msiexec.exe -Embedding

Problem description

I am using a cloud-based EDR platform to monitor processes occurring on a client's compromised network. Something I have seen a lot of recently is msiexec.exe called with the option "-Embedding":

C:\Windows\System32\MsiExec.exe -Embedding 35507F61C46FB5B70D1543A9D335C298B

The msiexec documentation (found here) has no mention of this option. Can anyone explain its usage?

Recommended answer

You can find more information from Aaron Stebner here: https://docs.microsoft.com/en-us/archive/blogs/astebner/more-info-about-how-msi-custom-actions-work-behind-the-scenes

Here is an excerpt:

msiexec.exe -Embedding (GUID) - this is the custom action server (indicated by the -Embedding switch)

Custom Action: A custom action is a custom piece of code that runs during installation. They can be in script or binary form - dll, exe, vbscripts, etc... Danger close. With elevated rights they can basically do "anything", but usually they are OK.

msiexec.exe: There will be numerous msiexec.exe processes during the installation of any MSI file, and some MSI files can trigger quite a few of them. This has to do with how many custom actions exist in the MSI and probably a number of other things. There will also always be a client msiexec.exe process running in user context and a server msiexec.exe process running as LocalSystem (unless the server is run silently - then there is no user part to the install). These processes run the actual installation itself.

Technical tidbit: I believe the msiexec.exe processes remain in the process list for about 10 minutes after installation. This was at least the normal behavior once (things change). Old blog from Heath Stewart.

Malware: With regards to this in a malware-sense. The custom action process can certainly be infected, but most often it is not and the anti-virus software could decide to mess with it because of a false positive. System mode custom actions run elevated with temporary administrator rights and can certainly infect the computer with just about anything. Non-elevated MSI files can install trojans and other kinds of malware by launching them on startup and such things. However, elevated custom actions can install drivers and services and all kinds of madness.

Anti-Virus Blues: A common problem for MSI files is that an anti-virus could decide to quarantine an MSI in the super-hidden MSI cache folder: C:\Windows\Installer. This folder is highly protected and should not be accessed by anything, and messing around here typically causes MSI packages that can not be uninstalled (packages are cached to facilitate uninstall, modify and repair). There are some hacks and fixes for such un-uninstallable packages. Additionally, there are other reasons why the MSI source can be missing (with System Restore weirdness being one of my suspected key culprits).

Keys to the City: Having gone well beyond what you actually asked: if you are sure an MSI is infected, I would be hesitant to invoke its uninstaller... I guess that goes without saying. If it runs elevated it has "the keys to the city". Use that Microsoft FixIt tool (found in the linked answer above) or some other approach to wipe the install. Or better yet: rebuild your box I suppose - as if you are not busy enough?

Links:
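As an added illustration (not part of the question or the answer above), the Python snippet below sorts the many msiexec.exe processes the answer describes by role: a "-Embedding <token>" command line is labelled a custom action server, a SYSTEM account marks the server instance, and anything else the user-context client. The event records, the priority labels and the sample events are my own constructed assumptions, not EDR output.

```python
import re
from dataclasses import dataclass

# "-Embedding <token>" marks a custom action server; the token is a hex
# identifier (the question's sample is 35507F61C46FB5B70D1543A9D335C298B).
EMBEDDING_RE = re.compile(r"(?i)(?:^|\s)[-/]Embedding\b(?:\s+(\S+))?")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass
class ProcEvent:
    image: str    # full path of the executable as logged by the EDR
    cmdline: str  # full command line
    user: str     # account the process runs as, e.g. NT AUTHORITY\SYSTEM


def classify_msiexec(ev: ProcEvent) -> dict:
    """Label one process-creation event with the msiexec role it represents."""
    name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name != "msiexec.exe":
        return {"role": "not-msiexec", "priority": "none"}
    # The server instance runs as LocalSystem; the client runs in user context.
    elevated = ev.user.upper().split("\\")[-1] == "SYSTEM"
    m = EMBEDDING_RE.search(ev.cmdline)
    if m is None:
        return {"role": "server" if elevated else "client", "priority": "low"}
    token = m.group(1)
    if not token or not HEX_RE.match(token):
        priority = "review"  # does not match the documented "-Embedding (GUID)" form
    elif elevated:
        priority = "high"    # elevated custom actions run with temporary admin rights
    else:
        priority = "low"
    return {"role": "custom-action-server", "embedding_id": token, "priority": priority}


# Constructed sample events for a stand-alone run (assumed, not from the question's EDR).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\MsiExec.exe",
              r"C:\Windows\System32\MsiExec.exe -Embedding 35507F61C46FB5B70D1543A9D335C298B",
              r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Temp\app.msi /qn", r"CORP\jdoe"),
    ProcEvent(r"C:\Windows\System32\MsiExec.exe",
              r"C:\Windows\System32\MsiExec.exe -Embedding", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        res = classify_msiexec(ev)
        print(f'{res["priority"]:6} {res["role"]:22} {ev.cmdline}')
```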

07-04 15:35