Fix-Log4j-PowershellScript (CVE-2021-44228)

search and remove JNDI Lookup Class from log4j.jar files on the system with Powershell (Windows)
make sure you use the latest script release!

Release version 1.6.2 and above

Killmode for Java processes implemented. ($killMode)
defaults to $false if not changed manually! Be careful using this feature!

the script can be deployed manually, with GPO or deployment tools like SCCM.

Features and Info:

by default the script searches on C:\ if not changed
-can be changed to search on all local drives with $searchAllDrives = $true in the script
-can be changed to search a specific path with $searchPath = "C:\your\folder\to\search\

by default the script creates a backup of the file(s) in the same folder were the jar files was found, before removing the class
-can be disabled with $enableBackup set to $false in the script

by default the script validates if the jndilookup.class has been removed from the jar file

by default if the class is still detected and the jar file was not modified, the backup file will be cleaned up.
-can be disabled with $removeBkOnFailure set to $false

by default the script searches for running java processes and write a warning in the log and console.
-KillMode for java prcesses can be enabled by $killMode set to $true - be careful with that!

Generate a log file in the scripts root directory

Generate readable console output

How to run the script:

Please read the script and modify it if needed before you execute it!
execute the script with elevated Powershell.exe or with deploment tools like SCCM.
"powershell.exe -file "C:\Path\To\Script\Fix-log4j_jndi_7zip.ps1" -executionpolicy Bypass"

Tested on Windows 10, Server 2012R2, 2016 and 2019.

Credits:

7-Zip is used to delete the class in the jar file and verify the removal.

Source: https://www.7-zip.org/
7-Zip Copyright (C) 1999-2021 Igor Pavlov.

THE SCRIPT IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND.