Registry script is changing 5 of 6 keys


I'm hoping someone can help with this, it's really starting to get on my nerves.

 

There are some registry keys that I needed to change/create on all PCs, so I tried to bundle the changes in a Win32 app to run the PowerShell script changes, but they wouldn't run.

Eventually, I found that I could create an app to copy the script to the PCs and another one to run it.

This worked fine once the detection rules were sorted, but there is one key in the script that refuses to change - all others are created as expected so I can't figure out why it won't work on this one key.

 

Funny thing is that if the script is run locally, all keys are created fine.

 

Any help greatly appreciated.


$regPath1 = "HKLM:\Software\Microsoft\Cryptography\Wintrust\Config"
$valueName1 = "EnableCertPaddingCheck"
$valueData1 = 1

$regPath2 = "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config"
$valueName2 = "EnableCertPaddingCheck"
$valueData2 = 1

$regPath3 = "HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters"
$valueName3 = "RequireSecuritySignature"
$valueData3 = 1

$regPath4 = "HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters"
$valueName4 = "EnableSecuritySignature"
$valueData4 = 1

$regPath5 = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
$valueName5 = "RequireSecuritySignature"
$valueData5 = 1

$regPath6 = "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters"
$valueName6 = "EnableSecuritySignature"
$valueData6 = 1

# Create or update registry keys and values
$regPaths = @($regPath1, $regPath2, $regPath3, $regPath4, $regPath5, $regPath6)
$valueNames = @($valueName1, $valueName2, $valueName3, $valueName4, $valueName5, $valueName6)
$valueDatas = @($valueData1, $valueData2, $valueData3, $valueData4, $valueData5, $valueData6)

for ($i = 0; $i -lt $regPaths.Length; $i++) {
    $regPath = $regPaths[$i]
    $valueName = $valueNames[$i]
    $valueData = $valueDatas[$i]

    # Check if the registry key already exists
    if (!(Test-Path $regPath)) {
        # Create the registry key if it doesn't exist
        New-Item -Path $regPath -Force | Out-Null
    }

    # Create or update the registry value
    Set-ItemProperty -Path $regPath -Name $valueName -Value $valueData -Type DWORD
}

Write-Host "Registry keys and values have been created or updated successfully."
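Added example, not part of the original post or the poster's script: the same six values written through an explicit 64-bit registry view, then each read back through both the 64-bit and the 32-bit view. A script that works when run by hand but "loses" only the HKLM:\Software\Microsoft\... key when launched by a management agent is the classic signature of WOW64 registry redirection: from a 32-bit PowerShell host, HKLM:\Software paths are silently mapped to HKLM:\Software\Wow6432Node, while HKLM:\System\CurrentControlSet\Services is not redirected, and Test-Path and Set-ItemProperty cannot tell you this happened. Reading both views after the write distinguishes "never written" from "written to the redirected copy". It assumes the paths, value names and DWORD type from the script above, must run elevated (or as SYSTEM) to write under HKLM, and does not claim this is the cause in this thread, only how to check it.

```powershell
# Added example (not the poster's script): write the six values through the
# 64-bit registry view, then read each back through both views.
# Assumption: same paths, value names and DWORD type as the script above.
# Must run elevated (or as SYSTEM) to write under HKLM.

$ErrorActionPreference = 'Stop'

$settings = @(
    @{ Path = 'SOFTWARE\Microsoft\Cryptography\Wintrust\Config';                Name = 'EnableCertPaddingCheck';   Value = 1 }
    @{ Path = 'SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config';    Name = 'EnableCertPaddingCheck';   Value = 1 }
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Value = 1 }
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters'; Name = 'EnableSecuritySignature';  Value = 1 }
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'RequireSecuritySignature'; Value = 1 }
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'EnableSecuritySignature';  Value = 1 }
)

# Log the host bitness first: a 32-bit PowerShell on 64-bit Windows has HKLM\SOFTWARE
# redirected to HKLM\SOFTWARE\Wow6432Node by WOW64, invisibly to Test-Path/Set-ItemProperty.
$bits = if ([Environment]::Is64BitProcess) { 64 } else { 32 }
Write-Host "Host: ${bits}-bit PowerShell process; 64-bit OS = $([Environment]::Is64BitOperatingSystem)"

function Set-DwordInView {
    param([string]$SubKey, [string]$Name, [int]$Value, [string]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]$View)
    try {
        $key = $base.CreateSubKey($SubKey)   # creates the key if missing, opens it writable otherwise
        try { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
        finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

function Get-ValueInView {
    param([string]$SubKey, [string]$Name, [string]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]$View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return '<key missing>' }
        try {
            $data = $key.GetValue($Name, $null)
            if ($null -eq $data) { return '<value missing>' }
            return "$data ($($key.GetValueKind($Name)))"
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

foreach ($s in $settings) {
    # Explicit Registry64 view: immune to WOW64 redirection whatever the host bitness.
    Set-DwordInView -SubKey $s.Path -Name $s.Name -Value $s.Value -View 'Registry64'

    $v64 = Get-ValueInView -SubKey $s.Path -Name $s.Name -View 'Registry64'
    $v32 = Get-ValueInView -SubKey $s.Path -Name $s.Name -View 'Registry32'
    Write-Host "HKLM\$($s.Path)\$($s.Name): 64-bit view = $v64; 32-bit view = $v32"
}
```

If the first line reports a 32-bit process on a 64-bit OS, the Intune-side fixes are to launch the script from %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe in the Win32 app's install command, or, for a PowerShell-script deployment, to enable "Run script in 64-bit PowerShell host". Writing through the Registry64 view as above sidesteps the redirection regardless of which host runs the script.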

 

 


@Anton_Howard I did some testing and wrote a slightly changed version of your script:

 

#Set keys
$CertPaddingCheckPaths = @("HKLM:\Software\Microsoft\Cryptography\Wintrust\Config", "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config")
$SecuritySignaturePaths = @("HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters", "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters")
$EnableCertPaddingCheckKey = "EnableCertPaddingCheck"
$RequireSecuritySignatureKey = "RequireSecuritySignature"
$KeyValue = "1"

#CertPadding
foreach ($CertPaddingCheckPath in $CertPaddingCheckPaths) {
    # Create the registry key if it doesn't exist (the registry provider always creates a key here; no -ItemType needed)
    if (!(Test-Path $CertPaddingCheckPath)) {
        New-Item -Path $CertPaddingCheckPath -Force | Out-Null
        Write-Host "Created $CertPaddingCheckPath"
    }
    # Create or update the registry value (the string "1" is converted to DWORD 1)
    Set-ItemProperty -Path $CertPaddingCheckPath -Name $EnableCertPaddingCheckKey -Value $KeyValue -Type DWORD
}

#SecuritySignature
foreach ($SecuritySignaturePath in $SecuritySignaturePaths) {
    # Create the registry key if it doesn't exist
    if (!(Test-Path $SecuritySignaturePath)) {
        New-Item -Path $SecuritySignaturePath -Force | Out-Null
        Write-Host "Created $SecuritySignaturePath"
    }
    # Create or update the registry value
    Set-ItemProperty -Path $SecuritySignaturePath -Name $RequireSecuritySignatureKey -Value $KeyValue -Type DWORD
}

Write-Host "Registry keys and values have been created or updated successfully."

 

But the same issue: HKLM:\Software\Microsoft\Cryptography\Wintrust\Config doesn't get created... So I enabled some transcript logging (Start-Transcript), and if I just do a New-Item on HKLM:\Software\Microsoft\Cryptography\Wintrust\Config, it does create the registry path and... it immediately gets deleted?!? Some process is checking that... So weird, I haven't found anything yet why :)
Hi Harm,
I really appreciate your time with this problem. It is very odd that this is happening, but I'm glad you have come across the same problem and it's not just me ;). It's very frustrating, so hopefully someone can find a reason why this is happening.
Perhaps some service, such as the Cryptography service, is locking this. I tried to stop that service, add Registry, and start it again, but it doesn't pick that up...
Did you ever find a solution?
No I'm afraid not. I thought it would get more responses on here with a solution, but no luck.
It's just frustrating to be honest, if I can solve this issue then future registry changes can be rolled out with more confidence.

@Anton_Howard Read the article (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2013-3900), which does a .reg import. If I do that, the EnableCertPaddingCheck is a REG_SZ, not DWORD. I modified the script for that below. Could you test that?

 

#Set keys
$CertPaddingCheckPaths = @("HKLM:\Software\Microsoft\Cryptography\Wintrust\Config", "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config")
$SecuritySignaturePaths = @("HKLM:\System\CurrentControlSet\Services\LanManWorkstation\Parameters", "HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters")
$EnableCertPaddingCheckKey = "EnableCertPaddingCheck"
$RequireSecuritySignatureKey = "RequireSecuritySignature"
$KeyValue = "1"

#CertPadding
foreach ($CertPaddingCheckPath in $CertPaddingCheckPaths) {
    # Create the registry key if it doesn't exist
    if (!(Test-Path $CertPaddingCheckPath)) {
        New-Item -Path $CertPaddingCheckPath -Force | Out-Null
        Write-Host "Created $CertPaddingCheckPath"
    }
    # Create or update the registry value as REG_SZ "1", matching the .reg file from the MSRC page
    Set-ItemProperty -Path $CertPaddingCheckPath -Name $EnableCertPaddingCheckKey -Value $KeyValue -Type String
}

#SecuritySignature
foreach ($SecuritySignaturePath in $SecuritySignaturePaths) {
    # Create the registry key if it doesn't exist
    if (!(Test-Path $SecuritySignaturePath)) {
        New-Item -Path $SecuritySignaturePath -Force | Out-Null
        Write-Host "Created $SecuritySignaturePath"
    }
    # Create or update the registry value (the string "1" is converted to DWORD 1)
    Set-ItemProperty -Path $SecuritySignaturePath -Name $RequireSecuritySignatureKey -Value $KeyValue -Type DWORD
}

Write-Host "Registry keys and values have been created or updated successfully."




Hi Harm,
Sorry, but I don't understand what this new script is. I'm running the PowerShell script from within Intune and I don't know how I can use this to import the script into the registry instead. If I save it as .reg it will not run, as it is not the correct format, and PowerShell won't run it either. The CVE page shows that there is a problem changing the registry for that particular value, but doesn't explain how to fix it as far as I can tell.
It's the same script as in my post above, but I adjusted the WinTrust key to String instead of DWORD. I mentioned the reg file from that link as an example; if you imported that, you would see that it's a string and not a DWORD.

Just test the adjusted powershell script, curious if that will fix it
Hi Harm,
I have re-deployed the script from Intune and it shows as failed on deployment (my detection rules are for the problematic registry key). Even though it said the script failed, it has updated all but the first registry key, the same as before. It's a real mystery.
Also, I tried running the PowerShell script manually and it populates all of the registry keys. There must be something related to Intune calling the script for that particular reg key.
So weird, no explanation for it either :( You could try to export the correct keys to a .reg file, create a .intunewin package, and use regedit regfile.reg /s to import it like that?
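Added example, not code from the thread: a custom detection script for the Intune Win32 app that checks all six values rather than a single key. Intune marks a Win32 app as detected only when the detection script exits with code 0 and writes something to STDOUT, so the script prints a line only when every value is correct and otherwise keeps STDOUT empty. It reads the explicit 64-bit registry view, so the verdict does not depend on the bitness of the host the Intune Management Extension launches. Assumptions: the six paths and names from the original post, expected data 1; EnableCertPaddingCheck is accepted as either DWORD 1 or REG_SZ "1", because the .reg file from the MSRC page for CVE-2013-3900 writes it as a string.

```powershell
# Added example (not from the thread): Intune Win32 app custom detection script.
# Detected  = exit code 0 AND output on STDOUT.
# Not found = non-zero exit code and nothing on STDOUT (details go to STDERR).
# Assumption: the six values from the original post; EnableCertPaddingCheck may be
# REG_SZ "1" (as in Microsoft's CVE-2013-3900 .reg file) or DWORD 1.

$expected = @(
    @{ Path = 'SOFTWARE\Microsoft\Cryptography\Wintrust\Config';                Name = 'EnableCertPaddingCheck';   Value = 1; AllowString = $true }
    @{ Path = 'SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config';    Name = 'EnableCertPaddingCheck';   Value = 1; AllowString = $true }
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Value = 1; AllowString = $false }
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters'; Name = 'EnableSecuritySignature';  Value = 1; AllowString = $false }
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'RequireSecuritySignature'; Value = 1; AllowString = $false }
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'EnableSecuritySignature';  Value = 1; AllowString = $false }
)

# Returns $null when the value is present and correct, otherwise a one-line description of the problem.
function Test-ExpectedValue {
    param([string]$Path, [string]$Name, [int]$Value, [bool]$AllowString)

    # Open HKLM in the 64-bit view explicitly: a 32-bit host would otherwise be redirected to Wow6432Node.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
    try {
        $key = $base.OpenSubKey($Path)
        if ($null -eq $key) { return "missing key HKLM\$Path" }
        try {
            $actual = $key.GetValue($Name, $null)
            if ($null -eq $actual) { return "missing value $Name under HKLM\$Path" }
            $kind = $key.GetValueKind($Name).ToString()
            $ok = switch ($kind) {
                'DWord'  { [int]$actual -eq $Value }
                'String' { $AllowString -and ([string]$actual -eq [string]$Value) }
                default  { $false }
            }
            if (-not $ok) { return "HKLM\$Path\$Name is '$actual' ($kind), expected $Value" }
            return $null
        } finally { $key.Dispose() }
    } finally { $base.Dispose() }
}

$problems = @($expected | ForEach-Object { $e = $_; Test-ExpectedValue @e } | Where-Object { $_ })

if ($problems.Count -eq 0) {
    Write-Output 'All six registry values present with the expected data'   # STDOUT + exit 0 => detected
    exit 0
}
# Report what is wrong on STDERR only, so STDOUT stays empty and Intune treats the app as not detected.
$problems | ForEach-Object { [Console]::Error.WriteLine($_) }
exit 1
```

Pair this with the install script of the same Win32 app; because both sides read and write the explicit 64-bit view, a value that lands in the redirected Wow6432Node copy is reported as missing instead of silently passing detection.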
Hi Harm,
You wouldn't believe it, but I followed your suggestion to export and import the .reg keys and I have exactly the same problem. All keys import apart from the first one.
Strange how it works absolutely fine outside of Intune.
Wow... Something is monitoring and changing the keys back, a security thing of some sort...
I guess it must be Intune changing it back then, if manual changes are staying as they are. I'll do some more digging.
No clue yet what it could be, curious about your findings!