
Unable to test PowerShell Auditing Settings via registry

Open matt2005 opened this issue 5 years ago • 2 comments

When testing for PowerShell auditing settings I am unable to test for the following value, as its name contains a "*".

The code below is what I'm currently using which doesn't work. I have tried escaping the * by "*" but that doesn't work.

Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames\' "*" { Should -Be '*'}

The problem is the -ExpandProperty call, as shown below.

Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames\ | Select-Object -ExpandProperty '*'

Here is the Full Context that I'm using for the PowerShell Audit Settings.

Context -Name 'Powershell Auditing' -Fixture {
    # Turn on Module Logging: Enabled
    Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\' 'EnableModuleLogging' { Should -BeExactly 1 }
    # Module Names: *
    Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames\' "*" { Should -Be '*' }
    # Turn on PowerShell Script Block Logging: Enabled
    Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' 'EnableScriptBlockLogging' { Should -Be 1 }
    # Log script block invocation start / stop events: Disabled
    # Test-Path only matches keys, not value names, so look the value up with Get-ItemProperty instead
    $invocationLogging = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' -Name 'EnableScriptBlockInvocationLogging' -ErrorAction SilentlyContinue
    if ($invocationLogging) {
        # If the value doesn't exist it defaults to 0, so only test it when present
        Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' 'EnableScriptBlockInvocationLogging' { Should -BeLessOrEqual 0 }
    }
}

matt2005 · Mar 22 '19 13:03

I have created a workaround for my issue by using ".PSObject.Properties.Where{$_.Name -eq '*'}.Value" as shown below.

Context -Name 'Powershell Auditing' -Fixture {
    # Turn on Module Logging: Enabled
    Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\' 'EnableModuleLogging' { Should -BeExactly 1 }
    # Module Names: *
    # Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames\' "*" { Should -Be '*' }
    It -Name 'Log all modules (ModuleNames: *)' -Test {
        # Enumerate the key's properties and match the literal name '*' so no wildcard expansion happens
        (Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames\).PSObject.Properties.Where{ $_.Name -eq '*' }.Value | Should -BeExactly '*'
    }
    # Turn on PowerShell Script Block Logging: Enabled
    Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' 'EnableScriptBlockLogging' { Should -Be 1 }
    # Log script block invocation start / stop events: Disabled
    # Test-Path only matches keys, not value names, so look the value up with Get-ItemProperty instead
    $invocationLogging = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' -Name 'EnableScriptBlockInvocationLogging' -ErrorAction SilentlyContinue
    if ($invocationLogging) {
        # If the value doesn't exist it defaults to 0, so only test it when present
        Registry 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\' 'EnableScriptBlockInvocationLogging' { Should -BeLessOrEqual 0 }
    }
}

matt2005 · Mar 22 '19 13:03

That is an interesting scenario. I would suggest a new function for testing PowerShell Auditing but 👍 on the workaround. Using an asterisk is an annoying name for a property.

cdhunt · Mar 27 '19 14:03
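The workaround above reads the value named `*` by enumerating `PSObject.Properties`, and the reply suggests a dedicated function for the auditing checks. As an added example, not code from the poshspec project or from either commenter, the Pester test below reads every auditing value by its literal name through the .NET `RegistryKey.GetValue` method (`Get-Item` on a registry path returns a `RegistryKey`), which never treats `*` as a wildcard, and it falls back to the policy default of 0 when a value is absent instead of skipping the check. The function names `Get-RegistryValueOrDefault` and `Get-PowerShellAuditingState` are my own; the registry paths are the ones already used in this thread.

```powershell
# Added example (not poshspec project code): read PowerShell auditing policy
# values by literal name so that a value called '*' is handled like any other.

function Get-RegistryValueOrDefault {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        $Default = $null
    )
    # -LiteralPath avoids wildcard interpretation of the key path itself.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $Default }
    # RegistryKey.GetValue takes a literal value name; '*' is just a name here,
    # unlike Get-ItemProperty -Name or Select-Object -ExpandProperty, which accept wildcards.
    return $key.GetValue($Name, $Default)
}

function Get-PowerShellAuditingState {
    $moduleLogging      = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    $scriptBlockLogging = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    [pscustomobject]@{
        EnableModuleLogging                = Get-RegistryValueOrDefault -Path $moduleLogging -Name 'EnableModuleLogging' -Default 0
        # The "log all modules" policy is stored as a value literally named '*' with data '*'.
        ModuleNamesWildcard                = Get-RegistryValueOrDefault -Path "$moduleLogging\ModuleNames" -Name '*'
        EnableScriptBlockLogging           = Get-RegistryValueOrDefault -Path $scriptBlockLogging -Name 'EnableScriptBlockLogging' -Default 0
        # An absent value means "not configured", which behaves as 0 (disabled).
        EnableScriptBlockInvocationLogging = Get-RegistryValueOrDefault -Path $scriptBlockLogging -Name 'EnableScriptBlockInvocationLogging' -Default 0
    }
}

Describe 'PowerShell Auditing' {
    BeforeAll { $state = Get-PowerShellAuditingState }

    It 'Module logging is enabled' {
        $state.EnableModuleLogging | Should -BeExactly 1
    }
    It 'All modules are logged (ModuleNames: *)' {
        $state.ModuleNamesWildcard | Should -BeExactly '*'
    }
    It 'Script block logging is enabled' {
        $state.EnableScriptBlockLogging | Should -BeExactly 1
    }
    It 'Script block invocation start/stop logging is disabled or not configured' {
        $state.EnableScriptBlockInvocationLogging | Should -Be 0
    }
}
```

Save the block as a `.Tests.ps1` file and run it with `Invoke-Pester`. Because `GetValue` takes the name literally, no escaping of `*` is needed, and supplying a default means the invocation-logging check always runs rather than being skipped when the value is missing.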