Added switch for inferring remote computer's log path based on local reg settings.

2025-01-18 09:35:47 +00:00 · 2020-01-03 11:23:25 +00:00 · 2020-01-03 11:23:25 +00:00 · 21a72cdd33
commit 21a72cdd33
parent dec9235a02
2 changed files with 91 additions and 61 deletions
--- a/public/Get-PSFirewallLog.ps1
+++ b/public/Get-PSFirewallLog.ps1
@ -36,7 +36,12 @@ function Get-PSFirewallLog {
        # Follow the log
        [Parameter(Mandatory = $false)]
        [switch]
-        $Wait
+        $Wait,
+
+        # Use local machine's registry setting to infer remote machine's log path
+        [Parameter(Mandatory = $false, ParameterSetName = 'remote')]
+        [switch]
+        $InferPath
    )
    
    begin {
@ -44,7 +49,13 @@ function Get-PSFirewallLog {
            $Path = Get-PSFirewallLogPath -LogProfile $LogProfile -Verbose:$VerbosePreference
        }
        elseif($PSCmdlet.ParameterSetName -eq 'remote') {
-            $Path = Get-PSFirewallLogPath -LogProfile $LogProfile -ComputerName $ComputerName -Verbose:$VerbosePreference
+            $lpc = "Get-PSFirewallLogPath -LogProfile $LogProfile -ComputerName $ComputerName"
+
+            if($InferPath) {
+                $lpc += " -InferPath"
+            }
+
+            $Path = Invoke-Expression $lpc -Verbose:$VerbosePreference
        }
    }
    
--- a/public/Get-PSFirewallLogPath.ps1
+++ b/public/Get-PSFirewallLogPath.ps1
@ -9,75 +9,92 @@ function Get-PSFirewallLogPath {
        # Remote Host to retrieve from
        [Parameter(Mandatory = $false, ParameterSetName = 'remote')]
        [string]
-        $ComputerName
+        $ComputerName,
+
+        # Use local machine's registry setting to infer remote machine's log path
+        [Parameter(Mandatory = $false, ParameterSetName = 'remote')]
+        [switch]
+        $InferPath
    )

    process {
-        $serviceName = "RemoteRegistry"
-
        if($PSCmdlet.ParameterSetName -eq 'remote') {
-            $startTypeChanged = $false
-            $statusChanged = $false

-            Write-Verbose "Retrieving path from registry on host $ComputerName."
-            $remoteRegistry = Get-Service -ComputerName $ComputerName -Name $serviceName
-            
-            if($remoteRegistry.StartType -eq "Disabled") {
-                Write-Verbose "$serviceName service is Disabled. Attempting to change to Manual startup."
-                Set-Service -StartupType "Manual" -Name $serviceName -ComputerName $ComputerName
-                $modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
+            if($InferPath) {
+                # Get local registry key entry
+                $localPath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path ("HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\{0}Profile\Logging" -f $LogProfile) -Name "LogFilePath").LogFilePath)

-                if($modifiedRemoteRegistry.StartType -ne "Manual") {
-                    Write-Warning "Unable to change startup of $serviceName on host $ComputerName."
-                    return $null
-                }
-                else {
-                    Write-Verbose "$serviceName startup changed to Manual."
-                    $startTypeChanged = $true
+                if($null -eq $localPath) {
+                    $defaultPath = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
+                    Write-Warning "Path for $LogProfile firewall log not defined in registry. Assuming default path of $defaultPath"
+                    $localPath = $defaultPath
                }
            }
+            else {
+                $serviceName = "RemoteRegistry"
+                $startTypeChanged = $false
+                $statusChanged = $false

-            if($remoteRegistry.Status -ne "Running") {
-                Write-Verbose "$serviceName service is not running. Attempting to start."
-                Set-Service -Status "Running" -Name $serviceName -ComputerName $ComputerName
-                $modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
-
-                if($modifiedRemoteRegistry.Status -eq "Stopped") {
-                    Write-Warning "Unable to start $serviceName service on host $ComputerName."
-                    return $null
-                }
-                else {
-                    Write-Verbose "$serviceName service started OK."
-                    $statusChanged = $true
-                }
-            }
-
-            $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
-            $regKey = $reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\{0}Profile\Logging" -f $LogProfile)
-            $localPath = [Environment]::ExpandEnvironmentVariables($RegKey.GetValue("LogFilePath"))
-
-            # Set Remote Registry back the way we found it if we had to change it
-
-            if($statusChanged) {
-                Write-Verbose ("Reverting status of $serviceName Service to {0}." -f $remoteRegistry.Status)
-                # Set-Service -Name $serviceName -ComputerName $ComputerName -Status $remoteRegistry.Status
-                # Need to use Invoke-Command as Set-Service won't stop a service that has dependencies
-                Invoke-Command -ComputerName $ComputerName -ScriptBlock { Stop-Service -Name "RemoteRegistry" }
+                Write-Verbose "Retrieving path from registry on host $ComputerName."
+                $remoteRegistry = Get-Service -ComputerName $ComputerName -Name $serviceName
                
