Enabling PowerShell logging

We are trying to change a local security policy by changing the registry value. The setting to be changed is “Turn on Module Logging”, which is to be Enabled under Windows PowerShell in gpedit.msc.

I enabled it manually and checked the registry modification and created a fixlet to do the same modification via windows registry wizard. The registry is getting changed but the change is not reflecting in the gpedit.msc.

Is there any other way to do it?

The action script I used:

action uses wow64 redirection false

delete __createfile
delete wizardedit.reg

createfile until @end_create_reg_file
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging]
"EnableModuleLogging"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Powershell\ModuleLogging\ModuleNames]
""=""
@end_create_reg_file

move __createfile wizardedit.reg
waithidden regedit /s "wizardedit.reg"

Have you run gpupdate /force to make the updates sync?

You could maybe do it at the end of your fixlet with a:

waithidden powershell.exe gpupdate /force

I did it manually and checked. Not working.

I tried only gpupdate /force. Is it necessary to run it in PowerShell?

No, you can run it in a cmd prompt too

https://developer.bigfix.com/action-script/reference/registry/ is your best bet for using native action script rather than a registry file given it’s only one key you are changing.

As for why it’s not updating at the group policy level, I’m not entirely sure.

No. Still not working. I tried with native action script

Hello @pratik,
try to use this action script and pay attention to the double quotes:

action uses wow64 redirection false

delete __createfile
delete wizardedit.reg

createfile until @end_create_reg_file
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging]
"EnableModuleLogging"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Powershell\ModuleLogging\ModuleNames]
""=""
@end_create_reg_file

move __createfile wizardedit.reg

waithidden reg import "wizardedit.reg"

I’m not sure whether things are getting lost (format scripts when you post them using the </> button) but I believe the value name and contents should be an asterisk, not an empty string

action uses wow64 redirection {not x64 of operating system}

regset64 "[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging]" "EnableModuleLogging"="1"

regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Powershell\ModuleLogging\ModuleNames]" "*"="*"

I did this in my PS script that logs everything.

$LOG="C:\TEMP\bftaskFIP_upd.log"
Start-Transcript -Path $LOG
…your ps code…

Stop-Transcript

Will this policy be enabled by the above PowerShell script?

If you have any other script which will enable “Turn on module logging”, please send the complete action script.

Yes. There is an asterisk symbol. I have used that. Still not working.

Doing a bit of research, I believe EnableModuleLogging to be of type DWORD - your original script was setting it to be a string.

action uses wow64 redirection {not x64 of operating system}

regset64 "[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging]" "EnableModuleLogging"=dword:00000001

regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Powershell\ModuleLogging\ModuleNames]" "*"="*"

Thank you for your response. It’s still not working.

Please post your full script. Remember to format it with the </> button.

gpupdate…

So what is the group policy for PowerShell logging, and why are you not using GPO to enforce the setting(s) you want?

In our environment servers are not included in AD. So we need to do it through bigfix.

Are the registry values actually being set? It’s not clear to me whether the values are not being applied, or whether they are being applied but not having the effect you want.

So what is the purpose of the gpupdate?

The values are being set, but not having the effect I want.

I want the policy “Turn on module logging” to be set as “Enabled” in the path
"Computer Configuration\ Administrative Templates\ Windows Components\ Windows PowerShell".

Someone in this thread suggested to add gpupdate in the script.
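
An added example, not part of the thread or of the BigFix documentation: a PowerShell check of the value types the replies discuss (a DWORD for EnableModuleLogging, entries under ModuleNames) and of whether a new session actually writes module-logging events (ID 4103), which tests the effect of the setting directly instead of relying on what gpedit.msc displays. It assumes an elevated 64-bit Windows PowerShell session; the function names are hypothetical.

```powershell
# Added example, not from the thread. Function names are hypothetical.
$base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
$names = Join-Path $base 'ModuleNames'

function Get-ModuleLoggingState {
    $problems = @()
    $kind = $null; $value = $null; $modules = @()

    if (Test-Path $base) {
        $key = Get-Item -Path $base
        if ($key.GetValueNames() -contains 'EnableModuleLogging') {
            $value = $key.GetValue('EnableModuleLogging')
            $kind  = $key.GetValueKind('EnableModuleLogging')
            # The thread's first script wrote "1" as a string; a later reply expects a DWORD.
            if ($kind -ne 'DWord') { $problems += "EnableModuleLogging is $kind, expected DWord" }
            elseif ($value -ne 1)  { $problems += "EnableModuleLogging is $value, expected 1" }
        } else { $problems += 'EnableModuleLogging value is missing' }
    } else { $problems += "Key not found: $base" }

    if (Test-Path $names) {
        # Ignore the unnamed default value; only named entries such as "*" count.
        $modules = @((Get-Item -Path $names).GetValueNames() | Where-Object { $_ })
        if ($modules.Count -eq 0) { $problems += 'ModuleNames has no named entries (the thread suggests "*"="*")' }
    } else { $problems += "Key not found: $names" }

    [pscustomobject]@{ Kind = $kind; Value = $value; Modules = $modules; Problems = $problems }
}

function Test-ModuleLoggingEvents {
    # Start a fresh session so it reads the current policy, run one cmdlet,
    # then count pipeline-execution events (ID 4103) written since $start.
    $start = Get-Date
    & powershell.exe -NoProfile -Command 'Get-ChildItem Env: | Out-Null'
    Start-Sleep -Seconds 2
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103; StartTime = $start
    } -ErrorAction SilentlyContinue)
    return $events.Count
}

$state = Get-ModuleLoggingState
$state | Format-List
if ($state.Problems.Count -eq 0) {
    "4103 events from test session: $(Test-ModuleLoggingEvents)"
}
```

A non-zero event count means module logging is in effect for new sessions, whatever state the Local Group Policy Editor shows for the setting.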