Using PowerShell to Check Remote Windows Systems for CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre)

The Microsoft Security Response Center has released a PowerShell module named SpeculationControl that can be used to check for the CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre) vulnerabilities.

The SpeculationControl module can be installed from the PowerShell Gallery with Install-Module, which is part of the PowerShellGet module. PowerShellGet ships natively with PowerShell version 5.0 but can also be installed on PowerShell version 3.0 and higher.

Running the one function contained in the SpeculationControl module (Get-SpeculationControlSettings) is simple enough, although it does require the script execution policy to be set to RemoteSigned or less restrictive.

One problem is the function doesn’t have any parameters for running it remotely. In fact, it doesn’t have any parameters whatsoever.

While you could deploy this module to all of your remote systems, that would be a less than desirable solution.

There’s a technique I blogged about back in 2014, “Run a local PowerShell Function against a Remote Computer with PowerShell Remoting”, that can be used to run this function, which only exists on your local computer, against remote systems without requiring the function itself to exist on the remote system.

This does however require PowerShell remoting to be enabled on the remote system.

When the function is used as shown in the previous example, it doesn’t trigger the module auto-loading functionality that was introduced in PowerShell version 3.0, so if you haven’t already run the command against the local computer, you’ll receive the following error message.

To resolve this problem, simply import the SpeculationControl module manually.
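
The steps above collected into one function, as an added example that is not code from the original article or from the SpeculationControl module. The function name and the server names are hypothetical, and the property names in the usage lines are an assumption about the object the module returned at the time of the article.

```powershell
# Added example. Get-RemoteSpeculationControlSetting is a hypothetical name.
function Get-RemoteSpeculationControlSetting {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        [System.Management.Automation.Credential()]
        [pscredential]$Credential = [pscredential]::Empty
    )

    # ${function:...} reads the function provider and does not trigger module
    # auto-loading, so load the module explicitly before referencing it.
    Import-Module -Name SpeculationControl -ErrorAction Stop

    $params = @{
        ComputerName  = $ComputerName
        ScriptBlock   = ${function:Get-SpeculationControlSettings}
        ErrorAction   = 'SilentlyContinue'   # keep going when a host is unreachable
        ErrorVariable = 'remotingError'
    }
    if ($Credential -ne [pscredential]::Empty) {
        $params.Credential = $Credential
    }

    # One fan-out call; each result carries the PSComputerName property.
    Invoke-Command @params | Sort-Object -Property PSComputerName

    # Report hosts with errors so a missing row is not mistaken for a clean result.
    foreach ($err in $remotingError) {
        Write-Warning ('Error for {0}: {1}' -f $err.TargetObject, $err.Exception.Message)
    }
}

# Usage with constructed computer names. The selected property names are an
# assumption about the module's output object, not taken from this page.
Get-RemoteSpeculationControlSetting -ComputerName 'Server01', 'Server02', 'Server03' |
    Select-Object -Property PSComputerName, KVAShadowRequired,
        KVAShadowWindowsSupportEnabled, BTIHardwarePresent, BTIWindowsSupportEnabled |
    Format-Table -AutoSize
```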

You could also rework their command since it’s a function (not compiled) or write a proxy function to add remoting functionality without having to resort to this technique.

One thing to note is the Get-SpeculationControlSettings function uses the Get-WMIObject cmdlet so it’s not compatible with PowerShell Core.


7 Comments

  1. marcus

    Has anyone put together a script for scanning multiple remote devices at once?

    • Jerry

      Invoke-Command can handle an array of machines – so if you did this method with -computername Server1,server2,server3 it should work OK. Might be a little rough to read though; you’ll have to guess which box the output came from.

      • Mike F Robbins

        No guesswork needed. The remote computer name the results are from shows up as a synthetic property named PSComputerName. I added an arrow pointing this out in one of the screenshots in the blog article.

  2. Andy Brannelly

    You could try this which worked a treat for me:

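    $computers = Get-Content -Path C:\Scripts\UserPCs.txt
    $creds = Get-Credential -Credential domain\username
    foreach ($computer in $computers) {
        # Pass the prompted credential and run the local function body on the remote computer
        Invoke-Command -ComputerName $computer -Credential $creds -ScriptBlock ${function:Get-SpeculationControlSettings}
    }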

    This works across operating systems too, which was one of the issues with Get-SpeculationControlSettings locally, which I believe only works on win10?

  3. vrdse

    I’d like to share a script that also uses Get-SpeculationControlSettings and Invoke-Command, but adds parallelization and additional information, such as processor, BIOS, AVCompatibility registry key, etc. for a broader picture. https://github.com/vrdse/MeltdownSpectreReport
