powershell.exe -ExecutionPolicy Restricted -Command
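function Get-UEFIX509Certificates {
    <#
    .SYNOPSIS
    Enumerates the X.509 certificates stored in the UEFI Secure Boot 'db' variable.

    .DESCRIPTION
    Reads the raw 'db' bytes via Get-SecureBootUEFI and walks the sequence of
    EFI_SIGNATURE_LIST structures it contains. Only lists whose SignatureType is
    the X.509 GUID are decoded; every list, matching or not, is skipped using its
    own SignatureListSize so the parser stays aligned on the next header (the
    previous version fell out of alignment on the first non-X.509 list, and also
    assumed SignatureHeaderSize was always zero).

    .OUTPUTS
    Array of PSCustomObject with SignatureOwner ([Guid]) and Subject ([string]).
    Returns an empty array when the variable cannot be read. Malformed or
    truncated data stops the walk with a message rather than throwing; an entry
    whose bytes do not decode as a certificate is reported and skipped.
    #>
    $Certs = @()
    try {
        $UefiDb = Get-SecureBootUEFI -Name db
        $Stream = [IO.MemoryStream]::New($UefiDb.Bytes)
    } catch {
        Write-Host 'Failed to get UEFI db:',$_.Exception.Message
        return $Certs
    }

    # EFI_SIGNATURE_LIST header layout (all little-endian):
    #   SignatureType(16) SignatureListSize(4) SignatureHeaderSize(4) SignatureSize(4)
    $HeaderLength = 28
    $X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

    while ($Stream.Position -lt $Stream.Length) {
        $ListStart = $Stream.Position
        $Header = New-Object byte[] $HeaderLength
        if ($Stream.Read($Header, 0, $HeaderLength) -ne $HeaderLength) {
            Write-Host 'Truncated EFI_SIGNATURE_LIST header at offset',$ListStart
            break
        }
        $SignatureTypeGUID = [Guid]::New([byte[]]$Header[0..15])
        $ListSize = [BitConverter]::ToUInt32($Header, 16)
        $HdrSize  = [BitConverter]::ToUInt32($Header, 20)
        $SigSize  = [BitConverter]::ToUInt32($Header, 24)
        $ListEnd  = $ListStart + $ListSize

        # A list shorter than its own header, or extending past the variable,
        # cannot be walked safely; stop rather than read garbage as headers.
        if ($ListSize -lt $HeaderLength -or $ListEnd -gt $Stream.Length) {
            Write-Host 'Malformed EFI_SIGNATURE_LIST at offset',$ListStart,'size',$ListSize
            break
        }

        # Each signature entry is SignatureOwner(16) followed by the certificate,
        # so anything not larger than 16 bytes carries no certificate at all
        # (this check also prevents the division by zero below).
        if ($SignatureTypeGUID -eq $X509Guid -and $SigSize -gt 16) {
            # Signature data begins after the optional SignatureHeader.
            $Stream.Position = $ListStart + $HeaderLength + $HdrSize
            # Floor: a trailing partial entry is ignored instead of being read
            # past the list boundary.
            $CertificateCount = [math]::Floor(($ListSize - $HeaderLength - $HdrSize) / $SigSize)
            for ($i = 0; $i -lt $CertificateCount; $i++) {
                $Entry = New-Object byte[] $SigSize
                if ($Stream.Read($Entry, 0, $SigSize) -ne $SigSize) {
                    Write-Host 'Truncated X.509 signature entry in list at offset',$ListStart
                    break
                }
                $SignatureOwner = [Guid]::New([byte[]]$Entry[0..15])
                $CertificateData = [byte[]]$Entry[16..($SigSize - 1)]
                try {
                    $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$CertificateData)
                } catch {
                    # Report and keep going: one bad entry should not hide the rest of the db.
                    Write-Host 'Skipping undecodable X.509 entry owned by',$SignatureOwner,':',$_.Exception.Message
                    continue
                }
                $Certs += [PSCustomObject]@{
                    SignatureOwner = $SignatureOwner
                    Subject = $Certificate.Subject
                }
            }
        }

        # Always resume at the next list, regardless of its type or how much of
        # it was consumed above.
        $Stream.Position = $ListEnd
    }
    return $Certs
}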
# Result flag: 0 = no finding, 1 = a 'Windows UEFI CA 2023' certificate is
# present in the db whose SignatureOwner is not the expected owner GUID below.
$Res = 0
$Certs = Get-UEFIX509Certificates
Write-Host 'Found',$Certs.Count,'certificates'

# Owner GUID the script expects on the 2023 CA entry
# (presumably the vendor's Secure Boot owner GUID — confirm against your policy source).
$ExpectedOwner = [Guid]'77fa9abd-0359-4d32-bd60-28f4e78f784b'

foreach ($Cert in $Certs) {
    $IsWindowsUefiCa2023 = $Cert.Subject.StartsWith('CN=Windows UEFI CA 2023,')
    if (-not $IsWindowsUefiCa2023) {
        continue
    }
    if ($Cert.SignatureOwner -ne $ExpectedOwner) {
        # First mismatch is enough; no need to inspect the remaining entries.
        $Res = 1
        break
    }
}
Write-Host 'Final result:',$Res