Anton_Howard
Copper Contributor
Sep 05, 2023

Registry script is changing 5 of 6 keys

I'm hoping someone can help with this; it's really starting to get on my nerves.

There are some registry keys that I needed to change/create on all PCs, so I tried to bundle the changes in a Win32 app to run the PowerShell script changes, but they wouldn't run.

Eventually, I found that I could create an app to copy the script to the PCs and another one to run it.

This worked fine once the detection rules were sorted, but there is one key in the script that refuses to change. All others are created as expected, so I can't figure out why it won't work on this one key.

Funny thing is that if the script is run locally, all keys are created fine.

Any help greatly appreciated.


$regPath1 = "HKLM:\Software\Microsoft\Cryptography\Wintrust\Config"
$valueName1 = "EnableCertPaddingCheck"
$valueData1 = 1

$regPath2 = "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config"
$valueName2 = "EnableCertPaddingCheck"
$valueData2 = 1

$regPath3 = "HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters"
$valueName3 = "RequireSecuritySignature"
$valueData3 = 1

$regPath4 = "HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters"
$valueName4 = "EnableSecuritySignature"
$valueData4 = 1

$regPath5 = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
$valueName5 = "RequireSecuritySignature"
$valueData5 = 1

$regPath6 = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
$valueName6 = "EnableSecuritySignature"
$valueData6 = 1

# Create or update registry keys and values
$regPaths = @($regPath1, $regPath2, $regPath3, $regPath4, $regPath5, $regPath6)
$valueNames = @($valueName1, $valueName2, $valueName3, $valueName4, $valueName5, $valueName6)
$valueDatas = @($valueData1, $valueData2, $valueData3, $valueData4, $valueData5, $valueData6)

for ($i = 0; $i -lt $regPaths.Length; $i++) {
    $regPath = $regPaths[$i]
    $valueName = $valueNames[$i]
    $valueData = $valueDatas[$i]

    # Check if the registry key already exists
    if (!(Test-Path $regPath)) {
        # Create the registry key if it doesn't exist
        New-Item -Path $regPath -Force | Out-Null
    }

    # Create or update the registry value
    Set-ItemProperty -Path $regPath -Name $valueName -Value $valueData -Type DWORD
}

Write-Host "Registry keys and values have been created or updated successfully."

  • Anton_Howard I did some testing and wrote a slightly changed version of your script:

     

    #Set keys
    $CertPaddingCheckPaths = @("HKLM:\Software\Microsoft\Cryptography\Wintrust\Config", "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config")
    $SecuritySignaturePaths = @("HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters", "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters")
    $EnableCertPaddingCheckKey = "EnableCertPaddingCheck"
    $RequireSecuritySignatureKey = "RequireSecuritySignature"
    $KeyValue = "1"
    
    #CertPadding
    foreach ($CertPaddingCheckPath in $CertPaddingCheckPaths) {
        # Create the registry key if it doesn't exist
        if (!(Test-Path $CertPaddingCheckPath)) {
            New-Item -Path $CertPaddingCheckPath -Force -ItemType Directory | Out-Null
            Write-Host Created $CertPaddingCheckPath
        }
        # Create or update the registry value
        Set-ItemProperty -Path $CertPaddingCheckPath -Name $EnableCertPaddingCheckKey -Value $KeyValue -Type DWORD
    }
    
    #SecuritySignature
    foreach ($SecuritySignaturePath in $SecuritySignaturePaths) {
        # Create the registry key if it doesn't exist
        if (!(Test-Path $SecuritySignaturePath)) {
            New-Item -Path $SecuritySignaturePath -Force -ItemType Directory | Out-Null
            Write-Host Created $SecuritySignaturePath
        }
        # Create or update the registry value
        Set-ItemProperty -Path $SecuritySignaturePath -Name $RequireSecuritySignatureKey -Value $KeyValue -Type DWORD
    }
    
    Write-Host "Registry keys and values have been created or updated successfully."

     

    But the same issue, HKLM:\Software\Microsoft\Cryptography\Wintrust\Config doesn't get created... So I enabled some Transcript logging (Start-Transcript), and if I just do a New-Item HKLM:\Software\Microsoft\Cryptography\Wintrust\Config, it does create the Registry path and... It immediately gets deleted?!? Some process is checking that... So weird, I haven't found anything yet why 🙂
      Anton_Howard
      Copper Contributor
      Hi Harm,
      I really appreciate your time with this problem. It is very odd that this is happening, but I'm glad you have come across the same problem and it's not just me 😉. It's very frustrating, so hopefully someone can find a reason why this is happening.
        Harm_Veenstra
        MVP
        Perhaps some service, such as the Cryptography service, is locking this. I tried to stop that service, add Registry, and start it again, but it doesn't pick that up...
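
One check for the symptom in this thread, as an added example that is not code from either poster: a 32-bit PowerShell host on 64-bit Windows has HKLM:\Software redirected to Wow6432Node by WOW64, so this script reports the process bitness, writes the six values from the original script through the 64-bit registry view, and reads each one back. That the deployment launches a 32-bit host is an assumption to confirm from the first output line; `Set-Dword64` and `$settings` are names made up for this example.

```powershell
# Added example, not from the thread.
# Assumption: the deployment may start this script in a 32-bit PowerShell host.
$settings = @(
    @{ Key = 'Software\Microsoft\Cryptography\Wintrust\Config';                Name = 'EnableCertPaddingCheck' }
    @{ Key = 'Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config';    Name = 'EnableCertPaddingCheck' }
    @{ Key = 'System\CurrentControlSet\Services\LanManWorkstation\Parameters'; Name = 'RequireSecuritySignature' }
    @{ Key = 'System\CurrentControlSet\Services\LanManWorkstation\Parameters'; Name = 'EnableSecuritySignature' }
    @{ Key = 'System\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'RequireSecuritySignature' }
    @{ Key = 'System\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'EnableSecuritySignature' }
)

function Set-Dword64 {
    param([string]$Key, [string]$Name, [int]$Value)
    # The Registry64 view is not subject to WOW64 redirection, even in a 32-bit process.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $sub = $base.CreateSubKey($Key)   # opens the key, creating it if it is missing
        try {
            $sub.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
            $actual = $sub.GetValue($Name)   # read back what was actually stored
        } finally { $sub.Dispose() }
    } finally { $base.Dispose() }
    [pscustomobject]@{ Key = $Key; Name = $Name; Expected = $Value; Actual = $actual; Ok = ($actual -eq $Value) }
}

# If this prints "64-bit process: False" on a 64-bit OS, HKLM:\Software paths are being redirected.
Write-Output ("64-bit OS: {0}; 64-bit process: {1}" -f [Environment]::Is64BitOperatingSystem, [Environment]::Is64BitProcess)
$results = foreach ($s in $settings) { Set-Dword64 -Key $s.Key -Name $s.Name -Value 1 }
$results | Format-Table -AutoSize
# A non-zero exit code lets the deployment tool record the run as failed.
if ($results.Ok -contains $false) { exit 1 }
```

If the first line shows a 32-bit process, the alternative to the explicit registry view is to launch the script with `%WINDIR%\Sysnative\WindowsPowerShell\v1.0\powershell.exe`, which gives a 32-bit parent the 64-bit host.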
