mattifestation / cimsweep Goto Github PK

Running PS version 5 Build 10240 Rev 16384

Script block to re-create error:

$CimSessionTest = New-CimSession -ComputerName testhost.domain.local
Get-CSRegistryAutoStart -Session $CimSessionTest

After each registry key is printed (Path, AutoRunEntry, ImagePath, Category, PSComputerName, Cimsession) the following error is thrown:

Set-DefaultDisplayProperties : The term 'Set-DefaultDisplayProperties' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the
path is correct and try again.
At C:\Program Files\WindowsPowerShell\Modules\CimSweep\Defense\Autoruns.ps1:228 char:13
+             Set-DefaultDisplayProperties -InputObject $AutoRunsEntry  ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Set-DefaultDisplayProperties:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

I expected this to work but it didn't. Investigate the feasibility of this.

CimSweep states in the module manifest that PSv3 is the minimum version required. This PSv4 language element needs to be changed accordingly.

Get-CSService uses the following regex to extract normalized service path binaries: (?<ServicePath>[a-z]:\\.+(\.exe|\.dll)). This will fail to pull out the correct service path given the following example: "C:\Windows\System32\foo.exe" /arg bar.exe.

The regex should match on the fewest number of characters versus the most. A better regex would be the following: (?<ServicePath>[a-z]:\\.+?(\.exe|\.dll))

Also update .OUTPUTS documentation to reflect the change. Also add OutputType attributes to reflect all custom object types. This method was described here and I love it!

This doesn't work running as admin on win10, localhost, for me. Trying to grab the AmCache for some other testing. Also, what's the point of this error?

If I step through the code in ISE, it does work... wtf smalls? (Maybe there's a race condition where the shadowcopy is getting deleted before the file is copied.)

Permanent WMI event subscriptions can be registered in the root/default namespace in addition to root/subscription. Get-CSWmiPersistence should query both namespaces.

The -Path parameter is redundant as -Hive and -Subkey already exist. My logic in including -Path was primarily for local testing where I was afforded tab completion with registry PSDrive paths - HKCU:\ and HKLM:. This can potentially cause two issues from a usability standpoint:

1. StdRegProv supports HKLM, HKCU, HKU, HKCR, and HKCC. HKU, HKCR, and HKCC don't exist as PSDrives by default so I don't want to have to force users to call New-PSDrive just to use those hives.
2. Tab completion with -Path is nice but it provides a false sense of security in that while tab completion implies that the registry key exists on the local machine, it doesn't imply it's existent in a remote CIM session.

Unless there are any objections, I'm going to remove -Path in the next release. Speak now, or forever hold your peace. :)

On line 137:
[Microsoft.Management.Infrastructure.CimSession[]]

Works when changed to:
[Microsoft.Management.Infrastructure.CimSession]

I think there is some data type confusion when Get-CSRegistryValue returns just one result. In this new 0.6.1 code you fixed to maintain PSv3 compatibility (thank you!), you build an array of types:

                $Types = foreach ($Value in $Result.Types) { $Type[$Value] }

When more than one result is returned, this works fine and $Types is an Object[]. However, when only one result is returned, $Types ends up being a String. And then when you later index into $Types with $Types[$i] it returns one of the characters of that string.

In my testing, either of the following fixes worked fine:

                [String[]]$Types = foreach ($Value in $Result.Types) { $Type[$Value] }

or

                $Types = @()
                foreach ($Value in $Result.Types) {
                    $Types += $Type[$Value]
                }

Thanks!