Powershell Script to Fix Registry Security Issues

Welcome Forums General PowerShell Q&A Powershell Script to Fix Registry Security Issues

Viewing 4 reply threads
  • Author
    Posts
    • #182976
      Participant
      Topics: 1
      Replies: 0
      Points: -29
      Rank: Member

      Good Morning All,

      I am trying to write a script that will go through all the computers in AD and has them first check to see if a Registry Key Path exists before continuing to make it and a DWord. I feel like I am close but I can't seem to figure out what exactly I need to change and fix.

      Please know I have only ever taken one coding class in college and am not very good at more advanced scripting. This one is starting to go above my head.

      $DaysInactive = 30
      $time = (Get-Date).Adddays(-($DaysInactive))
      $LoopCount = 1000
      $Loops = 0
      While ($Loops -le $LoopCount)
      {
      $Loops++
      Foreach ($Computer in Get-ADComputer -Filter {LastLogonTimeStamp -gt $time} -ResultPageSize 2000 -resultSetSize $null | Select-Object -ExpandProperty dnshostname)  ## Get all computers from AD and loop through them
      {
          $KeyFound = $true
          $KeyNotFound =$false
          If (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING'  -ErrorAction SilentlyContinue) {
          return $true
      }
      Else {
          return $false
      }
              If ($KeyNotFound)
              {
                  New-Item -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl" -Name FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
                  New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" -Name "iexplore.exe" -Value 1 -PropertyType "DWord"
                  New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\" -Name FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
                  New-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" -Name "iexplore.exe" -Value 1 -PropertyType "DWord"
               }
               If ($KeyFound)
              {
                  Write-Output 'Key Already Exists, Closing Now'
              }
      }
      }
    • #183000
      Participant
      Topics: 0
      Replies: 115
      Points: 433
      Helping Hand
      Rank: Contributor

      Hello Con,

      First I would request you to resubmit your code in the preformatted syntax. Second I don't see where you are doing a remote call to each of the computers in question? Have you enabled PSRemoting for all of the computers? How are you making the call to explore the registry of each of these computers? If you already have this figured out please let us know what you are needing help with. It's not very clear what you need help with.

    • #183003
      Senior Moderator
      Topics: 8
      Replies: 1140
      Points: 3,922
      Helping Hand
      Rank: Community Hero

      Its too much of looping out there. You can follow below steps to do what you want.

      – Have some code to achieve the main goal, here the registry change and the conditions for when it has to be changed
      – Get the computers from domain and store the names in a variable
      – Use Invoke-Command with -ComputerName and pass the list of computer names to -ComputerName parameter, it takes array of strings.

      Thats it.

      You don't need a while and for loop here.

      example

      $ScriptBlock = { Set-ItemProperty -Path HKLM:\Software\Microsoft\SomeKey -Name SomeKey -Value SomeValue }
      $ComputerList = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
      Invoke-Command -ComputerName $ComputerList -ScriptBlock $ScriptBlock
      

      PS: It would be better if you can read below instructions which has detailed steps on how to format code in the forums.
      https://powershell.org/forums/topic/read-me-before-posting-youll-be-glad-you-did/

    • #183009
      js
      Participant
      Topics: 27
      Replies: 716
      Points: 1,879
      Helping Hand
      Rank: Community Hero

      Btw set-itemproperty has a -type parameter with registry paths, but it's not easily found in the docs.

    • #183534
      js
      Participant
      Topics: 27
      Replies: 716
      Points: 1,879
      Helping Hand
      Rank: Community Hero

      You can see the "[-Type < RegistryValueKind > ]" added when I specify "-ArgumentList hklm:". Well maybe not on this forum. I added spaces around the < and >.

      Get-Command Set-ItemProperty -ArgumentList hklm: -Syntax
      
      
      Set-ItemProperty [-Path] < string[] > [-Name] < string > [-Value] < Object > [-PassThru] [-Force] [-Filter < string >] [-Include < string[] >] [-Exclude < string[] >] [-Credential < pscredential >] [-WhatIf] [-Confirm] [-UseTransaction] [-Type < RegistryValueKind >] [< CommonParameters >]
      
      Set-ItemProperty [-Path] < string[] > -InputObject < psobject > [-PassThru] [-Force] [-Filter < string >] [-Include < string[] >] [-Exclude < string[] >] [-Credential < pscredential >] [-WhatIf] [-Confirm] [-UseTransaction] [-Type < RegistryValueKind >] [< CommonParameters >]
      
      Set-ItemProperty [-Name] < string > [-Value] < Object > -LiteralPath < string[] > [-PassThru] [-Force] [-Filter < string >] [-Include < string[] >] [-Exclude < string[] >] [-Credential < pscredential >] [-WhatIf] [-Confirm] [-UseTransaction] [-Type < RegistryValueKind >] [< CommonParameters >]
      
      Set-ItemProperty -LiteralPath < string[] > -InputObject < psobject > [-PassThru] [-Force] [-Filter < string >] [-Include < string[] >] [-Exclude < string[] >] [-Credential < pscredential >] [-WhatIf] [-Confirm] [-UseTransaction] [-Type < RegistryValueKind >] [< CommonParameters >]
      
Viewing 4 reply threads
  • You must be logged in to reply to this topic.