|
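#region ProcMon altitude helpers

function Get-ProcMonInstanceKey {
    <#
    .SYNOPSIS
        Returns the HKLM-relative path of the Procmon instance key for one driver version.
    .PARAMETER InstanceVersion
        Procmon driver version number; the service key is PROCMON<InstanceVersion>.
    #>
    param([int32]$InstanceVersion)
    return "SYSTEM\CurrentControlSet\services\PROCMON$($InstanceVersion)\Instances\Process Monitor $($InstanceVersion) Instance"
}

function New-ProcMonDenyRule {
    <#
    .SYNOPSIS
        Builds the protective ACE: Everyone is denied Delete and SetValue on the key itself.
    .DESCRIPTION
        The identity is the well-known World SID (S-1-1-0) rather than the name "Everyone", so the
        rule also resolves on Windows installations whose built-in account names are localized.
        The three-argument constructor leaves InheritanceFlags/PropagationFlags at None, i.e. the
        ACE protects the instance key only and is not inherited by subkeys such as Enum.
    #>
    $everyone = New-Object System.Security.Principal.SecurityIdentifier ([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $rights = [System.Security.AccessControl.RegistryRights]::Delete -bor [System.Security.AccessControl.RegistryRights]::SetValue
    return New-Object System.Security.AccessControl.RegistryAccessRule ($everyone, $rights, [System.Security.AccessControl.AccessControlType]::Deny)
}

function Test-ProcMonDenyRule {
    <#
    .SYNOPSIS
        $true when the key's DACL already carries an ACE identical to New-ProcMonDenyRule.
    .PARAMETER SubKey
        HKLM-relative key path. A missing or unreadable key yields $false.
    #>
    param([string]$SubKey)
    $rule = New-ProcMonDenyRule
    $acl = Get-Acl -Path "HKLM:\$SubKey" -ErrorAction SilentlyContinue
    if ($acl -isnot [System.Security.AccessControl.RegistrySecurity]) {
        return $false
    }
    # Rules are fetched with SID identities so the comparison is name/locale independent.
    $hits = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) | Where-Object {
        $_.IdentityReference.Value -eq $rule.IdentityReference.Value -and
        $_.AccessControlType -eq $rule.AccessControlType -and
        $_.RegistryRights -eq $rule.RegistryRights -and
        $_.IsInherited -eq $rule.IsInherited -and
        $_.InheritanceFlags -eq $rule.InheritanceFlags -and
        $_.PropagationFlags -eq $rule.PropagationFlags
    })
    return ($hits.Count -gt 0)
}

function Set-ProcMonDenyRule {
    <#
    .SYNOPSIS
        Adds (default) or removes (-Remove) the protective ACE on a registry key.
    .PARAMETER SubKey
        HKLM-relative key path. Throws if the key does not exist.
    .PARAMETER Remove
        Remove every Everyone/Deny ACE from the key instead of adding the rule.
    .NOTES
        The handle is opened with ReadPermissions and ChangePermissions, the rights that
        GetAccessControl() (READ_CONTROL) and SetAccessControl() (WRITE_DAC) are documented to
        require. The previous version opened the handle with TakeOwnership only; ownership is
        never changed here, so that right is not requested any more.
        NOTE(review): confirm on a test host that the earlier TakeOwnership-only open was not
        relied upon for some other reason.
    #>
    param(
        [string]$SubKey,
        [switch]$Remove
    )
    $rule = New-ProcMonDenyRule
    $rights = [System.Security.AccessControl.RegistryRights]::ReadPermissions -bor [System.Security.AccessControl.RegistryRights]::ChangePermissions
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
    if ($null -eq $key) {
        throw "Registry key HKLM:\$SubKey does not exist."
    }
    try {
        $acl = $key.GetAccessControl()
        if ($Remove) {
            $acl.RemoveAccessRuleAll($rule)
        }
        else {
            # SetAccessRule replaces any existing Everyone/Deny entry, so re-applying is idempotent.
            $acl.SetAccessRule($rule)
        }
        $key.SetAccessControl($acl)
    }
    finally {
        # Close on every path so the handle is not leaked when GetAccessControl/SetAccessControl throw.
        $key.Close()
    }
}

#endregion ProcMon altitude helpers

#region Set-ProcMonAltitude

function Set-ProcMonAltitude {
    <#
    .SYNOPSIS
        Writes a PROCMON<version> service key with a fixed Altitude and protects the instance key
        against value changes and deletion.
    .DESCRIPTION
        For every entry in -Version the function
          1. removes an existing Everyone/Deny(Delete,SetValue) ACE from the instance key, because
             that ACE would also refuse this function's own writes;
          2. writes SupportedFeatures=3 (DWORD) on the service key, DefaultInstance on Instances,
             Altitude (REG_SZ) and Flags=0 on the instance key, and an Enum subkey holding
             0, Count and NextInstance;
          3. re-applies the ACE.
        The ACE is placed on the instance key only (no inheritance), so Enum and the parent keys stay
        writable. A Deny for Everyone matches Administrators and SYSTEM as well; anyone with WRITE_DAC
        on the key (its owner, or a holder of SeTakeOwnershipPrivilege) can strip it, so this is a
        guard against routine overwrites of the stored altitude, not a security boundary.
        Presumably the intent is that a later Procmon driver registration keeps this altitude instead
        of writing its own — NOTE(review): confirm with the author.
    .PARAMETER Version
        Procmon driver version numbers; the service key is PROCMON<Version>. Defaults to 23 and 24.
    .PARAMETER Altitude
        Altitude stored (as REG_SZ) in every instance key. Defaults to 20003. Previously typed as
        [int32[]]; a multi-element array was stringified with spaces into one REG_SZ value, so the
        parameter is now a single integer (single-element arrays still bind).
    .NOTES
        Requires write access to HKLM:\SYSTEM\CurrentControlSet\services, i.e. an elevated session.
        Registry cmdlets run with -ErrorAction Stop: a refused write aborts the function before the
        protective ACE is re-applied instead of being reported as a non-terminating error and skipped.
    #>
    [CmdletBinding()]
    PARAM(
        [Parameter(Mandatory = $false, Position = 0)]
        [int32[]]
        $Version = @(23, 24)
        ,
        [Parameter(Mandatory = $false, Position = 1)]
        [int32]
        $Altitude = 20003
    )

    begin {
        Write-Verbose $MyInvocation.MyCommand
    }

    process {
        foreach ($InstanceVersion in $Version) {
            $serviceKey = "SYSTEM\CurrentControlSet\services\PROCMON$($InstanceVersion)"
            $instanceKey = Get-ProcMonInstanceKey -InstanceVersion $InstanceVersion
            Write-Verbose "Writing HKLM:\$instanceKey with Altitude $Altitude"

            # 1. Lift the protective ACE; it denies SetValue/Delete to this caller too.
            if (Test-ProcMonDenyRule -SubKey $instanceKey) {
                Set-ProcMonDenyRule -SubKey $instanceKey -Remove
            }

            # 2. Service / instance definition.
            New-Item -Path "HKLM:\$instanceKey\Enum" -ItemType Directory -Force -ErrorAction Stop | Out-Null
            New-ItemProperty -Path "HKLM:\$serviceKey" -Name "SupportedFeatures" -Value 3 -PropertyType ([Microsoft.Win32.RegistryValueKind]::DWord) -Force -ErrorAction Stop | Out-Null
            New-ItemProperty -Path "HKLM:\$serviceKey\Instances" -Name "DefaultInstance" -Value "Process Monitor $($InstanceVersion) Instance" -PropertyType ([Microsoft.Win32.RegistryValueKind]::String) -Force -ErrorAction Stop | Out-Null
            New-ItemProperty -Path "HKLM:\$instanceKey" -Name "Altitude" -Value $Altitude -PropertyType ([Microsoft.Win32.RegistryValueKind]::String) -Force -ErrorAction Stop | Out-Null
            New-ItemProperty -Path "HKLM:\$instanceKey" -Name "Flags" -Value 0 -PropertyType ([Microsoft.Win32.RegistryValueKind]::DWord) -Force -ErrorAction Stop | Out-Null
            # Backslash is not an escape character in PowerShell strings: the earlier "Root\\LEGACY_..\\0000"
            # literal wrote doubled backslashes into the value. Single backslashes are written now.
            New-ItemProperty -Path "HKLM:\$instanceKey\Enum" -Name "0" -Value "Root\LEGACY_PROCMON$($InstanceVersion)\0000" -PropertyType ([Microsoft.Win32.RegistryValueKind]::String) -Force -ErrorAction Stop | Out-Null
            New-ItemProperty -Path "HKLM:\$instanceKey\Enum" -Name "Count" -Value 1 -PropertyType ([Microsoft.Win32.RegistryValueKind]::DWord) -Force -ErrorAction Stop | Out-Null
            New-ItemProperty -Path "HKLM:\$instanceKey\Enum" -Name "NextInstance" -Value 1 -PropertyType ([Microsoft.Win32.RegistryValueKind]::DWord) -Force -ErrorAction Stop | Out-Null

            # 3. Protect the instance key again.
            Set-ProcMonDenyRule -SubKey $instanceKey
        }
    }

    end {
    }
}

#endregion Set-ProcMonAltitude

#region Remove-ProcMonAltitude

function Remove-ProcMonAltitude {
    <#
    .SYNOPSIS
        Deletes the PROCMON<version> service key tree created by Set-ProcMonAltitude.
    .DESCRIPTION
        The protective ACE denies Delete to everybody, including this caller, so it is removed from
        the instance key first; the whole PROCMON<version> key is then deleted recursively.
        Supports -WhatIf/-Confirm for the destructive step.
    .PARAMETER Version
        Procmon driver version numbers; the service key is PROCMON<Version>. Defaults to 23 and 24.
    .NOTES
        Requires write access to HKLM:\SYSTEM\CurrentControlSet\services, i.e. an elevated session.
        Remove-Item runs with -ErrorAction Stop so a refused delete is a terminating error.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    PARAM(
        [Parameter(Mandatory = $false, Position = 0)]
        [int32[]]
        $Version = @(23,24)
    )

    begin {
        Write-Verbose $MyInvocation.MyCommand
    }

    process {
        foreach ($InstanceVersion in $Version) {
            $serviceKey = "SYSTEM\CurrentControlSet\services\PROCMON$($InstanceVersion)"
            $instanceKey = Get-ProcMonInstanceKey -InstanceVersion $InstanceVersion

            if (Test-ProcMonDenyRule -SubKey $instanceKey) {
                Set-ProcMonDenyRule -SubKey $instanceKey -Remove
            }

            if (Test-Path -Path "HKLM:\$serviceKey") {
                if ($PSCmdlet.ShouldProcess("HKLM:\$serviceKey", "Remove registry key tree")) {
                    Remove-Item -Path "HKLM:\$serviceKey" -Recurse -Force -ErrorAction Stop
                }
            }
        }
    }

    end {
    }
}

#endregion Remove-ProcMonAltitude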
|
|
|
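#region Get-ProcMonAltitude

function Get-ProcMonAltitude {
    <#
    .SYNOPSIS
        Reads the Altitude stored in each PROCMON<version> instance key.
    .PARAMETER Version
        Procmon driver version numbers to query; the service key is PROCMON<Version>.
        Defaults to 23 and 24.
    .OUTPUTS
        One object per version with Version (the number that was queried), Instance (the instance
        key name) and Altitude (the stored value, $null when the value is absent).
        A missing key is reported the way Get-ItemProperty reports it — as a non-terminating
        error — and the remaining versions are still read.
    .NOTES
        The Version property used to carry the key name ("Process Monitor 23 Instance"); that text
        now lives in Instance and Version holds the number.
    #>
    [CmdletBinding()]
    PARAM(
        [Parameter(Mandatory = $false, Position = 0)]
        [int32[]]
        $Version = @(23, 24)
    )

    begin {
        Write-Verbose $MyInvocation.MyCommand
    }

    process {
        foreach ($InstanceVersion in $Version) {
            $instanceKey = "SYSTEM\CurrentControlSet\services\PROCMON$($InstanceVersion)\Instances\Process Monitor $($InstanceVersion) Instance"
            Get-ItemProperty -Path "HKLM:\$instanceKey" |
                Select-Object -Property @{ Name = "Version"; Expression = { $InstanceVersion } },
                                        @{ Name = "Instance"; Expression = { $_.PSChildName } },
                                        "Altitude"
        }
    }

    end {
    }
}

#endregion Get-ProcMonAltitude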
What is this for? Preventing modification of the procmon driver config?