Windows Supply Chain Validation Cheat Sheet

Here’s a list of useful Windows Command Prompt and PowerShell commands that you can use to enumerate hardware and firmware information on a system. Each command can be used to gather specific types of information depending on your needs. Once the information is collected you can use various sources, such as OEM support portals, to verify integrity and get updated software and firmware.

Windows Command Prompt Commands

> systeminfo

Provides a summary of the system hardware, software, and configuration.

> dxdiag

Runs the DirectX Diagnostic Tool which gives detailed information about the system’s DirectX components and drivers.

> msinfo32

Opens the System Information tool that provides comprehensive information about the system’s hardware resources, components, and software environment.

> driverquery

Lists all installed device drivers and their properties. 

Note: You can use the following PowerShell script to scan for LOL (Living Off the Land) drivers: Scan-LOLDrivers.ps1. Use at your own risk! To read more about LOL drivers, please visit https://www.loldrivers.io/

PowerShell Commands

> Get-WmiObject -Class Win32_Processor

Provides information about the processor(s).

> Get-WmiObject -Class Win32_PhysicalMemory

Shows details about the physical memory (RAM).

> Get-WmiObject -Class Win32_DiskDrive

Enumerates the disk drives.

> Get-WmiObject -Class Win32_BIOS

Details about the BIOS.

> Get-WmiObject -Class Win32_BaseBoard

Information about the motherboard.

Get-CimInstance is similar to `Get-WmiObject` but uses newer CIM standards: 

> Get-CimInstance -ClassName Win32_Processor
> Get-CimInstance -ClassName Win32_PhysicalMemory
> Get-CimInstance -ClassName Win32_DiskDrive
> Get-CimInstance -ClassName Win32_BIOS
> Get-CimInstance -ClassName Win32_BaseBoard

> Get-ComputerInfo

Provides a comprehensive overview of the system hardware, OS configuration, and more.

> Get-SystemFirmware

Lists all system firmware (UEFI/BIOS).

> Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
> Confirm-SecureBootUEFI

These commands cover a wide range of system details from basic to very specific hardware and firmware information. Make sure you have the appropriate permissions to run these commands, especially in PowerShell, where some commands might require administrative rights.

WMIC Commands

> wmic baseboard get Manufacturer

Retrieves the manufacturer of the baseboard (motherboard) of the computer.

> wmic csproduct get uuid

Retrieves the Universally Unique Identifier (UUID) of the computer system product.

> wmic csproduct get Skunumber

Retrieves the Stock Keeping Unit (SKU) number of the computer system product.

> wmic os get BootDevice

Retrieves the path of the device that the operating system uses for booting.

> wmic memorychip get Manufacturer

Retrieves the manufacturer of the installed memory (RAM) chips.

> wmic memorychip get Partnumber

Retrieves the part number of the installed memory (RAM) chips.

> wmic diskdrive get model

Retrieves the model number or name of the installed disk drives.

> wmic diskdrive get FirmwareRevision

Retrieves the firmware version of the installed disk drives.

> wmic bios get smbiosbiosversion

Retrieves the version of the BIOS according to the System Management BIOS (SMBIOS) specification.

> wmic bios get manufacturer

Retrieves the manufacturer of the system BIOS.

> wmic bios get releasedate

Retrieves the release date of the BIOS.

> wmic bios get biosversion

Retrieves the version of the BIOS.

Registry Queries

> reg query HKLM\HARDWARE\DESCRIPTION\System\BIOS

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
    BiosMajorRelease    REG_DWORD    0x1
    BiosMinorRelease    REG_DWORD    0x12
    ECFirmwareMajorRelease    REG_DWORD    0xff
    ECFirmwareMinorRelease    REG_DWORD    0xff
    EnclosureType    REG_DWORD    0xa
    BaseBoardManufacturer    REG_SZ    To be filled by O.E.M.
    BaseBoardProduct    REG_SZ    To be filled by O.E.M.
    BaseBoardVersion    REG_SZ    Default string
    BIOSReleaseDate    REG_SZ    08/08/2023
    BIOSVendor    REG_SZ    American Megatrends Inc.
    BIOSVersion    REG_SZ    1.18
    SystemFamily    REG_SZ    Notebook
    SystemManufacturer    REG_SZ    Default string
    SystemProductName    REG_SZ    To be filled by O.E.M.
    SystemSKU    REG_SZ    Default string
    SystemVersion    REG_SZ    Default string

Raw data from SMBIOS:

> reg query HKLM\SYSTEM\CurrentControlSet\Services\mssmbios\Data

Reference: https://www.codeguru.com/cplusplus/smbios-demystified/ 
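
The raw value returned by this query can be decoded into the same identity strings that the HKLM\HARDWARE\DESCRIPTION\System\BIOS query shows, which also makes unpopulated vendor defaults such as "To be filled by O.E.M." easy to flag. The following is an added example, not part of the original article: it assumes the value begins with an 8-byte header (table length in bytes 4-7) followed by standard SMBIOS structures, and the function name Get-SmbiosIdentity and the sample blob are constructed for illustration.

```powershell
# Added example (not from the original article). Assumption: the blob starts with an
# 8-byte header whose bytes 4-7 hold the table length (little-endian).
function Get-SmbiosIdentity {
    param([byte[]]$Data)
    $end = [Math]::Min(8 + [BitConverter]::ToInt32($Data, 4), $Data.Length)
    # Offsets of the string-index bytes to read, per SMBIOS structure type
    $wanted = @{
        0 = [ordered]@{ Vendor = 4; Version = 5; ReleaseDate = 8 }            # BIOS
        1 = [ordered]@{ Manufacturer = 4; ProductName = 5; SerialNumber = 7 } # System
        2 = [ordered]@{ Manufacturer = 4; Product = 5; SerialNumber = 7 }     # Baseboard
    }
    $pos = 8
    while ($pos + 4 -le $end) {
        $type = [int]$Data[$pos]; $flen = [int]$Data[$pos + 1]
        if ($type -eq 127 -or $flen -lt 4 -or $pos + $flen -gt $end) { break }
        # String-set after the formatted area: NUL-terminated strings, then one more NUL
        $strings = @(); $p = $pos + $flen
        while ($p -lt $end -and $Data[$p] -ne 0) {
            $q = $p
            while ($q -lt $end -and $Data[$q] -ne 0) { $q++ }
            $strings += [Text.Encoding]::ASCII.GetString($Data, $p, $q - $p)
            $p = $q + 1
        }
        if ($wanted.ContainsKey($type)) {
            foreach ($f in $wanted[$type].GetEnumerator()) {
                if ($f.Value -ge $flen) { continue }          # field not present
                $idx = $Data[$pos + $f.Value]                 # 1-based index, 0 = none
                $val = if ($idx -ge 1 -and $idx -le $strings.Count) { $strings[$idx - 1] } else { '' }
                [pscustomobject]@{
                    Type = $type; Field = $f.Key; Value = $val
                    # Empty, or a vendor default seen in the registry output above
                    Unpopulated = $val -match '^(To be filled by O\.E\.M\.|Default string)?\s*$'
                }
            }
        }
        $pos = if ($strings.Count) { $p + 1 } else { $p + 2 }  # skip the set terminator
    }
}

# Constructed sample blob (not real firmware data): Type 0, Type 2, end-of-table
$a = [Text.Encoding]::ASCII
$table = [byte[]](0,18,0,0, 1,2, 0,0xE0, 3, 0,0,0,0,0,0,0,0,0) +
    $a.GetBytes("American Megatrends Inc.`0" + "1.18`0" + "08/08/2023`0" + "`0") +
    [byte[]](2,8,1,0, 1,1,0,0) + $a.GetBytes("To be filled by O.E.M.`0" + "`0") +
    [byte[]](127,4,2,0,0,0)
$blob = [byte[]]((0,3,3,0) + [BitConverter]::GetBytes($table.Count) + $table)
Get-SmbiosIdentity $blob | Format-Table
# Live system: (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mssmbios\Data').SMBiosData
```

Rows with Unpopulated set to True are the fields to check against OEM documentation, since a placeholder cannot be matched to a purchase record or support-portal entry.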

Appendix A – PowerShell Script

The following PowerShell script executes the commands in the PowerShell section above and outputs a basic HTML report:

# Define output file
$outputFile = "supplychain.html"
# Collect data
$processor = Get-WmiObject -Class Win32_Processor | Out-String
$physicalMemory = Get-WmiObject -Class Win32_PhysicalMemory | Out-String
$diskDriveWmi = Get-WmiObject -Class Win32_DiskDrive | Out-String
$biosWmi = Get-WmiObject -Class Win32_BIOS | Out-String
$baseBoardWmi = Get-WmiObject -Class Win32_BaseBoard | Out-String
$processorCim = Get-CimInstance -ClassName Win32_Processor | Out-String
$physicalMemoryCim = Get-CimInstance -ClassName Win32_PhysicalMemory | Out-String
$diskDriveCim = Get-CimInstance -ClassName Win32_DiskDrive | Out-String
$biosCim = Get-CimInstance -ClassName Win32_BIOS | Out-String
$baseBoardCim = Get-CimInstance -ClassName Win32_BaseBoard | Out-String
$computerInfo = Get-ComputerInfo | Out-String
$firmware = Get-SystemFirmware | Out-String
$deviceGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace "root\Microsoft\Windows\DeviceGuard" | Out-String

$secureBootUEFI = Confirm-SecureBootUEFI | Out-String

# Create HTML content

$htmlContent = @"
<!DOCTYPE html>
<html>
<head>
    <title>Supply Chain Information</title>
    <style>
        body { font-family: Arial, sans-serif; margin: 20px; }
        h1 { color: #333; }
        pre { background-color: #f4f4f4; padding: 10px; border: 1px solid #ddd; }
    </style>
</head>
<body>
    <h1>Supply Chain Information</h1>
    <h2>Win32 Processor (WMI)</h2>
    <pre>$processor</pre>
    <h2>Win32 Physical Memory (WMI)</h2>
    <pre>$physicalMemory</pre>
    <h2>Win32 Disk Drive (WMI)</h2>
    <pre>$diskDriveWmi</pre>
    <h2>Win32 BIOS (WMI)</h2>
    <pre>$biosWmi</pre>
    <h2>Win32 Base Board (WMI)</h2>
    <pre>$baseBoardWmi</pre>
    <h2>Win32 Processor (CIM)</h2>
    <pre>$processorCim</pre>
    <h2>Win32 Physical Memory (CIM)</h2>
    <pre>$physicalMemoryCim</pre>
    <h2>Win32 Disk Drive (CIM)</h2>
    <pre>$diskDriveCim</pre>
    <h2>Win32 BIOS (CIM)</h2>
    <pre>$biosCim</pre>
    <h2>Win32 Base Board (CIM)</h2>
    <pre>$baseBoardCim</pre>
    <h2>Computer Info</h2>
    <pre>$computerInfo</pre>
    <h2>System Firmware</h2>
    <pre>$firmware</pre>
    <h2>Device Guard</h2>
    <pre>$deviceGuard</pre>
    <h2>Secure Boot UEFI</h2>
    <pre>$secureBootUEFI</pre>
</body>
</html>
"@

# Write to HTML file

$htmlContent | Out-File -FilePath $outputFile -Encoding UTF8

Write-Output "Supply Chain Information exported to $outputFile"

The post Windows Supply Chain Validation Cheat Sheet appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.
