Audit Office Documents with Macros with PowerShell

Every organisation sooner or later has to deal with macro-enabled Office documents. Risk assessment and auditing are the first steps when planning to disable macros via group policy, or simply to mitigate the risk they imply.

The priority should be to target real usage and avoid any untrusted macro. In this article I will help you create a simple report, using PowerShell to find documents with macros enabled.

This example function creates a list of all files in a drive or a specific folder whose extension is associated with macro-enabled Microsoft Office documents.

To get a report of all drives (where used space is greater than 0) in a one-liner:

Feel free to re-use this script! Remember to check my GitHub repository for the latest version.
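
An added example, not the author's script from the GitHub repository: a PowerShell function that lists files with macro-enabled Office Open XML extensions and, going beyond the extension match described above, checks whether each package really contains a `vbaProject.bin` part. The function name `Find-MacroEnabledDocument`, its output fields and the report file name are assumptions made for this example.

```powershell
# Added example: function name, output fields and report path are hypothetical.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-MacroEnabledDocument {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Path
    )
    # Office Open XML extensions for macro-enabled documents, templates and add-ins
    $extensions = '.docm', '.dotm', '.xlsm', '.xltm', '.xlam',
                  '.pptm', '.potm', '.ppsm', '.ppam', '.sldm'

    # SilentlyContinue skips folders the auditing account cannot read
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file   = $_      # keep the file; $_ is the error record inside catch
            $hasVba = $null   # stays $null when the package cannot be inspected
            try {
                $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
                try {
                    # VBA code lives in a part named vbaProject.bin (under word/, xl/ or ppt/)
                    $hasVba = [bool]($zip.Entries |
                        Where-Object { $_.Name -ieq 'vbaProject.bin' })
                } finally {
                    $zip.Dispose()
                }
            } catch {
                # Locked, corrupt or password-protected files are not readable as ZIP
                Write-Verbose "Cannot inspect $($file.FullName): $($_.Exception.Message)"
            }
            [pscustomobject]@{
                FullName      = $file.FullName
                Extension     = $file.Extension
                Length        = $file.Length
                LastWriteTime = $file.LastWriteTime
                HasVbaProject = $hasVba
            }
        }
}

# Report for every file system drive with used space greater than 0
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 } |
    ForEach-Object { Find-MacroEnabledDocument -Path $_.Root } |
    Export-Csv -Path .\macro-report.csv -NoTypeInformation
```

Rows where `HasVbaProject` is empty need a manual look: the file matched by extension but could not be opened as a ZIP package.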

4 Replies to “Audit Office Documents with Macros with PowerShell”

  1. Hi Mate,
    Thanks for sharing. I am aiming to see which files have macros enabled. Where to get started and where to execute the script you have mentioned above?

    I am fairly new to powershell.

    Thanks

    1. Hi Azeem,
      Thanks for your comment. I’m glad you find this useful. If you are new to PowerShell this script is quite simple except for the one-liner at the bottom of the article.
      You can download the script from the github repository or copy and paste into your editor with “ps1” as extension.
      At the bottom of the file you can add this line if you want to scan the volume you would like to scan for instance “D:”

      Get-FilesWithMacros "d:\" | ft

      If you want to run it for all drives (even the external) attached you can copy and paste the one-liner at the end of the article instead.

      Regards

  2. This only locates files saved in macro enabled file formats.

    Old office file formats, e.g. .doc, .xls and .ppt can also contain macros.

    Also, files saved in macro enabled formats can exist without actually containing macros.

    The proper way to check is by creating application com objects for excel, word etc, in powershell, then using the com objects you can query the files to see if the property “HasVBProject” is set to true. This way you can identify all office files that contain macros regardless of the file format.

    1. Hi Thomas,
      Thanks for your comment. I think your feedback is great.

      The only objection that I have is that doc, xls, ppt files are almost extinct today, I haven’t seen one in the last decade. Considering we don’t see documents older than 2007 very frequently.

      The com/dll approach or using the office interop assemblies and embedding C# into a powershell script are all viable options, but I will go down that route only if again I am dealing with files that are really old.
