Powershell Snapin
-
I am trying to deploy to the computers at my workplace a powershell script that adds two folders to the windows firewall exceptions. I have followed the instructions on the wiki, and according to the log that fog spits out on the computer I’m deploying to, the script has run and completed, returning error code:0 (I’m assuming that means no error).
The script I am using is as follows:
@echo off
Add-MpPreference -ExclusionPath C:(The local folder I’m excluding) -force
Add-MpPreference -ExclusionPath \(Network drive I’m excluding) -forceI have manually run this script many a time with no problems. But when I run it through snapin it doesn’t add the exceptions. Am I doing something wrong in my script?
-
@Alfredo-the-Pasta are both exceptions failing to add or just the network drive?
-
I can’t really help with snapins or powershell. But I can tell you that snapins run (execute) as the user “SYSTEM” so if your PS interacts with user sessions then SYSTEM has the exemptions you are watching.
Also there is a fog.log file on the target computer, there may be additional information in that file to the state of execution of your PS script.
-
Both exceptions are failing to apply.
As far as I’m aware the exemptions are global for the computer.
-
Joe Schmitt Senior Developerlast edited by Joe Schmitt Oct 20, 2017, 11:53 AM Oct 20, 2017, 5:53 PM
@alfredo-the-pasta you may want to try retrieving the success state of each cmdlet and saving it to a file:
So add
$? | Out-File C:\powershell-log.txtafter each command (or something alike) -
It’s very possible that you just can’t run these with SYSTEM, which is what FOG snapins run as. I’ve had other commands not function via Snapin that work just fine when running locally.
Is there a batch\command file alternative?
Also, this appears to be a Windows 10 command. I do not have it on my Windows 7 box, but it’s there on Windows 10.
-
@joe-schmitt So I tried running that, now the fog log is showing returnerrorcode:1
Avaryan may be right. I’ll have to search for a command line equivalent.
-
@alfredo-the-pasta You may be able to add the paths directly to the registry. Give me a few minutes.
-
Nope, doesn’t seem to allow me to do that. Seems Microsoft doesn’t want you doing this this way.
I wrote this:
$PathsToExclude = ( "C:\Test01", "C:\Test02", "C:\Test03" ) $RegPath = "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" ForEach($Path in $PathsToExclude) { New-ItemProperty -Path $RegPath -Name $Path -Value 0 -Force }Ran with admin rights, but got this error:
New-ItemProperty : Requested registry access is not allowed. At C:\Users\support\Documents\ExceptionTest.ps1:10 char:5 + New-ItemProperty -Path $RegPath -Name $Path -Value 0 -Force + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH...xclusions\Paths:String) [New-ItemProperty], SecurityException + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand New-ItemProperty : Requested registry access is not allowed. At C:\Users\support\Documents\ExceptionTest.ps1:10 char:5 + New-ItemProperty -Path $RegPath -Name $Path -Value 0 -Force + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH...xclusions\Paths:String) [New-ItemProperty], SecurityException + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand New-ItemProperty : Requested registry access is not allowed. At C:\Users\support\Documents\ExceptionTest.ps1:10 char:5 + New-ItemProperty -Path $RegPath -Name $Path -Value 0 -Force + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : PermissionDenied: (HKEY_LOCAL_MACH...xclusions\Paths:String) [New-ItemProperty], SecurityException + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.NewItemPropertyCommand99% sure that GPO could do this.
SYSTEM has Full Control permission to this path though, so not sure why it didn’t work from Snapin.
-
Just dug around, and it would appear that you are right about being able to use GPO. Is there a way to automate this? If not I’m probably just going to go back to sneakernetting this from a flash drive. We haven’t joined our computer to a domain yet so I can’t really push it that way.