AMSI Provider Information
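function AMSI-Authenticode {
    <#
    .SYNOPSIS
        Shows or changes whether AMSI requires its providers to be Authenticode-signed.
    .DESCRIPTION
        Reads or writes the DWORD value FeatureBits under HKLM:\SOFTWARE\Microsoft\AMSI.
        This script treats 0x2 as "Authenticode signing enabled" and 0x1 as "disabled";
        with neither switch the current value is reported.
        Writing to HKLM needs an elevated session. A failed write now surfaces as a
        terminating error instead of being followed by a misleading success message,
        and the two switches are mutually exclusive instead of Enable silently winning.
    .PARAMETER EnableAuthenticodeSigning
        Set FeatureBits to 0x2.
    .PARAMETER DisableAuthenticodeSigning
        Set FeatureBits to 0x1. This relaxes validation of the provider DLLs AMSI loads,
        so the change should be deliberate, logged and reverted when no longer needed.
    .OUTPUTS
        System.String status message.
    #>
    [CmdletBinding(DefaultParameterSetName = 'Query')]
    param (
        [Parameter(Mandatory = $false, ParameterSetName = 'Enable')]
        [switch]$EnableAuthenticodeSigning,

        [Parameter(Mandatory = $false, ParameterSetName = 'Disable')]
        [switch]$DisableAuthenticodeSigning
    )

    $amsiKey   = 'HKLM:\SOFTWARE\Microsoft\AMSI'
    $valueName = 'FeatureBits'

    switch ($PSCmdlet.ParameterSetName) {
        'Enable' {
            # -ErrorAction Stop: otherwise a write that fails (e.g. not elevated) would
            # still be followed by the success message below.
            Set-ItemProperty -Path $amsiKey -Name $valueName -Value 0x2 -Type DWord -ErrorAction Stop
            Write-Output "Authenticode signing has been enabled."
        }
        'Disable' {
            Set-ItemProperty -Path $amsiKey -Name $valueName -Value 0x1 -Type DWord -ErrorAction Stop
            Write-Output "Authenticode signing has been disabled."
        }
        default {
            $featureBits = Get-ItemPropertyValue -Path $amsiKey -Name $valueName -ErrorAction SilentlyContinue
            # $null on the left-hand side so a collection result is not treated as a filter.
            if ($null -eq $featureBits) {
                Write-Output "AMSI is not detected."
            } else {
                # Exact match on 0x2 follows this script's convention; if FeatureBits is a
                # bitmask, ($featureBits -band 0x2) would be the more tolerant test — confirm
                # against the AMSI documentation before changing.
                $status = if ($featureBits -eq 0x2) { "enabled" } else { "disabled" }
                Write-Output "Authenticode signing is $status. The current value of FeatureBits is $featureBits."
            }
        }
    }
}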
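function AMSI-Providers {
    <#
    .SYNOPSIS
        Lists the AMSI providers registered on this machine and the DLL each one loads.
    .DESCRIPTION
        Enumerates the subkeys of HKLM:\SOFTWARE\Microsoft\AMSI\Providers (one per provider
        CLSID), resolves each CLSID's InProcServer32 default value to the provider DLL path,
        and prints the provider name, CLSID, DLL path and the DLL's Authenticode signature
        status. Missing keys are reported per provider instead of aborting the listing, so
        the output can serve as an inventory for baselining or triage.
    .OUTPUTS
        None. Results are written to the host.
    #>
    [CmdletBinding()]
    param ()

    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

    # One subkey per registered provider, named by its CLSID.
    $providerSubkeys = Get-ChildItem -Path $providersKey -ErrorAction SilentlyContinue
    if (-not $providerSubkeys) {
        Write-Host "No AMSI providers are registered under $providersKey."
        return
    }

    foreach ($subkey in $providerSubkeys) {
        $providerName = (Get-ItemProperty -Path $subkey.PSPath).'(default)'
        # PSChildName is the leaf key name, i.e. the CLSID.
        $clsid = $subkey.PSChildName
        $clsidPath = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"

        # A CLSID without an InProcServer32 key cannot be loaded as a provider; report it
        # rather than let the error abort the remaining entries.
        $dllPath = (Get-ItemProperty -Path $clsidPath -ErrorAction SilentlyContinue).'(default)'
        if ($dllPath) {
            # Strip surrounding quotes and expand %VAR% references so the path can be
            # tested and its signature checked.
            $dllPath = [Environment]::ExpandEnvironmentVariables($dllPath.Trim('"'))
        }

        $signature = if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
            (Get-AuthenticodeSignature -FilePath $dllPath).Status
        } elseif ($dllPath) {
            'file not found'
        } else {
            'no InProcServer32 entry'
        }

        Write-Host "Provider Name: $providerName"
        Write-Host "GUID: $clsid"
        Write-Host "DLL Path: $dllPath"
        Write-Host "Signature: $signature"
        Write-Host ""
    }
}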