Have you tried making only one of the three changes at a time to determine which type of logging is causing the problem?
After enabling PSLogging, issues starting PowerShell on W10
Dear all,
I have been looking into securing my W10 device and enabling extended logging for PowerShell using this link:
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
After I set the parameters in the registry and restarted my client, PowerShell fails to start.
I.e. typing "powershell" in CMD, which has always worked without any issues, I now receive:
"The type of object "System.String" cannot be converted into "System.String[]"."
Once I remove the registry keys from the link again, PowerShell starts without any issues.
To my understanding I am just enabling the logging for the modules, etc., but no script block logging or similar.
Would you please assist to have both features (logging and powershell) working?
Thank you very much for your assistance.
4 answers
M.H 1 Reputation point
2021-03-03T15:30:08.827+00:00

```powershell
# Module Logging
$RegistryPath = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
$Name  = "EnableModuleLogging"
$Value = "1"

If (!(Test-Path $RegistryPath)) {
    # Key doesn't exist, so create it, then the DWORD value
    New-Item -Path $RegistryPath -Force | Out-Null
    New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null
} Else {
    New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null
}

# Writes ModuleNames as a REG_SZ value directly under ModuleLogging
$Name  = "ModuleNames"
$Value = "*"
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType String -Force | Out-Null
```
M.H 1 Reputation point
2021-03-03T19:31:00.59+00:00 I would still like some advice on how to proceed from here:
- to enable the logging to increase security
- without blocking any powershell
Is this just happening on my device, or has anybody else had the same issue?
Any help is highly appreciated, thank you :)
Ian Xue (Shanghai Wicresoft Co., Ltd.) 30,376 Reputation points Microsoft Vendor
2021-03-04T08:48:57.557+00:00 Hi,
Try creating a new subkey named ModuleNames, not a string value.
```powershell
# Module Logging: enable flag as a DWORD value
$RegistryPath = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
$Name  = "EnableModuleLogging"
$Value = "1"

If (!(Test-Path $RegistryPath)) {
    # Key doesn't exist, so create it, then the DWORD value
    New-Item -Path $RegistryPath -Force | Out-Null
    New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null
} Else {
    New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null
}

# ModuleNames is a SUBKEY of ModuleLogging; the module list is the set of
# string values under it (value name "*" with data "*" logs every module)
$RegistryPath = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames"
$Name  = '*'
$Value = '*'
New-Item -Path $RegistryPath
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType String
```
Best Regards,
Ian Xue
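As an added example, not code from the thread or from the FireEye post, the script below applies the answer above to all three logging types the question's link covers (module logging, script block logging, transcription), cleans up a leftover REG_SZ `ModuleNames` value before creating the subkey, and then verifies two things a practitioner cares about: that the `ModuleNames` layout is a key rather than a value, and that a fresh `powershell.exe` still starts. It keeps the `Wow6432Node` policy path used in this thread; the Group Policy setting "Turn on Module Logging" writes the same layout under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell`, so match whichever path your policy tooling writes. The transcript directory, the function names and the `$PolicyBase` variable are choices made for this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): enable PowerShell logging without the
# ModuleNames mistake, then verify the keys and that powershell.exe still starts.
# Assumptions: $PolicyBase follows the path used in this thread; $TranscriptDir
# is an arbitrary directory picked for the example.

$PolicyBase    = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null
}

function Enable-PSModuleLogging {
    $modLog = Join-Path $PolicyBase 'ModuleLogging'
    Set-PolicyDword -Path $modLog -Name 'EnableModuleLogging' -Value 1

    # A REG_SZ value named ModuleNames (what the question's script created) is
    # what breaks startup; remove it before creating the subkey of the same name.
    if ((Get-Item $modLog).GetValue('ModuleNames') -is [string]) {
        Remove-ItemProperty -Path $modLog -Name 'ModuleNames'
    }

    # ModuleNames must be a SUBKEY. Each string value under it names one module
    # (value name and data identical); '*' logs every module.
    $names = Join-Path $modLog 'ModuleNames'
    if (-not (Test-Path $names)) { New-Item -Path $names -Force | Out-Null }
    New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Enable-PSScriptBlockLogging {
    Set-PolicyDword -Path (Join-Path $PolicyBase 'ScriptBlockLogging') -Name 'EnableScriptBlockLogging' -Value 1
}

function Enable-PSTranscription {
    $tr = Join-Path $PolicyBase 'Transcription'
    Set-PolicyDword -Path $tr -Name 'EnableTranscripting'    -Value 1
    Set-PolicyDword -Path $tr -Name 'EnableInvocationHeader' -Value 1
    New-ItemProperty -Path $tr -Name 'OutputDirectory' -Value $TranscriptDir -PropertyType String -Force | Out-Null
    if (-not (Test-Path $TranscriptDir)) { New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null }
}

function Test-PSModuleLoggingConfig {
    # $true only when the enable flag is set and ModuleNames is a key with entries.
    $modLog = Join-Path $PolicyBase 'ModuleLogging'
    if (-not (Test-Path $modLog)) { return $false }
    $key = Get-Item $modLog
    if ($key.GetValue('EnableModuleLogging') -ne 1) { return $false }
    if ($key.GetValue('ModuleNames') -is [string]) {
        Write-Warning 'ModuleNames exists as a REG_SZ value; PowerShell will fail to start.'
        return $false
    }
    $names = Join-Path $modLog 'ModuleNames'
    return (Test-Path $names) -and ((Get-Item $names).ValueCount -gt 0)
}

function Test-PowerShellStarts {
    # Launch a fresh powershell.exe: the broken layout errors out before any
    # command runs, so a clean exit with our marker proves the policy keys parse.
    $exe = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
    $out = & $exe -NoProfile -NonInteractive -Command 'Write-Output started' 2>&1
    return ($LASTEXITCODE -eq 0 -and "$out" -match 'started')
}

Enable-PSModuleLogging
Enable-PSScriptBlockLogging
Enable-PSTranscription

if (-not (Test-PSModuleLoggingConfig)) { throw 'Module logging keys are not laid out correctly.' }
if (-not (Test-PowerShellStarts))      { throw 'powershell.exe no longer starts; inspect the policy keys.' }

# Module logging is recorded as event 4103 in the PowerShell operational log
# (script block logging is 4104). Newly started sessions should begin producing them.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103 } `
    -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Command'; e = { ($_.Message -split "`n")[0] } }
```

The startup check is the important part: policy keys are read when a session starts, so an already-open console will not show the error, and the only reliable test is launching a new `powershell.exe` after the change. If `Test-PSModuleLoggingConfig` warns about a REG_SZ `ModuleNames`, that value is the one the question's script created and the one the answer replaces with a subkey.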