = @()

# Loop for servers
ForEach ($Server in $Servers)
{
    Write-Warning "Processing $Server"

    # Open new session for server
    Try
    {
        $Session = New-PSSession -ComputerName $Server -Credential $Cred -ErrorAction Stop
        If (!$Session) { Throw "Failed to connect to server" }
    }
    Catch
    {
        Write-Warning "${Server}: $($_.Exception.Message)"
        # Skip this server and carry on with the next one (Break would stop the whole loop)
        Continue
    }

    # Check last log entry: pull the tail of the log, which holds the last run
    $tail = Invoke-Command -Session $Session -ScriptBlock {
        Get-Content -Path C:\Windows\Temp\MpCmdRun.log | Select-Object -Last 8
    }

    $desc = $null
    $time = $null
    If (!$tail)
    {
        Write-Warning "Failed to check log entry"
    }
    Else
    {
        # Gathering message and time info from log: pick the lines by content rather than by
        # fixed position, so a trailing blank or separator line does not shift the fields
        $timeLine = $tail | Where-Object { $_ -match "^MpCmdRun: End Time:" } | Select-Object -Last 1
        If ($timeLine)
        {
            # Drop the "MpCmdRun: End Time:" prefix and the left-to-right marks around the date
            $time = ($timeLine -replace "^MpCmdRun: End Time:\s*", "" -replace "\u200e", "").Trim()
        }
        # Last non-empty status line that is neither the End Time line nor the separator
        $desc = $tail |
            Where-Object { $_.Trim() -and $_ -notmatch "^MpCmdRun: End Time:" -and $_ -notmatch "^-+$" } |
            Select-Object -Last 1
    }

    # Get FEP registry values
    Try
    {
        $reg = Invoke-Command -Session $Session -ScriptBlock {
            Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates"
        }

        # Converting Signatures last updated value (8-byte REG_BINARY FILETIME)
        $lastupdated = [datetime]::FromFileTime([BitConverter]::ToInt64($reg.SignaturesLastUpdated, 0))

        # Create a custom object
        $ComplexObject = New-Object PSCustomObject
        $ComplexObject | Add-Member -MemberType NoteProperty -Name "Server name" -Value $Server
        $ComplexObject | Add-Member -MemberType NoteProperty -Name "Log message" -Value $desc
        $ComplexObject | Add-Member -MemberType NoteProperty -Name "Log time" -Value $time
        $ComplexObject | Add-Member -MemberType NoteProperty -Name "Signatures Last Updated" -Value $lastupdated
        $ComplexObject | Add-Member -MemberType NoteProperty -Name "EngineVersion" -Value $reg.EngineVersion
        $ComplexObject | Add-Member -MemberType NoteProperty -Name "AVSignatureVersion" -Value $reg.AVSignatureVersion
        $ComplexObject | Add-Member -MemberType NoteProperty -Name "ASSignatureVersion" -Value $reg.ASSignatureVersion

        # Add custom object to our array
        $FEPArray += $ComplexObject
    }
    Catch
    {
        Write-Warning "${Server}: $($_.Exception.Message)"
    }
    Finally
    {
        # Removing session (also when the registry read failed, so no session is left open)
        Remove-PSSession $Session
    }
}

# Results
If ($FEPArray)
{
    # Display results in new window
    $FEPArray | Out-GridView -Title "FEP check results"

    # Display results in PS console
    $FEPArray
}
