get-childitem and certs issue

This topic contains 18 replies, has 5 voices, and was last updated by  scott s 3 months, 2 weeks ago.

  • Author
    Posts
  • #92504

    scott s
    Participant

    im am having issues using the get-childitem command on certs and the -eku parmateter see below

    same issue if I use

    get-childitem -path cert:\currentuser -recurse -eku "*client*"
    or
    PS Cert:\> get-childitem -eku "*client*"
    Get-ChildItem : A parameter cannot be found that matches parameter name 'eku'.
    At line:1 char:15
    + get-childitem -eku "*client*"
    + ~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

  • #92507

    Jon
    Participant

    Get-Childitem

    -eku isn't an available parameter

  • #92510

    Richard Siddaway
    Moderator

    -Eku is a dynamic parameter that becomes available when you change to the cert: drive

    PS> Get-Command Get-ChildItem -Syntax
    
    Get-ChildItem [[-Path] ] [[-Filter] ] [-Include ] [-Exclude ] [-Recurse] [-Depth ] [-Force] [-Name] [-UseTransaction] [-Attributes ] [-Directory] [-File] [-Hidde
    n] [-ReadOnly] [-System] []
    
    Get-ChildItem [[-Filter] ] -LiteralPath  [-Include ] [-Exclude ] [-Recurse] [-Dept
    h ] [-Force] [-Name] [-UseTransaction] [-Attributes ] [-Directory] [-File] [-Hi
    dden] [-ReadOnly] [-System] []
    
    PS> cd cert:
    PS> Get-Command Get-ChildItem -Syntax
    
    Get-ChildItem [[-Path] ] [[-Filter] ] [-Include ] [-Exclude ] [-Recurse] [-Depth ] [-Force] [-Name] [-UseTransaction] [-CodeSigningCert] [-DocumentEncryptionCert] [-SSLServerAuthentication] [-Dn
    sName ] [-Eku ] [-ExpiringInDays ] []
    
    
    Get-ChildItem [[-Filter] ] -LiteralPath  [-Include ] [-Exclude ] [-Recurse] [-Dept
    h ] [-Force] [-Name] [-UseTransaction] [-CodeSigningCert] [-DocumentEncryptionCert] [-SSLServerAuthentication] [
    -DnsName ] [-Eku ] [-ExpiringInDays ] []
    

    so this will work

    PS> cd cert:
    PS> Get-ChildItem -Path .\\CurrentUser\ -Recurse -Eku 'client'
    

    or
    Get-ChildItem -Path /CurrentUser -Recurse -Eku 'client' is you don't use tab completion for the path

  • #92518

    scott s
    Participant

    Richard

    thanks tried both but same issue.

    PS Cert:\> PS Cert:\> Get-ChildItem -Path .\\CurrentUser\ -Recurse -Eku 'client'
    Get-Process : A positional parameter cannot be found that accepts argument 'Get-ChildItem'.
    At line:1 char:1
    + PS Cert:\> Get-ChildItem -Path .\\CurrentUser\ -Recurse -Eku 'client'
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-Process], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetProcessCommand

    • #92543

      Christian
      Participant

      Could it be that you have a duplicated PS Cert:\> inserted to Powershell (copy paste error)?

  • #92548

    scott s
    Participant

    yes that was copy paste error but still same problem

    PS Cert:\> Get-ChildItem -Path .\\CurrentUser\ -Recurse -Eku "*Client*"
    Get-ChildItem : A parameter cannot be found that matches parameter name 'Eku'.
    At line:1 char:46
    + Get-ChildItem -Path .\\CurrentUser\ -Recurse -Eku "*Client*"
    + ~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

    • #92551

      Jon
      Participant

      What powershell version are you running?

      Can you tab out -eku?

  • #92555

    scott s
    Participant

    powershell 4

    and no -eku does not show up when I tab -recurse does but not -eku

    • #92557

      Jon
      Participant

      Have you tried on any other machines? Are you sure it's version 4?

      PS 4.0 get-childitem cert this says it was introduced with v3.

  • #92560

    scott s
    Participant

    yes 3 pcs

    ps2, 3 and 4

    I expect it to fail on 2 but my laptop has 4 and gives same error

  • #92561

    Jon
    Participant

    I think I may have found the issue, what OS are you running?

    It doesn't work on my Windows 7 or 2008R2 machines, even with PS 5.1 however on my 2012R2 boxes it's fine, I noticed this on the documentation page:

    The new dynamic parameters work in Windows PowerShell 3.0 and newer releases of Windows PowerShell, running on Windows 8, Windows Server 2012 and newer releases of the Windows operating system.

  • #92563

    Richard Siddaway
    Moderator

    My machine has v5.1 which works as I described above. It doesn't work on v6 though

    get-help certificate

    shows this under dynamic parameters

            Cmdlets Supported: Get-ChildItem
    
        -EKU 
            Gets certificates that have the specified text or text pattern in the EnhancedKeyUsageList property of the
            certificate. Wildcard characters (*) are permitted. The EnhancedKeyUsageList property contains the friendly
            name and the OID fields of the EKU.
    
            Because certificates that have an empty EnhancedKeyUsageList can be used for all purposes, all EKU searches
            return certificates that have an empty EnhancedKeyUsageList property value.
    
            This parameter is valid in all subdirectories of the Certificate provider, but it is effective only on
            certificates.
    
            This parameter was introduced in Windows PowerShell 3.0.
    

    It should work. Do you have admin privileges on the machine on which you're trying this?

  • #92566

    scott s
    Participant

    Yes I have admin rights

    But when I push this most users wont but they are deleting the cert from currentuser I hope that will work

    • #92567

      Jon
      Participant

      What OS?

  • #92570

    scott s
    Participant

    win7 32 and 64bit

    • #92573

      Jon
      Participant

      See my above post about the Win7 environment.

  • #92578

    scott s
    Participant

    Sorry Jon I didn't see that post.

    so any ideas how in win 7 I can search for a cert using anything like the EKU?

    I need to remove a cert on many pc's all with different Thumbprints

  • #92630

    postanote
    Participant

    Finding about to expire certificates the PowerShell 2.0 way

    If you are using Windows PowerShell 2.0 (or if you just like to type), you can still find certificates that are about to expire by using the Get-ChildItem cmdlet on your Cert: PSDrive, and then piping the results to the Where-Object.

    'blogs.technet.microsoft.com/heyscriptingguy/2013/03/05/use-powershell-to-find-certificates-that-are-about-to-expire'

    Filtering on the Certificate Provider

        ## Get-CertificateByEku.ps1 
        param($ekuName = $(throw "Please specify the friendly name of an Enhanced Key Usage (such as 'Code Signing'")) 
    
        foreach($cert in Get-ChildItem cert:\CurrentUser\My) { 
           foreach($extension in $cert.Extensions) 
           { 
               foreach($certEku in $extension.EnhancedKeyUsages) 
               { 
                   if($certEku.FriendlyName -eq $ekuName) 
                   { 
                       $cert 
                   } 
               } 
           } 
        }
    

    'leeholmes.com/blog/2007/01/09/filtering-on-the-certificate-provider'

  • #92683

    scott s
    Participant

    Thanks guys. I found the same article last night and I am testing that code on the older win 7 / POSH V2 pc's today

    I'll report back

You must be logged in to reply to this topic.