get-childitem and certs issue

im am having issues using the get-childitem command on certs and the -eku parmateter see below

same issue if I use

get-childitem -path cert:\currentuser -recurse -eku “client
or
PS Cert:> get-childitem -eku “client
Get-ChildItem : A parameter cannot be found that matches parameter name ‘eku’.
At line:1 char:15

  • get-childitem -eku “client
  •           ~~~~
    
    • CategoryInfo : InvalidArgument: (:slight_smile: [Get-ChildItem], ParameterBindingException
    • FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

Get-Childitem

-eku isn’t an available parameter

-Eku is a dynamic parameter that becomes available when you change to the cert: drive

PS> Get-Command Get-ChildItem -Syntax

Get-ChildItem [[-Path] ] [[-Filter] ] [-Include ] [-Exclude ] [-Recurse] [-Depth ] [-Force] [-Name] [-UseTransaction] [-Attributes ] [-Directory] [-File] [-Hidde
n] [-ReadOnly] [-System] []

Get-ChildItem [[-Filter] ] -LiteralPath  [-Include ] [-Exclude ] [-Recurse] [-Dept
h ] [-Force] [-Name] [-UseTransaction] [-Attributes ] [-Directory] [-File] [-Hi
dden] [-ReadOnly] [-System] []

PS> cd cert:
PS> Get-Command Get-ChildItem -Syntax

Get-ChildItem [[-Path] ] [[-Filter] ] [-Include ] [-Exclude ] [-Recurse] [-Depth ] [-Force] [-Name] [-UseTransaction] [-CodeSigningCert] [-DocumentEncryptionCert] [-SSLServerAuthentication] [-Dn
sName ] [-Eku ] [-ExpiringInDays ] []


Get-ChildItem [[-Filter] ] -LiteralPath  [-Include ] [-Exclude ] [-Recurse] [-Dept
h ] [-Force] [-Name] [-UseTransaction] [-CodeSigningCert] [-DocumentEncryptionCert] [-SSLServerAuthentication] [
-DnsName ] [-Eku ] [-ExpiringInDays ] []

so this will work

PS> cd cert:
PS> Get-ChildItem -Path .\\CurrentUser\ -Recurse -Eku 'client'

or
Get-ChildItem -Path /CurrentUser -Recurse -Eku ‘client’ is you don’t use tab completion for the path

Richard

thanks tried both but same issue.

PS Cert:> PS Cert:> Get-ChildItem -Path .\CurrentUser\ -Recurse -Eku ‘client’
Get-Process : A positional parameter cannot be found that accepts argument ‘Get-ChildItem’.
At line:1 char:1

  • PS Cert:> Get-ChildItem -Path .\CurrentUser\ -Recurse -Eku ‘client’
  •   + CategoryInfo          : InvalidArgument: (:) [Get-Process], ParameterBindingException
      + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.GetProcessCommand

Could it be that you have a duplicated PS Cert:> inserted to Powershell (copy paste error)?

yes that was copy paste error but still same problem

PS Cert:> Get-ChildItem -Path .\CurrentUser\ -Recurse -Eku “Client
Get-ChildItem : A parameter cannot be found that matches parameter name ‘Eku’.
At line:1 char:46

  • Get-ChildItem -Path .\CurrentUser\ -Recurse -Eku “Client
  •                                          ~~~~
    
    • CategoryInfo : InvalidArgument: (:slight_smile: [Get-ChildItem], ParameterBindingException
    • FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

What powershell version are you running?

Can you tab out -eku?

powershell 4

and no -eku does not show up when I tab -recurse does but not -eku

Have you tried on any other machines? Are you sure it’s version 4?

PS 4.0 get-childitem cert this says it was introduced with v3.

yes 3 pcs

ps2, 3 and 4

I expect it to fail on 2 but my laptop has 4 and gives same error

I think I may have found the issue, what OS are you running?

It doesn’t work on my Windows 7 or 2008R2 machines, even with PS 5.1 however on my 2012R2 boxes it’s fine, I noticed this on the documentation page:

The new dynamic parameters work in Windows PowerShell 3.0 and newer releases of Windows PowerShell, running on Windows 8, Windows Server 2012 and newer releases of the Windows operating system.

My machine has v5.1 which works as I described above. It doesn’t work on v6 though

get-help certificate

shows this under dynamic parameters

        Cmdlets Supported: Get-ChildItem

    -EKU 
        Gets certificates that have the specified text or text pattern in the EnhancedKeyUsageList property of the
        certificate. Wildcard characters (*) are permitted. The EnhancedKeyUsageList property contains the friendly
        name and the OID fields of the EKU.

        Because certificates that have an empty EnhancedKeyUsageList can be used for all purposes, all EKU searches
        return certificates that have an empty EnhancedKeyUsageList property value.

        This parameter is valid in all subdirectories of the Certificate provider, but it is effective only on
        certificates.

        This parameter was introduced in Windows PowerShell 3.0.

It should work. Do you have admin privileges on the machine on which you’re trying this?

Yes I have admin rights

But when I push this most users wont but they are deleting the cert from currentuser I hope that will work

What OS?

win7 32 and 64bit

See my above post about the Win7 environment.

Sorry Jon I didn’t see that post.

so any ideas how in win 7 I can search for a cert using anything like the EKU?

I need to remove a cert on many pc’s all with different Thumbprints

Finding about to expire certificates the PowerShell 2.0 way

If you are using Windows PowerShell 2.0 (or if you just like to type), you can still find certificates that are about to expire by using the Get-ChildItem cmdlet on your Cert: PSDrive, and then piping the results to the Where-Object.

blogs.technet.microsoft.com/heyscriptingguy/2013/03/05/use-powershell-to-find-certificates-that-are-about-to-expire

Filtering on the Certificate Provider

    ## Get-CertificateByEku.ps1 
    param($ekuName = $(throw "Please specify the friendly name of an Enhanced Key Usage (such as 'Code Signing'")) 

    foreach($cert in Get-ChildItem cert:\CurrentUser\My) { 
       foreach($extension in $cert.Extensions) 
       { 
           foreach($certEku in $extension.EnhancedKeyUsages) 
           { 
               if($certEku.FriendlyName -eq $ekuName) 
               { 
                   $cert 
               } 
           } 
       } 
    }

leeholmes.com/blog/2007/01/09/filtering-on-the-certificate-provider

Thanks guys. I found the same article last night and I am testing that code on the older win 7 / POSH V2 pc’s today

I’ll report back