Merge pull request #15 from Thumbscrew/dont-use-remote-reg

InferPath switch
This commit is contained in:
James 2020-01-03 11:25:59 +00:00 committed by GitHub
commit 8f1755a09a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 91 additions and 61 deletions


@ -36,7 +36,12 @@ function Get-PSFirewallLog {
# Follow the log # Follow the log
[Parameter(Mandatory = $false)] [Parameter(Mandatory = $false)]
[switch] [switch]
$Wait $Wait,
# Use local machine's registry setting to infer remote machine's log path
[Parameter(Mandatory = $false, ParameterSetName = 'remote')]
[switch]
$InferPath
) )
begin { begin {
@ -44,7 +49,13 @@ function Get-PSFirewallLog {
$Path = Get-PSFirewallLogPath -LogProfile $LogProfile -Verbose:$VerbosePreference $Path = Get-PSFirewallLogPath -LogProfile $LogProfile -Verbose:$VerbosePreference
} }
elseif($PSCmdlet.ParameterSetName -eq 'remote') { elseif($PSCmdlet.ParameterSetName -eq 'remote') {
$Path = Get-PSFirewallLogPath -LogProfile $LogProfile -ComputerName $ComputerName -Verbose:$VerbosePreference $lpc = "Get-PSFirewallLogPath -LogProfile $LogProfile -ComputerName $ComputerName"
if($InferPath) {
$lpc += " -InferPath"
}
$Path = Invoke-Expression $lpc -Verbose:$VerbosePreference
} }
} }
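Review bot: The remote branch now assembles the Get-PSFirewallLogPath call as a string and runs it through `Invoke-Expression`, so the contents of `$ComputerName` and `$LogProfile` are re-parsed as PowerShell code instead of being bound as parameter values; a value containing quoting or sub-expression syntax would change what is executed, and `-Verbose:$VerbosePreference` is now applied to Invoke-Expression rather than to the inner call as it was before. Splatting a hashtable keeps the conditional `-InferPath` without re-parsing caller input and keeps the verbose flag on the command it was meant for. The begin block this sits in continues outside the hunk.
```powershell
elseif($PSCmdlet.ParameterSetName -eq 'remote') {
    # Bind parameters directly instead of re-parsing them via Invoke-Expression
    $logPathArgs = @{
        LogProfile   = $LogProfile
        ComputerName = $ComputerName
    }
    if($InferPath) {
        $logPathArgs['InferPath'] = $true
    }
    $Path = Get-PSFirewallLogPath @logPathArgs -Verbose:$VerbosePreference
}
```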


@ -9,75 +9,92 @@ function Get-PSFirewallLogPath {
# Remote Host to retrieve from # Remote Host to retrieve from
[Parameter(Mandatory = $false, ParameterSetName = 'remote')] [Parameter(Mandatory = $false, ParameterSetName = 'remote')]
[string] [string]
$ComputerName $ComputerName,
# Use local machine's registry setting to infer remote machine's log path
[Parameter(Mandatory = $false, ParameterSetName = 'remote')]
[switch]
$InferPath
) )
process { process {
$serviceName = "RemoteRegistry"
if($PSCmdlet.ParameterSetName -eq 'remote') { if($PSCmdlet.ParameterSetName -eq 'remote') {
$startTypeChanged = $false
$statusChanged = $false
Write-Verbose "Retrieving path from registry on host $ComputerName." if($InferPath) {
$remoteRegistry = Get-Service -ComputerName $ComputerName -Name $serviceName # Get local registry key entry
$localPath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path ("HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\{0}Profile\Logging" -f $LogProfile) -Name "LogFilePath").LogFilePath)
if($remoteRegistry.StartType -eq "Disabled") { if($null -eq $localPath) {
Write-Verbose "$serviceName service is Disabled. Attempting to change to Manual startup." $defaultPath = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
Set-Service -StartupType "Manual" -Name $serviceName -ComputerName $ComputerName Write-Warning "Path for $LogProfile firewall log not defined in registry. Assuming default path of $defaultPath"
$modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName $localPath = $defaultPath
if($modifiedRemoteRegistry.StartType -ne "Manual") {
Write-Warning "Unable to change startup of $serviceName on host $ComputerName."
return $null
}
else {
Write-Verbose "$serviceName startup changed to Manual."
$startTypeChanged = $true
} }
} }
else {
$serviceName = "RemoteRegistry"
$startTypeChanged = $false
$statusChanged = $false
if($remoteRegistry.Status -ne "Running") { Write-Verbose "Retrieving path from registry on host $ComputerName."
Write-Verbose "$serviceName service is not running. Attempting to start." $remoteRegistry = Get-Service -ComputerName $ComputerName -Name $serviceName
Set-Service -Status "Running" -Name $serviceName -ComputerName $ComputerName
$modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
if($modifiedRemoteRegistry.Status -eq "Stopped") { if($remoteRegistry.StartType -eq "Disabled") {
Write-Warning "Unable to start $serviceName service on host $ComputerName." Write-Verbose "$serviceName service is Disabled. Attempting to change to Manual startup."
return $null Set-Service -StartupType "Manual" -Name $serviceName -ComputerName $ComputerName
$modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
if($modifiedRemoteRegistry.StartType -ne "Manual") {
Write-Warning "Unable to change startup of $serviceName on host $ComputerName."
return $null
}
else {
Write-Verbose "$serviceName startup changed to Manual."
$startTypeChanged = $true
}
} }
else {
Write-Verbose "$serviceName service started OK." if($remoteRegistry.Status -ne "Running") {
$statusChanged = $true Write-Verbose "$serviceName service is not running. Attempting to start."
Set-Service -Status "Running" -Name $serviceName -ComputerName $ComputerName
$modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
if($modifiedRemoteRegistry.Status -eq "Stopped") {
Write-Warning "Unable to start $serviceName service on host $ComputerName."
return $null
}
else {
Write-Verbose "$serviceName service started OK."
$statusChanged = $true
}
} }
}
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName) $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
$regKey = $reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\{0}Profile\Logging" -f $LogProfile) $regKey = $reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\{0}Profile\Logging" -f $LogProfile)
$localPath = [Environment]::ExpandEnvironmentVariables($RegKey.GetValue("LogFilePath")) $localPath = [Environment]::ExpandEnvironmentVariables($RegKey.GetValue("LogFilePath"))
# Set Remote Registry back the way we found it if we had to change it # Set Remote Registry back the way we found it if we had to change it
if($statusChanged) { if($statusChanged) {
Write-Verbose ("Reverting status of $serviceName Service to {0}." -f $remoteRegistry.Status) Write-Verbose ("Reverting status of $serviceName Service to {0}." -f $remoteRegistry.Status)
# Set-Service -Name $serviceName -ComputerName $ComputerName -Status $remoteRegistry.Status # Set-Service -Name $serviceName -ComputerName $ComputerName -Status $remoteRegistry.Status
# Need to use Invoke-Command as Set-Service won't stop a service that has dependencies # Need to use Invoke-Command as Set-Service won't stop a service that has dependencies
Invoke-Command -ComputerName $ComputerName -ScriptBlock { Stop-Service -Name "RemoteRegistry" } Invoke-Command -ComputerName $ComputerName -ScriptBlock { Stop-Service -Name "RemoteRegistry" }
# Verify that service has been restored to its original state. # Verify that service has been restored to its original state.
$revertedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName $revertedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
if($remoteRegistry.Status -ne $revertedRemoteRegistry.Status) { if($remoteRegistry.Status -ne $revertedRemoteRegistry.Status) {
Write-Warning "Failed to revert $serviceName status to $($remoteRegistry.Status)!" Write-Warning "Failed to revert $serviceName status to $($remoteRegistry.Status)!"
}
} }
}
if($startTypeChanged) { if($startTypeChanged) {
Write-Verbose ("Reverting Startup of $serviceName Service to {0}." -f $remoteRegistry.StartType) Write-Verbose ("Reverting Startup of $serviceName Service to {0}." -f $remoteRegistry.StartType)
Set-Service -Name $serviceName -ComputerName $ComputerName -StartupType $remoteRegistry.StartType Set-Service -Name $serviceName -ComputerName $ComputerName -StartupType $remoteRegistry.StartType
# Verify that service has been restored to its original state. # Verify that service has been restored to its original state.
if($remoteRegistry.StartType -ne $revertedRemoteRegistry.StartType) { if($remoteRegistry.StartType -ne $revertedRemoteRegistry.StartType) {
Write-Warning "Failed to revert startup type of $serviceName to $($remoteRegistry.StartType)!" Write-Warning "Failed to revert startup type of $serviceName to $($remoteRegistry.StartType)!"
}
} }
} }
@ -91,7 +108,9 @@ function Get-PSFirewallLogPath {
$path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path ("HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\{0}Profile\Logging" -f $LogProfile) -Name "LogFilePath").LogFilePath) $path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path ("HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\{0}Profile\Logging" -f $LogProfile) -Name "LogFilePath").LogFilePath)
if($null -eq $path) { if($null -eq $path) {
$path = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log" $defaultPath = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
Write-Warning "Path for $LogProfile firewall log not defined in registry. Assuming default path of $defaultPath"
$path = $defaultPath
} }
return $path return $path
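Review bot: In the new `-InferPath` branch the `if($null -eq $localPath)` fallback looks unreachable: `Get-ItemProperty` writes a non-terminating error and yields nothing when the policy key or value is absent, and as far as I can tell PowerShell binds `$null` to the `[string]` parameter of `ExpandEnvironmentVariables` as an empty string, so `$localPath` ends up `""` rather than `$null` and the default-path warning never fires. Change the test to `if([string]::IsNullOrEmpty($localPath)) {` and add `-ErrorAction SilentlyContinue` to the `Get-ItemProperty` call so a missing key does not also surface an error; the same pattern is in the local branch of the second hunk (`if($null -eq $path)`). The branch comment should also state what "infer" assumes, e.g. `# Reads this machine's logging policy and expands %SystemRoot%-style variables with local values; assumes the remote host is configured the same way`, since a differently configured remote host will silently get the wrong path. The function's parameter block and whatever follows `return $path` are outside the hunks.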