I am adding a registry to regedit to enable an application to be used as Remote app, currently I am adding the values manually.
Locate to this entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Terminal Server\TSAppAllowList
Navigate to fDisabledAllowList value in the right pane, set its value as "1".
Add new key under TSAppAllowList, named Applications.
Add new key under Applications, named anything you want(here is "123456").
Create two new String Values for "123456", named "Name" and "Path". Name: Notepad Path: C:\Program Files (x86)\Notepad++\notepad++.exe
Now I want to do this remotely.
My idea is to make a management system So that I can add a new value in the regedit remotely from the server(other computers) without accessing it.
I want to send some command from the management system server with required values so the system can add new value in regedit and I see the added application on the server.
Is it possible through powershell?
Can I add a new registry to the regedit remotely by using some background service? Any idea from where I can start and which technologies I can use?
Yes this is possible with Powershell.
Invoke-Command -ComputerName $computer -ScriptBlock {
$Reg = "Registry::HKLM\System\CurrentControlSet\...."
Set-ItemProperty -Path "$Reg" -Name PATH -Value $x
}
Related
Hello Everybody !
My question is about creating a script in powershell.
I need an example that shows me how to change a value in gpedit using the power shell. Is to automate the implementation of changes, to increase security.
Manually:
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Remote Management (WinRM) >> WinRM Client >> "Disallow Digest authentication" to "Enabled".
For automatite.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\
Value Name: AllowDigest
Value Type: REG_DWORD
Value: 0
To read the registry value you use:
Get-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -Name AllowDigest
To write/change the registry value to '0' you use:
Set-ItemProperty -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client -Name AllowDigest -Value 0
Two things to remember:
Writing to the registry requires for your PowerShell script to run as an Administrator.
The registry path and entry has to be there before you read / write to it, but reading your request you should be good as you are asking how to change the value.
I tried to create a new registry key using powershell
PS HKCU:\> New-Item -Path .\Software\Google\Chrome\NativeMessagingHosts\ -Name TEST -Value TEST
But somehow the process doesn't return I have to manually exit with CTRL+C
When I browse the key with regedit I see it was created, but why does the console not finish the command ?
Did anyone ever have a similar problem?
As commented, Your code does not work because you need to either provide a proper registry path like
HKCU:\Software\Google\Chrome\NativeMessagingHosts
OR use Set-Location HKCU: first, so the New-Item cmdlet will know where to create something new.
A registry Key does not have a value, only registry entries (properties) do.
So in order to create a new key with name "TEST", and create a new entry in that new key, use two lines of code:
New-Item -Path 'HKCU:\Software\Google\Chrome\NativeMessagingHosts' -Name 'TEST'
New-ItemProperty -Path 'HKCU:\Software\Google\Chrome\NativeMessagingHosts\TEST' -Name 'Test' -Value 'Just Testing'
You can also do this in one single statement using .NET SetValue()
Sets the name/value pair on the specified registry key, using the specified registry data type. If the specified key does not exist, it is created.
[Microsoft.Win32.Registry]::SetValue("HKEY_CURRENT_USER\Software\Google\Chrome\NativeMessagingHosts\TEST", "Test", "Just Testing", 1)
The last parameter (in this case 1) is the RegistryValueKind you want to set. (in this example a String)
I am currently building a Hyper-V lab consisting of a DC and multiple networked VMs, using Windows Server 2016. I'd like to completely disable the windows firewall for all existing and newly created VMs.
The best way that I've found to do this so far is via Group Policy for the Domain Profile. Then set Windows Firewall: Protect all network connections to disabled. What I would like to do is to have a way of scripting this out (using Powershell if possible).
I've found that by performing the above steps in the GUI, it creates a few entries in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\WindowsFirewall\DomainProfile
In each of those entries, there is a property called EnableFirewall which is set to 0. So I tried creating all of this using Powershell like this:
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft" -name WindowsFirewall
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall" -name DomainProfile
New-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -name EnableFirewall -value 0 -PropertyType DWord -Force
Unfortunately it doesn't seem to be working, so there must be something else that I'm missing.
Does anybody know how to completely disable the windows firewall for all networked machines using the command line in Windows Server 2016?
Setting up the Windows-Firewall for your domain-computers through computer-startup-script is not a great solution in my opinion.
You should definetly use Group Policy for this task.
GP does exactly what I want, I would just like a way of modifying GP using Powershell. I'm building a lab from scratch, and I'm looking to script as much of it as possible rather than using the gui.
I am not completely sure, what you are trying to achive.
You have created a lab now and I think you are trying to script a complete automatic built-up for future use. Is this correct?
If yes, then my solution is maybe what you are looking for:
Create a new GPO in your lab named "Firewall-Settings" for example.
