1

I am trying to read the LNK file not the target of the shortcut. The following PowerShell code reads the target of the shortcut into the variable rather than the shortcut file itself.

Here is the code that I used to create the LNK:

New-Item -ItemType SymbolicLink -Path $env:USERPROFILE\Desktop -Name "test.lnk" -Value "C:\Windows\System32\alg.exe"

Here is the code to read the LNK:

$file_data = Get-Content -Encoding Byte $env:USERPROFILE\Desktop\test.lnk
$encoded = [System.Convert]::ToBase64String($file_data)

Here is the contents of the variable $encoded

PS C:\Users\Administrator> $encoded
TVqQAAMAAAA

I have truncated the content here, but TVqQAAMAAAA is base64 for the first bytes of a Windows PE file: MZ......

Here is the contents of the variable $file_data:

PS C:\Users\Administrator> $file_data
77
90
144

I have truncated this, but 77 90 is enough to see that this is MZ which is the magic bytes for a PE executable that is the target of the LNK not the LNK itself.

The first characters of the resulting data should be TAAAAAEUA in base64 or 76 0 0 0 1 20 2 0 in integers if this has read what I need. These are the magic bytes for a LNK file.

How do I read the bytes of the shortcut itself into the variable?

Utkonos
  • 631
  • 6
  • 21
  • 1
    I'm unable to reproduce what you state in Windows PowerShell or PowerShell Core. If you are seeing something like this, it is not a real link file. – Santiago Squarzon Jul 15 '22 at 01:48

1 Answers1

3

Your later edits inadvertently changed the premise of your question: you're confusing shortcut files (.lnk) - a Windows (GUI) shell file format - with symbolic links - a file-system-level redirection to another file.

What your New-Item call creates is a symbolic link, not a shortcut file, even though you happened to choose the same filename extension (.lnk) - in other words: the resulting file-system entry is not valid shortcut file, and, due it being a symbolic link, accessing it with Get-Content indeed transparently redirects to the target of the symbolic link and reads its content.

  • To determine a given symbolic link's target path, you needn't read its content, just use something like (Get-Item $env:USERPROFILE\Desktop\mylink).Target

This answer addresses the original form of your question, relating to - true - shortcut files (.lnk), which can not be created with New-Item (see this answer for how to create them via COM):

$file_data = Get-Content -Encoding Byte $env:USERPROFILE\Desktop\test.lnk

does read the .lnk file itself (into an [object[]] array of [byte] instances), and not whatever executable the .lnk file happens to point to.

Unlike with symbolic links or other NTFS reparse points, no transparent redirection happens when a shortcut file (.lnk) is targeted, because to the file system such files are just regular files. It is the Windows (GUI) shell that interprets such files as pointing elsewhere (to an executable with arguments or to a document).

As an aside:

  • A more efficient way to read a file as raw bytes is to combine -Encoding Byte with -Raw in a Get-Content call, which reads the file as a whole in a single operation and returns a strongly typed [byte[]] array.

  • Also note that in PowerShell (Core) 7+ -AsByteStream must be used in lieu of -Encoding Byte.

mklement0
  • 382,024
  • 64
  • 607
  • 775