Delete ‘default’ value under a registry key

I was working on my main script responsible for reviewing scan results and taking actions based on results. One of the actions consists in iterating through registry values and deleting the unwanted/unknown values that didn’t fall in my whitelist filter.

As long as registry values have a different name than ‘(default)’, there isn’t any problem.
I’ve been using some of the functions provided by Shay Levy in the PSRemoteRegistry module to delete these values.

However, some applications do add the ‘(default)’ value under registry keys upon installation whereas it isn’t required and wasn’t present beforehand. This triggers a false positive in scanning results. Worse, it fails if you do:

# Add the culprit with the built-in windows command            
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /ve            
# Check that the unwanted (default) empty value has been added            
Get-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Run            
# Try to remove it            
Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name '(default)'            
# -> it failed as you can see            
# Clearing the content works but that's not what we wanted            
 Clear-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name '(default)'            
 # See!            
 Get-Item HKCU:\Software\Microsoft\Windows\CurrentVersion\Run            

A related error has already been mentioned and reported on this page.
The comment from Microsoft even says that

Posted by Microsoft on 25/09/2009 at 18:18
Your bug has not been fixed in PowerShell 2.0. However we have kept the bug active for next version

So my workaround on V2 is:

Function Remove-DefaultValue            
    Begin {}            
        Foreach ($c in $ComputerName)            
                if( !(Test-Connection -ComputerName $c -Count 1 -Quiet))            
        Write-Warning "$c doesn't respond to ping."            
                Invoke-Command -ComputerName $c -ArgumentList $key -ErrorAction Stop -Script {            
                        & (Get-Command reg) @("delete",($mainkey -replace ":",""),"/ve","/f")            
             } catch {            
                Write-Warning $_.Exeception.Message            
} # end of function

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.