Make all of your needed FireWall-Settings to the new GPO.
In Group Policy Editor open the main-node named „Group Policy Objects“. (important) Find the newly created GPO, right-click it and select "Backup":
Save the GPO-backup to a folder. (folder must exist)
The GPO is beeing saved and named like on the screenshot below (GUID):
That's it for the preparation. Now you maybe want to script the creation of the GPO with Powershell for future use and import the backup to obtain it's settings in a new environment:
New-GPO -Name "FireWall-Settings" | New-GPLink -Target "DC=mydomain,DC=local" # distinguishedName of Target-OU
Import-GPO -Path $PathtoGPOBackup -TargetName "FireWall-Settings" -BackupGpoName "FireWall-Settings"
The Script creates a GPO in the new environment with the name "FireWall-Settings" and links it to the target-OU.
After that you import the settings of the backup-GPO. All the domain-members in scope of the GPO will get the Windows-Firewall configured automatically.
Now the process is documented and fully automatic, if this is, what you are looking for.
Kind regards
open cmd prompt with elevated mode and run this:
netsh -r ComputerName -u Username -p Password -c advfirewall set allprofiles state off
If you want to do it for all the machines. Get all the ad computers using get-adcomputer. Run a foreach loop and put the variable istead of computername.
If you have the domain admin creds, then you are good to go with this.
Hope it helps.
Depending on the profile you want to disable, specify profiles (public, domain, private) using the -Name parameter. To disable all profiles for a networked machine, where $computerName array is the hostname of your DC, PC etc:
$computerName = 'DC1, PC1, MS1'
Invoke-Command -Computername $computerName -ScriptBlock {
Set-NetFirewallProfile -Name Domain, Public, Private -Enabled False
}
I'm trying to develop my own Boxstarter script for spinning up new machines. I just realized that I'd really like to add a line that will change default applications to open certain file types. For example, I want to open .txt files with Notepad++. I know how to do this by right-click the file and checking it's properties, but is there a line I can add to my Boxstarter script that will do it? Or, since Boxstarter is basically a special set of PowerShell commands, is there a PowerShell command I can invoke directly to change the opens with property? I did some searching, and most of the results were about how to get PowerShell to open something, not change the opens with property. The rest were all about how to open PowerShell.
Another similar, but not quite the same, way to go about this is to change the file association you want to associate with a particular applicaition. Chocolatey includes some helper commands to do this and is therefore available to your Boxstarter package. Here is an excerpt from one of my Boxstarter packages:
Install-ChocolateyFileAssociation ".txt" "$env:programfiles\Sublime Text 2\sublime_text.exe"
Install-ChocolateyFileAssociation ".dll" "$($Boxstarter.programFiles86)\jetbrains\dotpeek\v1.1\Bin\dotpeek32.exe"
So now double clicking on any text file opens sublime or any dll opens dotpeek.
But I agree. Its still helpful to be able to add to the "Open With..." list.
Thanks to #Raf for pointing me in the right direction. Here's the code to change the OpensWith property of .txt files:
$principal = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey("Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice",[Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::ChangePermissions)
$acl = $key.GetAccessControl()
$right = "SetValue"
$denyrule = New-Object System.Security.AccessControl.RegistryAccessRule($principal,$right,"DENY")
$ret = $acl.RemoveAccessRule($denyrule)
$ret = $key.SetAccessControl($acl)
Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice -Name ProgId -Value Applications\notepad++.exe
Slightly modified from an answer in the TechNet forums.
I haven't figured out if there's a boxstarter shortcut for this, but changing the ACL rules was the key. Without it, you don't have the proper access to change this particular registry item. Even when I tried running Powershell as Admin and made sure I had all the right permissions on the UserChoice key (both the administrator account and my user account had Full Control), I kept getting an error that the Requested registry access is not allowed.
I know that I can set a runonce key in the Win7 registry globally, which will be executed no matter which user logs on the next time, using this registry key:
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
I need to do an initialization only for a specific user, so I wonder if there is a way to programatically (using Powershell) set a runonce-entry that is only executed if one specific user logs on, also if this user is not an Administrator.
Do you know of a way to do this? Thanks.
I think this question and the other (http://stackoverflow.com/questions/10908727/how-can-i-programatically-find-a-users-hkey-users-registry-key-using-powershell) are related:
Anyways, here is how you do it:
$User = New-Object System.Security.Principal.NTAccount($env:UserName)
$sid = $User.Translate([System.Security.Principal.SecurityIdentifier]).value
New-PSDrive HKU Registry HKEY_USERS
Get-Item "HKU:\${sid}"
Set-ItemProperty -Path "HKU:\${sid}\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name Command -Value "notepad.exe"