TekWeis.com – Page 5 – Just another WordPress site

Using Powershell to read registry HKEY_USERS

By chris | August 30, 2023

This is a small example I put together on how to quickly loop through each user SID in HKEY_USERS and find the value that shows what the wallpaper is set to for each user. This little script is a decent reference to use for finding (And with a little modification, setting) registry value(s) in the HKEY_USERS section.

<#
.DESCRIPTION
    Example to show how you can go through each user branch in registry 
    HKEY_USERS and retrieve the wallpaper file path key.
#>

$hkUsers = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('USERS', $env:COMPUTERNAME)
$hkUsersSubkeys = $hkUsers.GetSubKeyNames()

$hkUsersSubkeys | % {

    $hkeyuserpath = "$_\Control Panel\Desktop"
    $hkeyuserpath = "REGISTRY::HKEY_USERS\$hkeyuserpath"

    Write-Host "`nUSER: $_"
    $wallpaperfile = (Get-ItemProperty -Path $hkeyuserpath -ErrorAction SilentlyContinue).Wallpaper
    Write-Host "WALLPAPER: $wallpaperfile`n`n===================="

}

Script execution. Shows the wallpaper path and file used for each user account in HKEY_USERS of the Windows registry.

Download files from website via Powershell

By chris | August 11, 2023

0 Comment

A simple method I like to use when I want to quickly run a powershell script to download a file from a webserver. I use this when endpoints are not on an internal network so a network share is not always available, but since I am usually remotely calling the powershell script, Internet access is established.

The commandlet I use is Invoke-RestMethod. I provide the source url for the file on a webserver to download and the destination, and I’m done. Extremely simple and extremely effective. There are so many ways to do this, but this is the method I personally use the most.

The below example is what I have used to download the CleanZoom utility from Zoom that will remove any installed versions of Zoom on an endpoint, save the file in a temporary directory and then execute the utility.

<# --------------------------------------------------------------------------------
	Uninstall all traces of Zoom from an endpoint.

    Script downloads the CleanZoom.zip file from Zoom.com and then extracts it and
    runs the utility.
----------------------------------------------------------------------------------- #>
$src = 'https://assets.zoom.us/docs/msi-templates/CleanZoom.zip'
$dst = "$env:TEMP\CleanZoom.zip"
Invoke-RestMethod -Uri $src -OutFile $dst
Expand-Archive -Path $dst -DestinationPath $env:TEMP -Force

Start-Process $env:TEMP\CleanZoom.exe -ArgumentList "/s"

Scareware is not dead

By chris | June 19, 2023

0 Comment

An email was forwarded to me that came from a security MSP trying to stir up business with someone at the company I work at. Their quasi-scareware email was funny, but a horrible way for us to take seriously. Only thing missing was a sentence asking for bitcoin.

I remember several years ago, companies were scanning their web server logs and doing DNS look-ups to find out what companies visited their website. Then the Spam and cold call of sales would begin. That tactic finally died off……mostly. The below email was not sent to our company from a DNS look-up scrape (I know, as our external IP’s at work can barely can tell you what state we are in), it was pure spam. Probably someone going through Linkedin and such finding contacts.