Blog Post

Core Infrastructure and Security Blog
8 MIN READ

Demystifying Schannel

BrandonWilson's avatar
BrandonWilson
Icon for Microsoft rankMicrosoft
Sep 20, 2018
First published on TechNet on Nov 13, 2017   Hello all! Nathan Penn here to help with some of those pesky security questions that have lingered for years. Recently I have been fielding several...
Updated Sep 04, 2019
Version 3.0
NathanPenn
MikeCrowley's avatar
MikeCrowley
Iron Contributor
Aug 16, 2022

For anyone interested, here is how to view the above with PowerShell

 

Get-ItemPropertyValue -Path hklm:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL -Name EventLogging

#enable logging
Set-ItemProperty -Path hklm:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL -Name EventLogging -Value 7
#Restart-Computer

$Date = Get-Date

$Filter = @{
    LogName      = "System"
    ProviderName = "Schannel"
    StartTime    = $Date.AddDays(-1)
    Id           = 36880
}

$Events = Get-WinEvent -FilterHashtable $Filter | foreach {
    $EventXML = ([xml]$_.ToXml()).event.userdata.eventxml
    [pscustomobject]@{    
        TimeCreated = $_.TimeCreated
        MachineName = $_.MachineName
        Protocol = $EventXML.protocol
        CipherSuite = $EventXML.CipherSuite  
        TargetName = $EventXML.TargetName  
        LocalCertSubjectName = $EventXML.LocalCertSubjectName  
        RemoteCertSubjectName = $EventXML.RemoteCertSubjectName    
    }
}

Write-Output "`nProtocol"
$Events | group Protocol | select count, name
Write-Output "`nCipherSuite"
$Events | group CipherSuite | select count, name
Write-Output "`nLocalCertSubjectName"
$Events | group LocalCertSubjectName | select count, name
Write-Output "`nRemoteCertSubjectName"
$Events | group RemoteCertSubjectName | select count, name
Write-Output "`nTargetName"
$Events | group TargetName | select count, name


#disable logging
Set-ItemProperty -Path hklm:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL -Name EventLogging -Value 1 
#Restart-Computer