mirror of
https://github.com/Thumbscrew/PSWinFW.git
synced 2025-04-04 14:23:42 +00:00
Compare commits
12 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 9a1eeefca9 | |||
| 125047cedd | |||
| f1b2e5caf6 | |||
| 0f022e6345 | |||
| 64964b3de4 | |||
| 8f1755a09a | |||
| 21a72cdd33 | |||
| 1a07e1750e | |||
| a57e5ef79a | |||
| dec9235a02 | |||
| 1137345c05 | |||
| 500fe600a4 |
BIN
PSWinFW.psd1
BIN
PSWinFW.psd1
Binary file not shown.
@ -26,4 +26,12 @@ Get-PSFirewallLog -LogProfile Domain
|
||||
Get Windows Firewall log on a remote computer using the Remote Registry service to get the log path:
|
||||
```powershell
|
||||
Get-PSFirewallLog -LogProfile Public -ComputerName MyRemoteComputer -Verbose
|
||||
```
|
||||
Get the last 100 events from the Domain profile of a remote machine, inferring the path using the local machine's path (doesn't use Remote Registry service):
|
||||
```powershell
|
||||
Get-PSFirewallLog -LogProfile Domain -ComputerName MyRemoteComputer -InferPath -Tail 100
|
||||
```
|
||||
Get the last 100 events from the Private profile firewall log and follow the log:
|
||||
```powershell
|
||||
Get-PSFirewallLog -LogProfile Private -Tail 100 -Wait
|
||||
```
|
||||
@ -1,4 +1,45 @@
|
||||
function Get-PSFirewallLog {
|
||||
<#
|
||||
.SYNOPSIS
|
||||
|
||||
Retrieves Windows Firewall log events and returns them as a table.
|
||||
|
||||
.DESCRIPTION
|
||||
|
||||
Retrieves Windows Firewall log events and returns them as a table. Log path can be directly specified or automatically determined based on local or remote registry settings.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
Get-PSFirewallLog -Path C:\Windows\system32\logfiles\firewall\pfirewall.log -Tail 1000
|
||||
|
||||
Get last 1000 Windows Firewall log lines at a specific path.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
Get-PSFirewallLog -LogDirectory C:\Windows\system32\logfiles\firewall\ -LogFileName domainfw.log
|
||||
|
||||
Get Windows Firewall log by specifying the log directory and filename separately.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
Get-PSFirewallLog -LogProfile Domain
|
||||
|
||||
Get Windows Firewall log by retrieving the path automatically from the registry on the local machine.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
Get-PSFirewallLog -LogProfile Public -ComputerName MyRemoteComputer -Verbose
|
||||
|
||||
Get Windows Firewall log on a remote computer using the Remote Registry service to get the log path.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
Get-PSFirewallLog -LogProfile Public -ComputerName MyRemoteComputer -InferPath
|
||||
|
||||
Get Windows Firewall log on a remote computer using the path configured in the local machine's registry (converted to a UNC path).
|
||||
|
||||
#>
|
||||
|
||||
[CmdletBinding(DefaultParameterSetName = 'direct')]
|
||||
param (
|
||||
# Path to firewall log. Defaults to $ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log if parameter not supplied.
|
||||
@ -23,24 +64,39 @@ function Get-PSFirewallLog {
|
||||
[string]
