Function Enable-ProcessCreationCommandLine {
    <#
    .SYNOPSIS
    Ensures the "ProcessCreationIncludeCmdLine_Enabled" audit policy value under
    $WINDWOS_AUDIT_REG_PATH is a DWORD set to 1, so that process creation audit
    events carry the full command line.

    .DESCRIPTION
    Three outcomes, each logged through LogInformation:
      - value missing         -> created as DWORD 1
      - value present but != 1 -> overwritten with 1
      - value already 1       -> left untouched

    NOTE(review): once enabled, command lines (which may include credentials
    or tokens passed as arguments) are written to the audit log; access to that
    log should be restricted accordingly.

    Globals read: $WINDWOS_AUDIT_REG_PATH (spelling as defined elsewhere in the
    script - keep it so the lookup resolves).
    Outputs: nothing to the pipeline.
    #>
    $valueName = "ProcessCreationIncludeCmdLine_Enabled"
    $enabledValue = 1

    if (-not (Test-RegistryKeyExists -Path $WINDWOS_AUDIT_REG_PATH -ValueName $valueName)) {
        # Value absent: create it directly in the enabled state, explicitly as DWORD
        New-ItemProperty -Path $WINDWOS_AUDIT_REG_PATH -Name $valueName -Value $enabledValue -Type DWord | Out-Null
        LogInformation "Create a new registry value to enable CommandLine arguments in process creation events"
        return
    }

    $currentValue = (Get-ItemProperty -Path $WINDWOS_AUDIT_REG_PATH -Name $valueName).$valueName
    if ($currentValue -eq $enabledValue) {
        # Already enforced - avoid a needless registry write
        LogInformation "CommandLine policy is already enabled, do nothing"
        return
    }

    # Value exists but is not 1 (disabled or unexpected) - force it to enabled
    Set-ItemProperty -Path $WINDWOS_AUDIT_REG_PATH -Name $valueName -Value $enabledValue | Out-Null
    LogInformation "Enabled CommandLine policy"
}
Function Get-AscPoliciesState {
    <#
    .SYNOPSIS
    Reports whether the ASC policies state marker exists in the registry.

    .DESCRIPTION
    Returns $ASC_POLICIES_SET when the value named $ASC_POLICIES_STATE_REG_KEY
    exists under $OMS_AGENT_PARAMETERS_REG_PATH, otherwise $ASC_POLICIES_NOT_SET.

    NOTE(review): only the existence of the value is checked; its stored data is
    never read, so a marker that was written with some other number is still
    reported as $ASC_POLICIES_SET.

    Globals read: $OMS_AGENT_PARAMETERS_REG_PATH, $ASC_POLICIES_STATE_REG_KEY,
                  $ASC_POLICIES_SET, $ASC_POLICIES_NOT_SET
    Outputs: one of the two state constants.
    #>
    if (Test-RegistryKeyExists -Path $OMS_AGENT_PARAMETERS_REG_PATH -ValueName $ASC_POLICIES_STATE_REG_KEY) {
        return $ASC_POLICIES_SET
    }

    # Marker absent: report the default (unset) state
    return $ASC_POLICIES_NOT_SET
}
Function Set-AscPoliciesState {
    <#
    .SYNOPSIS
    Writes the ASC policies state marker to the registry.

    .DESCRIPTION
    Stores $State in the value named $ASC_POLICIES_STATE_REG_KEY under
    $OMS_AGENT_PARAMETERS_REG_PATH. The value is created as a DWORD when it does
    not exist yet (logged), or overwritten in place when it does (not logged).

    .PARAMETER State
    Integer marker to persist (callers pass $ASC_POLICIES_SET / $ASC_POLICIES_NOT_SET).

    Globals read: $OMS_AGENT_PARAMETERS_REG_PATH, $ASC_POLICIES_STATE_REG_KEY
    Outputs: nothing to the pipeline.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [Int]$State
    )

    $markerExists = Test-RegistryKeyExists -Path $OMS_AGENT_PARAMETERS_REG_PATH -ValueName $ASC_POLICIES_STATE_REG_KEY

    if (-not $markerExists) {
        # First write: announce it and create the value with an explicit DWORD type
        LogInformation "Create a new registry value: $($ASC_POLICIES_STATE_REG_KEY)=$($State)"
        New-ItemProperty -Path $OMS_AGENT_PARAMETERS_REG_PATH -Name $ASC_POLICIES_STATE_REG_KEY -Type DWord -Value $State | Out-Null
    }
    else {
        # Marker already present: just update its data
        Set-ItemProperty -Path $OMS_AGENT_PARAMETERS_REG_PATH -Name $ASC_POLICIES_STATE_REG_KEY -Value $State | Out-Null
    }
}
Function Enable-AscPolicies {
try {
LogInformation "Asc Enable Policies Start"
$ascPoliciesState = Get-AscPoliciesState
if ($ascPoliciesState -eq $ASC_POLICIES_NOT_SET){
# Enable the Asc Policies and mark the computer with Asc Policies State=1
LogInformation "Set Asc Policies"
Enable-ProcessCreationEvents
Enable-ProcessCreationCommandLine
Set-AscPoliciesState -State $ASC_POLICIES_SET
}
elseif ($ascPoliciesState -eq $ASC_POLICIES_SET) {
LogInformation "Asc Policies has already been set - do nothing"
}
else {
LogInformation "Invalid value found in registry value: '$($OMS_AGENT_PARAMETERS_REG_PATH)\$($ASC_POLICIES_STATE_REG_KEY)' the value '$($ascPoliciesState)' is invalid"
}