PowerShell Script to Fix Registry Security Issues

Good Morning All,

I am trying to write a script that will go through all the computers in AD and have them first check to see if a Registry Key Path exists before continuing to make it and a DWord. I feel like I am close but I can’t seem to figure out what exactly I need to change and fix.

Please know I have only ever taken one coding class in college and am not very good at more advanced scripting. This one is starting to go above my head.

$DaysInactive = 30
$time = (Get-Date).Adddays(-($DaysInactive))
$LoopCount = 1000
$Loops = 0
While ($Loops -le $LoopCount)
{
    $Loops++
    Foreach ($Computer in Get-ADComputer -Filter {LastLogonTimeStamp -gt $time} -ResultPageSize 2000 -resultSetSize $null | Select-Object -ExpandProperty dnshostname) ## Get all computers from AD and loop through them
    {
        $KeyFound = $true
        $KeyNotFound =$false
        If (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING' -ErrorAction SilentlyContinue) {
            return $true
        }
        Else {
            return $false
        }
        If ($KeyNotFound)
        {
            New-Item -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl" -Name FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
            New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" -Name "iexplore.exe" -Value 1 -PropertyType "DWord"
            New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\" -Name FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
            New-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" -Name "iexplore.exe" -Value 1 -PropertyType "DWord"
        }
        If ($KeyFound)
        {
            Write-Output 'Key Already Exists, Closing Now'
        }
    }
}

Hello Con,

First I would request you to resubmit your code in the preformatted syntax. Second I don’t see where you are doing a remote call to each of the computers in question? Have you enabled PSRemoting for all of the computers? How are you making the call to explore the registry of each of these computers? If you already have this figured out please let us know what you are needing help with. It’s not very clear what you need help with.

It's too much looping out there. You can follow the steps below to do what you want.

  • Have some code to achieve the main goal, here the registry change and the conditions for when it has to be changed
  • Get the computers from the domain and store the names in a variable
  • Use Invoke-Command with -ComputerName and pass the list of computer names to the -ComputerName parameter; it takes an array of strings.

That's it.

You don’t need a while and for loop here.

example

$ScriptBlock = { Set-ItemProperty -Path HKLM:\Software\Microsoft\SomeKey -Name SomeKey -Value SomeValue }
$ComputerList = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
Invoke-Command -ComputerName $ComputerList -ScriptBlock $ScriptBlock

PS: It would be better if you could read the instructions below, which have detailed steps on how to format code in the forums.
https://powershell.org/forums/topic/read-me-before-posting-youll-be-glad-you-did/

Btw, Set-ItemProperty has a -Type parameter with registry paths, but it’s not easily found in the docs.

You can see the “[-Type < RegistryValueKind > ]” added when I specify “-ArgumentList hklm:”. Well maybe not on this forum. I added spaces around the < and >.

Get-Command Set-ItemProperty -ArgumentList hklm: -Syntax


Set-ItemProperty [-Path] < string[] > [-Name] < string > [-Value] < Object > [-PassThru] [-Force] [-Filter < string >] [-Include < string[] >] [-Exclude < string[] >] [-Credential < pscredential >] [-WhatIf] [-Confirm] [-UseTransaction] [-Type < RegistryValueKind >] [< CommonParameters >]

Set-ItemProperty [-Path] < string[] > -InputObject < psobject > [-PassThru] [-Force] [-Filter < string >] [-Include < string[] >] [-Exclude < string[] >] [-Credential < pscredential >] [-WhatIf] [-Confirm] [-UseTransaction] [-Type < RegistryValueKind >] [< CommonParameters >]

Set-ItemProperty [-Name] < string > [-Value] < Object > -LiteralPath < string[] > [-PassThru] [-Force] [-Filter < string >] [-Include < string[] >] [-Exclude < string[] >] [-Credential < pscredential >] [-WhatIf] [-Confirm] [-UseTransaction] [-Type < RegistryValueKind >] [< CommonParameters >]

Set-ItemProperty -LiteralPath < string[] > -InputObject < psobject > [-PassThru] [-Force] [-Filter < string >] [-Include < string[] >] [-Exclude < string[] >] [-Credential < pscredential >] [-WhatIf] [-Confirm] [-UseTransaction] [-Type < RegistryValueKind >] [< CommonParameters >]
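
Putting the steps from the replies above together, as an added example that is not code from any poster in this thread: one idempotent script block that checks both registry views from the question, creates the key only when it is missing, writes the DWord with -Type, and reports per host what it did. It assumes the ActiveDirectory module and PSRemoting on the targets; the `$Feature` variable, the `Action` labels and the output object shape are made up for illustration.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# PSRemoting (WinRM) on the targets; run from an elevated session.
$Feature = 'FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING'  # key name from the question

$ScriptBlock = {
    param([string]$Feature)
    $roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl'
    foreach ($root in $roots) {
        # Wow6432Node exists only on 64-bit Windows; skip roots that are absent.
        if (-not (Test-Path -Path $root)) { continue }
        $key    = Join-Path -Path $root -ChildPath $Feature
        $action = 'AlreadySet'                     # hypothetical status labels
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
            $action = 'Created'
        }
        # Read the current value; $null when the value does not exist yet.
        $current = (Get-ItemProperty -Path $key -Name 'iexplore.exe' `
                        -ErrorAction SilentlyContinue).'iexplore.exe'
        if ($current -ne 1) {
            # -Type is the registry provider's dynamic parameter shown above.
            Set-ItemProperty -Path $key -Name 'iexplore.exe' -Value 1 -Type DWord
            if ($action -ne 'Created') { $action = 'Updated' }
        }
        [pscustomobject]@{ Key = $key; Action = $action }
    }
}

# Same 30-day activity filter as the question; drop accounts without a DNS name.
$time = (Get-Date).AddDays(-30)
$ComputerList = Get-ADComputer -Filter {LastLogonTimeStamp -gt $time} |
    Where-Object DNSHostName |
    Select-Object -ExpandProperty DNSHostName

# One fan-out call replaces the While/Foreach loops. Failures are collected
# in $failed instead of stopping the run.
$results = Invoke-Command -ComputerName $ComputerList -ScriptBlock $ScriptBlock `
    -ArgumentList $Feature -ErrorAction SilentlyContinue -ErrorVariable failed

$results | Select-Object PSComputerName, Key, Action | Format-Table -AutoSize
$failed  | ForEach-Object { Write-Warning $_.Exception.Message }
```

Running it a second time should report `AlreadySet` for every key, which doubles as a check that the setting stuck on each host.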