
Monitoring with PowerShell: Monitoring driver issues & Monitoring ZeroLogon

So today I’m tackling two monitoring topics again. First, a small script that checks whether every device currently has a driver installed and is not in an error state. This is mostly useful when a docking station, network card or other USB device is having issues and reporting that in Device Manager. It allows you to proactively help the user get the most out of their system instead of waiting for a ticket.

Of course, all drivers should already be installed on the system, but you never know what kind of devices a user adds. It could be anything from a USB-controlled rocket launcher to a USB COM port.

Monitoring Potential Driver Issues

# Every PnP device whose Configuration Manager status is anything other than "working properly" (code 0).
# Get-WmiObject only exists in Windows PowerShell 5.1; on PowerShell 7 use Get-CimInstance -ClassName Win32_PnPEntity.
$DeviceState = Get-WmiObject -Class Win32_PnPEntity -ComputerName localhost -Namespace Root\CIMV2 |
    Where-Object { $_.ConfigManagerErrorCode -gt 0 }

$DevicesInError = foreach ($Device in $DeviceState) {
    # Translate the numeric code into the text Device Manager shows for it.
    # Code 22 (disabled) is often deliberate, e.g. a webcam disabled by policy; add
    # "-and $_.ConfigManagerErrorCode -ne 22" to the filter above if you do not want to alert on it.
    $ErrorText = switch ($Device.ConfigManagerErrorCode) {
        0  { "This device is working properly." }
        1  { "This device is not configured correctly." }
        2  { "Windows cannot load the driver for this device." }
        3  { "The driver for this device might be corrupted, or your system may be running low on memory or other resources." }
        4  { "This device is not working properly. One of its drivers or your registry might be corrupted." }
        5  { "The driver for this device needs a resource that Windows cannot manage." }
        6  { "The boot configuration for this device conflicts with other devices." }
        7  { "Cannot filter." }
        8  { "The driver loader for the device is missing." }
        9  { "This device is not working properly because the controlling firmware is reporting the resources for the device incorrectly." }
        10 { "This device cannot start." }
        11 { "This device failed." }
        12 { "This device cannot find enough free resources that it can use." }
        13 { "Windows cannot verify this device's resources." }
        14 { "This device cannot work properly until you restart your computer." }
        15 { "This device is not working properly because there is probably a re-enumeration problem." }
        16 { "Windows cannot identify all the resources this device uses." }
        17 { "This device is asking for an unknown resource type." }
        18 { "Reinstall the drivers for this device." }
        19 { "Failure using the VxD loader." }
        20 { "Your registry might be corrupted." }
        21 { "System failure: Try changing the driver for this device. If that does not work, see your hardware documentation. Windows is removing this device." }
        22 { "This device is disabled." }
        23 { "System failure: Try changing the driver for this device. If that doesn't work, see your hardware documentation." }
        24 { "This device is not present, is not working properly, or does not have all its drivers installed." }
        25 { "Windows is still setting up this device." }
        26 { "Windows is still setting up this device." }
        27 { "This device does not have valid log configuration." }
        28 { "The drivers for this device are not installed." }
        29 { "This device is disabled because the firmware of the device did not give it the required resources." }
        30 { "This device is using an Interrupt Request (IRQ) resource that another device is using." }
        31 { "This device is not working properly because Windows cannot load the drivers required for this device." }
    }
    [PSCustomObject]@{
        ErrorCode  = $Device.ConfigManagerErrorCode
        ErrorText  = $ErrorText
        Device     = $Device.Caption
        Present    = $Device.Present
        Status     = $Device.Status
        StatusInfo = $Device.StatusInfo
    }
}

if (!$DevicesInError) {
    Write-Host "Healthy"
} else {
    # Returning the objects (rather than a string) lets the RMM show one row per failing device.
    $DevicesInError
}

Monitoring Zerologon

So Zerologon (CVE-2020-1472) is a pretty big issue, and at the start there was some confusion: is just installing the patch enough to be safe? To be completely clear: no, just installing the patch is not enough. The August 2020 update only starts the "initial deployment" phase, in which vulnerable Netlogon secure channel connections from non-compliant devices are still allowed and merely logged. Microsoft understood the confusion and added an addendum to their own advisory.

So, to quote Microsoft:

Mitigation consists of installing the update on all DCs and RODCs, monitoring for new events, and addressing non-compliant devices that are using vulnerable Netlogon secure channel connections. Machine accounts on non-compliant devices can be allowed to use vulnerable Netlogon secure channel connections; however, they should be updated to support secure RPC for Netlogon and the account enforced as soon as possible to remove the risk of attack.

Microsoft – CVE-2020-1472

So to verify that the patch is actually protecting us, and to find the devices that still use vulnerable Netlogon connections, we have to monitor the domain controllers for the Netlogon events Microsoft lists (5827 through 5831) and alert on them. Events 5827 and 5828 mean a vulnerable connection was denied, 5829 means one was allowed during the deployment phase, and 5830 and 5831 mean one was allowed because of the "Allow vulnerable Netlogon secure channel connections" group policy. That’s quite simple with PowerShell, and you can use the following script for it.

# Run this on every domain controller: Netlogon logs these events in the System log of the DC
# that handled the connection, so a clean log on one DC says nothing about the others.
# -LogName is mandatory when using -FilterXPath, and Get-WinEvent throws an error instead of
# returning nothing when no event matches, hence -ErrorAction SilentlyContinue.
$Events = Get-WinEvent -LogName System -ErrorAction SilentlyContinue -FilterXPath "Event[System[(Level=2 or Level=3) and (EventID=5827 or EventID=5828 or EventID=5829 or EventID=5830 or EventID=5831)]]"
if (!$Events) {
    Write-Host "Healthy - No events found"
} else {
    Write-Host "Unhealthy - Events found. Immediate action required"
}

Of course you could also just take a shotgun to the problem and enable enforcement mode on all DCs by setting FullSecureChannelProtection to 1. From that moment every device that was logging 5827/5828/5829 events is denied a Netlogon secure channel, so only do this once the event log above is clean, or after you have explicitly allowed the remaining stragglers through the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy. Microsoft’s February 9, 2021 updates switch DCs to enforcement mode automatically, so this only brings that date forward.

# Set on every domain controller. A value of 1 forces secure RPC for all Netlogon secure channel connections.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name 'FullSecureChannelProtection' -Value 1 -PropertyType "DWord" -Force
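The event check and the registry switch above only give you a yes/no. What you actually want before flipping enforcement is the list of machine accounts that are still using vulnerable Netlogon connections, so you can patch or replace them (or allow them by policy on purpose). The following is an added example of mine, not code from the original post: it parses the 5827 to 5831 events into one row per machine account, and reports whether it is safe to enable FullSecureChannelProtection. It assumes the EventData field names used in those events (SamAccountName, DomainName, AccountType, MachineOs, MachineOsBuildNumber); the function names, the $LookbackDays default and the sample event at the bottom are constructed for this example. Run it on each domain controller.

```powershell
# Added example (not from the original post). Assumes the EventData field names of the
# Netlogon 5827-5831 events: SamAccountName, DomainName, AccountType, MachineOs, MachineOsBuildNumber.

function ConvertFrom-NetlogonEvent {
    # Flatten the XML of one 5827-5831 event into an object with the fields we care about.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x  = [xml]$EventXml
        $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

        $data = @{}
        foreach ($d in $x.SelectNodes('//e:EventData/e:Data', $ns)) {
            # GetAttribute() avoids PowerShell's XML adapter hiding XmlElement.Name behind the Name attribute.
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [PSCustomObject]@{
            EventId        = [int]$x.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
            TimeCreated    = [datetime]$x.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            SamAccountName = $data['SamAccountName']
            Domain         = $data['DomainName']
            AccountType    = $data['AccountType']
            MachineOs      = $data['MachineOs']
            OsBuild        = $data['MachineOsBuildNumber']
        }
    }
}

function Get-VulnerableNetlogonClient {
    # One row per machine account seen in 5827/5828 (denied), 5829 (allowed during the
    # deployment phase) or 5830/5831 (allowed by the "Allow vulnerable Netlogon" policy).
    param([int]$LookbackDays = 30)   # assumed default for this example
    $windowMs = [int64]$LookbackDays * 86400000
    $xpath = "*[System[(EventID>=5827 and EventID<=5831) and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

    Get-WinEvent -LogName System -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-NetlogonEvent |
        Group-Object SamAccountName |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [PSCustomObject]@{
                Account     = $_.Name
                Domain      = $latest.Domain
                AccountType = $latest.AccountType
                MachineOs   = "$($latest.MachineOs) $($latest.OsBuild)".Trim()
                Connections = $_.Count
                LastSeen    = $latest.TimeCreated
                EventIds    = ($_.Group | ForEach-Object EventId | Sort-Object -Unique) -join ','
            }
        }
}

function Test-NetlogonEnforcementReady {
    # Enforcement (FullSecureChannelProtection=1) is only safe once no vulnerable connections were logged.
    param([int]$LookbackDays = 30)
    $clients = @(Get-VulnerableNetlogonClient -LookbackDays $LookbackDays)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $mode = (Get-ItemProperty -Path $key -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    [PSCustomObject]@{
        EnforcementEnabled  = ($mode -eq 1)
        NonCompliantClients = $clients.Count
        ReadyToEnforce      = ($clients.Count -eq 0)
        Clients             = $clients
    }
}

# Constructed sample 5829 event (an allowed vulnerable connection from a fictional NAS) so the
# parser can be exercised on a machine that is not a domain controller.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5829</EventID>
    <Level>3</Level>
    <TimeCreated SystemTime="2020-10-01T08:15:00.0000000Z" />
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="SamAccountName">OLDNAS01$</Data>
    <Data Name="DomainName">CONTOSO</Data>
    <Data Name="AccountType">Domain Member</Data>
    <Data Name="MachineOs">Linux</Data>
    <Data Name="MachineOsBuildNumber">0</Data>
    <Data Name="MachineOsServicePack"></Data>
  </EventData>
</Event>
'@
$SampleEvent | ConvertFrom-NetlogonEvent | Format-List

# On a DC: the inventory plus the go/no-go for enforcement.
$report = Test-NetlogonEnforcementReady -LookbackDays 30
if ($report.ReadyToEnforce) {
    Write-Host "Healthy - no vulnerable Netlogon connections in 30 days; enforcement is $(if ($report.EnforcementEnabled) { 'already on' } else { 'safe to enable' })"
} else {
    Write-Host "Unhealthy - $($report.NonCompliantClients) non-compliant machine account(s):"
    $report.Clients | Format-Table -AutoSize
}
```

Two design notes. The XPath filters on the event's own timestamp instead of pulling the whole System log through Where-Object, which matters on a busy DC. And the rows are grouped per machine account rather than per event, because one chatty NAS can log hundreds of 5829 events a day; the count and LastSeen tell you whether a device is still alive or was decommissioned weeks ago. An account that stays in the list after it has been patched is a candidate for the "Allow vulnerable Netlogon secure channel connections" policy, and those then show up as 5830/5831 instead of 5829.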

And that’s it! As always, Happy PowerShelling!

All blogs are posted under AGPL3.0 unless stated otherwise