|
||||
$LogProfile,
|
||||
|
||||
# Number of firewall events to retrieve. Defaults to 0 (All events).
|
||||
# Number of firewall events to retrieve. Defaults to -1 (All events).
|
||||
[Parameter(Mandatory = $false)]
|
||||
[int]
|
||||
$Tail = 0,
|
||||
$Tail = -1,
|
||||
|
||||
# ComputerName to retrieve log from
|
||||
[Parameter(Mandatory = $true, ParameterSetName = 'remote')]
|
||||
[string]
|
||||
$ComputerName
|
||||
$ComputerName,
|
||||
|
||||
# Follow the log
|
||||
[Parameter(Mandatory = $false)]
|
||||
[switch]
|
||||
$Wait,
|
||||
|
||||
# Use local machine's registry setting to infer remote machine's log path
|
||||
[Parameter(Mandatory = $false, ParameterSetName = 'remote')]
|
||||
[switch]
|
||||
$InferPath
|
||||
)
|
||||
|
||||
begin {
|
||||
if($PSCmdlet.ParameterSetName -eq 'auto') {
|
||||
# $Path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path ("HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\{0}Profile\Logging" -f $LogProfile) -Name "LogFilePath").LogFilePath)
|
||||
$Path = Get-PSFirewallLogPath -LogProfile $LogProfile -Verbose:$VerbosePreference
|
||||
}
|
||||
elseif($PSCmdlet.ParameterSetName -eq 'remote') {
|
||||
$Path = Get-PSFirewallLogPath -LogProfile $LogProfile -ComputerName $ComputerName -Verbose:$VerbosePreference
|
||||
$lpc = "Get-PSFirewallLogPath -LogProfile $LogProfile -ComputerName $ComputerName"
|
||||
|
||||
if($InferPath) {
|
||||
$lpc += " -InferPath"
|
||||
}
|
||||
|
||||
$Path = Invoke-Expression $lpc -Verbose:$VerbosePreference
|
||||
}
|
||||
}
|
||||
|
||||
@ -59,55 +115,56 @@ function Get-PSFirewallLog {
|
||||
}
|
||||
|
||||
if(Test-Path $logPath) {
|
||||
$log = Get-Content $logPath
|
||||
|
||||
if($log.Length -gt 0) {
|
||||
# Remove header lines
|
||||
$log = $log[5..($log.Length - 1)]
|
||||
|
||||
if($Tail -gt 0) {
|
||||
$startIndex = if($Tail -lt $log.Length) { $log.Length - $Tail } else { 0 }
|
||||
|
||||
$log = $log[$startIndex..($log.Length - 1)]
|
||||
}
|
||||
|
||||
$members = @{
|
||||
"Date" = 0
|
||||
"Time" = 1
|
||||
"Action" = 2
|
||||
"Protocol" = 3
|
||||
"SourceIP" = 4
|
||||
"DestinationIP" = 5
|
||||
"SourcePort" = 6
|
||||
"DestinationPort" = 7
|
||||
"Size" = 8
|
||||
"TcpFlags" = 9
|
||||
"TcpSyn" = 10
|
||||
"TcpAck" = 11
|
||||
"TcpWin" = 12
|
||||
"IcmpType" = 13
|
||||
"IcmpCode" = 14
|
||||
"Info" = 15
|
||||
"Path" = 16
|
||||
}
|
||||
|
||||
$log | ForEach-Object {
|
||||
$line = $_
|
||||
$split = $line -split ('\s')
|
||||
|
||||
$fwEvent = New-Object PSCustomObject
|
||||
|
||||
foreach($member in $members.GetEnumerator() | Sort-Object Value) {
|
||||
$fwEvent | Add-Member NoteProperty -Name $member.Name -Value $split[$member.Value]
|
||||
}
|
||||
|
||||
$fwEvent.pstypenames.insert(0, 'PSWinFW.Log.Event')
|
||||
|
||||
$fwEvent
|
||||
}
|
||||
$members = @{
|
||||
"Date" = 0
|
||||
"Time" = 1
|
||||
"Action" = 2
|
||||
"Protocol" = 3
|
||||
"SourceIP" = 4
|
||||
"DestinationIP" = 5
|
||||
"SourcePort" = 6
|
||||
"DestinationPort" = 7
|
||||
"Size" = 8
|
||||
"TcpFlags" = 9
|
||||
"TcpSyn" = 10
|
||||
"TcpAck" = 11
|
||||
"TcpWin" = 12
|
||||
"IcmpType" = 13
|
||||
"IcmpCode" = 14
|
||||
"Info" = 15
|
||||
"Path" = 16
|
||||
}
|
||||
else {
|
||||
Write-Error "File $logPath has zero length."
|
||||
|
||||
$count = (Get-Content -Path $logPath).Count
|
||||
|
||||
# Check if outputting all events from the log and cut the first 5 lines that aren't events.
|
||||
if(($Tail -lt 0) -or ($Tail -gt $count)) {
|
||||
$Tail = $count - 5
|
||||
}
|
||||
|
||||
Write-Verbose "Log has $count lines. Retrieving $Tail lines."
|
||||
|
||||
$c = "Get-Content -Path $logPath -Tail $Tail"
|
||||
|
||||
if($Wait) {
|
||||
$c = "$c -Wait"
|
||||
}
|
||||
|
||||
Invoke-Expression $c | ForEach-Object {
|
||||
$line = $_
|
||||
|
||||
$split = $line -split ('\s')
|
||||
|
||||
$fwEvent = New-Object PSCustomObject
|
||||
|
||||
foreach($member in $members.GetEnumerator() | Sort-Object Value) {
|
||||
$fwEvent | Add-Member NoteProperty -Name $member.Name -Value $split[$member.Value]
|
||||
}
|
||||
|
||||
$fwEvent.pstypenames.insert(0, 'PSWinFW.Log.Event')
|
||||
|
||||
$fwEvent
|
||||
}
|
||||
}
|
||||
else {
|
||||
|
||||
@ -1,4 +1,33 @@
|
||||
function Get-PSFirewallLogPath {
|
||||
<#
|
||||
.SYNOPSIS
|
||||
|
||||
Retrieves Windows Firewall log path for a given Profile.
