Why can't these files be accessed by the system via $stream = new-object system.IO.FileStream($file, "Open", "Read", "ReadWrite")?
Edit: I am running as Administrator.
I'm using the following script to enumerate and record hierarchy / file hashes for forensic analysis. I was having trouble using Get-FileHash on many system files which were open and found an alternative, which seems to have avoided that problem.
```powershell
Clear-Host
$root = [PSCustomObject]@{}
$d1 = [DateTimeOffset]::UtcNow.ToUnixTimeMilliseconds()
$global:i = 0
function FSSkimmer {
    Param(
        [Parameter(Mandatory=$True)][string]$path,
        [Parameter(Mandatory=$True)][PsCustomObject]$currentobject)
    $paths = gci $path | Select-Object -ExpandProperty Fullname
    foreach ($file in $paths) {
        write-host $file
        if (!$(get-item $file | Select-Object -ExpandProperty PSiscontainer)) {
            $name = get-item -LiteralPath $file -erroraction 'silentlycontinue' | Select-Object -ExpandProperty Name
            #$hash = Get-FileHash $file -Algorithm SHA1 -erroraction 'silentlycontinue' | Select-Object -ExpandProperty Hash
            $stream = new-object system.IO.FileStream($file, "Open", "Read", "ReadWrite")
            if ($stream)
            {
                $sha = new-object -type System.Security.Cryptography.SHA256Managed
                $bytes = $sha.ComputeHash($stream)
                $hash = [System.BitConverter]::ToString($bytes).Replace("-", [String]::Empty).ToLower();
                $stream.Dispose()
                $stream.Close()
                $sha.Dispose()
                #Measure-Command {(get-item $file).GetHashCode()} #| write-host
                #Measure-Command {$hash = Get-FileHash $file -Algorithm SHA256}
                #Measure-Command {$hash = Get-FileHash $file -Algorithm SHA1}
                #Measure-Command {$hash = Get-FileHash $file -Algorithm MD5}
                $global:i++
                if ($global:i % 1000 -eq 0) {
                    write-host $file
                    write-host $hash
                    $d2 = [DateTimeOffset]::UtcNow.ToUnixTimeMilliseconds()
                    $diff = $d2 - $d1
                    $rate = $diff / $global:i
                    Clear-Host
                    Write-Host "Number of files processed: $global:i at rate of $rate ms/file"
                }
                $currentobject | Add-Member -MemberType NoteProperty -Name $name -Value $hash -erroraction 'silentlycontinue'
            }
        }
        else {
            $dir_name = get-item -LiteralPath $file | Select-Object -ExpandProperty Name
            $dir = [PSCustomObject]@{}
            $currentobject | Add-Member -MemberType NoteProperty -Name "\$($dir_name)" -Value $(FSSkimmer -path $file -currentobject $dir) -erroraction 'silentlycontinue'
        }
    }
    return $currentobject
}
$null = FSSkimmer -path "C:\" -currentobject $root
#ConvertTo-Json -InputObject $root
```
However, on specific files I get an error:
```
C:\cygwin64\etc\pki\ca-trust\extracted\pem\objsign-ca-bundle.pem
C:\cygwin64\etc\pki\ca-trust\extracted\pem\README
C:\cygwin64\etc\pki\ca-trust\extracted\pem\tls-ca-bundle.pem
C:\cygwin64\etc\pki\ca-trust\extracted\README
C:\cygwin64\etc\pki\ca-trust\source
C:\cygwin64\etc\pki\ca-trust\source\anchors
C:\cygwin64\etc\pki\ca-trust\source\blacklist
C:\cygwin64\etc\pki\ca-trust\source\ca-bundle.legacy.crt
new-object : Exception calling ".ctor" with "4" argument(s): "The file cannot be accessed by the system.
"
At C:\Users\jonat\Desktop\script\test.ps1:15 char:27
+ ... $stream = new-object system.IO.FileStream($file, "Open", "Read", "R ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
```
It's important (since this is forensic analysis) that I cover every file, and I need to do so without any system down-time. What's the likely culprit here?
A few more files that threw the error:
```
C:\cygwin64\dev
C:\cygwin64\dev\mqueue
C:\cygwin64\dev\shm
C:\cygwin64\dev\fd
new-object : Exception calling ".ctor" with "4" argument(s): "The file cannot be accessed by the system.
"
At C:\Users\jonat\Desktop\script\test.ps1:15 char:27
+ ... $stream = new-object system.IO.FileStream($file, "Open", "Read", "R ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
C:\cygwin64\dev\stderr
new-object : Exception calling ".ctor" with "4" argument(s): "The file cannot be accessed by the system.
"
At C:\Users\jonat\Desktop\script\test.ps1:15 char:27
+ ... $stream = new-object system.IO.FileStream($file, "Open", "Read", "R ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
C:\cygwin64\dev\stdin
new-object : Exception calling ".ctor" with "4" argument(s): "The file cannot be accessed by the system.
"
At C:\Users\jonat\Desktop\script\test.ps1:15 char:27
+ ... $stream = new-object system.IO.FileStream($file, "Open", "Read", "R ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
C:\cygwin64\dev\stdout
new-object : Exception calling ".ctor" with "4" argument(s): "The file cannot be accessed by the system.
"
At C:\Users\jonat\Desktop\script\test.ps1:15 char:27
+ ... $stream = new-object system.IO.FileStream($file, "Open", "Read", "R ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
C:\cygwin64\etc
```
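An added example, not part of the original post: one way to keep every path in a forensic inventory even when the open fails is to catch the exception per file and record the entry's attributes and the underlying HRESULT next to the hash. The function name `Get-HashRecord` and the record fields are assumptions made for this illustration; that the failing entries carry a distinguishing attribute such as `ReparsePoint` is a hypothesis the output lets you check, not something the post establishes.

```powershell
# Added example (not from the original post). Get-HashRecord is a hypothetical name.
# Hashes one file; on failure it returns a record describing why instead of losing the path.
function Get-HashRecord {
    param([Parameter(Mandatory = $true)][string]$LiteralPath)

    # -Force also returns hidden/system entries; -LiteralPath avoids wildcard expansion.
    $item   = Get-Item -LiteralPath $LiteralPath -Force -ErrorAction Stop
    $record = [ordered]@{
        Path       = $item.FullName
        Attributes = $item.Attributes.ToString()
        IsReparse  = $item.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint)
        Sha256     = $null
        Error      = $null
        HResult    = $null
    }
    $stream = $null
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    try {
        # Same mode/access/share as the script in the post, using enum values.
        # ::new raises a terminating error, so the catch block below always sees it.
        $stream = [System.IO.FileStream]::new($item.FullName,
            [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
        $bytes  = $sha.ComputeHash($stream)
        $record.Sha256 = [BitConverter]::ToString($bytes).Replace('-', '').ToLower()
    }
    catch {
        # PowerShell wraps the .NET exception; unwrap to the innermost one.
        $ex = $_.Exception.GetBaseException()
        $record.Error   = $ex.Message.Trim()
        $record.HResult = '0x{0:X8}' -f $ex.HResult
    }
    finally {
        if ($stream) { $stream.Dispose() }
        $sha.Dispose()
    }
    [PSCustomObject]$record
}

# Usage: list every entry under one of the directories from the post that could not be hashed.
# Get-ChildItem -LiteralPath 'C:\cygwin64\etc\pki' -Recurse -Force -File |
#     ForEach-Object { Get-HashRecord -LiteralPath $_.FullName } |
#     Where-Object Error | Format-Table Path, Attributes, IsReparse, HResult
```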
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
