Audit Office Documents with Macros with Powershell

Every organisation sooner or later has to deal with macro-enabled Office documents. Risk assessment and auditing are the first steps when planning to disable macros via Group Policy, or simply to mitigate the risk they imply.

The priority should be to identify real usage and to avoid any untrusted macro. In this article I will try to help you create a simple report, using PowerShell to find macro-enabled documents.

This example function creates a list of all files in a drive or a specific folder whose extension is associated with macro-enabled Microsoft Office documents.

To get a report for all drives (where used space is greater than 0) in a one-liner:

Feel free to re-use this script! Remember to check my GitHub repository for the latest version.
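
The audit described in this article, as an added example rather than the author's script (which is not reproduced on this page). It goes one step beyond the extension match: each file is opened as an Office Open XML package to check for a `vbaProject.bin` part, and a Mark-of-the-Web stream is flagged. The function name, output columns and sample paths are assumptions, and Windows with NTFS volumes is assumed.

```powershell
# Added example, not the article's script. Function name and output columns are hypothetical.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-MacroEnabledOfficeFile {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    begin {
        # Macro-enabled Office Open XML extensions (Word, Excel, PowerPoint)
        $extensions = '.docm', '.dotm', '.xlsm', '.xltm', '.xlam',
                      '.pptm', '.potm', '.ppam', '.ppsm', '.sldm'
    }
    process {
        Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
            ForEach-Object {
                $file = $_
                # Stays $null if the file cannot be read as a ZIP package
                # (locked, corrupt, or password-encrypted and therefore not a ZIP)
                $hasVba = $null
                try {
                    $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
                    try {
                        # A VBA project is stored as a package part named vbaProject.bin
                        $hasVba = [bool]($zip.Entries | Where-Object { $_.Name -eq 'vbaProject.bin' })
                    } finally { $zip.Dispose() }
                } catch {
                    Write-Verbose "Cannot inspect $($file.FullName): $($_.Exception.Message)"
                }
                # Zone.Identifier alternate data stream = Mark of the Web (NTFS only)
                $motw = [bool](Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)
                [pscustomobject]@{
                    FullName      = $file.FullName
                    Extension     = $file.Extension
                    HasVbaProject = $hasVba
                    MarkOfTheWeb  = $motw
                    LastWriteTime = $file.LastWriteTime
                }
            }
    }
}

# One folder or volume (sample path):
# Find-MacroEnabledOfficeFile -Path 'D:\' | Format-Table -AutoSize
# Every file-system drive with used space greater than 0:
# (Get-PSDrive -PSProvider FileSystem | Where-Object Used -gt 0).Root |
#     Find-MacroEnabledOfficeFile | Export-Csv .\macro-files.csv -NoTypeInformation
```

Rows where `HasVbaProject` is true and `MarkOfTheWeb` is true are the ones to review first when the goal is to separate real internal usage from untrusted macros.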

2 Replies to “Audit Office Documents with Macros with Powershell”

  1. Hi Mate,
    Thanks for sharing. I am aiming to see which files have macros enabled. Where to get started and where to execute the script you have mentioned above?

    I am fairly new to PowerShell.

    Thanks

    1. Hi Azeem,
      Thanks for your comment. I’m glad you find this useful. If you are new to PowerShell, this script is quite simple except for the one-liner at the bottom of the article.
      You can download the script from the github repository or copy and paste into your editor with “ps1” as extension.
      At the bottom of the file you can add this line if you want to scan the volume you would like to scan for instance “D:”

      Get-FilesWithMacros "d:\" | ft

      If you want to run it for all drives (even the external) attached you can copy and paste the one-liner at the end of the article instead.

      Regards
