I would appreciate your swarm intelligence again.
I have written a remediation script for Intune which sets defined registry keys, but I ran into one problem when it comes to creating them for the HKEY_USERS hive.
Firstly I tried the following:

    New-ItemProperty -Path Registry::HKEY_USERS ...

I knew there was no drive mapped by default, but this worked perfectly fine in tests. After deploying the script via Intune as SYSTEM I got an error message while testing the path, which was something like: No Provider found
Well, I thought let's make it safer and mount the drive first...

    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS

What I can see is that the PSDrive is successfully mapped. Sadly I got another error. Different message, same meaning:
The drive was not found. A drive with that name is not available.
So guys, what did I miss here? Shall I try it with persistent drives? I mean, I run it in the same script ... nothing special.
The script runs in 64-bit. I get my user SIDs from Win32_userprofile. The path is correct when mapping it myself.
Thanks mates!
For some additional information, here are some snippets of the code and the error in the log (in German because the OS language is German):

    $HiveHash = @{
        "HKEY_CLASSES_ROOT" = "HKLM:\SOFTWARE\Classes"
        "HKEY_CURRENT_USER" = "HKCU:"
        "HKEY_LOCAL_MACHINE" = "HKLM:"
        "HKEY_USERS" = "HKU:"
        "HKEY_CURRENT_CONFIG" = "HKCC:"
    }

    # Local user profiles
    $AllLocalUsers = Get-WmiObject Win32_userprofile | where { $_.localpath -like ($env:SystemDrive + "\Users*" ) }
    # Build user SID array
    [System.Collections.ArrayList]$AllLocalUsersSIDs = @()
    $AllLocalUsersSIDs += $AllLocalUsers.SID
    # Also add the default profile
    $AllLocalUsersSIDs += ".DEFAULT"

    Add-RegKeyToArray -Key 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ValueName 'HideFileExt' -Value '0' -ValueType 'REG_DWORD'

    # Operation Key
    # Define key variables
    If( $RunAllUsers )
    {
        # Hive
        $KeyHivePS = "HKU:"
        $KeyHivePSWithoutColon = $KeyHivePS.TrimEnd(":")
        $KeyHive = ( $HiveHash.GetEnumerator() | ? { $_.Value -match $KeyHivePS } ).Name
        # Key
        # Trimmed key path to add the user profile part
        $KeyPathAllUsers = $Key.TrimStart("HKEY_CURRENT_USER")
    }
    Else
    {
        # Hive
        $KeyHive = $Key.split('\')[0]
        $KeyHivePS = $HiveHash.$KeyHive
        $KeyHivePSWithoutColon = $KeyHivePS.TrimEnd(":")
        # Key
        $Key = $Key -replace $KeyHive,$KeyHivePS
        $KeyWithoutSingleQuotes = $Key
        $Key = "'" + $Key + "'"
    }

    # Mount registry PSDrive
    If( ! ( Get-PSDrive $KeyHivePSWithoutColon -ErrorAction SilentlyContinue ) )
    {
        New-PSDrive -Name $KeyHivePSWithoutColon -PSProvider Registry -Root $KeyHive | Out-Null
        Log $KeyHivePSWithoutColon 3
        Log $KeyHive 3
        Log ( $( Get-PSDrive -Name $KeyHivePSWithoutColon | Out-String ) ) 3
    }

    # Operate
    If( $Action -eq "Remove" )
    {
        ...
    }
    ElseIf( $Action -eq "Create" )
    {
        # Check existing
        If( $RunAllUsers )
        {
            ForEach( $LocaluserSID in $AllLocalUsersSIDs )
            {
                # In case we got a SID without a profile
                If( Test-Path -Literalpath ( $KeyHivePS + "\" + $LocaluserSID ) )
                {
                    # Build key path with user SID
                    $Key = ( $KeyHivePS + "\" + $LocaluserSID + $KeyPathAllUsers )
                    $KeyWithoutSingleQuotes = $Key
                    $Key = "'" + $Key + "'"
                    # Add key path to array for value operation
                    $KeysArray += $Key
                    # Output
                    Log ( "Path: {0}" -f $KeyWithoutSingleQuotes ) 3
                    Set-PSBreakpoint -Line 1195 -Script $PSCOMMANDPATH
                    # Checking
                    If( Test-Path -LiteralPath $Key )
                    {
                        Log ( "Exists: True" ) 3
                    }
                    Else
                    {
                        Log ( "Exists: False" ) 3
                        # RemediationMode
                        If( $RemediationMode -eq "remediate" )
                        {
                            # Create
                            New-Item -Path $Key -Force | Out-Null
                            # Check create
                            If( Test-Path -LiteralPath $Key )
                            {
                                Log ( "Created: True" ) 3
                            }
                            Else

And here is the part from the log:

Wait ... the first Test-Path for ( $KeyHivePS + "\" + $LocaluserSID ) worked fine .. why isn't the second one...
UPDATE: I found out that if I'm writing HKU:\1-.... in Test-Path it works, instead of "HKU:\1-" or 'HKU:\1-'. When does quoting start being a problem here?
And for the question in the comment: The "Exists: False" is also wrong because it's a standard Microsoft key which has to be there. New-Item uses just the same path $Key and generates the error. So the problem is the HKU: drive within. Changed the code for you.
SOLVED: Don't quote the path in $Key is the solution. But am I getting stupid or is there something wrong? I mean, what about spaces? It should be a problem to quote a path...
Well, it seems that's nothing new: File path with quotation mark issue of Powershell
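
An added example (not part of the original post or the poster's script) of the fix named under SOLVED, covering the question about spaces: quotes are parser syntax, so a path held in a variable is passed as one argument whether or not it contains spaces, while quote characters stored inside the string become part of the drive name that is looked up. The function name Set-HkuValue is hypothetical; the key and value are the ones from the post, and writing them requires an elevated or SYSTEM context.

```powershell
# Added example; Set-HkuValue is a hypothetical helper, not from the post.
function Set-HkuValue {
    param(
        [Parameter(Mandatory)][string]$SubKey,      # path below the SID, no hive prefix
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $sids = @(Get-CimInstance Win32_UserProfile |
        Where-Object { $_.LocalPath -like "$env:SystemDrive\Users*" } |
        Select-Object -ExpandProperty SID) + '.DEFAULT'

    foreach ($sid in $sids) {
        # Only loaded hives appear under HKEY_USERS; skip profiles that are not loaded.
        if (-not (Test-Path -LiteralPath "HKU:\$sid")) { continue }
        # Plain string without embedded quote characters. Spaces in $SubKey are fine
        # because the variable is bound to -LiteralPath as a single argument.
        $key = "HKU:\$sid\$SubKey"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -LiteralPath $key -Name $ValueName -Value $Value `
            -PropertyType DWord -Force | Out-Null
        [pscustomobject]@{ Sid = $sid; Key = $key
            Value = (Get-ItemProperty -LiteralPath $key -Name $ValueName).$ValueName }
    }
}

# The failure from the post, reproduced on a constructed path: the leading quote
# character ends up in the drive name, so the lookup fails even though HKU: exists.
$quoted = "'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'"
try   { Get-Item -LiteralPath $quoted -ErrorAction Stop }
catch { Write-Output ("Lookup failed: {0}" -f $_.Exception.Message) }

Set-HkuValue -SubKey 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -ValueName 'HideFileExt' -Value 0
```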