With PowerShell 5.1, two new cmdlets (New-FileCatalog and Test-FileCatalog) have been added to the Microsoft.PowerShell.Security module which allow you to generate and validate Windows catalog files.
A Windows catalog file contains hashes for all files in a specified path and can be used to validate whether any changes were made to those files (after the catalog was created).
Typically, the catalog file is digitally signed to guarantee authenticity.
Users can distribute the set of files and folders along with the corresponding catalog file, and the recipient can validate whether any changes were made to the folders after the catalog was created.
Windows catalog files exist in two versions:
- Version 1 uses the SHA1 hashing algorithm to create file hashes.
- Version 2 uses the SHA256 hashing algorithm to create file hashes.
NOTE: Catalog version 2 is not supported on Windows Server 2008 R2 or Windows 7 and below.
Catalog version 2 should be used on Windows 8, Windows Server 2012 and later operating systems.
Let’s run through these two new cmdlets.
The New-FileCatalog cmdlet creates a Windows catalog file for a set of folders and files. This catalog file contains hashes for all files in the specified path.
This allows you to distribute a set of files/folders with a corresponding catalog file representing those files/folders.
This information is useful to validate whether any changes have been made to the folders since catalog creation time.
To create the file catalog of the defined path ‘c:\Tools’, type
$FileCatalog = New-FileCatalog -CatalogFilePath 'myCatalog.cat' -Path 'C:\Tools' -CatalogVersion 2
To retrieve the (code signing) certificate to sign the catalog with, type
$Certificate = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert
To sign the catalog with the retrieved certificate, type
Set-AuthenticodeSignature -Certificate $Certificate -FilePath $FileCatalog
Now, we have a catalog file.
[Figure: Unsigned catalog. / Signed catalog.]
To validate the catalog file, let’s have a look at the cmdlet ‘Test-FileCatalog’.
This cmdlet validates the catalog file by comparing the hashes of all files (found in the catalog file) with the files saved to disk.
If it detects any mismatch between file hashes and paths, it returns a status of ValidationFailed.
To verify the integrity of the catalog file, type
Test-FileCatalog -CatalogFilePath 'myCatalog.cat' -Path 'C:\Tools'
Users can retrieve more detailed information using the -Detailed switch.
This will display the catalog items versus the ‘Path Items’, the hashing algorithm (SHA1-v1 or SHA256-v2) and the digital signature.
The signing status of the catalog, displayed in the ‘Signature’ property, is the same as the result of calling the Get-AuthenticodeSignature cmdlet on the catalog file.
For more detailed validation information, type
Test-FileCatalog -CatalogFilePath 'myCatalog.cat' -Path 'C:\Tools' -Detailed
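As an added example (not part of the original post), the following script runs the whole create/sign/validate workflow on a constructed sample folder under $env:TEMP instead of C:\Tools, then changes one file to show the result flipping from Valid to ValidationFailed and lists the mismatching entries from the -Detailed output. It assumes PowerShell 5.1 with the Microsoft.PowerShell.Security module; the code-signing certificate is treated as optional.

```powershell
# Added example, not from the original post: end-to-end catalog workflow with
# tamper detection on a constructed sample folder (stands in for C:\Tools).
$Root    = Join-Path $env:TEMP 'CatalogDemo'
$Files   = Join-Path $Root 'Tools'
$Catalog = Join-Path $Root 'myCatalog.cat'
Remove-Item $Root -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $Files | Out-Null

# Constructed sample content representing the files to be distributed.
Set-Content -Path (Join-Path $Files 'tool.ps1')   -Value 'Write-Output "hello"'
Set-Content -Path (Join-Path $Files 'readme.txt') -Value 'sample'

# 1. Create a version 2 (SHA256) catalog of the folder.
$FileCatalog = New-FileCatalog -CatalogFilePath $Catalog -Path $Files -CatalogVersion 2

# 2. Sign it if a code-signing certificate is available; otherwise it stays
#    unsigned (hash validation still works, but authenticity is not guaranteed).
$Certificate = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Select-Object -First 1
if ($Certificate) {
    Set-AuthenticodeSignature -Certificate $Certificate -FilePath $FileCatalog.FullName |
        Out-Null
}

# 3. Validate: every hash stored in the catalog must match the file on disk.
$Before = Test-FileCatalog -CatalogFilePath $Catalog -Path $Files -Detailed
"Before change: status=$($Before.Status) algorithm=$($Before.HashAlgorithm) signature=$($Before.Signature.Status)"

# 4. Simulate an unauthorized modification of one distributed file.
Add-Content -Path (Join-Path $Files 'tool.ps1') -Value '# modified after catalog creation'

# 5. Re-validate; the modified file now hashes differently, so Status is ValidationFailed.
$After = Test-FileCatalog -CatalogFilePath $Catalog -Path $Files -Detailed
"After change:  status=$($After.Status)"

# Report exactly which catalog entries no longer match the files on disk
# (CatalogItems = hashes recorded in the catalog, PathItems = hashes computed now).
foreach ($Entry in $After.CatalogItems.GetEnumerator()) {
    $OnDisk = $After.PathItems[$Entry.Key]
    if ($OnDisk -ne $Entry.Value) {
        "Mismatch: $($Entry.Key) catalog=$($Entry.Value) disk=$OnDisk"
    }
}
```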
Hope this helps…
Kurt Roggen [BE]