|
||||
|
||||
.DESCRIPTION
|
||||
|
||||
Retrieves Windows Firewall log path for a local or remote machine for given Profile.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
Get-PSFirewallLogPath -LogProfile Domain
|
||||
|
||||
Retrieves path of the specified profile's log from the local machine.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
Get-PSFirewallLogPath -LogProfile Private -ComputerName MyRemoteComputer
|
||||
|
||||
Retrieves path of the specified profile's log from a remote machine using the Remote Regsitry service.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
Get-PSFirewallLogPath -LogProfile Domain -ComputerName MyRemoteComputer -InferPath
|
||||
|
||||
Retrieves path of the specified profile's log from a remote machine using registry settings configured on the local machine.
|
||||
|
||||
#>
|
||||
|
||||
param(
|
||||
# Log Profile to retrieve path for
|
||||
[Parameter(Mandatory = $true)]
|
||||
@ -9,75 +38,92 @@ function Get-PSFirewallLogPath {
|
||||
# Remote Host to retrieve from
|
||||
[Parameter(Mandatory = $false, ParameterSetName = 'remote')]
|
||||
[string]
|
||||
$ComputerName
|
||||
$ComputerName,
|
||||
|
||||
# Use local machine's registry setting to infer remote machine's log path
|
||||
[Parameter(Mandatory = $false, ParameterSetName = 'remote')]
|
||||
[switch]
|
||||
$InferPath
|
||||
)
|
||||
|
||||
process {
|
||||
$serviceName = "RemoteRegistry"
|
||||
|
||||
if($PSCmdlet.ParameterSetName -eq 'remote') {
|
||||
$startTypeChanged = $false
|
||||
$statusChanged = $false
|
||||
|
||||
Write-Verbose "Retrieving path from registry on host $ComputerName."
|
||||
$remoteRegistry = Get-Service -ComputerName $ComputerName -Name $serviceName
|
||||
|
||||
if($remoteRegistry.StartType -eq "Disabled") {
|
||||
Write-Verbose "$serviceName service is Disabled. Attempting to change to Manual startup."
|
||||
Set-Service -StartupType "Manual" -Name $serviceName -ComputerName $ComputerName
|
||||
$modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
|
||||
if($InferPath) {
|
||||
# Get local registry key entry
|
||||
$localPath = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path ("HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\{0}Profile\Logging" -f $LogProfile) -Name "LogFilePath").LogFilePath)
|
||||
|
||||
if($modifiedRemoteRegistry.StartType -ne "Manual") {
|
||||
Write-Warning "Unable to change startup of $serviceName on host $ComputerName."
|
||||
return $null
|
||||
}
|
||||
else {
|
||||
Write-Verbose "$serviceName startup changed to Manual."
|
||||
$startTypeChanged = $true
|
||||
if($null -eq $localPath) {
|
||||
$defaultPath = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
|
||||
Write-Warning "Path for $LogProfile firewall log not defined in registry. Assuming default path of $defaultPath"
|
||||
$localPath = $defaultPath
|
||||
}
|
||||
}
|
||||
else {
|
||||
$serviceName = "RemoteRegistry"
|
||||
$startTypeChanged = $false
|
||||
$statusChanged = $false
|
||||
|
||||
if($remoteRegistry.Status -ne "Running") {
|
||||
Write-Verbose "$serviceName service is not running. Attempting to start."
|
||||
Set-Service -Status "Running" -Name $serviceName -ComputerName $ComputerName
|
||||
$modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
|
||||
|
||||
if($modifiedRemoteRegistry.Status -eq "Stopped") {
|
||||
Write-Warning "Unable to start $serviceName service on host $ComputerName."
|
||||
return $null
|
||||
}
|
||||
else {
|
||||
Write-Verbose "$serviceName service started OK."
|
||||
$statusChanged = $true
|
||||
}
|
||||
}
|
||||
|
||||
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
|
||||
$regKey = $reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\{0}Profile\Logging" -f $LogProfile)
|
||||
$localPath = [Environment]::ExpandEnvironmentVariables($RegKey.GetValue("LogFilePath"))
|
||||
|
||||
# Set Remote Registry back the way we found it if we had to change it
|
||||
|
||||
if($statusChanged) {
|
||||
Write-Verbose ("Reverting status of $serviceName Service to {0}." -f $remoteRegistry.Status)
|
||||
# Set-Service -Name $serviceName -ComputerName $ComputerName -Status $remoteRegistry.Status
|
||||
# Need to use Invoke-Command as Set-Service won't stop a service that has dependancies
|
||||
Invoke-Command -ComputerName $ComputerName -ScriptBlock { Stop-Service -Name "RemoteRegistry" }
|
||||
Write-Verbose "Retrieving path from registry on host $ComputerName."
