Author Posts

January 31, 2018 at 2:40 pm

im am having issues using the get-childitem command on certs and the -eku parmateter see below

same issue if I use

get-childitem -path cert:\currentuser -recurse -eku "*client*"
or
PS Cert:\> get-childitem -eku "*client*"
Get-ChildItem : A parameter cannot be found that matches parameter name 'eku'.
At line:1 char:15
+ get-childitem -eku "*client*"
+ ~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

January 31, 2018 at 3:15 pm

Get-Childitem

-eku isn't an available parameter

January 31, 2018 at 3:38 pm

-Eku is a dynamic parameter that becomes available when you change to the cert: drive

PS> Get-Command Get-ChildItem -Syntax

Get-ChildItem [[-Path] ] [[-Filter] ] [-Include ] [-Exclude ] [-Recurse] [-Depth ] [-Force] [-Name] [-UseTransaction] [-Attributes ] [-Directory] [-File] [-Hidde
n] [-ReadOnly] [-System] []

Get-ChildItem [[-Filter] ] -LiteralPath  [-Include ] [-Exclude ] [-Recurse] [-Dept
h ] [-Force] [-Name] [-UseTransaction] [-Attributes ] [-Directory] [-File] [-Hi
dden] [-ReadOnly] [-System] []

PS> cd cert:
PS> Get-Command Get-ChildItem -Syntax

Get-ChildItem [[-Path] ] [[-Filter] ] [-Include ] [-Exclude ] [-Recurse] [-Depth ] [-Force] [-Name] [-UseTransaction] [-CodeSigningCert] [-DocumentEncryptionCert] [-SSLServerAuthentication] [-Dn
sName ] [-Eku ] [-ExpiringInDays ] []


Get-ChildItem [[-Filter] ] -LiteralPath  [-Include ] [-Exclude ] [-Recurse] [-Dept
h ] [-Force] [-Name] [-UseTransaction] [-CodeSigningCert] [-DocumentEncryptionCert] [-SSLServerAuthentication] [
-DnsName ] [-Eku ] [-ExpiringInDays ] []

so this will work

PS> cd cert:
PS> Get-ChildItem -Path .\\CurrentUser\ -Recurse -Eku 'client'

or
Get-ChildItem -Path /CurrentUser -Recurse -Eku 'client' is you don't use tab completion for the path

January 31, 2018 at 3:59 pm

Richard

thanks tried both but same issue.

PS Cert:\> PS Cert:\> Get-ChildItem -Path .\\CurrentUser\ -Recurse -Eku 'client'
Get-Process : A positional parameter cannot be found that accepts argument 'Get-ChildItem'.
At line:1 char:1
+ PS Cert:\> Get-ChildItem -Path .\\CurrentUser\ -Recurse -Eku 'client'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-Process], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetProcessCommand

January 31, 2018 at 5:33 pm

Could it be that you have a duplicated PS Cert:\> inserted to Powershell (copy paste error)?

January 31, 2018 at 6:06 pm

yes that was copy paste error but still same problem

PS Cert:\> Get-ChildItem -Path .\\CurrentUser\ -Recurse -Eku "*Client*"
Get-ChildItem : A parameter cannot be found that matches parameter name 'Eku'.
At line:1 char:46
+ Get-ChildItem -Path .\\CurrentUser\ -Recurse -Eku "*Client*"
+ ~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ChildItem], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

January 31, 2018 at 6:34 pm

What powershell version are you running?

Can you tab out -eku?

January 31, 2018 at 6:52 pm

powershell 4

and no -eku does not show up when I tab -recurse does but not -eku

January 31, 2018 at 7:03 pm

Have you tried on any other machines? Are you sure it's version 4?

PS 4.0 get-childitem cert this says it was introduced with v3.

January 31, 2018 at 7:10 pm

yes 3 pcs

ps2, 3 and 4

I expect it to fail on 2 but my laptop has 4 and gives same error

January 31, 2018 at 7:18 pm

I think I may have found the issue, what OS are you running?

It doesn't work on my Windows 7 or 2008R2 machines, even with PS 5.1 however on my 2012R2 boxes it's fine, I noticed this on the documentation page:

The new dynamic parameters work in Windows PowerShell 3.0 and newer releases of Windows PowerShell, running on Windows 8, Windows Server 2012 and newer releases of the Windows operating system.

January 31, 2018 at 7:19 pm

My machine has v5.1 which works as I described above. It doesn't work on v6 though

get-help certificate

shows this under dynamic parameters

        Cmdlets Supported: Get-ChildItem

    -EKU 
        Gets certificates that have the specified text or text pattern in the EnhancedKeyUsageList property of the
        certificate. Wildcard characters (*) are permitted. The EnhancedKeyUsageList property contains the friendly
        name and the OID fields of the EKU.

        Because certificates that have an empty EnhancedKeyUsageList can be used for all purposes, all EKU searches
        return certificates that have an empty EnhancedKeyUsageList property value.

        This parameter is valid in all subdirectories of the Certificate provider, but it is effective only on
        certificates.

        This parameter was introduced in Windows PowerShell 3.0.

It should work. Do you have admin privileges on the machine on which you're trying this?

January 31, 2018 at 7:31 pm

Yes I have admin rights

But when I push this most users wont but they are deleting the cert from currentuser I hope that will work

January 31, 2018 at 7:43 pm

win7 32 and 64bit

January 31, 2018 at 7:51 pm

See my above post about the Win7 environment.

January 31, 2018 at 8:00 pm

Sorry Jon I didn't see that post.

so any ideas how in win 7 I can search for a cert using anything like the EKU?

I need to remove a cert on many pc's all with different Thumbprints

January 31, 2018 at 11:58 pm

Finding about to expire certificates the PowerShell 2.0 way

If you are using Windows PowerShell 2.0 (or if you just like to type), you can still find certificates that are about to expire by using the Get-ChildItem cmdlet on your Cert: PSDrive, and then piping the results to the Where-Object.

'blogs.technet.microsoft.com/heyscriptingguy/2013/03/05/use-powershell-to-find-certificates-that-are-about-to-expire'

Filtering on the Certificate Provider

    ## Get-CertificateByEku.ps1 
    param($ekuName = $(throw "Please specify the friendly name of an Enhanced Key Usage (such as 'Code Signing'")) 

    foreach($cert in Get-ChildItem cert:\CurrentUser\My) { 
       foreach($extension in $cert.Extensions) 
       { 
           foreach($certEku in $extension.EnhancedKeyUsages) 
           { 
               if($certEku.FriendlyName -eq $ekuName) 
               { 
                   $cert 
               } 
           } 
       } 
    }

'leeholmes.com/blog/2007/01/09/filtering-on-the-certificate-provider'

February 1, 2018 at 2:49 pm

Thanks guys. I found the same article last night and I am testing that code on the older win 7 / POSH V2 pc's today

I'll report back