PS-TrustedDocuments: PowerShell script to handle information on trusted documents for Microsoft Office
Trusted documents are Microsoft Office document files that have been marked as trusted by enabling active content (such as macros) in them. A document file is marked as trusted when a user clicks the "Enable Editing" button or the "Enable Content" button in the message bar that Office displays when the file is opened.
Information on trusted documents is stored in the Windows registry and it contains these properties:
- File path
- Status (editing enabled or content (macro) enabled)
- File creation timestamp
- Status change timestamp (the last edit of the document or execution of the macro)
- Timezone offset
Information on trusted documents is useful for incident response relating to malicious Microsoft Office documents, because it shows when, and in which Microsoft Office document file, a malicious macro was executed. So I created Get-TrustedDocuments.ps1, a PowerShell script that displays information on trusted documents. I plan to create other PowerShell scripts to modify or remove information on trusted documents in the future.
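As an added illustration of that triage (example code written for this README, not the project's own script), the snippet below walks the Trusted Documents keys of the current user and decodes the parts of each TrustRecords value whose layout is well established: the value name is the document path, the first 8 bytes are a FILETIME (file creation timestamp) and the last 4 bytes are the status flag. It assumes the TrustRecords subkey name and those two fields; the status-change timestamp and timezone offset in the middle bytes are left as raw hex rather than guessed at.

```powershell
# Constructed example: enumerate trusted documents for the current user.
# Assumed layout (from the research referenced below, verify before relying on it):
#   value name      = document path (may contain %USERPROFILE%-style variables)
#   bytes 0-7       = FILETIME, file creation timestamp (UTC)
#   last 4 bytes    = 0x7FFFFFFF -> content (macro) enabled, 0x00000001 -> editing enabled
#   middle bytes    = status change time / timezone offset, shown raw here only
$root = 'HKCU:\SOFTWARE\Microsoft\Office'

Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |      # version keys, e.g. 16.0
  ForEach-Object {
    $version = $_.PSChildName
    Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
      $docType  = $_.PSChildName                                # Word, Excel, PowerPoint, ...
      $trustKey = "Registry::$($_.Name)\Security\Trusted Documents\TrustRecords"
      if (-not (Test-Path -Path $trustKey)) { return }
      $item = Get-Item -Path $trustKey
      foreach ($name in $item.GetValueNames()) {
        $data = [byte[]]$item.GetValue($name)
        if ($data.Length -lt 12) { continue }                  # need FILETIME + flag at least
        $created = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0))
        $flag    = [BitConverter]::ToUInt32($data, $data.Length - 4)
        $status  = switch ($flag) {
          0x7FFFFFFF { 'ContentEnabled' }                       # "Enable Content" was clicked
          1          { 'EditingEnabled' }                       # only "Enable Editing" was clicked
          default    { 'Unknown(0x{0:X8})' -f $flag }
        }
        [pscustomobject]@{
          Version    = $version
          DocType    = $docType
          Path       = $name
          CreatedUtc = $created
          Status     = $status
          RawHex     = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
        }
      }
    }
  } | Sort-Object CreatedUtc | Format-Table -AutoSize
```

During an investigation, a ContentEnabled entry whose path points at a file that arrived by email or download is the record to pivot on; the raw hex column lets you compare the undecoded bytes against the script's own output.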
How to use this script is described as follows. You can also use the Get-Help cmdlet to see the same information.
This script retrieves information on trusted documents for Microsoft Office stored under the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\[version]\[document type]\Security\Trusted Documents registry keys. It displays the status of each trusted document (editing enabled or content (macro) enabled), the file creation timestamp, and the status change timestamp (the last edit or execution of the macro; the time resolution of the status change timestamp is minutes).

```
PS> powershell -ExecutionPolicy Bypass .\Get-TrustedDocuments.ps1
    [[-DocumentType] <String>] [-EditingEnabledOnly] [-ContentEnabledOnly]
    [[-User] <String>] [[-HiveFilePath] <String>] [<CommonParameters>]
```

- DocumentType: Specifies the document type, such as Word, Excel, or PowerPoint. Only information on the specified document type will be displayed. This parameter is case insensitive.
- EditingEnabledOnly: If this parameter is specified, this script will display only information on documents for which editing is enabled.
- ContentEnabledOnly: If this parameter is specified, this script will display only information on documents for which content (macros) is enabled.
- User: Specifies the user. If neither this parameter nor the HiveFilePath parameter is specified, this script will display information for the current user. Administrator privilege is required to use this parameter to display information for another user.
- HiveFilePath: Specifies the path of an offline registry hive file (an NTUSER.DAT file extracted from another computer) to read information from. If neither this parameter nor the User parameter is specified, this script uses the HKEY_CURRENT_USER registry hive of the current user. Administrator privilege is required to use this parameter because this script temporarily loads the offline registry hive file under the HKEY_USERS\PS-TrustedDocuments registry key.
```powershell
# Displaying information on all trusted documents for the current user.
PS> powershell -ExecutionPolicy Bypass .\Get-TrustedDocuments.ps1

# Displaying information on trusted Word documents for the current user.
PS> powershell -ExecutionPolicy Bypass .\Get-TrustedDocuments.ps1 -DocumentType word

# Displaying information on trusted documents for which editing is enabled.
PS> powershell -ExecutionPolicy Bypass .\Get-TrustedDocuments.ps1 -EditingEnabledOnly

# Displaying information on trusted documents for which content (macros) is enabled.
PS> powershell -ExecutionPolicy Bypass .\Get-TrustedDocuments.ps1 -ContentEnabledOnly

# Displaying information on trusted documents for the specified user.
# Administrator privilege is required to display information for another user.
PS> powershell -ExecutionPolicy Bypass .\Get-TrustedDocuments.ps1 -User exampleuser

# Displaying information on trusted documents from an offline registry hive file.
# Administrator privilege is required.
PS> powershell -ExecutionPolicy Bypass .\Get-TrustedDocuments.ps1 -HiveFilePath .\extracted\NTUSER.DAT
```
I got great insight into the undocumented data structure and timestamp calculation of trusted documents from the code of OfficeForensicTools and tweets by Malwrologist (@DissectMalware). Thank you so much!
- Trusted documents (Microsoft)
- OfficeForensicTools by Malwrologist (@DissectMalware)
- A Twitter thread explaining undocumented data structure and timestamp calculation of trusted documents by Malwrologist (@DissectMalware)
- More on Trust Records, Macros and Security, Oh My! by Mari DeGrazia (@maridegrazia)
- MS Office File Format Sorcery by Pieter Ceelen & Stan Hegt
Nobutaka Mantani (Twitter: @nmantani)
The BSD 2-Clause License (http://opensource.org/licenses/bsd-license.php)