Import file hashes

File hashes can be imported in the Workspace Control Console using a command-line option:

Pwrtech.exe /importhashes=<file> /createifnotexists

Specify the full path to a CSV (comma delimited) or TXT file (tab delimited) for <file>.
More information about the format of CSV and TXT files, along with several examples, is given below.

CSV file

Format: <authorized file name or full path>,<file hash>,<process of authorized file (optional)>,<mode (optional)>,<WorkspaceContainer|WorkspaceContainer (optional)>

Enclose the file name or path in quotation marks if it includes spaces.

To remove files, file hashes, or specific Workspace Containers, the filenames, file hashes, or Workspace Containers in the CSV file must start with a hyphen (-).

TXT file

Format: <authorized file or application (or the full path to authorized file/application)> <file hash> <process of authorized file (optional)> <WorkspaceContainer|WorkspaceContainer (optional)>

Enclose the file name or path in quotation marks if it includes spaces.

To remove files, file hashes, or specific Workspace Containers, the filenames, file hashes, or Workspace Containers in the TXT file must start with a hyphen (-).

 

  • /createifnotexists is an optional value and specifies that the authorized file must be created if it does not yet exist. It will then be created with the specified file hash and process. This value is only applicable for authorized files.

Example:

The CSV file for the authorized file File_example contains the following data:

C:\windows\system32\notepad.exe,56746574657623856,cmd.exe

Command-line option:

Pwrtech.exe /importhashes=File_example /createifnotexists

Result:

The file hash 56746574657623856 will be imported for the authorized file C:\windows\system32\notepad.exe with process cmd.exe.
If the file hash does not yet exist, it will be created for notepad.exe with process cmd.exe.

If an application and an authorized file for C:\windows\system32\notepad.exe exist in the Console, the hash will be added to both the application and the authorized file.

  • The import of file hashes can be interrupted with CTRL+C. A message in the command box then shows the number of files that were imported up to the interrupt.
  • When using a command box, processing messages and errors are now displayed. An example of a processing message is how many file hashes were imported. An example of an error is that the import was not successful.
  • In case an error occurs during the import of file hashes, the error level is included with the error. The following errors could be returned:

    Error level   Description
    0             The import of file hashes was completed successfully.
    2             File could not be opened. For instance incorrect syntax or nonexistent file name.
    3             The import of file hashes was interrupted with CTRL+C.
    4             General failure to process the imported file. For instance, the database could not be reached.

    Error level in case the file could be opened, but the file contents are incorrect:

    Error level   Description
    401           Incorrect file hash.
    402           Incorrect value for "Type" (allow or deny) for a file hash.
    403           Unknown Workspace for a file hash. Only Workspaces that exist in the Workspace Control Console can be specified in the file.

When importing file hashes for Authorized Files using a CSV or TXT file, please take into consideration the following:

  • For each imported rule, the system checks if there are existing Authorized Files (global and application-level) that match the imported combination of authorized executable and additional process.
  • If one or more matches are found, then:
    • If the imported file hash is not yet listed in the matching Authorized Files, it is added to them.
    • If the imported file hash is already listed in the matching Authorized Files, and the imported file hash includes a Mode property (= Allow or Deny) then the imported file hash overwrites the Deny/Allow mode of the existing file hash.
      • If the imported file hash does not include a Mode property, then the file hash will be imported with an Allow mode.
    • If the imported rule includes Workspace information, then the specified Workspace Containers are added to or removed from Workspace Control on the matching global Authorized Files.
      • Application-level Authorized Files do not have Workspace Control, so Workspace changes do not take effect there.
      • If multiple Workspace Containers exist with the same name, they are all added or removed as result of the import. Alternatively, specify the Workspace Container GUID in the import rule.
  • Rules in the import are imported and processed top-down, so if the import contains multiple rules that update the same Authorized File or file hash, the end result depends on the order in which the rules appear in the file.
  • An import file that contains a string that is recognized as neither MD5 nor SHA-1 nor SHA-256 will cause the import of the entire file to fail.
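
Because one unrecognized hash fails the whole import and a later rule can silently flip an earlier Allow/Deny mode, it is worth checking a CSV file before handing it to Pwrtech.exe. The following pre-flight check is an added example, not part of the product or its documentation. The function name lint_import_csv is hypothetical, and it assumes hex-encoded hashes and case-insensitive matching of file and process names.

```python
import csv
import io
import re

# Hex digest lengths: MD5 = 32, SHA-1 = 40, SHA-256 = 64 (hex encoding assumed).
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
MODES = {"allow", "deny"}


def lint_import_csv(text):
    """Return (line_number, message) findings for CSV import file contents."""
    findings = []
    seen = {}  # (file, process, hash) -> (line_number, mode) of the latest rule
    reader = csv.reader(io.StringIO(text))
    for row in reader:
        line = reader.line_num
        if not row:
            continue  # blank line
        fields = [f.strip() for f in row] + [""] * 5
        name, digest, process, mode = fields[:4]
        if not name or not digest:
            findings.append((line, "expected <file>,<hash>[,<process>[,<mode>]]"))
            continue
        # A leading hyphen marks a removal; strip it before checking the digest.
        bare = digest[1:] if digest.startswith("-") else digest
        if not HASH_RE.match(bare):
            findings.append((line, "hash is not MD5, SHA-1 or SHA-256"))
        if mode and mode.lower() not in MODES:
            findings.append((line, "mode must be Allow or Deny"))
            continue
        if digest.startswith("-"):
            continue  # removal rule: no mode to compare
        # Rules apply top-down and a missing mode means Allow, so a later rule
        # for the same file, process and hash replaces the earlier mode.
        effective = mode.lower() or "allow"
        key = (name.lower(), process.lower(), bare.lower())
        if key in seen and seen[key][1] != effective:
            findings.append((line, f"overrides line {seen[key][0]}: {seen[key][1]} -> {effective}"))
        seen[key] = (line, effective)
    return findings


# Constructed sample: placeholder digests, not real file hashes.
SAMPLE = (
    '"C:\\Program Files\\App\\app.exe",' + "a" * 64 + ",cmd.exe,Deny\n"
    "C:\\windows\\system32\\notepad.exe," + "b" * 32 + ",cmd.exe,Block\n"
    "C:\\tools\\t.exe,12345\n"
    '"C:\\Program Files\\App\\app.exe",' + "a" * 64 + ",cmd.exe\n"
)
```

On the constructed sample, line 2 is flagged for its mode, line 3 for its hash, and line 4 because it turns the Deny rule from line 1 into an implicit Allow.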