Monitoring with PowerShell: Monitoring driver issues & Monitoring ZeroLogon

So today I'm tackling two monitoring blogs again. First, a small script that checks whether every device on the system has a driver installed and is not in an error state. This is mostly useful when a docking station, network card or other USB device is having issues and reporting that in Device Manager. It lets you proactively help the user get the most out of their system instead of waiting for a ticket.

Of course, all drivers should already be installed on the system but you never know what kind of devices a user adds. It could be anything from a USB controlled rocket launcher to a USB Com port.

Monitoring Potential Driver Issues

# Collect every Plug and Play device whose Configuration Manager error code is non-zero.
# 0 means "working properly", so anything above that is a device worth looking at.
$DeviceState = Get-WmiObject -Class Win32_PnpEntity -ComputerName localhost -Namespace Root\CIMV2 |
    Where-Object { $_.ConfigManagerErrorCode -gt 0 }

$DevicesInError = foreach ($Device in $DeviceState) {
    # Translate the numeric code into the text Device Manager shows for it.
    $Errortext = switch ($Device.ConfigManagerErrorCode) {
        0  { "This device is working properly." }
        1  { "This device is not configured correctly." }
        2  { "Windows cannot load the driver for this device." }
        3  { "The driver for this device might be corrupted, or your system may be running low on memory or other resources." }
        4  { "This device is not working properly. One of its drivers or your registry might be corrupted." }
        5  { "The driver for this device needs a resource that Windows cannot manage." }
        6  { "The boot configuration for this device conflicts with other devices." }
        7  { "Cannot filter." }
        8  { "The driver loader for the device is missing." }
        9  { "This device is not working properly because the controlling firmware is reporting the resources for the device incorrectly." }
        10 { "This device cannot start." }
        11 { "This device failed." }
        12 { "This device cannot find enough free resources that it can use." }
        13 { "Windows cannot verify this device's resources." }
        14 { "This device cannot work properly until you restart your computer." }
        15 { "This device is not working properly because there is probably a re-enumeration problem." }
        16 { "Windows cannot identify all the resources this device uses." }
        17 { "This device is asking for an unknown resource type." }
        18 { "Reinstall the drivers for this device." }
        19 { "Failure using the VxD loader." }
        20 { "Your registry might be corrupted." }
        21 { "System failure: Try changing the driver for this device. If that does not work, see your hardware documentation. Windows is removing this device." }
        22 { "This device is disabled." }
        23 { "System failure: Try changing the driver for this device. If that doesn't work, see your hardware documentation." }
        24 { "This device is not present, is not working properly, or does not have all its drivers installed." }
        25 { "Windows is still setting up this device." }
        26 { "Windows is still setting up this device." }
        27 { "This device does not have valid log configuration." }
        28 { "The drivers for this device are not installed." }
        29 { "This device is disabled because the firmware of the device did not give it the required resources." }
        30 { "This device is using an Interrupt Request (IRQ) resource that another device is using." }
        31 { "This device is not working properly because Windows cannot load the drivers required for this device." }
    }
    # One row per problem device, so the RMM can show it as a table.
    [PSCustomObject]@{
        ErrorCode  = $Device.ConfigManagerErrorCode
        ErrorText  = $Errortext
        Device     = $Device.Caption
        Present    = $Device.Present
        Status     = $Device.Status
        StatusInfo = $Device.StatusInfo
    }
}

if (!$DevicesInError) {
    Write-Host "Healthy"
} else {
    $DevicesInError
}

Monitoring Zerologon

So Zerologon (CVE-2020-1472) is a pretty big issue, and at the start there was some confusion: is just installing the patch enough to be safe? Well, to be completely clear: no. Just installing the patch is not enough. The August 2020 update only puts domain controllers in a deployment phase that logs vulnerable Netlogon connections; it does not block them. Microsoft understood the confusion and added an addendum to their own advisory.

So, to quote Microsoft:

Mitigation consists of installing the update on all DCs and RODCs, monitoring for new events, and addressing non-compliant devices that are using vulnerable Netlogon secure channel connections. Machine accounts on non-compliant devices can be allowed to use vulnerable Netlogon secure channel connections; however, they should be updated to support secure RPC for Netlogon and the account enforced as soon as possible to remove the risk of attack.

Microsoft – CVE-2020-1472

So to make sure we don't get affected by the bug we have to monitor the domain controllers for the Netlogon events Microsoft documents (5827 through 5831 in the System log) and alert on them. Events 5827 and 5828 are denied vulnerable connections, 5829 is a vulnerable connection that was allowed during the deployment phase, and 5830 and 5831 are vulnerable connections allowed by group policy. That's quite simple with PowerShell and you can use the following script for it. Run it on each DC, because that is where the events are written.

# Netlogon logs these events in the System log, so the log name is required;
# -ErrorAction SilentlyContinue stops Get-WinEvent complaining when nothing matches.
$Events = Get-WinEvent -LogName System -ErrorAction SilentlyContinue -FilterXPath "Event[System[(Level=2 or Level=3) and (EventID=5827 or EventID=5828 or EventID=5829 or EventID=5830 or EventID=5831)]]"
if (!$Events) {
    Write-Host "Healthy - No events found"
} else {
    Write-Host "Unhealthy - Events found. Immediate action required"
}

Of course you could also just take a shotgun to the problem and enable enforcement mode on the DCs by setting FullSecureChannelProtection to 1. From then on vulnerable Netlogon secure channel connections are refused (and show up as event 5827 or 5828), except for accounts you explicitly allow through the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy. Microsoft's enforcement phase update of February 2021 turns this on regardless of the registry value, so anything still logging 5829 before then will simply stop working afterwards.

# Run on every domain controller; takes effect for new secure channel connections.
New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -Name 'FullSecureChannelProtection' -Value 1 -PropertyType "DWord" -Force
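Alerting that events exist is only half of what Microsoft asks for; the other half is "addressing non-compliant devices", which means you need to know which machine accounts are still using vulnerable connections. The following is an added example (not code from the original post) that reports the enforcement state of the DC it runs on and lists the accounts behind each 5827-5831 event. It assumes the events live in the System log under the NETLOGON provider, and that the first event property holds the Machine SamAccountName, which is the first field in Microsoft's event description; that property index is an assumption, check it against one of your own events before trusting the account column.

```powershell
# Added example: Zerologon posture report for a domain controller.
# Assumptions (not from the original post): events are in the System log with
# provider NETLOGON, and Properties[0] of each event is the machine/trust account name.
param(
    [int]$LookbackDays = 7
)

$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Enforcement state: 1 means vulnerable connections are refused; a missing value or 0
# means deployment-phase behaviour on DCs that do not yet have the February 2021 update.
$Enforcement = (Get-ItemProperty -Path $ParamsKey -Name 'FullSecureChannelProtection' -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($Enforcement -eq 1) {
    $EnforcementState = 'Enforced (FullSecureChannelProtection = 1)'
} else {
    $EnforcementState = 'Not explicitly enforced (value missing or 0)'
}

# What each event ID means, per Microsoft's CVE-2020-1472 guidance.
$EventMeaning = @{
    5827 = 'Vulnerable connection DENIED (machine account)'
    5828 = 'Vulnerable connection DENIED (trust account)'
    5829 = 'Vulnerable connection ALLOWED during deployment phase'
    5830 = 'Vulnerable connection ALLOWED by group policy (machine account)'
    5831 = 'Vulnerable connection ALLOWED by group policy (trust account)'
}

# FilterHashtable is indexed server-side, so this stays fast on a busy DC.
$Filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

$Report = $Events | ForEach-Object {
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        EventId     = $_.Id
        Meaning     = $EventMeaning[$_.Id]
        Account     = $_.Properties[0].Value   # assumed: Machine SamAccountName
    }
}

Write-Host "Netlogon enforcement: $EnforcementState"
if (-not $Report) {
    Write-Host "Healthy - no Netlogon secure channel events in the last $LookbackDays days"
} else {
    Write-Host "Unhealthy - $(@($Report).Count) event(s). Accounts still using vulnerable connections:"
    # One line per account with the event IDs it triggered, worst offenders first.
    $Report | Group-Object Account | Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } },
                      Count,
                      @{ n = 'EventIds'; e = { ($_.Group.EventId | Sort-Object -Unique) -join ',' } }
}
```

Accounts showing 5829 are the ones to fix (or to knowingly allow via the group policy) before enforcement kicks in; accounts showing 5827 or 5828 are already being refused and will be generating support calls.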

And that’s it! As always, Happy PowerShelling!
