A small pre-release update to WDACConfig module
HotCakeX committed Apr 30, 2023
1 parent bad8fff commit e5f2e08
Showing 7 changed files with 62 additions and 46 deletions.
11 changes: 7 additions & 4 deletions WDACConfig/Deploy-SignedWDACConfig.psm1
Expand Up @@ -7,8 +7,11 @@ function Deploy-SignedWDACConfig {
ConfirmImpact = 'High'
)]
Param(
[ValidatePattern('.*\.cer')][parameter(Mandatory = $true)][string]$CertPath,
[ValidatePattern('.*\.xml')][parameter(Mandatory = $true)][string[]]$PolicyPaths,
[ValidatePattern('\.cer$')][ValidateScript({ Test-Path $_ -PathType Leaf }, ErrorMessage = "The path you selected is not a file path.")]
[parameter(Mandatory = $true)][string]$CertPath,

[ValidatePattern('\.xml$')][ValidateScript({ Test-Path $_ -PathType Leaf }, ErrorMessage = "The path you selected is not a file path.")]
[parameter(Mandatory = $true)][string[]]$PolicyPaths,

[ValidateScript({
try {
Expand All @@ -21,7 +24,7 @@ function Deploy-SignedWDACConfig {
}, ErrorMessage = "A certificate with the provided common name doesn't exist in the personal store of the user certificates." )]
[parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)][string]$CertCN,

[ValidatePattern('.*\.exe')][parameter(Mandatory = $false)][string]$SignToolPath,
[ValidatePattern('\.exe$')][parameter(Mandatory = $false)][string]$SignToolPath,

[Parameter(Mandatory = $false)][switch]$SkipVersionCheck
)
Expand Down Expand Up @@ -113,7 +116,7 @@ $ArgumentCompleterCertificateCN = {
Register-ArgumentCompleter -CommandName "Deploy-SignedWDACConfig" -ParameterName "CertCN" -ScriptBlock $ArgumentCompleterCertificateCN


# argument tab auto-completion for Policy Paths to show only .xml files and only base policies
# argument tab auto-completion for Policy Paths to show only .xml files
$ArgumentCompleterPolicyPaths = {
Get-ChildItem | where-object { $_.extension -like '*.xml' } | foreach-object { return "`"$_`"" }
}
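Review bot: `Test-Path $_ -PathType Leaf` in the new ValidateScript blocks on $CertPath and $PolicyPaths passes the value through the -Path parameter, which treats `*`, `?` and `[` as wildcards, so a value such as `C:\certs\*.cer` or a file name containing `[` is validated against a different (or no) file than the one the module later reads; `Test-Path -LiteralPath $_ -PathType Leaf` checks exactly the string supplied. The same pattern is added in Edit-SignedWDACConfig.psm1, Edit-WDACConfig.psm1, New-WDACConfig.psm1 and Remove-WDACConfig.psm1. Note also that $SignToolPath in this file only gains the `\.exe$` pattern, while the equivalent parameter in Edit-SignedWDACConfig.psm1 and Remove-WDACConfig.psm1 also gets the existence check — presumably an oversight. The Param block continues outside the hunk.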
9 changes: 5 additions & 4 deletions WDACConfig/Edit-SignedWDACConfig.psm1
Expand Up @@ -13,7 +13,7 @@ function Edit-SignedWDACConfig {
[Parameter(Mandatory = $false, ParameterSetName = "Merge Supplemental Policies")][switch]$MergeSupplementalPolicies,
[Parameter(Mandatory = $false, ParameterSetName = "Update Base Policy")][switch]$UpdateBasePolicy,

[ValidatePattern('.*\.cer')]
[ValidatePattern('\.cer$')][ValidateScript({ Test-Path $_ -PathType Leaf }, ErrorMessage = "The path you selected is not a file path.")]
[Parameter(Mandatory = $true, ParameterSetName = "Allow New Apps Audit Events", ValueFromPipelineByPropertyName = $true)]
[Parameter(Mandatory = $true, ParameterSetName = "Allow New Apps", ValueFromPipelineByPropertyName = $true)]
[Parameter(Mandatory = $true, ParameterSetName = "Merge Supplemental Policies", ValueFromPipelineByPropertyName = $true)]
Expand All @@ -25,7 +25,7 @@ function Edit-SignedWDACConfig {
[Parameter(Mandatory = $true, ParameterSetName = "Merge Supplemental Policies", ValueFromPipelineByPropertyName = $true)]
[string]$SuppPolicyName,

[ValidatePattern('.*\.xml')]
[ValidatePattern('\.xml$')]
[ValidateScript({
# Validate each Policy file in PolicyPaths parameter to make sure the user isn't accidentally trying to
# Edit a Unsigned policy using Edit-SignedWDACConfig cmdlet which is only made for Signed policies
Expand Down Expand Up @@ -56,7 +56,7 @@ function Edit-SignedWDACConfig {
[Parameter(Mandatory = $true, ParameterSetName = "Update Base Policy", ValueFromPipelineByPropertyName = $true)]
[string]$CertCN,

[ValidatePattern('.*\.xml')]
[ValidatePattern('\.xml$')][ValidateScript({ Test-Path $_ -PathType Leaf }, ErrorMessage = "The path you selected is not a file path.")]
[Parameter(Mandatory = $true, ParameterSetName = "Merge Supplemental Policies", ValueFromPipelineByPropertyName = $true)]
[string[]]$SuppPolicyPaths,

Expand Down Expand Up @@ -84,7 +84,7 @@ function Edit-SignedWDACConfig {

[parameter(Mandatory = $false, ParameterSetName = "Allow New Apps Audit Events")][switch]$IncludeDeletedFiles,

[ValidatePattern('.*\.exe')]
[ValidatePattern('\.exe$')][ValidateScript({ Test-Path $_ -PathType Leaf }, ErrorMessage = "The path you selected is not a file path.")]
[Parameter(Mandatory = $false, ParameterSetName = "Allow New Apps Audit Events", ValueFromPipelineByPropertyName = $true)]
[Parameter(Mandatory = $false, ParameterSetName = "Allow New Apps", ValueFromPipelineByPropertyName = $true)]
[Parameter(Mandatory = $false, ParameterSetName = "Merge Supplemental Policies", ValueFromPipelineByPropertyName = $true)]
Expand Down Expand Up @@ -897,6 +897,7 @@ $ArgumentCompleterSignToolPath = {
}
Register-ArgumentCompleter -CommandName "Edit-SignedWDACConfig" -ParameterName "SignToolPath" -ScriptBlock $ArgumentCompleterSignToolPath


# argument tab auto-completion for Supplemental Policy Paths to show only .xml files and only Supplemental policies
$ArgumentCompleterSuppPolicyPaths = {
Get-ChildItem | where-object { $_.extension -like '*.xml' } | ForEach-Object {
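Review bot: The new validation on $SignToolPath in the hunk at -84,7 only confirms that an existing file name ends in `.exe`; since the module later executes that binary to sign policies, checking that it carries a valid Authenticode signature would give more assurance than the extension, e.g. `[ValidateScript({ (Get-AuthenticodeSignature -LiteralPath $_).Status -eq 'Valid' }, ErrorMessage = "The SignTool path does not point to a validly signed executable.")]`, assuming the expected tool is always the signed SDK signtool.exe. The same parameter in Remove-WDACConfig.psm1 and Deploy-SignedWDACConfig.psm1 would benefit from the same check. The Param block starts and ends outside the hunk.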
5 changes: 3 additions & 2 deletions WDACConfig/Edit-WDACConfig.psm1
Expand Up @@ -18,7 +18,7 @@ function Edit-WDACConfig {
[Parameter(Mandatory = $true, ParameterSetName = "Merge Supplemental Policies", ValueFromPipelineByPropertyName = $true)]
[string]$SuppPolicyName,

[ValidatePattern('.*\.xml')]
[ValidatePattern('\.xml$')]
[ValidateScript({
# Validate each Policy file in PolicyPaths parameter to make sure the user isn't accidentally trying to
# Edit a Signed policy using Edit-WDACConfig cmdlet which is only made for Unsigned policies
Expand All @@ -34,7 +34,7 @@ function Edit-WDACConfig {
[Parameter(Mandatory = $true, ParameterSetName = "Merge Supplemental Policies", ValueFromPipelineByPropertyName = $true)]
[string[]]$PolicyPaths,

[ValidatePattern('.*\.xml')]
[ValidatePattern('\.xml$')][ValidateScript({ Test-Path $_ -PathType Leaf }, ErrorMessage = "The path you selected is not a file path.")]
[Parameter(Mandatory = $true, ParameterSetName = "Merge Supplemental Policies", ValueFromPipelineByPropertyName = $true)]
[string[]]$SuppPolicyPaths,

Expand Down Expand Up @@ -67,6 +67,7 @@ function Edit-WDACConfig {
[parameter(Mandatory = $false, ParameterSetName = "Allow New Apps Audit Events")]
[parameter(Mandatory = $false, ParameterSetName = "Allow New Apps")]
[string]$SpecificFileNameLevel,

# Setting the maxim range to the maximum allowed log size by Windows Event viewer
[ValidateRange(1024KB, 18014398509481983KB)]
[Parameter(Mandatory = $false, ParameterSetName = "Allow New Apps Audit Events")]
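Review bot: The ErrorMessage on the new $SuppPolicyPaths ValidateScript, "The path you selected is not a file path.", is also what the user sees when the path simply does not exist, which is the likelier failure; a message that names the value and both causes would be more helpful, e.g. `ErrorMessage = "'{0}' does not exist or is not a file."` (ValidateScript's ErrorMessage is a format string whose {0} is the value being validated). The same text is used in the other four modules changed in this commit. The third hunk only adds a blank line. The Param block continues outside the hunk.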
13 changes: 10 additions & 3 deletions WDACConfig/New-WDACConfig.psm1
Expand Up @@ -21,9 +21,15 @@ function New-WDACConfig {
[Parameter(Mandatory = $false, ParameterSetName = "Make Supplemental Policy")][switch]$MakeSupplementalPolicy,
[Parameter(Mandatory = $false, ParameterSetName = "Make DefaultWindows With Block Rules")][switch]$MakeDefaultWindowsWithBlockRules,

[parameter(Mandatory = $true, ParameterSetName = "Make Supplemental Policy", ValueFromPipelineByPropertyName = $true)][string]$ScanLocation,
[ValidateScript({ Test-Path $_ -PathType Container }, ErrorMessage = "The path you selected is not a folder path.")]
[parameter(Mandatory = $true, ParameterSetName = "Make Supplemental Policy", ValueFromPipelineByPropertyName = $true)]
[string]$ScanLocation,

[parameter(Mandatory = $true, ParameterSetName = "Make Supplemental Policy", ValueFromPipelineByPropertyName = $true)][string]$SuppPolicyName,
[ValidatePattern('.*\.xml')][parameter(Mandatory = $true, ParameterSetName = "Make Supplemental Policy", ValueFromPipelineByPropertyName = $true)][string]$PolicyPath,

[ValidatePattern('\.xml$')][ValidateScript({ Test-Path $_ -PathType Leaf }, ErrorMessage = "The path you selected is not a file path.")]
[parameter(Mandatory = $true, ParameterSetName = "Make Supplemental Policy", ValueFromPipelineByPropertyName = $true)]
[string]$PolicyPath,

[ValidateSet("Allow Microsoft Base", "Default Windows Base")]
[Parameter(Mandatory = $true, ParameterSetName = "Make Policy From Audit Logs")][string]$BasePolicyType,
Expand Down Expand Up @@ -76,7 +82,8 @@ function New-WDACConfig {
[ValidateSet([Fallbackz])]
[parameter(Mandatory = $false, ParameterSetName = "Make Policy From Audit Logs")]
[parameter(Mandatory = $false, ParameterSetName = "Make Supplemental Policy")]
[string[]]$Fallbacks,
[string[]]$Fallbacks,

# Setting the maxim range to the maximum allowed log size by Windows Event viewer
[ValidateRange(1024KB, 18014398509481983KB)]
[Parameter(Mandatory = $false, ParameterSetName = "Prep MSFT Only Audit")]
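Review bot: In the hunk at -21,9 the $ScanLocation and $PolicyPath declarations are split one attribute per line, but $SuppPolicyName between them (`[parameter(Mandatory = $true, ParameterSetName = "Make Supplemental Policy", ValueFromPipelineByPropertyName = $true)][string]$SuppPolicyName,`) keeps the old single-line form, and `[parameter(` is lower-case where the surrounding attributes use `[Parameter(`; aligning it to the new layout would keep the Param block consistent. The second hunk only adds a blank line. The Param block starts and ends outside the hunk.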
7 changes: 4 additions & 3 deletions WDACConfig/Remove-WDACConfig.psm1
Expand Up @@ -11,7 +11,7 @@ function Remove-WDACConfig {
[Parameter(Mandatory = $false, ParameterSetName = "Remove Signed Policies")][switch]$RemoveSignedPolicies,
[Parameter(Mandatory = $false, ParameterSetName = "Remove Policies")][switch]$RemovePolicies,

[ValidatePattern('.*\.xml')]
[ValidatePattern('\.xml$')][ValidateScript({ Test-Path $_ -PathType Leaf }, ErrorMessage = "The path you selected is not a file path.")]
[parameter(Mandatory = $true, ParameterSetName = "Remove Signed Policies", ValueFromPipelineByPropertyName = $true)][string[]]$PolicyPaths,

[ValidateScript({
Expand All @@ -29,7 +29,7 @@ function Remove-WDACConfig {
[ValidateSet([PolicyIDz])][parameter(Mandatory = $false, ParameterSetName = "Remove Policies")][string[]]$PolicyIDs,
[ValidateSet([PolicyNamez])][parameter(Mandatory = $false, ParameterSetName = "Remove Policies")][string[]]$PolicyNames,

[ValidatePattern('.*\.exe')]
[ValidatePattern('\.exe$')][ValidateScript({ Test-Path $_ -PathType Leaf }, ErrorMessage = "The path you selected is not a file path.")]
[parameter(Mandatory = $false, ParameterSetName = "Remove Signed Policies", ValueFromPipelineByPropertyName = $true)][string]$SignToolPath,

[Parameter(Mandatory = $false)][switch]$SkipVersionCheck
Expand Down Expand Up @@ -107,15 +107,16 @@ function Remove-WDACConfig {
}

if ($RemovePolicies) {
# If IDs were supplied by user
foreach ($ID in $PolicyIDs ) {
citool --remove-policy "{$ID}"
}
# If names were supplied by user
foreach ($PolicyName in $PolicyNames) {
$NameID = ((CiTool -lp -json | ConvertFrom-Json).Policies | Where-Object { $_.FriendlyName -eq $PolicyName }).PolicyID
citool --remove-policy "{$NameID}"
}
}

}

<#
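Review bot: In the $RemovePolicies block, `$NameID` is taken from a Where-Object filter on FriendlyName and passed straight to `citool --remove-policy "{$NameID}"`; when no active policy has that name the argument becomes `{}`, and when several policies share the name `$NameID` is an array that stringifies to space-separated IDs, so neither case removes what the user intended. `[ValidateSet([PolicyNamez])]` presumably limits the names to those seen when the parameter was bound, but it does not rule out duplicates or a policy removed in the meantime. A guard such as `if (-not $NameID) { Write-Warning "No active policy named '$PolicyName' was found"; continue }` plus an error when `$NameID.Count -gt 1` would make the failure visible instead of silent. The commit only adds comments here; the function continues outside the hunk.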
5 changes: 3 additions & 2 deletions WDACConfig/Resources.ps1
Expand Up @@ -41,11 +41,13 @@ function Update-self {
if (-NOT ($currentversion -eq $latestversion)) {
Write-Host "The currently installed module's version is $currentversion while the latest version is $latestversion - Auto Updating the module now and will run your command after that 💓"
Remove-Module -Name WDACConfig -Force
# Do this if the module was installed properly using Install-moodule cmdlet
try {
Uninstall-Module -Name WDACConfig -AllVersions -Force -ErrorAction Stop
Install-Module -Name WDACConfig -RequiredVersion $latestversion -Force
Import-Module -Name WDACConfig -RequiredVersion $latestversion -Force -Global
}
# Do this if module files/folder was just copied to Documents folder and not properly installed - Should rarely happen
catch {
Install-Module -Name WDACConfig -RequiredVersion $latestversion -Force
Import-Module -Name WDACConfig -RequiredVersion $latestversion -Force -Global
Expand Down Expand Up @@ -164,6 +166,7 @@ public static extern uint QueryDosDevice(string lpDeviceName, StringBuilder lpTa
}

### ScriptBlock to separately capture FileHashes of deleted files and FilePaths of available files from Event Viewer Audit Logs ####
# The unsued notice should be ignored, it is being used multiple times throughout the module by dot-sourcing
$AuditEventLogsProcessingScriptBlock = {
# holds FileHashes of unavailable files
$DeletedFileHashesArray = @()
Expand Down Expand Up @@ -193,5 +196,3 @@ $AuditEventLogsProcessingScriptBlock = {
# return the results as arrays so they can be used outside of the ScriptBlock
return $DeletedFileHashesArray, $AvailableFilesPathsArray
}


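Review bot: The comment added above the try block in Update-self misspells the cmdlet (`Install-moodule`), and the new comment on $AuditEventLogsProcessingScriptBlock says `unsued`; suggest `# Do this if the module was installed properly using the Install-Module cmdlet` and `# The unused notice should be ignored, it is being used multiple times throughout the module by dot-sourcing`. Separately, the catch branch re-runs Install-Module without surfacing why Uninstall-Module failed; a `Write-Verbose "Uninstall-Module failed: $_"` at the top of catch would keep that information for troubleshooting. Update-self starts outside the hunk.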
58 changes: 30 additions & 28 deletions WDACConfig/WDACConfig.psd1
Expand Up @@ -42,51 +42,51 @@ This is an advanced PowerShell module for WDAC (Windows Defender Application Con
✔️ New-WDACConfig [-GetBlockRules]
✔️ New-WDACConfig [-GetDriverBlockRules]
✔️ New-WDACConfig [-MakeAllowMSFTWithBlockRules] [-Deployit] [-TestMode] [-RequireEVSigners]
✔️ New-WDACConfig [-DeployLatestDriverBlockRules]
✔️ New-WDACConfig [-SetAutoUpdateDriverBlockRules]
✔️ New-WDACConfig [-PrepMSFTOnlyAudit] [-LogSize <Int64>]
✔️ New-WDACConfig [-PrepDefaultWindowsAudit] [-LogSize <Int64>]
✔️ New-WDACConfig [-MakePolicyFromAuditLogs] -BasePolicyType <String> [-Deployit] [-TestMode] [-RequireEVSigners] [-Debugmode] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>] [-NoDeletedFiles] [-NoUserPEs] [-NoScript] [-Levels <String>] [-Fallbacks <String[]>] [-LogSize <Int64>]
✔️ New-WDACConfig [-MakeLightPolicy] [-Deployit] [-TestMode] [-RequireEVSigners]
✔️ New-WDACConfig [-MakeSupplementalPolicy] -ScanLocation <String> -SuppPolicyName <String> -PolicyPath <String> [-Deployit] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>] [-NoUserPEs] [-NoScript] [-Levels <String>] [-Fallbacks <String[]>]
✔️ New-WDACConfig [-MakeSupplementalPolicy] -ScanLocation <String> -SuppPolicyName <String> -PolicyPath <String> [-Deployit] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>] [-NoUserPEs] [-NoScript] [-Levels <String>] [-Fallbacks <String[]>]
✔️ New-WDACConfig [-MakeDefaultWindowsWithBlockRules] [-Deployit] [-TestMode] [-RequireEVSigners]
✔️ Remove-WDACConfig [-RemoveSignedPolicies] -PolicyPaths <String[]> [-SignToolPath <String>] -CertCN <String>
✔️ Remove-WDACConfig [-RemoveSignedPolicies] -PolicyPaths <String[]> -CertCN <String> [-SignToolPath <String>]
✔️ Remove-WDACConfig [-RemovePolicies] [-PolicyIDs <String[]>] [-PolicyNames <String[]>]
✔️ Edit-WDACConfig [-AllowNewAppsAuditEvents] -SuppPolicyName <String> -PolicyPaths <String[]> [-Debugmode] [-Levels <String>] [-Fallbacks <String[]>] [-LogSize <Int64>]
✔️ Edit-WDACConfig [-AllowNewApps] -SuppPolicyName <String> -PolicyPaths <String[]> [-Levels <String>] [-Fallbacks <String[]>]
✔️ Edit-WDACConfig [-AllowNewAppsAuditEvents] -SuppPolicyName <String> -PolicyPaths <String[]> [-Debugmode] [-Levels <String>] [-Fallbacks <String[]>] [-NoScript] [-NoUserPEs] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>] [-LogSize <Int64>] [-IncludeDeletedFiles]
✔️ Edit-WDACConfig [-AllowNewApps] -SuppPolicyName <String> -PolicyPaths <String[]> [-Levels <String>] [-Fallbacks <String[]>] [-NoScript] [-NoUserPEs] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>]
✔️ Edit-WDACConfig [-MergeSupplementalPolicies] -SuppPolicyName <String> -PolicyPaths <String[]> -SuppPolicyPaths <String[]>
✔️ Edit-WDACConfig [-UpdateBasePolicy] -CurrentBasePolicyName <String[]> -NewBasePolicyType <String> [-RequireEVSigners]
✔️ Edit-SignedWDACConfig [-AllowNewAppsAuditEvents] -CertPath <String> -SuppPolicyName <String> -PolicyPaths <String[]> [-SignToolPath <String>] -CertCN <String> [-Debugmode] [-LogSize <Int64>] [-Levels <String>] [-Fallbacks <String[]>]
✔️ Edit-SignedWDACConfig [-AllowNewApps] -CertPath <String> -SuppPolicyName <String> -PolicyPaths <String[]> [-SignToolPath <String>] -CertCN <String> [-Levels <String>] [-Fallbacks <String[]>]
✔️ Edit-SignedWDACConfig [-MergeSupplementalPolicies] -CertPath <String> -SuppPolicyName <String> -PolicyPaths <String[]> [-SignToolPath <String>] -CertCN <String> -SuppPolicyPaths <String[]>
✔️ Edit-SignedWDACConfig [-UpdateBasePolicy] -CertPath <String> -SignToolPath <String> -CertCN <String> -CurrentBasePolicyName <String[]> -NewBasePolicyType <String> [-RequireEVSigners]
✔️ Deploy-SignedWDACConfig -CertPath <String> -PolicyPaths <String[]> [-SignToolPath <String>] -CertCN <String>
✔️ Edit-SignedWDACConfig [-AllowNewAppsAuditEvents] -CertPath <String> -SuppPolicyName <String> -PolicyPaths <String[]> -CertCN <String> [-Debugmode] [-LogSize <Int64>] [-NoScript] [-NoUserPEs] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>] [-IncludeDeletedFiles] [-SignToolPath <String>] [-Levels <String>] [-Fallbacks <String[]>]
✔️ Edit-SignedWDACConfig [-AllowNewApps] -CertPath <String> -SuppPolicyName <String> -PolicyPaths <String[]> -CertCN <String> [-NoScript] [-NoUserPEs] [-AllowFileNameFallbacks] [-SpecificFileNameLevel <String>] [-SignToolPath <String>] [-Levels <String>] [-Fallbacks <String[]>]
✔️ Edit-SignedWDACConfig [-MergeSupplementalPolicies] -CertPath <String> -SuppPolicyName <String> -PolicyPaths <String[]> -CertCN <String> -SuppPolicyPaths <String[]> [-SignToolPath <String>]
✔️ Edit-SignedWDACConfig [-UpdateBasePolicy] -CertPath <String> -CertCN <String> -SignToolPath <String> -CurrentBasePolicyName <String[]> -NewBasePolicyType <String> [-RequireEVSigners]
✔️ Deploy-SignedWDACConfig -CertPath <String> -PolicyPaths <String[]> -CertCN <String> [-SignToolPath <String>]
✔️ Confirm-WDACConfig [-ListActivePolicies] [-OnlyBasePolicies] [-OnlySupplementalPolicies]
✔️ Confirm-WDACConfig [-VerifyWDACStatus]
✔️ Confirm-WDACConfig [-CheckSmartAppControlStatus]
Expand Down Expand Up @@ -182,7 +182,7 @@ To get help and syntax on PowerShell console, type:
ReleaseNotes = @"
## Version 0.1.1
Created a Resources.ps1 file to store repeated functions that are using in all sub-modules, resulting in reduced repeated codes. It is dot-sourced at the beginning of each sub-module and function calls are dot-sourced too.
Created a Resources.ps1 file to store repeated functions that are used in all sub-modules, resulting in reduced repeated codes. It is dot-sourced at the beginning of each sub-module and function calls are dot-sourced too.
Started using #Requires -RunAsAdministrator instead of a function to check for Admin privileges, also resulting in reduced repeated codes.
Bumped PowerShell required version to 7.3.4 since it has some fixed for ConfigCI module cmdlets that the WDACConfig module relies on.
Improved the Edit-WDACConfig -AllowNewAppsAuditEvents so that it can now produce a more effective supplemental policy. Also going forward, it won't include deleted files by default, unless the newly introduced -IncludeDeletedFiles switch is used. Deleted files are files that are run and then deleted during a program's installation but event viewer audit logs will have their records.
Expand All @@ -195,6 +195,8 @@ Changed Valid range for log size parameter from [int64]::MaxValue (9223372036854
Edit-SignedWDACConfig -AllowNewAppsAuditEvents and Edit-WDACConfig -AllowNewAppsAuditEvents no longer include file rules for deleted file hashes by default, unless -IncludeDeletedFiles optional switch parameter is used.
Edit-SignedWDACConfig -AllowNewAppsAuditEvents and Edit-WDACConfig -AllowNewAppsAuditEvents got smarter. They now can successfully detect and only create extra rules for files that are not in the user-selected paths.
Edit-SignedWDACConfig cmdlet and Edit-WDACConfig got equiped with multiple new optional parameters that were added to New-WDACConfig cmdlet in the previous update. Those parameters include: -NoUserPEs, -NoScript, -AllowFileNameFallbacks and -SpecificFileNameLevel.
Added Validations to parameters to validate folder paths and file paths.
## Version 0.1.0
New features: Added new parameter to New-WDACConfig cmdlet, -PrepDefaultWindowsAudit, which as the name suggests, will prepare the system for Default Windows auditing,
