after enabling PSLogging, issues to start powershell on W10

M.H 1 Reputation point
2021-03-03T14:10:52.25+00:00

Dear all,

I have been looking into securing my W10 device and enable extended logging for Powershell using this link:
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

After I have set the parameters in the registry and restarted my client, I am failing to start powershell.

I.e. when typing "powershell" in CMD, which has worked without any issues, I receive:

"the type of object "System.String" cannot be converted into "System.String[]"."

Once I remove the registry keys from the link again, Powershell starts without any issues.

To my understanding I am just enabling the logging for the modules, etc., but no script block logging or similar.

Would you please assist in getting both features (logging and PowerShell) working?
Thank you very much for your assistance.

Tags: Windows 10 Security, Windows Server PowerShell

4 answers

  1. Rich Matheisen 45,096 Reputation points
    2021-03-03T15:17:43.793+00:00

    Have you tried making only one of the three changes at a time to determine which type of logging is causing the problem?


  2. M.H 1 Reputation point
    2021-03-03T15:30:08.827+00:00
    # Module Logging (script as posted: this is the configuration that produced the startup error)
    $RegistryPath = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
    $Name = "EnableModuleLogging"
    $Value = "1"
    If (!(Test-Path $RegistryPath)) { # Key doesn't exist, so create it first
        New-Item -Path $RegistryPath -Force | Out-Null
    }
    New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null
    # ModuleNames is written here as a REG_SZ value on the ModuleLogging key;
    # PowerShell expects a ModuleNames subkey, which is why it fails to start (see the answer below)
    $Name = "ModuleNames"
    $Value = "*"
    New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType String -Force | Out-Null


  3. M.H 1 Reputation point
    2021-03-03T19:31:00.59+00:00

    I would still like some advice on how to proceed from here:

    • to enable the logging to increase security
    • without blocking any PowerShell

    Is this just happening on my device, or does anybody else have the same issue?
    Any help is highly appreciated, thank you :)


  4. Ian Xue (Shanghai Wicresoft Co., Ltd.) 30,376 Reputation points Microsoft Vendor
    2021-03-04T08:48:57.557+00:00

    Hi,

    Try creating a new subkey named ModuleNames, not a string value.

    $RegistryPath = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging"
    $Name = "EnableModuleLogging"
    $Value = "1"
    If (!(Test-Path $RegistryPath)) { # Key doesn't exist, so create it first
        New-Item -Path $RegistryPath -Force | Out-Null
    }
    New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null

    # ModuleNames is a subkey of ModuleLogging; a value named "*" with data "*" logs all modules
    $RegistryPath = "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames"
    $Name = '*'
    $Value = '*'
    New-Item -Path $RegistryPath -Force | Out-Null
    New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -PropertyType String -Force | Out-Null


    Best Regards,
    Ian Xue

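Added example for this thread (not code from any of the posts above or from the FireEye article). It does two things the thread asks for: it writes all three logging policies the article describes (module logging, script block logging, transcription) in one idempotent function, and it answers Rich's "one change at a time" question with a check function that reports which setting is wrong, including the exact mistake from the question (ModuleNames created as a REG_SZ value on the ModuleLogging key instead of as a subkey). Assumptions: the base path below is the one Group Policy writes (the scripts in the thread used the Wow6432Node variant, which can be passed in with -Base), and the transcript directory is a placeholder. Run from an elevated PowerShell.

```powershell
# Added example, not the thread's own code. Requires an elevated PowerShell.
# Assumption: Group Policy stores these settings under this base path; the
# thread's scripts used HKLM:\SOFTWARE\Wow6432Node\Policies\... instead.
$DefaultPolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PSLoggingPolicy {
    param(
        [string]$Base = $DefaultPolicyBase,
        [string]$TranscriptDir = 'C:\PSTranscripts'   # placeholder; use a directory only admins can read
    )
    $moduleKey = Join-Path $Base 'ModuleLogging'
    $namesKey  = Join-Path $moduleKey 'ModuleNames'
    $scriptKey = Join-Path $Base 'ScriptBlockLogging'
    $transcKey = Join-Path $Base 'Transcription'

    foreach ($key in $moduleKey, $namesKey, $scriptKey, $transcKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # Module logging. ModuleNames must be a SUBKEY; one entry named "*" with
    # data "*" means "log every module". A stray REG_SZ value of the same name
    # on the parent key is what breaks powershell.exe startup, so remove it.
    Remove-ItemProperty -Path $moduleKey -Name ModuleNames -ErrorAction SilentlyContinue
    New-ItemProperty -Path $moduleKey -Name EnableModuleLogging -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $namesKey -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational).
    New-ItemProperty -Path $scriptKey -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null

    # Transcription: one text file per session, with an invocation header.
    New-ItemProperty -Path $transcKey -Name EnableTranscripting -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $transcKey -Name EnableInvocationHeader -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $transcKey -Name OutputDirectory -Value $TranscriptDir -PropertyType String -Force | Out-Null
}

function Test-PSLoggingPolicy {
    param([string]$Base = $DefaultPolicyBase)
    $moduleKey = Join-Path $Base 'ModuleLogging'
    $namesKey  = Join-Path $moduleKey 'ModuleNames'
    $findings  = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path $moduleKey)) {
        $findings.Add('ModuleLogging key missing')
    } else {
        $parent = Get-Item -Path $moduleKey
        if ($parent.GetValue('EnableModuleLogging') -ne 1) {
            $findings.Add('EnableModuleLogging is not set to 1')
        }
        # The misconfiguration from the question: a value where a key is expected.
        if ($null -ne $parent.GetValue('ModuleNames')) {
            $findings.Add('ModuleNames exists as a value on ModuleLogging; it must be a subkey')
        }
        if (-not (Test-Path $namesKey)) {
            $findings.Add('ModuleNames subkey missing')
        } elseif (-not ((Get-Item -Path $namesKey).GetValueNames() -contains '*')) {
            $findings.Add('ModuleNames subkey has no "*" entry; no module will be logged')
        }
    }

    foreach ($pair in @(
        @{ Key = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' },
        @{ Key = 'Transcription';      Value = 'EnableTranscripting' })) {
        $k = Join-Path $Base $pair.Key
        if (-not (Test-Path $k) -or (Get-Item -Path $k).GetValue($pair.Value) -ne 1) {
            $findings.Add("$($pair.Value) is not set to 1")
        }
    }

    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Confirm events actually arrive. Policy is read at process start, so open a
# NEW powershell.exe, run a few commands there, then query the log.
function Get-RecentPSLogEvents {
    param([int]$Max = 20)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Preview'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
}

Set-PSLoggingPolicy
Test-PSLoggingPolicy | Format-List
```

To reproduce the question's symptom on a test machine, run Test-PSLoggingPolicy after creating only the REG_SZ value (the script in the second post does that): it reports "ModuleNames exists as a value" and "ModuleNames subkey missing", which is the pair Rich's one-change-at-a-time bisection would have landed on. Event ID 4103 entries in Get-RecentPSLogEvents are module logging; 4104 entries are script block logging, so the presence of each confirms the corresponding policy took effect.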