Reset 'Friendly Name' certificate property using PowerShell - windows

I need to have a certificate's Friendly Name set to an empty value so that in the Certificate Console the Friendly Name column would display <None>.
Using this code, all I could get is just an empty value in the column, not the <None> I need.
gci "Cert:\LocalMachine\My" | ? {$_.Subject -like "CN=mycer*"} | % { $_.FriendlyName = '' }
I also tried $_.FriendlyName = $null which made no difference.
Strange thing: when I clear Friendly Name using the console, then from PowerShell's perspective the value is '', as the following statement produces True: write-host ($_.FriendlyName -eq ''). However, the '' value applied vice versa doesn't provide the expected result.
Any help is greatly appreciated.
UPDATE and ANSWER:
As Kory Gill suggested in comments, certutil.exe is indeed the way to get what I need.
Having created a clear.inf file with the content below
[Version]
Signature = "$Windows NT$"
[Properties]
11 =
and executed certutil.exe -repairstore -user my "serial number" clear.inf, I managed to reset Friendly Name to the <None> value.

As an alternative to the PowerShell cmdlet for managing certificates, which may have issues with some properties, one can use certutil.exe as well to manage certs. This is similar to using robocopy.exe instead of Copy-File. Use the tools that give you the desired results...
This link shows an example of how to use certutil to change the friendly name.
Example usage from that page is:
certutil.exe -repairstore my "{serialnumber}" "change-friendly-name.inf"
where the inf file looks like:
[Version]
Signature = "$Windows NT$"
[Properties]
11 = "{text}new friendly name"
See also certutil reference.
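The procedure in the two answers above, wrapped into a reusable PowerShell function as an added example (this is not code from the original question or answers): it locates the certificate by subject, generates the .inf with the empty property 11 assignment, runs certutil.exe -repairstore against the certificate's serial number, and re-reads the store afterwards. The subject pattern, the temporary file name and the `-WhatIf` support are assumptions of this example; targeting the LocalMachine store requires an elevated shell.

```powershell
# Added example, not code from the original question or answers: clear a certificate's
# Friendly Name by generating the .inf the accepted answer describes and driving
# certutil.exe -repairstore with it.
function Reset-CertFriendlyName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SubjectPattern,   # e.g. 'CN=mycer*' (assumed pattern)
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$StoreLocation = 'LocalMachine'
    )
    $store = "Cert:\$StoreLocation\My"
    $certs = Get-ChildItem $store | Where-Object { $_.Subject -like $SubjectPattern }
    if (-not $certs) { throw "No certificate in $store matches '$SubjectPattern'" }

    # Property id 11 is CERT_FRIENDLY_NAME_PROP_ID; an empty assignment deletes the property,
    # which is what the console then shows as <None>. Single-quoted here-string so that
    # $Windows NT$ is written literally.
    $infPath = Join-Path $env:TEMP 'clear-friendlyname.inf'   # assumed temp file name
    @'
[Version]
Signature = "$Windows NT$"
[Properties]
11 =
'@ | Set-Content -LiteralPath $infPath -Encoding ASCII

    # certutil's -user switch selects the current user's store; omit it for the machine store
    $scope = if ($StoreLocation -eq 'CurrentUser') { @('-user') } else { @() }
    try {
        foreach ($cert in $certs) {
            if ($PSCmdlet.ShouldProcess($cert.Subject, 'Clear Friendly Name with certutil -repairstore')) {
                $cuArgs = @('-repairstore') + $scope + @('my', $cert.SerialNumber, $infPath)
                & certutil.exe @cuArgs | Out-Null
                if ($LASTEXITCODE -ne 0) {
                    throw "certutil.exe exited with $LASTEXITCODE for $($cert.Thumbprint)"
                }
            }
        }
    }
    finally { Remove-Item -LiteralPath $infPath -ErrorAction SilentlyContinue }

    # Re-read the store; a deleted property reads back as an empty FriendlyName from PowerShell
    Get-ChildItem $store | Where-Object { $_.Subject -like $SubjectPattern } |
        Select-Object Thumbprint, Subject, FriendlyName
}

# Dry run first, then the real thing
Reset-CertFriendlyName -SubjectPattern 'CN=mycer*' -WhatIf
Reset-CertFriendlyName -SubjectPattern 'CN=mycer*'
```

The `-WhatIf` pass lists which certificates would be touched before certutil modifies anything; because the match is a wildcard on the subject, checking that list first avoids clearing the Friendly Name on a similarly named certificate.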

Related

Windows Audit Policy/Registry Key Command Check To Only Apply On Domain Controllers

I am trying to craft a command that would run against all of my Windows machines to check if the "Audit Distribution Group Management" audit policy setting is set to "Success and Failure". I would only like to apply this check to Domain Controller servers and, for any other server type, to echo out something like "NoCheckRequired". Is this possible?
I tried to create an if-else statement on PowerShell for this, but it was not successful.
I tried to use the "wmic.exe ComputerSystem get DomainRole" command to find out the type of machine (values 4 / 5 mean DC server, from my understanding), and using an IF statement I tried to match those values and check if the group policy audit settings were set, and for any other values returned other than 4 / 5
wmic.exe ComputerSystem get DomainRole outputs the property name on a separate line before outputting the actual value, so comparing to the number 4 (as an example) will not work.
Instead, use the Get-CimInstance cmdlet:
$CS = Get-CimInstance Win32_ComputerSystem
if($CS.DomainRole -in 4,5){
# We're on a Domain Controller
}
elseif($CS.DomainRole -in 1,3) {
# We're on a Domain member
}
else {
# We're on a workgroup machine
}
Get-ADComputer -Filter 'primarygroupid -eq "516"'
will filter the Domain Controllers.
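Putting the DomainRole test from the answer together with the audit-policy check the question asks for, as an added example (not code from the original answers): the function returns 'NoCheckRequired' on non-DCs and otherwise reads the effective setting of the "Distribution Group Management" subcategory through auditpol's CSV output. It assumes auditpol.exe is present and reports the English subcategory and setting names.

```powershell
# Added example, not code from the original answers: run the audit-policy check only on
# machines whose DomainRole is 4 (backup DC) or 5 (primary DC).
function Test-DcDistributionGroupAudit {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $report = [ordered]@{ Computer = $cs.Name; DomainRole = $cs.DomainRole }

    if ($cs.DomainRole -notin 4, 5) {
        $report.Result = 'NoCheckRequired'
        return [pscustomobject]$report
    }

    # /r prints CSV (Machine Name, Policy Target, Subcategory, ..., Inclusion Setting, ...),
    # which parses more reliably than the default fixed-width table; blank lines are dropped.
    # Subcategory and setting names are assumed to be the English ones.
    $rows = auditpol.exe /get /subcategory:"Distribution Group Management" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $setting = ($rows | Select-Object -First 1).'Inclusion Setting'

    $report.Setting = $setting
    $report.Result  = if ($setting -eq 'Success and Failure') { 'Compliant' } else { 'NonCompliant' }
    [pscustomobject]$report
}

Test-DcDistributionGroupAudit
```

To run it fleet-wide, pass the function body to Invoke-Command against the computer list; each result object carries the machine name, so the output can be collected in one table and the 'NonCompliant' rows filtered out for follow-up.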

SCCM 2012 OSD Task Sequence - Rename computer with Service Tag

I am planning to deploy Windows 10 using SCCM 2012. It is working fine, and now I just want to rename the computer to be the same as its DELL service tag, and make it part of the Task Sequence. I would ideally like to use a PowerShell script to do so, however I am happy to use VBS as well, in case it isn't easy enough with PS.
Following is the PowerShell script that does the job, however I can't add it as part of the Task Sequence!
$sTag = Get-WmiObject -Class win32_BIOS | Select SerialNumber
$cName = 'DESKTOP' + $sTag.SerialNumber
Rename-Computer -NewName $cName
Can someone please assist?
Thanks in advance.
I think you would be better off not renaming the computer after it is already present in SCCM and AD, but giving it a proper name before it is joined (assuming you use unknown computer support for the OSD here).
In this case you should set the SCCM variable OSDComputerName already within the WinPE phase, like this (you can find more detailed examples e.g. here):
$sTag = Get-WmiObject -Class win32_BIOS | Select SerialNumber
$OSDComputerName = 'DESKTOP' + $sTag.SerialNumber
$TSEnv = New-Object -COMObject Microsoft.SMS.TSEnvironment
$TSEnv.Value("OSDComputerName") = $OSDComputerName
If you want to use PowerShell in PE you will have to modify your boot image (Right click --> Properties --> Optional Components) to include "Windows PowerShell".
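A fuller version of the WinPE step above, as an added example (not code from the original answer): it derives OSDComputerName from the BIOS serial number but also enforces the constraints a computer name must satisfy before the domain join, namely a NetBIOS length of at most 15 characters and no characters outside letters, digits and '-'. The prefix, the fallback name and the choice to keep the tail of an over-long name are assumptions of this example.

```powershell
# Added example, not code from the original answer: set OSDComputerName in the WinPE phase
# from the BIOS serial number, with the validation a task-sequence step needs.
function Set-OsdComputerNameFromSerial {
    param(
        [string]$Prefix   = 'DESKTOP',     # assumed prefix, as in the answer
        [string]$Fallback = 'PC-UNKNOWN'   # assumed name when no usable serial is reported
    )
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # Keep only characters that are legal in a NetBIOS name; virtual machines and some
    # vendors report serials containing spaces, slashes or other punctuation.
    $clean = ($serial -replace '[^A-Za-z0-9-]', '').ToUpper()
    $name  = if ($clean) { $Prefix + $clean } else { $Fallback }

    # NetBIOS names are limited to 15 characters; keep the tail, which carries the
    # serial number's unique part (design choice of this example).
    if ($name.Length -gt 15) { $name = $name.Substring($name.Length - 15) }

    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('OSDComputerName') = $name
    return $name
}

$assigned = Set-OsdComputerNameFromSerial
Write-Output "OSDComputerName set to $assigned"
```

Run it as a "Run PowerShell Script" step before the "Apply Windows Settings" / domain-join steps; the returned name is also written to the task-sequence log via the Write-Output line, which makes a naming collision easier to trace afterwards.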

What is the GUID suffix on key container storage files in Windows?

I am wondering what are the GUID suffixes for the RSA key container files stored in the machine and user key container stores. I cannot identify some of these as key containers through CAPI/CNG, although I'll expose my case using command line tools instead. Commands below are for PowerShell in an elevated prompt. On most machines, the GUID suffix is the same for all these file names, but on this one there are four different GUIDs, while the API is returning only keys with only one. What is this GUID? I do not like random secrets stored by I do not know what on my machine; are they safe to delete?
The content of the machine store directory is:
> ls -n $env:ProgramData\Microsoft\Crypto\Rsa\MachineKeys | sort { "$_"[-3..-1] }
d1f9044f5d7345da71c0d2efd2e4f59e_e9f96f2e-b8b7-49b2-85a5-840195eca603
d6d986f09a1ee04e24c949879fdb506c_a4dc5a56-574d-4e4b-ba8d-d88984f9a6c5
6de9cb26d2b98c01ec4e9e8b34824aa2_a4dc5a56-574d-4e4b-ba8d-d88984f9a6c5
76944fb33636aeddb9590521c2e8815a_a4dc5a56-574d-4e4b-ba8d-d88984f9a6c5
d6d986f09a1ee04e24c949879fdb506c_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
d1f9044f5d7345da71c0d2efd2e4f59e_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
76944fb33636aeddb9590521c2e8815a_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
6de9cb26d2b98c01ec4e9e8b34824aa2_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
ba8e1b9b5510957b3af7b811f05660de_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
d1f9044f5d7345da71c0d2efd2e4f59e_c6a7fc9d-32a6-41e4-afd5-7dc7b822029e
I sorted the list by the last three characters, so that it's easy to see at a glance that there are 4 distinct GUID suffixes to the key container files. Now let's enumerate the keys reported by all installed CSPs. I'll get the list of providers, and later the list of each provider's keys, using the certutil tool that comes with Windows. Its output requires some regex magic for parsing, which is not essential, just convenient:
> certutil -csplist | sls '^Provider Name: (.*)' | %{ $_.Matches[0].Groups[1].Value }
Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Microsoft Base DSS Cryptographic Provider
[...snip...]
The output for a single key lists the name, flags and the key container ID, the latter matching the respective file name in the above directory (of course, we can see more keys from additional KSPs, smart cards, TPM etc.). Example for one provider (the -q makes some providers fail silently instead of asking for the user's action, such as inserting a SmartCard):
> certutil -key -q
Microsoft Strong Cryptographic Provider:
iisConfigurationKey
6de9cb26d2b98c01ec4e9e8b34824aa2_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
RSA
AT_KEYEXCHANGE
iisWasKey
76944fb33636aeddb9590521c2e8815a_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
[...snip...]
Some key names are just GUIDs too, but if we grep out only the lines that start with at least 20 hex digits, only the IDs will be listed. So all key IDs from all providers can be concisely shown with:
> certutil -csplist | sls '^Provider Name: (.*)' | %{ $_.Matches[0].Groups[1].Value } |
%{ certutil -key -q -csp "$_" } | sls '^\s+[0-9a-f]{20}.+' | sort -u
597367cc37b886d7ee6c493e3befb421_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
6de9cb26d2b98c01ec4e9e8b34824aa2_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
76944fb33636aeddb9590521c2e8815a_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
ba8e1b9b5510957b3af7b811f05660de_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
d6d986f09a1ee04e24c949879fdb506c_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
f0e91f6485ac2d09485e4ec18135601e_f7fe3b04-ef9b-4b27-827f-953c5743e2ec
Here there are actually 2 more keys than in the MachineKeys directory (they come from the KSP; in fact, certutil -key -csp KSP shows them, if you are wondering). But the fact is they all have the same GUID suffix _f7fe3b04-ef9b-4b27-827f-953c5743e2ec.
The machine was installed by the vendor (an HP notebook, to be exact). This is unlike other machines, that we assemble or buy barebone and install and configure by ourselves. And I am working with some sensitive data sometimes, so I am indeed paranoid vetting the software thoroughly before allowing machines to access sensitive data.
The OS is Windows 10, if that matters, but the same type of storage has not changed from Windows 7, AFAIK, even with the introduction of the new CNG API in 8.0 (or 8.1?).
Just in case anyone would find useful a PowerShell snippet to readably list keys by provider, I used this command:
> certutil -csplist | sls '^Provider Name: (.*)' | %{ $_.Matches[0].Groups[1].Value } |
%{ Write-Host -for Yellow "`n$_"; certutil -key -q -csp "$_" }
Found the answer here: https://serverfault.com/a/642279/451491
The file naming convention is x_y, where x is a random GUID to uniquely identify the key, and y is the machine GUID found at HKLM\SOFTWARE\Microsoft\Cryptography.
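Turning the naming convention from the answer into a check, as an added example (not code from the original question or answer): it reads the MachineGuid value under HKLM\SOFTWARE\Microsoft\Cryptography and compares it with the suffix of every file in the MachineKeys directory, so the container files whose suffix does not belong to the current machine GUID (the situation in the question) stand out in one table. Reading the machine store directory requires an elevated shell; the MachineGuid value name is assumed to be the one the answer's key holds.

```powershell
# Added example, not code from the original question or answer: compare each key container
# file's GUID suffix with this machine's MachineGuid.
function Get-KeyContainerSuffixReport {
    $machineGuid = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography' -Name MachineGuid).MachineGuid
    $dir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

    Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
        # Expected form per the answer: <32 hex chars>_<guid>; anything else is reported as-is
        if ($_.Name -match '^(?<id>[0-9a-f]{32})_(?<guid>[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$') {
            [pscustomobject]@{
                File               = $_.Name
                Suffix             = $Matches.guid
                MatchesThisMachine = ($Matches.guid -ieq $machineGuid)
                LastWriteTime      = $_.LastWriteTime
            }
        }
        else {
            [pscustomobject]@{
                File               = $_.Name
                Suffix             = $null
                MatchesThisMachine = $false
                LastWriteTime      = $_.LastWriteTime
            }
        }
    }
}

Get-KeyContainerSuffixReport | Sort-Object MatchesThisMachine, Suffix, File | Format-Table -AutoSize
```

On the machine in the question this would list the _a4dc5a56-…, _e9f96f2e-… and _c6a7fc9d-… files with MatchesThisMachine set to False; the LastWriteTime column helps relate those files to the vendor's imaging date, which is the context the question is asking about, before deciding what to do with them.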

Searching For A Registry Value Then Change It

On all the Windows 10 computers I re-image, I want to disable the option in Sound for giving exclusive control to each device to applications. I have located the registry keys and values:
HKLM\Software\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\RANDOM_STRING\Properties
HKLM\Software\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\RANDOM_STRING\Properties
Within each of these keys (the 1st one is for Mics and the 2nd is for Speakers) there are two DWORD-32 values:
{b3f8fa53-0004-438e-9003-51a46e139bfc},3
{b3f8fa53-0004-438e-9003-51a46e139bfc},4
I want to basically make a batch script that will find these two values and set them to 0 for each audio device. I'll have it run via Task Scheduler or something to make sure it gets new devices too.
The problem for me is the RANDOM_STRING portion of each path. Each one is ~25 random characters; it looks similar to the value names with the ,# at the end. I know how to change a value via a specific path, but here there is that randomized key name, and then new ones as new devices are plugged in.
Is there any way for me to create a batch file (or VBS/PowerShell) that will search the registry (or just Audio, to narrow it down quicker) for those two values, and change their values to 0? Or are there any other ways of going about this?
An example of the process I'd like (or again, something else similar):
1. Search for the DWORD-32 value "{b3f8fa53-0004-438e-9003-51a46e139bfc},3" within the path "HKLM\Software\Microsoft\Windows\CurrentVersion\MMDevices\Audio\" and all the sub-keys within.
2. Set the value of the DWORD-32 value "{b3f8fa53-0004-438e-9003-51a46e139bfc},3" to 0.
3. Search for the DWORD-32 value "{b3f8fa53-0004-438e-9003-51a46e139bfc},4" within the path "HKLM\Software\Microsoft\Windows\CurrentVersion\MMDevices\Audio\" and all the sub-keys within.
4. Set the value of the DWORD-32 value "{b3f8fa53-0004-438e-9003-51a46e139bfc},4" to 0.
I hope you know what are you doing. Manipulating registry is very risky. If you are absolutely sure, take a look at this script:
ls 'HKLM:\Software\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\*\Properties\' | `
where {$_.Property -contains '{b3f8fa53-0004-438e-9003-51a46e139bfc},3'} | `
Get-ItemProperty -Name '{b3f8fa53-0004-438e-9003-51a46e139bfc},3'
#Set-ItemProperty -Name '{b3f8fa53-0004-438e-9003-51a46e139bfc},3' -Value 0
Make sure this script (with Get-ItemProperty) gets only the desired keys. To change values, replace the last line with the commented one. Make sure you have proper permissions. And finally: do it at your own risk :)
I was unable to get the other answer working. I am trying to ban the Netflix app from being unbearably loud (which it does if it gets exclusive control of the sound device) every time I reinstall the geforce drivers (when the exclusive control resets).
So:
Get-ChildItem -recurse -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\' | `
Foreach-Object { if ($_.Property -eq '{b3f8fa53-0004-438e-9003-51a46e139bfc},3') {$_|Get-ItemProperty -Name '{b3f8fa53-0004-438e-9003-51a46e139bfc},3'} }
Gives me this output:
{b3f8fa53-0004-438e-9003-51a46e139bfc},3 : 0
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{94743724-8af1-4abc-8d45-2757184ec5f2}\Properties
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{94743724-8af1-4abc-8d45-2757184ec5f2}
PSChildName : Properties
PSProvider : Microsoft.PowerShell.Core\Registry
{b3f8fa53-0004-438e-9003-51a46e139bfc},3 : 0
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b4ed07ae-0ee7-4ffb-8370-8bb08a59a941}\Properties
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b4ed07ae-0ee7-4ffb-8370-8bb08a59a941}
PSChildName : Properties
PSProvider : Microsoft.PowerShell.Core\Registry
This looks good.
To write it, the Get-ItemProperty needs to change to Set-ItemProperty, but that results in a security error; please consult https://stackoverflow.com/a/35844259/308851 to take ownership of the relevant key.
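Combining the two answers into one script, as an added example (not code from the original question or answers): it walks both the Capture and Render branches, handles both the ,3 and ,4 values, supports a `-WhatIf` dry run as the first answer recommends, and records an access-denied result per key instead of stopping at the security error the second answer mentions. The registry root and value names are the ones from the question; the result-object layout is this example's own.

```powershell
# Added example, not code from the original answers: find the two exclusive-mode values under
# every audio device's Properties key and set them to 0, reporting what happened per key.
function Disable-AudioExclusiveMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$AudioRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio',
        [string[]]$ValueNames = @('{b3f8fa53-0004-438e-9003-51a46e139bfc},3',
                                  '{b3f8fa53-0004-438e-9003-51a46e139bfc},4')
    )
    foreach ($flow in 'Capture', 'Render') {
        # The wildcard stands in for the per-device RANDOM_STRING key from the question
        $keys = Get-Item -Path "$AudioRoot\$flow\*\Properties" -ErrorAction SilentlyContinue
        foreach ($key in $keys) {
            foreach ($name in $ValueNames) {
                if ($key.Property -notcontains $name) { continue }
                $current = $key.GetValue($name)
                $result  = if ($current -eq 0) { 'AlreadyZero' } else { 'Pending' }

                if ($current -ne 0 -and $PSCmdlet.ShouldProcess($key.PSPath, "Set '$name' to 0")) {
                    try {
                        Set-ItemProperty -LiteralPath $key.PSPath -Name $name -Value 0 -Type DWord -ErrorAction Stop
                        $result = 'Set'
                    }
                    catch {
                        # Typically the security error from the second answer: the key's ACL
                        # does not grant write access even to an elevated administrator.
                        $result = "Failed: $($_.Exception.GetType().Name)"
                    }
                }

                [pscustomobject]@{
                    Flow   = $flow
                    Device = Split-Path -Leaf $key.PSParentPath   # the {guid} device key name
                    Value  = $name
                    Before = $current
                    Result = $result
                }
            }
        }
    }
}

# Dry run shows which keys would change; drop -WhatIf to apply
Disable-AudioExclusiveMode -WhatIf | Format-Table -AutoSize
```

Scheduled as the question suggests, the 'Failed: …' rows in the output are the keys whose ownership still needs to be adjusted; the 'AlreadyZero' rows confirm that re-running the script after a driver reinstall is harmless.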

Command to get name of signer from a .exe

I want to know if there is a command that will list the information that can be found in the Digital Signatures section of the properties of a .exe. Particularly I want to be able to grab the Name of the signer. Is there a command that will generate that information for me?
To get the subject name from the signer certificate used to create an Authenticode signature, you could use Get-AuthenticodeSignature:
PS > $asig = Get-AuthenticodeSignature 'C:\Windows\System32\xcopy.exe'
PS > $asig.SignerCertificate.Subject
CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
You're probably interested in the Common Name (CN), and maybe the Organization name (O). You can parse the Distinguished Name from Subject into its components to get the Common Name:
PS > $asig = Get-AuthenticodeSignature 'C:\Windows\System32\xcopy.exe'
PS > $dnDict = ($asig.SignerCertificate.Subject -split ', ') |
foreach `
{ $dnDict = @{} } `
{ $item = $_.Split('='); $dnDict[$item[0]] = $item[1] } `
{ $dnDict }
PS > $dnDict['CN']
Microsoft Windows
PS > $dnDict['O']
Microsoft Corporation
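A variant of the answer above for more than one file, as an added example (not code from the original answer): it returns the signer's CN and O together with the signature status, so an unsigned or tampered file is not read as signed merely because the subject field is present. Instead of splitting the Subject on ', ', it uses X500DistinguishedName.Format($true), which emits one RDN per line and keeps quoted values (such as an organisation name containing a comma) intact. The two sample paths are Windows binaries used only as illustrative input.

```powershell
# Added example, not code from the original answer: report the Authenticode signer of one or
# more files, including the signature status.
function Get-FileSigner {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Path)
    process {
        foreach ($file in $Path) {
            $sig  = Get-AuthenticodeSignature -FilePath $file
            $cert = $sig.SignerCertificate
            $dn = @{}
            if ($cert) {
                # Format($true) yields one "Type=Value" line per RDN and handles quoting,
                # unlike a plain split of the Subject string on ', '
                foreach ($line in ($cert.SubjectName.Format($true) -split "`r?`n")) {
                    if ($line -match '^([^=]+)=(.*)$') { $dn[$Matches[1]] = $Matches[2] }
                }
            }
            [pscustomobject]@{
                File       = Split-Path -Leaf $file
                Status     = $sig.Status       # Valid, NotSigned, HashMismatch, UnknownError, ...
                SignerCN   = $dn['CN']
                SignerOrg  = $dn['O']
                Issuer     = if ($cert) { $cert.GetNameInfo('SimpleName', $true) } else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            }
        }
    }
}

'C:\Windows\System32\xcopy.exe', 'C:\Windows\System32\notepad.exe' |
    Get-FileSigner | Format-Table -AutoSize
```

Status is the field to filter on when this is used for anything beyond display: a SignerCN of "Microsoft Windows" on a file whose Status is HashMismatch tells you the binary was modified after signing, which the subject name alone would hide.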
The Sigcheck tool from Microsoft's Windows Sysinternals can dump the information out. Using the -c command line option formats the output as CSV, which can be piped to a file for later processing.
Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains.
Try signtool.exe. Use the following reference regarding signtool:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa387764(v=vs.85).aspx
This is to output on the console:
writeln(GETDOSOutput('powershell write-host =(Get-AuthenticodeSignature ''C:\Program Files\Streaming\maxbox4\maXbox4.exe'').SignerCertificate.Subject', 'C:\'));