Windows: search for log4j*.jar and check the implementation version (run as administrator on each Windows machine; PowerShell v5.1)

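Please note: This is intended as a quick search for traditionally installed software. It will not always find the issue in commercial software or where people have changed the names of files; for example, Log4j classes bundled inside another JAR or WAR are not found, because only files whose names match log4j*.jar are checked.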

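# Quick Log4j inventory scan over PowerShell remoting.
#
# For every server named in $File this opens a PSSession, searches all local
# fixed disks for files matching $JarFilter, reads Implementation-Version from
# each JAR's META-INF/MANIFEST.MF and sorts the hit into one of two reports:
#   $ResultLocationCheck - major version 2 or higher, or version unknown
#   $ResultLocationSafe  - major version below 2
# Limitations: only file names matching $JarFilter are inspected, so Log4j
# bundled inside another archive or shipped under a different name is missed.
# "Check" means "needs a human": compare each version against the current
# Apache Log4j security advisory. "Safe" only means "not Log4j 2.x"; 1.x is
# end-of-life and should still be tracked.
$File = 'D:\ServerList\EMweb_jar.txt'
$StartTime = (Get-Date).ToString("yyyyMMdd-HHmmss")
$JarFilter = 'log4j*.jar'
# NOTE(review): C:\Users\Public\Downloads is readable by every local user, on
# this machine and on each scanned server. The reports list where vulnerable
# libraries live; consider an admin-only directory and delete the remote
# copies once they have been collected.
$Transcript = "C:\Users\Public\Downloads\Transcript$StartTime.txt"
Start-Transcript -Path $Transcript
$ResultLocationSafe = "C:\Users\Public\Downloads\Log4jScanSafe$StartTime.txt"
$ResultLocationCheck = "C:\Users\Public\Downloads\Log4jScanCheck$StartTime.txt"
$Servers = Get-Content $File
Write-Host $Servers -ForegroundColor Cyan
# Servers that could not be reached; reported at the end so that a failed
# connection is never mistaken for a clean result.
$Unreachable = @()
ForEach ($Server in $Servers) {
    # Reset per-server state so a failure cannot re-append the previous
    # server's results.
    $Session = $null
    $ReturnRemoteJarList = $null
    try {
        $Session = New-PSSession -ComputerName $Server -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not connect to $Server - NOT scanned: $($_.Exception.Message)"
        $Unreachable += $Server
        continue
    }
    try {
        $ReturnRemoteJarList = Invoke-Command -Session $Session {
            Write-Host "Searching $using:Server, $env:COMPUTERNAME" -ForegroundColor Green
            $HDs = (Get-WmiObject -Class Win32_logicaldisk -Filter "DriveType = '3'").DeviceID
            # Add-Type emits nothing. LoadWithPartialName returned the Assembly
            # object, which leaked into this script block's output and from
            # there into the local report (the "GAC Version Location" rows).
            Add-Type -AssemblyName System.IO.Compression.FileSystem
            Write-Host "Hard drive/s to search through- $HDs" -ForegroundColor Yellow
            ForEach ($HD in $HDs) {
                # fff = milliseconds (the former trailing "mmm" repeated the minutes).
                $TimeStamp = (Get-Date).ToString("yyyyMMdd-HHmmssfff")
                Write-Host "Searching $HD drive, $TimeStamp" -ForegroundColor Yellow
                $JarFiles = Get-ChildItem -Path "$HD\" -Filter $using:JarFilter -Recurse -ErrorAction SilentlyContinue -Force | %{$_.FullName}
                ForEach ($JarFile in $JarFiles) {
                    # Read only the manifest entry straight from the archive.
                    # Nothing is extracted to disk, so the contents of an
                    # arbitrary JAR are never written into %TEMP%.
                    $JarVersion = ''
                    $Zip = $null
                    try {
                        $Zip = [System.IO.Compression.ZipFile]::OpenRead($JarFile)
                        $Manifest = $Zip.Entries |
                            Where-Object { $_.FullName -eq 'META-INF/MANIFEST.MF' } |
                            Select-Object -First 1
                        if ($Manifest) {
                            $Reader = New-Object System.IO.StreamReader($Manifest.Open())
                            try {
                                while ($null -ne ($Line = $Reader.ReadLine())) {
                                    if ($Line -match '^Implementation-Version:\s*(.+)$') {
                                        $JarVersion = $Matches[1].Trim()
                                        break
                                    }
                                }
                            }
                            finally { $Reader.Dispose() }
                        }
                    }
                    catch {
                        Write-Warning "Could not read $JarFile on $env:COMPUTERNAME : $($_.Exception.Message)"
                    }
                    finally {
                        if ($Zip) { $Zip.Dispose() }
                    }
                    # Compare the numeric major version. The former
                    # "$JarVersion -ge 2" was a string comparison, and a JAR
                    # with no readable version fell through to the Safe report.
                    $Major = $null
                    if ($JarVersion -match '^(\d+)') { $Major = [int]$Matches[1] }
                    if ([string]::IsNullOrEmpty($JarVersion)) { $JarVersion = 'unknown' }
                    if ($null -eq $Major -or $Major -ge 2) {
                        Write-Host "$env:COMPUTERNAME, $JarFile, $JarVersion" -ForegroundColor Red
                        echo "$env:COMPUTERNAME, $JarFile, $JarVersion" >> $using:ResultLocationCheck
                    }
                    else {
                        Write-Host "$env:COMPUTERNAME, $JarFile, $JarVersion" -ForegroundColor White
                        echo "$env:COMPUTERNAME, $JarFile, $JarVersion" >> $using:ResultLocationSafe
                    }
                }
            }
            if (Test-Path $using:ResultLocationCheck) {
                Write-Host "$env:COMPUTERNAME's result was sent to $using:ResultLocationCheck on $env:COMPUTERNAME" -ForegroundColor Cyan
            }
            else {
                Write-Host "$using:JarFilter version 2+ was not found on $env:COMPUTERNAME." -ForegroundColor Green
            }
            $RemoteJarList = Get-Content $using:ResultLocationCheck -ErrorAction SilentlyContinue
            Return $RemoteJarList
        }
    }
    finally {
        # Close the session on the calling side. This used to sit after
        # "Return" inside the remote script block, where it never ran.
        Remove-PSSession $Session
    }
    # Append only real findings, so the Test-Path check below stays meaningful.
    if ($ReturnRemoteJarList) {
        echo $ReturnRemoteJarList >> $ResultLocationCheck
    }
}
if (Test-Path $ResultLocationCheck) {
    Write-Host "All the log4j v2+ results were sent to $ResultLocationCheck on $env:COMPUTERNAME" -ForegroundColor Cyan
}
else {
    Write-Host "$JarFilter version 2+ was not found on the computer/s from the list at $File" -ForegroundColor Green
}
if ($Unreachable.Count -gt 0) {
    Write-Warning "These servers were NOT scanned (connection failed): $($Unreachable -join ', ')"
}
Stop-Transcript
Exit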

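Example output (the "GAC Version Location PSComputerName" rows are the assembly-load object echoed by the script for each server, not findings):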

PS C:\Users\thn17-adm> cat D:\ServerList\EMweb_jar.txt
*****.rad.rutgers.edu
*****.rad.rutgers.edu
*****.rad.rutgers.edu

PS C:\Users\thn17-adm> cat C:\Users\Public\Downloads\Log4jScanCheck20211218-185253.txt
GAC Version Location PSComputerName
— ——- ——– ————–
True v4.0.30319 C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934… em-web1-tst.rad.rutgers.edu
GAC Version Location PSComputerName
— ——- ——– ————–
True v4.0.30319 C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934… shp-cfapp-prd-asb.rad.rutgers.edu
SHP-CFAPP-PRD-A, C:\ColdFusion2018\cfusion\hf-updates\hf-2018-00012-328566\backup\lib\log4j-api-2.9.0.jar, 2.9.0
SHP-CFAPP-PRD-A, C:\ColdFusion2018\cfusion\hf-updates\hf-2018-00012-328566\backup\lib\log4j-core-2.9.0.jar, 2.9.0
SHP-CFAPP-PRD-A, C:\ColdFusion2018\cfusion\hf-updates\hf-2018-00012-328566\backup\lib\log4j-to-slf4j-2.9.1.jar, 2.9.1
SHP-CFAPP-PRD-A, C:\ColdFusion2018\cfusion\hf-updates\hf-2018-00013-329786\backup\lib\log4j-api-2.13.3.jar, 2.13.3
SHP-CFAPP-PRD-A, C:\ColdFusion2018\cfusion\hf-updates\hf-2018-00013-329786\backup\lib\log4j-core-2.13.3.jar, 2.13.3
SHP-CFAPP-PRD-A, C:\ColdFusion2018\cfusion\hf-updates\hf-2018-00013-329786\backup\lib\log4j-to-slf4j-2.13.3.jar, 2.13.3
SHP-CFAPP-PRD-A, C:\ColdFusion2018\cfusion\lib\log4j-api-2.16.0.jar, 2.16.0
SHP-CFAPP-PRD-A, C:\ColdFusion2018\cfusion\lib\log4j-core-2.16.0.jar, 2.16.0
SHP-CFAPP-PRD-A, C:\ColdFusion2018\cfusion\lib\log4j-to-slf4j-2.16.0.jar, 2.16.0
GAC Version Location PSComputerName
— ——- ——– ————–
True v4.0.30319 C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934… em-web2-tst.rad.rutgers.edu