Please check HKU paths

[redboyhun]

LOG:

[DEBUG]	Checking NoDrives for user .DEFAULT...
[ERROR]	Path HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer does not exist
[DEBUG]	Checking NoDrives for user S-1-5-19...
[ERROR]	Path HKU:\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer does not exist
[DEBUG]	Checking NoDrives for user S-1-5-20...
[ERROR]	Path HKU:\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer does not exist
[DEBUG]	Checking NoDrives for user S-1-5-21-2857351402-2812262531-3171228550-1717968...
[VERBOSE]	Opening Key:'\S-1-5-21-2857351402-2812262531-3171228550-1717968\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' on Hive:'HKU:'
[DEBUG]	Checking NoDrives for user S-1-5-21-2857351402-2812262531-3171228550-1717968_Classes...
[ERROR]	Path HKU:\S-1-5-21-2857351402-2812262531-3171228550-1717968_Classes\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer does not exist
[DEBUG]	Checking NoDrives for user S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534...
[ERROR]	Path HKU:\S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer does not exist
[DEBUG]	Checking NoDrives for user S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534_Classes...
[ERROR]	Path HKU:\S-1-5-80-1184457765-4068085190-3456807688-2200952327-3769537534_Classes\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer does not exist
[DEBUG]	Checking NoDrives for user S-1-5-18...
[ERROR]	Path HKU:\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer does not exist

Manually invoking in PS gives drive error:

PS D:\> gci HKU:\S-1-5-18\Software\Microsoft\Windows\CurrentVersion
gci : Cannot find drive. A drive with the name 'HKU' does not exist.
At line:1 char:1
+ gci HKU:\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (HKU:String) [Get-ChildItem], DriveNotFoundException
    + FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

Instead of HKU using Registry::HKEY_USERS results in success:

PS D:\> gci Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\

    Hive: HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\

+1
Path *\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer does not exist, but *\Software\Microsoft\Windows\CurrentVersion\Explorer does.

[AssafMiron]

Hey @redboyhun
Since PSM hardening check is the only one using HKU, we defined a new PS Drive for it
See line 710 here:

CYBRHardeningCheck/CYBRHardeningCheck/PSM/PSMHardeningSteps.psm1

Line 710 in d0ffe80

New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -Scope Global | out-Null

This is why it does not work for you in a regular PS session

For the other thing, \Policies\Explorer is referencing GPO setting applied on the machine regarding the Explorer
Since this hardening is using GPO (local or domain) setting applied on the system we are checking there and not in the regular path of /CurrentVersion/Explorer

Does this make sense?

Thanks,
Assaf

[ctssultana]

This is why it does not work for you in a regular PS session

What sort of PS session needs to be used for this to work?