|
||||
$remoteRegistry = Get-Service -ComputerName $ComputerName -Name $serviceName
|
||||
|
||||
# Verify that service has been restored to its original state.
|
||||
$revertedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
|
||||
if($remoteRegistry.Status -ne $revertedRemoteRegistry.Status) {
|
||||
Write-Warning "Failed to revert $serviceName status to $($remoteRegistry.Status)!"
|
||||
}
|
||||
}
|
||||
if($remoteRegistry.StartType -eq "Disabled") {
|
||||
Write-Verbose "$serviceName service is Disabled. Attempting to change to Manual startup."
|
||||
Set-Service -StartupType "Manual" -Name $serviceName -ComputerName $ComputerName
|
||||
$modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
|
||||
|
||||
if($startTypeChanged) {
|
||||
Write-Verbose ("Reverting Startup of $serviceName Service to {0}." -f $remoteRegistry.StartType)
|
||||
Set-Service -Name $serviceName -ComputerName $ComputerName -StartupType $remoteRegistry.StartType
|
||||
|
||||
# Verify that service has been restored to its original state.
|
||||
if($remoteRegistry.StartType -ne $revertedRemoteRegistry.StartType) {
|
||||
Write-Warning "Failed to revert startup type of $serviceName to $($remoteRegistry.StartType)!"
|
||||
if($modifiedRemoteRegistry.StartType -ne "Manual") {
|
||||
Write-Warning "Unable to change startup of $serviceName on host $ComputerName."
|
||||
return $null
|
||||
}
|
||||
else {
|
||||
Write-Verbose "$serviceName startup changed to Manual."
|
||||
$startTypeChanged = $true
|
||||
}
|
||||
}
|
||||
|
||||
if($remoteRegistry.Status -ne "Running") {
|
||||
Write-Verbose "$serviceName service is not running. Attempting to start."
|
||||
Set-Service -Status "Running" -Name $serviceName -ComputerName $ComputerName
|
||||
$modifiedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
|
||||
|
||||
if($modifiedRemoteRegistry.Status -eq "Stopped") {
|
||||
Write-Warning "Unable to start $serviceName service on host $ComputerName."
|
||||
return $null
|
||||
}
|
||||
else {
|
||||
Write-Verbose "$serviceName service started OK."
|
||||
$statusChanged = $true
|
||||
}
|
||||
}
|
||||
|
||||
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
|
||||
$regKey = $reg.OpenSubKey("SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\{0}Profile\Logging" -f $LogProfile)
|
||||
$localPath = [Environment]::ExpandEnvironmentVariables($RegKey.GetValue("LogFilePath"))
|
||||
|
||||
# Set Remote Registry back the way we found it if we had to change it
|
||||
|
||||
if($statusChanged) {
|
||||
Write-Verbose ("Reverting status of $serviceName Service to {0}." -f $remoteRegistry.Status)
|
||||
# Set-Service -Name $serviceName -ComputerName $ComputerName -Status $remoteRegistry.Status
|
||||
# Need to use Invoke-Command as Set-Service won't stop a service that has dependencies
|
||||
Invoke-Command -ComputerName $ComputerName -ScriptBlock { Stop-Service -Name "RemoteRegistry" }
|
||||
|
||||
# Verify that service has been restored to its original state.
|
||||
$revertedRemoteRegistry = Get-Service -Name $serviceName -ComputerName $ComputerName
|
||||
if($remoteRegistry.Status -ne $revertedRemoteRegistry.Status) {
|
||||
Write-Warning "Failed to revert $serviceName status to $($remoteRegistry.Status)!"
|
||||
}
|
||||
}
|
||||
|
||||
if($startTypeChanged) {
|
||||
Write-Verbose ("Reverting Startup of $serviceName Service to {0}." -f $remoteRegistry.StartType)
|
||||
Set-Service -Name $serviceName -ComputerName $ComputerName -StartupType $remoteRegistry.StartType
|
||||
|
||||
# Verify that service has been restored to its original state.
|
||||
if($remoteRegistry.StartType -ne $revertedRemoteRegistry.StartType) {
|
||||
Write-Warning "Failed to revert startup type of $serviceName to $($remoteRegistry.StartType)!"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -91,7 +137,9 @@ function Get-PSFirewallLogPath {
|
||||
$path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -Path ("HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\{0}Profile\Logging" -f $LogProfile) -Name "LogFilePath").LogFilePath)
|
||||
|
||||
if($null -eq $path) {
|
||||
$path = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
|
||||
$defaultPath = "$ENV:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"
|
||||
Write-Warning "Path for $LogProfile firewall log not defined in registry. Assuming default path of $defaultPath"
|
||||
$path = $defaultPath
|
||||
}
|
||||
|
||||
return $path
|
||||
|
||||
Loading…
Reference in New Issue
Block a user