Event Viewer: PowerShell Event ID 4104, Execute a Remote Command (원격 명령 실행)

Posted 2022.07.22, 1 comment




Event Viewer PowerShell Event ID 4104 Execute a Remote Command
I have something like this in the log. What is it?


로그 이름:         Microsoft-Windows-PowerShell/Operational
원본:            Microsoft-Windows-PowerShell
날짜:            2022-07-07 오전 5:28:13
이벤트 ID:        4104
작업 범주:         원격 명령 실행
수준:            경고
키워드:           없음
사용자:           DESKTOP-
컴퓨터:           DESKTOP-
설명:
Scriptblock 텍스트를 만드는 중(1/1):
# Copyright ?2015, Microsoft Corporation. All rights reserved.
# :: ======================================================= ::

#====================================================================================
# Initialize
#====================================================================================
Import-LocalizedData -BindingVariable localizationString -FileName CL_LocalizationData

$HDaudio = $true
$flagDefault = $true
$flagLowVolume  = $true
$flagMute = $true
$flagSamplingRate = $true
$flagAPOLoadFailure = $true
$flagServiceResponse = $true
$IsRenderFlow = $false
$postBackPath = $null
$endPointtype = "Capture"

$devices = @()
$EndPointList = @()

# Set env path to fetch the AudioDiagnosticUtil.DLL
$env:Path = $env:Path + ";$env:windir\diagnostics\system\Audio\"
#====================================================================================
# Load Common Library
#====================================================================================
. .\CL_RunDiagnosticScript.ps1
. .\CL_Utility.ps1

#====================================================================================
# Functions
#====================================================================================
if(Test-PostBack -CurrentScriptName 'Diag_Audio')
{
   $postBackFlag =  $true
}

function GetId($deviceInfo=$("No device info is specified"))
{
return ($deviceInfo | Select-Object DeviceId).DeviceId
}

function GetAdapterName($deviceInfo=$("No device info is specified"))
{
return ($deviceInfo | Select-Object AdapterName).AdapterName
}

function Get-DeviceName([string]$deviceID = $(throw "No device ID is specified"), [string]$deviceType = $(throw "No device type is specified") )
{
[String]$deviceName = [String]::Empty
try 
{
$devices = @()
$AudioMethods = Get-AudioEndpoints
        $EndPointList = @()
        $EndPointList = $AudioMethods::GetAudioEndPointsbyType($deviceType)
        $devices += $EndPointList.ForEach({[PSCustomObject]$_})
foreach($dev in $devices)
{
$id = GetId $dev
$name = GetAdapterName $dev

if([String]$id -eq $deviceID)
{
$deviceName = $name
break
}
}

Catch [System.Exception]
{
Write-ExceptionTelemetry "Get-DeviceName" $_
$errorMsg =  $_.Exception.Message
$errorMsg | ConvertTo-Xml | Update-DiagReport -Id "MF_AudioDiagnostic" -Name "MF_AudioDiagnostic" -Verbosity Debug
}
return $deviceName
}

function GetDes($deviceInfo=$("No device info is specified"))
{
return ($deviceInfo | Select-Object DeviceDes).DeviceDes
}

function GetJackInfo($deviceInfo=$("No device info is specified"))
{
return ($deviceInfo | Select-Object JackInfo).JackInfo
}

function GetDeviceType()
{
[string]$type = Get-DiagInput -id "IT_GetDeviceType"

$type | Select-Object @{Name=$localizationString.deviceType;Expression={$_}} | ConvertTo-Xml | Update-DiagReport -id AudioDevice -name $localizationString.AudioDevice_name -description $localizationString.AudioDevice_Description -Verbosity Informational
return $type
}

function ConvertTo-JackLoc([int]$index = $(throw "No index is specified"))
{
$result = $localizationString.jackLocInfo  + " "
switch ($index) {
1 {$result += $localizationString.rear; break}
2 {$result += $localizationString.front; break}
3 {$result += $localizationString.left; break}
4 {$result += $localizationString.right; break}
5 {$result += $localizationString.top; break}
6 {$result += $localizationString.bottom; break}
7 {$result += $localizationString.rearslide; break}
8 {$result += $localizationString.risercard; break}
9 {$result += $localizationString.insidelid; break}
10 {$result += $localizationString.drivebay; break}
11 {$result += $localizationString.HDMIconnector; break}
12 {$result += $localizationString.Outsidelid; break}
13 {$result += $localizationString.ATAPIconnector; break}
default {$result = $localizationString.noJackInfoAvailable; break}
}

return $result
}

function GetDeviceId([string]$deviceFlow)
{
[string]$id = $null
[int]$count = 0
[string]$defaultFlag = "<Default />"
$choices = New-Object System.Collections.ArrayList
try 
{
[Array]$device = $null
$AudioMethods = Get-AudioEndpoints
        $EndPointListID = $AudioMethods::GetAudioEndPointsbyType($deviceFlow)
        $device += $EndPointListID.ForEach({[PSCustomObject]$_})

$count = $device.Length
if($count -eq 1)
{
$id = GetId $device
}
elseif ($count -gt 1)
{
foreach($item in $device)
{
$deviceDes = GetDes $item
$deviceId = GetId $item
$jackInfo = GetJackInfo $item
$adapterName = GetAdapterName $item
$jackloc = ConvertTo-JackLoc $jackInfo
$name = "$deviceDes - $adapterName`r`n`r`n$jackloc.`r`n"
if($item.IsDefault -eq $true)
{
$CurrentDefaultDevice = $localizationString.Current_Default_Device
                    $name = "$deviceDes - $adapterName $CurrentDefaultDevice`r`n`r`n$jackloc.`r`n"
                    [int]$currentIndex = $device.IndexOf($item)
                    $choices += @{"Name"="$name"; "Description"="$name"; "Value"="$deviceId"; "ExtensionPoint"=""}
}
else
{
$name = "$deviceDes - $adapterName`r`n`r`n$jackloc.`r`n"
    $choices += @{"Name"="$name"; "Description"="$name"; "Value"="$deviceId"; "ExtensionPoint"=""}
}
}

if($currentIndex -eq $null)
{
$currentIndex = 0
}
($choices[$currentIndex]).ExtensionPoint = $defaultFlag

$id = Get-DiagInput -id "IT_GetCertainDevice" -Choice $choices
}
}
Catch [System.Exception]
{
Write-ExceptionTelemetry "GetDeviceID" $_
$errorMsg =  $_.Exception.Message
$errorMsg | ConvertTo-Xml | Update-DiagReport -Id "MF_AudioDiagnostic" -Name "MF_AudioDiagnostic" -Verbosity Debug
return $id
}

function CheckRemoteSession {
<#
DESCRIPTION
  CheckRemoteSession check whether current package is running on remote session.

ARGUMENTS:
  None 

RETURNS:
  $result : Boolean value $true if package running on remote session is disabled or $false 
#>
[string]$sourceCode = @"
using System;
using System.Runtime.InteropServices;

namespace Microsoft.Windows.Diagnosis {
public static class RemoteManager {
private const int SM_REMOTESESSION = 0x1000;

[DllImport("User32.dll", CharSet = CharSet.Unicode)]
private static extern int GetSystemMetrics(int Index);

public static bool Remote() {
return (0 != GetSystemMetrics(SM_REMOTESESSION));
}
}
}
"@
$type = Add-Type -TypeDefinition $sourceCode -PassThru

return $type::Remote()
}

function ispostbackOnWin($packName)
{
<#
DESCRIPTION
  ispostbackOnWin check whether package is postback.

ARGUMENTS:
  packName : String value containing ID of pack 

RETURNS:
  $result : Boolean value $true if package running in postback or $false 
#>
[string] $path1 = (Get-Location -PSProvider FileSystem).ProviderPath
[string] $path1 = join-path  $path1  "\$packName"
if(test-path $path1){
return $true
}
"once" > $path1 
return $false
}

function setpostbackOnWin($packName)
{
<#
DESCRIPTION
  setpostbackOnWin check whether package is postback.

ARGUMENTS:
  packName : String value containing ID of pack 

RETURNS:
  $path1 : String containing the path of postback file
#>
[string] $path1 = (Get-Location -PSProvider FileSystem).ProviderPath
[string] $path1 = join-path  $path1  "\$packName"
"once" > $path1 
return $path1
function isLastRCExecuted($rcName)
{
<#
DESCRIPTION
  isLastRCExecuted check whether last root cause executed.

ARGUMENTS:
  packName : String value containing package name 

RETURNS:
  $result : Boolean value $true if root cause executed or $false 
#>
[string] $path = (Get-Location -PSProvider FileSystem).ProviderPath
[string] $path = join-path  $path  "\$rcName"
if(test-path $path){
return $true
}
return $false
}

function setLastRCExecuted($rcName)
{
<#
DESCRIPTION
  setpostbackOnWin set that last root cause executed.

ARGUMENTS:
  packName : String value containing ID of pack 

RETURNS:
  $path : String containing the path of postback file
#>
[string] $path = (Get-Location -PSProvider FileSystem).ProviderPath
[string] $path = join-path  $path  "\$rcName"
"once" > $path 
return $path
}

#====================================================================================
# Main
#====================================================================================

if(CheckRemoteSession) {
Get-DiagInput -ID "IT_RunOnRemoteSession"
return
}

[string]$regLogName = "Registry log.txt"
(Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices' -Recurse) | Out-File $regLogName
if((Test-Path $regLogName)) {
Update-DiagReport -file $regLogName -id InstalledAudioDevice -name $localizationString.installedAudioDevice_name -description $localizationString.installedAudioDevice_description -Verbosity Informational
}

if(isLastRCExecuted "HDAudioExecuted")
{
  return
}


if((RunDiagnosticScript {& .\TS_AudioDeviceDriver.ps1}) -eq $false)
{
$path = setpostbackOnWin "AudioDiagnostic"
return
}

if((RunDiagnosticScript {& .\TS_AudioService.ps1}) -eq $false)
{
    $path = setpostbackOnWin "AudioDiagnostic"
    return
}

[int]$rcDetect = . .\TS_AudioServiceResponse.ps1

if($rcDetect -eq 1)
{
$flagServiceResponse = $false
}


Write-DiagProgress -activity " "
# Get audio device type
[string]$audioDeviceType = GetDeviceType

if ($audioDeviceType -ieq "Render")
{
$IsRenderFlow = $true
}

if(!$postBackFlag)
{
 # Get audio device ID
 [string]$audioDeviceID = GetDeviceId $audioDeviceType
}

# Get audio device name
[string]$audioDeviceName = Get-DeviceName $audioDeviceID $audioDeviceType


if([String]::IsNullOrEmpty($audioDeviceID))
{
return
}


RunDiagnosticScript {& .\TS_DisabledInCPL.ps1 $audioDeviceType $audioDeviceID}

if((RunDiagnosticScript {& .\TS_UnpluggedIn.ps1 $audioDeviceType $audioDeviceID}) -eq $false)
{
$path = setpostbackOnWin "AudioDiagnostic"
    return
}

if((RunDiagnosticScript {& .\TS_Mute.ps1 $audioDeviceType $audioDeviceID}) -eq $true)
{
$flagMute = $false
}
if((RunDiagnosticScript {& .\TS_NotDefault.ps1 $audioDeviceType $audioDeviceID}) -eq $true)
{
$flagDefault = $false
}


if($IsRenderFlow)
{

if((RunDiagnosticScript {& .\TS_LowVolume.ps1 $audioDeviceType $audioDeviceID}) -eq $true)
{

$flagLowVolume = $false
}
}

if((RunDiagnosticScript {& .\TS_SamplingRate.ps1 $audioDeviceID}) -eq $true)
{
$flagSamplingRate = $false
}
if((RunDiagnosticScript {& .\TS_APOLoadFailure.ps1 $null $audioDeviceName $audioDeviceType}) -eq $true)
{
$flagAPOLoadFailure = $false
}

if(ispostbackOnWin "AudioDiagnostic")
{
  return
}
elseif($IsRenderFlow)
{
# Record data for Enhancements
$Response = Get-DiagInput -Id "IT_AudioProperties"
if ($Response -eq "1")
{
StartProcess $audioDeviceID
Write-DiagTelemetry -Property "OpenEnhancements" -Value "Yes"
}else
{
Write-DiagTelemetry -Property "OpenEnhancements" -Value "No"
}
if($flagServiceResponse -and $flagMute -and $flagDefault -and $flagLowVolume -and $flagSamplingRate -and $flagAPOLoadFailure)
{
if(-not([String]::IsNullOrEmpty($audioDeviceName)))
{
RunDiagnosticScript {& .\TS_HDAudioDriver.ps1 $audioDeviceName $audioDeviceID $audioDeviceType}
$postBackPath = setLastRCExecuted "HDAudioExecuted"
}
}
}


ScriptBlock ID: e97e2734-0e05-4398-81e5-76ae20e0a150
경로: C:\WINDOWS\TEMP\SDIAG_0084a7c5-74fb-4e11-808e-b860e432e6e5\MF_AudioDiagnostic.ps1
이벤트 Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
    <EventID>4104</EventID>
    <Version>1</Version>
    <Level>3</Level>
    <Task>2</Task>
    <Opcode>15</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2022-07-06T20:28:13.2912894Z" />
    <EventRecordID>163</EventRecordID>
    <Correlation ActivityID="{273c00a}" />
    <Execution ProcessID="6980" ThreadID="9748" />
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>DESKTOP-</Computer>
    <Security UserID="S-1-5-" />
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">...</Data>
    <Data Name="ScriptBlockId">e97e2734-0e05-4398-81e5-76ae20e0a150</Data>
    <Data Name="Path">C:\WINDOWS\TEMP\SDIAG_0084a7c5-74fb-4e11-808e-b860e432e6e5\MF_AudioDiagnostic.ps1</Data>
  </EventData>
</Event>








로그 이름:         Microsoft-Windows-PowerShell/Operational
원본:            Microsoft-Windows-PowerShell
날짜:            2022-07-07 오전 5:28:13
이벤트 ID:        4104
작업 범주:         원격 명령 실행
수준:            경고
키워드:           없음
사용자:           DESKTOP-
컴퓨터:           DESKTOP-
설명:
Scriptblock 텍스트를 만드는 중(8/8):
ormat, formatExtData, 0, formatSize);
                    retFormat = format;
                    return formatExtData;
                }
                public int SetDeviceFormat(string pszDeviceName, Byte[] formatExtData, int formatSize)
                {
                    IntPtr ptrToFormat = Marshal.AllocHGlobal(formatSize);
                    Marshal.Copy(formatExtData, 0, ptrToFormat, formatSize);

                    int rval = LoadDLL.AudioSetDeviceFormat(pszDeviceName, ptrToFormat, IntPtr.Zero);
                    Marshal.FreeHGlobal(ptrToFormat);
                    return rval;
                }


            }

            public static bool verifySamplingRate(string deviceID)
            {
                EndpointCtrl control = new EndpointCtrl();
                bool result = false;
                string defSpeakerEndpoint = deviceID;
                IPolicyConfigHelper policyHelper = new IPolicyConfigHelper();
                WAVEFORMATEX defaultFormatEx = new WAVEFORMATEX();
                WAVEFORMATEX currentFormatEx = new WAVEFORMATEX();
                Byte[] defaultFormat = policyHelper.GetDeviceFormat(defSpeakerEndpoint, true, out defaultFormatEx);
                Byte[] currentFormat = policyHelper.GetDeviceFormat(defSpeakerEndpoint, false, out currentFormatEx);
                if (defaultFormatEx.nAvgBytesPerSec != currentFormatEx.nAvgBytesPerSec)
                {
                    result = true;
                }
                return result;
            }
            public static bool resetSamplingRate(string deviceID)
            {
                EndpointCtrl control = new EndpointCtrl();
                string defSpeakerEndpoint = deviceID;
                IPolicyConfigHelper policyHelper = new IPolicyConfigHelper();
                WAVEFORMATEX defaultFormatEx = new WAVEFORMATEX();
                WAVEFORMATEX currentFormatEx = new WAVEFORMATEX();
                Byte[] defaultFormat = policyHelper.GetDeviceFormat(defSpeakerEndpoint, true, out defaultFormatEx);
                Byte[] currentFormat = policyHelper.GetDeviceFormat(defSpeakerEndpoint, false, out currentFormatEx);

                policyHelper.SetDeviceFormat(defSpeakerEndpoint, defaultFormat, defaultFormat.Length);
                WAVEFORMATEX currentFormatEx2 = new WAVEFORMATEX();
                Byte[] currentFormat2 = policyHelper.GetDeviceFormat(defSpeakerEndpoint, false, out currentFormatEx2);
                control.Dispose();
                return true;
            }

            public static EndpointList[] GetAudioEndPointsbyType(string type)
            {

                EDataFlow dataflowtype = new EDataFlow();

                if (type == "Render")
                {
                    dataflowtype = EDataFlow.ERender;
                }
                else { dataflowtype = EDataFlow.ECapture; }

                EndpointCtrl control = new EndpointCtrl();
                EndpointList[] list = control.GetOutputDevicesByType(dataflowtype);




                return list;

            }
        }
   
}
"@
    Add-Type -TypeDefinition $AudioEndpointsSource
    $AudioEndpoints =  [Microsoft.Windows.Diagnosis.AudioResetDeviceFormats]

    return $AudioEndpoints
}


# Check whether TS_Main is running or Detecting Additional Problems on Windows 8.1 and above
Function Test-PostBack
{
    [CmdletBinding()]
    PARAM
    (
        [Alias('S')]
        [Parameter(Position = 1, Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string] $CurrentScriptName
    )
    PROCESS 
    {
        # Writing the trace to current directory
        $CurrentScriptName = ("{0}.temp" -f [System.IO.Path]::GetFileNameWithoutExtension($CurrentScriptName))

        if(Test-Path($CurrentScriptName))
        {
            return $true
        }

        'Executed' >> $CurrentScriptName
        return $false
    }
}







ScriptBlock ID: 8ca8a82b-3961-44d4-91d4-18eb6d87f7d7
경로: C:\WINDOWS\TEMP\SDIAG_0084a7c5-74fb-4e11-808e-b860e432e6e5\CL_Utility.ps1
이벤트 Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
    <EventID>4104</EventID>
    <Version>1</Version>
    <Level>3</Level>
    <Task>2</Task>
    <Opcode>15</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2022-07-06T20:28:13.3966458Z" />
    <EventRecordID>171</EventRecordID>
    <Correlation ActivityID="{273c00a}" />
    <Execution ProcessID="6980" ThreadID="9748" />
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>DESKTOP-</Computer>
    <Security UserID="S-1-5-1" />
  </System>
  <EventData>
    <Data Name="MessageNumber">8</Data>
    <Data Name="MessageTotal">8</Data>
    <Data Name="ScriptBlockText">...</Data>
    <Data Name="ScriptBlockId">8ca8a82b-3961-44d4-91d4-18eb6d87f7d7</Data>
    <Data Name="Path">C:\WINDOWS\TEMP\SDIAG_0084a7c5-74fb-4e11-808e-b860e432e6e5\CL_Utility.ps1</Data>
  </EventData>
</Event>






Anonymous

That's really long.

It's just something that is originally part of Windows.
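
An added example (not part of the original post or the comment above): one way to check 4104 events like these offline from exported event XML. It groups fragments by ScriptBlockId, orders them by MessageNumber, reports fragments missing from MessageTotal, and notes whether Path has the C:\WINDOWS\TEMP\SDIAG_<GUID>\ shape seen in both events; the function names, the path pattern and the sample events are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: the per-session folder shape is taken from the Path values in the
# two events quoted on this page (C:\WINDOWS\TEMP\SDIAG_<GUID>\<name>.ps1).
SDIAG_PATH = re.compile(
    r"^[A-Za-z]:\\Windows\\Temp\\SDIAG_[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}"
    r"\\[^\\]+\.ps1$",
    re.IGNORECASE,
)


def parse_4104(event_xml):
    """Return the fields of one exported 4104 event, or None for other event IDs."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "id": data["ScriptBlockId"],
        "number": int(data["MessageNumber"]),
        "total": int(data["MessageTotal"]),
        "text": data["ScriptBlockText"],
        "path": data.get("Path", ""),
        "level": root.findtext("e:System/e:Level", namespaces=NS),
    }


def reassemble(events_xml):
    """Group fragments by ScriptBlockId and rebuild each script in fragment order."""
    parts = defaultdict(dict)   # ScriptBlockId -> {MessageNumber: text}
    meta = {}                   # ScriptBlockId -> last parsed fragment
    for xml_text in events_xml:
        ev = parse_4104(xml_text)
        if ev is None:
            continue
        parts[ev["id"]][ev["number"]] = ev["text"]
        meta[ev["id"]] = ev
    report = []
    for sbid, frags in parts.items():
        total = meta[sbid]["total"]
        report.append({
            "script_block_id": sbid,
            "path": meta[sbid]["path"],
            "level": meta[sbid]["level"],
            # Fragments the log does not contain (rolled over, or not exported).
            "missing_fragments": [n for n in range(1, total + 1) if n not in frags],
            "script": "".join(frags[n] for n in sorted(frags)),
            "sdiag_path": bool(SDIAG_PATH.match(meta[sbid]["path"])),
        })
    return report


def _sample(number, total, text, sbid, path):
    # Constructed event in the same shape as the XML on this page (not real log data).
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>4104</EventID>'
        f'<Level>3</Level></System><EventData>'
        f'<Data Name="MessageNumber">{number}</Data>'
        f'<Data Name="MessageTotal">{total}</Data>'
        f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
        f'<Data Name="ScriptBlockId">{sbid}</Data>'
        f'<Data Name="Path">{escape(path)}</Data></EventData></Event>'
    )


# Constructed identifiers and paths, for illustration only.
PACK = r"C:\WINDOWS\TEMP\SDIAG_00000000-0000-0000-0000-000000000000"
ID_A = "00000000-0000-0000-0000-00000000000a"
ID_B = "00000000-0000-0000-0000-00000000000b"
ID_C = "00000000-0000-0000-0000-00000000000c"
SAMPLE_EVENTS = [
    _sample(2, 2, "return $a\n}", ID_A, PACK + r"\CL_Example.ps1"),   # out of order
    _sample(1, 2, "function F {\n", ID_A, PACK + r"\CL_Example.ps1"),
    _sample(8, 8, "Add-Type -TypeDefinition $src", ID_B, PACK + r"\CL_Other.ps1"),
    _sample(1, 1, "Write-Output 1", ID_C, r"C:\Users\Public\run.ps1"),
]

if __name__ == "__main__":
    for block in reassemble(SAMPLE_EVENTS):
        print(block["script_block_id"], block["path"],
              "sdiag" if block["sdiag_path"] else "other",
              "missing:", block["missing_fragments"])
```

A matching path is only a triage hint; the reassembled script text is what gets reviewed, and a block with missing fragments cannot be reviewed in full.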
