{"id":1779,"date":"2014-03-23T00:01:00","date_gmt":"2014-03-23T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/03\/23\/weekend-scripter-use-powershell-to-investigate-file-signaturespart-2\/"},"modified":"2022-06-10T12:14:29","modified_gmt":"2022-06-10T19:14:29","slug":"weekend-scripter-use-powershell-to-investigate-file-signaturespart-2","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/weekend-scripter-use-powershell-to-investigate-file-signaturespart-2\/","title":{"rendered":"Weekend Scripter: Use PowerShell to Investigate File Signatures\u2014Part 2"},"content":{"rendered":"

Summary<\/strong>: Windows PowerShell MVP, Boe Prox, concludes this two-part series about investigating file signatures with Windows PowerShell and the .NET Framework.<\/p>\n

Microsoft Scripting Guy, Ed Wilson, is here. Welcome back guest blogger, Boe Prox<\/a>, for the conclusion of the two-part series he started yesterday. Also read Use PowerShell to Investigate File Signatures\u2014Part\u00a01<\/a>.<\/p>\n

Today I am going to demo a function that I wrote and discuss a couple of items that I came across while investigating the file signatures. But first, I am going to talk about a couple of things that helped shape the direction of my function, which is called Get-FileSignature<\/a> (the download is available on the Script Center Repository).<\/p>\n

I wanted to know if there was a way to easily determine if an extension had been altered by looking at the LastWriteTime<\/strong> time stamp. The reason is that if a drive or folder was being blocked from hosting files of a certain type, files that are already there could have their extension altered to avoid being detected by using a casual scan such as the following:<\/p>\n

\n Get-ChildItem -Filter *.iso\n<\/p>\n

You could use *.iso*, or *.iso.*, or any other means, but there is a potential to miss files in the scan. The point is that there is always the possibility of an extension being changed because a user knows of the file\u2019s impending removal.<\/p>\n

When I tested the LastWriteTime<\/strong> of a file after I changed the extension, I found that nothing changed and the time stamp remained the same.<\/p>\n

\n $file = Convert-Path en_windows_8_enterprise_x64_dvd_917522.iso\n<\/p>\n

\n Get-Item $File | Select Name,LastWriteTime\n<\/p>\n

\n Rename-Item -Path $File -NewName “$File.txt” -Verbose\n<\/p>\n

\n Get-Item “$File.name.txt” | Select Name,LastWriteTime\n<\/p>\n

\"Image<\/a><\/p>\n

As you can see, there is no change to LastWriteTime<\/strong> when the extension is changed. Fortunately, I am able to use a function that I wrote called Get-FileTimeStamp<\/a>. This function uses P\/Invoke to display the ChangeTime<\/strong> (also known as MFT TimeStamp), which updates with any change, including metadata changes such as the extension. (I also wrote a blog post about this topic: Finding a File\u2019s MFT Timestamp using PowerShell<\/a>.)<\/p>\n

\"Image<\/a><\/p>\n

Now I have a more useful way to determine if a file extension had been changed. I will reiterate that this is not a foolproof way of determining that the extension has changed because any change to the file (such as an attribute) will trigger the ChangeTime<\/strong> to update. The Get-FileSignature<\/strong> function uses a portion of the code from Get-FileTimeStamp<\/strong> to provide the ChangeTime<\/strong>.<\/p>\n

\n Get-Content vs. [io.file]::ReadAllBytes() vs. FileStream\n<\/p>\n

Next on my agenda was to find the most efficient way of getting the file signature. I needed a method that would take into account not only small files, but also larger files, such as the 3\u00a0GB ISO file that I am using in my examples today. I looked at three possible ways of getting the file signature:<\/p>\n