Forum Discussion
Registry script is changing 5 of 6 keys
Anton_Howard I did some testing and wrote a slightly changed version of your script:
#Set keys
$CertPaddingCheckPaths = @("HKLM:\Software\Microsoft\Cryptography\Wintrust\Config", "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config")
$SecuritySignaturePaths = @("HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters", "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters")
$EnableCertPaddingCheckKey = "EnableCertPaddingCheck"
$RequireSecuritySignatureKey = "RequireSecuritySignature"
$KeyValue = "1"

#CertPadding
foreach ($CertPaddingCheckPath in $CertPaddingCheckPaths) {
    # Create the registry key if it doesn't exist
    if (!(Test-Path $CertPaddingCheckPath)) {
        New-Item -Path $CertPaddingCheckPath -Force -ItemType Directory | Out-Null
        Write-Host Created $CertPaddingCheckPath
    }
    # Create or update the registry value
    Set-ItemProperty -Path $CertPaddingCheckPath -Name $EnableCertPaddingCheckKey -Value $KeyValue -Type DWORD
}

#SecuritySignature
foreach ($SecuritySignaturePath in $SecuritySignaturePaths) {
    # Create the registry key if it doesn't exist
    if (!(Test-Path $SecuritySignaturePath)) {
        New-Item -Path $SecuritySignaturePath -Force -ItemType Directory | Out-Null
        Write-Host Created $SecuritySignaturePath
    }
    # Create or update the registry value
    Set-ItemProperty -Path $SecuritySignaturePath -Name $RequireSecuritySignatureKey -Value $KeyValue -Type DWORD
}

Write-Host "Registry keys and values have been created or updated successfully."
But the same issue, HKLM:\Software\Microsoft\Cryptography\Wintrust\Config doesn't get created... So I enabled some Transcript logging (Start-Transcript), and if I just do a new-item
I really appreciate your time with this problem. It is very odd that this is happening, but I'm glad you have come across the same problem and it's not just me 😉. It's very frustrating, so hopefully someone can find a reason why this is happening.
- Oct 23, 2023: Did you ever find a solution?
- Anton_Howard (Copper Contributor), Oct 23, 2023: No, I'm afraid not. I thought it would get more responses on here with a solution, but no luck.
It's just frustrating, to be honest. If I can solve this issue, then future registry changes can be rolled out with more confidence.
- Oct 23, 2023: Anton_Howard Read the article (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2013-3900), which does a .reg import. If I do that, the EnableCertPaddingCheck is a REG_SZ, not DWORD. I modified the script for that below. Could you test that?
#Set keys
$CertPaddingCheckPaths = @("HKLM:\Software\Microsoft\Cryptography\Wintrust\Config", "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config")
$SecuritySignaturePaths = @("HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters", "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters")
$EnableCertPaddingCheckKey = "EnableCertPaddingCheck"
$RequireSecuritySignatureKey = "RequireSecuritySignature"
$KeyValue = "1"

#CertPadding
foreach ($CertPaddingCheckPath in $CertPaddingCheckPaths) {
    # Create the registry key if it doesn't exist
    if (!(Test-Path $CertPaddingCheckPath)) {
        New-Item -Path $CertPaddingCheckPath -Force -ItemType Directory | Out-Null
        Write-Host Created $CertPaddingCheckPath
    }
    # Create or update the registry value (REG_SZ, as the .reg import produces)
    Set-ItemProperty -Path $CertPaddingCheckPath -Name $EnableCertPaddingCheckKey -Value $KeyValue -Type String
}

#SecuritySignature
foreach ($SecuritySignaturePath in $SecuritySignaturePaths) {
    # Create the registry key if it doesn't exist
    if (!(Test-Path $SecuritySignaturePath)) {
        New-Item -Path $SecuritySignaturePath -Force -ItemType Directory | Out-Null
        Write-Host Created $SecuritySignaturePath
    }
    # Create or update the registry value
    Set-ItemProperty -Path $SecuritySignaturePath -Name $RequireSecuritySignatureKey -Value $KeyValue -Type DWORD
}

Write-Host "Registry keys and values have been created or updated successfully."
- Sep 25, 2023: Perhaps some service, such as the Cryptography service, is locking this. I tried to stop that service, add Registry, and start it again, but it doesn't pick that up...
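A read-back check for the values the scripts in this thread set, as an added example that is not from any poster: it opens the 64-bit and 32-bit registry views explicitly through .NET, so the result does not depend on whether the PowerShell host runs as a 32-bit or 64-bit process, and it reports each value's kind (String for REG_SZ, DWord for REG_DWORD). The function name Get-RegistryValueState is made up for this example.

```powershell
# Added example (not from the thread): report whether each key/value exists and its type.
# The Registry32 view of Software\... is what appears as Software\Wow6432Node\... on 64-bit Windows.
$Checks = @(
    @{ View = 'Registry64'; Path = 'Software\Microsoft\Cryptography\Wintrust\Config'; Name = 'EnableCertPaddingCheck' }
    @{ View = 'Registry32'; Path = 'Software\Microsoft\Cryptography\Wintrust\Config'; Name = 'EnableCertPaddingCheck' }
    @{ View = 'Registry64'; Path = 'System\CurrentControlSet\Services\LanManWorkstation\Parameters'; Name = 'RequireSecuritySignature' }
    @{ View = 'Registry64'; Path = 'System\CurrentControlSet\Services\LanManServer\Parameters'; Name = 'RequireSecuritySignature' }
)

# Hypothetical helper name; uses only Microsoft.Win32.RegistryKey, read-only.
function Get-RegistryValueState {
    param([string]$View, [string]$Path, [string]$Name)

    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]$View)
    try {
        $key = $base.OpenSubKey($Path)   # $null when the key does not exist in this view
        $state = [ordered]@{
            View      = $View
            Path      = "HKLM\$Path"
            Name      = $Name
            KeyExists = [bool]$key
            Kind      = $null            # stays $null when the value is missing
            Data      = $null
        }
        if ($key) {
            try {
                # GetValueKind throws for a missing value, so check the name first
                if ($key.GetValueNames() -contains $Name) {
                    $state.Kind = $key.GetValueKind($Name)
                    $state.Data = $key.GetValue($Name)
                }
            } finally { $key.Dispose() }
        }
        [pscustomobject]$state
    } finally { $base.Dispose() }
}

# Record the bitness of the host that ran the check alongside the results
"64-bit PowerShell process: $([Environment]::Is64BitProcess)"
$results = foreach ($c in $Checks) { Get-RegistryValueState @c }
$results | Format-Table -AutoSize
```

Running it in the same context that deploys the script (for example inside the Start-Transcript session mentioned above) shows which view each write actually landed in.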