-                # Verify that service has been restored to its original state.
-                $revertedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
-                if($remoteRegistry.Status -ne $revertedRemoteRegistry.Status) {
-                    Write-Warning "Failed to revert $serviceName status to $($remoteRegistry.Status)!"
-                }
-            }
+                if($remoteRegistry.StartType -eq "Disabled") {
+                    Write-Verbose "$serviceName service is Disabled. Attempting to change to Manual startup."
+                    Set-Service -StartupType "Manual" -Name $serviceName -ComputerName $ComputerName
+                    $modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName

-            if($startTypeChanged) {
-                Write-Verbose ("Reverting Startup of $serviceName Service to {0}." -f $remoteRegistry.StartType)
-                Set-Service -Name $serviceName -ComputerName $ComputerName -StartupType $remoteRegistry.StartType
-                
-                # Verify that service has been restored to its original state.
-                if($remoteRegistry.StartType -ne $revertedRemoteRegistry.StartType) {
-                    Write-Warning "Failed to revert startup type of $serviceName to $($remoteRegistry.StartType)!"
+                    if($modifiedRemoteRegistry.StartType -ne "Manual") {
+                        Write-Warning "Unable to change startup of $serviceName on host $ComputerName."
+                        return $null
+                    }
+                    else {
+                        Write-Verbose "$serviceName startup changed to Manual."
+                        $startTypeChanged = $true
+                    }
+                }
+
+                if($remoteRegistry.Status -ne "Running") {
+                    Write-Verbose "$serviceName service is not running. Attempting to start."
+                    Set-Service -Status "Running" -Name $serviceName -ComputerName $ComputerName
+                    $modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
+
+                    if($modifiedRemoteRegistry.Status -eq "Stopped") {
+                        Write-Warning "Unable to start $serviceName service on host $ComputerName."
+                        return $null
+                    }
+                    else {
+                        Write-Verbose "$serviceName service started OK."
+                        $statusChanged = $true
+                    }
+                }
+
+                $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
+                $regKey = $reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\{0}Profile\Logging" -f $LogProfile)
+                $localPath = [Environment]::ExpandEnvironmentVariables($RegKey.GetValue("LogFilePath"))
+
+                # Set Remote Registry back the way we found it if we had to change it
+
+                if($statusChanged) {
+                    Write-Verbose ("Reverting status of $serviceName Service to {0}." -f $remoteRegistry.Status)
+                    # Set-Service -Name $serviceName -ComputerName $ComputerName -Status $remoteRegistry.Status
+                    # Need to use Invoke-Command as Set-Service won't stop a service that has dependencies
+                    Invoke-Command -ComputerName $ComputerName -ScriptBlock { Stop-Service -Name "RemoteRegistry" }
+                    
+                    # Verify that service has been restored to its original state.
+                    $revertedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
+                    if($remoteRegistry.Status -ne $revertedRemoteRegistry.Status) {
+                        Write-Warning "Failed to revert $serviceName status to $($remoteRegistry.Status)!"
+                    }
+                }
+
+                if($startTypeChanged) {
+                    Write-Verbose ("Reverting Startup of $serviceName Service to {0}." -f $remoteRegistry.StartType)
+                    Set-Service -Name $serviceName -ComputerName $ComputerName -StartupType $remoteRegistry.StartType
+                    
+                    # Verify that service has been restored to its original state.
+                    if($remoteRegistry.StartType -ne $revertedRemoteRegistry.StartType) {
+                        Write-Warning "Failed to revert startup type of $serviceName to $($remoteRegistry.StartType)!"
+                    }
                }
            }

@ -91,7 +108,9 @@ function Get-PSFirewallLogPath {
            $path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path ("HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\{0}Profile\Logging" -f $LogProfile) -Name "LogFilePath").LogFilePath)

            if($null -eq $path) {
-                $path = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
+                $defaultPath = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
+                Write-Warning "Path for $LogProfile firewall log not defined in registry. Assuming default path of $defaultPath"
+                $path = $defaultPath
            }

            return $path