Powershell Syntax Issue

PowerShell Help
1

Hello, new to the forum. Want to say thank you in advance for any and all assistance on this post. I have been racked my brain on an problem I am having with an apparent syntax issue. I am writing a script for an SCCM deployment that remediates a Group Policy vulnerability (MS015-11) by detecting the presence of two registry values, and then writing two new values if those values do not exist. The link below provides more detail.

https://www.stigviewer.com/stig/windows_10/2016-06-24/finding/V-63577

The problem I am running into is the value contains an asterisk symbol (*), so it is treating it like a wildcard and not a literal asterisk. I tried using the back-tick character (`) in front of the asterisk to escape the character, but the back-tick then becomes part of the string.I think it’s just a syntax I am missing. Here is my code. Any ideas would be greatly appreciated. Also, I am somewhat of a PS noob, so please go easy on me :slight_smile:

#Function to test presence of registry value
function Test-RegistryValue {
    param (
    [parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]$Path,
    [parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]$Name
          )
try {
Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop | Out-Null
return $true
    }
catch {
return $false
      }
}

###Variables
$RegKey_HardenedPaths = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths"
$RegVal_NETLOGON = '\\*\NETLOGON' ###Note the asterisk
$RegVal_SYSVOL = '\\*\SYSVOL' 
###Tried adding the back-tick to escape the character, but it then literally adds the back-tick into my string.
$RegVal_NETLOGON_BACKTICK = '\\`*\NETLOGON'
$RegVal_SYSVOL_BACKTICK = '\\`*\SYSVOL'
$Test_NETLOGON = Test-RegistryValue -path $RegKey_HardenedPaths -Name $RegVal_NETLOGON
$Test_SYSVOL = Test-RegistryValue -path $RegKey_HardenedPaths -Name $RegVal_SYSVOL

###When I run the function, the Get-ItemProperty cmdlet returns null, so the if statement interprets this as True, even though the reg values do not exist.
If ($Test_NETLOGON -eq $False -or $Test_SYSVOL -eq $False)
{
    New-ItemProperty -Path $RegKey_HardenedPaths -Name $RegVal_NETLOGON -Value "RequireMutualAuthentication=1, RequireIntegrity=1" -PropertyType "String" | Out-Null
    New-ItemProperty -Path $RegKey_HardenedPaths -Name $RegVal_SYSVOL  -Value "RequireMutualAuthentication=1, RequireIntegrity=1" -PropertyType "String" | Out-Null
    Write-Host "UNC Path Hardening has been applied"
}
Else
{
Write-Host "UNC Path Hardenening is already enabled"
Return $True
}
2

Use -LiteralPath instead of -Path.

3

Also, you have a server named *? I can’t help but think that would cause all manner of interesting issues! :slight_smile:

4

Sorry for the late response! I have a question for you, Don. You suggest using -LiteralPath in Get-ItemProperty instead of -Path. However, the path to the registry key isn’t the issue, it is the registry value giving me issues because of the asterisk. Is there a comparable switch to -LiteralPath that I can use for the -Name switch?

5

Hey Joel, thanks for the response. the asterisk * is a wildcard, so the path would cover any domain controller. I could instead use absolute paths as a workaround, but this issue with the asterisk is really bugging me and my OCD has kicked into overdrive! :slight_smile:

6

I’m not really sure if \*</code> is a valid UNC path at all, but I have a feeling it’s causing PowerShell to attempt to enumerate every possible IPAddress, which would doubtless take forever or just make it give up sooner or later. I think you’ll need to figure out the available machine DNS names in advance before you loop through them and query one path at a time.

7

Get-ItemProperty doesn’t throw an error, if the path exists. So, no throwing in the case of path+no value - it simply returns null.

I’m thinking this will catch both situations:

function Test-RegistryValue {
    param (
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Path,
        [parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]$Name
    )

    try {
        $result = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
    }
    catch {
        $result = $null
    }

    $null -ne $result
}