Hello folks,

I have a silly question  and a second set of ideas:

This thing it is been driving me so crazy since last night.

*** So the goal it is to query a Multi-string windows registry key , if the value it is found then remove it.

Path: "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002"

OS: Windows 2008 r2

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256

How can I accomplish this? , super easy .

Query the Windows registry

     if the value it is found 

        then

           create a temporary array without the values in question which it is going to be replaced later.

       if not then all good.

// To get the Values from the registry //

Invoke-VMScript -VM $VMName -ScriptText " $($tls10_cipher_temp=(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002").Functions)" -GuestUser $GuestCred -GuestPassword $GuestPass -ScriptType PowerShell -ErrorAction Stop

// This will compare if the

$somevariable=@($tls10_cipher_temp -like 'TLS_ECDHE_RSA_WITH_AES_*_CBC_SHA_P256').Count -gt 0

switch ($somevariable) {

                                    $true    {  Write-Host "Cipher Suite found: `t The script will remove it"; $tls10_cipher=$tls10_cipher_temp | Where-Object { $_ -notlike "TLS_ECDHE_RSA_WITH_AES_*_CBC_SHA_P256*"}

Invoke-VMScript -VM $VMName -ScriptText "New-ItemProperty -path ""$tls_cipher_path"" -PropertyType 'MultiString' -Name Functions -Value $tls10_cipher -Force " -GuestUser $GuestCred -GuestPassword $GuestPass -ScriptType PowerShell

}

                                    $false   { Write-Host "`n`n`t`t`rTLS 1.0 ciphers Validation status: ..........[$true]"-f Green; write-host "`n`tCurrentValue:$tls_cipher_temp"}

                                    Default  { Write-Host "Unable to validate the TLS 1.0 cipher suite , please check your values"}  

                                    }

it looks so simple to get this done...

however I am stuck , because the Invoke-VMScript  it is giving me a false positive , when I query the registry , it says the value was found .

and when gets time to evaluate $somevariable it contains "false" , which it is not true because I already  removed manually those 2 strings.

What surprised me . If I perform the same command on the server it says the value was not found ,

PS C:\Users\jc~> $tls10_cipher_temp | Where-Object {$_ -like 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256'}

PS C:\Users\jc~> $tls10_cipher_temp | Where-Object {$_ -like 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256'}

PS C:\Users\jc~> $tls10_cipher_temp | Where-Object {$_ -like 'TLS_ECDHE_RSA_WITH_AES_*_CBC_SHA_P256'}

PS C:\Users\jc~> echo $tls10_cipher_temp

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_NULL_SHA256

TLS_RSA_WITH_NULL_SHA

SSL_CK_RC4_128_WITH_MD5

SSL_CK_DES_192_EDE3_CBC_WITH_MD5

PS C:\Users\jc~>

PS C:\Users\jc~> $test2=(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration

\Local\SSL\00010002").Functions

PS C:\Users\jc~> echo $test2

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_NULL_SHA256

TLS_RSA_WITH_NULL_SHA

SSL_CK_RC4_128_WITH_MD5

SSL_CK_DES_192_EDE3_CBC_WITH_MD5

PS C:\Users\jc~>

Then I was like how about if I combine all together without variables , maybe my problem it is on the variable types.

local server not found

PS C:\Users\jc~> @(((Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Loc

al\SSL\00010002").Functions)-like 'TLS_ECDHE_RSA_WITH_AES_*_CBC_SHA_P256').Count -gt 0

False

PS C:\Users\jca~> hostname

VM-SAFAL-38

PS C:\Users\jc~>

VMsrcipt it looks like it found it:

Invoke-VMScript -VM $VMName -ScriptText "$(@(((Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002").Functions)-like 'TLS_ECDHE_RSA_WITH_AES_*_CBC_SHA_P256').Count -gt 0 )" -GuestUser $GuestCred -GuestPassword $GuestPass -ScriptType PowerShell -ErrorAction Stop

VM           : vm-safal-38

ExitCode     : 0

ScriptOutput : The term 'True' is not recognized as the name of a cmdlet, function, script fil

               e, or operable program. Check the spelling of the name, or if a path was includ

               ed, verify that the path is correct and try again.

               At line:1 char:8

               + & {True <<<< }

                   + CategoryInfo          : ObjectNotFound: (True:String) [], CommandNotFoun

                  dException

                   + FullyQualifiedErrorId : CommandNotFoundException

Uid          : /VIServer=jc@~:443/VirtualMachine=VirtualMachine-vm-~/VMScriptResult=1076874359_0/

Length       : 405

Test2: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_1

28_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AE

S_128_CBC_SHA_P384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_R

SA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P38

4 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AE

S_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE

_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_W

ITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_1

28_MD5 TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5

$tls10_cipherchecks= @($tls10_cipher_temp -like 'TLS_ECDHE_RSA_WITH_AES_*_CBC_SHA_P256').Count -gt 0

TLS10_cipherchecks: True

so why the  Invoke-VMScript found it ?

I also reboot the server .

Any thoughts ?

Regards.