Worklets - CVE-2022-30190 (msdt registry key export and delete, and reimport)



Hi all,

Here’s the worklet for https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ to check if the registry key exists, and export/delete if it does.

Evaluation Code:

# Check if the registry key exists.
Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\ms-msdt"

# If Get-ItemProperty returned without error, then the registry key exists.
if ($?) {

$response = 'Registry Key HKEY_CLASSES_ROOT\ms-msdt present'

Write-Output $response

exit 1

} else {

$response = 'Registry Key HKEY_CLASSES_ROOT\ms-msdt not present'

Write-Output $response

exit 0
}

Remediation Code:

# https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
reg export HKEY_CLASSES_ROOT\ms-msdt "C:\Windows\temp\hkey_classes_root_ms_msdt"
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

 


Likewise you can reuse the above to import the registry key if it’s not already present; just flip the exit codes. This assumes you previously exported the registry key in “C:\Windows\temp\hkey_classes_root_ms_msdt”

Evaluation Code:

# Check if the registry key exists.
Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\ms-msdt"

# If Get-ItemProperty returned without error, then the registry key exists.
if ($?) {

$response = 'Registry Key HKEY_CLASSES_ROOT\ms-msdt present'

Write-Output $response

exit 0

} else {

$response = 'Registry Key HKEY_CLASSES_ROOT\ms-msdt not present'

Write-Output $response

exit 1
}

Remediation Code:

# reg import takes only the file name; the key path is read from the exported file.
reg import "C:\Windows\temp\hkey_classes_root_ms_msdt"

Hope this helps!
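As an added example (not part of the original post), here is a variant of the export/delete remediation that removes the key only after confirming the export produced a usable backup. The key and backup path are the ones used in the post; the exit-code convention (0 for success, 1 for failure) and the header check are assumptions.

```powershell
# Added example (not from the original post): export, verify, then delete.
$Key    = 'HKEY_CLASSES_ROOT\ms-msdt'
$Backup = 'C:\Windows\temp\hkey_classes_root_ms_msdt'   # same path as the post

# Nothing to remediate if the key is already gone; this also avoids
# overwriting a good backup from an earlier run.
if (-not (Test-Path -LiteralPath "Registry::$Key")) {
    Write-Output "Registry Key $Key not present"
    exit 0
}

# /y overwrites an existing file without prompting, since the script runs unattended.
reg.exe export $Key $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Output "Export failed (reg.exe exit code $LASTEXITCODE); key left in place"
    exit 1
}

# Verify the backup is a non-empty .reg file before removing anything.
$file   = Get-Item -LiteralPath $Backup -ErrorAction SilentlyContinue
$header = if ($file) { Get-Content -LiteralPath $Backup -TotalCount 1 } else { $null }
if (-not $file -or $file.Length -eq 0 -or $header -notmatch '^Windows Registry Editor') {
    Write-Output "Backup at $Backup failed verification; key left in place"
    exit 1
}

# Delete the key and confirm it is really gone.
reg.exe delete $Key /f | Out-Null
if ($LASTEXITCODE -ne 0 -or (Test-Path -LiteralPath "Registry::$Key")) {
    Write-Output "Delete of $Key failed; backup kept at $Backup"
    exit 1
}

Write-Output "Registry Key $Key exported to $Backup and deleted"
exit 0
```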

